mirrors
/
authelia
mirror of https://github.com/authelia/authelia.git
0
0
Fork 0
Code Issues Projects Releases Wiki Activity
authelia/docs/static/schemas/v4.39/json-schema/configuration.json

3385 lines
115 KiB
JSON
Raw Permalink Blame History

{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://www.authelia.com/schemas/v4.39/json-schema/configuration.json",
"$ref": "#/$defs/Configuration",
"$defs": {
"AccessControl": {
"properties": {
"default_policy": {
"type": "string",
"enum": [
"deny",
"one_factor",
"two_factor"
],
"title": "Default Authorization Policy",
"description": "The default policy applied to all authorization requests unrelated to OpenID Connect 1.0.",
"default": "deny"
},
"networks": {
"items": {
"$ref": "#/$defs/AccessControlNetwork"
},
"type": "array",
"title": "Named Networks",
"description": "The list of named networks which can be reused in any ACL rule."
},
"rules": {
"items": {
"$ref": "#/$defs/AccessControlRule"
},
"type": "array",
"title": "Rules List",
"description": "The list of ACL rules to enumerate for requests."
}
},
"additionalProperties": false,
"type": "object",
"description": "AccessControl represents the configuration related to ACLs."
},
"AccessControlNetwork": {
"properties": {
"name": {
"type": "string",
"title": "Network Name",
"description": "The name of this network to be used in the networks section of the rules section."
},
"networks": {
"$ref": "#/$defs/AccessControlNetworkNetworks",
"title": "Networks",
"description": "The remote IP's or network ranges in CIDR notation that this rule applies to."
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name",
"networks"
],
"description": "AccessControlNetwork represents one ACL network group entry."
},
"AccessControlNetworkNetworks": {
"oneOf": [
{
"type": "string",
"pattern": "((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\/([0-2]?[0-9]|3[0-2]))?$)|(^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))?(\\/(12[0-8]|1[0-1][0-9]|[0-9]{1,2}))?$))"
},
{
"items": {
"type": "string",
"pattern": "((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))(\\/([0-2]?[0-9]|3[0-2]))?$)|(^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))?(\\/(12[0-8]|1[0-1][0-9]|[0-9]{1,2}))?$))"
},
"type": "array",
"uniqueItems": true
}
]
},
"AccessControlRule": {
"oneOf": [
{
"required": [
"domain"
],
"title": "Domain"
},
{
"required": [
"domain_regex"
],
"title": "Domain Regex"
}
],
"properties": {
"domain": {
"$ref": "#/$defs/AccessControlRuleDomains",
"title": "Domain Literals",
"description": "The literal domains to match the domain against that this rule applies to."
},
"domain_regex": {
"$ref": "#/$defs/AccessControlRuleRegex",
"title": "Domain Regex Patterns",
"description": "The regex patterns to match the domain against that this rule applies to."
},
"policy": {
"type": "string",
"enum": [
"bypass",
"deny",
"one_factor",
"two_factor"
],
"title": "Rule Policy",
"description": "The policy this rule applies when all criteria match."
},
"subject": {
"$ref": "#/$defs/AccessControlRuleSubjects",
"title": "AccessControlRuleSubjects",
"description": "The users or groups that this rule applies to."
},
"networks": {
"$ref": "#/$defs/AccessControlRuleNetworks",
"title": "Networks",
"description": "The remote IP's, network ranges in CIDR notation, or network names that this rule applies to."
},
"resources": {
"$ref": "#/$defs/AccessControlRuleRegex",
"title": "Resources or Paths",
"description": "The regex patterns to match the resource paths that this rule applies to."
},
"methods": {
"$ref": "#/$defs/AccessControlRuleMethods",
"description": "The list of request methods this rule applies to."
},
"query": {
"items": {
"items": {
"$ref": "#/$defs/AccessControlRuleQuery"
},
"type": "array"
},
"type": "array",
"title": "Query Rules",
"description": "The list of query parameter rules this rule applies to."
}
},
"additionalProperties": false,
"type": "object",
"required": [
"policy"
],
"description": "AccessControlRule represents one ACL rule entry."
},
"AccessControlRuleDomains": {
"oneOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
}
]
},
"AccessControlRuleMethods": {
"oneOf": [
{
"type": "string",
"enum": [
"GET",
"HEAD",
"POST",
"PUT",
"PATCH",
"DELETE",
"TRACE",
"CONNECT",
"OPTIONS",
"COPY",
"LOCK",
"MKCOL",
"MOVE",
"PROPFIND",
"PROPPATCH",
"UNLOCK"
]
},
{
"items": {
"type": "string",
"enum": [
"GET",
"HEAD",
"POST",
"PUT",
"PATCH",
"DELETE",
"TRACE",
"CONNECT",
"OPTIONS",
"COPY",
"LOCK",
"MKCOL",
"MOVE",
"PROPFIND",
"PROPPATCH",
"UNLOCK"
]
},
"type": "array",
"uniqueItems": true
}
]
},
"AccessControlRuleNetworks": {
"oneOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
}
]
},
"AccessControlRuleQuery": {
"properties": {
"operator": {
"type": "string",
"enum": [
"equal",
"not equal",
"present",
"absent",
"pattern",
"not pattern"
],
"title": "Operator",
"description": "The list of query parameter rules this rule applies to."
},
"key": {
"type": "string",
"title": "Key",
"description": "The Query Parameter key this rule applies to."
},
"value": {
"title": "Value",
"description": "The Query Parameter value for this rule."
}
},
"additionalProperties": false,
"type": "object",
"required": [
"key"
],
"description": "AccessControlRuleQuery represents the ACL query criteria."
},
"AccessControlRuleRegex": {
"oneOf": [
{
"type": "string",
"format": "regex"
},
{
"items": {
"type": "string",
"format": "regex"
},
"type": "array",
"uniqueItems": true
}
]
},
"AccessControlRuleSubjects": {
"oneOf": [
{
"type": "string",
"pattern": "^(user|group|oauth2:client):.+$"
},
{
"items": {
"type": "string",
"pattern": "^(user|group|oauth2:client):.+$"
},
"type": "array"
},
{
"items": {
"items": {
"type": "string",
"pattern": "^(user|group|oauth2:client):.+$"
},
"type": "array"
},
"type": "array",
"uniqueItems": true
}
]
},
"AddressLDAP": {
"type": "string",
"pattern": "^((ldaps?:\\/\\/)?([^:\\/]*(:\\d+)|[^:\\/]+(:\\d+)?)?|ldapi:\\/\\/(\\/[^?\\n]+)?)$",
"format": "uri"
},
"AddressSMTP": {
"type": "string",
"pattern": "^((smtp|submissions?):\\/\\/)?([^:\\/]*(:\\d+)|[^:\\/]+(:\\d+)?)?$",
"format": "uri"
},
"AddressTCP": {
"type": "string",
"pattern": "^((tcp[46]?:\\/\\/)?([^:\\/]*(:\\d+)|[^:\\/]+(:\\d+)?)(\\/.*)?|unix:\\/\\/\\/[^?\\n]+(\\?(umask=[0-7]{3,4}|path=[a-z]+)(\u0026(umask=[0-7]{3,4}|path=[a-zA-Z0-9.~_-]+))?)?)$",
"format": "uri"
},
"AddressUDP": {
"type": "string",
"pattern": "^(udp[46]?:\\/\\/)?([^:\\/]*(:\\d+)|[^:\\/]+(:\\d+)?)(\\/.*)?$",
"format": "uri"
},
"AuthenticationBackend": {
"properties": {
"password_reset": {
"$ref": "#/$defs/AuthenticationBackendPasswordReset",
"title": "Password Reset",
"description": "Allows configuration of the password reset behaviour."
},
"refresh_interval": {
"$ref": "#/$defs/RefreshIntervalDuration",
"title": "Refresh Interval",
"description": "How frequently the user details are refreshed from the backend."
},
"file": {
"$ref": "#/$defs/AuthenticationBackendFile",
"title": "File Backend",
"description": "The file authentication backend configuration."
},
"ldap": {
"$ref": "#/$defs/AuthenticationBackendLDAP",
"title": "LDAP Backend",
"description": "The LDAP authentication backend configuration."
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackend represents the configuration related to the authentication backend."
},
"AuthenticationBackendFile": {
"properties": {
"path": {
"type": "string",
"title": "Path",
"description": "The file path to the user database."
},
"watch": {
"type": "boolean",
"title": "Watch",
"description": "Enables watching the file for external changes and dynamically reloading the database.",
"default": false
},
"password": {
"$ref": "#/$defs/AuthenticationBackendFilePassword",
"title": "Password Options",
"description": "Allows configuration of the password hashing options when the user passwords are changed directly by Authelia."
