1014 lines
41 KiB
YAML
1014 lines
41 KiB
YAML
# Include{groups}
|
|
portals:
|
|
open:
|
|
# Include{portalLink}
|
|
questions:
|
|
# Include{global}
|
|
# Include{controller}
|
|
# Include{controllerDeployment}
|
|
# Include{replicas}
|
|
# Include{replica1}
|
|
# Include{strategy}
|
|
# Include{recreate}
|
|
# Include{controllerExpert}
|
|
# Include{controllerExpertExtraArgs}
|
|
# Include{containerConfig}
|
|
- variable: domain
|
|
group: "App Configuration"
|
|
label: "Domain"
|
|
description: "The highest domain level possible, for example: domain.com when using app.domain.com"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: default_redirection_url
|
|
group: "App Configuration"
|
|
label: "Default Redirection Url"
|
|
description: "If user tries to authenticate without any referer, this is used"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: theme
|
|
group: "App Configuration"
|
|
label: "Theme"
|
|
schema:
|
|
type: string
|
|
default: "light"
|
|
enum:
|
|
- value: "light"
|
|
description: "info"
|
|
- value: "grey"
|
|
description: "grey"
|
|
- value: "dark"
|
|
description: "dark"
|
|
- variable: log
|
|
group: "App Configuration"
|
|
label: "Log Configuration "
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: level
|
|
label: "Log Level"
|
|
schema:
|
|
type: string
|
|
default: "info"
|
|
enum:
|
|
- value: "info"
|
|
description: "info"
|
|
- value: "debug"
|
|
description: "debug"
|
|
- value: "trace"
|
|
description: "trace"
|
|
- variable: format
|
|
label: "Log Format"
|
|
schema:
|
|
type: string
|
|
default: "text"
|
|
enum:
|
|
- value: "json"
|
|
description: "json"
|
|
- value: "text"
|
|
description: "text"
|
|
- variable: totp
|
|
group: "App Configuration"
|
|
label: "TOTP Configuration"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: issuer
|
|
label: "Issuer"
|
|
description: "The issuer name displayed in the Authenticator application of your choice"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: period
|
|
label: "Period"
|
|
description: "The period in seconds a one-time password is current for"
|
|
schema:
|
|
type: int
|
|
default: 30
|
|
- variable: skew
|
|
label: "skew"
|
|
description: "Controls number of one-time passwords either side of the current one that are valid."
|
|
schema:
|
|
type: int
|
|
default: 1
|
|
- variable: duo_api
|
|
group: "App Configuration"
|
|
label: "DUO API Configuration"
|
|
description: "Parameters used to contact the Duo API."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: hostname
|
|
label: "Hostname"
|
|
schema:
|
|
type: string
|
|
required: true
|
|
default: ""
|
|
- variable: integration_key
|
|
label: "integration_key"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: plain_api_key
|
|
label: "plain_api_key"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: session
|
|
group: "App Configuration"
|
|
label: "Session Provider"
|
|
description: "The session cookies identify the user once logged in."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: name
|
|
label: "Cookie Name"
|
|
description: "The name of the session cookie."
|
|
schema:
|
|
type: string
|
|
required: true
|
|
default: "authelia_session"
|
|
- variable: same_site
|
|
label: "SameSite Value"
|
|
description: "Sets the Cookie SameSite value"
|
|
schema:
|
|
type: string
|
|
default: "lax"
|
|
enum:
|
|
- value: "lax"
|
|
description: "lax"
|
|
- value: "strict"
|
|
description: "strict"
|
|
- variable: expiration
|
|
label: "Expiration Time"
|
|
description: "The time in seconds before the cookie expires and session is reset."
|
|
schema:
|
|
type: string
|
|
default: "1h"
|
|
required: true
|
|
- variable: inactivity
|
|
label: "Inactivity Time"
|
|
description: "The inactivity time in seconds before the session is reset."
|
|
schema:
|
|
type: string
|
|
default: "5m"
|
|
required: true
|
|
- variable: inactivity
|
|
label: "Remember-Me duration"
|
|
description: "The remember me duration"
|
|
schema:
|
|
type: string
|
|
default: "5M"
|
|
required: true
|
|
- variable: regulation
|
|
group: "App Configuration"
|
|
label: "Regulation Configuration"
|
|
description: "his mechanism prevents attackers from brute forcing the first factor."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: max_retries
|
|
label: "Maximum Retries"
|
|
description: "The number of failed login attempts before user is banned. Set it to 0 to disable regulation."
