1{
2 "$id": "https://raw.githubusercontent.com/ory/oathkeeper/v0.32.1-beta.1/.schemas/config.schema.json",
3 "$schema": "http://json-schema.org/draft-07/schema#",
4 "title": "ORY Oathkeeper Configuration",
5 "type": "object",
6 "definitions": {
7 "tlsxSource": {
8 "type": "object",
9 "additionalProperties": false,
10 "properties": {
11 "path": {
12 "title": "Path to PEM-encoded File",
13 "type": "string",
14 "examples": [
15 "path/to/file.pem"
16 ]
17 },
18 "base64": {
19 "title": "Base64 Encoded Inline",
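20 "description": "The base64 string of the PEM-encoded file content. Can be generated using, for example, `base64 -i path/to/file.pem`. Base64 is an encoding, not encryption: when the file is a private key, handle this value as a secret.",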
21 "type": "string",
22 "examples": [
23 "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr..."
24 ]
25 }
26 }
27 },
28 "tlsx": {
29 "title": "HTTPS",
30 "description": "Configure HTTP over TLS (HTTPS). All options can also be set using environment variables by replacing dots (`.`) with underscores (`_`) and uppercasing the key. For example, `some.prefix.tls.key.path` becomes `export SOME_PREFIX_TLS_KEY_PATH`. If all keys are left undefined, TLS will be disabled.",
31 "type": "object",
32 "additionalProperties": false,
33 "properties": {
34 "key": {
35 "title": "Private Key (PEM)",
36 "allOf": [
37 {
38 "$ref": "#/definitions/tlsxSource"
39 }
40 ]
41 },
42 "cert": {
43 "title": "TLS Certificate (PEM)",
44 "allOf": [
45 {
46 "$ref": "#/definitions/tlsxSource"
47 }
48 ]
49 }
50 }
51 },
52 "cors": {
53 "title": "Cross Origin Resource Sharing (CORS)",
54 "description": "Configure [Cross Origin Resource Sharing (CORS)](http://www.w3.org/TR/cors/) using the following options.",
55 "type": "object",
56 "properties": {
57 "enabled": {
58 "type": "boolean",
59 "default": false,
60 "title": "Enable CORS",
61 "description": "If set to true, CORS will be enabled and preflight requests (OPTIONS) will be answered."
62 },
63 "allowed_origins": {
64 "title": "Allowed Origins",
65 "description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Usage of wildcards implies a small performance penalty. Only one wildcard can be used per origin.",
66 "type": "array",
67 "items": {
68 "type": "string",
69 "minLength": 1
70 },
71 "default": [
72 "*"
73 ],
74 "uniqueItems": true,
75 "examples": [
76 "https://example.com",
77 "https://*.example.com",
78 "https://*.foo.example.com"
79 ]
80 },
81 "allowed_methods": {
82 "type": "array",
83 "title": "Allowed HTTP Methods",
84 "description": "A list of methods the client is allowed to use with cross-domain requests.",
85 "items": {
86 "type": "string",
87 "enum": [
88 "GET",
89 "HEAD",
90 "POST",
91 "PUT",
92 "DELETE",
93 "CONNECT",
94 "TRACE",
95 "PATCH"
96 ]
97 },
98 "uniqueItems": true,
99 "default": [
100 "GET",
101 "POST",
102 "PUT",
103 "PATCH",
104 "DELETE"
105 ]
106 },
107 "allowed_headers": {
108 "description": "A list of non simple headers the client is allowed to use with cross-domain requests.",
109 "title": "Allowed Request HTTP Headers",
110 "type": "array",
111 "items": {
112 "type": "string"
113 },
114 "minLength": 1,
115 "uniqueItems": true,
116 "default": [
117 "Authorization",
118 "Content-Type"
119 ]
120 },
121 "exposed_headers": {
122 "description": "Indicates which headers are safe to expose to the API of a CORS API specification",
123 "title": "Allowed Response HTTP Headers",
124 "type": "array",
125 "items": {
126 "type": "string"
127 },
128 "minLength": 1,
129 "uniqueItems": true,
130 "default": [
131 "Content-Type"
132 ]
133 },
134 "allow_credentials": {
135 "type": "boolean",
136 "title": "Allow HTTP Credentials",
137 "default": false,
138 "description": "Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates."
139 },
140 "max_age": {
141 "type": "number",
142 "default": 0,
143 "title": "Maximum Age",
144 "description": "Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age."
145 },
146 "debug": {
147 "type": "boolean",
148 "default": false,
149 "title": "Enable Debugging",
150 "description": "Set to true to debug server side CORS issues."
151 }
152 },
153 "additionalProperties": false
154 },
155 "handlerSwitch": {
156 "title": "Enabled",
157 "type": "boolean",
158 "default": false,
159 "examples": [
160 true
161 ],
162 "description": "En-/disables this component."
163 },
164 "scopeStrategy": {
165 "title": "Scope Strategy",
166 "type": "string",
167 "enum": [
168 "hierarchic",
169 "exact",
170 "wildcard",
171 "none"
172 ],
173 "default": "none",
174 "description": "Sets the strategy validation algorithm."
175 },
176 "configAuthenticatorsAnonymous": {
177 "type": "object",
178 "title": "Anonymous Authenticator Configuration",
179 "description": "This section is optional when the authenticator is disabled.",
180 "properties": {
181 "subject": {
182 "type": "string",
183 "title": "Anonymous Subject",
184 "examples": [
185 "guest",
186 "anon",
187 "anonymous",
188 "unknown"
189 ],
190 "default": "anonymous",
191 "description": "Sets the anonymous username."
192 }
193 },
194 "additionalProperties": false
195 },
196 "configAuthenticatorsCookieSession": {
197 "type": "object",
198 "title": "Cookie Session Authenticator Configuration",
199 "description": "This section is optional when the authenticator is disabled.",
200 "properties": {
201 "check_session_url": {
202 "title": "Session Check URL",
203 "type": "string",
204 "format": "uri",
205 "description": "The origin to proxy requests to. If the response is a 200 with body `{ \"subject\": \"...\", \"extra\": {} }`, the request will pass the subject through successfully; otherwise it will be marked as unauthorized.\n\n>If this authenticator is enabled, this value is required.",
206 "examples": [
207 "https://session-store-host"
208 ]
209 },
210 "only": {
211 "type": "array",
212 "items": {
213 "type": "string",
214 "additionalItems": false
215 },
216 "title": "Only Cookies",
217 "description": "A list of possible cookies to look for on incoming requests. If none of the listed cookies are set on the request, the request falls through to the next authenticator."
218 }
219 },
220 "required": [
221 "check_session_url"
222 ],
223 "additionalProperties": false
224 },
225 "configAuthenticatorsJwt": {
226 "type": "object",
227 "title": "JWT Authenticator Configuration",
228 "description": "This section is optional when the authenticator is disabled.",
229 "required": ["jwks_urls"],
230 "properties": {
231 "required_scope": {
232 "type": "array",
233 "title": "Required Token Scope",
234 "description": "An array of OAuth 2.0 scopes that are required when accessing an endpoint protected by this handler.\n If the token used in the Authorization header did not request that specific scope, the request is denied.",
235 "items": {
236 "type": "string"
237 }
238 },
239 "target_audience": {
240 "title": "Intended Audience",
241 "type": "array",
242 "description": "An array of audiences that are required when accessing an endpoint protected by this handler.\n If the token used in the Authorization header is not intended for any of the requested audiences, the request is denied.",
243 "items": {
244 "type": "string"
245 }
246 },
247 "trusted_issuers": {
248 "type": "array",
249 "items": {
250 "type": "string"
251 }
252 },
253 "allowed_algorithms": {
254 "type": "array",
255 "items": {
256 "type": "string"
257 }
258 },
259 "jwks_urls": {
260 "title": "JSON Web Key URLs",
261 "type": "array",
262 "items": {
263 "type": "string",
264 "format": "uri"
265 },
266 "description": "URLs where ORY Oathkeeper can retrieve JSON Web Keys from for validating the JSON Web Token. Usually something like \"https://my-keys.com/.well-known/jwks.json\". The response of that endpoint must return a JSON Web Key Set (JWKS).\n\n>If this authenticator is enabled, this value is required.",
267 "examples": [
268 "https://my-website.com/.well-known/jwks.json",
269 "https://my-other-website.com/.well-known/jwks.json",
270 "file://path/to/local/jwks.json"
271 ]
272 },
273 "scope_strategy": {
274 "$ref": "#/definitions/scopeStrategy"
275 },
276 "token_from": {
277 "title": "Token From",
278 "description": "The location of the token.\n If not configured, the token will be received from a default location - 'Authorization' header.\n One and only one location (header or query) must be specified.",
279 "oneOf": [
280 {
281 "type": "object",
282 "required": [
283 "header"
284 ],
285 "properties": {
286 "header": {
287 "title": "Header",
288 "type": "string",
289 "description": "The header (case insensitive) that must contain a token for request authentication. It can't be set along with query_parameter."
290 }
291 }
292 },
293 {
294 "type": "object",
295 "required": [
296 "query_parameter"
297 ],
298 "properties": {
299 "query_parameter": {
300 "title": "Query Parameter",
301 "type": "string",
302 "description": "The query parameter (case sensitive) that must contain a token for request authentication. It can't be set along with header."
303 }
304 }
305 }
306 ]
307 }
308 },
309 "additionalProperties": false
310 },
311 "configAuthenticatorsOauth2ClientCredentials": {
312 "type": "object",
313 "title": "OAuth 2.0 Client Credentials Authenticator Configuration",
314 "description": "This section is optional when the authenticator is disabled.",
315 "properties": {
316 "token_url": {
317 "type": "string",
318 "description": "The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.\n\n>If this authenticator is enabled, this value is required.",
319 "format": "uri",
320 "examples": [
321 "https://my-website.com/oauth2/token"
322 ]
323 },
324 "required_scope": {
325 "type": "array",
326 "title": "Request Permissions (Token Scope)",
327 "description": "Scopes is an array of OAuth 2.0 scopes that are required when accessing an endpoint protected by this rule.\n If the token used in the Authorization header did not request that specific scope, the request is denied.",
328 "items": {
329 "type": "string"
330 }
331 }
332 },
333 "required": [
334 "token_url"
335 ],
336 "additionalProperties": false
337 },
338 "configAuthenticatorsOauth2Introspection": {
339 "type": "object",
340 "title": "OAuth 2.0 Introspection Authenticator Configuration",
341 "description": "This section is optional when the authenticator is disabled.",
342 "properties": {
343 "introspection_url": {
344 "type": "string",
345 "format": "uri",
346 "examples": [
347 "https://my-website.com/oauth2/introspection"
348 ],
349 "title": "OAuth 2.0 Introspection URL",
350 "description": "The OAuth 2.0 Token Introspection endpoint URL.\n\n>If this authenticator is enabled, this value is required."
351 },
352 "scope_strategy": {
353 "$ref": "#/definitions/scopeStrategy"
354 },
355 "pre_authorization": {
356 "title": "Pre-Authorization",
357 "description": "Enable pre-authorization in cases where the OAuth 2.0 Token Introspection endpoint is protected by OAuth 2.0 Bearer Tokens that can be retrieved using the OAuth 2.0 Client Credentials grant.",
358 "type": "object",
359 "additionalProperties": false,
360 "properties": {
361 "enabled": {
362 "title": "Enabled",
363 "type": "boolean",
364 "default": false
365 },
366 "client_id": {
367 "type": "string",
368 "title": "OAuth 2.0 Client ID",
369 "description": "The OAuth 2.0 Client ID to be used for the OAuth 2.0 Client Credentials Grant.\n\n>If pre-authorization is enabled, this value is required."
370 },
371 "client_secret": {
372 "type": "string",
373 "title": "OAuth 2.0 Client Secret",
374 "description": "The OAuth 2.0 Client Secret to be used for the OAuth 2.0 Client Credentials Grant.\n\n>If pre-authorization is enabled, this value is required."
375 },
376 "token_url": {
377 "type": "string",
378 "format": "uri",
379 "title": "OAuth 2.0 Token URL",
380 "description": "The OAuth 2.0 Token Endpoint where the OAuth 2.0 Client Credentials Grant will be performed.\n\n>If pre-authorization is enabled, this value is required."
381 },
382 "scope": {
383 "type": "array",
384 "items": {
385 "type": "string"
386 },
387 "title": "OAuth 2.0 Scope",
388 "description": "The OAuth 2.0 Scope to be requested during the OAuth 2.0 Client Credentials Grant.",
389 "examples": [
390 [
391 "[\"foo\", \"bar\"]"
392 ]
393 ]
394 }
395 },
396 "oneOf": [
397 {
398 "properties": {
399 "enabled": {
400 "const": false
401 }
402 }
403 },
404 {
405 "required": [
406 "client_id",
407 "client_secret",
408 "token_url"
409 ],
410 "properties": {
411 "enabled": {
412 "const": true
413 },
414 "client_id": {
415 "type": "string",
416 "title": "OAuth 2.0 Client ID",
417 "description": "The OAuth 2.0 Client ID to be used for the OAuth 2.0 Client Credentials Grant.\n\n>If pre-authorization is enabled, this value is required."
418 },
419 "client_secret": {
420 "type": "string",
421 "title": "OAuth 2.0 Client Secret",
422 "description": "The OAuth 2.0 Client Secret to be used for the OAuth 2.0 Client Credentials Grant.\n\n>If pre-authorization is enabled, this value is required."
423 },
424 "token_url": {
425 "type": "string",
426 "format": "uri",
427 "title": "OAuth 2.0 Token URL",
428 "description": "The OAuth 2.0 Token Endpoint where the OAuth 2.0 Client Credentials Grant will be performed.\n\n>If pre-authorization is enabled, this value is required."
429 },
430 "scope": {
431 "type": "array",
432 "items": {
433 "type": "string"
434 },
435 "title": "OAuth 2.0 Scope",
436 "description": "The OAuth 2.0 Scope to be requested during the OAuth 2.0 Client Credentials Grant.",
437 "examples": [
438 [
439 "[\"foo\", \"bar\"]"
440 ]
441 ]
442 }
443 }
444 }
445 ]
446 },
447 "required_scope": {
448 "title": "Required Scope",
449 "description": "An array of OAuth 2.0 scopes that are required when accessing an endpoint protected by this handler.\n If the token used in the Authorization header did not request that specific scope, the request is denied.",
450 "type": "array",
451 "items": {
452 "type": "string"
453 }
454 },
455 "target_audience": {
456 "title": "Target Audience",
457 "description": "An array of audiences that are required when accessing an endpoint protected by this handler.\n If the token used in the Authorization header is not intended for any of the requested audiences, the request is denied.",
458 "type": "array",
459 "items": {
460 "type": "string"
461 }
462 },
463 "trusted_issuers": {
464 "title": "Trusted Issuers",
465 "description": "The token must have been issued by one of the issuers listed in this array.",
466 "type": "array",
467 "items": {
468 "type": "string"
469 }
470 },
471 "token_from": {
472 "title": "Token From",
473 "description": "The location of the token.\n If not configured, the token will be received from a default location - 'Authorization' header.\n One and only one location (header or query) must be specified.",
474 "type": "object",
475 "oneOf": [
476 {
477 "required": [
478 "header"
479 ],
480 "properties": {
481 "header": {
482 "title": "Header",
483 "type": "string",
484 "description": "The header (case insensitive) that must contain a token for request authentication.\n It can't be set along with query_parameter."
485 }
486 }
487 },
488 {
489 "required": [
490 "query_parameter"
491 ],
492 "properties": {
493 "query_parameter": {
494 "title": "Query Parameter",
495 "type": "string",
496 "description": "The query parameter (case sensitive) that must contain a token for request authentication.\n It can't be set along with header."
497 }
498 }
499 }
500 ]
501 }
502 },
503 "required": [
504 "introspection_url"
505 ],
506 "additionalProperties": false
507 },
508 "configAuthorizersKetoEngineAcpOry": {
509 "type": "object",
510 "title": "ORY Keto Access Control Policy Authorizer Configuration",
511 "description": "This section is optional when the authorizer is disabled.",
512 "properties": {
513 "base_url": {
514 "title": "Base URL",
515 "type": "string",
516 "format": "uri",
517 "description": "The base URL of ORY Keto.\n\n>If this authorizer is enabled, this value is required.",
518 "examples": [
519 "http://my-keto/"
520 ]
521 },
522 "required_action": {
523 "type": "string",
524 "default": "unset"
525 },
526 "required_resource": {
527 "type": "string",
528 "default": "unset"
529 },
530 "subject": {
531 "type": "string"
532 },
533 "flavor": {
534 "type": "string"
535 }
536 },
537 "required": [
538 "base_url",
539 "required_action",
540 "required_resource"
541 ],
542 "additionalProperties": false
543 },
544 "configMutatorsCookie": {
545 "type": "object",
546 "title": "Cookie Mutator Configuration",
547 "description": "This section is optional when the mutator is disabled.",
548 "required": [
549 "cookies"
550 ],
551 "properties": {
552 "cookies": {
553 "type": "object",
554 "additionalProperties": {
555 "type": "string"
556 }
557 }
558 },
559 "additionalProperties": false
560 },
561 "configMutatorsHeader": {
562 "type": "object",
563 "title": "Header Mutator Configuration",
564 "description": "This section is optional when the mutator is disabled.",
565 "required": [
566 "headers"
567 ],
568 "properties": {
569 "headers": {
570 "type": "object",
571 "additionalProperties": {
572 "type": "string"
573 }
574 }
575 },
576 "additionalProperties": false
577 },
578 "configMutatorsHydrator": {
579 "type": "object",
580 "title": "Hydrator Mutator Configuration",
581 "description": "This section is optional when the mutator is disabled.",
582 "properties": {
583 "api": {
584 "additionalProperties": false,
585 "required": [
586 "url"
587 ],
588 "type": "object",
589 "properties": {
590 "url": {
591 "type": "string",
592 "format": "uri"
593 },
594 "auth": {
595 "type": "object",
596 "additionalProperties": false,
597 "properties": {
598 "basic": {
599 "required": [
600 "username",
601 "password"
602 ],
603 "type": "object",
604 "additionalProperties": false,
605 "properties": {
606 "username": {
607 "type": "string"
608 },
609 "password": {
610 "type": "string"
611 }
612 }
613 }
614 }
615 },
616 "retry": {
617 "type": "object",
618 "additionalProperties": false,
619 "properties": {
620 "number_of_retries": {
621 "type": "number",
622 "minimum": 0,
623 "default": 100
624 },
625 "delay_in_milliseconds": {
626 "type": "integer",
627 "minimum": 0,
628 "default": 3
629 }
630 }
631 }
632 }
633 }
634 },
635 "required": [
636 "api"
637 ],
638 "additionalProperties": false
639 },
640 "configMutatorsIdToken": {
641 "type": "object",
642 "title": "ID Token Mutator Configuration",
643 "description": "This section is optional when the mutator is disabled.",
644 "required": [
645 "jwks_url",
646 "issuer_url"
647 ],
648 "properties": {
649 "claims": {
650 "type": "string"
651 },
652 "issuer_url": {
653 "type": "string",
654 "title": "Issuer URL",
655 "description": "Sets the \"iss\" value of the ID Token.\n\n>If this mutator is enabled, this value is required."
656 },
657 "jwks_url": {
658 "type": "string",
659 "format": "uri",
660 "title": "JSON Web Key URL",
661 "description": "Sets the URL where keys should be fetched from. Supports remote locations (http, https) as well as local filesystem paths.\n\n>If this mutator is enabled, this value is required.",
662 "examples": [
663 "https://fetch-keys/from/this/location.json",
664 "file:///from/this/absolute/location.json",
665 "file://../from/this/relative/location.json"
666 ]
667 },
668 "ttl": {
669 "type": "string",
670 "title": "Expire After",
671 "description": "Sets the time-to-live of the JSON Web Token.",
672 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
673 "default": "1m",
674 "examples": [
675 "1h",
676 "1m",
677 "30s"
678 ]
679 }
680 },
681 "additionalProperties": false
682 }
683 },
684 "properties": {
685 "serve": {
686 "title": "HTTP(s)",
687 "additionalProperties": false,
688 "type": "object",
689 "properties": {
690 "api": {
691 "type": "object",
692 "title": "HTTP REST API",
693 "additionalProperties": false,
694 "properties": {
695 "port": {
696 "type": "number",
697 "default": 4456,
698 "title": "Port",
699 "description": "The port to listen on."
700 },
701 "host": {
702 "type": "string",
703 "default": "",
704 "examples": [
705 "localhost",
706 "127.0.0.1"
707 ],
708 "title": "Host",
709 "description": "The network interface to listen on."
710 },
711 "cors": {
712 "$ref": "#/definitions/cors"
713 },
714 "tls": {
715 "$ref": "#/definitions/tlsx"
716 }
717 }
718 },
719 "proxy": {
720 "type": "object",
721 "title": "HTTP Reverse Proxy",
722 "additionalProperties": false,
723 "properties": {
724 "port": {
725 "type": "number",
726 "default": 4455,
727 "title": "Port",
728 "description": "The port to listen on."
729 },
730 "host": {
731 "type": "string",
732 "default": "",
733 "examples": [
734 "localhost",
735 "127.0.0.1"
736 ],
737 "title": "Host",
738 "description": "The network interface to listen on. Leave empty to listen on all interfaces."
739 },
740 "timeout": {
741 "title": "HTTP Timeouts",
742 "description": "Control the reverse proxy's HTTP timeouts.",
743 "type": "object",
744 "additionalProperties": false,
745 "properties": {
746 "read": {
747 "title": "HTTP Read Timeout",
748 "type": "string",
749 "default": "5s",
750 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
751 "description": "The maximum duration for reading the entire request, including the body.",
752 "examples": [
753 "5s",
754 "5m",
755 "5h"
756 ]
757 },
758 "write": {
759 "title": "HTTP Write Timeout",
760 "type": "string",
761 "default": "120s",
762 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
763 "description": "The maximum duration before timing out writes of the response. Increase this parameter to prevent unexpectedly closing a client connection if an upstream request is responding slowly.",
764 "examples": [
765 "5s",
766 "5m",
767 "5h"
768 ]
769 },
770 "idle": {
771 "title": "HTTP Idle Timeout",
772 "type": "string",
773 "default": "120s",
774 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
775 "description": "The maximum amount of time to wait for any action of a request session, reading data or writing the response.",
776 "examples": [
777 "5s",
778 "5m",
779 "5h"
780 ]
781 }
782 }
783 },
784 "cors": {
785 "$ref": "#/definitions/cors"
786 },
787 "tls": {
788 "$ref": "#/definitions/tlsx"
789 }
790 }
791 }
792 }
793 },
794 "access_rules": {
795 "title": "Access Rules",
796 "description": "Configure access rules. All sub-keys support configuration reloading without restarting.",
797 "type": "object",
798 "additionalProperties": false,
799 "properties": {
800 "repositories": {
801 "title": "Repositories",
802 "description": "Locations (list of URLs) where access rules should be fetched from on boot. It is expected that the documents at those locations return a JSON or YAML Array containing ORY Oathkeeper Access Rules:\n\n- If the URL Scheme is `file://`, the access rules (an array of access rules is expected) will be fetched from the local file system.\n- If the URL Scheme is `inline://`, the access rules (an array of access rules is expected) are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{\"id\":\"foo-rule\",\"authenticators\":[....]}]`)).\n- If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be fetched from the provided HTTP(s) location.",
803 "type": "array",
804 "items": {
805 "type": "string",
806 "format": "uri"
807 },
808 "examples": [
809 "[\"file://path/to/rules.json\",\"inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d\",\"https://path-to-my-rules/rules.json\"]"
810 ]
811 }
812 }
813 },
814 "authenticators": {
815 "title": "Authenticators",
816 "type": "object",
817 "description": "For more information on authenticators head over to: https://www.ory.sh/docs/oathkeeper/pipeline/authn",
818 "additionalProperties": false,
819 "properties": {
820 "anonymous": {
821 "title": "Anonymous",
822 "description": "The [`anonymous` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#anonymous).",
823 "type": "object",
824 "additionalProperties": false,
825 "properties": {
826 "enabled": {
827 "$ref": "#/definitions/handlerSwitch"
828 },
829 "config": {
830 "$ref": "#/definitions/configAuthenticatorsAnonymous"
831 }
832 }
833 },
834 "noop": {
835 "title": "No Operation (noop)",
836 "description": "The [`noop` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#noop).",
837 "type": "object",
838 "additionalProperties": false,
839 "properties": {
840 "enabled": {
841 "$ref": "#/definitions/handlerSwitch"
842 }
843 }
844 },
845 "unauthorized": {
846 "title": "Unauthorized",
847 "description": "The [`unauthorized` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#unauthorized).",
848 "type": "object",
849 "additionalProperties": false,
850 "properties": {
851 "enabled": {
852 "$ref": "#/definitions/handlerSwitch"
853 }
854 }
855 },
856 "cookie_session": {
857 "title": "Cookie Session",
858 "description": "The [`cookie_session` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#cookie_session).",
859 "type": "object",
860 "additionalProperties": false,
861 "properties": {
862 "enabled": {
863 "$ref": "#/definitions/handlerSwitch"
864 },
865 "config": {
866 "$ref": "#/definitions/configAuthenticatorsCookieSession"
867 }
868 },
869 "oneOf": [
870 {
871 "properties": {
872 "enabled": {
873 "const": true
874 }
875 },
876 "required": [
877 "config"
878 ]
879 },
880 {
881 "properties": {
882 "enabled": {
883 "const": false
884 }
885 }
886 }
887 ]
888 },
889 "jwt": {
890 "title": "JSON Web Token (jwt)",
891 "description": "The [`jwt` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#jwt).",
892 "type": "object",
893 "additionalProperties": false,
894 "properties": {
895 "enabled": {
896 "$ref": "#/definitions/handlerSwitch"
897 },
898 "config": {
899 "$ref": "#/definitions/configAuthenticatorsJwt"
900 }
901 },
902 "oneOf": [
903 {
904 "properties": {
905 "enabled": {
906 "const": true
907 }
908 },
909 "required": [
910 "config"
911 ]
912 },
913 {
914 "properties": {
915 "enabled": {
916 "const": false
917 }
918 }
919 }
920 ]
921 },
922 "oauth2_client_credentials": {
923 "title": "OAuth 2.0 Client Credentials",
924 "description": "The [`oauth2_client_credentials` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_client_credentials).",
925 "type": "object",
926 "additionalProperties": false,
927 "properties": {
928 "enabled": {
929 "$ref": "#/definitions/handlerSwitch"
930 },
931 "config": {
932 "$ref": "#/definitions/configAuthenticatorsOauth2ClientCredentials"
933 }
934 },
935 "oneOf": [
936 {
937 "properties": {
938 "enabled": {
939 "const": true
940 }
941 },
942 "required": [
943 "config"
944 ]
945 },
946 {
947 "properties": {
948 "enabled": {
949 "const": false
950 }
951 }
952 }
953 ]
954 },
955 "oauth2_introspection": {
956 "title": "OAuth 2.0 Token Introspection",
957 "description": "The [`oauth2_introspection` authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection).",
958 "type": "object",
959 "additionalProperties": false,
960 "properties": {
961 "enabled": {
962 "$ref": "#/definitions/handlerSwitch"
963 },
964 "config": {
965 "$ref": "#/definitions/configAuthenticatorsOauth2Introspection"
966 }
967 },
968 "oneOf": [
969 {
970 "properties": {
971 "enabled": {
972 "const": true
973 }
974 },
975 "required": [
976 "config"
977 ]
978 },
979 {
980 "properties": {
981 "enabled": {
982 "const": false
983 }
984 }
985 }
986 ]
987 }
988 }
989 },
990 "authorizers": {
991 "title": "Authorizers",
992 "type": "object",
993 "description": "For more information on authorizers head over to: https://www.ory.sh/docs/oathkeeper/pipeline/authz",
994 "additionalProperties": false,
995 "properties": {
996 "allow": {
997 "title": "Allow",
998 "description": "The [`allow` authorizer](https://www.ory.sh/docs/oathkeeper/pipeline/authz#allow).",
999 "type": "object",
1000 "additionalProperties": false,
1001 "properties": {
1002 "enabled": {
1003 "$ref": "#/definitions/handlerSwitch"
1004 }
1005 }
1006 },
1007 "deny": {
1008 "title": "Deny",
1009 "description": "The [`deny` authorizer](https://www.ory.sh/docs/oathkeeper/pipeline/authz#allow).",
1010 "type": "object",
1011 "additionalProperties": false,
1012 "properties": {
1013 "enabled": {
1014 "$ref": "#/definitions/handlerSwitch"
1015 }
1016 }
1017 },
1018 "keto_engine_acp_ory": {
1019 "title": "ORY Keto Access Control Policies Engine",
1020 "description": "The [`keto_engine_acp_ory` authorizer](https://www.ory.sh/docs/oathkeeper/pipeline/authz#keto_engine_acp_ory).",
1021 "type": "object",
1022 "additionalProperties": false,
1023 "properties": {
1024 "enabled": {
1025 "$ref": "#/definitions/handlerSwitch"
1026 },
1027 "config": {
1028 "$ref": "#/definitions/configAuthorizersKetoEngineAcpOry"
1029 }
1030 },
1031 "oneOf": [
1032 {
1033 "properties": {
1034 "enabled": {
1035 "const": true
1036 }
1037 },
1038 "required": [
1039 "config"
1040 ]
1041 },
1042 {
1043 "properties": {
1044 "enabled": {
1045 "const": false
1046 }
1047 }
1048 }
1049 ]
1050 }
1051 }
1052 },
1053 "mutators": {
1054 "title": "Mutators",
1055 "type": "object",
1056 "description": "For more information on mutators head over to: https://www.ory.sh/docs/oathkeeper/pipeline/mutator",
1057 "additionalProperties": false,
1058 "properties": {
1059 "noop": {
1060 "title": "No Operation (noop)",
1061 "description": "The [`noop` mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#noop).",
1062 "type": "object",
1063 "additionalProperties": false,
1064 "properties": {
1065 "enabled": {
1066 "$ref": "#/definitions/handlerSwitch"
1067 }
1068 }
1069 },
1070 "cookie": {
1071 "title": "HTTP Cookie",
1072 "description": "The [`cookie` mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#cookie).",
1073 "type": "object",
1074 "additionalProperties": false,
1075 "properties": {
1076 "enabled": {
1077 "$ref": "#/definitions/handlerSwitch"
1078 },
1079 "config": {
1080 "$ref": "#/definitions/configMutatorsCookie"
1081 }
1082 },
1083 "oneOf": [
1084 {
1085 "properties": {
1086 "enabled": {
1087 "const": true
1088 }
1089 },
1090 "required": [
1091 "config"
1092 ]
1093 },
1094 {
1095 "properties": {
1096 "enabled": {
1097 "const": false
1098 }
1099 }
1100 }
1101 ]
1102 },
1103 "header": {
1104 "title": "HTTP Header",
1105 "description": "The [`header` mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#header).",
1106 "type": "object",
1107 "additionalProperties": false,
1108 "properties": {
1109 "enabled": {
1110 "$ref": "#/definitions/handlerSwitch"
1111 },
1112 "config": {
1113 "$ref": "#/definitions/configMutatorsHeader"
1114 }
1115 },
1116 "oneOf": [
1117 {
1118 "properties": {
1119 "enabled": {
1120 "const": true
1121 }
1122 },
1123 "required": [
1124 "config"
1125 ]
1126 },
1127 {
1128 "properties": {
1129 "enabled": {
1130 "const": false
1131 }
1132 }
1133 }
1134 ]
1135 },
1136 "hydrator": {
1137 "title": "Hydrator",
1138 "description": "The [`hydrator` mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#hydrator).",
1139 "type": "object",
1140 "additionalProperties": false,
1141 "properties": {
1142 "enabled": {
1143 "$ref": "#/definitions/handlerSwitch"
1144 },
1145 "config": {
1146 "$ref": "#/definitions/configMutatorsHydrator"
1147 }
1148 },
1149 "oneOf": [
1150 {
1151 "properties": {
1152 "enabled": {
1153 "const": true
1154 }
1155 },
1156 "required": [
1157 "config"
1158 ]
1159 },
1160 {
1161 "properties": {
1162 "enabled": {
1163 "const": false
1164 }
1165 }
1166 }
1167 ]
1168 },
1169 "id_token": {
1170 "title": "ID Token (JSON Web Token)",
1171 "description": "The [`id_token` mutator](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token).",
1172 "type": "object",
1173 "additionalProperties": false,
1174 "properties": {
1175 "enabled": {
1176 "$ref": "#/definitions/handlerSwitch"
1177 },
1178 "config": {
1179 "$ref": "#/definitions/configMutatorsIdToken"
1180 }
1181 },
1182 "oneOf": [
1183 {
1184 "properties": {
1185 "enabled": {
1186 "const": true
1187 }
1188 },
1189 "required": [
1190 "config"
1191 ]
1192 },
1193 {
1194 "properties": {
1195 "enabled": {
1196 "const": false
1197 }
1198 }
1199 }
1200 ]
1201 }
1202 }
1203 },
1204 "log": {
1205 "title": "Log",
1206 "description": "Configure logging using the following options. Logging will always be sent to stdout and stderr.",
1207 "type": "object",
1208 "properties": {
1209 "level": {
1210 "type": "string",
1211 "default": "info",
1212 "enum": [
1213 "panic",
1214 "fatal",
1215 "error",
1216 "warn",
1217 "info",
1218 "debug"
1219 ],
1220 "title": "Level",
1221 "description": "Debug enables stack traces on errors. Can also be set using environment variable LOG_LEVEL."
1222 },
1223 "format": {
1224 "type": "string",
1225 "default": "text",
1226 "enum": [
1227 "text",
1228 "json"
1229 ],
1230 "title": "Format",
1231 "description": "The log format can either be text or JSON."
1232 }
1233 },
1234 "additionalProperties": false
1235 },
1236 "profiling": {
1237 "title": "Profiling",
1238 "description": "Enables CPU or memory profiling if set. For more details on profiling Go programs read [Profiling Go Programs](https://blog.golang.org/profiling-go-programs).",
1239 "type": "string",
1240 "enum": [
1241 "cpu",
1242 "mem"
1243 ]
1244 }
1245 },
1246 "required": [],
1247 "additionalProperties": false
1248}