{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://catalog.lintel.tools/schemas/schemastore/ory-hydra-configuration/_shared/latest--config.json",
"title": "Ory Hydra Configuration",
"x-lintel": {
"source": "https://raw.githubusercontent.com/ory/hydra/v2.0.2/spec/config.json",
"sourceSha256": "30f9a48c425627c5520e5e85b7d3cdce89fdb2368d0b787b74ef8f8c1d24c17f"
},
"type": "object",
"properties": {
"db": {
"type": "object",
"properties": {
"ignore_unknown_table_columns": {
"type": "boolean",
"description": "Ignore scan errors when columns in the SQL result have no fields in the destination struct",
"default": false
}
},
"description": "Configures the database connection",
"additionalProperties": false
},
"log": {
"type": "object",
"properties": {
"level": {
"type": "string",
"description": "Sets the log level.",
"enum": [
"panic",
"fatal",
"error",
"warn",
"info",
"debug",
"trace"
],
"default": "info"
},
"leak_sensitive_values": {
"type": "boolean",
"description": "Logs sensitive values such as cookie and URL parameter.",
"default": false
},
"redaction_text": {
"type": "string",
"title": "Sensitive log value redaction text",
"description": "Text to use, when redacting sensitive log value."
},
"format": {
"type": "string",
"description": "Sets the log format.",
"enum": [
"json",
"json_pretty",
"text"
],
"default": "text"
}
},
"description": "Configures the logger",
"additionalProperties": false
},
"serve": {
"type": "object",
"properties": {
"public": {
"type": "object",
"properties": {
"port": {
"default": 4444,
"type": "integer",
"allOf": [
{
"$ref": "#/$defs/portNumber"
}
]
},
"host": {
"type": "string",
"description": "The interface or unix socket Ory Hydra should listen and handle public API requests on. Use the prefix `unix:` to specify a path to a unix socket. Leave empty to listen on all interfaces.",
"default": "",
"examples": [
"localhost"
]
},
"cors": {
"$ref": "#/$defs/cors"
},
"socket": {
"$ref": "#/$defs/socket"
},
"request_log": {
"type": "object",
"properties": {
"disable_for_health": {
"type": "boolean",
"description": "Disable access log for health endpoints.",
"default": false
}
},
"description": "Access Log configuration for public server.",
"additionalProperties": false
},
"tls": {
"$ref": "#/$defs/tls_config"
}
},
"description": "Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json",
"additionalProperties": false
},
"admin": {
"type": "object",
"properties": {
"port": {
"default": 4445,
"type": "integer",
"allOf": [
{
"$ref": "#/$defs/portNumber"
}
]
},
"host": {
"type": "string",
"description": "The interface or unix socket Ory Hydra should listen and handle administrative API requests on. Use the prefix `unix:` to specify a path to a unix socket. Leave empty to listen on all interfaces.",
"default": "",
"examples": [
"localhost"
]
},
"cors": {
"$ref": "#/$defs/cors"
},
"socket": {
"$ref": "#/$defs/socket"
},
"request_log": {
"type": "object",
"properties": {
"disable_for_health": {
"type": "boolean",
"description": "Disable access log for health endpoints.",
"default": false
}
},
"description": "Access Log configuration for admin server.",
"additionalProperties": false
},
"tls": {
"allOf": [
{
"$ref": "#/$defs/tls_config"
}
]
}
},
"additionalProperties": false
},
"tls": {
"$ref": "#/$defs/tls_config"
},
"cookies": {
"type": "object",
"properties": {
"same_site_mode": {
"type": "string",
"description": "Specify the SameSite mode that cookies should be sent with.",
"enum": [
"Strict",
"Lax",
"None"
],
"default": "None"
},
"same_site_legacy_workaround": {
"type": "boolean",
"description": "Some older browser versions don’t work with SameSite=None. This option enables the workaround defined in which essentially stores a second cookie without SameSite as a fallback.",
"default": false,
"examples": [
true
]
},
"domain": {
"title": "HTTP Cookie Domain",
"description": "Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!",
"type": "string"
},
"secure": {
"title": "HTTP Cookie Secure Flag in Development Mode",
"description": "Sets the HTTP Cookie secure flag in development mode. HTTP Cookies always have the secure flag in production mode.",
"type": "boolean",
"default": false
},
"names": {
"title": "Cookie Names",
"description": "Sets the session cookie name. Use with care!",
"type": "object",
"properties": {
"login_csrf": {
"type": "string",
"title": "CSRF Cookie Name",
"default": "ory_hydra_login_csrf"
},
"consent_csrf": {
"type": "string",
"title": "CSRF Cookie Name",
"default": "ory_hydra_consent_csrf"
},
"session": {
"type": "string",
"title": "Session Cookie Name",
"default": "ory_hydra_session"
}
}
}
},
"additionalProperties": false
}
},