|
|
schema:
|
|
type: int
|
|
default: 3
|
|
- variable: find_time
|
|
label: "Find Time"
|
|
description: "The time range during which the user can attempt login before being banned."
|
|
schema:
|
|
type: string
|
|
default: "2m"
|
|
required: true
|
|
- variable: ban_time
|
|
label: "Ban Duration"
|
|
description: "The length of time before a banned user can login again"
|
|
schema:
|
|
type: string
|
|
default: "5m"
|
|
required: true
|
|
- variable: authentication_backend
|
|
group: "App Configuration"
|
|
label: "Authentication Backend Provider"
|
|
description: "sed for verifying user passwords and retrieve information such as email address and groups users belong to."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: disable_reset_password
|
|
label: "Disable Reset Password"
|
|
description: "Disable both the HTML element and the API for reset password functionality"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: refresh_interval
|
|
label: "Reset Interval"
|
|
description: "The amount of time to wait before we refresh data from the authentication backend"
|
|
schema:
|
|
type: string
|
|
default: "5m"
|
|
required: true
|
|
- variable: ldap
|
|
label: "LDAP backend configuration"
|
|
description: "Used for verifying user passwords and retrieve information such as email address and groups users belong to"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: implementation
|
|
label: "Implementation"
|
|
description: "The LDAP implementation, this affects elements like the attribute utilised for resetting a password"
|
|
schema:
|
|
type: string
|
|
default: "custom"
|
|
enum:
|
|
- value: "activedirectory"
|
|
description: "activedirectory"
|
|
- value: "custom"
|
|
description: "custom"
|
|
- variable: url
|
|
label: "URL"
|
|
description: "The url to the ldap server. Format: <scheme>://<address>[:<port>]"
|
|
schema:
|
|
type: string
|
|
default: "ldap://openldap.default.svc.cluster.local"
|
|
required: true
|
|
- variable: timeout
|
|
label: "Connection Timeout"
|
|
schema:
|
|
type: string
|
|
default: "5s"
|
|
required: true
|
|
- variable: start_tls
|
|
label: "Start TLS"
|
|
description: "Use StartTLS with the LDAP connection"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: tls
|
|
label: "TLS Settings"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: server_name
|
|
label: "Server Name"
|
|
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: skip_verify
|
|
label: "Skip Certificate Verification"
|
|
description: "Skip verifying the server certificate (to allow a self-signed certificate)"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: minimum_version
|
|
label: "Minimum TLS version"
|
|
description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS."
|
|
schema:
|
|
type: string
|
|
default: "TLS1.2"
|
|
enum:
|
|
- value: "TLS1.0"
|
|
description: "TLS1.0"
|
|
- value: "TLS1.1"
|
|
description: "TLS1.1"
|
|
- value: "TLS1.2"
|
|
description: "TLS1.2"
|
|
- value: "TLS1.3"
|
|
description: "TLS1.3"
|
|
- variable: base_dn
|
|
label: "Base DN"
|
|
description: "The base dn for every LDAP query."
|
|
schema:
|
|
type: string
|
|
default: "DC=example,DC=com"
|
|
required: true
|
|
- variable: username_attribute
|
|
label: "Username Attribute"
|
|
description: "The attribute holding the username of the user"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: additional_users_dn
|
|
label: "Additional Users DN"
|
|
description: "An additional dn to define the scope to all users."
|
|
schema:
|
|
type: string
|
|
default: "OU=Users"
|
|
required: true
|
|
- variable: users_filter
|
|
label: "Users Filter"
|
|
description: "The groups filter used in search queries to find the groups of the user."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: additional_groups_dn
|
|
label: "Additional Groups DN"
|
|
description: "An additional dn to define the scope of groups."
|
|
schema:
|
|
type: string
|
|
default: "OU=Groups"
|
|
required: true
|
|
- variable: groups_filter
|
|
label: "Groups Filter"
|
|
description: "The groups filter used in search queries to find the groups of the user."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: group_name_attribute
|
|
label: "Group name Attribute"
|
|
description: "The attribute holding the name of the group"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: mail_attribute
|
|
label: "Mail Attribute"
|
|
description: "The attribute holding the primary mail address of the user"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: display_name_attribute
|
|
label: "Display Name Attribute"
|
|
description: "he attribute holding the display name of the user. This will be used to greet an authenticated user."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: user
|
|
label: "Admin User"
|
|
description: "The username of the admin user used to connect to LDAP."