},
"search": {
"$ref": "#/$defs/AuthenticationBackendFileSearch",
"title": "Search",
"description": "Configures the user searching behaviour."
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFile represents the configuration related to file-based backend."
},
"AuthenticationBackendFilePassword": {
"properties": {
"algorithm": {
"type": "string",
"enum": [
"argon2",
"sha2crypt",
"pbkdf2",
"bcrypt",
"scrypt"
],
"title": "Algorithm",
"description": "The password hashing algorithm to use.",
"default": "argon2"
},
"argon2": {
"$ref": "#/$defs/AuthenticationBackendFilePasswordArgon2",
"title": "Argon2",
"description": "Configure the Argon2 password hashing parameters."
},
"sha2crypt": {
"$ref": "#/$defs/AuthenticationBackendFilePasswordSHA2Crypt",
"title": "SHA2Crypt",
"description": "Configure the SHA2Crypt password hashing parameters."
},
"pbkdf2": {
"$ref": "#/$defs/AuthenticationBackendFilePasswordPBKDF2",
"title": "PBKDF2",
"description": "Configure the PBKDF2 password hashing parameters."
},
"bcrypt": {
"$ref": "#/$defs/AuthenticationBackendFilePasswordBCrypt",
"title": "BCrypt",
"description": "Configure the BCrypt password hashing parameters."
},
"scrypt": {
"$ref": "#/$defs/AuthenticationBackendFilePasswordSCrypt",
"title": "SCrypt",
"description": "Configure the SCrypt password hashing parameters."
},
"iterations": {
"type": "integer",
"title": "Iterations",
"description": "Deprecated: Use individual password options instead.",
"deprecated": true
},
"memory": {
"type": "integer",
"title": "Memory",
"description": "Deprecated: Use individual password options instead.",
"deprecated": true
},
"parallelism": {
"type": "integer",
"title": "Parallelism",
"description": "Deprecated: Use individual password options instead.",
"deprecated": true
},
"key_length": {
"type": "integer",
"title": "Key Length",
"description": "Deprecated: Use individual password options instead.",
"deprecated": true
},
"salt_length": {
"type": "integer",
"title": "Salt Length",
"description": "Deprecated: Use individual password options instead.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFilePassword represents the configuration related to password hashing."
},
"AuthenticationBackendFilePasswordArgon2": {
"properties": {
"variant": {
"type": "string",
"enum": [
"argon2id",
"argon2i",
"argon2d"
],
"title": "Variant",
"description": "The Argon2 variant to be used.",
"default": "argon2id"
},
"iterations": {
"type": "integer",
"title": "Iterations",
"description": "The number of Argon2 iterations (parameter t) to be used.",
"default": 3
},
"memory": {
"type": "integer",
"maximum": 4294967295,
"minimum": 8,
"title": "Memory",
"description": "The Argon2 amount of memory in kibibytes (parameter m) to be used.",
"default": 65536
},
"parallelism": {
"type": "integer",
"maximum": 16777215,
"minimum": 1,
"title": "Parallelism",
"description": "The Argon2 degree of parallelism (parameter p) to be used.",
"default": 4
},
"key_length": {
"type": "integer",
"maximum": 2147483647,
"minimum": 4,
"title": "Key Length",
"description": "The Argon2 key output length.",
"default": 32
},
"salt_length": {
"type": "integer",
"maximum": 2147483647,
"minimum": 1,
"title": "Salt Length",
"description": "The Argon2 salt length.",
"default": 16
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFilePasswordArgon2 represents the argon2 hashing settings."
},
"AuthenticationBackendFilePasswordBCrypt": {
"properties": {
"variant": {
"type": "string",
"enum": [
"standard",
"sha256"
],
"title": "Variant",
"description": "The BCrypt variant to be used.",
"default": "standard"
},
"cost": {
"type": "integer",
"maximum": 31,
"minimum": 10,
"title": "Cost",
"description": "The BCrypt cost to be used.",
"default": 12
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFilePasswordBCrypt represents the bcrypt hashing settings."
},
"AuthenticationBackendFilePasswordPBKDF2": {
"properties": {
"variant": {
"type": "string",
"enum": [
"sha1",
"sha224",
"sha256",
"sha384",
"sha512"
],
"title": "Variant",
"description": "The PBKDF2 variant to be used.",
"default": "sha512"
},
"iterations": {
"type": "integer",
"maximum": 2147483647,
"minimum": 100000,
"title": "Iterations",
"description": "The PBKDF2 iterations to be used.",
"default": 310000
},
"salt_length": {
"type": "integer",
"maximum": 2147483647,
"minimum": 8,
"title": "Salt Length",
"description": "The PBKDF2 salt length to be used.",
"default": 16
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFilePasswordPBKDF2 represents the PBKDF2 hashing settings."
},
"AuthenticationBackendFilePasswordSCrypt": {
"properties": {
"iterations": {
"type": "integer",
"maximum": 58,
"minimum": 1,
"title": "Iterations",
"description": "The SCrypt iterations to be used.",
"default": 16
},
"block_size": {
"type": "integer",
"maximum": 36028797018963967,
"minimum": 1,
"title": "Key Length",
"description": "The SCrypt block size to be used.",
"default": 8
},
"parallelism": {
"type": "integer",
"maximum": 1073741823,
"minimum": 1,
"title": "Key Length",
"description": "The SCrypt parallelism factor to be used.",
"default": 1
},
"key_length": {
"type": "integer",
"maximum": 137438953440,
"minimum": 1,
"title": "Key Length",
"description": "The SCrypt key length to be used.",
"default": 32
},
"salt_length": {
"type": "integer",
"maximum": 1024,
"minimum": 8,
"title": "Salt Length",
"description": "The SCrypt salt length to be used.",
"default": 16
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFilePasswordSCrypt represents the scrypt hashing settings."
},
"AuthenticationBackendFilePasswordSHA2Crypt": {
"properties": {
"variant": {
"type": "string",
"enum": [
"sha256",
"sha512"
],
"title": "Variant",
"description": "The SHA2Crypt variant to be used.",
"default": "sha512"
},
"iterations": {
"type": "integer",
"maximum": 999999999,
"minimum": 1000,
"title": "Iterations",
"description": "The SHA2Crypt iterations (parameter rounds) to be used.",
"default": 50000
},
"salt_length": {
"type": "integer",
"maximum": 16,
"minimum": 1,
"title": "Salt Length",
"description": "The SHA2Crypt salt length to be used.",
"default": 16
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFilePasswordSHA2Crypt represents the sha2crypt hashing settings."
},
"AuthenticationBackendFileSearch": {
"properties": {
"email": {
"type": "boolean",
"title": "Email Searching",
"description": "Allows users to either use their username or their configured email as a username.",
"default": false
},
"case_insensitive": {
"type": "boolean",
"title": "Case Insensitive Searching",
"description": "Allows usernames to be any case during the search.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendFileSearch represents the configuration related to file-based backend searching."
},
"AuthenticationBackendLDAP": {
"properties": {
"address": {
"$ref": "#/$defs/AddressLDAP",
"title": "Address",
"description": "The address of the LDAP directory server."
},
"implementation": {
"type": "string",
"enum": [
"custom",
"activedirectory",
"rfc2307bis",
"freeipa",
"lldap",
"glauth"
],
"title": "Implementation",
"description": "The implementation which mostly decides the default values.",
"default": "custom"
},
"timeout": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Timeout",
"description": "The LDAP directory server connection timeout."
},
"start_tls": {
"type": "boolean",
"title": "StartTLS",
"description": "Enables the use of StartTLS.",
"default": false
},
"tls": {
"$ref": "#/$defs/TLS",
"title": "TLS",
"description": "The LDAP directory server TLS connection properties."
},
"base_dn": {
"type": "string",
"title": "Base DN",
"description": "The base for all directory server operations."
},
"additional_users_dn": {
"type": "string",
"title": "Additional User Base",
"description": "The base in addition to the Base DN for all directory server operations for users."
},
"users_filter": {
"type": "string",
"title": "Users Filter",
"description": "The LDAP filter used to search for user objects."
},
"additional_groups_dn": {
"type": "string",
"title": "Additional Group Base",
"description": "The base in addition to the Base DN for all directory server operations for groups."
},
"groups_filter": {
"type": "string",
"title": "Groups Filter",
"description": "The LDAP filter used to search for group objects."
