oathkeeper.yaml.j2
# Logging: structured JSON at info level, suitable for shipping to a log
# aggregator.
log:
  level: info
  format: json
# Listener settings for the Oathkeeper API and the Prometheus metrics
# endpoint.
serve:
  api:
    cors:
      enabled: true
      # NOTE(review): "*" lets JavaScript from any origin read responses
      # from the API listener. If this listener is reachable from browsers,
      # list the expected origins instead of using a wildcard.
      allowed_origins:
        - "*"
  prometheus:
    # NOTE(review): the metrics endpoint exposes request counts and paths;
    # presumably it is only reachable from the monitoring network - confirm.
    port: 9000
    metrics_path: /metrics/prometheus
    metric_name_prefix: oathkeeper_
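# Error handling. Handlers are tried according to their `when` conditions;
# `fallback` lists the handlers used when none of them matches.
errors:
  fallback:
    - www_authenticate
    - json
  handlers:
    # Browser requests (Accept: text/html) that fail with unauthorized or
    # forbidden are redirected to the Kratos login page.
    redirect:
      enabled: true
      config:
        # The templated URL is quoted so that an empty value or a URL
        # containing YAML specials (" #", ": ") still renders as a string.
        # The default is used when kratos_login_url is undefined or falsy.
        # NOTE(review): the default is a plain-http placeholder host; confirm
        # deployments always supply kratos_login_url, ideally an https URL.
        to: "{{ kratos_login_url | d("http://default-kratos-url/self-service/login/browser", true) }}"
        # The original URL is passed to the login page in this query
        # parameter. NOTE(review): the login service must validate it against
        # an allow-list of return URLs before redirecting back - confirm.
        return_to_query_param: return_to
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    www_authenticate:
      enabled: true
      config:
        realm: unauthorized
        when:
          - error:
              - not_found
              - internal_server_error
    json:
      enabled: true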
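# Access rules: URL patterns in the rule files are matched as regular
# expressions. The rule files decide which authenticator, authorizer and
# mutator apply to each route, so they must be writable only by trusted
# operators. The `repositories` key is rendered only when the template is
# given a non-empty access_rules list; each entry is quoted so that a path
# containing spaces or "#" still renders as a single string.
# NOTE(review): with regexp matching, patterns that are too broad can match
# more routes than intended - review the rule files' URL patterns.
access_rules:
  matching_strategy: regexp
  {%- if access_rules %}
  repositories:
  {%- for access_rule in access_rules %}
    - "file://{{ access_rule }}"
  {%- endfor %}
  {%- endif %}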
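# Authenticators made available to access rules. Enabling a handler here
# does not apply it to any route by itself; a rule has to select it.
authenticators:
  # NOTE(review): a rule that selects `anonymous` or `noop` lets requests
  # through without a session. Check the rule files so that these are used
  # only on routes meant to be public.
  anonymous:
    enabled: true
  noop:
    enabled: true
  # Session check against Kratos using the browser's session cookie.
  cookie_session:
    enabled: true
    config:
      # Quoted so that an empty value or YAML specials in the URL cannot
      # change the rendered type. The default is used when
      # kratos_session_url is undefined or falsy.
      # NOTE(review): the default is a plain-http placeholder host; the
      # session cookie is forwarded to this URL, so confirm deployments set
      # kratos_session_url to a trusted (ideally TLS) endpoint.
      check_session_url: "{{ kratos_session_url | d("http://default-kratos-url/sessions/whoami", true) }}"
      # Keep the path of check_session_url instead of replacing it with the
      # path of the incoming request.
      preserve_path: true
      # The whole session response is kept as Extra; the subject is taken
      # from identity.id.
      extra_from: "@this"
      subject_from: "identity.id"
      # Only requests that carry this cookie are handled by this
      # authenticator.
      only:
        - ory_kratos_session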
# Authorizers available to access rules.
# NOTE(review): `allow` is the only authorizer enabled here, so every request
# that passes authentication is authorized by Oathkeeper. Per-resource access
# control has to be enforced by the upstream service or by enabling a
# stricter authorizer.
authorizers:
  allow:
    enabled: true
# Mutators available to access rules. The header mutator adds identity
# headers for the upstream; the values are Go templates evaluated by
# Oathkeeper, which is why they are wrapped in Jinja raw blocks.
# X-Email and X-Name are rendered only when the template's `headers`
# variable contains them.
# NOTE(review): upstreams treat these headers as proof of identity. They
# should be reachable only through Oathkeeper, and routes that use the `noop`
# mutator presumably pass client-supplied X-User / X-Email / X-Name headers
# through unchanged - confirm the ingress strips them.
mutators:
  noop:
    enabled: true
  header:
    enabled: true
    config:
      headers:
        X-User: {% raw %}"{{ print .Subject }}"{% endraw %}
        {%- if "X-Email" in headers %}
        X-Email: {% raw %}"{{ print .Extra.identity.traits.email }}"{% endraw %}
        {%- endif %}
        {%- if "X-Name" in headers %}
        X-Name: {% raw %}"{{ print .Extra.identity.traits.name }}"{% endraw %}
        {%- endif %}