1187 lines
50 KiB
YAML
1187 lines
50 KiB
YAML
# Include{groups}
|
||
portals:
|
||
open:
|
||
# Include{portalLink}
|
||
questions:
|
||
# Include{global}
|
||
# Include{credentials}
|
||
# Include{workload}
|
||
# Include{workloadDeployment}
|
||
# Include{replicas2}
|
||
# Include{podSpec}
|
||
# Include{containerMain}
|
||
# Include{containerBasic}
|
||
# Include{containerAdvanced}
|
||
# Include{containerConfig}
|
||
# Include{podOptions}
|
||
- variable: domain
|
||
group: "App Configuration"
|
||
label: "Domain"
|
||
description: "The highest domain level possible, for example: domain.com when using app.domain.com"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: default_redirection_url
|
||
group: "App Configuration"
|
||
label: "Default Redirection URL"
|
||
description: "If user tries to authenticate without any referrer, this is used"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
valid_chars: '^https?:\/\/(.*)'
|
||
- variable: theme
|
||
group: "App Configuration"
|
||
label: "Theme"
|
||
schema:
|
||
type: string
|
||
default: "auto"
|
||
enum:
|
||
- value: "auto"
|
||
description: "auto"
|
||
- value: "light"
|
||
description: "light"
|
||
- value: "grey"
|
||
description: "grey"
|
||
- value: "dark"
|
||
description: "dark"
|
||
- variable: log
|
||
group: "App Configuration"
|
||
label: "Log Configuration"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: level
|
||
label: "Log Level"
|
||
schema:
|
||
type: string
|
||
default: "info"
|
||
enum:
|
||
- value: "info"
|
||
description: "info"
|
||
- value: "debug"
|
||
description: "debug"
|
||
- value: "trace"
|
||
description: "trace"
|
||
- variable: format
|
||
label: "Log Format"
|
||
schema:
|
||
type: string
|
||
default: "text"
|
||
enum:
|
||
- value: "json"
|
||
description: "json"
|
||
- value: "text"
|
||
description: "text"
|
||
- variable: server
|
||
group: "App Configuration"
|
||
label: "Server Configuration"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: write_buffer_size
|
||
label: "Write Buffer Size"
|
||
description: "Configures the maximum response size. The default of 4096 is generally sufficient for most use cases."
|
||
schema:
|
||
type: int
|
||
default: 4096
|
||
- variable: read_buffer_size
|
||
label: "Read Buffer Size"
|
||
description: "Configures the maximum request size. The default of 4096 is generally sufficient for most use cases."
|
||
schema:
|
||
type: int
|
||
default: 4096
|
||
- variable: totp
|
||
group: "App Configuration"
|
||
label: "TOTP Configuration"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: issuer
|
||
label: "Issuer"
|
||
description: "The issuer name displayed in the Authenticator application of your choice"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
- variable: period
|
||
label: "Period"
|
||
description: "The period in seconds a one-time password is current for"
|
||
schema:
|
||
type: int
|
||
default: 30
|
||
- variable: skew
|
||
label: "skew"
|
||
description: "Controls number of one-time passwords either side of the current one that are valid."
