Cloudentity Platform Configuration Reference
Regardless of the deployment type you run, the Cloudentity platform shares common configuration reference that can be used to adjust the platform settings to any business need.
# logging logging: level: info # logging level (panic, fatal, error, warn, info, debug, trace) # http server server: system_tenant: system # name of the system tenant url: https://localhost:8443 # server url template mtls_url: "" # mtls server url template vanity_url_template: "" # vanity url template (https://{{vanityID}}.vanity.cloudentity.io) vanity_mtls_url_template: "" # vanity mtls url template (https://{{vanityID}}.mtls.vanity.cloudentity.io) assets_url: "" # url template to cdn with static files image_proxy_url: "" # url template to image proxy grpc_url: localhost:9443 # grpc url port: 8443 # http server port grpc_port: 9443 # grpc server port do_not_print_audit_logs_for_static_files: true # do not print audit logs for static files timeout: 10s # http server timeout etag_backoff: 200ms # etag backoff duration etag_retries: 25 # max number of etag retries audit_logs: true # enable audit logs disable_audit_logs_in_stdout: false # disable publishing audit logs to stdout http_logs: false # enable http request and response logging max_size_bytes: 1048576 # max size of http request body dangerous_disable_tls: false # disable tls disable_cache: false # disable cache disable_gzip: true # disable http gzip encoding disable_csrf: false # disable csrf protection disable_security: false # disable security middleware client_auth_type: RequestClientCert # mtls http server client auth type # http server tls certificate: password: "" # key passphrase cert_path: ./certs/srv/cert.pem # path to the certificate PEM file key_path: ./certs/srv/cert-key.pem # path to the key PEM file cert: "" # base64 encoded cert PEM key: "" # base64 encoded key PEM generated_key_type: rsa # type for generated key if cert and key are not provided (rsa or ecda) disable_monitoring: false # disable /metrics endpoint http_metrics_per_tenant: false # enable http metrics per tenant disable_async_processing: false # disable async processing (streams,queue) # http security configuration (github.com/unrolled/secure) security: browserxssfilter: true contenttypenosniff: true forcestsheader: false framedeny: true isdevelopment: false sslredirect: true sslforcehost: false ssltemporaryredirect: false stsincludesubdomains: true stspreload: true contentsecuritypolicy: | default-src 'self'; script-src 'self' $NONCE 'unsafe-eval'; worker-src 'self' 'strict-dynamic' $NONCE; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; img-src 'self' data: https:; connect-src 'self' wss:; frame-src 'self' https://www.google.com; contentsecuritypolicyreportonly: "" custombrowserxssvalue: "" customframeoptionsvalue: SAMEORIGIN publickey: "" referrerpolicy: same-origin featurepolicy: "" permissionspolicy: accelerometer=(),camera=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),screen-wake-lock=(),serial=(),usb=() crossoriginopenerpolicy: "" sslhost: "" allowedhosts: [] allowedhostsareregex: false hostsproxyheaders: - X-Forwarded-Host sslproxyheaders: X-Forwarded-Proto: https stsseconds: 31536000 expectctheader: "" securecontextkey: "" # cors configuration cors: allowedorigins: - '*' allowedheaders: - Content-Type - Authorization - If-Match allowedmethods: - GET - POST - PUT - DELETE # gateway authorizer packages packages: apigeeedge: file: /enforcement/apigee-edge-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url apigeex: file: /enforcement/apigee-x-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url aws: file: /enforcement/cloudentity-mp-aws-gw-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url istio: file: /enforcement/istio-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url kong: file: /enforcement/kong-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url kusk: file: /enforcement/standalone-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url pyron: file: /enforcement/pyron-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url standalone: file: /enforcement/standalone-authorizer.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url # openbanking packages openbanking_packages: br: file: /packages/openbanking/openbanking-quickstart-br.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url cdr: file: /packages/openbanking/openbanking-quickstart-cdr.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url fdx: file: /packages/openbanking/openbanking-quickstart-fdx.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url generic: file: /packages/openbanking/openbanking-quickstart-generic.