Configuration¶
Application configuration¶
The ForwardAuth application needs a configuration file called application.yaml to run. The easiest way is to supply the configuration file like described by Spring Boot Application Property Files examples.
- Quoted from the Spring Boot documentation
SpringApplication loads properties from application.properties files in the following locations and adds them to the Spring Environment:
A /config subdirectory of the current directory
The current directory
A classpath /config package
The classpath root
See also
ForwardAuth is built using the Spring Boot application framework. It has a built-in and very flexible externalized configuration feature, read the Spring Boot documentation of externalized configuration for a complete description of all Spring Boot configuration features.
Complete configuration file format¶
# This is the forward authentiction configuration file for the Spring Boot application.
# Put this file somewhere where springboot will find it.
#
# For example in /config/application.yaml
# To select another port or another environment with less logging to stdout,
# set the environment variables ENV(DEV,TEST or PRODUCTION) and PORT to something you like.
# The default values are env DEV and port 8080.
#
# The values below where you need to fill in your own values is found in Applications
# and Api in Auth0 management website.
#
domain: https://xxxxx.xx.auth0.com/
token-endpoint: https://xxx.xx.auth0.com/oauth/token
authorize-url: https://xxxx.xx.auth0.com/authorize
userinfo-endpoint: https://xxxx.xx.auth0.com/userinfo
logout-endpoint: https://xxxx.xx.auth0.com/v2/logout
# Configure max age for nonce cookie to 5 min, default value if not supplied is 1 min.
nonce-max-age: 300
# By default all logging is directed to STDOUT/CONSOLE
# But if you need to direct the logs to a file you can comment out the setting below.
# The logfiles will be rotated daily, and kept for 7 days.
# logging.file: <path to log file for example /var/log/auth.log
# default application that is hostname of received request does not
# match any of the applications in the apps list will use, or if
# properties in the matched application in the apps list is not present
# the property value in the default app will be used instead.
default:
name: example.test
client-id: <from auth0 application config>
client-secret: <from auth0 application config>
audience: <from auth0 api config> or blank
scope: "profile openid email"
redirect-uri: http://www.example.test/oauth2/signin
token-cookie-domain: example.test
# this is the url to redirect to after successfull /signout has been called.
# this url must also be set on the Application in Auth0 as valid signout redirect url.
return-to: https://www.example.test
# By default all method (GET, HEAD, OPTION, DELETE, PUT, PATCH and POST)
# is restricted and must have an access token and a id token set in the
# browser cookies.
restricted-methods:
- GET
- HEAD
- OPTION
- DELETE
- PUT
- PATCH
- POST
# the ID Token from Auth0 contains user claims, specify a list of claims you want to
# pass to the protected website. The access token is always added to the protected request
# as header Authorization: Bearer <ACCESS TOKEN> and should be used to verify access in the backend API.
# In addition to the mandatory Authorization header, you can specify a list of user claims from the ID Token below.
claims:
- sub
- name
- email
# The *name* field of the applications in the list below will be matched against the
# x-forwarded-host header from Traefik.
# For example if you have an application in called www.example.test the first application in the list
# below and all the values set for it in the list will be used to authenticate the user.
apps:
- name: www.example.test
client-id: <from auth0 application config>
client-secret: <from auth0 application config>
audience: <from auth0 api config>
scope: "profile openid email"
redirect-uri: http://www.example.test/oauth2/signin
token-cookie-domain: example.test
# This application has only state altering methods restricted.
# if an anonymous user tries to access a page to read the page he will be
# allowed, but if when he tries to send an state altering request he will need to login.
restricted-methods:
- DELETE
- PUT
- PATCH
- POST
# after user has called /signout they will be redirected to this url
return-to: http://example.com
# if the user doesnt have all of the permissions required, he will get a 403 Permission Denied response.
required-permissions:
- read:whoami
- read:website
# this application will inherit most of the values from the default app.
# just the audience field will be changed, all other values from the default.
- name: traefik.example.test
audience: https://xxxxx.yyyy.com/api/xxx