9bbdc721d5
* Added /device/token handler with associated business logic and storage tests. Perform user code exchange, flag the device code as complete. Moved device handler code into its own file for cleanliness. Cleanup * Removed PKCE code * Rate limiting for /device/token endpoint based on ietf standards * Configurable Device expiry Signed-off-by: justin-slowik <justin.slowik@thermofisher.com>
129 lines
3.8 KiB
YAML
129 lines
3.8 KiB
YAML
# The base path of dex and the external name of the OpenID Connect service.
|
|
# This is the canonical URL that all clients MUST use to refer to dex. If a
|
|
# path is provided, dex's HTTP service will listen at a non-root URL.
|
|
issuer: http://127.0.0.1:5556/dex
|
|
|
|
# The storage configuration determines where dex stores its state. Supported
|
|
# options include SQL flavors and Kubernetes third party resources.
|
|
#
|
|
# See the storage document at Documentation/storage.md for further information.
|
|
storage:
|
|
type: sqlite3
|
|
config:
|
|
file: examples/dex.db
|
|
|
|
# type: mysql
|
|
# config:
|
|
# host: localhost
|
|
# port: 3306
|
|
# database: dex
|
|
# user: mysql
|
|
# password: mysql
|
|
# ssl:
|
|
# mode: "false"
|
|
|
|
# type: postgres
|
|
# config:
|
|
# host: localhost
|
|
# port: 5432
|
|
# database: dex
|
|
# user: postgres
|
|
# password: postgres
|
|
# ssl:
|
|
# mode: disable
|
|
|
|
# type: etcd
|
|
# config:
|
|
# endpoints:
|
|
# - http://localhost:2379
|
|
# namespace: dex/
|
|
|
|
# type: kubernetes
|
|
# config:
|
|
# kubeConfigFile: $HOME/.kube/config
|
|
|
|
# Configuration for the HTTP endpoints.
|
|
web:
|
|
http: 0.0.0.0:5556
|
|
# Uncomment for HTTPS options.
|
|
# https: 127.0.0.1:5554
|
|
# tlsCert: /etc/dex/tls.crt
|
|
# tlsKey: /etc/dex/tls.key
|
|
|
|
# Configuration for telemetry
|
|
telemetry:
|
|
http: 0.0.0.0:5558
|
|
|
|
# Uncomment this block to enable the gRPC API. This values MUST be different
|
|
# from the HTTP endpoints.
|
|
# grpc:
|
|
# addr: 127.0.0.1:5557
|
|
# tlsCert: examples/grpc-client/server.crt
|
|
# tlsKey: examples/grpc-client/server.key
|
|
# tlsClientCA: /etc/dex/client.crt
|
|
|
|
# Uncomment this block to enable configuration for the expiration time durations.
|
|
# expiry:
|
|
# deviceRequests: "5m"
|
|
# signingKeys: "6h"
|
|
# idTokens: "24h"
|
|
|
|
# Options for controlling the logger.
|
|
# logger:
|
|
# level: "debug"
|
|
# format: "text" # can also be "json"
|
|
|
|
# Default values shown below
|
|
# oauth2:
|
|
# use ["code", "token", "id_token"] to enable implicit flow for web-only clients
|
|
# responseTypes: [ "code" ] # also allowed are "token" and "id_token"
|
|
# By default, Dex will ask for approval to share data with application
|
|
# (approval for sharing data from connected IdP to Dex is separate process on IdP)
|
|
# skipApprovalScreen: false
|
|
# If only one authentication method is enabled, the default behavior is to
|
|
# go directly to it. For connected IdPs, this redirects the browser away
|
|
# from application to upstream provider such as the Google login page
|
|
# alwaysShowLoginScreen: false
|
|
# Uncommend the passwordConnector to use a specific connector for password grants
|
|
# passwordConnector: local
|
|
|
|
# Instead of reading from an external storage, use this list of clients.
|
|
#
|
|
# If this option isn't chosen clients may be added through the gRPC API.
|
|
staticClients:
|
|
- id: example-app
|
|
redirectURIs:
|
|
- 'http://127.0.0.1:5555/callback'
|
|
name: 'Example App'
|
|
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
|
|
|
|
connectors:
|
|
- type: mockCallback
|
|
id: mock
|
|
name: Example
|
|
# - type: google
|
|
# id: google
|
|
# name: Google
|
|
# config:
|
|
# issuer: https://accounts.google.com
|
|
# # Connector config values starting with a "$" will read from the environment.
|
|
# clientID: $GOOGLE_CLIENT_ID
|
|
# clientSecret: $GOOGLE_CLIENT_SECRET
|
|
# redirectURI: http://127.0.0.1:5556/dex/callback
|
|
# hostedDomains:
|
|
# - $GOOGLE_HOSTED_DOMAIN
|
|
|
|
# Let dex keep a list of passwords which can be used to login to dex.
|
|
enablePasswordDB: true
|
|
|
|
# A static list of passwords to login the end user. By identifying here, dex
|
|
# won't look in its underlying storage for passwords.
|
|
#
|
|
# If this option isn't chosen users may be added through the gRPC API.
|
|
staticPasswords:
|
|
- email: "admin@example.com"
|
|
# bcrypt hash of the string "password"
|
|
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
|
username: "admin"
|
|
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
|