|
|
schema:
|
|
type: string
|
|
default: "CN=Authelia,DC=example,DC=com"
|
|
required: true
|
|
- variable: plain_password
|
|
label: "Password"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: file
|
|
label: "File backend configuration"
|
|
description: "With this backend, the users database is stored in a file which is updated when users reset their passwords."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: path
|
|
label: "Path"
|
|
schema:
|
|
type: string
|
|
default: "/config/users_database.yml"
|
|
required: true
|
|
- variable: password
|
|
label: "Password Settings"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: algorithm
|
|
label: "Algorithm"
|
|
schema:
|
|
type: string
|
|
default: "argon2id"
|
|
enum:
|
|
- value: "argon2id"
|
|
description: "argon2id"
|
|
- value: "sha512"
|
|
description: "sha512"
|
|
- variable: iterations
|
|
label: "Iterations"
|
|
schema:
|
|
type: int
|
|
default: 1
|
|
required: true
|
|
- variable: key_length
|
|
label: "Key Length"
|
|
schema:
|
|
type: int
|
|
default: 32
|
|
required: true
|
|
- variable: salt_length
|
|
label: "Salt Length"
|
|
schema:
|
|
type: int
|
|
default: 16
|
|
required: true
|
|
- variable: memory
|
|
label: "Memory"
|
|
schema:
|
|
type: int
|
|
default: 1024
|
|
required: true
|
|
- variable: parallelism
|
|
label: "Parallelism"
|
|
schema:
|
|
type: int
|
|
default: 8
|
|
required: true
|
|
- variable: notifier
|
|
group: "App Configuration"
|
|
label: "Notifier Configuration"
|
|
description: "otifications are sent to users when they require a password reset, a u2f registration or a TOTP registration."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: disable_startup_check
|
|
label: "Disable Startup Check"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: filesystem
|
|
label: "Filesystem Provider"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: filename
|
|
label: "File Path"
|
|
schema:
|
|
type: string
|
|
default: "/config/notification.txt"
|
|
required: true
|
|
- variable: smtp
|
|
label: "SMTP Provider"
|
|
description: "Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "Enable"
|
|
schema:
|
|
type: boolean
|
|
default: true
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: host
|
|
label: "Host"
|
|
schema:
|
|
type: string
|
|
default: "smtp.mail.svc.cluster.local"
|
|
required: true
|
|
- variable: port
|
|
label: "Port"
|
|
schema:
|
|
type: int
|
|
default: 25
|
|
required: true
|
|
- variable: timeout
|
|
label: "Timeout"
|
|
schema:
|
|
type: string
|
|
default: "5s"
|
|
required: true
|
|
- variable: username
|
|
label: "Username"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: plain_password
|
|
label: "Password"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: sender
|
|
label: "Sender"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: identifier
|
|
label: "Identifier"
|
|
description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost."
|
|
schema:
|
|
type: string
|
|
default: "localhost"
|
|
required: true
|
|
- variable: subject
|
|
label: "Subject"
|
|
description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier"
|
|
schema:
|
|
type: string
|
|
default: "[Authelia] {title}"
|
|
required: true
|
|
- variable: startup_check_address
|
|
label: "Startup Check Address"
|
|
description: "This address is used during the startup check to verify the email configuration is correct."
|
|
schema:
|
|
type: string
|
|
default: "test@authelia.com"
|
|
required: true
|
|
- variable: disable_require_tls
|
|
label: "Disable Require TLS"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: disable_html_emails
|
|
label: "Disable HTML emails"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: tls
|
|
label: "TLS Settings"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: server_name
|
|
label: "Server Name"
|
|
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
- variable: skip_verify
|
|
label: "Skip Certificate Verification"
|
|
description: "Skip verifying the server certificate (to allow a self-signed certificate)"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: minimum_version
|
|
label: "Minimum TLS version"
|
|
description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS."
|
|
schema:
|
|
type: string
|
|
default: "TLS1.2"
|
|
enum:
|
|
- value: "TLS1.0"
|
|
description: "TLS1.0"
|
|
- value: "TLS1.1"
|
|
description: "TLS1.1"
|
|
- value: "TLS1.2"
|
|
description: "TLS1.2"
|
|
- value: "TLS1.3"
|
|
description: "TLS1.3"
|
|
- variable: access_control
|
|
group: "App Configuration"
|
|
label: "Access Control Configuration"
|
|
description: "Access control is a list of rules defining the authorizations applied for one resource to users or group of users."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: default_policy
|
|
label: "Default Policy"
|
|
description: "Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'."
