dex/examples/config-dev.yaml

# DEPRECATED: use config.yaml.dist and config.dev.yaml examples in the repository root.
# TODO: keep this until all references are updated.

# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the documentation (https://dexidp.io/docs/storage/) for further information.
storage:
  type: sqlite3
  config:
    file: examples/dex.db

  # type: mysql
  # config:
  #   host: localhost
  #   port: 3306
  #   database: dex
  #   user: mysql
  #   password: mysql
  #   ssl:
  #     mode: "false"

  # type: postgres
  # config:
  #   host: localhost
  #   port: 5432
  #   database: dex
  #   user: postgres
  #   password: postgres
  #   ssl:
  #     mode: disable

  # type: etcd
  # config:
  #   endpoints:
  #     - http://localhost:2379
  #   namespace: dex/

  # type: kubernetes
  # config:
  #   kubeConfigFile: $HOME/.kube/config

# Configuration for the HTTP endpoints.
web:
  http: 0.0.0.0:5556
  # Uncomment for HTTPS options.
  # https: 127.0.0.1:5554
  # tlsCert: /etc/dex/tls.crt
  # tlsKey: /etc/dex/tls.key

# Configuration for dex appearance
# frontend:
#   issuer: dex
#   logoURL: theme/logo.png
#   dir: web/
#   theme: light

# Configuration for telemetry
telemetry:
  http: 0.0.0.0:5558
  # enableProfiling: true

# Uncomment this block to enable the gRPC API. This values MUST be different
# from the HTTP endpoints.
# grpc:
#   addr: 127.0.0.1:5557
#   tlsCert: examples/grpc-client/server.crt
#   tlsKey: examples/grpc-client/server.key
#   tlsClientCA: examples/grpc-client/ca.crt

# Uncomment this block to enable configuration for the expiration time durations.
# Is possible to specify units using only s, m and h suffixes.
# expiry:
#   deviceRequests: "5m"
#   signingKeys: "6h"
#   idTokens: "24h"
#   refreshTokens:
#     reuseInterval: "3s"
#     validIfNotUsedFor: "2160h" # 90 days
#     absoluteLifetime: "3960h" # 165 days

# Options for controlling the logger.
# logger:
#   level: "debug"
#   format: "text" # can also be "json"

# Default values shown below
# oauth2:
    # use ["code", "token", "id_token"] to enable implicit flow for web-only clients
#   responseTypes: [ "code" ] # also allowed are "token" and "id_token"
    # By default, Dex will ask for approval to share data with application
    # (approval for sharing data from connected IdP to Dex is separate process on IdP)
#   skipApprovalScreen: false
    # If only one authentication method is enabled, the default behavior is to
    # go directly to it. For connected IdPs, this redirects the browser away
    # from application to upstream provider such as the Google login page
#   alwaysShowLoginScreen: false
    # Uncomment the passwordConnector to use a specific connector for password grants
#   passwordConnector: local

# Instead of reading from an external storage, use this list of clients.
#
# If this option isn't chosen clients may be added through the gRPC API.
staticClients:
- id: example-app
  redirectURIs:
  - 'http://127.0.0.1:5555/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
#  - id: example-device-client
#    redirectURIs:
#      - /device/callback
#    name: 'Static Client for Device Flow'
#    public: true
connectors:
- type: mockCallback
  id: mock
  name: Example
# - type: google
#   id: google
#   name: Google
#   config:
#     issuer: https://accounts.google.com
#     # Connector config values starting with a "$" will read from the environment.
#     clientID: $GOOGLE_CLIENT_ID
#     clientSecret: $GOOGLE_CLIENT_SECRET
#     redirectURI: http://127.0.0.1:5556/dex/callback
#     hostedDomains:
#     - $GOOGLE_HOSTED_DOMAIN

# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true

# A static list of passwords to login the end user. By identifying here, dex
# won't look in its underlying storage for passwords.
#
# If this option isn't chosen users may be added through the gRPC API.
staticPasswords:
- email: "admin@example.com"
  # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
  username: "admin"
  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
chore: add new development configuration Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> 2021-01-23 22:55:47 +05:30			`# DEPRECATED: use config.yaml.dist and config.dev.yaml examples in the repository root.`
			`# TODO: keep this until all references are updated.`

*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`# The base path of dex and the external name of the OpenID Connect service.`
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# This is the canonical URL that all clients MUST use to refer to dex. If a`
			`# path is provided, dex's HTTP service will listen at a non-root URL.`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`issuer: http://127.0.0.1:5556/dex`