|
||
schema:
|
||
type: int
|
||
default: 1
|
||
- variable: password_policy
|
||
group: "App Configuration"
|
||
label: "Password Policy Configuration"
|
||
description: "Authelia allows administrators to configure an enforced password policy. Choose one of Standard or zxcvbn and not both, refer to upstream docs for more info "
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enable"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: standard
|
||
label: Standard
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: Enabled
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: min_length
|
||
label: "Minimum Password Length"
|
||
description: "Minimum Password Length"
|
||
schema:
|
||
type: int
|
||
required: true
|
||
show_if: [["enabled", "=", true]]
|
||
default: 8
|
||
- variable: max_length
|
||
label: "Max Passsword Length"
|
||
description: "Max Password Length"
|
||
schema:
|
||
type: int
|
||
required: true
|
||
show_if: [["enabled", "=", true]]
|
||
default: 0
|
||
- variable: require_uppercase
|
||
label: "Require Upppercase"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_if: [["enabled", "=", true]]
|
||
required: true
|
||
- variable: require_lowercase
|
||
label: "Require Lowercase"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_if: [["enabled", "=", true]]
|
||
required: true
|
||
- variable: require_number
|
||
label: "Require Numbers"
|
||
description: "Require Numbers in the password"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_if: [["enabled", "=", true]]
|
||
required: true
|
||
- variable: require_special
|
||
label: "Require Special Characters"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_if: [["enabled", "=", true]]
|
||
- variable: zxcvbn
|
||
label: zxcvbn
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: Enabled
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
required: true
|
||
- variable: min_score
|
||
label: "Min Score"
|
||
schema:
|
||
type: int
|
||
required: true
|
||
show_if: [["enabled", "=", true]]
|
||
default: 3
|
||
- variable: duo_api
|
||
group: "App Configuration"
|
||
label: "DUO API Configuration"
|
||
description: "Parameters used to contact the Duo API."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enable"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: hostname
|
||
label: "Hostname"
|
||
schema:
|
||
type: string
|
||
required: true
|
||
default: ""
|
||
- variable: integration_key
|
||
label: "integration_key"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: plain_api_key
|
||
label: "plain_api_key"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: session
|
||
group: "App Configuration"
|
||
label: "Session Provider"
|
||
description: "The session cookies identify the user once logged in."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: name
|
||
label: "Cookie Name"
|
||
description: |
|
||
The name of the session cookie. By default this is set to authelia_session.
|
||
It’s mostly useful to change this if you are doing development or running multiple instances of Authelia.
|
||
schema:
|
||
type: string
|
||
required: true
|
||
default: "authelia_session"
|
||
- variable: same_site
|
||
label: "SameSite Value"
|
||
description: |
|
||
You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally
|
||
the most desirable option for Authelia. None is not recommended unless you absolutely know what you’re doing
|
||
and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in
|
||
this state but it’s available as an option anyway.
|
||
schema:
|
||
type: string
|
||
default: "lax"
|
||
enum:
|
||
- value: "lax"
|
||
description: "lax"
|
||
- value: "strict"
|
||
description: "strict"
|
||
- variable: expiration
|
||
label: "Expiration Time"
|
||
description: |
|
||
The period of time before the cookie expires and the session is destroyed. This is overriden by
|
||
remember_me_duration when the remember me box is checked.
|
||
schema:
|
||
type: string
|
||
default: "1h"
|
||
required: true
|
||
- variable: inactivity
|
||
label: "Inactivity Time"
|
||
description: |
|
||
The period of time the user can be inactive for until the session is destroyed when the remember me box is
|
||
not checked or is otherwise disabled. Useful if you want long session timers but don’t want unused devices to be vulnerable.
|
||
schema:
|
||
type: string
|
||
default: "5m"
|
||
required: true
|
||
- variable: remember_me_duration
|
||
label: "Remember-Me duration"
|
||
description: |
|
||
The period of time before the cookie expires and the session is destroyed when the remember me box is checked, a user
|
||
selecting this option negates the inactivity timeout. Setting this to -1 disables this feature entirely.
|
||
schema:
|
||
type: string
|
||
default: "5M"
|
||
required: true
|
||
- variable: regulation
|
||
group: "App Configuration"
|
||
label: "Regulation Configuration"
|
||
description: "This mechanism prevents attackers from brute forcing the first factor."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: max_retries
|
||
label: "Maximum Retries"
|
||
description: "The number of failed login attempts before user is banned. Set it to 0 to disable regulation."
|
||
schema:
|
||
type: int
|
||
default: 3
|
||
- variable: find_time
|
||
label: "Find Time"
|
||
description: |
|
||
The period of time analyzed for failed attempts. For example if you set max_retries to 3 and find_time to
|
||
2m this means the user must have 3 failed logins in 2 minutes.
