# Include{groups}
|
|
portals:
|
|
open:
|
|
# Include{portalLink}
|
|
questions:
|
|
# Include{global}
|
|
# Include{controller}
|
|
# Include{replicas}
|
|
# Include{replica1}
|
|
# Include{controllerExpertExtraArgs}
|
|
# Include{containerConfig}
|
|
- variable: domain
|
|
group: "App Configuration"
|
|
label: "Domain"
|
|
description: "The highest domain level possible, for example: domain.com when using app.domain.com"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: default_redirection_url
|
|
group: "App Configuration"
|
|
label: "Default Redirection Url"
|
|
description: "If user tries to authenticate without any referer, this is used"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: theme
|
|
group: "App Configuration"
|
|
label: "Theme"
|
|
schema:
|
|
type: string
|
|
default: "auto"
|
|
enum:
|
|
- value: "auto"
|
|
description: "auto"
|
|
- value: "light"
|
|
description: "light"
|
|
- value: "grey"
|
|
description: "grey"
|
|
- value: "dark"
|
|
description: "dark"
|
|
- variable: log
|
|
group: "App Configuration"
|
|
label: "Log Configuration"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: level
|
|
label: "Log Level"
|
|
schema:
|
|
type: string
|
|
default: "info"
|
|
enum:
|
|
- value: "info"
|
|
description: "info"
|
|
- value: "debug"
|
|
description: "debug"
|
|
- value: "trace"
|
|
description: "trace"
|
|
- variable: format
|
|
label: "Log Format"
|
|
schema:
|
|
type: string
|
|
default: "text"
|
|
enum:
|
|
- value: "json"
|
|
description: "json"
|
|
- value: "text"
|
|
description: "text"
|
|
- variable: totp
|
|
group: "App Configuration"
|
|
label: "TOTP Configuration"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: issuer
|
|
label: "Issuer"
|
|
description: "The issuer name displayed in the Authenticator application of your choice"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: period
|
|
label: "Period"
|
|
description: "The period in seconds a one-time password is current for"
|
|
schema:
|
|
type: int
|
|
default: 30
|
|
- variable: skew
|
|
label: "Skew"
|
|
description: "Controls the number of one-time passwords either side of the current one that are valid."
|
|
schema:
|
|
type: int
|
|
default: 1
|
|
- variable: duo_api
|
|
group: "App Configuration"
|
|
label: "DUO API Configuration"
|
|
description: "Parameters used to contact the Duo API."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: hostname
|
|
label: "Hostname"
|
|
schema:
|
|
type: string
|
|
required: true
|
|
default: ""
|
|
- variable: integration_key
|
|
label: "integration_key"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: plain_api_key
|
|
label: "plain_api_key"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: session
|
|
group: "App Configuration"
|
|
label: "Session Provider"
|
|
description: "The session cookies identify the user once logged in."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: name
|
|
label: "Cookie Name"
|
|
description: "The name of the session cookie."
|
|
schema:
|
|
type: string
|
|
required: true
|
|
default: "authelia_session"
|
|
- variable: same_site
|
|
label: "SameSite Value"
|
|
description: "Sets the Cookie SameSite value"
|
|
schema:
|
|
type: string
|
|
default: "lax"
|
|
enum:
|
|
- value: "lax"
|
|
description: "lax"
|
|
- value: "strict"
|
|
description: "strict"
|
|
- variable: expiration
|
|
label: "Expiration Time"
|
|
description: "The time in seconds before the cookie expires and session is reset."
|
|
schema:
|
|
type: string
|
|
default: "1h"
|
|
required: true
|
|
- variable: inactivity
|
|
label: "Inactivity Time"
|
|
description: "The inactivity time in seconds before the session is reset."
|
|
schema:
|
|
type: string
|
|
default: "5m"
|
|
required: true
|
|
# NOTE(review): this entry reuses the variable name `inactivity`, which the
# preceding entry (label "Inactivity Time", default "5m") already declares in
# the same attrs list. Two entries with one variable name collide, so the
# remember-me value is never written under a key of its own and can instead
# overwrite the inactivity timeout. Presumably this should map to Authelia's
# session remember-me duration option — confirm against the chart template
# before renaming it.
- variable: inactivity
  label: "Remember-Me duration"
  description: "The remember me duration"
  schema:
    type: string
    default: "5M"
    required: true
|
|
- variable: regulation
|
|
group: "App Configuration"
|
|
label: "Regulation Configuration"
|
|
description: "This mechanism prevents attackers from brute-forcing the first factor."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: max_retries
|
|
label: "Maximum Retries"
|
|
description: "The number of failed login attempts before user is banned. Set it to 0 to disable regulation."
|
|
schema:
|
|
type: int
|
|
default: 3
|
|
- variable: find_time
|
|
label: "Find Time"
|
|
description: "The time range during which the user can attempt login before being banned."
|
|
schema:
|
|
type: string
|
|
default: "2m"
|
|
required: true
|
|
- variable: ban_time
|
|
label: "Ban Duration"
|
|
description: "The length of time before a banned user can login again"
|
|
schema:
|
|
type: string
|
|
default: "5m"
|
|
required: true
|
|
- variable: authentication_backend
|
|
group: "App Configuration"
|
|
label: "Authentication Backend Provider"
|
|
description: "Used for verifying user passwords and retrieving information such as email address and groups users belong to."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: disable_reset_password
|
|
label: "Disable Reset Password"
|
|
description: "Disable both the HTML element and the API for reset password functionality"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: refresh_interval
|
|
label: "Refresh Interval"
|
|
description: "The amount of time to wait before we refresh data from the authentication backend"
|
|
schema:
|
|
type: string
|
|
default: "5m"
|
|
required: true
|
|
- variable: ldap
|
|
label: "LDAP backend configuration"
|
|
description: "Used for verifying user passwords and retrieving information such as email address and groups users belong to"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: implementation
|
|
label: "Implementation"
|
|
description: "The LDAP implementation, this affects elements like the attribute utilised for resetting a password"
|
|
schema:
|
|
type: string
|
|
default: "custom"
|
|
enum:
|
|
- value: "activedirectory"
|
|
description: "activedirectory"
|
|
- value: "custom"
|
|
description: "custom"
|
|
- variable: url
|
|
label: "URL"
|
|
description: "The url to the ldap server. Format: <scheme>://<address>[:<port>]"
|
|
schema:
|
|
type: string
|
|
default: "ldap://openldap.default.svc.cluster.local"
|
|
required: true
|
|
- variable: timeout
|
|
label: "Connection Timeout"
|
|
schema:
|
|
type: string
|
|
default: "5s"
|
|
required: true
|
|
- variable: start_tls
|
|
label: "Start TLS"
|
|
description: "Use StartTLS with the LDAP connection"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: tls
|
|
label: "TLS Settings"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: server_name
|
|
label: "Server Name"
|
|
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
# NOTE(review): when true the LDAP server certificate is not validated at all,
# which removes the protection against an impersonated directory server on the
# path that carries the bind password and user credentials. Keep this false and
# trust the self-signed issuer explicitly where the chart allows it.
- variable: skip_verify
  label: "Skip Certificate Verification"
  description: "Skip verifying the server certificate (to allow a self-signed certificate)"
  schema:
    type: boolean
    default: false
|
|
# NOTE(review): TLS1.0 and TLS1.1 are deprecated (RFC 8996) and are offered
# here only for legacy directory servers; the default of TLS1.2 should not be
# lowered without a documented reason.
- variable: minimum_version
  label: "Minimum TLS version"
  description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS."
  schema:
    type: string
    default: "TLS1.2"
    enum:
      - value: "TLS1.0"
        description: "TLS1.0"
      - value: "TLS1.1"
        description: "TLS1.1"
      - value: "TLS1.2"
        description: "TLS1.2"
      - value: "TLS1.3"
        description: "TLS1.3"
|
|
- variable: base_dn
|
|
label: "Base DN"
|
|
description: "The base dn for every LDAP query."
|
|
schema:
|
|
type: string
|
|
default: "DC=example,DC=com"
|
|
required: true
|
|
- variable: username_attribute
|
|
label: "Username Attribute"
|
|
description: "The attribute holding the username of the user"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: additional_users_dn
|
|
label: "Additional Users DN"
|
|
description: "An additional dn to define the scope to all users."
|
|
schema:
|
|
type: string
|
|
default: "OU=Users"
|
|
required: true
|
|
- variable: users_filter
|
|
label: "Users Filter"
|
|
description: "The users filter used in search queries to find the user."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: additional_groups_dn
|
|
label: "Additional Groups DN"
|
|
description: "An additional dn to define the scope of groups."
|
|
schema:
|
|
type: string
|
|
default: "OU=Groups"
|
|
required: true
|
|
- variable: groups_filter
|
|
label: "Groups Filter"
|
|
description: "The groups filter used in search queries to find the groups of the user."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: group_name_attribute
|
|
label: "Group name Attribute"
|
|
description: "The attribute holding the name of the group"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: mail_attribute
|
|
label: "Mail Attribute"
|
|
description: "The attribute holding the primary mail address of the user"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: display_name_attribute
|
|
label: "Display Name Attribute"
|
|
description: "The attribute holding the display name of the user. This will be used to greet an authenticated user."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: user
|
|
label: "Admin User"
|
|
description: "The username of the admin user used to connect to LDAP."
|
|
schema:
|
|
type: string
|
|
default: "CN=Authelia,DC=example,DC=com"
|
|
required: true
|
|
- variable: plain_password
|
|
label: "Password"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: file
|
|
label: "File backend configuration"
|
|
description: "With this backend, the users database is stored in a file which is updated when users reset their passwords."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: path
|
|
label: "Path"
|
|
schema:
|
|
type: string
|
|
default: "/config/users_database.yml"
|
|
required: true
|
|
- variable: password
|
|
label: "Password Settings"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: algorithm
|
|
label: "Algorithm"
|
|
schema:
|
|
type: string
|
|
default: "argon2id"
|
|
enum:
|
|
- value: "argon2id"
|
|
description: "argon2id"
|
|
- value: "sha512"
|
|
description: "sha512"
|
|
- variable: iterations
|
|
label: "Iterations"
|
|
schema:
|
|
type: int
|
|
default: 1
|
|
required: true
|
|
- variable: key_length
|
|
label: "Key Length"
|
|
schema:
|
|
type: int
|
|
default: 32
|
|
required: true
|
|
- variable: salt_length
|
|
label: "Salt Length"
|
|
schema:
|
|
type: int
|
|
default: 16
|
|
required: true
|
|
- variable: memory
|
|
label: "Memory"
|
|
schema:
|
|
type: int
|
|
default: 1024
|
|
required: true
|
|
- variable: parallelism
|
|
label: "Parallelism"
|
|
schema:
|
|
type: int
|
|
default: 8
|
|
required: true
|
|
- variable: notifier
|
|
group: "App Configuration"
|
|
label: "Notifier Configuration"
|
|
description: "Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: disable_startup_check
|
|
label: "Disable Startup Check"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: filesystem
|
|
label: "Filesystem Provider"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: filename
|
|
label: "File Path"
|
|
schema:
|
|
type: string
|
|
default: "/config/notification.txt"
|
|
required: true
|
|
- variable: smtp
|
|
label: "SMTP Provider"
|
|
description: "Use an SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: true
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: host
|
|
label: "Host"
|
|
schema:
|
|
type: string
|
|
default: "smtp.mail.svc.cluster.local"
|
|
required: true
|
|
- variable: port
|
|
label: "Port"
|
|
schema:
|
|
type: int
|
|
default: 25
|
|
required: true
|
|
- variable: timeout
|
|
label: "Timeout"
|
|
schema:
|
|
type: string
|
|
default: "5s"
|
|
required: true
|
|
- variable: username
|
|
label: "Username"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: plain_password
|
|
label: "Password"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: sender
|
|
label: "Sender"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: identifier
|
|
label: "Identifier"
|
|
description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost."
|
|
schema:
|
|
type: string
|
|
default: "localhost"
|
|
required: true
|
|
- variable: subject
|
|
label: "Subject"
|
|
description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier"
|
|
schema:
|
|
type: string
|
|
default: "[Authelia] {title}"
|
|
required: true
|
|
- variable: startup_check_address
|
|
label: "Startup Check Address"
|
|
description: "This address is used during the startup check to verify the email configuration is correct."
|
|
schema:
|
|
type: string
|
|
default: "test@authelia.com"
|
|
required: true
|
|
- variable: disable_require_tls
|
|
label: "Disable Require TLS"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: disable_html_emails
|
|
label: "Disable HTML emails"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: tls
|
|
label: "TLS Settings"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: server_name
|
|
label: "Server Name"
|
|
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
# NOTE(review): when true the mail server certificate is not validated at all,
# which removes the protection against an impersonated SMTP server on the path
# that carries the SMTP credentials and password-reset mails. Keep this false
# and trust the self-signed issuer explicitly where the chart allows it.
- variable: skip_verify
  label: "Skip Certificate Verification"
  description: "Skip verifying the server certificate (to allow a self-signed certificate)"
  schema:
    type: boolean
    default: false
|
|
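# NOTE(review): TLS1.0 and TLS1.1 are deprecated (RFC 8996) and are offered
# here only for legacy mail servers; the default of TLS1.2 should not be
# lowered without a documented reason.
# The description previously repeated the LDAP wording ("Secure LDAP or LDAP
# StartTLS"); this entry sits under the SMTP provider's TLS settings.
- variable: minimum_version
  label: "Minimum TLS version"
  description: "Minimum TLS version for the SMTP connection."
  schema:
    type: string
    default: "TLS1.2"
    enum:
      - value: "TLS1.0"
        description: "TLS1.0"
      - value: "TLS1.1"
        description: "TLS1.1"
      - value: "TLS1.2"
        description: "TLS1.2"
      - value: "TLS1.3"
        description: "TLS1.3"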
|
|
- variable: access_control
|
|
group: "App Configuration"
|
|
label: "Access Control Configuration"
|
|
description: "Access control is a list of rules defining the authorizations applied for one resource to users or group of users."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: default_policy
|
|
label: "Default Policy"
|
|
description: "Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'."
|
|
schema:
|
|
type: string
|
|
default: "two_factor"
|
|
enum:
|
|
- value: "bypass"
|
|
description: "bypass"
|
|
- value: "one_factor"
|
|
description: "one_factor"
|
|
- value: "two_factor"
|
|
description: "two_factor"
|
|
- value: "deny"
|
|
description: "deny"
|
|
- variable: networks
|
|
label: "Networks"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: networkItem
|
|
label: "Network Item"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: name
|
|
label: "Name"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: networks
|
|
label: "Networks"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: network
|
|
label: "network"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: rules
|
|
label: "Rules"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: rulesItem
|
|
label: "Rule"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: domain
|
|
label: "Domains"
|
|
description: "Defines which domain or set of domains the rule applies to."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: domainEntry
|
|
label: "Domain"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: policy
|
|
label: "Policy"
|
|
description: "The policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'."
|
|
schema:
|
|
type: string
|
|
default: "two_factor"
|
|
enum:
|
|
- value: "bypass"
|
|
description: "bypass"
|
|
- value: "one_factor"
|
|
description: "one_factor"
|
|
- value: "two_factor"
|
|
description: "two_factor"
|
|
- value: "deny"
|
|
description: "deny"
|
|
- variable: subject
|
|
label: "Subject"
|
|
description: "Defines the subject to apply authorizations to. This parameter is optional and matches any user if not provided."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: subjectitem
|
|
label: "Subject"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: networks
|
|
label: "Networks"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: network
|
|
label: "Network"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: resources
|
|
label: "Resources"
|
|
description: "A list of regular expressions that match the set of resources the policy applies to."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: resource
|
|
label: "Resource"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
# Include{serviceRoot}
|
|
- variable: main
|
|
label: "Main Service"
|
|
description: "The Primary service on which the healthcheck runs, often the webUI"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
# Include{serviceSelectorLoadBalancer}
|
|
# Include{serviceSelectorExtras}
|
|
- variable: main
|
|
label: "Main Service Port Configuration"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: port
|
|
label: "Port"
|
|
description: "This port exposes the container port on the service"
|
|
schema:
|
|
type: int
|
|
default: 9091
|
|
required: true
|
|
# Include{serviceExpertRoot}
|
|
default: false
|
|
# Include{serviceExpert}
|
|
# Include{serviceList}
|
|
# Include{persistenceRoot}
|
|
- variable: config
|
|
label: "App Config Storage"
|
|
description: "Stores the Application Configuration."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
# Include{persistenceBasic}
|
|
# Include{persistenceList}
|
|
# Include{ingressRoot}
|
|
- variable: main
|
|
label: "Main Ingress"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
# Include{ingressDefault}
|
|
# Include{ingressTLS}
|
|
# Include{ingressTraefik}
|
|
# Include{ingressList}
|
|
# Include{security}
|
|
# Include{securityContextAdvancedRoot}
|
|
- variable: privileged
|
|
label: "Privileged mode"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: readOnlyRootFilesystem
|
|
label: "ReadOnly Root Filesystem"
|
|
schema:
|
|
type: boolean
|
|
default: true
|
|
- variable: allowPrivilegeEscalation
|
|
label: "Allow Privilege Escalation"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: runAsNonRoot
|
|
label: "runAsNonRoot"
|
|
schema:
|
|
type: boolean
|
|
default: true
|
|
# Include{podSecurityContextRoot}
|
|
- variable: runAsUser
|
|
label: "runAsUser"
|
|
description: "The UserID of the user running the application"
|
|
schema:
|
|
type: int
|
|
default: 568
|
|
- variable: runAsGroup
|
|
label: "runAsGroup"
|
|
description: "The group ID of the user running the application"
|
|
schema:
|
|
type: int
|
|
default: 568
|
|
- variable: fsGroup
|
|
label: "fsGroup"
|
|
description: "The group that should own ALL storage."
|
|
schema:
|
|
type: int
|
|
default: 568
|
|
# Include{podSecurityContextAdvanced}
|
|
# Include{resources}
|
|
# Include{advanced}
|
|
# Include{addons}
|
|
# Include{codeserver}
|
|
# Include{vpn}
|
|
# Include{documentation}
|
|
- variable: identity_providers
|
|
group: "Advanced"
|
|
label: "Authelia Identity Providers (BETA)"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: oidc
|
|
label: "OpenID Connect(BETA)"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "enabled"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: access_token_lifespan
|
|
label: "Access Token Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "1h"
|
|
required: true
|
|
- variable: authorize_code_lifespan
|
|
label: "Authorize Code Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "1m"
|
|
required: true
|
|
- variable: id_token_lifespan
|
|
label: "ID Token Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "1h"
|
|
required: true
|
|
- variable: refresh_token_lifespan
|
|
label: "Refresh Token Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "90m"
|
|
required: true
|
|
- variable: enable_client_debug_messages
|
|
label: "Enable Client Debug Messages"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: clients
|
|
label: "Clients"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: clientEntry
|
|
label: "Client"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: id
|
|
label: "ID/Name"
|
|
description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration."
|
|
schema:
|
|
type: string
|
|
default: "myapp"
|
|
required: true
|
|
- variable: description
|
|
label: "Description"
|
|
description: "The description to show to users when they end up on the consent screen. Defaults to the ID above."
|
|
schema:
|
|
type: string
|
|
default: "My Application"
|
|
required: true
|
|
- variable: secret
|
|
label: "Secret"
|
|
description: "The client secret is a shared secret between Authelia and the consumer of this client."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: public
|
|
label: "public"
|
|
description: "Sets the client to public. This should typically not be set, please see the documentation for usage."
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: authorization_policy
|
|
label: "Authorization Policy"
|
|
description: "The policy to require for this client; one_factor or two_factor."
|
|
schema:
|
|
type: string
|
|
default: "two_factor"
|
|
enum:
|
|
- value: "one_factor"
|
|
description: "one_factor"
|
|
- value: "two_factor"
|
|
description: "two_factor"
|
|
- variable: consent_mode
|
|
label: "Consent Mode"
|
|
description: "Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.)"
|
|
schema:
|
|
type: string
|
|
default: "auto"
|
|
enum:
|
|
- value: "auto"
|
|
description: "auto"
|
|
- value: "explicit"
|
|
description: "explicit"
|
|
- value: "implicit"
|
|
description: "implicit"
|
|
- variable: userinfo_signing_algorithm
|
|
label: "Userinfo Signing Algorithm"
|
|
description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256."
|
|
schema:
|
|
type: string
|
|
default: "none"
|
|
enum:
|
|
- value: "none"
|
|
description: "none"
|
|
- value: "RS256"
|
|
description: "RS256"
|
|
- variable: audience
|
|
label: "Audience"
|
|
description: "Audience this client is allowed to request."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: audienceEntry
|
|
label: ""
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: scopes
|
|
label: "Scopes"
|
|
description: "Scopes this client is allowed to request."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: ScopeEntry
|
|
label: "Scope"
|
|
schema:
|
|
type: string
|
|
default: "openid"
|
|
required: true
|
|
- variable: redirect_uris
|
|
label: "redirect_uris"
|
|
description: "Redirect URIs specify the list of valid case-sensitive callbacks for this client."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: uriEntry
|
|
label: "Url"
|
|
schema:
|
|
type: string
|
|
default: "https://oidc.example.com/oauth2/callback"
|
|
required: true
|
|
- variable: grant_types
|
|
description: "Grant Types configures which grants this client can obtain."
|
|
label: "grant_types"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: grantEntry
|
|
label: "Grant"
|
|
schema:
|
|
type: string
|
|
default: "refresh_token"
|
|
required: true
|
|
- variable: response_types
|
|
description: "Response Types configures which responses this client can be sent."
|
|
label: "response_types"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: responseEntry
|
|
label: "type"
|
|
schema:
|
|
type: string
|
|
default: "code"
|
|
required: true
|
|
- variable: response_modes
|
|
description: "Response Modes configures which response modes this client supports."
|
|
label: "response_modes"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: modeEntry
|
|
label: "Mode"
|
|
schema:
|
|
type: string
|
|
default: "form_post"
|
|
required: true
|