Configuration
You can load the config file from another source using the `-c path/to/config.yaml` or `--config path/to/config.yaml` flag: `$ oathkeeper --config path/to/config.yaml`.
Config files can be formatted as JSON, YAML or TOML. Some configuration values support reloading without a server restart. All configuration values can also be set using environment variables, as documented below.
This reference configuration documents all keys, including deprecated ones; it lists every possible configuration value rather than a recommended setup, so its placeholder values (negative ports, empty strings, `0ns` durations) are not usable as-is.
If you are looking for an example configuration, it is better to try out the quickstart.
To find out more about edge cases like setting string array values through environment variables, head to the Configuration section.
## ORY Oathkeeper Configuration
# Listener settings. The api, proxy and prometheus listeners are separate so
# they can be bound and firewalled independently. Values such as
# port: -100000000 and max_age: -100000000 are schema placeholders in this
# reference, not defaults you can run with.
serve:
  # NOTE(review): the API listener is the administrative surface; keep it off
  # public networks (bind to localhost or an internal interface) — confirm
  # against your deployment topology.
  api:
    port: -100000000
    host: localhost
    # Finite read/write/idle timeouts keep slow or idle clients from holding
    # connections open indefinitely; avoid disabling them in production.
    timeout:
      read: 5s
      write: 5s
      idle: 5s
    # Keep CORS disabled unless browsers call this listener directly.
    # A wildcard origin such as https://*.example.com matches any subdomain,
    # so every subdomain must be trusted before combining it with
    # allow_credentials: true.
    cors:
      enabled: false
      allowed_origins:
        - https://example.com
        - https://*.example.com
        - https://*.foo.example.com
      allowed_methods:
        - GET
      allowed_headers:
        - ""
      exposed_headers:
        - ""
      allow_credentials: false
      max_age: -100000000
      # Presumably enables verbose CORS diagnostics; keep off outside development.
      debug: false
    # TLS material is given either as a file path or as inline base64 (the
    # sample value is a truncated illustrative blob; presumably only one of
    # path/base64 is needed per entry — confirm in the docs). Never commit the
    # private key's base64 to version control; inject it through the
    # environment variable documented for this key.
    tls:
      key:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
      cert:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
  # The proxy listener is the one that receives client traffic and forwards
  # it to upstreams.
  proxy:
    port: -100000000
    host: localhost
    # Leave false unless a trusted reverse proxy in front of Oathkeeper sets
    # and overwrites the X-Forwarded-* headers on every request; if enabled
    # while clients can reach this listener directly, a client can forge its
    # source address and scheme. (Inferred from the key name — confirm the
    # exact semantics in the docs.)
    trust_forwarded_headers: false
    # Same rationale as for the api listener: keep timeouts finite.
    timeout:
      read: 5s
      write: 5s
      idle: 5s
    # Same CORS caveats as for the api listener: wildcard origins match any
    # subdomain; review them before enabling allow_credentials.
    cors:
      enabled: false
      allowed_origins:
        - https://example.com
        - https://*.example.com
        - https://*.foo.example.com
      allowed_methods:
        - GET
      allowed_headers:
        - ""
      exposed_headers:
        - ""
      allow_credentials: false
      max_age: -100000000
      debug: false
    # Same TLS caveats as for the api listener: path or base64, and keep the
    # key out of version control.
    tls:
      key:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
      cert:
        path: path/to/file.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
  # Metrics listener. Request paths can carry identifiers (user IDs, tokens
  # in URLs); hide_request_paths / collapse_request_paths presumably limit
  # what ends up in metric labels — confirm before exposing metrics beyond a
  # trusted scrape network.
  prometheus:
    port: -100000000
    host: localhost
    metrics_path: ""
    metric_name_prefix: ""
    hide_request_paths: false
    collapse_request_paths: false
# Where access rules are loaded from. Rules decide who may reach which
# upstream, so every repository is a trust input on par with code: whoever
# can write to the bucket or serve the URL controls authorization. Restrict
# write access to these locations and fetch remote rules only over TLS.
access_rules:
  repositories:
