The ForwardAuth application needs a configuration file called application.yaml to run. The easiest way is to supply the configuration file like described by Spring Boot Application Property Files examples.
- Quoted from the Spring Boot documentation
SpringApplication loads properties from application.properties files in the following locations and adds them to the Spring Environment:
A /config subdirectory of the current directory
The current directory
A classpath /config package
The classpath root
ForwardAuth is built using the Spring Boot application framework. It has a built-in and very flexible externalized configuration feature, read the Spring Boot documentation of externalized configuration for a complete description of all Spring Boot configuration features.
Complete configuration file format¶
# This is the forward authentiction configuration file for the Spring Boot application. # Put this file somewhere where springboot will find it. # # For example in /config/application.yaml # To select another port or another environment with less logging to stdout, # set the environment variables ENV(DEV,TEST or PRODUCTION) and PORT to something you like. # The default values are env DEV and port 8080. # # The values below where you need to fill in your own values is found in Applications # and Api in Auth0 management website. # domain: https://xxxxx.xx.auth0.com/ token-endpoint: https://xxx.xx.auth0.com/oauth/token authorize-url: https://xxxx.xx.auth0.com/authorize userinfo-endpoint: https://xxxx.xx.auth0.com/userinfo logout-endpoint: https://xxxx.xx.auth0.com/v2/logout # Configure max age for nonce cookie to 5 min, default value if not supplied is 1 min. nonce-max-age: 300 # By default all logging is directed to STDOUT/CONSOLE # But if you need to direct the logs to a file you can comment out the setting below. # The logfiles will be rotated daily, and kept for 7 days. # logging.file: <path to log file for example /var/log/auth.log # default application that is hostname of received request does not # match any of the applications in the apps list will use, or if # properties in the matched application in the apps list is not present # the property value in the default app will be used instead. default: name: example.test client-id: <from auth0 application config> client-secret: <from auth0 application config> audience: <from auth0 api config> or blank scope: "profile openid email" redirect-uri: http://www.example.test/oauth2/signin token-cookie-domain: example.test # this is the url to redirect to after successfull /signout has been called. # this url must also be set on the Application in Auth0 as valid signout redirect url. return-to: https://www.example.test # By default all method (GET, HEAD, OPTION, DELETE, PUT, PATCH and POST) # is restricted and must have an access token and a id token set in the # browser cookies. restricted-methods: - GET - HEAD - OPTION - DELETE - PUT - PATCH - POST # the ID Token from Auth0 contains user claims, specify a list of claims you want to # pass to the protected website. The access token is always added to the protected request # as header Authorization: Bearer <ACCESS TOKEN> and should be used to verify access in the backend API. # In addition to the mandatory Authorization header, you can specify a list of user claims from the ID Token below. claims: - sub - name - email # The *name* field of the applications in the list below will be matched against the # x-forwarded-host header from Traefik. # For example if you have an application in called www.example.test the first application in the list # below and all the values set for it in the list will be used to authenticate the user. apps: - name: www.example.test client-id: <from auth0 application config> client-secret: <from auth0 application config> audience: <from auth0 api config> scope: "profile openid email" redirect-uri: http://www.example.test/oauth2/signin token-cookie-domain: example.test # This application has only state altering methods restricted. # if an anonymous user tries to access a page to read the page he will be # allowed, but if when he tries to send an state altering request he will need to login. restricted-methods: - DELETE - PUT - PATCH - POST # after user has called /signout they will be redirected to this url return-to: http://example.com # if the user doesnt have all of the permissions required, he will get a 403 Permission Denied response. required-permissions: - read:whoami - read:website # this application will inherit most of the values from the default app. # just the audience field will be changed, all other values from the default. - name: traefik.example.test audience: https://xxxxx.yyyy.com/api/xxx