|
||
schema:
|
||
type: string
|
||
default: "2m"
|
||
required: true
|
||
- variable: ban_time
|
||
label: "Ban Duration"
|
||
description: |
|
||
The period of time the user is banned for after meeting the max_retries and find_time configuration.
|
||
After this duration the account will be able to login again.
|
||
schema:
|
||
type: string
|
||
default: "5m"
|
||
required: true
|
||
- variable: authentication_backend
|
||
group: "App Configuration"
|
||
label: "Authentication Backend Provider"
|
||
description: |
|
||
Used for verifying user passwords and retrieve information such as email
|
||
address and groups users belong to.
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: disable_reset_password
|
||
label: "Disable Reset Password"
|
||
description: "Disable both the HTML element and the API for reset password functionality"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: refresh_interval
|
||
label: "Reset Interval"
|
||
description: "The amount of time to wait before we refresh data from the authentication backend"
|
||
schema:
|
||
type: string
|
||
default: "5m"
|
||
required: true
|
||
- variable: ldap
|
||
label: "LDAP backend configuration"
|
||
description: "Used for verifying user passwords and retrieve information such as email address and groups users belong to"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enable"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: implementation
|
||
label: "Implementation"
|
||
description: "The LDAP implementation, this affects elements like the attribute utilized for resetting a password"
|
||
schema:
|
||
type: string
|
||
default: "custom"
|
||
enum:
|
||
- value: "activedirectory"
|
||
description: "Active Directory"
|
||
- value: "custom"
|
||
description: "Custom"
|
||
- variable: url
|
||
label: "URL"
|
||
description: "The url to the ldap server. Format: <scheme>://<address>[:<port>]"
|
||
schema:
|
||
type: string
|
||
default: "ldap://openldap.default.svc.cluster.local"
|
||
required: true
|
||
- variable: timeout
|
||
label: "Connection Timeout"
|
||
schema:
|
||
type: string
|
||
default: "5s"
|
||
required: true
|
||
- variable: start_tls
|
||
label: "Start TLS"
|
||
description: "Use StartTLS with the LDAP connection"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: tls
|
||
label: "TLS Settings"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: server_name
|
||
label: "Server Name"
|
||
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
- variable: skip_verify
|
||
label: "Skip Certificate Verification"
|
||
description: "Skip verifying the server certificate (to allow a self-signed certificate)"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: minimum_version
|
||
label: "Minimum TLS version"
|
||
description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS."
|
||
schema:
|
||
type: string
|
||
default: "TLS1.2"
|
||
enum:
|
||
- value: "TLS1.0"
|
||
description: "TLS1.0"
|
||
- value: "TLS1.1"
|
||
description: "TLS1.1"
|
||
- value: "TLS1.2"
|
||
description: "TLS1.2"
|
||
- value: "TLS1.3"
|
||
description: "TLS1.3"
|
||
- variable: base_dn
|
||
label: "Base DN"
|
||
description: "The base dn for every LDAP query."
|
||
schema:
|
||
type: string
|
||
default: "DC=example,DC=com"
|
||
required: true
|
||
- variable: username_attribute
|
||
label: "Username Attribute"
|
||
description: "The attribute holding the username of the user"
|
||
schema:
|
||
type: string
|
||
default: "uid"
|
||
required: true
|
||
- variable: additional_users_dn
|
||
label: "Additional Users DN"
|
||
description: "An additional dn to define the scope to all users."
|
||
schema:
|
||
type: string
|
||
default: "OU=people"
|
||
required: true
|
||
- variable: users_filter
|
||
label: "Users Filter"
|
||
description: "The groups filter used in search queries to find the groups of the user."
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: additional_groups_dn
|
||
label: "Additional Groups DN"
|
||
description: "An additional dn to define the scope of groups."
|
||
schema:
|
||
type: string
|
||
default: "OU=Groups"
|
||
required: true
|
||
- variable: groups_filter
|
||
label: "Groups Filter"
|
||
description: "The groups filter used in search queries to find the groups of the user."
