-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
diridp.dist.yaml
183 lines (157 loc) · 7.02 KB
/
diridp.dist.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
# Example configuration for diridp that lists all available options.
#
# Because this file lists all options, it seems long, but many of the
# non-required options already have sensible defaults and don't need to be
# specified.
#
# General notes:
# - Durations are in seconds.
# - Unless otherwise specified, relative paths are resolved against the current
# working directory when the process is started.
# Default directory for state, if not overriden by the provider.
state_dir: "/var/lib/diridp"
# REQUIRED: One or more provider configurations.
#
# Each provider entry defines a unique issuer with its own keys. The name of
# the entry can be considered private; it is used for logging purposes, and as
# a default state subdirectory name.
#
# This can also be a list instead of map, in which case names are automatically
# derived from `issuer`.
providers:
main:
# REQUIRED: Issuer for the token `iss` claim and the discovery document.
issuer: "https://example.com"
# Directory where public web files are written.
#
# If not set, derived as: `<state_dir>/<provider>/webroot`
#
# This directory will be created if it does not exist.
webroot: "/var/lib/diridp/test/webroot"
# Absolute path within the webroot where the JWKs document is written.
jwks_path: "/jwks.json"
# Absolute URL to the JWKs document, as set in the discovery document.
#
# If not set, derived as: issuer + jwks_path
jwks_uri: "https://example.com/jwks.json"
# Any additional claims added to all tokens of this provider.
#
# Note that `iss`, `iat`, `exp` and `nbf` are automatically set.
claims:
# Just an example. It's often more useful to add claims per-token.
locale: "nl-NL"
# REQUIRED: One or more configurations for signing keys.
#
# If more than one key is configured here, token configurations below must
# specify a `key_name`. The name of the key is simply the `alg` by default,
# but in complicated setups this may run into conflicts. In that case, you
# can use a map here, instead of a list, and manually assign names.
#
# The following example sections demonstrate all the supported types of
# signing keys, roughly in order of preference.
keys:
# EdDSA using curve25519 and SHA512. This is an all-around good first
# choice if the service you wish to use the tokens with supports it, but
# support is likely limited.
- alg: EdDSA
crv: Ed25519
# ECDSA using the NIST P-256 curve, and SHA256. This is the most widely
# supported elliptic curve cryptography implementation.
- alg: ES256
# RSA-PSS using SHA256. This is preferred over RS256 if supported, but
# support may be limited,
- alg: PS256
# RSA algorithms allow specifying a key size. The default is 2048-bits,
# and while you may choose a smaller size, many verifiers are now
# rejecting keys smaller than 2048 bits. Larger sizes are usually only
# needed when there are specific security requirements.
key_size: 2048
# RSA-PKCS#1 using SHA256. This is the most widely supported of all
# algorithms, but one of the more modern alternatives above should be
# preferred, if possible.
- alg: RS256
# Optional, same as for PS256.
key_size: 2048
# These variants of the above are also supported, but typically only
# useful when there is a specific security requirement.
- alg: ES384
- alg: PS384
- alg: PS512
- alg: RS384
- alg: RS512
# The following are common properties supported by ALL algorithms.
# These are all optional and listed with their defaults.
# Directory where keys are stored.
#
# If not set, derived as: `<state_dir>/<provider>/keys/<key>`
#
# This directory will be created if it does not exist, and permissions will
# be set to 0700 (only accessible by the owner).
dir: "/var/lib/diridp/main/keys/RS512"
# Duration a key is used, before being rotated.
lifespan: 86400 # 1 day
# Duration before and after key lifespan during which the key is still
# announced. This should be larger than the Cache-Control age you apply to
# the webroot from which public keys are served.
#
# If not set, derived as: lifespan / 4
publish_margin: 21600
# REQUIRED: One or more tokens issued by this provider.
tokens:
-
# REQUIRED: Path where to write the token.
#
# The recommended location is somewhere in `/run/diridp`. Systemd can
# create this directory for you with `RuntimeDirectory=`. Diridp does
# not otherwise use this directory for anything special, so its
# contents are entirely up to you.
#
# The parent directory of the token itself MUST already exist. This is
# a requirement because setting correct permissions on the directory is
# essential for security. File permissions on the token itself are NOT
# preserved when the token is rotated.
#
# One solution is to use the systemd option `ExecStartPre=` to run a
# script before startup that creates the directories, for example:
#
# install -d -o diridp -g my-app -m 0750 /run/diridp/my-application
#
path: "/run/diridp/my-application/token"
# Which signing key from the `keys` section to use for this token.
# REQUIRED IF there are multiple keys configured.
key_name: EdDSA
# Duration the token is valid.
lifespan: 3600
# Duration from the current token creation time after which to rotate
# it. This must not be larger than `lifespan`.
#
# If not set, derived as: lifespan * 3 / 4
refresh: 2700
# Margin to apply to the `nbf` claim.
#
# This can be used to account for clock skew, though must clients will
# also add some margin for the same purpose.
nbf_margin: 5
# Any additional claims to add to this token.
#
# Note that `iss`, `iat`, `exp` and `nbf` are automatically set.
#
# If provider claims were also specified, the two are merged together,
# with token claims taking precedence on conflict.
claims:
# RECOMMENDED: Clients typically require `sub` and `aud` claims.
sub: "my-application"
aud: "some-cloud-service.example.com"
-
# Alternative: path with a parameter.
#
# A claim is added to the token matching the parameter name, in this
# example: `sub`. Currently, only one parameter is supported in the
# next-to-last position, as shown in this example.
#
# The parent directory `/path/to/some/directory` MUST already exist.
# This directory will be monitored, and tokens will be generated for
# all subdirectories inside it.
path: "/run/diridp/applications/:sub/token"
claims:
aud: "some-cloud-service.example.com"