    # Local file; protect it with file-system permissions.
    - file://path/to/rules.json
    # Rules embedded as base64 JSON (this sample decodes to
    # [{"id":"foo-rule","authenticators":[]}]).
    - inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d
    # Remote HTTPS source; never use plain http here.
    - https://path-to-my-rules/rules.json
    # Object-storage sources. The ?endpoint= form points the S3 client at a
    # custom host (e.g. MinIO) — make sure that host is the one you expect.
    - s3://my-bucket-name/rules.json
    - s3://my-bucket-name/rules.json?endpoint=minio.my-server.net
    - gs://gcp-bucket-name/rules.json
    - azblob://my-blob-container/rules.json
    # NOTE(review): duplicate of the https entry above, left in place because
    # this is a generated reference listing.
    - https://path-to-my-rules/rules.json
  # How rule URL patterns are matched (glob shown here). Glob patterns are
  # easier to reason about than regular expressions; whichever you use, make
  # sure a pattern cannot match more paths than intended.
  matching_strategy: glob
# Authenticator handlers. Only handlers enabled here can be referenced by an
# access rule. Empty strings and 0ns values below are reference placeholders.
authenticators:
  # Assigns the configured subject to requests that carry no credentials.
  # Any rule using this authenticator grants access without proof of identity,
  # so pair it only with authorizers that are safe for anonymous traffic.
  anonymous:
    enabled: true
    config:
      subject: guest
  # Lets every request through without establishing a subject (presumably —
  # confirm in the handler docs).
  noop:
    enabled: true
  # Rejects every request; useful as a deny-by-default choice in rules.
  unauthorized:
    enabled: true
  # Validates a session cookie by calling check_session_url. The session
  # store must be reached over TLS, since the cookie is forwarded to it.
  cookie_session:
    enabled: true
    config:
      check_session_url: https://session-store-host
      # Restrict to the cookie names that actually carry the session.
      only:
        - ""
      # preserve_* forward parts of the original request to the session
      # store; enable only what the store needs, since they widen what an
      # attacker-controlled request can influence.
      preserve_query: false
      preserve_path: false
      preserve_host: false
      force_method: GET
      # Forward only the headers the session store requires.
      forward_http_headers: []
      additional_headers: {}
      # Paths into the session-store response used to extract extra data and
      # the subject.
      extra_from: ""
      subject_from: ""
  # Validates an opaque bearer token by calling check_session_url; same TLS
  # and header-forwarding caveats as cookie_session.
  bearer_token:
    enabled: true
    config:
      check_session_url: https://session-store-host
      # null presumably means the default token location — confirm.
      token_from: null
      prefix: ""
      preserve_query: false
      preserve_path: false
      preserve_host: false
      force_method: GET
      forward_http_headers: []
      additional_headers: {}
      extra_from: ""
      subject_from: ""
  # Validates JWTs locally against the key sets in jwks_urls.
  jwt:
    enabled: true
    config:
      # Leaving these lists empty means the corresponding claim is not
      # checked. In production set trusted_issuers and target_audience so a
      # token minted for another service is not accepted here.
      required_scope:
        - ""
      target_audience:
        - ""
      trusted_issuers:
        - ""
      # NOTE(review): pin this to exactly the algorithms your issuer uses;
      # do not mix symmetric (HS*) and asymmetric (RS*/ES*) algorithms for
      # the same key set.
      allowed_algorithms:
        - ""
