Skip to content

Latest commit

 

History

History
105 lines (72 loc) · 6.01 KB

configuration.md

File metadata and controls

105 lines (72 loc) · 6.01 KB

Configuration Properties

Items marked with (*) are required.
Items marked with (#) are likely relevant.

  • (*)api_url: URL of Perun RPC, e.g. https://perun-dev.cesnet.cz/oauth/rpc

  • oidc_client: Necessary information needed for oidc_client

    • (*)oauth_authority:

      • Entity that issues a set of Claims
      • Case-sensitive URL using the HTTPS scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components
      • e.g. https://login.cesnet.cz/oidc/

    • (*)oauth_callback: URL of the app, has to end with /api-callback

    • (*)oauth_client_id: Get this by registering the app to SP

    • (*)oauth_post_logout_redirect_uri: URL where the user is redirected after log out, by default this is empty

    • (*)oauth_redirect_uri:

      • Redirection URI to which the response will be sent after the user signs in
      • Usually same as oauth_callback
      • Has to end with /api-callback

    • oauth_scopes:

      • Defines scopes of the app as defined in spec
        • openid: Includes the identifier of the user (required for RPC and GUI)
        • profile: Includes other information about the user, e.g. name (required just for GUI)
        • perun_api: For accessing Perun API
        • perun_admin: Allows full access when the user is a Perun admin
        • offline_access: Allows usage of refresh tokens (required just for GUI which should use refresh tokens)
      • Default: openid profile perun_api perun_admin

    • oauth_response_type:

      • id_token token for implicit flow (now deprecated); RFC 6749
      • code for code flow with PKCE; RFC 6819
      • Depends on proxy
      • Default: code

    • (#)filters: Shortcuts for values that are added to acr_values during authentication

      • default: Default value, which is added unless the query parameter idpFilter is set
      • When idpFilter is set, the long value corresponding to the short value sent in idpFilter is added to acr_values
      • This can be used, for example, with the CESNET proxy to send IdP filters. See Podpora autentizačního filtru v novém GUI (restricted)

    • oauth_offline_access_consent_prompt:

      • If offline_access is contained in authorization scopes and this property is set to true, prompt=consent query parameter is added in client configuration

    • (*)oauth_acr_value:

      • Default acr_value
      • Default value (urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport https://refeds.org/profile/sfa https://refeds.org/profile/mfa) of this property enables correctly handling information about already performed MFA. If the IdP requires MFA by itself, Perun applications should skip its own MFA logic because the user already has a valid MFA session on the proxy.

  • (*)proxy_logout: Boolean, if the logout process (including post-logout redirect) is handled by proxy or just locally, default: true

  • (*)mfa: An object containing information needed for MFA

    • url_<language_shortcut>: URL for PrivacyIDEA
    • step_up_available: Boolean, whether the frontend will initiate step-up when the backend requires MFA
    • Default: true

  • (#)auto_auth_redirect: boolean, whether the user will be automatically redirected to proxy for authentication after entering the GUI, if set to false, the user will be redirected to the login screen, default: true

  • document_title: An object containing Html Document Title (what will be shown on the tab of the browser e.g.: Perun Web Gui) for all supported languages, e.g. document_title: { "en": "Example title" }

  • (#)other_apps: on a first level maps a language (en, cs, …) to another property. This property defines the labels that are shown in the "more applications" header menu as map other_app: label, where other_app is one of admin, profile, pwdReset, consolidator, linker (as defined in AppType) and the label is the label to be displayed in the menu

  • other_apps_custom: the structure is the same as other_apps, however the other_app keys are replaced with urls, allowing to link to external applications.

    • E.g.: 
      "en": {
      "https://www.google.com": "Google"
    }

  • (#)footer: an object containing all the columns and copyright, if not filled default configuration is used

    • columns: array of objects representing each column in the footer

      • title_<language_shortcut>: title of the column in specified language

      • logos: boolean, flag whether the column contains logos

      • elements: array of links in this column

        • logo: string, name of the file or path to the file with logo, when using just name, the path to the directory is /assets/config/

        • icon: (optional) material icon displayed next to the label

        • dialog: (optional) short name of dialog that will be opened after clicking on the label (currently supported just value reportIssue)

        • link_<language_shortcut>: URL

        • label_<language_shortcut>: label of the link in a specific language, irrelevant when logos is set to true

    • copyright_items: array of objects for each party

      • name: string, name of a party

      • url: string, can be empty, URL to the website of a party

    • gitlab_releases: URL to the GitLab Releases page of the GUI

    • gitlab_backend_releases: URL to the GitLab Releases page of the backend

  • display_warning: boolean, if there should be some sort of warning text that's always present on top of the GUI

    • If display_warning is set to true:
      • warning_message: type: string, text that will be shown on top of the GUI

  • instance_favicon: if set to true, uses instanceFavicon.ico located in the directory of the configuration file (/assets/config/instanceFavicon.ico), the default option is false