Skip to content

Latest commit

 

History

History
837 lines (830 loc) · 21.3 KB

Config.md

File metadata and controls

837 lines (830 loc) · 21.3 KB

Hanko backend config

The Hanko backend can be configured using a yaml configuration file or using environment variables. Environment variables have higher precedence than configuration via file (i.e. if provided, they overwrite the values given in the file - multivalued options, like arrays, are also not merged but overwritten entirely).

The schema for the configuration file is given below. To set equivalent environment variables, join keys by _ (underscore) and uppercase the keys, i.e. for server.webauthn.relying_party.origins use:

export SERVER_WEBAUTHN_RELYING_PARTY_ORIGINS="https://hanko.io,android:apk-key-hash:nLSu7w..."

All available config options

## Hanko Service configuration ##
#

server:
  ## public ##
  #
  # Configuration for the public API.
  #
  public:
    ## address ##
    #
    # The address the public API will listen and handle requests on.
    #
    address: ":8000"
    ## cors ##
    #
    # Cross Origin Resource Sharing for public endpoints.
    #
    cors:
      ## allow_origins ##
      #
      # A list of allowed origins that may access the public endpoints.
      #
      allow_origins:
        - "https://hanko.io"
        - "https://example.com"
      ## unsafe_wildcard_origin_allowed ##
      #
      # If allow_origins contains a wildcard '*' origin, this flag must explicitly be set to 'true'.
      # Using wildcard '*' origins is insecure and potentially leads to cross-origin attacks.
      #
      unsafe_wildcard_origin_allowed: false
  ## admin ##
  #
  # Configuration for the admin API.
  #
  admin:
    ## address ##
    #
    # The address the admin API will listen and handle requests on.
    #
    address: ":8001"
## database ##
#
# Configures the backend where to persist data.
#
database:
  host: "localhost"
  ## port ##
  #
  # Default value: 5432
  #
  port: "5432"
  ## dialect ##
  #
  # Which database will be used.
  #
  # One of:
  # - cockroach
  # - mariadb
  # - mysql
  # - postgres
  #
  dialect: "postgres"
  user: "CHANGE-ME"
  password: "CHANGE-ME"
  database: "CHANGE-ME"
  ## url ##
  #
  # Instead of using the individual fields above this field can be used.
  # When this field is set, it will be used and the fields above have no effect.
  #
  # Url schema: `dialect://username:password@host:port/database`
  #
  # Examples:
  # - postgres://hanko:hanko@localhost:5432/hanko
  #
  url: "CHANGE-ME"
service:
  ## name ##
  #
  # The name of the service. This value will be used in the subject header of emails.
  #
  name: "Example Project"
## secrets ##
#
# Configures secrets used for en-/decrypting JWKs.
#
secrets:
  ## keys ##
  #
  # Keys secrets are used to en- and decrypt the JWKs which get used to sign the JWTs.
  # For every key a JWK is generated, encrypted with the key and persisted in the database.
  #
  # You can use this list for key rotation: add a new key to the beginning of the list and the corresponding
  # JWK will then be used for signing JWTs. All tokens signed with the previous JWK(s) will still
  # be valid until they expire. Removing a key from the list does not remove the corresponding
  # database record. If you remove a key, you also have to remove the database record, otherwise
  # application startup will fail.
  #
  # Each key must be at least 16 characters long.
  #
  keys:
    - "CHANGE-ME"
session:
  ## lifespan ##
  #
  # How long a session JWT is valid.
  #
  # Default value: 1h
  #
  # Examples:
  # - 1h
  # - 10m
  # - 720h
  # - 15h115m
  #
  lifespan: "1h"
  cookie:
    ## domain ##
    #
    # The domain the cookie will be bound to. Works for subdomains, but not cross-domain.
    #
    domain: "CHANGE-ME"
    ## http_only ##
    #
    # HTTP-only cookies or accessible by javascript.
    #
    # Default value: true
    #
    http_only: true
    ## same_site ##
    #
    # Same-site attribute of the session cookie.
    #
    # Default value: strict
    #
    # One of:
    # - strict
    # - lax
    # - none
    #
    same_site: "strict"
    ## secure ##
    #
    # Sets whether the cookie can only be read on secure sites.
    #
    # Default value: true
    #
    secure: true
    ## name ##
    #
    # Sets the name of the cookie.
    #