"description": "Controls the configuration for the http(s) daemon(s).",
"additionalProperties": false
},
"dsn": {
"type": "string",
"description": "Sets the data source name. This configures the backend where Ory Hydra persists data. If dsn is `memory`, data will be written to memory and is lost when you restart this instance. Ory Hydra supports popular SQL databases. For more detailed configuration information go to: "
},
"clients": {
"title": "Global outgoing network settings",
"description": "Configure how outgoing network calls behave.",
"type": "object",
"properties": {
"http": {
"title": "Global HTTP client configuration",
"description": "Configure how outgoing HTTP calls behave.",
"type": "object",
"properties": {
"disallow_private_ip_ranges": {
"title": "Disallow private IP ranges",
"description": "Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.",
"type": "boolean",
"default": false
}
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"hsm": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"library": {
"type": "string",
"description": "Full path (including file extension) of the HSM vendor PKCS#11 library"
},
"pin": {
"type": "string",
"description": "PIN code for token operations"
},
"slot": {
"type": "integer",
"description": "Slot ID of the token to use (if label is not specified)"
},
"token_label": {
"type": "string",
"description": "Label of the token to use (if slot is not specified). If both slot and label are set, token label takes preference over slot. In this case first slot, that contains this label is used."
},
"key_set_prefix": {
"type": "string",
"description": "Key set prefix can be used in case of multiple Ory Hydra instances need to store keys on the same HSM partition. For example if `hsm.key_set_prefix=app1.` then key set `hydra.openid.id-token` would be generated/requested/deleted on HSM with `CKA_LABEL=app1.hydra.openid.id-token`.",
"default": ""
}
},
"description": "Configures Hardware Security Module.",
"additionalProperties": false
},
"webfinger": {
"type": "object",
"properties": {
"jwks": {
"type": "object",
"properties": {
"broadcast_keys": {
"type": "array",
"description": "A list of JSON Web Keys that should be exposed at that endpoint. This is usually the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.",
"items": {
"type": "string"
},
"default": [
"hydra.openid.id-token"
],
"examples": [
"hydra.jwt.access-token"
]
}
},
"description": "Configures the /.well-known/jwks.json endpoint.",
"additionalProperties": false
},
"oidc_discovery": {
"type": "object",
"properties": {
"jwks_url": {
"type": "string",
"description": "Overwrites the JWKS URL",
"format": "uri-reference",
"examples": [
"https://my-service.com/.well-known/jwks.json"
]
},
"token_url": {
"type": "string",
"description": "Overwrites the OAuth2 Token URL",
"format": "uri-reference",
"examples": [
"https://my-service.com/oauth2/token"
]
},
"auth_url": {
"type": "string",
"description": "Overwrites the OAuth2 Auth URL",
"format": "uri-reference",
"examples": [
"https://my-service.com/oauth2/auth"
]
},
"client_registration_url": {
"description": "Sets the OpenID Connect Dynamic Client Registration Endpoint",
"type": "string",
"format": "uri-reference",
"examples": [
"https://my-service.com/clients"
]
},
"supported_claims": {
"type": "array",
"description": "A list of supported claims to be broadcasted. Claim `sub` is always included.",
"items": {
"type": "string"
},
"examples": [
[
"email",
"username"
]
]
},
"supported_scope": {
"type": "array",
"description": "The scope OAuth 2.0 Clients may request. Scope `offline`, `offline_access`, and `openid` are always included.",
"items": {
"type": "string"
},
"examples": [
[
"email",
"whatever",
"read.photos"
]
]
},
"userinfo_url": {
"type": "string",
"description": "A URL of the userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.",
"format": "uri-reference",
"examples": [
"https://example.org/my-custom-userinfo-endpoint"
]
}
},
"description": "Configures OpenID Connect Discovery (/.well-known/openid-configuration).",
"additionalProperties": false
}
},
"description": "Configures ./well-known/ settings.",
"additionalProperties": false
},
"oidc": {
"type": "object",
"properties": {
"subject_identifiers": {
"type": "object",
"examples": [
{
"supported_types": [
"public",
"pairwise"
],
"pairwise": {
"salt": "some-random-salt"
}
}
],
"description": "Configures the Subject Identifier algorithm. For more information please head over to the documentation: ",
"properties": {
"supported_types": {
"type": "array",
"description": "A list of algorithms to enable.",
"default": [
"public"
],
"items": {
"type": "string",
"enum": [
"public",
"pairwise"
]
}
},
"pairwise": {