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: group_name_attribute
|
||
label: "Group name Attribute"
|
||
description: "The attribute holding the name of the group"
|
||
schema:
|
||
type: string
|
||
default: "cn"
|
||
required: true
|
||
- variable: mail_attribute
|
||
label: "Mail Attribute"
|
||
description: "The attribute holding the primary mail address of the user"
|
||
schema:
|
||
type: string
|
||
default: "mail"
|
||
required: true
|
||
- variable: display_name_attribute
|
||
label: "Display Name Attribute"
|
||
description: "he attribute holding the display name of the user. This will be used to greet an authenticated user."
|
||
schema:
|
||
type: string
|
||
default: "displayName"
|
||
- variable: user
|
||
label: "Admin User"
|
||
description: "The username of the admin user used to connect to LDAP."
|
||
schema:
|
||
type: string
|
||
default: "CN=admin,ou=people,DC=example,DC=com"
|
||
required: true
|
||
- variable: plain_password
|
||
label: "Password"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: file
|
||
label: "File backend configuration"
|
||
description: "With this backend, the users database is stored in a file which is updated when users reset their passwords."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enable"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: path
|
||
label: "Path"
|
||
schema:
|
||
type: string
|
||
default: "/config/users_database.yml"
|
||
required: true
|
||
- variable: password
|
||
label: "Password Settings"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: algorithm
|
||
label: "Algorithm"
|
||
schema:
|
||
type: string
|
||
default: "argon2id"
|
||
enum:
|
||
- value: "argon2id"
|
||
description: "argon2id"
|
||
- value: "sha512"
|
||
description: "sha512"
|
||
- variable: iterations
|
||
label: "Iterations"
|
||
schema:
|
||
type: int
|
||
default: 1
|
||
required: true
|
||
- variable: key_length
|
||
label: "Key Length"
|
||
schema:
|
||
type: int
|
||
default: 32
|
||
required: true
|
||
- variable: salt_length
|
||
label: "Salt Length"
|
||
schema:
|
||
type: int
|
||
default: 16
|
||
required: true
|
||
- variable: memory
|
||
label: "Memory"
|
||
schema:
|
||
type: int
|
||
default: 1024
|
||
required: true
|
||
- variable: parallelism
|
||
label: "Parallelism"
|
||
schema:
|
||
type: int
|
||
default: 8
|
||
required: true
|
||
- variable: notifier
|
||
group: "App Configuration"
|
||
label: "Notifier Configuration"
|
||
description: "Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: disable_startup_check
|
||
label: "Disable Startup Check"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: filesystem
|
||
label: "Filesystem Provider"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enable"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: filename
|
||
label: "File Path"
|
||
schema:
|
||
type: string
|
||
default: "/config/notification.txt"
|
||
required: true
|
||
- variable: smtp
|
||
label: "SMTP Provider"
|
||
description: "Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enable"
|
||
schema:
|
||
type: boolean
|
||
default: true
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: host
|
||
label: "Host"
|
||
schema:
|
||
type: string
|
||
default: "smtp.mail.svc.cluster.local"
|
||
required: true
|
||
- variable: port
|
||
label: "Port"
|
||
schema:
|
||
type: int
|
||
default: 25
|
||
required: true
|
||
- variable: timeout
|
||
label: "Timeout"
|
||
schema:
|
||
type: string
|
||
default: "5s"
|
||
required: true
|
||
- variable: username
|
||
label: "Username"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
- variable: plain_password
|
||
label: "Password"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
- variable: sender
|
||
label: "Sender"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: identifier
|
||
label: "Identifier"
|
||
description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost."
|
||
schema:
|
||
type: string
|
||
default: "localhost"
|
||
required: true
|
||
- variable: subject
|
||
label: "Subject"
|
||
description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier"
|
||
schema:
|
||
type: string
|
||
default: "[Authelia] {title}"
|
||
required: true
|
||
- variable: startup_check_address
|
||
label: "Startup Check Address"
|
||
description: "This address is used during the startup check to verify the email configuration is correct."