},
"group_search_mode": {
"type": "string",
"enum": [
"filter",
"memberof"
],
"title": "Groups Search Mode",
"description": "The LDAP group search mode used to search for group objects.",
"default": "filter"
},
"attributes": {
"$ref": "#/$defs/AuthenticationBackendLDAPAttributes"
},
"permit_referrals": {
"type": "boolean",
"title": "Permit Referrals",
"description": "Enables chasing LDAP referrals.",
"default": false
},
"permit_unauthenticated_bind": {
"type": "boolean",
"title": "Permit Unauthenticated Bind",
"description": "Enables omission of the password to perform an unauthenticated bind.",
"default": false
},
"permit_feature_detection_failure": {
"type": "boolean",
"title": "Permit Feature Detection Failure",
"description": "Enables failures when detecting directory server features using the Root DSE lookup.",
"default": false
},
"user": {
"type": "string",
"title": "User",
"description": "The user distinguished name for LDAP binding."
},
"password": {
"type": "string",
"title": "Password",
"description": "The password for LDAP authenticated binding."
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendLDAP represents the configuration related to LDAP server."
},
"AuthenticationBackendLDAPAttributes": {
"properties": {
"distinguished_name": {
"type": "string",
"title": "Attribute: Distinguished Name",
"description": "The directory server attribute which contains the distinguished name for all objects."
},
"username": {
"type": "string",
"title": "Attribute: User Username",
"description": "The directory server attribute which contains the username for all users."
},
"display_name": {
"type": "string",
"title": "Attribute: User Display Name",
"description": "The directory server attribute which contains the display name for all users."
},
"mail": {
"type": "string",
"title": "Attribute: User Mail",
"description": "The directory server attribute which contains the mail address for all users and groups."
},
"MemberOf": {
"type": "string",
"title": "Attribute: Member Of",
"description": "The directory server attribute which contains the objects that an object is a member of."
},
"group_name": {
"type": "string",
"title": "Attribute: Group Name",
"description": "The directory server attribute which contains the group name for all groups."
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes."
},
"AuthenticationBackendPasswordReset": {
"properties": {
"disable": {
"type": "boolean",
"title": "Disable",
"description": "Disables the Password Reset option.",
"default": false
},
"custom_url": {
"type": "string",
"format": "uri",
"title": "Custom URL",
"description": "Disables the internal Password Reset option and instead redirects users to this specified URL."
}
},
"additionalProperties": false,
"type": "object",
"description": "AuthenticationBackendPasswordReset represents the configuration related to password reset functionality."
},
"Configuration": {
"properties": {
"theme": {
"type": "string",
"enum": [
"auto",
"light",
"dark",
"grey"
],
"title": "Theme Name",
"description": "The name of the theme to apply to the web UI.",
"default": "light"
},
"certificates_directory": {
"type": "string",
"title": "Certificates Directory Path",
"description": "The path to a directory which is used to determine the certificates that are trusted."
},
"default_2fa_method": {
"type": "string",
"enum": [
"totp",
"webauthn",
"mobile_push"
],
"title": "Default 2FA method",
"description": "When a user logs in for the first time this is the 2FA method configured for them."
},
"log": {
"$ref": "#/$defs/Log",
"title": "Log",
"description": "Logging Configuration."
},
"identity_providers": {
"$ref": "#/$defs/IdentityProviders",
"title": "Identity Providers",
"description": "Identity Providers Configuration."
},
"authentication_backend": {
"$ref": "#/$defs/AuthenticationBackend",
"title": "Authentication Backend",
"description": "Authentication Backend Configuration."
},
"session": {
"$ref": "#/$defs/Session",
"title": "Session",
"description": "Session Configuration."
},
"totp": {
"$ref": "#/$defs/TOTP",
"title": "TOTP",
"description": "Time-based One-Time Password Configuration."
},
"duo_api": {
"$ref": "#/$defs/DuoAPI",
"title": "Duo API",
"description": "Duo API Configuration."
},
"access_control": {
"$ref": "#/$defs/AccessControl",
"title": "Access Control",
"description": "Access Control Configuration."
},
"ntp": {
"$ref": "#/$defs/NTP",
"title": "NTP",
"description": "Network Time Protocol Configuration."
},
"regulation": {
"$ref": "#/$defs/Regulation",
"title": "Regulation",
"description": "Regulation Configuration."
},
"storage": {
"$ref": "#/$defs/Storage",
"title": "Storage",
"description": "Storage Configuration."
},
"notifier": {
"$ref": "#/$defs/Notifier",
"title": "Notifier",
"description": "Notifier Configuration."
},
"server": {
"$ref": "#/$defs/Server",
"title": "Server",
"description": "Server Configuration."
},
"telemetry": {
"$ref": "#/$defs/Telemetry",
"title": "Telemetry",
"description": "Telemetry Configuration."
},
"webauthn": {
"$ref": "#/$defs/WebAuthn",
"title": "WebAuthn",
"description": "WebAuthn Configuration."
},
"password_policy": {
"$ref": "#/$defs/PasswordPolicy",
"title": "Password Policy",
"description": "Password Policy Configuration."
},
"privacy_policy": {
"$ref": "#/$defs/PrivacyPolicy",
"title": "Privacy Policy",
"description": "Privacy Policy Configuration."
},
"identity_validation": {
"$ref": "#/$defs/IdentityValidation",
"title": "Identity Validation",
"description": "Identity Validation Configuration."
},
"default_redirection_url": {
"type": "string",
"format": "uri",
"title": "The default redirection URL",
"description": "Deprecated: Use the session cookies option with the same name instead.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "Configuration object extracted from YAML configuration file."
},
"DuoAPI": {
"properties": {
"disable": {
"type": "boolean",
"title": "Disable",
"description": "Disable the Duo API integration.",
"default": false
},
"hostname": {
"type": "string",
"format": "hostname",
"title": "Hostname",
"description": "The Hostname provided by your Duo API dashboard."
},
"integration_key": {
"type": "string",
"title": "Integration Key",
"description": "The Integration Key provided by your Duo API dashboard."
},
"secret_key": {
"type": "string",
"title": "Secret Key",
"description": "The Secret Key provided by your Duo API dashboard."
},
"enable_self_enrollment": {
"type": "boolean",
"title": "Enable Self Enrollment",
"description": "Enable the Self Enrollment flow.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "DuoAPI represents the configuration related to Duo API."
},
"IdentityProviders": {
"properties": {
"oidc": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnect"
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProviders represents the Identity Providers configuration for Authelia."
},
"IdentityProvidersOpenIDConnect": {
"properties": {
"hmac_secret": {
"type": "string",
"title": "HMAC Secret",
"description": "The HMAC Secret used to sign Access Tokens."
},
"jwks": {
"items": {
"$ref": "#/$defs/JWK"
},
"type": "array",
"title": "Issuer JSON Web Keys",
"description": "The JWK's which are to be used to sign various objects like ID Tokens."
},
"enable_client_debug_messages": {
"type": "boolean",
"title": "Enable Client Debug Messages",
"description": "Enables additional debug messages for clients.",
"default": false
},
"minimum_parameter_entropy": {
"type": "integer",
"minimum": -1,
"title": "Minimum Parameter Entropy",
"description": "The minimum entropy of the nonce parameter.",
"default": 8
},
"enforce_pkce": {
"type": "string",
"enum": [
"public_clients_only",
"never",
"always"
],
"title": "Enforce PKCE",
"description": "Controls enforcement of the use of Proof Key for Code Exchange on all clients.",
"default": "public_clients_only"
},
"enable_pkce_plain_challenge": {
"type": "boolean",
"title": "Enable PKCE Plain Challenge",
"description": "Enables use of the discouraged plain Proof Key for Code Exchange challenges.",
"default": false
},
"enable_jwt_access_token_stateless_introspection": {
"type": "boolean",
"title": "Enable JWT Access Token Stateless Introspection",
"description": "Allows the use of stateless introspection of JWT Access Tokens which is not recommended."
},
"discovery_signed_response_alg": {
"type": "string",
"enum": [
"none",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Discovery Response Signing Algorithm",
"description": "The Algorithm this provider uses to sign the Discovery and Metadata Document responses.",
"default": "none"
},
"discovery_signed_response_key_id": {
"type": "string",
"title": "Discovery Response Signing Key ID",
"description": "The Key ID this provider uses to sign the Discovery and Metadata Document responses (overrides the 'discovery_signed_response_alg')."
},
"require_pushed_authorization_requests": {
"type": "boolean",
"title": "Require Pushed Authorization Requests",
"description": "Requires Pushed Authorization Requests for all clients for this Issuer."
},
"cors": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectCORS",
"title": "CORS",
"description": "Configuration options for Cross-Origin Request Sharing."
},
"clients": {
"items": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectClient"
},
"type": "array",
"title": "Clients",
"description": "OpenID Connect 1.0 clients registry."
},
"authorization_policies": {
"patternProperties": {
".*": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectPolicy"
}
},
"type": "object",
"title": "Authorization Policies",
"description": "Custom client authorization policies."
},
"lifespans": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespans",
"title": "Lifespans",
"description": "Token lifespans configuration."