|
|
schema:
|
|
type: string
|
|
default: "two_factor"
|
|
enum:
|
|
- value: "bypass"
|
|
description: "bypass"
|
|
- value: "one_factor"
|
|
description: "one_factor"
|
|
- value: "two_factor"
|
|
description: "two_factor"
|
|
- value: "deny"
|
|
description: "deny"
|
|
- variable: networks
|
|
label: "Networks"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: networkItem
|
|
label: "Network Item"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: name
|
|
label: "Name"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: networks
|
|
label: "Networks"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: network
|
|
label: "network"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: rules
|
|
label: "Rules"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: rulesItem
|
|
label: "Rule"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: domain
|
|
label: "Domains"
|
|
description: "defines which domain or set of domains the rule applies to."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: domainEntry
|
|
label: "Domain"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: policy
|
|
label: "Policy"
|
|
description: "The policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'."
|
|
schema:
|
|
type: string
|
|
default: "two_factor"
|
|
enum:
|
|
- value: "bypass"
|
|
description: "bypass"
|
|
- value: "one_factor"
|
|
description: "one_factor"
|
|
- value: "two_factor"
|
|
description: "two_factor"
|
|
- value: "deny"
|
|
description: "deny"
|
|
- variable: subject
|
|
label: "Subject"
|
|
description: "defines the subject to apply authorizations to. This parameter is optional and matching any user if not provided"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: subjectitem
|
|
label: "Subject"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: networks
|
|
label: "Networks"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: network
|
|
label: "Network"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: resources
|
|
label: "Resources"
|
|
description: "is a list of regular expressions that matches a set of resources to apply the policy to"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: resource
|
|
label: "Resource"
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
# Include{serviceRoot}
|
|
- variable: main
|
|
label: "Main Service"
|
|
description: "The Primary service on which the healthcheck runs, often the webUI"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
# Include{serviceSelectorLoadBalancer}
|
|
# Include{serviceSelectorExtras}
|
|
- variable: main
|
|
label: "Main Service Port Configuration"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: port
|
|
label: "Port"
|
|
description: "This port exposes the container port on the service"
|
|
schema:
|
|
type: int
|
|
default: 9091
|
|
required: true
|
|
# Include{advancedPortHTTP}
|
|
- variable: targetPort
|
|
label: "Target Port"
|
|
description: "The internal(!) port on the container the Application runs on"
|
|
schema:
|
|
type: int
|
|
default: 9091
|
|
# Include{serviceExpertRoot}
|
|
default: false
|
|
# Include{serviceExpert}
|
|
# Include{serviceList}
|
|
# Include{persistenceRoot}
|
|
- variable: config
|
|
label: "App Config Storage"
|
|
description: "Stores the Application Configuration."
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
# Include{persistenceBasic}
|
|
# Include{persistenceAdvanced}
|
|
# Include{persistenceList}
|
|
# Include{ingressRoot}
|
|
- variable: main
|
|
label: "Main Ingress"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
# Include{ingressDefault}
|
|
# Include{ingressTLS}
|
|
# Include{ingressTraefik}
|
|
# Include{ingressExpert}
|
|
# Include{ingressList}
|
|
# Include{security}
|
|
# Include{securityContextAdvancedRoot}
|
|
- variable: privileged
|
|
label: "Privileged mode"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: readOnlyRootFilesystem
|
|
label: "ReadOnly Root Filesystem"
|
|
schema:
|
|
type: boolean
|
|
default: true
|
|
- variable: allowPrivilegeEscalation
|
|
label: "Allow Privilege Escalation"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: runAsNonRoot
|
|
label: "runAsNonRoot"
|
|
schema:
|
|
type: boolean
|
|
default: true
|
|
# Include{securityContextAdvanced}
|
|
# Include{podSecurityContextRoot}
|
|
- variable: runAsUser
|
|
label: "runAsUser"
|
|
description: "The UserID of the user running the application"
|
|
schema:
|
|
type: int
|
|
default: 568
|
|
- variable: runAsGroup
|
|
label: "runAsGroup"
|
|
description: "The groupID this App of the user running the application"
|
|
schema:
|
|
type: int
|
|
default: 568
|
|
- variable: fsGroup
|
|
label: "fsGroup"
|
|
description: "The group that should own ALL storage."