			`# The storage configuration determines where dex stores its state. Supported`
			`# options include SQL flavors and Kubernetes third party resources.`
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`#`
chore: rename the docs directory Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> 2021-01-14 21:06:59 +05:30			`# See the documentation (https://dexidp.io/docs/storage/) for further information.`
*: load static clients from config file 2016-08-05 22:20:22 +05:30			`storage:`
*: add sql storage options to dex application 2016-10-04 01:16:49 +05:30			`type: sqlite3`
			`config:`
			`file: examples/dex.db`
*: load static clients from config file 2016-08-05 22:20:22 +05:30
add docker-compose for local testing 2019-08-03 18:32:54 +05:30			`# type: mysql`
			`# config:`
			`# host: localhost`
			`# port: 3306`
			`# database: dex`
			`# user: mysql`
			`# password: mysql`
			`# ssl:`
			`# mode: "false"`

			`# type: postgres`
			`# config:`
			`# host: localhost`
			`# port: 5432`
			`# database: dex`
			`# user: postgres`
			`# password: postgres`
			`# ssl:`
			`# mode: disable`

			`# type: etcd`
			`# config:`
			`# endpoints:`
			`# - http://localhost:2379`
			`# namespace: dex/`

			`# type: kubernetes`
			`# config:`
			`# kubeConfigFile: $HOME/.kube/config`

*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# Configuration for the HTTP endpoints.`
*: load static clients from config file 2016-08-05 22:20:22 +05:30			`web:`
*: add theme based frontend configuration This PR reworks the web layout so static files can be provided and a "themes" directory to allow a certain degree of control over logos, styles, etc. This PR does NOT add general support for frontend customization, only enough to allow us to start exploring theming internally. The dex binary also must now be run from the root directory since templates are no longer "compiled into" the binary. The docker image has been updated with frontend assets. 2016-12-01 03:56:54 +05:30			`http: 0.0.0.0:5556`
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# Uncomment for HTTPS options.`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`# https: 127.0.0.1:5554`
			`# tlsCert: /etc/dex/tls.crt`
			`# tlsKey: /etc/dex/tls.key`
*: load static clients from config file 2016-08-05 22:20:22 +05:30
chore: add frontend section to dev config (#1913) * chore: add frontend section to dev config Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2021-01-12 23:50:38 +05:30			`# Configuration for dex appearance`
			`# frontend:`
			`# issuer: dex`
			`# logoURL: theme/logo.png`
			`# dir: web/`
			`# theme: light`

*: Add go runtime, process, HTTP and gRPC metrics 2017-12-20 20:33:32 +05:30			`# Configuration for telemetry`
			`telemetry:`
			`http: 0.0.0.0:5558`
feat: enable profiling endpoints Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2022-04-12 13:42:37 +05:30			`# enableProfiling: true`
*: Add go runtime, process, HTTP and gRPC metrics 2017-12-20 20:33:32 +05:30
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# Uncomment this block to enable the gRPC API. This values MUST be different`
			`# from the HTTP endpoints.`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`# grpc:`
			`# addr: 127.0.0.1:5557`
chore: add frontend section to dev config (#1913) * chore: add frontend section to dev config Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2021-01-12 23:50:38 +05:30			`# tlsCert: examples/grpc-client/server.crt`
			`# tlsKey: examples/grpc-client/server.key`
			`# tlsClientCA: examples/grpc-client/ca.crt`
*: load static clients from config file 2016-08-05 22:20:22 +05:30
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# Uncomment this block to enable configuration for the expiration time durations.`
chore: add note about units to expire config Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2021-04-02 17:42:43 +05:30			`# Is possible to specify units using only s, m and h suffixes.`
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# expiry:`
Device flow token code exchange (#2) * Added /device/token handler with associated business logic and storage tests. Perform user code exchange, flag the device code as complete. Moved device handler code into its own file for cleanliness. Cleanup * Removed PKCE code * Rate limiting for /device/token endpoint based on ietf standards * Configurable Device expiry Signed-off-by: justin-slowik <justin.slowik@thermofisher.com> 2020-01-29 00:44:30 +05:30			`# deviceRequests: "5m"`
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# signingKeys: "6h"`
			`# idTokens: "24h"`
feat: Add refresh token expiration and rotation settings Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2020-10-28 11:56:34 +05:30			`# refreshTokens:`
			`# reuseInterval: "3s"`
chore: add note about units to expire config Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2021-04-02 17:42:43 +05:30			`# validIfNotUsedFor: "2160h" # 90 days`
			`# absoluteLifetime: "3960h" # 165 days`
*: readme updates for v2 2016-11-09 01:21:59 +05:30
examples: add logger fields 2016-12-16 03:17:37 +05:30			`# Options for controlling the logger.`
			`# logger:`
			`# level: "debug"`
			`# format: "text" # can also be "json"`