    # Default value: hanko
    #
    name: true
  ## enable_auth_token_header ##
  #
  # The JWT will be transmitted via the X-Auth-Token header. Enable during cross-domain operations.
  #
  enable_auth_token_header: false
  ## audience ##
  #
  # Audience optional []string containing strings which get put into the aud claim. If not set default to Webauthn.RelyingParty.Id config parameter.
  #
  audience:
  ## issuer ##
  #
  #  optional string to be used in the jwt iss claim.
  #
  issuer:
password:
  ## enabled ##
  #
  # Enables or disables passwords for all users.
  #
  # Default value: false
  #
  enabled: false
  ## min_password_length ##
  #
  # Sets the minimum password length.
  #
  # Default value: 8
  #
  min_password_length: 8
passcode:
  ## ttl ##
  #
  # How long a passcode is valid. Value is in seconds.
  #
  # Default value: 300
  #
  ttl: 300
  email:
    ## from_address ##
    #
    # The sender of emails sent to users.
    #
    # Default value: [email protected]
    #
    from_address: [email protected]"
    ## from_name ##
    #
    # The sender name of emails sent to users.
    #
    # Default value: Hanko
    #
    from_name: "Hanko"
  ## smtp ##
  #
  # SMTP server config to send emails.
  #
  smtp:
    host: "CHANGE-ME"
    ## port ##
    #
    # Default: 465
    #
    port: ""
    user: "CHANGE-ME"
    password: "CHANGE-ME"
## webauthn ##
#
# Configures Web Authentication (WebAuthn).
#
webauthn:
  ## timeout ##
  #
  # How long a WebAuthn request is valid and the user can confirm it. Value is in milliseconds.
  #
  # Default: 60000
  #
  timeout: 60000
  ## user_verification ##
  #
  # Describes your requirements regarding local authorization with an authenticator through
  # various authorization gesture modalities; for example, through a touch plus pin code,
  # password entry, or biometric recognition.
  #
  # Must be one of "required", "preferred" or "discouraged".
  #
  # The setting applies to both WebAuthn registration and authentication ceremonies.
  #
  # Default: preferred
  #
  user_verification: preferred
  relying_party:
    ## id ##
    #
    # The effective domain the WebAuthn credentials will be bound to.
    #
    # Examples:
    # - localhost
    # - example.com
    # - subdomain.example.com
    #
    id: "localhost"
    ## display_name ##
    #
    # The service's name that some WebAuthn Authenticators will display to the user during registration and authentication ceremonies.
    #
    # Examples:
    # - Example Project
    # - Hanko GmbH
    # - Acme, Inc.
    #
    display_name: ""
    ## origins ##
    #
    # A list of origins for which WebAuthn credentials will be accepted by the server. Must include the protocol and can only be the effective domain,
    # or a registrable domain suffix of the effective domain, as specified in the id. Except for localhost, the protocol must always be https for WebAuthn to work.
    # Ip Addresses will not work.
    #
    # For an Android app the origin must be the base64 url encoded SHA256 fingerprint of the signing certificate.
    #
    # Example:
    # - android:apk-key-hash:nLSu7wVTbnMOxLgC52f2faTnvCbXQrUn_wF9aCrr-l0
    # - https://login.example.com
    #
    origins:
      - "android:apk-key-hash:nLSu7wVTbnMOxLgC52f2faTnv..."
      - "https://login.example.com"
## audit_log ##
#
# Configures audit logging
#
audit_log:
  console_output:
    ## enabled ##
    #
    # Sets whether the output to console is enabled or disabled.
    #
    # Default: true
    #
    enabled: true
    ## output ##
    #
    # The output stream which audit logs are sent to.
    #
    # Possible values:
    # - stdout
    # - stderr
    #
    # Default: stdout
    #
    output: "stdout"
  storage:
    ## enabled ##
    #
    # Sets whether the audit logs are persisted in the database or not.
    #
    # Default: false
    #
    enabled: false
rate_limiter:
  ## enabled ##
  #
  # Sets whether the rate limiting is enabled or disabled
  #
  # Default: true
  #
  enabled: true
  ## store ##
  #
  # Sets the store for the rate limiter. When you have multiple instances of Hanko running, it is recommended to use
  # the "redis" store else your instances have their own states.
  #
  # One of:
  # - in_memory
  # - redis
  #
  # Default: in_memory
  #
  store: "in_memory"