|
||
schema:
|
||
type: string
|
||
default: "test@authelia.com"
|
||
required: true
|
||
- variable: disable_require_tls
|
||
label: "Disable Require TLS"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: disable_html_emails
|
||
label: "Disable HTML emails"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: tls
|
||
label: "TLS Settings"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: server_name
|
||
label: "Server Name"
|
||
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
- variable: skip_verify
|
||
label: "Skip Certificate Verification"
|
||
description: "Skip verifying the server certificate (to allow a self-signed certificate)"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: minimum_version
|
||
label: "Minimum TLS version"
|
||
description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS."
|
||
schema:
|
||
type: string
|
||
default: "TLS1.2"
|
||
enum:
|
||
- value: "TLS1.0"
|
||
description: "TLS1.0"
|
||
- value: "TLS1.1"
|
||
description: "TLS1.1"
|
||
- value: "TLS1.2"
|
||
description: "TLS1.2"
|
||
- value: "TLS1.3"
|
||
description: "TLS1.3"
|
||
- variable: access_control
|
||
group: "App Configuration"
|
||
label: "Access Control Configuration"
|
||
description: "Access control is a list of rules defining the authorizations applied for one resource to users or group of users."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: default_policy
|
||
label: "Default Policy"
|
||
description: |
|
||
The default policy defines the policy applied if no rules section apply to the information known about the request.
|
||
It is recommended that this is configured to deny for security reasons. Sites which you do not wish to secure at all
|
||
with Authelia should not be configured in your reverse proxy to perform authentication with Authelia at all for performance reasons.
|
||
schema:
|
||
type: string
|
||
default: "deny"
|
||
enum:
|
||
- value: "bypass"
|
||
description: "bypass"
|
||
- value: "one_factor"
|
||
description: "one_factor"
|
||
- value: "two_factor"
|
||
description: "two_factor"
|
||
- value: "deny"
|
||
description: "deny"
|
||
- variable: networks_access_control
|
||
label: "Networks"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: networkItem
|
||
label: "Network Item"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: name
|
||
label: "Name"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: networks
|
||
label: "Networks"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: network
|
||
label: "network"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: rules
|
||
label: "Rules"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: rulesItem
|
||
label: "Rule"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: domain
|
||
label: "Domains"
|
||
description: "Defines which domain or set of domains the rule applies to."
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: domainEntry
|
||
label: "Domain"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: domain_regex
|
||
label: "Domains RegEx"
|
||
description: "defines which domain or set of domains the rule applies to using regular expressions."
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: domainRegexEntry
|
||
label: "Domain RegEx"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: policy
|
||
label: "Policy"
|
||
description: |
|
||
The specific policy to apply to the selected rule. This is not criteria for a match, this is the
|
||
action to take when a match is made.
|
||
schema:
|
||
type: string
|
||
default: "two_factor"
|
||
enum:
|
||
- value: "bypass"
|
||
description: "bypass"
|
||
- value: "one_factor"
|
||
description: "one_factor"
|
||
- value: "two_factor"
|
||
description: "two_factor"
|
||
- value: "deny"
|
||
description: "deny"
|
||
- variable: subject
|
||
label: "Subject"
|
||
description: |
|
||
This criteria matches identifying characteristics about the subject. Currently this is either
|
||
user or groups the user belongs to. This allows you to effectively control exactly what each user is
|
||
authorized to access or to specifically require two-factor authentication to specific users. Subjects
|
||
are prefixed with either user: or group: to identify which part of the identity to check.