Add examples for recent additions to oauth2 configuration options 2019-08-09 22:25:25 +05:30			`# Default values shown below`
examples: document explicit flow in example config 2017-06-23 23:57:49 +05:30			`# oauth2:`
Add examples for recent additions to oauth2 configuration options 2019-08-09 22:25:25 +05:30			`# use ["code", "token", "id_token"] to enable implicit flow for web-only clients`
			`# responseTypes: [ "code" ] # also allowed are "token" and "id_token"`
			`# By default, Dex will ask for approval to share data with application`
			`# (approval for sharing data from connected IdP to Dex is separate process on IdP)`
			`# skipApprovalScreen: false`
			`# If only one authentication method is enabled, the default behavior is to`
			`# go directly to it. For connected IdPs, this redirects the browser away`
			`# from application to upstream provider such as the Google login page`
			`# alwaysShowLoginScreen: false`
chore: add frontend section to dev config (#1913) * chore: add frontend section to dev config Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> 2021-01-12 23:50:38 +05:30			`# Uncomment the passwordConnector to use a specific connector for password grants`
Add support for password grant #926 2018-01-03 08:45:01 +05:30			`# passwordConnector: local`
examples: document explicit flow in example config 2017-06-23 23:57:49 +05:30
*: add the ability to define passwords statically 2016-10-06 05:20:02 +05:30			`# Instead of reading from an external storage, use this list of clients.`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`#`
*: fix spelling using github.com/client9/misspell 2017-03-20 21:46:56 +05:30			`# If this option isn't chosen clients may be added through the gRPC API.`
*: load static clients from config file 2016-08-05 22:20:22 +05:30			`staticClients:`
			`- id: example-app`
			`redirectURIs:`
			`- 'http://127.0.0.1:5555/callback'`
			`name: 'Example App'`
			`secret: ZXhhbXBsZS1hcHAtc2VjcmV0`
Added device flow static client to config-dev.yaml Signed-off-by: justin-slowik <justin.slowik@thermofisher.com> 2020-05-12 18:59:15 +05:30			`# - id: example-device-client`
			`# redirectURIs:`
better support for /device/callback redirect uris with public clients. Signed-off-by: justin-slowik <justin.slowik@thermofisher.com> 2020-05-14 01:08:43 +05:30			`# - /device/callback`
Added device flow static client to config-dev.yaml Signed-off-by: justin-slowik <justin.slowik@thermofisher.com> 2020-05-12 18:59:15 +05:30			`# name: 'Static Client for Device Flow'`
better support for /device/callback redirect uris with public clients. Signed-off-by: justin-slowik <justin.slowik@thermofisher.com> 2020-05-14 01:08:43 +05:30			`# public: true`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`connectors:`
			`- type: mockCallback`
			`id: mock`
			`name: Example`
Allow the "google" connector to work without a service account Fixes #1718 2020-05-20 23:30:06 +05:30			`# - type: google`
*: expand environment variables in config Allow users to define config values which are read form environemnt variables. Helpful for sensitive variables such as OAuth2 client IDs or LDAP credentials. 2016-10-23 02:06:31 +05:30			`# id: google`
			`# name: Google`
			`# config:`
			`# issuer: https://accounts.google.com`
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# # Connector config values starting with a "$" will read from the environment.`
*: expand environment variables in config Allow users to define config values which are read form environemnt variables. Helpful for sensitive variables such as OAuth2 client IDs or LDAP credentials. 2016-10-23 02:06:31 +05:30			`# clientID: $GOOGLE_CLIENT_ID`
			`# clientSecret: $GOOGLE_CLIENT_SECRET`
Fix Google OIDC callback url 2016-11-21 23:55:16 +05:30			`# redirectURI: http://127.0.0.1:5556/dex/callback`
connector/oidc: fix hosted domain support. 2017-07-22 04:18:21 +05:30			`# hostedDomains:`
			`# - $GOOGLE_HOSTED_DOMAIN`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30
*: readme updates for v2 2016-11-09 01:21:59 +05:30			`# Let dex keep a list of passwords which can be used to login to dex.`
*: add the ability to define passwords statically 2016-10-06 05:20:02 +05:30			`enablePasswordDB: true`

			`# A static list of passwords to login the end user. By identifying here, dex`
*: add more comments to the example config 2016-10-14 21:28:57 +05:30			`# won't look in its underlying storage for passwords.`
			`#`
*: fix spelling using github.com/client9/misspell 2017-03-20 21:46:56 +05:30			`# If this option isn't chosen users may be added through the gRPC API.`
*: add the ability to define passwords statically 2016-10-06 05:20:02 +05:30			`staticPasswords:`
			`- email: "admin@example.com"`
Include explanation in comment: https://github.com/dexidp/dex/pull/2218#discussion_r679873279 Signed-off-by: Jesse Glick <jglick@cloudbees.com> 2021-07-30 17:58:04 +05:30			`# bcrypt hash of the string "password": $(echo password \| htpasswd -BinC 10 admin \| cut -d: -f2)`
cmd/dex: only expand from env for storages and connectors Bcrypt'd hashes have "$" characters in them. This means that #667 (accepting actually bcrypted values) combined with #627 (expanding config with environment variables) broke the example config. For now, allow storages and connectors to expand their configs from the environment, but don't do this anywhere else. 2016-11-04 09:38:50 +05:30			`hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"`
*: add the ability to define passwords statically 2016-10-06 05:20:02 +05:30			`username: "admin"`
			`userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"`