},
"issuer_certificate_chain": {
"$ref": "#/$defs/X509CertificateChain",
"title": "Issuer Certificate Chain",
"description": "The Issuer Certificate Chain with an RSA Public Key used to sign ID Tokens.",
"deprecated": true
},
"issuer_private_key": {
"type": "string",
"pattern": "^-{5}(BEGIN (RSA )?PRIVATE KEY-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END (RSA )?PRIVATE KEY-{5}\\n?)+$",
"title": "Issuer Private Key",
"description": "The Issuer Private Key with an RSA Private Key used to sign ID Tokens.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnect represents the configuration for OpenID Connect 1.0."
},
"IdentityProvidersOpenIDConnectCORS": {
"properties": {
"endpoints": {
"items": {
"type": "string",
"enum": [
"authorization",
"pushed-authorization-request",
"token",
"introspection",
"revocation",
"userinfo"
]
},
"type": "array",
"uniqueItems": true,
"title": "Endpoints",
"description": "List of endpoints to enable CORS handling for."
},
"allowed_origins": {
"items": {
"type": "string",
"format": "uri"
},
"type": "array",
"title": "Allowed Origins",
"description": "List of arbitrary allowed origins for CORS requests."
},
"allowed_origins_from_client_redirect_uris": {
"type": "boolean",
"title": "Allowed Origins From Client Redirect URIs",
"description": "Automatically include the redirect URIs from the registered clients.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnectCORS represents an OpenID Connect 1.0 CORS config."
},
"IdentityProvidersOpenIDConnectClient": {
"properties": {
"client_id": {
"type": "string",
"minLength": 1,
"title": "Client ID",
"description": "The Client ID."
},
"client_name": {
"type": "string",
"title": "Client Name",
"description": "The Client Name displayed to End-Users."
},
"client_secret": {
"$ref": "#/$defs/PasswordDigest",
"title": "Client Secret",
"description": "The Client Secret for Client Authentication."
},
"sector_identifier_uri": {
"type": "string",
"format": "uri",
"title": "Sector Identifier URI",
"description": "The Client Sector Identifier URI for Privacy Isolation via Pairwise subject types."
},
"public": {
"type": "boolean",
"title": "Public",
"description": "Enables the Public Client Type.",
"default": false
},
"redirect_uris": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectClientURIs",
"title": "Redirect URIs",
"description": "List of whitelisted redirect URIs."
},
"request_uris": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectClientURIs",
"title": "Request URIs",
"description": "List of whitelisted request URIs."
},
"audience": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true,
"title": "Audience",
"description": "List of authorized audiences."
},
"scopes": {
"items": {
"type": "string",
"enum": [
"openid",
"offline_access",
"groups",
"email",
"profile",
"authelia.bearer.authz"
]
},
"type": "array",
"uniqueItems": true,
"title": "Scopes",
"description": "The Scopes this client is allowed request and be granted."
},
"grant_types": {
"items": {
"type": "string",
"enum": [
"authorization_code",
"implicit",
"refresh_token",
"client_credentials"
]
},
"type": "array",
"uniqueItems": true,
"title": "Grant Types",
"description": "The Grant Types this client is allowed to use for the protected endpoints."
},
"response_types": {
"items": {
"type": "string",
"enum": [
"code",
"id_token token",
"id_token",
"token",
"code token",
"code id_token",
"code id_token token"
]
},
"type": "array",
"uniqueItems": true,
"title": "Response Types",
"description": "The Response Types the client is authorized to request."
},
"response_modes": {
"items": {
"type": "string",
"enum": [
"form_post",
"form_post.jwt",
"query",
"query.jwt",
"fragment",
"fragment.jwt",
"jwt"
]
},
"type": "array",
"uniqueItems": true,
"title": "Response Modes",
"description": "The Response Modes this client is authorized request."
},
"authorization_policy": {
"type": "string",
"title": "Authorization Policy",
"description": "The Authorization Policy to apply to this client."
},
"lifespan": {
"type": "string",
"title": "Lifespan Name",
"description": "The name of the custom lifespan to utilize for this client."
},
"requested_audience_mode": {
"type": "string",
"enum": [
"explicit",
"implicit"
],
"title": "Requested Audience Mode",
"description": "The Requested Audience Mode used for this client."
},
"consent_mode": {
"type": "string",
"enum": [
"auto",
"explicit",
"implicit",
"pre-configured"
],
"title": "Consent Mode",
"description": "The Consent Mode used for this client."
},
"pre_configured_consent_duration": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Pre-Configured Consent Duration",
"description": "The Pre-Configured Consent Duration when using Consent Mode pre-configured for this client."
},
"require_pushed_authorization_requests": {
"type": "boolean",
"title": "Require Pushed Authorization Requests",
"description": "Requires Pushed Authorization Requests for this client to perform an authorization.",
"default": false
},
"require_pkce": {
"type": "boolean",
"title": "Require PKCE",
"description": "Requires a Proof Key for this client to perform Code Exchange.",
"default": false
},
"pkce_challenge_method": {
"type": "string",
"enum": [
"plain",
"S256"
],
"title": "PKCE Challenge Method",
"description": "The PKCE Challenge Method enforced on this client."
},
"authorization_signed_response_alg": {
"type": "string",
"enum": [
"none",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Authorization Response Signing Algorithm",
"description": "The Authorization Endpoint Signing Algorithm this client uses.",
"default": "none"
},
"authorization_signed_response_key_id": {
"type": "string",
"title": "Authorization Response Signing Key ID",
"description": "The Key ID this client uses to sign the Authorization responses (overrides the 'authorization_signed_response_alg')."
},
"id_token_signed_response_alg": {
"type": "string",
"enum": [
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "ID Token Signing Algorithm",
"description": "The algorithm (JWA) this client uses to sign ID Tokens.",
"default": "RS256"
},
"id_token_signed_response_key_id": {
"type": "string",
"title": "ID Token Signing Key ID",
"description": "The Key ID this client uses to sign ID Tokens (overrides the 'id_token_signing_alg')."
},
"access_token_signed_response_alg": {
"type": "string",
"enum": [
"none",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Access Token Signing Algorithm",
"description": "The algorithm (JWA) this client uses to sign Access Tokens.",
"default": "none"
},
"access_token_signed_response_key_id": {
"type": "string",
"title": "Access Token Signing Key ID",
"description": "The Key ID this client uses to sign Access Tokens (overrides the 'access_token_signed_response_alg')."
},
"userinfo_signed_response_alg": {
"type": "string",
"enum": [
"none",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "UserInfo Response Signing Algorithm",
"description": "The UserInfo Endpoint Signing Algorithm this client uses.",
"default": "none"
},
"userinfo_signed_response_key_id": {
"type": "string",
"title": "UserInfo Response Signing Key ID",
"description": "The Key ID this client uses to sign the UserInfo responses (overrides the 'userinfo_signed_response_alg')."
},
"introspection_signed_response_alg": {
"type": "string",
"enum": [
"none",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Introspection Response Signing Algorithm",
"description": "The Introspection Endpoint Signing Algorithm this client uses.",
"default": "none"
},
"introspection_signed_response_key_id": {
"type": "string",
"title": "Introspection Response Signing Key ID",
"description": "The Key ID this client uses to sign the Introspection responses (overrides the 'introspection_signed_response_alg')."
},
"request_object_signing_alg": {
"type": "string",
"enum": [
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Request Object Signing Algorithm",
"description": "The Request Object Signing Algorithm the provider accepts for this client."
},
"token_endpoint_auth_signing_alg": {
"type": "string",
"enum": [
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Token Endpoint Auth Signing Algorithm",
"description": "The Token Endpoint Auth Signing Algorithm the provider accepts for this client."
},
"token_endpoint_auth_method": {
"type": "string",
"enum": [
"none",
"client_secret_post",
"client_secret_basic",
"private_key_jwt",
"client_secret_jwt"
],
"title": "Token Endpoint Auth Method",
"description": "The Token Endpoint Auth Method enforced by the provider for this client."
},
"allow_multiple_auth_methods": {
"type": "boolean",
"title": "Allow Multiple Authentication Methods",
"description": "Permits this registered client to accept misbehaving clients which use a broad authentication approach. This is not standards complaint, use at your own security risk."
},
"jwks_uri": {
"type": "string",
"format": "uri",
"title": "JSON Web Keys URI",
"description": "URI of the JWKS endpoint which contains the Public Keys used to validate request objects and the 'private_key_jwt' client authentication method for this client."
},
"jwks": {
"items": {
"$ref": "#/$defs/JWK"
},
"type": "array",
"title": "JSON Web Keys",
"description": "List of arbitrary Public Keys used to validate request objects and the 'private_key_jwt' client authentication method for this client."
}
},
"additionalProperties": false,
"type": "object",
"required": [
"client_id",
"scopes"
],
"description": "IdentityProvidersOpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client."