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url uk: file: /packages/openbanking/openbanking-quickstart-uk.zip # path to package file url: "" # url to package username: "" # basic auth username for url password: "" # basic auth password for url templates_dir: ./web/templates # path to dir with templates static_dir: ./web/static # path to the dir with static files for templates app_static_dir: ./web/app/build/static # path to the dir with static files for react frontend app app_dir: ./web/app/build # path to the dir with react frontend app for acp swagger_dir: ./web/swagger # path to the dir with swagger ui swagger_path_template: ./api/handler/{{module}}.yaml # path to the swagger-{{module}}.yaml redirect_to_default_tenant: false # enable redirection to default tenant client_certificate_header: "" # default client http TLS certificate header name client_certificate_format_header: X-SSL-CERT-FORMAT # format of tls certificate injected as a header region: default # The name of the region in which this node is running # public path prefix for openbanking brazil endpoints obbr_base_paths: [] # external integrations configuration e.g. hubspot integrations: # hubspot configuration hubspot: enabled: false # enabled script_src: "" # script source # Google Analytics configuration google_analytics: enabled: false # enabled measurement_id: "" # measurement id # Google Custom Search JSON API configuration google_images: api_key: "" # Google Custom Search JSON API key cx: "" # The identifier of the Google Programmable Search Engine. rate_limiting_threshold: 0 # fine grained rate limiting threshold in number of requests per second # licensing configuration licensing: default_license_type: trial # DefaultLicenseType is the default license type for new tenants default_license_duration: 1440h0m0s # DefaultLicenseDuration is the default license duration for new tenants # sql encryption secret secrets: - id: "1" # secret id key: FmIQrzqf7dT57SjVH3g52SEVx45WH9pE # secret key # pbkdf2 secret hashing configuration hashing: number_of_iterations: 4096 # number of iterations key_length: 128 # key length salt: WuD0izLakS24Uyft65JP # salt (at least 8 characters) function: SHA-512 # SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512 # system tenant system: secret: n8HF35qzZkmsukHJzzz9LnN8m9Mf97uq # system client secret # limits limits: max_number_of_client_rotated_secrets: 1 # max number of client rotated secrets # send otp per address global limit send_otp_limit: enabled: true # enable rate limiter period: 1m0s # period rate: 2 # rate burst: 1 # max burst # limits for admin websocket notifications notifications: audit_event: 3s scope_grants: 3s batch_size: 1000 # brute force limits brute_force_limits: enabled: true mfa: max_attempts: 5 block_duration: 1m0s client_authentication: max_attempts: 5 block_duration: 1m0s device_handling: max_attempts: 5 block_duration: 1m0s identity_code_inspect: max_attempts: 5 block_duration: 1m0s identity_code_verify: max_attempts: 5 block_duration: 1m0s identity_change_password: max_attempts: 5 block_duration: 1m0s identity_confirm_password: max_attempts: 5 block_duration: 1m0s identity_verify_password: max_attempts: 5 block_duration: 1m0s identity_registration: max_attempts: 5 block_duration: 1m0s identity_set_credential: max_attempts: 5 block_duration: 1m0s identity_self_register: max_attempts: 5 block_duration: 1m0s identity_activate_self_registered: max_attempts: 5 block_duration: 1m0s identity_self_activation: max_attempts: 5 block_duration: 1m0s identity_self_change_password: max_attempts: 5 block_duration: 1m0s identity_authentication: max_attempts: 5 block_duration: 1m0s identity_address_verification: max_attempts: 5 block_duration: 1m0s # feature flags features: dev_mode: false # hot reloading of templates demo_app: false # demo app swagger_ui: false # swagger ui disable_embedded_sms_provider: false # disable embedded sms provider debug: false # enable additional debug logs block_non_vanity_domain_access: false # block access to a tenant's resources from traffic not originating from the tenant's vanity domain dedicated_faas: false # allow the usage of dedicated FaaS Rego/JS environments client_secrets_stored_as_one_way_hash: false # stores client secrets as one-way hashes admin_workspace_access: true # admin workspace access system_workspace_access: true # system workspace access insecure_disable_csrf: false # disable csrf insecure_token_exchange_public_clients: false # insecure token exchange public clients disable_audit_events: false # disable audit events cache_access_tokens: false # cache access tokens cdr_disable_unique_software_id: false # disable unique software id for CDR do_not_validate_cert_for_private_key_jwt: false # do not validate cert for private key jwt drop_tokens_on_password_reset: false # drop tokens on password reset initialize_demo_workspace: false # when enabled and the display_workspace_wizard feature flag is set to true, a demo workspace with a set of preconfigured IDPs is created and no welcome screen is displayed scope_transient_otp: false # scope transient_otp cloudentity_idp: false # Cloudentity IDP add_fake_tenant_url_to_login_request_for_non_default_routing: false # add fake tenantUrl to query params for routing other than default (needed for backward compatibility with CIP for vanity domains) rar: false # rich authorization requests connect_id: false # connectID profile identity_assurance: false # identity