  ## password_limits
  #
  # rate limits specific to the password/login endpoint
  #
  password_limits:
    ## tokens
    #
    # How many operations can occur in the given interval
    #
    # Default: 5
    tokens: 5
    ## interval
    #
    # When to reset the token interval
    #
    # Default: 1m
    #
    interval: 1m
  ## password_limits
  #
  # rate limits specific to the passcode/init endpoint
  #
  passcode_limits:
    ## tokens
    #
    # How many operations can occur in the given interval
    #
    # Default: 3
    tokens: 3
    ## interval
    #
    # When to reset the token interval
    #
    # Default: 1m
    #
    interval: 1m
  ## redis_config
  #
  # If you specify redis as backend you have to specify these values
  #
  redis_config:
    ## address
    #
    # Address of your redis instance in the form of host[:port][/database]
    #
    address: "CHANGE-ME"
    ## password
    #
    # The password of the redis instance
    #
    password: "CHANGE_ME"
emails:
  ## require_verification
  #
  # If turned on (true), email addresses must be verified to be assigned to a user. During account creation the user has
  # to verify the email address before a JWT can be issued and further email addresses can only be added after they have
  # been verified. If require_verification is turned off, the mentioned verification steps aren't necessary (and will be
  # skipped by hanko-elements), so the user can create an account without email verification and further email addresses
  # can be added directly.
  #
  # Default: true
  #
  require_verification: true
  ## max_num_of_addresses
  #
  # How many email addresses can be added to a user account
  #
  # Default: 5
  #
  max_num_of_addresses: 5
## third_party ##
#
# Configures third party providers
#
third_party:
  ## redirect_url
  #
  # Required if any providers are enabled.
  # The URL the third party provider redirects to with an authorization code. Must consist of the base URL of
  # your running hanko backend instance and the callback endpoint, i.e. <YOUR_BACKEND_INSTANCE>/thirdparty/callback.
  #
  redirect_url: "CHANGE_ME"
  ## allowed_redirect_urls
  #
  # Required if any providers are enabled.
  # List of URLS the backend is allowed to redirect to after third party sign-in was successful.
  # (see also the 'redirect_to' parameter for the third party auth initialization endpoint
  # - https://docs.hanko.io/api/public#tag/Third-Party/operation/thirdPartyAuth)
  #
  # Supports wildcard matching through globbing. e.g. https://*.example.com will allow https://foo.example.com and https://bar.example.com to be accepted.
  # Globbing is also supported for paths, e.g. https://foo.example.com/* will match https://foo.example.com/page1 and https://foo.example.com/page2.
  # A double asterisk (`**`) acts as a "super"-wildcard/match-all.
  #
  # More on globbing: https://pkg.go.dev/github.com/gobwas/glob#Compile
  #
  # NOTE: URLs in the list MUST NOT have trailing slash
  #
  # Examples:
  # - http://localhost:8888
  #
  allowed_redirect_urls:
    - "CHANGE_ME"
  ##
  #
  # Required if any providers are enabled. URL the backend redirects to if an error occurs during third party sign-in. Errors are provided
  # as 'error' and 'error_description' query params in the redirect location URL.
  #
  # When using the Hanko web components it should be the URL of the page that embeds the web component such that
  # errors can be processed properly by the web component.
  #
  # You do not have to add this URL to the 'allowed_redirect_urls', it is automatically included when validating
  # redirect URLs.
  #
  # NOTE: MUST NOT have trailing slash
  #
  # Example:
  # - http://localhost:8888/error
  #
  error_redirect_url: "CHANGE_ME"
  ##
  #
  # The third party provider configurations. Unknown providers will be ignored.
  #
  providers:
    ##
    #
    # The Apple provider configuration
    #
    apple:
      ##
      #
      # Enable or disable the Google provider.
      #
      # Default: false
      #
      enabled: false
      ##
      #
      # The client ID (Services ID) of your Apple credentials.
      # See: https://docs.hanko.io/guides/authentication-methods/oauth/apple
      #
      # Required if provider is enabled.
      #
      #
      client_id: "CHANGE_ME"
      ##
      #
      # The generated secret of your Apple credentials.