},
"IdentityProvidersOpenIDConnectClientURIs": {
"oneOf": [
{
"type": "string",
"format": "uri"
},
{
"items": {
"type": "string",
"format": "uri"
},
"type": "array",
"uniqueItems": true
}
]
},
"IdentityProvidersOpenIDConnectLifespan": {
"properties": {
"access_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Access Token Lifespan",
"description": "The duration an Access Token is valid for."
},
"authorize_code": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Authorize Code Lifespan",
"description": "The duration an Authorization Code is valid for."
},
"id_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "ID Token Lifespan",
"description": "The duration an ID Token is valid for."
},
"refresh_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Refresh Token Lifespan",
"description": "The duration a Refresh Token is valid for."
},
"grants": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespanGrants",
"title": "Grant Types",
"description": "Allows tuning the token lifespans for individual grant types."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnectLifespan allows tuning the lifespans for OpenID Connect 1.0 issued tokens."
},
"IdentityProvidersOpenIDConnectLifespanGrants": {
"properties": {
"authorize_code": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespanToken",
"title": "Authorize Code Grant",
"description": "Allows tuning the token lifespans for the authorize code grant."
},
"implicit": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespanToken",
"title": "Implicit Grant",
"description": "Allows tuning the token lifespans for the implicit flow and grant."
},
"client_credentials": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespanToken",
"title": "Client Credentials Grant",
"description": "Allows tuning the token lifespans for the client credentials grant."
},
"refresh_token": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespanToken",
"title": "Refresh Token Grant",
"description": "Allows tuning the token lifespans for the refresh token grant."
},
"jwt_bearer": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespanToken",
"title": "JWT Bearer Grant",
"description": "Allows tuning the token lifespans for the JWT bearer grant."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnectLifespanGrants allows tuning the lifespans for each grant type."
},
"IdentityProvidersOpenIDConnectLifespanToken": {
"properties": {
"access_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Access Token Lifespan",
"description": "The duration an Access Token is valid for."
},
"authorize_code": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Authorize Code Lifespan",
"description": "The duration an Authorization Code is valid for."
},
"id_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "ID Token Lifespan",
"description": "The duration an ID Token is valid for."
},
"refresh_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Refresh Token Lifespan",
"description": "The duration a Refresh Token is valid for."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnectLifespanToken allows tuning the lifespans for each token type."
},
"IdentityProvidersOpenIDConnectLifespans": {
"properties": {
"access_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Access Token Lifespan",
"description": "The duration an Access Token is valid for."
},
"authorize_code": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Authorize Code Lifespan",
"description": "The duration an Authorization Code is valid for."
},
"id_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "ID Token Lifespan",
"description": "The duration an ID Token is valid for."
},
"refresh_token": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Refresh Token Lifespan",
"description": "The duration a Refresh Token is valid for."
},
"jwt_secured_authorization": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "JARM",
"description": "Allows tuning the token lifespan for the JWT Secured Authorization Response Mode (JARM)."
},
"custom": {
"patternProperties": {
".*": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectLifespan"
}
},
"type": "object",
"title": "Custom Lifespans",
"description": "Allows creating custom lifespans to be used by individual clients."
}
},
"additionalProperties": false,
"type": "object"
},
"IdentityProvidersOpenIDConnectPolicy": {
"properties": {
"default_policy": {
"type": "string",
"enum": [
"one_factor",
"two_factor",
"deny"
],
"title": "Default Policy",
"description": "The default policy action for this policy."
},
"rules": {
"items": {
"$ref": "#/$defs/IdentityProvidersOpenIDConnectPolicyRule"
},
"type": "array",
"title": "Rules",
"description": "The list of rules for this policy."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnectPolicy configuration for OpenID Connect 1.0 authorization policies."
},
"IdentityProvidersOpenIDConnectPolicyRule": {
"properties": {
"policy": {
"type": "string",
"enum": [
"one_factor",
"two_factor",
"deny"
],
"title": "Policy",
"description": "The policy to apply to this rule."
},
"subject": {
"$ref": "#/$defs/AccessControlRuleSubjects",
"title": "Subject",
"description": "Allows tuning the token lifespans for the authorize code grant."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityProvidersOpenIDConnectPolicyRule configuration for OpenID Connect 1.0 authorization policies rules."
},
"IdentityValidation": {
"properties": {
"reset_password": {
"$ref": "#/$defs/IdentityValidationResetPassword",
"title": "Reset Password",
"description": "Identity Validation options for the Reset Password flow."
},
"elevated_session": {
"$ref": "#/$defs/IdentityValidationElevatedSession",
"title": "Elevated Session",
"description": "Identity Validation options for obtaining an Elevated Session for flows such as the Credential Management flows."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityValidation represents the configuration for identity verification actions/flows."
},
"IdentityValidationElevatedSession": {
"properties": {
"code_lifespan": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Code Lifespan",
"description": "The lifespan of the randomly generated One Time Code after which it's considered invalid."
},
"elevation_lifespan": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Elevation Lifespan",
"description": "The lifespan of the elevation after initially validating the One-Time Code before it expires."
},
"otp_characters": {
"type": "integer",
"maximum": 12,
"minimum": 6,
"title": "OTP Characters",
"description": "Number of characters in the generated OTP codes.",
"default": 8
},
"require_second_factor": {
"type": "boolean",
"title": "Require Second Factor",
"description": "Requires the user use a second factor if they have any known second factor methods.",
"default": false
},
"skip_second_factor": {
"type": "boolean",
"title": "Skip Second Factor",
"description": "Skips the primary identity verification process if the user has authenticated with a second factor.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityValidationElevatedSession represents the tunable aspects of the credential control identity verification action/flow."
},
"IdentityValidationResetPassword": {
"properties": {
"jwt_lifespan": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "JWT Lifespan",
"description": "The lifespan of the JSON Web Token after it's initially generated after which it's considered invalid."
},
"jwt_algorithm": {
"type": "string",
"enum": [
"HS256",
"HS384",
"HS512"
],
"title": "JWT Algorithm",
"description": "The JSON Web Token Algorithm (JWA) used to sign the Reset Password flow JSON Web Token's.",
"default": "HS256"
},
"jwt_secret": {
"type": "string",
"title": "JWT Secret",
"description": "The secret key used to sign the Reset Password flow JSON Web Token's."
}
},
"additionalProperties": false,
"type": "object",
"description": "IdentityValidationResetPassword represents the tunable aspects of the reset password identity verification action/flow."
},
"JWK": {
"properties": {
"key_id": {
"type": "string",
"maxLength": 100,
"title": "Key ID",
"description": "The ID of this JWK."
},
"use": {
"type": "string",
"enum": [
"sig"
],
"title": "Use",
"description": "The Use of this JWK.",
"default": "sig"
},
"algorithm": {
"type": "string",
"enum": [
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512"
],
"title": "Algorithm",
"description": "The Algorithm of this JWK."
},
"key": {
"type": "string",
"pattern": "^-{5}BEGIN (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END (((RSA|EC) )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-{5}\\n?$",
"description": "The Private/Public key material of this JWK in Base64 PEM format."
},
"certificate_chain": {
"$ref": "#/$defs/X509CertificateChain",
"title": "Certificate Chain",
"description": "The optional associated certificate which matches the Key public key portion for this JWK."
}
},
"additionalProperties": false,
"type": "object",
"description": "JWK represents a JWK."
},
"Log": {
"properties": {
"level": {
"type": "string",
"enum": [
"error",
"warn",
"info",
"debug",
"trace"
],
"title": "Level",
"description": "The minimum Level a Log message must be before it's added to the log."
},
"format": {
"type": "string",
"enum": [
"json",
"text"
],
"title": "Format",
"description": "The Format of Log messages."
},
"file_path": {
"type": "string",
"title": "File Path",
"description": "The File Path to save the logs to instead of sending them to stdout, it's strongly recommended this option is only enabled with 'keep_stdout' also enabled."
},
"keep_stdout": {
"type": "boolean",
"title": "Keep Stdout",
"description": "Enables keeping stdout when using the File Path option.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "Log represents the logging configuration."
},
"NTP": {
"properties": {
"address": {
"$ref": "#/$defs/AddressUDP",
"title": "NTP Address",
"description": "The remote address of the NTP server."
},
"version": {
"type": "integer",
"enum": [
3,
4
],
"title": "NTP Version",
"description": "The NTP Version to use."
},
"max_desync": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Maximum Desync",
"description": "The maximum amount of time that the server can be out of sync."
},
"disable_startup_check": {
"type": "boolean",
"title": "Disable Startup Check",
"description": "Disables the NTP Startup Check entirely.",
"default": false
},
"disable_failure": {
"type": "boolean",
"title": "Disable Failure",
"description": "Disables complete failure whe the Startup Check fails and instead just logs the error.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "NTP represents the configuration related to ntp server."