assurance connect_id_consent_page_face_lifting: false # connect ID consent page facelifting simple_api_integration: false # simple api integration openbanking_ksa: false # openbanking ksa workspace and security profile tree_dump_tenant: false # hierarchical dumps tenant APIs cdr_arrangement_cache: false # arrangement cache for CDR mark_address_as_verified_on_any_proof_of_possession: true # mark address as verified on any proof of possession of the address identity_pool_mfa: false # Identity Pool MFA cdr_amend_audit_event_with_previous_arrangement: false # add previous arrangement to CDR amend audit event saml_v2: false # Enable SAML V2 jit_permissions: false # Enforce JIT users roles scripts_runtime_versions: false # Scripts runtime versions admin_portal_face_lifting: false # Admin portal face lifting permissions: false # Permissions roles: false # Roles organizations: false # Organizations identifier_based_discovery: false # Identifier-based discovery self_service: false # Self-service # http client client: timeout: 5s # http client timeout retry_wait_min: 10ms # minimum time to wait between retries retry_wait_max: 100ms # maximum time to wait between retries retry_max: 2 # maximum number of retries root_ca: "" # file path to the root ca that this client should trust (defaults to system root ca) root_ca_pem: "" # PEM encoded root ca that this client should trust insecure_skip_verify: false # disable cert verification # client TLS configuration tls: certificate: "" # file path to the client certificate key: "" # file path to the client key certificate_pem: "" # client certificate PEM encoded key_pem: "" # client key PEM encoded disable_follow_redirects: false # disable follow redirects disable_retry: false # disable retry # sql client sql: url: postgres://root@crdb:26257/defaultdb?sslmode=disable # sql connection url type: "" # sql db type cockroachdb or postgresql # urls to replicas in master/slave mode replicas: [] max_open_conns: 8 # max number of open connection max_idle_conns: 0 # max number of idle connection # migrations configuration migrations: disable: false # disable migrations path: ./migrations # path to the migrations timeout: 1m0s # timeout for running migrations down: false # DANGEROUS run all migrations down (removes all data from the database) with_cockroachdb_enterprise: false # turn on cockroachdb enterprise features # garbage collection ttl per table (default 24h) gc: audit_events: 1h6m40s refresh_tokens: 1h6m40s cockroachdb_use_limit_ordering_for_streaming_group_by: false # enable optimizer_use_limit_ordering_for_streaming_group_by feature flag for cockroachdb available from version 22.2.3 # timescale client timescale: enabled: false # enable timescaledb url: postgres://postgres:password@timescale/acp?sslmode=disable # sql connection url # urls to replicas in master/slave mode replicas: [] max_open_conns: 8 # max number of open connection max_idle_conns: 0 # max number of idle connection # migrations configuration migrations: disable: false # disable migrations path: ./migrations/timescale # path to the migrations timeout: 1m0s # timeout for running migrations down: false # DANGEROUS run all migrations down (removes all data from the database) data_retention: 2160h0m0s # data retention duration # spicedb client for external permissions (permission systems) spicedb: enabled: false # enable spicedb dry_run: false # turn off enforcement url: spicedb:50051 # spicedb endpoint url token: secret # bearer token ca: "" # path to the root ca insecure_skip_verify: false # skip tls verification # spicedb client for internal permissions (roles) internal_spicedb: enabled: false # enable spicedb dry_run: false # turn off enforcement url: internal-spicedb:50051 # spicedb endpoint url token: secret # bearer token ca: "" # path to the root ca insecure_skip_verify: false # skip tls verification # redis client redis: id: redis # redis database id region: local # region id scan_count: 100 # Number of entries fetched using SCAN push_limit: 1024 # at-least-once delivery queue push limit number_of_workers: 8 # number of workers for stream handlers # Either a single address or a seed list of host:port addresses addrs: - 127.0.0.1:6379 db: 0 # Database to be selected after connecting to the server. master_name: "" # The sentinel master name. username: "" # username password: "" # password sentinel_password: "" # sentinel password max_retries: 3 # max retires min_retry_backoff: 8ms # min retry backoff max_retry_backoff: 512ms # max retry backoff dial_timeout: 5s # dial timeout read_timeout: 3s # read timeout write_timeout: 3s # write timeout pool_size: 0 # pool size min_idle_conns: 0 # min idle connections max_conn_age: 0s # max connection age pool_timeout: 4s # pool timeout idle_timeout: 5m0s # idle timeout idle_check_frequency: 1m0s # idle check frequency max_redirects: 3 # max redirects read_only: false # read only route_by_latency: false # route by latency route_randomly: false # route randomly # redis search indexes indexes: - name: tokens # redis search index name # redis search index