      # Rendered here as an index-keyed mapping by the doc generator; in a
      # real YAML file write this as a sequence (`- https://...`). See the
      # Configuration section for the environment-variable form of arrays.
      # file:// entries read a local key set; https entries fetch over TLS.
      jwks_urls:
        "0": https://my-website.com/.well-known/jwks.json
        "1": https://my-other-website.com/.well-known/jwks.json
        "2": file://path/to/local/jwks.json
      # How long to wait for a key fetch, and how long fetched keys are
      # cached. Key rotation and revocation take effect only after jwks_ttl.
      jwks_max_wait: 100ms
      jwks_ttl: 30m
      scope_strategy: hierarchic
      token_from: null
  # Authenticates by exchanging client credentials at token_url (must be
  # https). Successful exchanges are cached for cache.ttl.
  oauth2_client_credentials:
    enabled: true
    config:
      token_url: https://my-website.com/oauth2/token
      required_scope:
        - ""
      # 0ns values are placeholders; set real back-off limits.
      retry:
        give_up_after: 0ns
        max_delay: 0ns
      cache:
        enabled: true
        ttl: 5s
        max_tokens: -100000000
  # Validates tokens by calling the introspection endpoint (must be https).
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: https://my-website.com/oauth2/introspection
      scope_strategy: hierarchic
      # When enabled, Oathkeeper presumably obtains its own token before
      # calling the introspection endpoint; scope is rendered as an indexed
      # mapping here but is a sequence in a real config file.
      pre_authorization:
        enabled: false
        audience: http://www.example.com
        scope:
          "0": foo
          "1": bar
      # Same caveat as for the jwt authenticator: empty lists mean no check.
      required_scope:
        - ""
      target_audience:
        - ""
      trusted_issuers:
        - ""
      prefix: ""
      preserve_host: false
      # Headers sent to the introspection endpoint (e.g. for basic auth).
      # Do not put credentials here in a committed file; use environment
      # variables instead.
      introspection_request_headers: {}
      token_from: null
      retry:
        give_up_after: 0ns
        max_delay: 0ns
      # Introspection results are cached for ttl; token revocation takes
      # effect only after the cached entry expires.
      cache:
        enabled: true
        ttl: 5s
        max_cost: -100000000
# Error handling: which handler answers when a request is rejected. Each
# handler's `when` list selects it by error type and by request properties
# (client CIDR, Content-Type, Accept); `fallback` is used when no `when`
# condition matches.
errors:
  fallback:
    - redirect
  handlers:
    # Answers with a WWW-Authenticate challenge for the given realm.
    www_authenticate:
      enabled: true
      config:
        realm: ""
      when:
        - error:
            - unauthorized
          # NOTE(review): cidr matches the client address; with
          # serve.proxy.trust_forwarded_headers false that is presumably the
          # TCP peer, not X-Forwarded-For — confirm before relying on it.
          request:
            cidr:
              - ""
            header:
              content_type: []
              accept: []
    # Redirects the client (typically to a login page). The target should be
    # https. NOTE(review): 301 is cached by browsers as a permanent redirect;
    # for an authentication redirect a 302/303 is usually preferable. If
    # return_to_query_param is set, the original URL is presumably appended
    # under that name — the target application must validate it before
    # redirecting back, or it becomes an open-redirect vector.
    redirect:
      enabled: true
      config:
        to: http://my-app.com/dashboard
        code: 301
        return_to_query_param: ""
      when:
        - error:
            - unauthorized
          request:
            cidr:
              - ""
            header:
              content_type: []
              accept: []
    # Answers with a JSON error body. Keep verbose false on public
    # endpoints so internal error details are not disclosed to clients.
    json:
      enabled: true
      config:
        verbose: false
      when:
        - error:
            - unauthorized
          request:
            cidr:
              - ""
            header:
              content_type: []
              accept: []
# Authorizer handlers. Only handlers enabled here can be referenced by an
# access rule.
authorizers:
  # Unconditionally allows; use only on rules whose authenticator already
  # implies sufficient trust.
  allow:
    enabled: true
  # Unconditionally denies.
  deny:
    enabled: true
  # Delegates the decision to an Ory Keto instance. The sample base_url is
  # plain http; use https or a private network so decisions cannot be
  # tampered with in transit.
  keto_engine_acp_ory:
    enabled: true
    config:
      base_url: http://my-keto/
      required_action: ""
      required_resource: ""
      subject: ""
      flavor: ""
