1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
# (Mandatory)
#
# Set AuthType
#AuthType oauth2
# (Optional)
#
# Configures a symmetric encryption key for cache values.
# When not defined, the passphrase will be auto-generated which means it does not survive restarts.
#
#OAuth2CryptoPassphrase <string>
#
# (Optional)
#
# Configures a cache.
# Note that this directive must be defined before any OAuth2TokenVerify directive that uses it.
#
# type shm|file|redis|memcache cache backend type for access token validation results, default is shm
# options <options> cache backend specific options in query encoded format, see Cache Options
# e.g name=myname&password=mypassword&encrypt=false
#
#OAuth2Cache <type> [<options-in-query-encoded-format>]
#
#
# OAuth2Cache Options:
#
# <name> <value> (default) <description>
#
# generic:
#
# name <string> (default) the name of the (named) cache to refer to from e.g. OAuth2TokenVerify
# key_hash_algo <string> (sha256) hash algorithm for the cache key (or "none")
# encrypt true|false (true) encrypt the cache value (default is "false" for the shm cache backend)
# passphrase_hash_algo <string> (sha256) hash algorithm to apply to the passphrase before using it as an encryption key
#
# shm:
#
# max_key_size <number> (65) maximum size of the cache key in bytes (see also: key_hash_algo)
# max_val_size <number> (8193) maximum size of a single cache value
# max_entries <number> (1000) maximum number of entries in the cache (FIFO policy, overruns will result in a warning in the log)
#
# file:
#
# dir <path> (/tmp or C:\\Temp) cache file directory
# clean_interval <seconds> (60) minimum interval to loop over the cache directories looking to delete expired entries
#
# memcache:
#
# config_string <string> (--SERVER=localhost) memcached specific server configuration string, see: https://www.systutorials.com/docs/linux/man/3-memcached/
#
# redis:
#
# host <string> (localhost) Redis server hostname
# port <number> (6379) Redis servver port
# username <string> (<no authentication>) username used to authenticate to the Redis server
# password <string> (<no authentication>) password used to authenticate to the Redis server
#
# Set token verification method and options.
#
# This primitive can be used multiple times in which case the access token will be verified in
# order - according to each consecutive primitive - until it validates or reaches the end of the list.
# See below for a detailed list of (fine-grained) configuration options.
#
#OAuth2TokenVerify <type> <value> [<options-in-query-encoded-format>]
#
# Samples:
#
# OAuth2TokenVerify introspect https://pingfed:9031/as/introspect.oauth2 introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate
# OAuth2TokenVerify jwks_uri https://pingfed:9031/ext/one jwks_uri.ssl_verify=false
#
# Types:
#
# <type> <value> <description> <options> (provided in query-encoded format)
#
# introspect <url> RFC7662 introspection URL introspect.ssl_verify, introspect.auth, introspect.cache, introspect.expiry, introspect.token_param_name,
# introspect.params, type, introspect.http_retries, introspect.http_retry_interval
# jwks_uri <url> JWKS URI that serves the public keys jwks_uri.ssl_verify, jwks_uri.cache, jwks_uri.expiry, type, jwks_uri.http_retries,
# jwks_uri.http_retry_interval,
# verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
# jwk <json> JWK JSON representation of a symmetric kid (overrides kid in JWK), verify.iss, verify.exp, verify.iat, type,
# key or a public key verify.iat.slack_before, verify.iat.slack_after
# metadata <url> RFC8414 Authorization Server Metadata metadata.ssl_verify, introspect.*, jwks_uri.*
# URL that contains a JWKs URI in jwks_uri
# plain <string> symmetric key (password) in plain text kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
# base64 <string> base64-encoded symmetric key kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
# base64url <string> base64url-encoded symmetric key kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
# hex <string> hex-encoded symmetric key kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
# pem <string> PEM formatted X.509 certificate kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
# that contains an RSA public key
# pubkey <string> PEM formatted RSA public key kid, verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after, type
# eckey_uri <url> URL on wich the Elliptic Curve key is eckey_uri.ssl_verify, eckey_uri.cache, eckey_uri.expiry,
# published as a PEM (Amazon ALB specific) verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
# aws_alb <string> ALB ARN alb_base_url, aws_alb.ssl_verify, aws_alb.auth, aws_alb.cache, aws_alb.expiry
# verify.iss, verify.exp, verify.iat, verify.iat.slack_before, verify.iat.slack_after
#
# OAuth2TokenVerify Options:
#
# <name> <value> <description>
#
# kid <string> JWK kid value to be found in JWT header
# verify.iss skip|optional|required how to validate the "iss" claim in the JWT: skip it, verify if present, require claim to be present and validate
# verify.exp skip|optional|required how to validate the "exp" claim in the JWT: skip it, verify if present, require claim to be present and validate
# verify.iat skip|optional|required how to validate the "iat" claim in the JWT: skip it, verify if present, require claim to be present and validate
# verify.iat.slack_before <number> acceptable clock drift in seconds for the "iat" claim: anything issued before now-number will be rejected
# verify.iat.slack_after <number> acceptable clock drift in seconds for the "iat" claim: anything issued after now+number will be rejected
# type [mtls|dpop] type of proof of possession, mtls.policy=[optional|required]
# verify.cache <string> cache backend name for access token validation results,
# default is "default", otherwise must refer to a named cache defined with OAuth2Cache
# expiry <number> cache expiry in seconds for access token validation results
# introspect.auth <auth> endpoint authentication, see Authentication Options
# introspect.token_param_name <string> name of the parameter in which the access token is sent, if is not the default "token"
# introspect.params <form-encoded-string> form-encoded extra POST parameters sent to the introspectoin endpoint e.g. key1%3Done%26key2%3Dtwo
# *.ssl_verify true|false verify the TLS certificate presented on the configured HTTPs URL
# *.cache <string> [introspect|jwks_uri|eckey_uri|aws_alb] cache backend name for content resolved from a URI
# default is "default", otherwise must refer to a named cache defined with OAuth2Cache
# *.expiry <number> [introspect|jwks_uri|eckey_uri|aws_alb] cache expiry for content resolved from a URI
# *.http_retries <number> [introspect|jwks_uri|eckey_uri|aws_alb] number of HTTP retries towards the endpoint
# *.http_retry_interval <number> [introspect|jwks_uri|eckey_uri|aws_alb] interval in milliseconds between HTTP retries towards the endpoint
#
# Authentication Options:
#
# <value> <options> <description>
#
# none no authentication towards the endpoint is used
# client_secret_basic client_id, client_secret OIDC client secret basic authentication, URL-encoded values in HTTP Basic Authentication
# client_secret_post client_id, client_secret OIDC client secret post based authentication, values in HTTP POST parameters
# client_secret_jwt client_id, client_secret, aud OIDC client secret JWT, providing a symmetric key in the client_secret value
# private_key_jwt client_id, jwk, aud OIDC private key JWT, providing a JWK in escaped JSON string representation
# client_cert cert, key TLS Client Certificate authentication, providing paths to PEM-formatted files
# basic username,password HTTP basic authentication
#
# (Optional)
#
# Configures in which format access tokens can be presented. Can be provided multiple times.
#
# <type> <options> <description>
#
# environment name=<string> retrieve from environment variable <name>
# header name=<string>&type=<string> retrieve from header <name> using separator <type> (default="bearer")
# query name=<string> retrieve from query parameter <name>
# post name=<string> retrieve from HTTP form post parameter <name>
# cookie name=<string> retrieve from cookie <name>
# basic retrieve from basic authentication header password value
#
#OAuth2AcceptTokenIn <type> [<options-in-query-encoded-format>]
# (Optional)
#
# Configures in which format claims and informations from the token validation results are passed to the target application.
#
# <option name> <option value> (default) <description>
#
# envvars On|Off (On) set claims in environment variables
# headers On|Off (On) set claims in headers
# authn_header <name> (-) set remote user in authentication header <name>
# prefix <string> (OAUTH2_CLAIM_) append prefix to claim names (in headers/envvars)
# remote_user_claim <name> (sub) obtain remote user from claim <name>
# json_payload_claim <name> (-) set the JSON payload in header/envar <prefix><name>
#OAuth2TargetPass <options-in-query-encoded-format>
|
