const auth_config = { default_provider: env('AUTH_DEFAULT_PROVIDER', 'flitter'), default_login_route: '/dash', iam: { default_permissions: [ { target_type: 'machine', permission: 'sudo', }, { target_type: 'machine_group', permission: 'sudo', }, { target_type: 'vault', permission: 'view', }, { target_type: 'vault', permission: 'read', }, { target_type: 'vault', permission: 'update', }, { target_type: 'vault', permission: 'delete', }, ], }, mfa: { secret_length: env('MFA_SECRET_LENGTH', 20) }, servers: { // OAuth2 authorization server oauth2: { enable: env('OAUTH2_SERVER_ENABLE', true), // Grants that are available to clients. Supported types are authorization_code, password grants: ['authorization_code'], // Built in data retrieval endpoints. These are protected by user-specific OAuth2 tokens built_in_endpoints: { // Get the token user's data user: { // enable: env('OAUTH2_SERVER_ENABLE', false), enable: false, // Fields to return to the endpoint // The keys are the keys in the request. The values are the keys in the user. fields: { username: 'uid', id: 'uuid', // Data is a special key. It's key-value pairs are included, // unserialized, from the user's JSON data. data: { // Fields stored in serialized data can be included here: // special_field: 'some_json_data_field', }, }, }, }, }, }, // Auth provider configurations // You can have multiple of the same 'type' of auth source, but they // must have unique names. The name is the key of the source config. // Valid types are (by default): FlitterProvider, LdapProvider, Oauth2Provider sources: { // Default, database-backed auth provider flitter: { type: 'FlitterProvider', enable: env('AUTH_FLITTER_ENABLE', true), registration: env('AUTH_FLITTER_REGISTRATION', true), min_password_length: env('AUTH_MIN_PASSWORD_LENGTH', 8), }, // LDAP-backed auth provider example_ldap: { type: 'LdapProvider', enable: env('AUTH_LDAP_ENABLE', false), host: env('AUTH_LDAP_HOST', 'localhost'), port: env('AUTH_LDAP_PORT', 389), secure: env('AUTH_LDAP_BIND_SECURE', false), bind_dn: env('AUTH_LDAP_BIND_DN', 'uid=auth_agent,ou=people,dc=domain,dc=local'), bind_secret: env('AUTH_LDAP_BIND_PW'), user_search_base: env('AUTH_LDAP_SEARCH_BASE', 'ou=people,dc=domain,dc=local'), user_filter: env('AUTH_LDAP_USER_FILTER', '(uid=%u)'), // %u is the login provided username min_password_length: env('AUTH_MIN_PASSWORD_LENGTH', 8), // Maps flitter-auth roles to LDAP groups role_groups: { // Should correspond to existing auth roles // role_name: 'cn=somegroup,ou=groups,dc=domain,dc=local', }, // Maps user attributes to LDAP data attributes attributes: { uid: env('AUTH_LDAP_ATTR_UID', 'uid'), first_name: env('AUTH_LDAP_ATTR_FIRST_NAME', 'cn'), last_name: env('AUTH_LDAP_ATTR_LAST_NAME', 'sn'), email: env('AUTH_LDAP_ATTR_EMAIL', 'mail'), // Special case - used to determine group memberships group_membership: env('AUTH_LDAP_ATTR_GROUPS', 'memberOf'), }, registration: env('AUTH_LDAP_REGISTRATION', false), // Default attributes for new registered users // %u can be used to interpolate the registered user's uid registration_merge_attributes: { objectClass: ['posixAccount', 'shadowAccount', 'inetOrgPerson'], sn: '%u', cn: '%u', gecos: '%u', uidNumber: -1, gidNumber: -1, homeDirectory: '/dev/null', }, }, example_oauth: { type: 'Oauth2Provider', enable: env('AUTH_OAUTH2_ENABLE', false), source_name: env('AUTH_OAUTH2_SOURCE_NAME', 'GitHub'), source_client_id: env('AUTH_OAUTH2_CLIENT_ID'), source_client_secret: env('AUTH_OAUTH2_CLIENT_SECRET'), // Login page destination where the user will be redirected to on login // %c will be interpolated with the client id // %r will be interpolated with the redirect callback url // NOTE: This url is the same as the login page - /auth/oauth2/login source_login_page: env('AUTH_OAUTH2_LOGIN_REDIRECT', 'https://github.com/login/oauth/authorize?client_id=%c'), // Information about the OAuth2 Callback callback: { // URL query parameter name with the authorization_code token // e.g. ?code=XXXXXXXXXX token_key: 'code', }, // Information about the endpoint flitter-auth will use to redeem // the authorization_code token for a bearer token source_token: { endpoint: 'https://github.com/login/oauth/access_token', // Field name where the authorization_code token will be specified in the request token_key: 'code', // Field name for the client id client_id_key: 'client_id', // Field name for the client secret client_secret_key: 'client_secret', // Field name for the grant_type ('authorization_type') grant_type_key: 'grant_type', // Field name where the bearer token will be specified in the response response_token_key: 'access_token', }, // Information about the endpoint flitter-auth will use to get // user information after it retrieves a bearer token user_data: { endpoint: 'https://api.github.com/user', method: 'get', // 'get' or 'post' only // In the response data, what key is the user data in? // e.g. if 'data', then {'data': { ... }} // Set falsy to assume the data exists in the root: { ... } // data_root: 'data', // Value that prefixes the token in the 'Authorization: ' header. // e.g. 'token ' would mean 'token a0fw93ja0w93ja093wj' // 'Bearer ' would be 'Bearer 0329j0239dj209j3209jd' token_prefix: 'token ', // Mapping of user model attributes to OAuth2 return data from the endpoint // Note that uuid is not allowed, and uid is required attributes: { uid: 'login', }, }, }, }, roles: { // Roles can be defined here as arrays of permissions: // 'role_name': [ 'permission1', 'permission2' ], // Then, users with that role will automatically inherit the permissions. ldap_admin: ['ldap'], ldap_client: ['ldap:bind', 'ldap:search'], coreid_base: ['my:profile'], saml_admin: ['v1:saml', 'saml'], radius_admin: ['v1:radius', 'radius'], base_user: [ // Message Service 'v1:message:banners', // Permission Checks 'v1:reflect:check_permissions', // Profile 'v1:profile', // Password API 'v1:password', // LDAP Binding 'ldap:bind', 'ldap:search:users:me', ], root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam', 'radius'], }, } module.exports = auth_config