  # Delegates the decision to an arbitrary remote endpoint (https).
  remote:
    enabled: true
    config:
      remote: https://host/path
      # Extra headers sent to the remote; keep secrets out of committed files.
      headers: {}
      # Response headers copied to the upstream request. Forward only headers
      # the upstream is meant to trust, since it will treat them as coming
      # from Oathkeeper.
      forward_response_headers_to_upstream:
        - ""
      retry:
        give_up_after: 0ns
        max_delay: 0ns
  # Like remote, but posts a templated JSON payload. NOTE(review): the
  # subject is interpolated into a JSON string here; confirm the template
  # engine escapes it, since the subject originates from the authenticator.
  remote_json:
    enabled: true
    config:
      remote: https://host/path
      headers: {}
      payload: '{"subject":"{{ .Subject }}"}'
      forward_response_headers_to_upstream:
        - ""
      retry:
        give_up_after: 0ns
        max_delay: 0ns
# Mutator handlers: transform the request before it reaches the upstream.
# Any header or cookie set here is only trustworthy for the upstream if the
# upstream is reachable exclusively through Oathkeeper; otherwise a client can
# set the same header directly.
mutators:
  noop:
    enabled: true
  # Adds cookies (presumably templated from the session) to the upstream
  # request.
  cookie:
    enabled: true
    config:
      cookies: {}
  # Adds headers to the upstream request; see the caveat above.
  header:
    enabled: true
    config:
      headers: {}
  # Enriches the session by calling an external API. The sample URL is plain
  # http and a placeholder; use https. Do not commit the basic-auth
  # credentials in a checked-in file; inject them via environment variables.
  hydrator:
    enabled: true
    config:
      api:
        url: http://a.aaa
        auth:
          basic:
            username: ""
            password: ""
        retry:
          give_up_after: 0ns
          max_delay: 0ns
      # Cached responses are reused for ttl; a change at the API takes effect
      # only after expiry.
      cache:
        enabled: true
        ttl: 0ns
  # Issues a signed ID token to the upstream. NOTE(review): this mutator
  # signs tokens, so the key set at jwks_url presumably contains the private
  # signing key — keep it off public URLs and fetch it only over TLS or from
  # a protected local file.
  id_token:
    enabled: true
    config:
      claims: ""
      issuer_url: ""
      jwks_url: https://fetch-keys/from/this/location.json
      # Token lifetime; shorter is safer since issued tokens cannot be revoked.
      ttl: 1h
# Logging. `panic` is the least verbose level and drops nearly everything,
# including security-relevant events — this is a reference value, not a
# recommendation. Keep leak_sensitive_values false in production: enabling it
# writes credentials (tokens, cookies) into the logs.
log:
  level: panic
  format: json
  leak_sensitive_values: false
  redaction_text: ""
# Distributed tracing. NOTE(review): service_name "Ory Hydra" looks copied
# from the shared Ory schema; set it to the name of this Oathkeeper service.
tracing:
  provider: jaeger
  service_name: Ory Hydra
  deployment_environment: development
  providers:
    jaeger:
      # Agent address for span export; the sampling server URL is plain http
      # to a local endpoint.
      local_agent_address: 127.0.0.1:6831
      sampling:
        server_url: http://localhost:5778/sampling
        trace_id_ratio: 0.5
    zipkin:
      server_url: http://localhost:9411/api/v2/spans
      sampling:
        sampling_ratio: 0.4
    otlp:
      server_url: localhost:4318
      # Keep insecure false so spans (which carry request metadata) are sent
      # over TLS.
      insecure: false
      sampling:
        sampling_ratio: 0.4
      # This is a credential. Do not commit a real value; supply it through
      # the environment variable documented for this key.
      authorization_header: Bearer 2389s8fs9d8fus9f
# Runtime profiling. Profiles expose process internals; enable only for
# diagnosis, not in a production deployment.
profiling: cpu
# Config schema version this file targets (placeholder here).
version: v0.0.0