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: subjectitem
|
||
label: "Subject"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: networks
|
||
label: "Networks"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: network
|
||
label: "Network"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: resources
|
||
label: "Resources"
|
||
description: "is a list of regular expressions that matches a set of resources to apply the policy to"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: resource
|
||
label: "Resource"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
# Include{serviceRoot}
|
||
- variable: main
|
||
label: "Main Service"
|
||
description: "The Primary service on which the healthcheck runs, often the webUI"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
# Include{serviceSelectorLoadBalancer}
|
||
# Include{serviceSelectorExtras}
|
||
- variable: main
|
||
label: "Main Service Port Configuration"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: port
|
||
label: "Port"
|
||
description: "This port exposes the container port on the service"
|
||
schema:
|
||
type: int
|
||
default: 9091
|
||
required: true
|
||
# Include{externalInterfaces}
|
||
|
||
# Include{serviceList}
|
||
# Include{persistenceRoot}
|
||
- variable: config
|
||
label: "App Config Storage"
|
||
description: "Stores the Application Configuration."
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
# Include{persistenceBasic}
|
||
# Include{persistenceList}
|
||
# Include{ingressRoot}
|
||
- variable: main
|
||
label: "Main Ingress"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
# Include{ingressDefault}
|
||
# Include{ingressAdvanced}
|
||
# Include{ingressList}
|
||
# Include{securityContextRoot}
|
||
- variable: runAsUser
|
||
label: "runAsUser"
|
||
description: "The UserID of the user running the application"
|
||
schema:
|
||
type: int
|
||
default: 568
|
||
- variable: runAsGroup
|
||
label: "runAsGroup"
|
||
description: "The groupID of the user running the application"
|
||
schema:
|
||
type: int
|
||
default: 568
|
||
# Include{securityContextContainer}
|
||
# Include{securityContextAdvanced}
|
||
# Include{securityContextPod}
|
||
- variable: fsGroup
|
||
label: "fsGroup"
|
||
description: "The group that should own ALL storage."
|
||
schema:
|
||
type: int
|
||
default: 568
|
||
# Include{resources}
|
||
# Include{postgresql}
|
||
# Include{advanced}
|
||
- variable: identity_providers
|
||
group: "Experimental"
|
||
label: "Authelia Identity Providers (BETA)"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: oidc
|
||
label: "OpenID Connect(BETA)"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: enabled
|
||
label: "Enabled"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: access_token_lifespan
|
||
label: "Access Token Lifespan"
|
||
schema:
|
||
type: string
|
||
default: "1h"
|
||
required: true
|
||
- variable: authorize_code_lifespan
|
||
label: "Authorize Code Lifespan"
|
||
schema:
|
||
type: string
|
||
default: "1m"
|
||
required: true
|
||
- variable: id_token_lifespan
|
||
label: "ID Token Lifespan"
|
||
schema:
|
||
type: string
|
||
default: "1h"
|
||
required: true
|
||
- variable: refresh_token_lifespan
|
||
label: "Refresh Token Lifespan"
|
||
schema:
|
||
type: string
|
||
default: "90m"
|
||
required: true
|
||
- variable: enable_client_debug_messages
|
||
label: "Enable Client Debug Messages"
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: clients
|
||
label: "Clients"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: clientEntry
|
||
label: "Client"
|
||
schema:
|
||
additional_attrs: true
|
||
type: dict
|
||
attrs:
|
||
- variable: id
|
||
label: "ID/Name"
|
||
description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration."
|
||
schema:
|
||
type: string
|
||
default: "myapp"
|
||
required: true
|
||
- variable: description
|
||
label: "Description"
|
||
description: "The description to show to users when they end up on the consent screen. Defaults to the ID above."
|
||
schema:
|
||
type: string
|
||
default: "My Application"
|
||
required: true
|
||
- variable: secret
|
||
label: "Secret"
|
||
description: "The client secret is a shared secret between Authelia and the consumer of this client."
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: public
|
||
label: "public"
|
||
description: "Sets the client to public. This should typically not be set, please see the documentation for usage."
