# The issuer url to be used. MUST point to this server
issuer: "https://mytoken.example.com"
# Details about the service operator. Will be displayed in the privacy page.
service_operator:
# The name of the service operator
name: "Example Foundation"
homepage: "https://example.com"
# An email address where users can contact the service operator. It is recommend to use a email list for this
mail_contact: "mytoken@example.com"
# A dedicated email address for privacy related topics can be given. If you do not have a dedicated mail for privacy, it can be omitted.
mail_privacy: "mytoken-privacy@example.com"
# Configuration for the mytoken server
server:
# If TLS is not enabled, mytoken will listen on this port, default: 8000
port: 8000
tls:
# Unless false TLS is enabled if 'cert' and 'key' are given
enabled: true
# Unless false port 80 is redirected to 443
redirect_http: true
# The TLS certificate file
cert:
# The TLS certificate key file
key:
# If behind a load balancer or reverse proxy, set this option. Mytoken will read the client's ip address from this header.
# proxy_header: "X-FORWARDED-FOR"
# Configure the request limits (these are per IP)
request_limits:
# Unless false request limits are enabled
enabled: true
# The number of requests that are allowed within the specified time window, e.g. 10/1s 100/5min 1000/1h
max_requests: 100
# The time window in which the maximum number of requests is allowed, i.e. the quota is reseted after this time.
# The time is given in seconds.
window: 300
# Use the list to exclude hosts from the request limit. You can specify single IP addresses as well as subnets.
always_allow:
- "127.0.0.1"
# The database file for ip geo location. Will be installed by setup to this location.
geo_ip_db_file: "/IP2LOCATION-LITE-DB1.IPV6.BIN"
# Configuration of the mytoken API
api:
# Mytoken can support multiple api versions at the same time; this is the minimal version that is supported; older version won't be supported. Currently only 0 is supported.
min_supported_version: 0
# Configuration for the database
database:
hosts:
- "localhost"
user: "mytoken"
password: "mytoken"
# Read the db password from this file
password_file:
db: "mytoken"
# The interval (in seconds) in which mytoken tries to reconnect to db nodes that are down
try_reconnect_interval: 60
# Configuration for token signing
signing:
# The used algorithm
alg: "ES512"
# The file with the signing key
key_file: "/mytoken.key"
# If an RSA-based algorithm is used, this is the key len. Only needed when generating a new rsa key.
rsa_key_len: 2048
# Configuration for logging
logging:
# The web server access logs
access:
# The directory where the log file should be placed
dir: "/var/log/mytoken"
# Indicates if mytoken should log additionally to stderr
stderr: false
# The mytoken internal logs
internal:
# The directory where the log file should be placed
dir: "/var/log/mytoken"
# Indicates if mytoken should log additionally to stderr
stderr: false
# The minimal log level that should be logged
level: "error"
# URL with documentation about the service
service_documentation: "https://mytoken-docs.data.kit.edu/"
# Configuration and enabling/disabling for different features
features:
# The supported oidc flows
oidc_flows:
- "authorization_code" # Always enabled
# Specify restriction keys to disable support for them; on default all restriction keys are supported.
unsupported_restrictions:
# - nbf
# - exp
# - scope
# - audience
# - ip
# - geoip_allow
# - geoip_disallow
# - usages_AT
# - usages_other
# Revocation for tokens issued by mytoken. Only disable this if you have good reasons for it.
token_revocation:
enabled: true
# Endpoint to obtain different information about mytokens issued by this instance.
tokeninfo:
# Basic mytoken introspection (token-content useful when using short mytokens). Also gives information about validity and how often the token was used before.
# Must be enabled for usage with the web interface.
introspect:
enabled: true
# If enabled allows to query the tokeninfo endpoint to obtain the history of events for a given mytoken
event_history:
enabled: true
# If enabled allows to query the tokeninfo endpoint for a list (tree) of all subtokens for a given mytoken
subtoken_tree:
enabled: true
# If enabled allows a user to query the tokeninfo endpoint for a list of all its mytokens (the mytoken itself won't be returned)
list_mytokens:
enabled: true
# Support for short mytokens
short_tokens:
enabled: true
len: 64 # Default 64, min 32
# Support for transfer codes for mytokens; transfer codes have the same len as polling codes and expire after the same time
transfer_codes:
enabled: true
# Support for polling codes that are used by native applications. Only disable this if you have good reasons for it.
polling_codes:
enabled: true
len: 8 # Default 8, max 64, MUST be different from short_tokens len
expires_after: 300 # The time in seconds how long a polling code can be used
polling_interval: 5 # The interval in seconds the native application should wait between two polling attempts
# Support for rotation mytokens; users can enable rotation/disable rotation for their mytokens; if enabled a new mytoken will be returned after each usages and old mytokens can no longer be used.
token_rotation:
enabled: true
# Support for the access_token grant, i.e. a user can use an AT to obtain an ST.
access_token_grant:
enabled: true
# Support for the private_key_jwt grant, i.e. a user can use an signed jwt to obtain an ST.
signed_jwt_grant:
enabled: true
# Provides a web interface for in browser usage
web_interface:
enabled: true
# The list of supported providers
providers:
- issuer: "https://example.provider.com/"
name: "Example provider"
client_id: "clientid"
client_secret: "clientsecret"
scopes:
- openid
- profile
# Maximum lifetime for mytokens for this issuer, given in seconds. On default the lifetime of mytokens is not restricted.
# Setting this value to 0, means that there is no maximum lifetime.
mytokens_max_lifetime: 0