# OIDC AuthN Resolver Plugin — example operator configuration.
#
# Reference docs:
# - DESIGN.md §3.2 (component configuration tables, authoritative defaults)
# - DESIGN.md §3.6 (reliability architecture)
# - PRD.md §5.6 (resilience & timeouts functional requirements)
#
# YAML key paths match the dotted paths documented in DESIGN.md component
# tables (e.g. `jwt.claim_mapping.subject_tenant_id`, `circuit_breaker.enabled`).
# Durations use humantime format: "100ms", "5s", "30s", "1h", "24h".
#
# Defaults shown match DESIGN.md; tune per deployment.
# =============================================================================
# JWT validation & claim mapping (Token Validator + Claim Mapper components)
# =============================================================================
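jwt:
  # NOTE(review): the rendered copy had lost all indentation; the nesting below
  # is reconstructed — verify the placement of `required_claims` and
  # `first_party_clients` against the component tables in DESIGN.md §3.2.
  #
  # Asymmetric algorithms only. Do not add HMAC (HS*) algorithms here: the
  # verification keys come from the issuer's JWKS, and accepting a symmetric
  # algorithm next to public keys is the classic key-confusion setup.
  supported_algorithms: ["RS256", "ES256"]  # `none` is always rejected
  clock_skew_leeway: 60s  # tolerated drift for `exp`/`iat`; hard cap 300s
  # false = tokens with no `aud` claim are accepted (DESIGN.md default). In
  # production set this to true: otherwise a token minted by a trusted issuer
  # for a *different* service that happens to omit `aud` is also valid here.
  require_audience: false
  # `*` is a substring wildcard (only wildcard supported). Prefer exact values
  # and keep wildcard entries to a minimum: whether `*` is bounded at `/` or `.`
  # is not documented here, so a loose pattern may match an attacker-chosen
  # audience that merely contains the suffix — TODO confirm the matching rule.
  expected_audience:
    - "https://api.example.com"
    - "https://*.api.example.com"
  # Ordered allowlist — first matching entry wins. Each entry MUST define
  # exactly one of `issuer` (exact match) or `issuer_pattern` (regex).
  # `discovery_url` is optional; when omitted the matched token `iss` is used.
  # `{issuer}` inside `discovery_url` is replaced with the actual `iss` after matching.
  #
  # Because the token's `iss` becomes the discovery URL, every `issuer_pattern`
  # MUST stay anchored (`^…$`) and pin the scheme and host. A loose pattern
  # lets an attacker-controlled `iss` steer discovery to an arbitrary URL (SSRF)
  # and have the JWKS found there trusted. `[^/]+` keeps the realm segment from
  # smuggling extra path components.
  trusted_issuers:
    - issuer_pattern: '^https://keycloak\.base\.url/realms/[^/]+$'
      discovery_url: "{issuer}"
    - issuer: "https://idp.corp.example.com"
  # Claim name mapping — translates IdP-specific JWT claims to SecurityContext fields.
  claim_mapping:
    subject_id: "sub"  # parsed as UUID; non-UUID values rejected
    subject_tenant_id: "tenant_id"  # REQUIRED — tokens missing this claim are rejected
    subject_type: "sub_type"  # optional; omit to leave SecurityContext.subject_type = None
    token_scopes: "scope"  # split on spaces
  required_claims: []  # extra claims that MUST be present beyond subject_id/tenant_id
  # Clients that receive `["*"]` scope regardless of token scopes — i.e. scope
  # checks are bypassed entirely for these client IDs. Keep the list minimal:
  # any issuer in `trusted_issuers` can mint a token carrying one of these IDs,
  # so the IDs must be reserved for first-party use at every trusted IdP. Which
  # claim supplies the client ID is not shown here (presumably `azp` or
  # `client_id`) — confirm against DESIGN.md.
  first_party_clients:
    - "platform-portal"
    - "platform-cli"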
# =============================================================================
# Caches (OIDC Discovery component)
# =============================================================================
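discovery_cache:
  ttl: 1h
  # LRU eviction on overflow. Size this above the number of distinct issuers
  # you expect — every Keycloak realm matched by `jwt.trusted_issuers[].issuer_pattern`
  # is its own entry — or the cache thrashes and validations turn into repeated
  # outbound discovery calls. Note that a token whose `iss` merely matches the
  # pattern triggers a fetch before it can be verified, so unauthenticated
  # traffic can evict live entries; another reason to keep the pattern tight.
  max_entries: 10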
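jwks_cache:
  ttl: 1h  # fresh window
  # Served only while the IdP is unreachable; 0 disables stale-while-revalidate.
  # Security trade-off: during an outage a key the IdP has already rotated out
  # (or revoked) keeps verifying tokens for up to this long. 24h favours
  # availability; shorten it if key compromise is the bigger concern.
  stale_ttl: 24h
  max_entries: 10
  # Force refresh when the token `kid` is not in cache (key rotation).
  refresh_on_unknown_kid: true
  # Per-issuer DoS guard; single in-flight refresh per issuer. Together with
  # `refresh_on_unknown_kid` this caps what a flood of tokens carrying bogus
  # `kid` values can cost: one JWKS fetch per issuer per interval. Tokens that
  # miss during the interval are presumably rejected rather than queued —
  # confirm before relying on this for rotation cut-over timing.
  refresh_min_interval: 30s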
# =============================================================================
# Outbound HTTP resilience (applies to discovery, JWKS, S2S token endpoint)
# HTTP Client + Retry Policy + Circuit Breaker components.
# =============================================================================
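http_client:
  request_timeout: 5s  # per attempt; replaces the former `discovery_timeout`
  retry_policy:
    # Retries AFTER the initial call — i.e. up to 4 HTTP requests; 0 disables retries.
    max_attempts: 3
    initial_backoff: 100ms  # doubles each retry (exponential)
    max_backoff: 2s  # upper bound on the computed backoff per retry
    jitter: true  # full jitter in [0, computed_backoff] — false = wait exactly computed_backoff
  # Retryable: connection errors (DNS, refused, TLS, reset), HTTP 5xx, HTTP 429 (Retry-After honored)
  # NOT retried: request timeout, HTTP 4xx other than 429, 2xx with unparseable body.
  # Retries run INSIDE each circuit-breaker call — one logical operation = one breaker attempt.
  #
  # Worst-case wall time for one logical operation is bounded by
  # (1 + max_attempts) × request_timeout plus the summed backoff — with these
  # values ≈ 4 × 5s + 0.1s + 0.2s + 0.4s ≈ 20.7s. Size it against the latency
  # budget of the request paths that block on it (token validation on a JWKS
  # miss, S2S token acquisition). Whether an honored `Retry-After` is clamped
  # to `max_backoff` is not stated here — confirm, since a large header value
  # from a misbehaving IdP would otherwise stall callers.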
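circuit_breaker:
  # Global toggle; `false` = pass-through for every host (retry + timeout still
  # apply). Disabling it means one unreachable IdP can hold every request that
  # needs its keys for the full retry budget — keep it on in production.
  enabled: true
  # Consecutive failures PER HOST before that host's breaker opens. One
  # "failure" is a whole logical operation (initial call + retries), not a
  # single HTTP attempt.
  failure_threshold: 5
  reset_timeout: 30s  # duration before a host's breaker transitions Open → Half-Open
  # Keying is per outbound HTTP host — one trip affects only calls to the failing host.
  # Other hosts (e.g. a healthy alternate IdP) remain fully operational.
  # While a breaker is open, operations needing a fresh fetch from that host
  # fail fast; presumably keys already in `jwks_cache` (fresh or stale) keep
  # verifying tokens in the meantime — confirm in DESIGN.md §3.6.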
# =============================================================================
# Service-to-service client credentials exchange (background tasks)
# Token Client (S2S) component.
# =============================================================================
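s2s_oauth:
  # MUST yield an `issuer` present in `jwt.trusted_issuers`; this example points
  # at the exact-match issuer configured there. (The previous example value
  # `https://idp.example.com` matched neither allowlist entry and would have
  # failed that check.)
  discovery_url: "https://idp.corp.example.com"
  # Optional — falls back to top-level `jwt.claim_mapping` when unset.
  # claim_mapping:
  #   subject_id: "azp"
  #   subject_tenant_id: "tenant_id"
  # Fallback `subject_type` when the S2S token lacks the claim (common with
  # client_credentials tokens). NOTE(review): this labels a service identity
  # with a *user* subject type — confirm that is intended rather than a
  # service/client type, since downstream authorization may treat users
  # differently from services.
  default_subject_type: "gts.cf.core.security.subject_user.v1~"
  # Client credentials for the exchange are not shown in this example. Supply
  # them from a secret store or the environment; never commit them alongside
  # this file.
  token_cache:
    ttl: 300s  # TTL is min(expires_in, this value)
    max_entries: 100  # LRU eviction on overflow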