@arkag
Created January 22, 2020 20:12
# vouch config
# you should probably start with one of the other configs in the example directory
# vouch proxy does a fairly good job of setting its config to sane defaults
# be aware of your indentation, the only top level elements are `vouch` and `oauth`.
vouch:
  logLevel: debug
  # logLevel: info

  # testing - force all 302 redirects to be rendered as a webpage with a link
  # if you're having problems, turn on testing
  testing: true

  listen: 0.0.0.0
  port: 9090

  # domains -
  # each of these domains must serve the url https://vouch.$domains[0] https://vouch.$domains[1] ...
  # so that the cookie which stores the JWT can be set in the relevant domain
  # you usually *don't* want to list every individual website that will be protected
  # if you have siteA.internal.yourdomain.com and siteB.internal.yourdomain.com
  # then your domains should be set as yourdomain.com or perhaps internal.yourdomain.com
  # usually you'll just have one.
  # Comment `domains:` out if you set allowAllUsers: true
  domains:
  - sub.domain.com

  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
  allowAllUsers: false

  # Setting publicAccess: true will accept all requests, even without a cookie.
  # If the user is logged in, the cookie will be validated and the user header will be set.
  # You will need to direct people to the Vouch Proxy login page from your application.
  # publicAccess: false

  # whiteList - (optional) allows only the listed usernames
  # usernames are usually email addresses (google, most oidc providers) or login/username for github and github enterprise
  whiteList:
  - [email protected]
  - [email protected]
  - [email protected]

  jwt:
    # secret - a random string used to cryptographically sign the jwt
    # Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)
    # if the secret is not set here then:
    #   look for the secret in `./config/secret`
    #   if `./config/secret` doesn't exist then randomly generate a secret and store it there
    # in order to run multiple instances of vouch on multiple servers (perhaps purely for validating the jwt),
    # you'll want them all to have the same secret
    secret: mGwbsK2MPnzyi8mCpQdCWpWwqoEy7DMYc5kjaAseihFVUJMn7Z
    issuer: Vouch
    # number of minutes until jwt expires
    maxAge: 240
    # compress the jwt
    compress: true

  cookie:
    # name of cookie to store the jwt
    name: VouchCookie
    # optionally force the domain of the cookie to set
    # domain: yourdomain.com
    secure: true
    httpOnly: true
    # Set cookie maxAge to 0 to delete the cookie every time the browser is closed.
    maxAge: 14400

  session:
    # name of session variable stored locally
    name: VouchSession
    # key - a cryptographic string used to store the session variable
    # if the key is not set here then it is generated at startup and stored in memory
    # Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)
    # you only want to set this if you're running multiple user-facing vouch.yourdomain.com instances
    key: mGwbsK2MPnzyi8mCpQdCWpWwqoEy7DMYc5kjaAseihFVUJMn7Z

  headers:
    jwt: X-Vouch-Token
    querystring: access_token
    redirect: X-Vouch-Requested-URI

    # GENERAL WARNING ABOUT claims AND tokens
    # all of these config elements can cause performance impacts due to the amount of information being
    # moved around. They will get added to the Vouch cookie and (possibly) make it large. The Vouch cookie will
    # get split up into several cookies. Every request will process the cookies in order to extract and create the
    # additional headers which get returned. But if you need it, you need it.
    # With large cookies and headers it will require additional nginx config to open up the buffers a bit:
    # see `large_client_header_buffers` http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
    # and `proxy_buffer_size` http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size

    # claims - a list of claims that will be stored in the JWT and passed down to applications via headers
    # By default claims are sent down as headers with a prefix of X-Vouch-IdP-Claims-ClaimKey
    # Only when a claim is found in the user's info will the header exist. This is optional. These are case sensitive.
    claims:
      - groups
      - given_name
    # these will result in two headers being passed back to nginx
    #   X-Vouch-IdP-Claims-groups
    #   X-Vouch-IdP-Claims-given_name

    # claimheader - Customizable claim header prefix (instead of default `X-Vouch-IdP-Claims-`)
    # claimheader: My-Custom-Claim-Prefix

    # accesstoken - Pass the user's access token from the provider. This is useful if you need to pass the IdP token to a downstream
    # application. This is optional.
    # accesstoken: X-Vouch-IdP-AccessToken

    # idtoken - Pass the user's ID token from the provider. This is useful if you need to pass this token to a downstream
    # application. This is optional.
    # idtoken: X-Vouch-IdP-IdToken

  db:
    file: data/vouch_bolt.db

  # test_url - add this URL to the page which vouch displays
  test_url: http://yourdomain.com

  # webapp - WIP for web interface to vouch (mostly logs)
  # webapp: true

oauth:
  provider: oidc
  client_id: 0oa11gjiqk1m5kYHD4x6
  client_secret: I_LY1Rt6UiG8m6Q6mWjHOQkh920fqn_GgAChgv52
  auth_url: https://dev-number-admin.okta.com/oauth2/default/v1/authorize
  token_url: https://dev-number-admin.okta.com/oauth2/default/v1/token
  user_info_url: https://dev-number-admin.okta.com/oauth2/default/v1/userinfo
  scopes:
    - openid
    - email
  # Set the callback URL to the domain that Vouch is running on
  callback_url: https://sub.domain.com/stats/auth
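The comments above spell out several constraints (44-character minimum for `jwt.secret` and `session.key`, `domains` required unless `allowAllUsers` is true, the callback living under a configured domain). The following lint script is an added example, not part of the gist or of Vouch Proxy; it represents the config as a Python dict instead of YAML so it needs no third-party parser, and uses a placeholder whitelist entry and freshly generated secrets in place of the values in the gist.

```python
import base64
import secrets
from urllib.parse import urlparse

MIN_SECRET_CHARS = 44  # 32 random bytes -> 44 base64 characters, i.e. 256 bits


def new_secret() -> str:
    """Return a random secret that meets Vouch Proxy's 44-character minimum."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def sample_config() -> dict:
    """Constructed subset of the gist's config (hypothetical values where noted)."""
    return {
        "vouch": {
            "domains": ["sub.domain.com"],
            "allowAllUsers": False,
            "whiteList": ["user@example.com"],  # placeholder for the gist's addresses
            "jwt": {"secret": new_secret(), "maxAge": 240},
            "cookie": {"secure": True, "httpOnly": True, "maxAge": 14400},
            "session": {"key": new_secret()},
        },
        "oauth": {"callback_url": "https://sub.domain.com/stats/auth"},
    }


def lint(cfg: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    v, o = cfg["vouch"], cfg["oauth"]
    problems = []
    # Both signing/encryption strings must be at least 44 characters long.
    for section, key in (("jwt", "secret"), ("session", "key")):
        val = v.get(section, {}).get(key, "")
        if len(val) < MIN_SECRET_CHARS:
            problems.append(f"vouch.{section}.{key}: {len(val)} chars, need {MIN_SECRET_CHARS}")
    # domains may only be omitted when everyone who authenticates is accepted.
    if not v.get("allowAllUsers") and not v.get("domains"):
        problems.append("vouch.domains must be set unless allowAllUsers is true")
    # The JWT cookie should never travel over plain HTTP or be readable by scripts.
    for flag in ("secure", "httpOnly"):
        if not v.get("cookie", {}).get(flag):
            problems.append(f"vouch.cookie.{flag} should be true")
    # The cookie is scoped to a configured domain, so the callback must be under one.
    host = urlparse(o.get("callback_url", "")).hostname or ""
    if not any(host == d or host.endswith("." + d) for d in v.get("domains", [])):
        problems.append(f"oauth.callback_url host '{host}' is not under any vouch.domains entry")
    return problems
```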