# Listener and URL-generation settings.
[server]
# "0.0.0.0" listens on every network interface. If the service is only meant to be
# reached through a reverse proxy on the same machine, a loopback address such as
# "127.0.0.1" keeps the port from being reachable directly.
host = "0.0.0.0"
port = 7021
# Optional path to webui static files.
# webui_dir = "./webui"
# External base URL for generating absolute URLs (e.g. OIDC redirect_uri).
# "auto" (default) = infer from request headers at runtime:
# Forwarded (RFC 7239) > X-Forwarded-Host/Proto > Host header > http://{host}:{port}
# Or set a fixed URL, e.g. "https://auth.example.com"
# NOTE(review): the headers read by "auto" are supplied by the client unless a trusted
# reverse proxy overwrites them, so the generated redirect_uri is only as trustworthy as
# that proxy setup. An internet-facing deployment can avoid the dependency with a fixed
# https URL.
# external_base_url = "auto" # for production
# Remove the entire [oidc] section (or set OIDC_ENABLED=false) to disable OIDC for local debugging.
# NOTE(review): presumably this leaves the service without OIDC login - confirm what
# protects the endpoints in that mode before using it anywhere but a local machine.
# issuer_url is required. When well_known_url is set, discovery is loaded from it and the
# endpoint URLs below (if set) override discovered values. When well_known_url is not set,
# issuer_url, authorization_endpoint, token_endpoint and jwks_uri must be set.
# userinfo_endpoint is recommended; user_info_claims are fetched only when it is set.
[oidc]
# Placeholders. client_secret is a credential: keep the real config file out of version
# control and readable only by the account that runs the service.
client_id = "your-client-id"
client_secret = "your-client-secret"
# Use an https URL: the discovery document supplies the endpoints and the jwks_uri that
# the rest of the flow relies on.
well_known_url = "https://your-oidc-provider.com/.well-known/openid-configuration"
# Scopes requested from the provider; "openid" is required for an OIDC flow.
scopes = ["openid", "profile", "email"]
## Optional overrides when using well_known_url. When well_known_url is omitted,
## issuer_url/authorization_endpoint/token_endpoint/jwks_uri are required and userinfo_endpoint is recommended:
#
# issuer_url = "https://your-oidc-provider.com"
# authorization_endpoint = "https://your-oidc-provider.com/authorize"
# token_endpoint = "https://your-oidc-provider.com/token"
# userinfo_endpoint = "https://your-oidc-provider.com/userinfo"
# jwks_uri = "https://your-oidc-provider.com/jwks"
## Optional metadata hints/overrides
#
# token_endpoint_auth_methods_supported = ["client_secret_basic"]
# Keep this list to the signing algorithm(s) the provider actually uses for ID tokens.
# id_token_signing_alg_values_supported = ["RS256"]
# NOTE(review): "none" presumably means the userinfo response is accepted as unsigned
# JSON, so its integrity rests on TLS to userinfo_endpoint - confirm.
# userinfo_signing_alg_values_supported = ["none"]
# PKCE (RFC 7636) binds the authorization code to the client that started the flow.
# The default when this key is unset is not shown here.
# pkce_enabled = true
## Optional claims check script. If not set, the default Rust claims checker is used.
# NOTE(review): presumably the service executes this file when checking claims - confirm,
# and keep the script writable only by trusted administrators.
#
# claims_check_script = "./claims-script-check.mts"
## When enabled, refresh tokens are encrypted using the master key.
## Mainly intended for distributed stateless services where the frontend stores
## the refresh token, so that a stolen token is not exposed in plain text.
# "your-master-key" is a placeholder: use a long random value and treat it like
# client_secret. Required key format/length is not shown here.
# NOTE(review): presumably every instance that must open a sealed token needs the same
# key - confirm.
#
# master_key = "your-master-key"
# sealed_refresh_token_capsule = true
# Settings for the creds_manage component.
[creds_manage]
# Path of the JSON data file (relative here; presumably resolved against the working
# directory of the process).
# NOTE(review): going by the section name this file presumably holds managed
# credentials - confirm; if so, restrict its permissions to the service account and keep
# it out of version control.
data_path = "./data/data.json"