      # Valid for max. 6 months. Must be regenerated before expiration.
      #  https://docs.hanko.io/guides/authentication-methods/oauth/apple
      #
      # Required if provider is enabled.
      #
      secret: "CHANGE_ME"
    ##
    #
    # The Google provider configuration
    #
    google:
      ##
      #
      # Enable or disable the Google provider.
      #
      # Default: false
      #
      enabled: false
      ##
      #
      # The client ID of your Google OAuth credentials.
      # See: https://docs.hanko.io/guides/authentication-methods/oauth/google
      #
      # Required if provider is enabled.
      #
      client_id: "CHANGE_ME"
      ##
      #
      # The secret of your Google OAuth credentials
      # See: https://docs.hanko.io/guides/authentication-methods/oauth/google
      #
      # Required if provider is enabled.
      #
      secret: "CHANGE_ME"
    ##
    #
    # The GitHub provider configuration
    #
    github:
      ##
      #
      # Enable or disable the GitHub provider.
      #
      # Default: false
      #
      enabled: false
      ##
      #
      # The client ID of your GitHub OAuth credentials.
      # See: https://docs.hanko.io/guides/authentication-methods/oauth/github
      #
      # Required if provider is enabled.
      #
      client_id: "CHANGE_ME"
      ##
      #
      # The secret of your GitHub OAuth credentials.
      # See: https://docs.hanko.io/guides/authentication-methods/oauth/github
      #
      # Required if provider is enabled.
      #
      secret: "CHANGE_ME"
log:
  ## log_health_and_metrics
  #
  # If turned on (true) also logs invocations of the /health and /metrics endpoints
  #
  # Default: false
  #
  log_health_and_metrics: false
account:
  ## allow_deletion
  #
  # The user account can be deleted by the current user when turned on, otherwise the corresponding API route will not
  # be available.
  #
  # Default: false
  #
  allow_deletion: false
  ## allow_signup
  #
  # Users are able to sign up new accounts.
  #
  # Default: true
  #
  allow_signup: true
##
#
# SAML Feature (Enterprise Edition)
#
saml:
  ##
  #
  # Allow usage of SAML SSO
  #
  # Default: false
  enabled: false
  ##
  #
  # API Endpoint-URL for all saml features
  # Required if saml is enabled
  #
  # NOTE: MUST NOT have trailing slash
  #
  # Example: http://localhost:8000
  #
  endpoint_url: "<ENDPOINT_URL>"
  ##
  #
  # uri needed to identify audience for IDP
  # Required if saml is enabled
  #
  audience_uri: "urn:hanko:application"
  ##
  #
  # Required if any providers are enabled. URL the backend redirects to if an error occurs during SAML sign-in. Errors are provided
  # as 'error' and 'error_description' query params in the redirect location URL.
  #
  # When using the Hanko web components it should be the URL of the page that embeds the web component such that
  # errors can be processed properly by the web component.
  #
  # You do not have to add this URL to the 'allowed_redirect_urls', it is automatically included when validating
  # redirect URLs.
  #
  # NOTE: MUST NOT have trailing slash
  #
  # Example:
  # - http://localhost:8888/error
  #
  default_redirect_url: <YOUR_APPLICATION_DEFAULT_URL>
  ##
  #
  # Required if any providers are enabled.
  # List of URLS the backend is allowed to redirect to after SAML sign-in was successful.
  # (see also the 'redirect_to' parameter for the saml initialization endpoint
  # - https://docs.hanko.io/api/public#tag/SAML/operation/get-saml-auth)
  #
  # Supports wildcard matching through globbing. e.g. https://*.example.com will allow https://foo.example.com and https://bar.example.com to be accepted.
  # Globbing is also supported for paths, e.g. https://foo.example.com/* will match https://foo.example.com/page1 and https://foo.example.com/page2.
  # A double asterisk (`**`) acts as a "super"-wildcard/match-all.
  #
  # More on globbing: https://pkg.go.dev/github.com/gobwas/glob#Compile
  #
  # NOTE: URLs in the list MUST NOT have trailing slash
  #
  # Examples:
  # - http://localhost:8888
  #
  allowed_redirect_urls:
    - "<A_REDIRECT_URL>"
  ##
  #
  # Optional feature toggles for Service Provider - Identity Provider Communication
  #
  options:
    ##
    # toggle for signing authn-requests which are used to start the auth flow
    #
    # Default: true
    #
    sign_authn_requests: true