},
"Notifier": {
"properties": {
"disable_startup_check": {
"type": "boolean",
"title": "Disable Startup Check",
"description": "Disables the notifier startup checks.",
"default": false
},
"filesystem": {
"$ref": "#/$defs/NotifierFileSystem",
"title": "File System",
"description": "The File System notifier."
},
"smtp": {
"$ref": "#/$defs/NotifierSMTP",
"title": "SMTP",
"description": "The SMTP notifier."
},
"template_path": {
"type": "string",
"title": "Template Path",
"description": "The path for notifier template overrides."
}
},
"additionalProperties": false,
"type": "object",
"description": "Notifier represents the configuration of the notifier to use when sending notifications to users."
},
"NotifierFileSystem": {
"properties": {
"filename": {
"type": "string",
"title": "Filename",
"description": "The file path of the notifications."
}
},
"additionalProperties": false,
"type": "object",
"description": "NotifierFileSystem represents the configuration of the notifier writing emails in a file."
},
"NotifierSMTP": {
"properties": {
"address": {
"$ref": "#/$defs/AddressSMTP",
"title": "Address",
"description": "The SMTP server address."
},
"timeout": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Timeout",
"description": "The SMTP server connection timeout."
},
"username": {
"type": "string",
"title": "Username",
"description": "The username for SMTP authentication."
},
"password": {
"type": "string",
"title": "Password",
"description": "The password for SMTP authentication."
},
"identifier": {
"type": "string",
"title": "Identifier",
"description": "The identifier used during the HELO/EHLO command.",
"default": "localhost"
},
"sender": {
"type": "string",
"format": "email",
"title": "Sender",
"description": "The sender used for SMTP."
},
"subject": {
"type": "string",
"title": "Subject",
"description": "The subject format used.",
"default": "[Authelia] {title}"
},
"startup_check_address": {
"type": "string",
"format": "email",
"title": "Startup Check Address",
"description": "The address used for the recipient in the startup check.",
"default": "Authelia Test \u003ctest@authelia.com\u003e"
},
"disable_require_tls": {
"type": "boolean",
"title": "Disable Require TLS",
"description": "Disables the requirement to use TLS.",
"default": false
},
"disable_html_emails": {
"type": "boolean",
"title": "Disable HTML Emails",
"description": "Disables the mixed content type of emails and only sends the plaintext version.",
"default": false
},
"disable_starttls": {
"type": "boolean",
"title": "Disable StartTLS",
"description": "Disables the opportunistic StartTLS functionality which is useful for bad SMTP servers which advertise support for it but don't actually support it.",
"default": false
},
"tls": {
"$ref": "#/$defs/TLS",
"title": "TLS",
"description": "The SMTP server TLS connection properties."
},
"host": {
"type": "string",
"description": "Deprecated: use address instead.",
"deprecated": true
},
"port": {
"type": "integer",
"description": "Deprecated: use address instead.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "NotifierSMTP represents the configuration of the SMTP server to send emails with."
},
"PasswordDigest": {
"type": "string",
"pattern": "^\\$((argon2(id|i|d)\\$v=19\\$m=\\d+,t=\\d+,p=\\d+|scrypt\\$ln=\\d+,r=\\d+,p=\\d+)\\$[a-zA-Z0-9\\/+]+\\$[a-zA-Z0-9\\/+]+|pbkdf2(-sha(224|256|384|512))?\\$\\d+\\$[a-zA-Z0-9\\/.]+\\$[a-zA-Z0-9\\/.]+|bcrypt-sha256\\$v=2,t=2b,r=\\d+\\$[a-zA-Z0-9\\/.]+\\$[a-zA-Z0-9\\/.]+|2(a|b|y)?\\$\\d+\\$[a-zA-Z0-9.\\/]+|(5|6)\\$rounds=\\d+\\$[a-zA-Z0-9.\\/]+\\$[a-zA-Z0-9.\\/]+|plaintext\\$.+|base64\\$[a-zA-Z0-9.=\\/]+)$"
},
"PasswordPolicy": {
"properties": {
"standard": {
"$ref": "#/$defs/PasswordPolicyStandard",
"title": "Standard",
"description": "The standard password policy engine."
},
"zxcvbn": {
"$ref": "#/$defs/PasswordPolicyZXCVBN",
"title": "ZXCVBN",
"description": "The ZXCVBN password policy engine."
}
},
"additionalProperties": false,
"type": "object",
"description": "PasswordPolicy represents the configuration related to password policy."
},
"PasswordPolicyStandard": {
"properties": {
"enabled": {
"type": "boolean",
"title": "Enabled",
"description": "Enables the standard password policy engine.",
"default": false
},
"min_length": {
"type": "integer",
"title": "Minimum Length",
"description": "Minimum password length."
},
"max_length": {
"type": "integer",
"title": "Maximum Length",
"description": "Maximum password length.",
"default": 8
},
"require_uppercase": {
"type": "boolean",
"title": "Require Uppercase",
"description": "Require uppercase characters.",
"default": false
},
"require_lowercase": {
"type": "boolean",
"title": "Require Lowercase",
"description": "Require lowercase characters.",
"default": false
},
"require_number": {
"type": "boolean",
"title": "Require Number",
"description": "Require numeric characters.",
"default": false
},
"require_special": {
"type": "boolean",
"title": "Require Special",
"description": "Require symbolic characters.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "PasswordPolicyStandard represents the configuration related to standard parameters of password policy."
},
"PasswordPolicyZXCVBN": {
"properties": {
"enabled": {
"type": "boolean",
"title": "Enabled",
"description": "Enables the ZXCVBN password policy engine.",
"default": false
},
"min_score": {
"type": "integer",
"title": "Minimum Score",
"description": "The minimum ZXCVBN score allowed.",
"default": 3
}
},
"additionalProperties": false,
"type": "object",
"description": "PasswordPolicyZXCVBN represents the configuration related to ZXCVBN parameters of password policy."
},
"PrivacyPolicy": {
"properties": {
"enabled": {
"type": "boolean",
"title": "Enabled",
"description": "Enables the Privacy Policy functionality.",
"default": false
},
"require_user_acceptance": {
"type": "boolean",
"title": "Require User Acceptance",
"description": "Enables the requirement for users to accept the policy.",
"default": false
},
"policy_url": {
"type": "string",
"format": "uri",
"title": "Policy URL",
"description": "The URL of the privacy policy."
}
},
"additionalProperties": false,
"type": "object",
"description": "PrivacyPolicy is the privacy policy configuration."
},
"RefreshIntervalDuration": {
"oneOf": [
{
"type": "string",
"enum": [
"always",
"never"
]
},
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"default": "5 minutes"
},
"Regulation": {
"properties": {
"max_retries": {
"type": "integer",
"title": "Maximum Retries",
"description": "The maximum number of failed attempts permitted before banning a user.",
"default": 3
},
"find_time": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Find Time",
"description": "The amount of time to consider when determining the number of failed attempts."
},
"ban_time": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Ban Time",
"description": "The amount of time to ban the user for when it's determined the maximum retries has been exceeded."
}
},
"additionalProperties": false,
"type": "object",
"description": "Regulation represents the configuration related to regulation."
},
"Server": {
"properties": {
"address": {
"$ref": "#/$defs/AddressTCP",
"title": "Address",
"description": "The address to listen on."
},
"asset_path": {
"type": "string",
"title": "Asset Path",
"description": "The directory where the server asset overrides reside."
},
"disable_healthcheck": {
"type": "boolean",
"title": "Disable Healthcheck",
"description": "Disables the healthcheck functionality.",
"default": false
},
"tls": {
"$ref": "#/$defs/ServerTLS",
"title": "TLS",
"description": "The server TLS configuration."
},
"headers": {
"$ref": "#/$defs/ServerHeaders",
"title": "Headers",
"description": "The server headers configuration."
},
"endpoints": {
"$ref": "#/$defs/ServerEndpoints",
"title": "Endpoints",
"description": "The server endpoints configuration."
},
"buffers": {
"$ref": "#/$defs/ServerBuffers",
"title": "Buffers",
"description": "The server buffers configuration."
},
"timeouts": {
"$ref": "#/$defs/ServerTimeouts",
"title": "Timeouts",
"description": "The server timeouts configuration."
}
},
"additionalProperties": false,
"type": "object",
"description": "Server represents the configuration of the http server."
},
"ServerBuffers": {
"properties": {
"read": {
"type": "integer",
"title": "Read",
"description": "The read buffer size.",
"default": 4096
},
"write": {
"type": "integer",
"title": "Write",
"description": "The write buffer size.",
"default": 4096
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerBuffers represents server buffer configurations."