prefixes prefix: - access_tokens - authorization_codes - device_codes - openid_tokens - pkce_sessions - refresh_tokens - authorize_requesters # redis search tags for index tags: - tenant_id - server_id - client_id - subject - token_type - collection - consent_id - consent_type - customer_id - sso_session_id - name: users # redis search index name # redis search index prefixes prefix: - users - user_identifiers - user_verified_addresses - user_codes # redis search tags for index tags: - tenant_id - pool_id - user_id - name: sessions # redis search index name # redis search index prefixes prefix: - sso_sessions # redis search tags for index tags: - tenant_id - server_id - subject - name: mfa_sessions # redis search index name # redis search index prefixes prefix: - mfa_sessions # redis search tags for index tags: - tenant_id - user_pool_id - user_id # redis streams configuration streams: max_length: 100000 # max length for streams max_ttl: 24h0m0s # max ttl for entries in streams trim_interval: 1m0s # trim max ttl interval disable_trim: false # disable trimming count: 128 # number of events to read from a stream block: 1s # duration until timeout handler_timeout: 30s # stream handler timeout stats_interval: 10s # streams stats interval # streams auto claim count auto_claim: interval: 1s # streams auto claim interval min_idle: 30s # streams auto claim min idle count: 100 # streams auto claim count sleep: 100ms # sleep between reads max_retries: 10 # max number of retries prefix: "" # redis stream name prefix auto_ack: false # automatically ack all messages when there is no error # etags configuration etag: duration: 1m0s # max duration to wait for confirmation size: 10000 # max size of confirmations queue # redis tls configuration tls: enabled: false # enable tls cert: "" # path to the public key cert PEM file key: "" # path to the private key PEM file ca: "" # path to the root ca PEM file insecure_skip_verify: false # skip host name verification max_backoff_retries: 5 # constant backoff max number of retries backoff_duration: 10ms # constant backoff duration # consumer group configuration - option to override global settings for a given consumer group consumer_groups: analytics: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 0 # count of messages in a singe batch, 0 for default size max_retries: -1 audit_logs_timescale: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 200 # count of messages in a singe batch, 0 for default size max_retries: -1 gateway: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 100 # count of messages in a singe batch, 0 for default size max_retries: 0 identity_cleanup: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 1 # count of messages in a singe batch, 0 for default size max_retries: 0 # optional local redis client (uses redis client configuration if addrs is empty) local_redis: id: local-redis # redis database id region: local # region id scan_count: 100 # Number of entries fetched using SCAN push_limit: 1024 # at-least-once delivery queue push limit number_of_workers: 8 # number of workers for stream handlers # Either a single address or a seed list of host:port addresses addrs: [] db: 0 # Database to be selected after connecting to the server. master_name: "" # The sentinel master name. username: "" # username password: "" # password sentinel_password: "" # sentinel password max_retries: 3 # max retires min_retry_backoff: 8ms # min retry backoff max_retry_backoff: 512ms # max retry backoff dial_timeout: 5s # dial timeout read_timeout: 3s # read timeout write_timeout: 3s # write timeout pool_size: 0 # pool size min_idle_conns: 0 # min idle connections max_conn_age: 0s # max connection age pool_timeout: 4s # pool timeout idle_timeout: 5m0s # idle timeout idle_check_frequency: 1m0s # idle check frequency max_redirects: 3 # max redirects read_only: false # read only route_by_latency: false # route by latency route_randomly: false # route randomly # redis search indexes indexes: - name: tokens # redis search index name # redis search index prefixes prefix: - access_tokens - authorization_codes - device_codes - openid_tokens - pkce_sessions - refresh_tokens - authorize_requesters # redis search tags for index tags: - tenant_id - server_id - client_id - subject - token_type - collection - consent_id - consent_type - customer_id - sso_session_id - name: users # redis search index name # redis search index prefixes prefix: - users - user_identifiers - user_verified_addresses - user_codes # redis search tags for index tags: - tenant_id - pool_id - user_id - name: sessions # redis search index name # redis search index prefixes prefix: - sso_sessions # redis search tags for index tags: - tenant_id - server_id - subject - name: mfa_sessions # redis search index name # redis search index prefixes prefix: - mfa_sessions # redis search tags for index tags: - tenant_id - user_pool_id - user_id # redis streams configuration streams: max_length: 100000 # max length for streams max_ttl: 24h0m0s # max ttl for entries in streams trim_interval: 1m0s # trim max ttl interval disable_trim: false # disable trimming count: 128 # number of events to read from a stream block: 1s # duration until timeout handler_timeout: 30s # stream handler timeout stats_interval: 10s # streams stats interval # streams auto claim count auto_claim: interval: 1s # streams auto claim interval min_idle: 30s # streams auto claim min idle count: 100 # streams auto claim count sleep: 100ms # sleep between reads max_retries: 10 # max number of retries prefix: "" # redis stream name prefix auto_ack: false # automatically ack all messages when there is no error # etags configuration etag: duration: 1m0s # max duration to wait for confirmation size: 10000 # max size of confirmations queue # redis tls configuration tls: enabled: false # enable tls cert: "" # path to the public key cert PEM file key: "" # path to the private key PEM file ca: "" # path to the root ca PEM file insecure_skip_verify: false # skip host name verification max_backoff_retries: 5 # constant backoff max number of retries backoff_duration: 10ms # constant backoff duration # consumer group configuration - option to override global settings for a given consumer group consumer_groups: analytics: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 0 # count of messages in a singe batch, 0 for default size max_retries: -1 audit_logs_timescale: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 200 # count of messages in a singe batch, 0 for default size max_retries: -1 gateway: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 100 # count of messages in a singe batch, 0 for default size max_retries: 0 identity_cleanup: timeout: 0s # timeout for all handlers in a given consumer group, 0 for default timeout batch_size: 1 # count of messages in a singe batch, 0 for default size max_retries: 0 # sql queue queue: disabled: false # disable queue worker pool tenant_id: "" # Limit sql queue handler to a single tenant count: 1 # number of pool workers limit: 10 # poll limit heartbeat_interval: 30s # heartbeat interval expiration_interval: 1m0s # expiration interval polling_interval: 1s # polling interval max_backoff: 10s # max backoff error_limit: 0.1 # error rate limit # storage config storage: # refresh tokens storage configuration refresh_tokens: enabled: true # enable storing refresh tokens in sql, stored in kv if false batch_limit: 1000 # refresh token batch delete limit # expired consents storage configuration consents: batch_limit: 1000 # expired consents batch delete limit # audit events strorage configuration audit_events: enabled: true # enable storing audit events in sql # audit events retention config retention: enabled: true # enable audit events retention global: true # when true, audit events retention is executed globally, not per tenant batch_limit: 1000 # audit events retention batch delete limit max_age: 168h0m0s # remove audit events older than max age # recurring jobs jobs: auditEventsRetention: tenant_id: system # tenant id id: auditEventsRetention # job id queue: execute_retention # queue name cron: 15 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload cdrExpiredArrangements: tenant_id: system # tenant id id: cdrExpiredArrangements # job id queue: openbanking_set_expired_cdr_arrangements # queue name cron: 0 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload cdrSyncRegisters: tenant_id: system # tenant id id: cdrSyncRegisters # job id queue: openbanking_cdr_sync_registers # queue name cron: '*/4 * * * *' # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload cibaSimulatorExpiredAuthentications: tenant_id: system # tenant id id: cibaSimulatorExpiredAuthentications # job id queue: ciba_simulator_remove_expired_authentications # queue name cron: '*/1 * * * *' # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload expiredTokens: tenant_id: system # tenant id id: expiredTokens # job id queue: remove_expired_refresh_tokens # queue name cron: 0 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload fdxExpiredConsents: tenant_id: system # tenant id id: fdxExpiredConsents # job id queue: openbanking_set_expired_fdx_consents # queue name cron: 0 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload identityStats: tenant_id: system # tenant id id: identityStats # job id queue: identity_stats # queue name cron: 45 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload openbankingExpiredConsents: tenant_id: system # tenant id id: openbankingExpiredConsents # job id queue: openbanking_remove_expired_consents # queue name cron: 0 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload openbankingOrphanedConsents: tenant_id: system # tenant id id: openbankingOrphanedConsents # job id queue: openbanking_remove_orphaned_consents # queue name cron: 0 * * * * # cron expression # next execution time scheduled_at: {} # job starting from starting_from: {} paused: false # is paused payload: null # payload # lru cache cache: redis_ttl: 10m0s local_ttl: 1m0s local_max_size: 1000 locks: 256 disabled: false # stats cache stats: redis_ttl: 1m0s local_ttl: 10s local_max_size: 