Configuration

Application configuration

The ForwardAuth application needs a configuration file called application.yaml to run. The easiest way is to supply the configuration file as described in the Spring Boot Application Property Files examples.

Quoted from the Spring Boot documentation:

SpringApplication loads properties from application.properties files in the following locations and adds them to the Spring Environment:

  • A /config subdirectory of the current directory

  • The current directory

  • A classpath /config package

  • The classpath root

See also

ForwardAuth is built on the Spring Boot application framework, which has a built-in and very flexible externalized configuration feature. Read the Spring Boot documentation on externalized configuration for a complete description of all Spring Boot configuration features.

Complete configuration file format

# This is the forward authentication configuration file for the Spring Boot application.
# Put this file somewhere where Spring Boot will find it,
#
# for example in /config/application.yaml.
# To select another port, or another environment with less logging to stdout,
# set the environment variables ENV (DEV, TEST or PRODUCTION) and PORT to the values you like.
# The default values are env DEV and port 8080.
#
# The values below where you need to fill in your own values are found under Applications
# and APIs in the Auth0 management website.
#
domain: https://xxxxx.xx.auth0.com/
token-endpoint: https://xxx.xx.auth0.com/oauth/token
authorize-url: https://xxxx.xx.auth0.com/authorize
userinfo-endpoint: https://xxxx.xx.auth0.com/userinfo
logout-endpoint:  https://xxxx.xx.auth0.com/v2/logout

# Configure the max age of the nonce cookie to 5 min; the default value if not supplied is 1 min.
nonce-max-age: 300

# By default all logging is directed to STDOUT/CONSOLE.
# If you need to direct the logs to a file instead, uncomment the setting below.
# The log files will be rotated daily and kept for 7 days.
# logging.file: <path to log file, for example /var/log/auth.log>

# The default application is used when the hostname of the received request does not
# match any of the applications in the apps list. It also supplies fallback values: if a
# property is not present in the matched application in the apps list,
# the property value from the default app is used instead.
default:
  name: example.test
  client-id: <from auth0 application config>
  client-secret: <from auth0 application config>
  audience: <from auth0 api config> or blank
  scope: "profile openid email"
  redirect-uri: http://www.example.test/oauth2/signin
  token-cookie-domain: example.test

  # This is the URL to redirect to after /signout has been called successfully.
  # This URL must also be set on the Application in Auth0 as a valid signout redirect URL.
  return-to: https://www.example.test

  # By default all methods (GET, HEAD, OPTION, DELETE, PUT, PATCH and POST)
  # are restricted and must have an access token and an ID token set in the
  # browser cookies.
  restricted-methods:
  - GET
  - HEAD
  - OPTION
  - DELETE
  - PUT
  - PATCH
  - POST

  # The ID Token from Auth0 contains user claims; specify the list of claims you want to
  # pass to the protected website. The access token is always added to the protected request
  # as the header Authorization: Bearer <ACCESS TOKEN> and should be used to verify access in the backend API.
  # In addition to the mandatory Authorization header, you can specify a list of user claims from the ID Token below.
  claims:
    - sub
    - name
    - email

# The *name* field of the applications in the list below is matched against the
# x-forwarded-host header from Traefik.
# For example, if you have an application called www.example.test, the first application in the list
# below is matched and all the values set for it are used to authenticate the user.
apps:
- name: www.example.test
  client-id: <from auth0 application config>
  client-secret: <from auth0 application config>
  audience: <from auth0 api config>
  scope: "profile openid email"
  redirect-uri: http://www.example.test/oauth2/signin
  token-cookie-domain: example.test

  # This application has only state-altering methods restricted.
  # If an anonymous user tries to read a page he will be allowed, but when he
  # tries to send a state-altering request he will need to log in.
  restricted-methods:
  - DELETE
  - PUT
  - PATCH
  - POST

  # After the user has called /signout they will be redirected to this URL.
  return-to: http://example.com

  # If the user doesn't have all of the required permissions, he will get a 403 Permission Denied response.
  required-permissions:
    - read:whoami
    - read:website

# This application inherits most of its values from the default app.
# Only the audience field is overridden; all other values come from the default.
- name: traefik.example.test
  audience: https://xxxxx.yyyy.com/api/xxx
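The following is an added worked example, not code from the ForwardAuth project: it shows how the default and apps sections above combine for one forwarded request, matching x-forwarded-host against apps[].name, inheriting missing properties from default, and then applying restricted-methods and required-permissions. The config is a constructed Python dict mirroring the YAML (client ids are placeholders), and the assumption that required-permissions are checked only on restricted methods is the example's own.

```python
# Constructed stand-in for the application.yaml on this page (not the project's code).
CONFIG = {
    "default": {
        "name": "example.test",
        "client-id": "default-client-id",  # placeholder value
        "audience": "",
        "restricted-methods": ["GET", "HEAD", "OPTION", "DELETE", "PUT", "PATCH", "POST"],
        "required-permissions": [],
    },
    "apps": [
        {
            "name": "www.example.test",
            "client-id": "www-client-id",  # placeholder value
            "restricted-methods": ["DELETE", "PUT", "PATCH", "POST"],
            "required-permissions": ["read:whoami", "read:website"],
        },
        # Inherits everything but audience from default.
        {"name": "traefik.example.test", "audience": "https://xxxxx.yyyy.com/api/xxx"},
    ],
}


def resolve_app(config, forwarded_host):
    """Match the x-forwarded-host header against apps[].name.

    Properties missing from the matched app fall back to the default app;
    an unknown host resolves to the default app itself."""
    matched = next((a for a in config["apps"] if a["name"] == forwarded_host), {})
    return {**config["default"], **matched}


def decide(config, forwarded_host, method, token_permissions=None):
    """Outcome for one request (illustrative, assumed decision order):
    'pass'      - method is not restricted for this app, no login needed
    'login'     - method restricted but no token cookies present
    'forbidden' - token present but a required permission is missing (403)
    'ok'        - token present and all required permissions granted"""
    app = resolve_app(config, forwarded_host)
    if method.upper() not in app["restricted-methods"]:
        return "pass"
    if token_permissions is None:  # no access/ID token cookies on the request
        return "login"
    missing = set(app["required-permissions"]) - set(token_permissions)
    return "forbidden" if missing else "ok"


if __name__ == "__main__":
    print(decide(CONFIG, "www.example.test", "GET"))            # pass
    print(decide(CONFIG, "www.example.test", "POST"))           # login
    print(decide(CONFIG, "traefik.example.test", "GET"))        # login
```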