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
- variable: authorization_policy
|
||
label: "Authorization Policy"
|
||
description: "The policy to require for this client; one_factor or two_factor."
|
||
schema:
|
||
type: string
|
||
default: "two_factor"
|
||
enum:
|
||
- value: "one_factor"
|
||
description: "one_factor"
|
||
- value: "two_factor"
|
||
description: "two_factor"
|
||
- variable: consent_mode
|
||
label: "Consent Mode"
|
||
description: |
|
||
Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or
|
||
implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.)
|
||
schema:
|
||
type: string
|
||
default: "auto"
|
||
enum:
|
||
- value: "auto"
|
||
description: "auto"
|
||
- value: "explicit"
|
||
description: "explicit"
|
||
- value: "implicit"
|
||
description: "implicit"
|
||
- variable: userinfo_signing_algorithm
|
||
label: "Userinfo Signing Algorithm"
|
||
description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256."
|
||
schema:
|
||
type: string
|
||
default: "none"
|
||
enum:
|
||
- value: "none"
|
||
description: "none"
|
||
- value: "RS256"
|
||
description: "RS256"
|
||
- variable: audience
|
||
label: "Audience"
|
||
description: "Audience this client is allowed to request."
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: audienceEntry
|
||
label: ""
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
required: true
|
||
- variable: scopes
|
||
label: "Scopes"
|
||
description: "Scopes this client is allowed to request."
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: ScopeEntry
|
||
label: "Scope"
|
||
schema:
|
||
type: string
|
||
default: "openid"
|
||
required: true
|
||
- variable: redirect_uris
|
||
label: "redirect_uris"
|
||
description: "Redirect URI's specifies a list of valid case-sensitive callbacks for this client."
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: uriEntry
|
||
label: "Url"
|
||
schema:
|
||
type: string
|
||
default: "https://oidc.example.com/oauth2/callback"
|
||
required: true
|
||
- variable: grant_types
|
||
description: "Grant Types configures which grants this client can obtain."
|
||
label: "grant_types"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: grantEntry
|
||
label: "Grant"
|
||
schema:
|
||
type: string
|
||
default: "refresh_token"
|
||
required: true
|
||
- variable: response_types
|
||
description: "Response Types configures which responses this client can be sent."
|
||
label: "response_types"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: responseEntry
|
||
label: "type"
|
||
schema:
|
||
type: string
|
||
default: "code"
|
||
required: true
|
||
- variable: response_modes
|
||
description: "Response Modes configures which response modes this client supports."
|
||
label: "response_modes"
|
||
schema:
|
||
type: list
|
||
default: []
|
||
items:
|
||
- variable: modeEntry
|
||
label: "Mode"
|
||
schema:
|
||
type: string
|
||
default: "form_post"
|
||
required: true
|
||
- variable: token_endpoint_auth_method
|
||
description: "The supported client authentication methods this client supports."
|
||
label: "token_endpoint_auth_method"
|
||
schema:
|
||
type: string
|
||
default: ""
|
||
enum:
|
||
- value: "client_secret_basic"
|
||
description: "client_secret_basic"
|
||
- value: "client_secret_post"
|
||
description: "client_secret_post"
|
||
- value: "client_secret_jwt"
|
||
description: "client_secret_jwt"
|
||
- value: "private_key_jwt"
|
||
description: "private_key_jwt"
|
||
- value: "none"
|
||
description: "none"
|
||
- variable: require_pkce
|
||
label: "Require PKCE"
|
||
description: "This configuration option enforces the use of PKCE for this registered client."
|
||
schema:
|
||
type: boolean
|
||
default: false
|
||
show_subquestions_if: true
|
||
subquestions:
|
||
- variable: pkce_challange_method
|
||
label: "PKCE Challange Method"
|
||
description: "This setting enforces the use of the specified PKCE challenge method for this individual client."
|
||
schema:
|
||
type: string
|
||
default: S256
|
||
enum:
|
||
- value: "plain"
|
||
description: "plain"
|
||
- value: "S256"
|
||
description: "S256"
|
||
# Include{addons}
|
||
# Include{codeserver}
|
||
# Include{vpn}
|
||
# Include{netshoot}
|
||
# Include{documentation}
|