},
"ServerEndpoints": {
"properties": {
"enable_pprof": {
"type": "boolean",
"title": "Enable PProf",
"description": "Enables the developer specific pprof endpoints which should not be used in production and only used for debugging purposes.",
"default": false
},
"enable_expvars": {
"type": "boolean",
"title": "Enable ExpVars",
"description": "Enables the developer specific ExpVars endpoints which should not be used in production and only used for debugging purposes.",
"default": false
},
"authz": {
"patternProperties": {
".*": {
"$ref": "#/$defs/ServerEndpointsAuthz"
}
},
"type": "object",
"title": "Authz",
"description": "Configures the Authorization endpoints."
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerEndpoints is the endpoints configuration for the HTTP server."
},
"ServerEndpointsAuthz": {
"properties": {
"implementation": {
"type": "string",
"enum": [
"ForwardAuth",
"AuthRequest",
"ExtAuthz",
"Legacy"
],
"title": "Implementation",
"description": "The specific Authorization implementation to use for this endpoint."
},
"authn_strategies": {
"items": {
"$ref": "#/$defs/ServerEndpointsAuthzAuthnStrategy"
},
"type": "array",
"title": "Authn Strategies",
"description": "The specific Authorization strategies to use for this endpoint."
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerEndpointsAuthz is the Authz endpoints configuration for the HTTP server."
},
"ServerEndpointsAuthzAuthnStrategy": {
"properties": {
"name": {
"type": "string",
"enum": [
"HeaderAuthorization",
"HeaderProxyAuthorization",
"HeaderAuthRequestProxyAuthorization",
"HeaderLegacy",
"CookieSession"
],
"title": "Name",
"description": "The name of the Authorization strategy to use."
},
"schemes": {
"items": {
"type": "string",
"enum": [
"basic",
"bearer"
]
},
"type": "array",
"title": "Authorization Schemes",
"description": "The name of the authorization schemes to allow with the header strategies.",
"default": [
"basic"
]
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerEndpointsAuthzAuthnStrategy is the Authz endpoints configuration for the HTTP server."
},
"ServerHeaders": {
"properties": {
"csp_template": {
"type": "string",
"title": "CSP Template",
"description": "The Content Security Policy template.",
"default": "default-src 'self'; frame-src 'none'; object-src 'none'; style-src 'self' 'nonce-%s'; frame-ancestors 'none'; base-uri 'self'"
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerHeaders represents the customization of the http server headers."
},
"ServerTLS": {
"properties": {
"certificate": {
"type": "string",
"title": "Certificate",
"description": "Path to the Certificate."
},
"key": {
"type": "string",
"title": "Key",
"description": "Path to the Private Key."
},
"client_certificates": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true,
"title": "Client Certificates",
"description": "Path to the Client Certificates to trust for mTLS."
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerTLS represents the configuration of the http servers TLS options."
},
"ServerTimeouts": {
"properties": {
"read": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Read",
"description": "The read timeout."
},
"write": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Write",
"description": "The write timeout."
},
"idle": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Idle",
"description": "The idle timeout."
}
},
"additionalProperties": false,
"type": "object",
"description": "ServerTimeouts represents server timeout configurations."
},
"Session": {
"properties": {
"name": {
"type": "string",
"description": "The session cookie name.",
"default": "authelia_session"
},
"same_site": {
"type": "string",
"enum": [
"lax",
"strict",
"none"
],
"description": "The session cookie same site value.",
"default": "lax"
},
"expiration": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"description": "The session cookie expiration when remember me is not checked."
},
"inactivity": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"description": "The session inactivity timeout."
},
"remember_me": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"description": "The session cookie expiration when remember me is checked."
},
"secret": {
"type": "string",
"title": "Secret",
"description": "Secret used to encrypt the session data."
},
"cookies": {
"items": {
"$ref": "#/$defs/SessionCookie"
},
"type": "array",
"title": "Cookies",
"description": "List of cookie domain configurations."
},
"redis": {
"$ref": "#/$defs/SessionRedis",
"title": "Redis",
"description": "Redis Session Provider configuration."
},
"domain": {
"type": "string",
"title": "Domain",
"description": "Deprecated: Use the session cookies option with the same name instead.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "Session represents the configuration related to user sessions."
},
"SessionCookie": {
"properties": {
"name": {
"type": "string",
"description": "The session cookie name.",
"default": "authelia_session"
},
"same_site": {
"type": "string",
"enum": [
"lax",
"strict",
"none"
],
"description": "The session cookie same site value.",
"default": "lax"
},
"expiration": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"description": "The session cookie expiration when remember me is not checked."
},
"inactivity": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"description": "The session inactivity timeout."
},
"remember_me": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"description": "The session cookie expiration when remember me is checked."
},
"domain": {
"type": "string",
"format": "hostname",
"title": "Domain",
"description": "The domain for this session cookie configuration."
},
"authelia_url": {
"type": "string",
"format": "uri",
"title": "Authelia URL",
"description": "The Root Authelia URL to redirect users to for this session cookie configuration."
},
"default_redirection_url": {
"type": "string",
"format": "uri",
"title": "Default Redirection URL",
"description": "The default redirection URL for this session cookie configuration."
}
},
"additionalProperties": false,
"type": "object",
"description": "SessionCookie represents the configuration for a cookie domain."
},
"SessionRedis": {
"properties": {
"host": {
"type": "string",
"title": "Host",
"description": "The redis server host."
},
"port": {
"type": "integer",
"title": "Host",
"description": "The redis server port.",
"default": 6379
},
"timeout": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Timeout",
"description": "The Redis server connection timeout."
},
"max_retries": {
"type": "integer",
"title": "Maximum Retries",
"description": "The maximum number of retries on a failed command.",
"default": 3
},
"username": {
"type": "string",
"title": "Username",
"description": "The redis username."
},
"password": {
"type": "string",
"title": "Password",
"description": "The redis password."
},
"database_index": {
"type": "integer",
"title": "Database Index",
"description": "The redis database index.",
"default": 0
},
"maximum_active_connections": {
"type": "integer",
"title": "Maximum Active Connections",
"description": "The maximum connections that can be made to redis at one time.",
"default": 8
},
"minimum_idle_connections": {
"type": "integer",
"title": "Minimum Idle Connections",
"description": "The minimum idle connections that should be open to redis."
},
"tls": {
"$ref": "#/$defs/TLS"
},
"high_availability": {
"$ref": "#/$defs/SessionRedisHighAvailability"
}
},
"additionalProperties": false,
"type": "object",
"description": "SessionRedis represents the configuration related to redis session store."
},
"SessionRedisHighAvailability": {
"properties": {
"sentinel_name": {
"type": "string",
"title": "Sentinel Name",
"description": "The name of the sentinel instance."
},
"sentinel_username": {
"type": "string",
"title": "Sentinel Username",
"description": "The username for the sentinel instance."
},
"sentinel_password": {
"type": "string",
"title": "Sentinel Username",
"description": "The username for the sentinel instance."
},
"route_by_latency": {
"type": "boolean",
"title": "Route by Latency",
"description": "Uses the Route by Latency mode.",
"default": false
},
"route_randomly": {
"type": "boolean",
"title": "Route Randomly",
"description": "Uses the Route Randomly mode.",
"default": false
},
"nodes": {
"items": {
"$ref": "#/$defs/SessionRedisHighAvailabilityNode"
},
"type": "array",
"title": "Nodes",
"description": "The pre-populated list of nodes for the sentinel instance."
}
},
"additionalProperties": false,
"type": "object",
"description": "SessionRedisHighAvailability holds configuration variables for Redis Cluster/Sentinel."
},
"SessionRedisHighAvailabilityNode": {
"properties": {
"host": {
"type": "string",
"title": "Host",
"description": "The redis sentinel node host."
},
"port": {
"type": "integer",
"title": "Port",
"description": "The redis sentinel node port.",
"default": 26379
}
},
"additionalProperties": false,
"type": "object",
"description": "SessionRedisHighAvailabilityNode Represents a Node."
},
"Storage": {
"properties": {
"local": {
"$ref": "#/$defs/StorageLocal",
"title": "Local",
"description": "The Local SQLite3 Storage configuration settings."
},
"mysql": {
"$ref": "#/$defs/StorageMySQL",
"title": "MySQL",
"description": "The MySQL/MariaDB Storage configuration settings."
},
"postgres": {
"$ref": "#/$defs/StoragePostgreSQL",
"title": "PostgreSQL",
"description": "The PostgreSQL Storage configuration settings."
},
"encryption_key": {
"type": "string",
"title": "Encryption Key",
"description": "The Storage Encryption Key used to secure security sensitive values in the storage engine."
}
},
"additionalProperties": false,
"type": "object",
"description": "Storage represents the configuration of the storage backend."
