example_config.yaml

serve:
  port: 4468
  tls:
    key_store:
      path: /path/to/file.pem
    min_version: TLS1.2
    cipher_suites:
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  trusted_proxies:
    - 0.0.0.0/0
  respond:
    verbose: true
    with:
      accepted:
        code: 200
      authorization_error:
        code: 404
      authentication_error:
        code: 404

log:
  level: debug
  format: text

metrics:
  enabled: false

profiling:
  enabled: true
  host: 0.0.0.0

tracing:
  span_processor: simple

mechanisms:
  authenticators:
    - id: anonymous_authenticator
      type: anonymous
    - id: unauthorized_authenticator
      type: unauthorized
    - id: kratos_session_authenticator
      type: generic
      config:
        identity_info_endpoint:
          url: http://127.0.0.1:4433/sessions/whoami
          retry:
            max_delay: 300ms
            give_up_after: 2s
        authentication_data_source:
          - cookie: ory_kratos_session
        subject:
          attributes: "@this"
          id: "identity.id"
    - id: hydra_authenticator
      type: oauth2_introspection
      config:
        metadata_endpoint:
          url: http://hydra:4445/oauth2/introspect
          retry:
            max_delay: 300ms
            give_up_after: 2s
          auth:
            type: basic_auth
            config:
              user: foo
              password: bar
        assertions:
          issuers:
            - http://127.0.0.1:4444/
          scopes:
            - foo
            - bar
          audience:
            - bla
        subject:
          attributes: "@this"
          id: sub
    - id: jwt_authenticator
      type: jwt
      config:
        jwks_endpoint:
          url: http://foo/token
          method: GET
          http_cache:
            enabled: true
            default_ttl: 5m
        jwt_source:
          - header: Authorization
            scheme: Bearer
        assertions:
          audience:
            - bla
          scopes:
            - foo
          allowed_algorithms:
            - RSA
          issuers:
            - bla
        subject:
          attributes: "@this"
          id: "identity.id"
        cache_ttl: 5m
  authorizers:
    - id: allow_all_authorizer
      type: allow
    - id: deny_all_authorizer
      type: deny
    - id: keto_authorizer
      type: remote
      config:
        endpoint:
          url: http://keto
          method: POST
          headers:
            foo-bar: "{{ .Subject.ID }}"
        payload: https://bla.bar
        forward_response_headers_to_upstream:
          - bla-bar
    - id: attributes_based_authorizer
      type: cel
      config:
        expressions:
          - expression: "true"
  contextualizers:
    - id: subscription_contextualizer
      type: generic
      config:
        endpoint:
          url: http://foo.bar
          method: GET
          headers:
            bla: bla
        payload: http://foo
    - id: profile_data_hydrator
      type: generic
      config:
        endpoint:
          url: http://profile
          headers:
            foo: bar
  finalizers:
  #  - id: jwt
  #    type: jwt
  #    config:
  #      ttl: 5m
  #      claims: |
  #        {"user": {{ quote .Subject.ID }} }
  #      signer:
  #        key_store:
  #          path: /path/to/file.pem
    - id: bla
      type: header
      config:
        headers:
          foo-bar: bla
    - id: blabla
      type: cookie
      config:
        cookies:
          foo-bar: '{{ .Subject.ID }}'
  error_handlers:
    - id: default
      type: default
    - id: authenticate_with_kratos
      type: redirect
      config:
        to: http://127.0.0.1:4433/self-service/login/browser?origin={{ .Request.URL | urlenc }}

default_rule:
  backtracking_enabled: false
  execute:
    - authenticator: anonymous_authenticator
    - finalizer: bla
  on_error:
    - error_handler: authenticate_with_kratos
      if: |
        Error.Source == "kratos_session_authenticator" && 
        type(Error) == authentication_error &&
        Request.Header("Accept").contains("*/*")

providers:
  file_system:
    src: example_rules.yaml
    watch: true

  http_endpoint:
    watch_interval: 5m
    endpoints:
      - url: http://foo.bar/rules.yaml
        http_cache:
          enabled: false
      - url: http://bar.foo/rules.yaml
        headers:
          bla: bla
        retry:
          give_up_after: 5s
          max_delay: 250ms
        auth:
          type: api_key
          config:
            name: foo
            value: bar
            in: header

  cloud_blob:
    watch_interval: 2m
    buckets:
      - url: gs://my-bucket
        prefix: service1
      - url: gs://my-bucket
        prefix: service2
      - url: s3://my-bucket/my-rule-set

  kubernetes:
    auth_class: foo