diff --git a/cli.go b/cli.go
index ad93475e8d9fc59a92245c6377c0042a42fcf58b..2e86318ad9ba73cf776f2e1f37febbf965f92dec 100644
--- a/cli.go
+++ b/cli.go
@@ -21,17 +21,14 @@ import (
 "os/signal"
 "reflect"
 "syscall"
+ "time"
 "github.com/urfave/cli"
 )
-//
 // newOauthProxyApp creates a new cli application and runs it
-//
 func newOauthProxyApp() *cli.App {
 config := newDefaultConfig()
-
- // step: create the cli application
 app := cli.NewApp()
 app.Name = prog
 app.Usage = description
@@ -50,7 +47,6 @@ func newOauthProxyApp() *cli.App {
 // step: set the default action
 app.Action = func(cx *cli.Context) error {
 configFile := cx.String("config")
- // step: do we have a configuration file?
 if configFile != "" {
 if err := readConfigFile(configFile, config); err != nil {
@@ -93,278 +89,67 @@ func newOauthProxyApp() *cli.App { // getCLIOptions returns the command line options func getCLIOptions() []cli.Flag { defaults := newDefaultConfig() - return []cli.Flag{ - cli.StringFlag{ - Name: "config", - Usage: "the path to the configuration file for the keycloak proxy", - EnvVar: "PROXY_CONFIG_FILE", - }, - cli.StringFlag{ - Name: "listen", - Usage: "the interface the service should be listening on", - Value: defaults.Listen, - EnvVar: "PROXY_LISTEN", - }, - cli.StringFlag{ - Name: "listen-http", - Usage: "the interface you want the http-only service to use on", - EnvVar: "PROXY_HTTP_LISTEN", - }, - cli.StringFlag{ - Name: "discovery-url", - Usage: "the discovery url to retrieve the openid configuration", - EnvVar: "PROXY_DISCOVERY_URL", - }, - cli.StringFlag{ - Name: "client-secret", - Usage: "the client secret used to authenticate to the oauth server (access_type: confidential)", - EnvVar: "PROXY_CLIENT_SECRET", - }, - cli.StringFlag{ - Name: "client-id", - Usage: "the client id used to authenticate to the oauth service", - EnvVar: "PROXY_CLIENT_ID", - }, - cli.StringSliceFlag{ - Name: "scopes", - Usage: "a variable list of scopes requested when authenticating the user", - }, - cli.BoolFlag{ - Name: "token-validate-only", - Usage: "validate the token and roles only, no required implement oauth", - }, - cli.StringFlag{ - Name: "redirection-url", - Usage: fmt.Sprintf("redirection url for the oauth callback url (%s is added)", oauthURL), - EnvVar: "PROXY_REDIRECTION_URL", - }, - cli.StringFlag{ - Name: "revocation-url", - Usage: "the url for the revocation endpoint to revoke refresh token", - EnvVar: "PROXY_REVOCATION_URL", - }, - cli.StringFlag{ - Name: "store-url", - Usage: "url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file", - EnvVar: "PROXY_STORE_URL", - }, - cli.StringFlag{ - Name: "upstream-url", - Usage: "the url for the upstream endpoint you wish to proxy to", - Value: defaults.Upstream, - EnvVar: 
"PROXY_UPSTREAM_URL", - }, - cli.BoolTFlag{ - Name: "upstream-keepalives", - Usage: "enables or disables the keepalive connections for upstream endpoint", - }, - cli.DurationFlag{ - Name: "upstream-timeout", - Usage: "is the maximum amount of time a dial will wait for a connect to complete", - Value: defaults.UpstreamTimeout, - }, - cli.DurationFlag{ - Name: "upstream-keepalive-timeout", - Usage: "specifies the keep-alive period for an active network connection", - Value: defaults.UpstreamKeepaliveTimeout, - }, - cli.BoolTFlag{ - Name: "secure-cookie", - Usage: "enforces the cookie to be secure, default to true", - }, - cli.BoolFlag{ - Name: "http-only-cookie", - Usage: "enforces the cookie is in http only mode, default to false", - }, - cli.StringFlag{ - Name: "cookie-domain", - Usage: "a domain the access cookie is available to, defaults host header", - }, - cli.StringFlag{ - Name: "cookie-access-name", - Usage: "the name of the cookie use to hold the access token", - Value: defaults.CookieAccessName, - }, - cli.StringFlag{ - Name: "cookie-refresh-name", - Usage: "the name of the cookie used to hold the encrypted refresh token", - Value: defaults.CookieRefreshName, - }, - cli.StringFlag{ - Name: "encryption-key", - Usage: "the encryption key used to encrpytion the session state", - }, - cli.BoolFlag{ - Name: "no-redirects", - Usage: "do not have back redirects when no authentication is present, 401 them", - }, - cli.StringSliceFlag{ - Name: "hostname", - Usage: "a list of hostnames the service will respond to, defaults to all", - }, - cli.BoolTFlag{ - Name: "enable-https-redirection", - Usage: "enable the http to https redirection on the http service", - }, - cli.BoolTFlag{ - Name: "enable-login-handler", - Usage: "this enables the login hanlder /oauth/login, by default this is disabled", - }, - cli.BoolTFlag{ - Name: "enable-authorization-header", - Usage: "adds the authorization header to the proxy request", - }, - cli.BoolTFlag{ - Name: 
"enable-refresh-tokens", - Usage: "enables the handling of the refresh tokens", - }, - cli.BoolTFlag{ - Name: "enable-metrics", - Usage: "enable the prometheus metrics collector on /oauth/metrics", - }, - cli.BoolFlag{ - Name: "enable-proxy-protocol", - Usage: "whether to enable proxy protocol", - }, - cli.BoolFlag{ - Name: "enable-forwarding", - Usage: "enables the forwarding proxy mode, signing outbound request", - }, - cli.BoolTFlag{ - Name: "enable-profiling", - Usage: "switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc", - }, - cli.BoolTFlag{ - Name: "enable-security-filter", - Usage: "enables the security filter handler", - }, - cli.BoolTFlag{ - Name: "localhost-only-metrics", - Usage: "enforces the metrics page can only been requested from 127.0.0.1", - }, - cli.StringFlag{ - Name: "forwarding-username", - Usage: "the username to use when logging into the openid provider", - }, - cli.StringFlag{ - Name: "forwarding-password", - Usage: "the password to use when logging into the openid provider", - }, - cli.StringSliceFlag{ - Name: "forwarding-domains", - Usage: "a list of domains which should be signed; everything else is relayed unsigned", - }, - cli.StringFlag{ - Name: "tls-cert", - Usage: "the path to a certificate file used for TLS", - }, - cli.StringFlag{ - Name: "tls-private-key", - Usage: "the path to the private key for TLS support", - }, - cli.StringFlag{ - Name: "tls-ca-certificate", - Usage: "the path to the ca certificate used for mutual TLS", - }, - cli.StringFlag{ - Name: "tls-ca-key", - Usage: "the path the ca private key, used by the forward signing proxy", - }, - cli.StringFlag{ - Name: "tls-client-certificate", - Usage: "the path to the client certificate, used to outbound connections in reverse and forwarding proxy modes", - }, - cli.BoolTFlag{ - Name: "skip-upstream-tls-verify", - Usage: "whether to skip the verification of any upstream TLS (defaults to true)", - }, - cli.BoolTFlag{ - Name: 
"skip-openid-provider-tls-verify", - Usage: "whether to skip the verification of any TLS communication with the openid provider (defaults to false)", - }, - cli.StringSliceFlag{ - Name: "match-claims", - Usage: "keypair values for matching access token claims e.g. aud=myapp, iss=http://example.*", - }, - cli.StringSliceFlag{ - Name: "add-claims", - Usage: "retrieve extra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name", - }, - cli.StringSliceFlag{ - Name: "resource", - Usage: "a list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'", - }, - cli.StringSliceFlag{ - Name: "headers", - Usage: "Add custom headers to the upstream request, key=value", - }, - cli.StringFlag{ - Name: "sign-in-page", - Usage: "a custom template displayed for signin", - }, - cli.StringFlag{ - Name: "forbidden-page", - Usage: "a custom template used for access forbidden", - }, - cli.StringSliceFlag{ - Name: "tag", - Usage: "keypair's passed to the templates at render,e.g title='My Page'", - }, - cli.StringSliceFlag{ - Name: "cors-origins", - Usage: "list of origins to add to the CORE origins control (Access-Control-Allow-Origin)", - }, - cli.StringSliceFlag{ - Name: "cors-methods", - Usage: "the method permitted in the access control (Access-Control-Allow-Methods)", - }, - cli.StringSliceFlag{ - Name: "cors-headers", - Usage: "a set of headers to add to the CORS access control (Access-Control-Allow-Headers)", - }, - cli.StringSliceFlag{ - Name: "cors-exposes-headers", - Usage: "set the expose cors headers access control (Access-Control-Expose-Headers)", - }, - cli.DurationFlag{ - Name: "cors-max-age", - Usage: "the max age applied to cors headers (Access-Control-Max-Age)", - }, - cli.BoolTFlag{ - Name: "cors-credentials", - Usage: "the credentials access control header (Access-Control-Allow-Credentials)", - }, - cli.BoolTFlag{ - Name: "filter-browser-xss", - Usage: "enable the adds the X-XSS-Protection header with mode=block", - }, - cli.BoolTFlag{ 
- Name: "filter-content-nosniff", - Usage: "adds the X-Content-Type-Options header with the value nosniff", - }, - cli.BoolFlag{ - Name: "skip-token-verification", - Usage: "TESTING ONLY; bypass token verification, only expiration and roles enforced", - }, - cli.BoolTFlag{ - Name: "json-logging", - Usage: "switch on json logging rather than text (defaults true)", - }, - cli.BoolTFlag{ - Name: "log-requests", - Usage: "switch on logging of all incoming requests (defaults true)", - }, - cli.BoolTFlag{ - Name: "verbose", - Usage: "switch on debug / verbose logging", - }, + var flags []cli.Flag + count := reflect.TypeOf(Config{}).NumField() + for i := 0; i < count; i++ { + field := reflect.TypeOf(Config{}).Field(i) + usage, found := field.Tag.Lookup("usage") + if !found { + continue + } + envName := field.Tag.Get("env") + if envName != "" { + envName = envPrefix + envName + } + optName := field.Tag.Get("yaml") + + switch t := field.Type; t.Kind() { + case reflect.Bool: + dv := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).Bool() + msg := fmt.Sprintf("%s (default: %t)", usage, dv) + flags = append(flags, cli.BoolTFlag{ + Name: optName, + Usage: msg, + EnvVar: envName, + }) + case reflect.String: + defaultValue := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).String() + flags = append(flags, cli.StringFlag{ + Name: optName, + Usage: usage, + EnvVar: envName, + Value: defaultValue, + }) + case reflect.Slice: + fallthrough + case reflect.Map: + flags = append(flags, cli.StringSliceFlag{ + Name: optName, + Usage: usage, + }) + case reflect.Int64: + switch t.String() { + case "time.Duration": + dv := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).Int() + flags = append(flags, cli.DurationFlag{ + Name: optName, + Usage: usage, + Value: time.Duration(dv), + }) + default: + panic("unknown uint64 type in the Config struct") + } + default: + errMsg := fmt.Sprintf("field: %s, type: %s, kind: %s is not being handled", field.Name, t.String(), 
t.Kind()) + panic(errMsg) + } } + + return flags } -// // parseCLIOptions parses the command line options and constructs a config object // @TODO look for a shorter way of doing this, we're maintaining the same options in multiple places, it's tedious! -// func parseCLIOptions(cx *cli.Context, config *Config) (err error) { // step: we can ignore these options in the Config struct ignoredOptions := []string{"tag-data", "match-claims", "resources", "headers"} diff --git a/doc.go b/doc.go index 783026213a0f6ddce938e32b98353a57f3e5e3cb..4b83a47f7719591ce1d35da480ffc4b5804ab746 100644 --- a/doc.go +++ b/doc.go @@ -40,6 +40,7 @@ const ( userContextName = "identity" authorizationHeader = "Authorization" versionHeader = "X-Auth-Proxy-Version" + envPrefix = "PROXY_" oauthURL = "/oauth" authorizationURL = "/authorize" 
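Review bot: In the `case reflect.Bool` branch every boolean option becomes a `cli.BoolTFlag`, so each flag now defaults to true no matter what is read into `dv`, which only reaches the usage text; the removed code deliberately used `cli.BoolFlag` for options such as `skip-token-verification`, `enable-forwarding`, `no-redirects`, `http-only-cookie` and `enable-proxy-protocol`. Depending on how parseCLIOptions (which starts at the end of this hunk and continues outside it) copies unset flags into the Config, this would switch those options on by default, and for `skip-token-verification`, `skip-upstream-tls-verify` and `skip-openid-provider-tls-verify` that means verification is disabled unless the operator passes `--name=false`; the flag type should follow `dv`, as in the excerpt below. The `reflect.Slice`/`reflect.Map` and `time.Duration` branches also omit `EnvVar`, so an `env` tag on such a field is silently ignored, and the panic text in the `reflect.Int64` branch says `uint64`. Hoisting `reflect.TypeOf(Config{})` out of the loop into a single variable next to `count` would avoid recomputing it for every field.
```go
case reflect.Bool:
	dv := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).Bool()
	msg := fmt.Sprintf("%s (default: %t)", usage, dv)
	// BoolTFlag defaults to true and BoolFlag to false; pick the one matching the Config default
	if dv {
		flags = append(flags, cli.BoolTFlag{Name: optName, Usage: msg, EnvVar: envName})
	} else {
		flags = append(flags, cli.BoolFlag{Name: optName, Usage: msg, EnvVar: envName})
	}
// … unchanged: reflect.String, reflect.Slice/Map, reflect.Int64 and default cases …
```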
@@ -103,142 +104,142 @@ type Cors struct { // Config is the configuration for the proxy type Config struct { + // ConfigFile is the binding interface + ConfigFile string `json:"config" yaml:"config" usage:"path the a configuration file" env:"CONFIG_FILE"` // Listen is the binding interface - Listen string `json:"listen" yaml:"listen"` + Listen string `json:"listen" yaml:"listen" usage:"the interface the service should be listening on" env:"LISTEN"` // ListenHTTP is the interface to bind the http only service on - ListenHTTP string `json:"listen-http" yaml:"listen-http"` + ListenHTTP string `json:"listen-http" yaml:"listen-http" usage:"interface we should be listening" env:"LISTEN_HTTP"` // DiscoveryURL is the url for the keycloak server - DiscoveryURL string `json:"discovery-url" yaml:"discovery-url"` + DiscoveryURL string `json:"discovery-url" yaml:"discovery-url" usage:"discovery url to retrieve the openid configuration" env:"DISCOVERY_URL"` // ClientID is the client id - ClientID string `json:"client-id" yaml:"client-id"` + ClientID string `json:"client-id" yaml:"client-id" usage:"client id used to authenticate to the oauth service" env:"CLIENT_ID"` // ClientSecret is the secret for AS - ClientSecret string `json:"client-secret" yaml:"client-secret"` + ClientSecret string `json:"client-secret" yaml:"client-secret" usage:"client secret used to authenticate to the oauth service" env:"CLIENT_SECERT"` // RedirectionURL the redirection url - RedirectionURL string `json:"redirection-url" yaml:"redirection-url"` + RedirectionURL string `json:"redirection-url" yaml:"redirection-url" usage:"redirection url for the oauth callback url" env:"REDIRECTION_URL"` // RevocationEndpoint is the token revocation endpoint to revoke refresh tokens - RevocationEndpoint string `json:"revocation-url" yaml:"revocation-url"` + RevocationEndpoint string `json:"revocation-url" yaml:"revocation-url" usage:"url for the revocation endpoint to revoke refresh token" env:"REVOCATION_URL"` // 
SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication - SkipOpenIDProviderTLSVerify bool `json:"skip-openid-provider-tls-verify" yaml:"skip-openid-provider-tls-verify"` + SkipOpenIDProviderTLSVerify bool `json:"skip-openid-provider-tls-verify" yaml:"skip-openid-provider-tls-verify" usage:"skip the verification of any TLS communication with the openid provider"` // Scopes is a list of scope we should request - Scopes []string `json:"scopes" yaml:"scopes"` + Scopes []string `json:"scopes" yaml:"scopes" usage:"list of scopes requested when authenticating the user"` // Upstream is the upstream endpoint i.e whom were proxying to - Upstream string `json:"upstream-url" yaml:"upstream-url"` + Upstream string `json:"upstream-url" yaml:"upstream-url" usage:"url for the upstream endpoint you wish to proxy" env:"UPSTREAM_URL"` // Resources is a list of protected resources - Resources []*Resource `json:"resources" yaml:"resources"` + Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'"` // Headers permits adding customs headers across the board - Headers map[string]string `json:"headers" yaml:"headers"` + Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"` // EnableForwarding enables the forwarding proxy - EnableForwarding bool `json:"enable-forwarding" yaml:"enable-forwarding"` + EnableForwarding bool `json:"enable-forwarding" yaml:"enable-forwarding" usage:"enables the forwarding proxy mode, signing outbound request"` // EnableSecurityFilter enabled the security handler - EnableSecurityFilter bool `json:"enable-security-filter" yaml:"enable-security-filter"` + EnableSecurityFilter bool `json:"enable-security-filter" yaml:"enable-security-filter" usage:"enables the security filter handler"` // EnableRefreshTokens indicate's you wish to ignore using refresh tokens and re-auth on expiration of access token 
- EnableRefreshTokens bool `json:"enable-refresh-tokens" yaml:"enable-refresh-tokens"` + EnableRefreshTokens bool `json:"enable-refresh-tokens" yaml:"enable-refresh-tokens" usage:"nables the handling of the refresh tokens" env:"ENABLE_SECURITY_FILTER"` // EnableLoginHandler indicates we want the login handler enabled - EnableLoginHandler bool `json:"enable-login-handler" yaml:"enable-login-handler"` + EnableLoginHandler bool `json:"enable-login-handler" yaml:"enable-login-handler" usage:"enables the handling of the refresh tokens" env:"ENABLE_LOGIN_HANDLER"` // EnableAuthorizationHeader indicates we should pass the authorization header - EnableAuthorizationHeader bool `json:"enable-authorization-header" yaml:"enable-authorization-header"` + EnableAuthorizationHeader bool `json:"enable-authorization-header" yaml:"enable-authorization-header" usage:"adds the authorization header to the proxy request"` // EnableHTTPSRedirect indicate we should redirection http -> https - EnableHTTPSRedirect bool `json:"enable-https-redirection" yaml:"enable-https-redirection"` + EnableHTTPSRedirect bool `json:"enable-https-redirection" yaml:"enable-https-redirection" usage:"enable the http to https redirection on the http service"` // EnableProfiling indicates if profiles is switched on - EnableProfiling bool `json:"enable-profiling" yaml:"enable-profiling"` + EnableProfiling bool `json:"enable-profiling" yaml:"enable-profiling" usage:"switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc"` // EnableMetrics indicates if the metrics is enabled - EnableMetrics bool `json:"enable-metrics" yaml:"enable-metrics"` - // EnableURIMetrics indicates we want to keep metrics on uri request times - EnableURIMetrics bool `json:"enable-uri-metrics" yaml:"enable-uri-metrics"` + EnableMetrics bool `json:"enable-metrics" yaml:"enable-metrics" usage:"enable the prometheus metrics collector on /oauth/metrics"` // EnableBrowserXSSFilter indicates you want the filter on - 
EnableBrowserXSSFilter bool `json:"filter-browser-xss" yaml:"filter-browser-xss"` + EnableBrowserXSSFilter bool `json:"filter-browser-xss" yaml:"filter-browser-xss" usage:"enable the adds the X-XSS-Protection header with mode=block"` // EnableContentNoSniff indicates you want the filter on - EnableContentNoSniff bool `json:"filter-content-nosniff" yaml:"filter-content-nosniff"` + EnableContentNoSniff bool `json:"filter-content-nosniff" yaml:"filter-content-nosniff" usage:"adds the X-Content-Type-Options header with the value nosniff"` // EnableFrameDeny indicates the filter is on - EnableFrameDeny bool `json:"filter-frame-deny" yaml:"filter-frame-deny"` + EnableFrameDeny bool `json:"filter-frame-deny" yaml:"filter-frame-deny" usage:"enable to the frame deny header"` // ContentSecurityPolicy allows the Content-Security-Policy header value to be set with a custom value - ContentSecurityPolicy string `json:"content-security-policy" yaml:"content-security-policy"` + ContentSecurityPolicy string `json:"content-security-policy" yaml:"content-security-policy" usage:"specify the content security policy"` // LocalhostMetrics indicated the metrics can only be consume via localhost - LocalhostMetrics bool `json:"localhost-metrics" yaml:"localhost-metrics"` + LocalhostMetrics bool `json:"localhost-metrics" yaml:"localhost-metrics" usage:"enforces the metrics page can only been requested from 127.0.0.1"` // CookieDomain is a list of domains the cookie is available to - CookieDomain string `json:"cookie-domain" yaml:"cookie-domain"` + CookieDomain string `json:"cookie-domain" yaml:"cookie-domain" usage:"domain the access cookie is available to, defaults host header"` // CookieAccessName is the name of the access cookie holding the access token - CookieAccessName string `json:"cookie-access-name" yaml:"cookie-access-name"` + CookieAccessName string `json:"cookie-access-name" yaml:"cookie-access-name" usage:"name of the cookie use to hold the access token"` // CookieRefreshName is 
the name of the refresh cookie - CookieRefreshName string `json:"cookie-refresh-name" yaml:"cookie-refresh-name"` + CookieRefreshName string `json:"cookie-refresh-name" yaml:"cookie-refresh-name" usage:"name of the cookie used to hold the encrypted refresh token"` // SecureCookie enforces the cookie as secure - SecureCookie bool `json:"secure-cookie" yaml:"secure-cookie"` + SecureCookie bool `json:"secure-cookie" yaml:"secure-cookie" usage:"enforces the cookie to be secure"` // HTTPOnlyCookie enforces the cookie as http only - HTTPOnlyCookie bool `json:"http-only-cookie" yaml:"http-only-cookie"` + HTTPOnlyCookie bool `json:"http-only-cookie" yaml:"http-only-cookie" usage:"enforces the cookie is in http only mode"` // MatchClaims is a series of checks, the claims in the token must match those here - MatchClaims map[string]string `json:"match-claims" yaml:"match-claims"` + MatchClaims map[string]string `json:"match-claims" yaml:"match-claims" usage:"keypair values for matching access token claims e.g. 
aud=myapp, iss=http://example.*"` // AddClaims is a series of claims that should be added to the auth headers - AddClaims []string `json:"add-claims" yaml:"add-claims"` + AddClaims []string `json:"add-claims" yaml:"add-claims" usage:"extra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name"` // TLSCertificate is the location for a tls certificate - TLSCertificate string `json:"tls-cert" yaml:"tls-cert"` + TLSCertificate string `json:"tls-cert" yaml:"tls-cert" usage:"path to ths TLS certificate"` // TLSPrivateKey is the location of a tls private key - TLSPrivateKey string `json:"tls-private-key" yaml:"tls-private-key"` + TLSPrivateKey string `json:"tls-private-key" yaml:"tls-private-key" usage:"path to the private key for TLS"` // TLSCaCertificate is the CA certificate which the client cert must be signed - TLSCaCertificate string `json:"tls-ca-certificate" yaml:"tls-ca-certificate"` + TLSCaCertificate string `json:"tls-ca-certificate" yaml:"tls-ca-certificate" usage:"path to the ca certificate used for signing requests"` // TLSCaPrivateKey is the CA private key used for signing - TLSCaPrivateKey string `json:"tls-ca-key" yaml:"tls-ca-key"` + TLSCaPrivateKey string `json:"tls-ca-key" yaml:"tls-ca-key" usage:"path the ca private key, used by the forward signing proxy"` // TLSClientCertificate is path to a client certificate to use for outbound connections - TLSClientCertificate string `json:"tls-client-certificate" yaml:"tls-client-certificate"` + TLSClientCertificate string `json:"tls-client-certificate" yaml:"tls-client-certificate" usage:"path to the client certificate for outbound connections in reverse and forwarding proxy modes"` // SkipUpstreamTLSVerify skips the verification of any upstream tls - SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify"` + SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify" usage:"skip the verification of any upstream 
TLS"` // CorsOrigins is a list of origins permitted - CorsOrigins []string `json:"cors-origins" yaml:"cors-origins"` + CorsOrigins []string `json:"cors-origins" yaml:"cors-origins" usage:"origins to add to the CORE origins control (Access-Control-Allow-Origin)"` // CorsMethods is a set of access control methods - CorsMethods []string `json:"cors-methods" yaml:"cors-methods"` + CorsMethods []string `json:"cors-methods" yaml:"cors-methods" usage:"methods permitted in the access control (Access-Control-Allow-Methods)"` // CorsHeaders is a set of cors headers - CorsHeaders []string `json:"cors-headers" yaml:"cors-headers"` + CorsHeaders []string `json:"cors-headers" yaml:"cors-headers" usage:"set of headers to add to the CORS access control (Access-Control-Allow-Headers)"` // CorsExposedHeaders are the exposed header fields - CorsExposedHeaders []string `json:"cors-exposed-headers" yaml:"cors-exposed-headers"` + CorsExposedHeaders []string `json:"cors-exposed-headers" yaml:"cors-exposed-headers" usage:"expose cors headers access control (Access-Control-Expose-Headers)"` // CorsCredentials set the creds flag - CorsCredentials bool `json:"cors-credentials" yaml:"cors-credentials"` + CorsCredentials bool `json:"cors-credentials" yaml:"cors-credentials" usage:"credentials access control header (Access-Control-Allow-Credentials)"` // CorsMaxAge is the age for CORS - CorsMaxAge time.Duration `json:"cors-max-age" yaml:"cors-max-age"` + CorsMaxAge time.Duration `json:"cors-max-age" yaml:"cors-max-age" usage:"max age applied to cors headers (Access-Control-Max-Age)"` // Hostname is a list of hostname's the service should response to - Hostnames []string `json:"hostnames" yaml:"hostnames"` + Hostnames []string `json:"hostnames" yaml:"hostnames" usage:"list of hostnames the service will respond to"` // Store is a url for a store resource, used to hold the refresh tokens - StoreURL string `json:"store-url" yaml:"store-url"` + StoreURL string `json:"store-url" yaml:"store-url" 
usage:"url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file"` // EncryptionKey is the encryption key used to encrypt the refresh token - EncryptionKey string `json:"encryption-key" yaml:"encryption-key"` + EncryptionKey string `json:"encryption-key" yaml:"encryption-key" usage:"encryption key used to encrpytion the session state"` // LogRequests indicates if we should log all the requests - LogRequests bool `json:"log-requests" yaml:"log-requests"` + LogRequests bool `json:"log-requests" yaml:"log-requests" usage:"enable http logging of the requests"` // LogFormat is the logging format - LogJSONFormat bool `json:"json-format" yaml:"json-format"` + LogJSONFormat bool `json:"json-format" yaml:"json-format" usage:"switch on json logging rather than text"` // NoRedirects informs we should hand back a 401 not a redirect - NoRedirects bool `json:"no-redirects" yaml:"no-redirects"` + NoRedirects bool `json:"no-redirects" yaml:"no-redirects" usage:"do not have back redirects when no authentication is present, 401 them"` // SkipTokenVerification tells the service to skipp verifying the access token - for testing purposes - SkipTokenVerification bool `json:"skip-token-verification" yaml:"skip-token-verification"` + SkipTokenVerification bool `json:"skip-token-verification" yaml:"skip-token-verification" usage:"TESTING ONLY; bypass token verification, only expiration and roles enforced"` // UpstreamKeepalives specifies whether we use keepalives on the upstream - UpstreamKeepalives bool `json:"upstream-keepalives" yaml:"upstream-keepalives"` + UpstreamKeepalives bool `json:"upstream-keepalives" yaml:"upstream-keepalives" usage:"enables or disables the keepalive connections for upstream endpoint"` // UpstreamTimeout is the maximum amount of time a dial will wait for a connect to complete - UpstreamTimeout time.Duration `json:"upstream-timeout" yaml:"upstream-timeout"` + UpstreamTimeout time.Duration `json:"upstream-timeout" yaml:"upstream-timeout" 
usage:"maximum amount of time a dial will wait for a connect to complete"` // UpstreamKeepaliveTimeout - UpstreamKeepaliveTimeout time.Duration `json:"upstream-keepalive-timeout" yaml:"upstream-keepalive-timeout"` + UpstreamKeepaliveTimeout time.Duration `json:"upstream-keepalive-timeout" yaml:"upstream-keepalive-timeout" usage:"specifies the keep-alive period for an active network connection"` // Verbose switches on debug logging - Verbose bool `json:"verbose" yaml:"verbose"` + Verbose bool `json:"verbose" yaml:"verbose" usage:"switch on debug / verbose logging"` // EnableProxyProtocol controls the proxy protocol - EnableProxyProtocol bool `json:"enabled-proxy-protocol" yaml:"enabled-proxy-protocol"` + EnableProxyProtocol bool `json:"enabled-proxy-protocol" yaml:"enabled-proxy-protocol" usage:"enable proxy protocol"` // SignInPage is the relative url for the sign in page - SignInPage string `json:"sign-in-page" yaml:"sign-in-page"` + SignInPage string `json:"sign-in-page" yaml:"sign-in-page" usage:"path to custom template displayed for signin"` // ForbiddenPage is a access forbidden page - ForbiddenPage string `json:"forbidden-page" yaml:"forbidden-page"` + ForbiddenPage string `json:"forbidden-page" yaml:"forbidden-page" usage:"path to custom template used for access forbidden"` // TagData is passed to the templates - TagData map[string]string `json:"tag-data" yaml:"tag-data"` + TagData map[string]string `json:"tag-data" yaml:"tag-data" usage:"keypair's passed to the templates at render,e.g title=Page"` // ForwardingUsername is the username to login to the oauth service - ForwardingUsername string `json:"forwarding-username" yaml:"forwarding-username"` + ForwardingUsername string `json:"forwarding-username" yaml:"forwarding-username" usage:"username to use when logging into the openid provider"` // ForwardingPassword is the password to use for the above - ForwardingPassword string `json:"forwarding-password" yaml:"forwarding-password"` + ForwardingPassword string 
`json:"forwarding-password" yaml:"forwarding-password" usage:"password to use when logging into the openid provider"` // ForwardingDomains is a collection of domains to signs - ForwardingDomains []string `json:"forwarding-domains" yaml:"forwarding-domains"` + ForwardingDomains []string `json:"forwarding-domains" yaml:"forwarding-domains" usage:"list of domains which should be signed; everything else is relayed unsigned"` } // store is used to hold the offline refresh token, assuming you don't want to use
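Review bot: The `env` tag on `ClientSecret` is misspelled `CLIENT_SECERT`, so with `envPrefix` the secret is read from `PROXY_CLIENT_SECERT` while the removed cli.go flag bound `PROXY_CLIENT_SECRET`; a deployment exporting the old name would start with an empty client secret, and the tag should be `env:"CLIENT_SECRET"`. `EnableRefreshTokens` carries `env:"ENABLE_SECURITY_FILTER"` (copied from the field above; it should be `env:"ENABLE_REFRESH_TOKENS"`) and its usage text reads `nables …`, while `EnableLoginHandler` reuses the refresh-token usage sentence. `ListenHTTP` moves from `PROXY_HTTP_LISTEN` to `PROXY_LISTEN_HTTP` and `StoreURL` loses its `PROXY_STORE_URL` binding entirely, neither of which is mentioned anywhere on the page. Since the cli.go hunk now takes the flag name from the `yaml` tag, the command-line names also change for `resources`, `hostnames`, `tag-data`, `json-format`, `enabled-proxy-protocol`, `localhost-metrics` and `cors-exposed-headers` (previously `resource`, `hostname`, `tag`, `json-logging`, `enable-proxy-protocol`, `localhost-only-metrics`, `cors-exposes-headers`); if that is intended it deserves a line in the commit message.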