},
"StorageLocal": {
"properties": {
"path": {
"type": "string",
"title": "Path",
"description": "The Path for the SQLite3 database file."
}
},
"additionalProperties": false,
"type": "object",
"description": "StorageLocal represents the configuration when using local storage."
},
"StorageMySQL": {
"properties": {
"address": {
"$ref": "#/$defs/AddressTCP",
"title": "Address",
"description": "The address of the database."
},
"database": {
"type": "string",
"title": "Database",
"description": "The database name to use upon a successful connection."
},
"username": {
"type": "string",
"title": "Username",
"description": "The username to use to authenticate."
},
"password": {
"type": "string",
"title": "Password",
"description": "The password to use to authenticate."
},
"timeout": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Timeout",
"description": "The timeout for the database connection."
},
"tls": {
"$ref": "#/$defs/TLS"
}
},
"additionalProperties": false,
"type": "object",
"description": "StorageMySQL represents the configuration of a MySQL database."
},
"StoragePostgreSQL": {
"properties": {
"address": {
"$ref": "#/$defs/AddressTCP",
"title": "Address",
"description": "The address of the database."
},
"database": {
"type": "string",
"title": "Database",
"description": "The database name to use upon a successful connection."
},
"username": {
"type": "string",
"title": "Username",
"description": "The username to use to authenticate."
},
"password": {
"type": "string",
"title": "Password",
"description": "The password to use to authenticate."
},
"timeout": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Timeout",
"description": "The timeout for the database connection."
},
"schema": {
"type": "string",
"title": "Schema",
"description": "The default schema name to use.",
"default": "public"
},
"tls": {
"$ref": "#/$defs/TLS"
},
"ssl": {
"$ref": "#/$defs/StoragePostgreSQLSSL",
"title": "SSL",
"description": "Deprecated: Use the TLS configuration instead.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "StoragePostgreSQL represents the configuration of a PostgreSQL database."
},
"StoragePostgreSQLSSL": {
"properties": {
"mode": {
"type": "string",
"enum": [
"disable",
"verify-ca",
"require",
"verify-full"
],
"title": "Mode",
"description": "The SSL mode to use, deprecated and replaced with the TLS options.",
"deprecated": true
},
"root_certificate": {
"type": "string",
"title": "Root Certificate",
"description": "Path to the Root Certificate to use, deprecated and replaced with the TLS options.",
"deprecated": true
},
"certificate": {
"type": "string",
"title": "Certificate",
"description": "Path to the Certificate to use, deprecated and replaced with the TLS options.",
"deprecated": true
},
"key": {
"type": "string",
"title": "Key",
"description": "Path to the Private Key to use, deprecated and replaced with the TLS options.",
"deprecated": true
}
},
"additionalProperties": false,
"type": "object",
"description": "StoragePostgreSQLSSL represents the SSL configuration of a PostgreSQL database."
},
"TLS": {
"properties": {
"minimum_version": {
"$ref": "#/$defs/TLSVersion",
"title": "Minimum Version",
"description": "The minimum TLS version accepted."
},
"maximum_version": {
"$ref": "#/$defs/TLSVersion",
"title": "Maximum Version",
"description": "The maximum TLS version accepted."
},
"skip_verify": {
"type": "boolean",
"title": "Skip Verify",
"description": "Disable all verification of the TLS properties.",
"default": false
},
"server_name": {
"type": "string",
"format": "hostname",
"title": "Server Name",
"description": "The expected server name to match the certificate against."
},
"private_key": {
"type": "string",
"pattern": "^-{5}BEGIN ((RSA|EC) )?PRIVATE KEY-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END ((RSA|EC) )?PRIVATE KEY-{5}\\n?$",
"title": "Private Key",
"description": "The private key."
},
"certificate_chain": {
"$ref": "#/$defs/X509CertificateChain",
"title": "Certificate Chain",
"description": "The certificate chain."
}
},
"additionalProperties": false,
"type": "object",
"description": "TLS is a representation of the TLS configuration."
},
"TLSVersion": {
"type": "string",
"enum": [
"TLS1.0",
"TLS1.1",
"TLS1.2",
"TLS1.3"
]
},
"TOTP": {
"properties": {
"disable": {
"type": "boolean",
"title": "Disable",
"description": "Disables the TOTP 2FA functionality.",
"default": false
},
"issuer": {
"type": "string",
"title": "Issuer",
"description": "The issuer value for generated TOTP keys.",
"default": "Authelia"
},
"algorithm": {
"type": "string",
"enum": [
"SHA1",
"SHA256",
"SHA512"
],
"title": "Algorithm",
"description": "The algorithm value for generated TOTP keys.",
"default": "SHA1"
},
"digits": {
"type": "integer",
"enum": [
6,
8
],
"title": "Digits",
"description": "The digits value for generated TOTP keys.",
"default": 6
},
"period": {
"type": "integer",
"title": "Period",
"description": "The period value for generated TOTP keys.",
"default": 30
},
"skew": {
"type": "integer",
"title": "Skew",
"description": "The permitted skew for generated TOTP keys.",
"default": 1
},
"secret_size": {
"type": "integer",
"minimum": 20,
"title": "Secret Size",
"description": "The secret size for generated TOTP keys.",
"default": 32
},
"allowed_algorithms": {
"items": {
"type": "string",
"enum": [
"SHA1",
"SHA256",
"SHA512"
]
},
"type": "array",
"title": "Allowed Algorithms",
"description": "List of algorithms the user is allowed to select in addition to the default.",
"default": [
"SHA1"
]
},
"allowed_digits": {
"items": {
"type": "integer",
"enum": [
6,
8
]
},
"type": "array",
"title": "Allowed Digits",
"description": "List of digits the user is allowed to select in addition to the default.",
"default": [
6
]
},
"allowed_periods": {
"items": {
"type": "integer"
},
"type": "array",
"title": "Allowed Periods",
"description": "List of periods the user is allowed to select in addition to the default.",
"default": [
30
]
},
"disable_reuse_security_policy": {
"type": "boolean",
"title": "Disable Reuse Security Policy",
"description": "Disables the security policy that prevents reuse of a TOTP code.",
"default": false
}
},
"additionalProperties": false,
"type": "object",
"description": "TOTP represents the configuration related to TOTP options."
},
"Telemetry": {
"properties": {
"metrics": {
"$ref": "#/$defs/TelemetryMetrics",
"title": "Metrics",
"description": "The telemetry metrics server configuration."
}
},
"additionalProperties": false,
"type": "object",
"description": "Telemetry represents the telemetry config."
},
"TelemetryMetrics": {
"properties": {
"enabled": {
"type": "boolean",
"title": "Enabled",
"description": "Enables the metrics server.",
"default": false
},
"address": {
"$ref": "#/$defs/AddressTCP",
"title": "Address",
"description": "The address for the metrics server to listen on."
},
"buffers": {
"$ref": "#/$defs/ServerBuffers",
"title": "Buffers",
"description": "The server buffers configuration for the metrics server."
},
"timeouts": {
"$ref": "#/$defs/ServerTimeouts",
"title": "Timeouts",
"description": "The server timeouts configuration for the metrics server."
}
},
"additionalProperties": false,
"type": "object",
"description": "TelemetryMetrics represents the telemetry metrics config."
},
"WebAuthn": {
"properties": {
"disable": {
"type": "boolean",
"title": "Disable",
"description": "Disables the WebAuthn 2FA functionality.",
"default": false
},
"display_name": {
"type": "string",
"title": "Display Name",
"description": "The display name attribute for the WebAuthn relying party.",
"default": "Authelia"
},
"attestation_conveyance_preference": {
"type": "string",
"enum": [
"none",
"indirect",
"direct"
],
"title": "Conveyance Preference",
"description": "The default conveyance preference for all WebAuthn credentials.",
"default": "indirect"
},
"user_verification": {
"type": "string",
"enum": [
"discouraged",
"preferred",
"required"
],
"title": "User Verification",
"description": "The default user verification preference for all WebAuthn credentials.",
"default": "preferred"
},
"timeout": {
"oneOf": [
{
"type": "string",
"pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
},
{
"type": "integer",
"description": "The duration in seconds"
}
],
"title": "Timeout",
"description": "The default timeout for all WebAuthn ceremonies."
}
},
"additionalProperties": false,
"type": "object",
"description": "WebAuthn represents the webauthn config."
},
"X509CertificateChain": {
"type": "string",
"pattern": "^(-{5}BEGIN CERTIFICATE-{5}\\n([a-zA-Z0-9\\/+]{1,64}\\n)+([a-zA-Z0-9\\/+]{1,64}[=]{0,2})\\n-{5}END CERTIFICATE-{5}\\n?)+$"
}
}
}
Reference in New Issue View Git Blame Copy Permalink