nginx-sso/config.yaml

---

login:
  title: "luzifer.io - Login"
  default_method: "simple"
  names:
    simple: "Username / Password"
    yubikey: "Yubikey"

cookie:
  domain: ".example.com"
  authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH"
  expire: 3600        # Optional, default: 3600
  prefix: "nginx-sso" # Optional, default: nginx-sso
  secure: true        # Optional, default: false

# Optional, default: 127.0.0.1:8082
listen:
  addr: "127.0.0.1"
  port: 8082

acl:
  rule_sets:
  - rules:
    - field: "host"
      equals: "test.example.com"
    - field: "x-origin-uri"
      regexp: "^/api"
    allow: ["luzifer", "@admins"]

providers:
  # Authentication against embedded user database
  # Supports: Users, Groups
  simple:
    enable_basic_auth: false

    # Unique username mapped to bcrypt hashed password
    users:
      luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"

    # Groupname to users mapping
    groups:
      admins: ["luzifer"]

  # Authentication against embedded token directory
  # Supports: Users, Groups
  token:
    # Mapping of unique token names to the token
    tokens:
      tokenname: "MYTOKEN"

    # Groupname to token mapping
    groups:
      mytokengroup: ["tokenname"]

  # Authentication against Yubikey cloud validation servers
  # Supports: Users, Groups
  yubikey:
    # Get your client / secret from https://upgrade.yubico.com/getapikey/
    client_id: "12345"
    secret_key: "foobar"

    # First 12 characters of the OTP string mapped to the username
    devices:
      ccccccfcvuul: "luzifer"

    # Groupname to users mapping
    groups:
      admins: ["luzifer"]

...
Initial version (#1) * Initial draft * HCL does not support int64 * Add http stubs * Login does not need to return user details * Fields should have a label * Add example configuration * Add stub for "Simple" authenticator * Add debug logging * Implement configuration loading * Implement user detection * Fix error names in doc strings * Implement session store * Implement "Token" provider * Add login frontend * Implement login and logout * Do not show tabs when there is no choice * Fix multi-tab errors, sorting * Implement "Yubikey" authenticator * Lint: Rename error to naming convention * Apply cookie security * Prevent double-login * Adjust parameters for crowd * Implement ACL * Replace HCL config with YAML config * Remove config debug output * Remove crowd config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 14:16:52 +00:00			`---`

			`login:`
			`title: "luzifer.io - Login"`
			`default_method: "simple"`
			`names:`
			`simple: "Username / Password"`
			`yubikey: "Yubikey"`

			`cookie:`
			`domain: ".example.com"`
			`authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH"`
			`expire: 3600 # Optional, default: 3600`
			`prefix: "nginx-sso" # Optional, default: nginx-sso`
			`secure: true # Optional, default: false`

			`# Optional, default: 127.0.0.1:8082`
			`listen:`
			`addr: "127.0.0.1"`
			`port: 8082`

			`acl:`
			`rule_sets:`
			`- rules:`
			`- field: "host"`
			`equals: "test.example.com"`
			`- field: "x-origin-uri"`
			`regexp: "^/api"`
			`allow: ["luzifer", "@admins"]`

			`providers:`
			`# Authentication against embedded user database`
			`# Supports: Users, Groups`
			`simple:`
Add basic auth to example config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 20:54:30 +00:00			`enable_basic_auth: false`

Initial version (#1) * Initial draft * HCL does not support int64 * Add http stubs * Login does not need to return user details * Fields should have a label * Add example configuration * Add stub for "Simple" authenticator * Add debug logging * Implement configuration loading * Implement user detection * Fix error names in doc strings * Implement session store * Implement "Token" provider * Add login frontend * Implement login and logout * Do not show tabs when there is no choice * Fix multi-tab errors, sorting * Implement "Yubikey" authenticator * Lint: Rename error to naming convention * Apply cookie security * Prevent double-login * Adjust parameters for crowd * Implement ACL * Replace HCL config with YAML config * Remove config debug output * Remove crowd config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 14:16:52 +00:00			`# Unique username mapped to bcrypt hashed password`
			`users:`
			`luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"`

			`# Groupname to users mapping`
			`groups:`
			`admins: ["luzifer"]`

			`# Authentication against embedded token directory`
Allow grouping of tokens for simpler ACL Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-02-04 10:34:04 +00:00			`# Supports: Users, Groups`
Initial version (#1) * Initial draft * HCL does not support int64 * Add http stubs * Login does not need to return user details * Fields should have a label * Add example configuration * Add stub for "Simple" authenticator * Add debug logging * Implement configuration loading * Implement user detection * Fix error names in doc strings * Implement session store * Implement "Token" provider * Add login frontend * Implement login and logout * Do not show tabs when there is no choice * Fix multi-tab errors, sorting * Implement "Yubikey" authenticator * Lint: Rename error to naming convention * Apply cookie security * Prevent double-login * Adjust parameters for crowd * Implement ACL * Replace HCL config with YAML config * Remove config debug output * Remove crowd config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 14:16:52 +00:00			`token:`
			`# Mapping of unique token names to the token`
			`tokens:`
			`tokenname: "MYTOKEN"`

Allow grouping of tokens for simpler ACL Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-02-04 10:34:04 +00:00			`# Groupname to token mapping`
			`groups:`
			`mytokengroup: ["tokenname"]`

Initial version (#1) * Initial draft * HCL does not support int64 * Add http stubs * Login does not need to return user details * Fields should have a label * Add example configuration * Add stub for "Simple" authenticator * Add debug logging * Implement configuration loading * Implement user detection * Fix error names in doc strings * Implement session store * Implement "Token" provider * Add login frontend * Implement login and logout * Do not show tabs when there is no choice * Fix multi-tab errors, sorting * Implement "Yubikey" authenticator * Lint: Rename error to naming convention * Apply cookie security * Prevent double-login * Adjust parameters for crowd * Implement ACL * Replace HCL config with YAML config * Remove config debug output * Remove crowd config Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-28 14:16:52 +00:00			`# Authentication against Yubikey cloud validation servers`
			`# Supports: Users, Groups`
			`yubikey:`
			`# Get your client / secret from https://upgrade.yubico.com/getapikey/`
			`client_id: "12345"`
			`secret_key: "foobar"`

			`# First 12 characters of the OTP string mapped to the username`
			`devices:`
			`ccccccfcvuul: "luzifer"`

			`# Groupname to users mapping`
			`groups:`
			`admins: ["luzifer"]`

			`...`