1000 locks: 0 disabled: false # themes cache themes_cache: redis_ttl: 1h0m0s local_ttl: 10m0s local_max_size: 100 locks: 0 disabled: false # demo apps demo: client: root_ca: /certs/ca.pem cert: /certs/cid2/cert.pem key: /certs/cid2/cert-key.pem client_id: cid2 client_secret: xYA0YnXldHNNjgWBjXGr5xBzIjf8PW-jXWkdZZ_l0WB scopes: - introspect_openbanking_tokens directory: redirect_uris: - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponseByValueMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmByValueMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponsePushedMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmPushedMtlsPaymentsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponseByValueMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmByValueMtlsAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmByValueMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponsePushedMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmPushedMtlsAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmPushedMtlsAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtAccountsObbrDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmByValuePrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponseByValuePrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponsePushedPrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmPushedPrivateKeyJwtOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponseByValueMtlsOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponseByValueMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmByValueMtlsOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmByValueMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/PlainResponsePushedMtlsOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/PlainResponsePushedMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://fapi-test:8444/test/a/JarmPushedMtlsOpinDcrFapiTests/callback - https://fapi-test:8444/test/a/JarmPushedMtlsOpinDcrFapiTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmByValueMtlsDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmByValueMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponseByValueMtlsDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponseByValueMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmPushedMtlsDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmPushedMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponsePushedMtlsDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponsePushedMtlsDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmByValueMtlsWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmByValueMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponseByValueMtlsWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponseByValueMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmPushedMtlsWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmPushedMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponsePushedMtlsWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponsePushedMtlsWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests/callback - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests/callback?dummy1=lorem&dummy2=ipsum - https://obbr-test:8445/test/a/PlainResponsePushedPrivateKeyJwtAutomaticPaymentsWebhookObbrTests/callback webhook_hosts: - https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValuePrivateKeyJwtWithoutBrowserWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/JarmByValueMtlsWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValueMtlsWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/JarmPushedMtlsWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/PlainResponsePushedMtlsWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/JarmByValuePrivateKeyJwtWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/PlainResponseByValuePrivateKeyJwtWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/JarmPushedPrivateKeyJwtWebhookDcrObbrTests - https://obbr-test-mtls:8445/test-mtls/a/PlainResponsePushedPrivateKeyJwtWebhookDcrObbrTests # faas provider faas: provider: "" # Available node executor env versions (sorted from oldest to the newest). node_env_versions: - version: "4" # Environment version valid_until: "" # Nodejs package json package_json: # NodeJS dependencies dependencies: async: 3.2.3 async-lock: 1.4.0 aws-sdk: 2.1404.0 axios: 0.25.0 axios-retry: 3.8.0 body-parser: 1.19.2 chalk: 5.0.0 co: 4.6.0 debug: 4.3.3 express: 4.17.3 express-timeout-handler: ^2.2.2 graphql: 16.8.1 immutable: 4.0.0 invariant: 2.2.4 js-yaml: 4.1.0 jsonwebtoken: 8.5.1 ldapjs: 2.3.1 lodash: 4.17.21 log4js: 6.4.1 lru_map: 0.4.1 minimist: 1.2.6 mongodb: 5.9.2 mongoose: 7.6.8 morgan: 1.10.0 mysql: 2.18.1 mz: 2.7.0 node-fetch: 3.3.2 qs: 6.10.3 ramda: 0.28.0 request: 2.88.2 request-promise-native: 1.0.9 rxjs: 7.5.4 uglify-js: 3.15.1 underscore: 1.13.2 uuid: 8.3.2 validator: 13.7.0 ws: 8.5.0 xml2js: 0.5.0 # NodeJS engine version engines: node: v16 # NodeJS engine version - version: "5" # Environment version valid_until: "" # Nodejs package json package_json: # NodeJS