    ##
    #
    # Enforces the IDP to show a login window to the user
    #
    # Default: false
    #
    force_login: false
    ##
    #
    # Also validates the encryption certificate of the IDP
    #
    # Default: true
    #
    validate_encryption_cert: true
    ##
    #
    # Disables the validation of signature of the IDP Response
    #
    # Default: false
    #
    skip_signature_validation: false
    ##
    #
    # Allows the processing of SAMLResponses with less attributes than stated in the IDP metadata file
    #
    # Default: true
    #
    allow_missing_attributes: true
  ##
  #
  # List of available identity providers (Identity Provider = IDP)
  #
  identity_providers:
    ##
    #
    # Allows using this identity provider
    #
    # Default: false
    #
    - enabled: true
      ##
      #
      # Human-readable name of the identity provider
      #
      name: "<CHOOSE_A_NAME>"
      ##
      #
      # Domain for which this IDP is used
      # Required when IDP is enabled
      #
      # Example: test.example
      #
      domain: "<YOUR_EMAIL_DOMAIN>"
      ##
      #
      # URL where the Service Provider can fetch metadata of the IDP
      # Required when IDP is enabled
      #
      metadata_url: "<URL_TO_THE_METADATA_OF_YOUR_IDP>"
      ##
      #
      # Skips checking the email_verified attribute of the IDP
      #
      # Default: false
      #
      skip_email_verification: false
      ##
      #
      # Mapping of IDP-Attributes to Hanko specific fields
      #
      attribute_map:
        ##
        #
        # username-attribute of the user
        #
        # Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        #
        name: "<NAME_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # family name - attribute of the user
        #
        # Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
        #
        family_name: "<FAMILY_NAME_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # given name - attribute of the user
        #
        # Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
        #
        given_name: "<GIVEN_NAME_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # middle name - attribute of the user
        #
        middle_name: "<MIDDLE_NAME_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # nickname - attribute of the user
        #
        nickname: "<NICKNAME_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # preferred username - attribute of the user
        #
        preferred_username: "<PREFERRED_USERNAME_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # profile - attribute of the user
        #
        profile: "<PROFILE_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # picture - attribute of the user
        #
        picture: "<PICTURE_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # website - attribute of the user
        #
        website: "<WEBSITE_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # gender - attribute of the user
        #
        gender: "<GENDER_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # birthdate - attribute of the user
        #
        birthdate: "<BIRTHDAY_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # zone info - attribute of the user
        #
        zone_info: "<ZONE_INFO_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # locale - attribute of the user
        #
        locale: "<LOCALE_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # Last Update - attribute of the user
        #
        update_at: "<UPDATED_AT_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # E-Mail - attribute of the user
        #
        # Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        #
        email: "<EMAIL_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # E-Mail Verified - attribute of the user
        #
        # NOTE: Will be checked if skip_email_verification is set to false
        #
        # Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        #
        email_verified: "<EMAIL_VERIFIED_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # Phone - attribute of the user
        #
        phone: "<PHONE_ATTRIBUTE_IN_IDP_ASSERTION>"
        ##
        #
        # E-Phone Verified - attribute of the user
        #
        phone_verified: "<PHONE_VERIFIED_ATTRIBUTE_IN_IDP_ASSERTION>"