|
|
schema:
|
|
type: int
|
|
default: 568
|
|
# Include{podSecurityContextAdvanced}
|
|
# Include{resources}
|
|
# Include{advanced}
|
|
# Include{addons}
|
|
# Include{documentation}
|
|
- variable: identity_providers
|
|
group: "Advanced"
|
|
label: "Authelia Identity Providers (BETA)"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: oidc
|
|
label: "OpenID Connect(BETA)"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: enabled
|
|
label: "enabled"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
show_subquestions_if: true
|
|
subquestions:
|
|
- variable: access_token_lifespan
|
|
label: "Access Token Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "1h"
|
|
required: true
|
|
- variable: authorize_code_lifespan
|
|
label: "Authorize Code Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "1m"
|
|
required: true
|
|
- variable: id_token_lifespan
|
|
label: "ID Token Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "1h"
|
|
required: true
|
|
- variable: refresh_token_lifespan
|
|
label: "Refresh Token Lifespan"
|
|
schema:
|
|
type: string
|
|
default: "90m"
|
|
required: true
|
|
- variable: enable_client_debug_messages
|
|
label: "Enable Client Debug Messages"
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: clients
|
|
label: "Clients"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: clientEntry
|
|
label: "Client"
|
|
schema:
|
|
additional_attrs: true
|
|
type: dict
|
|
attrs:
|
|
- variable: id
|
|
label: "ID/Name"
|
|
description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration."
|
|
schema:
|
|
type: string
|
|
default: "myapp"
|
|
required: true
|
|
- variable: description
|
|
label: "Description"
|
|
description: "The description to show to users when they end up on the consent screen. Defaults to the ID above."
|
|
schema:
|
|
type: string
|
|
default: "My Application"
|
|
required: true
|
|
- variable: secret
|
|
label: "Secret"
|
|
description: "The client secret is a shared secret between Authelia and the consumer of this client."
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: public
|
|
label: "public"
|
|
description: "Sets the client to public. This should typically not be set, please see the documentation for usage."
|
|
schema:
|
|
type: boolean
|
|
default: false
|
|
- variable: authorization_policy
|
|
label: "Authorization Policy"
|
|
description: "The policy to require for this client; one_factor or two_factor."
|
|
schema:
|
|
type: string
|
|
default: "two_factor"
|
|
enum:
|
|
- value: "one_factor"
|
|
description: "one_factor"
|
|
- value: "two_factor"
|
|
description: "two_factor"
|
|
- variable: userinfo_signing_algorithm
|
|
label: "Userinfo Signing Algorithm"
|
|
description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256."
|
|
schema:
|
|
type: string
|
|
default: "none"
|
|
enum:
|
|
- value: "none"
|
|
description: "none"
|
|
- value: "RS256"
|
|
description: "RS256"
|
|
- variable: audience
|
|
label: "Audience"
|
|
description: "Audience this client is allowed to request."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: audienceEntry
|
|
label: ""
|
|
schema:
|
|
type: string
|
|
default: ""
|
|
required: true
|
|
- variable: scopes
|
|
label: "Scopes"
|
|
description: "Scopes this client is allowed to request."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: ScopeEntry
|
|
label: "Scope"
|
|
schema:
|
|
type: string
|
|
default: "openid"
|
|
required: true
|
|
- variable: redirect_uris
|
|
label: "redirect_uris"
|
|
description: "Redirect URI's specifies a list of valid case-sensitive callbacks for this client."
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: uriEntry
|
|
label: "Url"
|
|
schema:
|
|
type: string
|
|
default: "https://oidc.example.com/oauth2/callback"
|
|
required: true
|
|
- variable: grant_types
|
|
description: "Grant Types configures which grants this client can obtain."
|
|
label: "grant_types"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: grantEntry
|
|
label: "Grant"
|
|
schema:
|
|
type: string
|
|
default: "refresh_token"
|
|
required: true
|
|
- variable: response_types
|
|
description: "Response Types configures which responses this client can be sent."
|
|
label: "response_types"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: responseEntry
|
|
label: "type"
|
|
schema:
|
|
type: string
|
|
default: "code"
|
|
required: true
|
|
- variable: response_modes
|
|
description: "Response Modes configures which response modes this client supports."
|
|
label: "response_modes"
|
|
schema:
|
|
type: list
|
|
default: []
|
|
items:
|
|
- variable: modeEntry
|
|
label: "Mode"
|
|
schema:
|
|
type: string
|
|
default: "form_post"
|
|
required: true
|