dependencies dependencies: async: 3.2.5 async-lock: 1.4.1 aws-sdk: 2.1541.0 axios: 1.6.5 axios-retry: 4.0.0 body-parser: 1.20.2 chalk: 5.3.0 co: 4.6.0 debug: 4.3.4 express: 4.18.2 express-timeout-handler: 2.2.2 graphql: 16.8.1 immutable: 4.3.4 invariant: 2.2.4 js-yaml: 4.1.0 jsonwebtoken: 9.0.2 ldapjs: 3.0.7 lodash: 4.17.21 log4js: 6.9.1 lru_map: 0.4.1 minimist: 1.2.8 mongodb: 6.3.0 mongoose: 8.1.0 morgan: 1.10.0 mysql: 2.18.1 mz: 2.7.0 node-fetch: 3.3.2 qs: 6.11.2 ramda: 0.29.1 rxjs: 7.8.1 uglify-js: 3.17.4 underscore: 1.13.6 uuid: 9.0.1 validator: 13.11.0 ws: 8.16.0 xml2js: 0.6.2 # NodeJS engine version engines: node: v18 # NodeJS engine version # Available rego executor env versions (sorted from oldest to the newest). rego_env_versions: - version: "5" # Environment version valid_until: "" package_json: null # Nodejs package json # fission function as a service provider fission: namespace: acp-faas # Kubernetes namespace where functions should be created # Runtime configuration for runtime v1 envs: js: nodejs # Name of the fission environment for JS rego: rego # Name of the fission environment for Rego # Runtime configuration for runtime v2 envs_v2: js: nodejs-v2 # Name of the fission environment for JS rego: rego-v2 # Name of the fission environment for Rego url: http://router.fission # URL to the fission router max_backoff_retries: 3 # Max backoff retries in case of 404 error package_template: |- # k8s package template apiVersion: fission.io/v1 kind: Package metadata: name: {{ .ID }} namespace: {{ .Namespace }} spec: deployment: literal: {{ .Base64EncodedBody }} type: literal environment: name: {{ .Env }} namespace: {{ .Namespace }} status: buildstatus: succeeded function_template: |- # k8s function template apiVersion: fission.io/v1 kind: Function metadata: name: {{ .ID }} namespace: {{ .Namespace }} spec: InvokeStrategy: ExecutionStrategy: ExecutorType: poolmgr SpecializationTimeout: 30 StrategyType: execution concurrency: {{ .MaxPodsCount }} requestsPerPod: {{ .MaxRequestsPerPod }} environment: name: {{ .Env }} namespace: {{ .Namespace }} functionTimeout: {{ .ExecutionTimeout }} idletimeout: {{ .IdleTimeout }} package: packageref: name: {{ .ID }} namespace: {{ .Namespace }} resourceversion: "{{ .ResourceVersion }}" # kube config kube: timeout: 0s kubeconfig: "" max_pod_age: 0s # max pod age - set 0 to unlimited # function settings function_settings: execution_timeout: 30s # max function execution time idle_timeout: 1m0s # max function idle duration max_pods_count: 2 # maximum pod count number max_requests_per_pod: 5000 # maximum numer of requests per pod # fission resource watcher configuration resource_watcher: interval: 1m0s # how often check for aged resources timeout: 10s # check timeout # docker function as a service provider docker: node_url: http://node-env:8888 rego_url: http://rego-env:8888 shared_node_url: http://node-env:8888 shared_rego_url: http://rego-env:8888 # opentelemetry configuration otel: service_name: acp # service name exporter: jaeger # opentelemetry exporter (jaeger or otlp) # enabled propagators (b3, baggage, tracecontext, ottrace, jaeger) propagators: - jaeger # jaeger opentelemetry exporter jaeger: agent_host: localhost # agent host agent_port: "6831" # agent port header: uber-trace-id # header name # opentelemetry protocol exporter otlp: endpoint: localhost:4318 # otlp endpoint path: /v1/traces # otlp path root_ca: "" # otlp root ca # additional headers headers: {} insecure_skip_verify: false # disable cert verification insecure_http: false # use http instead of https # consul client https://github.com/hashicorp/consul/blob/master/api/api.go consul: address: 127.0.0.1:8500 scheme: http pathprefix: "" datacenter: "" transport: null httpclient: null httpauth: null waittime: 0s token: "" tokenfile: "" namespace: "" partition: "" tlsconfig: address: "" cafile: "" capath: "" capem: [] certfile: "" certpem: [] keyfile: "" keypem: [] insecureskipverify: false # vault client vault: address: "" # Address is the address of the Vault server. agent_address: "" # AgentAddress is the address of the local Vault agent. max_retries: 0 # MaxRetries controls the maximum number of times to retry when a 5xx error occurs. timeout: 0s # Timeout is for setting custom timeout parameter in the HttpClient token: "" # Access token # TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault. tls: cacert: "" cacertbytes: [] capath: "" clientcert: "" clientkey: "" tlsservername: "" insecure: false # Authentication auth: approle: roleid: "" secretid: "" # embedded smtp gateway configuration email: from: Cloudentity # From address username: "" # Username password: "" # Password auth: PLAIN host: smtp.gmail.com # SMTP server host port: 25 # SMTP server port timeout: 10s # Timeout start_tls: false # Send an email over TLS using STARTTLS insecure_skip_verify: false # Skip TLS cert verification # embedded twilio gateway configuration sms: from: Cloudentity # From number sid: "" # The Twilio Account SID auth_token: "" # The Twilio Auth Token # messaging config messaging: # email templates emails: # verify otp otp: subject: OTP # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: Dear Customer, [[otp]] is your single-use verification code. # Text template used if tile template is not set message_template: | # Default message template We've received a OTP Code request. [[otp]] Here is the OTP code that you have requested. # Email's attachments attachments: [] # activate account with code activate_account_with_code: subject: Account activation # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: "" # Text template used if tile template is not set message_template: | # Default message template Excellent! Your account is almost ready. Enter the code below on the account activation page to activate you account. [[code]] # Email's attachments attachments: [] # activate account with link activate_account_with_link: subject: Account activation # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: "" # Text template used if tile template is not set message_template: | # Default message template Excellent! Your account is almost ready. Just one more step to access it Activate account Alternatively, copy this link and follow it in your browser [[link]] # Email's attachments attachments: [] # reset credentials with code reset_credentials_with_code: subject: Credentials reset # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: "" # Text template used if tile template is not set message_template: | # Default message template Credentials reset We've received a request to reset your credentials. Your credentials reset code is: [[code]] # Email's attachments attachments: [] # reset credentials with link reset_credentials_with_link: subject: Credentials reset # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: "" # Text template used if tile template is not set message_template: | # Default message template Credentials reset We've received a request to reset your credentials. Reset credentials Alternatively, copy this link and follow it in your browser [[link]] # Email's attachments attachments: [] # identifier used identifier_used: subject: Account already exists # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: "" # Text template used if tile template is not set message_template: | # Default message template Account already exists The email you provided is already registered with an account. # Email's attachments attachments: [] # address verification with link address_verification_with_link: subject: Address verification # Email's subject file_template: ./web/emails/ce.html # Path to the file template text_template: "" # Text template used if tile template is not set message_template: | # Default message template Address verification We've received a request to verify your address. Verify address Alternatively, copy this link and follow it in your browser [[link]] # Email's attachments attachments: [] # sms templates smses: # verify otp otp: message_template: Dear Customer, [[otp]] is your single-use verification code. # Message template # activate account with code activate_account_with_code: message_template: Dear Customer, use [[code]] to activate your account. # Message template # activate account with code activate_account_with_link: message_template: 'Dear Customer, use the link to activate your account: [[link]]' # Message template # reset credentials with code reset_credentials_with_code: message_template: Dear Customer, use [[code]] to reset your credentials. # Message template # reset credentials with code reset_credentials_with_link: message_template: 'Dear Customer, use the link to reset your credentials: [[link]]' # Message template # identifier used identifier_used: message_template: Dear Customer, this number is associated with an existing account. # Message template # address verification with link address_verification_with_link: message_template: 'Dear Customer, use the link to verify your address: [[link]]' # Message template # embedded IDPs embedded_idps: cookie_domain: "" # cookie domain # github idp github: client_id: "" # client id client_secret: "" # client secret # google idp google: client_id: "" # client id client_secret: "" # client secret # global rate limits rate_limits: oauth2: enabled: false # enable rate limiter period: 1m0s # period rate: 60 # rate burst: 10 # max burst # rate limits cache rate_limits_cache: redis_ttl: 1h0m0s local_ttl: 10m0s local_max_size: 1000 locks: 0 disabled: false # token exchange verifier token_exchange_verifier: idp_client_timeout: 5s # http client timeout when calling IDP endpoints # subject config subject: default_format: legacy # subject default format for new workspaces # identity pools captcha configuration captcha: enabled: false site_key: 6LdPYcYeAAAAAF5f6K9Pv5jkPEDFsOtfkwxP2a5k secret_key: 6LdPYcYeAAAAACiRY1ZG2iSPsHXOhYSaqTO_Ycqz whitelist: [] # Limits for asynchronous delete of Identity Pools async_delete_identity_pool: delete_users_batch_size: 100 delete_users_iterations_count: 30 create_tenant_with_default_admin_identity_pool: true # Default Admin Identity Pool IDP for new tenant