"type": "object",
"required": [
"salt"
],
"description": "Configures the pairwise algorithm.",
"properties": {
"salt": {
"type": "string"
}
},
"additionalProperties": false
}
},
"anyOf": [
{
"if": {
"properties": {
"supported_types": {
"contains": {
"const": "pairwise"
}
}
}
},
"then": {
"required": [
"pairwise"
]
}
},
{
"not": {
"required": [
"supported_types"
]
}
}
],
"additionalProperties": false
},
"dynamic_client_registration": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Enable dynamic client registration.",
"default": false
},
"default_scope": {
"type": "array",
"description": "The OpenID Connect Dynamic Client Registration specification has no concept of whitelisting OAuth 2.0 Scope. If you want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients. Keep in mind that users can overwrite this default by setting the `scope` key in the registration payload, effectively disabling the concept of whitelisted scopes.",
"items": {
"type": "string"
},
"examples": [
[
"openid",
"offline",
"offline_access"
]
]
}
},
"description": "Configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...).",
"additionalProperties": false
}
},
"description": "Configures OpenID Connect features.",
"additionalProperties": false
},
"urls": {
"type": "object",
"properties": {
"self": {
"type": "object",
"properties": {
"issuer": {
"type": "string",
"description": "This value will be used as the `issuer` in access and ID tokens. It must be specified and using HTTPS protocol, unless --dev is set. This should typically be equal to the public value.",
"format": "uri",
"examples": [
"https://localhost:4444/"
]
},
"public": {
"type": "string",
"description": "This is the base location of the public endpoints of your Ory Hydra installation. This should typically be equal to the issuer value. If left unspecified, it falls back to the issuer value.",
"format": "uri",
"examples": [
"https://localhost:4444/"
]
},
"admin": {
"type": "string",
"description": "This is the base location of the admin endpoints of your Ory Hydra installation.",
"format": "uri",
"examples": [
"https://localhost:4445/"
]
}
},
"additionalProperties": false
},
"login": {
"type": "string",
"description": "Sets the OAuth2 Login Endpoint URL of the OAuth2 User Login & Consent flow. Defaults to an internal fallback URL showing an error.",
"format": "uri-reference",
"examples": [
"https://my-login.app/login",
"/ui/login"
]
},
"consent": {
"type": "string",
"description": "Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL showing an error.",
"format": "uri-reference",
"examples": [
"https://my-consent.app/consent",
"/ui/consent"
]
},
"logout": {
"type": "string",
"description": "Sets the logout endpoint. Defaults to an internal fallback URL showing an error.",
"format": "uri-reference",
"examples": [
"https://my-logout.app/logout",
"/ui/logout"
]
},
"error": {
"type": "string",
"description": "Sets the error endpoint. The error ui will be shown when an OAuth2 error occurs that which can not be sent back to the client. Defaults to an internal fallback URL showing an error.",
"format": "uri-reference",
"examples": [
"https://my-error.app/error",
"/ui/error"
]
},
"post_logout_redirect": {
"type": "string",
"description": "When a user agent requests to logout, it will be redirected to this url afterwards per default.",
"format": "uri-reference",
"examples": [
"https://my-example.app/logout-successful",
"/ui"
]
}
},
"additionalProperties": false
},
"strategies": {
"type": "object",
"properties": {
"scope": {
"type": "string",
"description": "Defines how scopes are matched. For more details have a look at ",
"enum": [
"exact",
"wildcard"
],
"default": "wildcard"
},
"access_token": {
"type": "string",
"description": "Defines access token type. jwt is a bad idea, see ",
"enum": [
"opaque",
"jwt"
],
"default": "opaque"
}
},
"additionalProperties": false
},
"ttl": {
"type": "object",
"properties": {
"login_consent_request": {
"description": "Configures how long a user login and consent flow may take.",
"default": "30m",
"allOf": [
{
"$ref": "#/$defs/duration"
}
]
},
"access_token": {
"description": "Configures how long access tokens are valid.",
"default": "1h",
"allOf": [
{
"$ref": "#/$defs/duration"
}
]
},
"refresh_token": {
"description": "Configures how long refresh tokens are valid. Set to -1 for refresh tokens to never expire.",
"default": "720h",
"oneOf": [
{
"$ref": "#/$defs/duration"
},
{
"enum": [
"-1",
-1
]
}
]
},
"id_token": {
"description": "Configures how long id tokens are valid.",
"default": "1h",
"allOf": [
{
"$ref": "#/$defs/duration"
}
]
},
"auth_code": {
"description": "Configures how long auth codes are valid.",
"default": "10m",
"allOf": [
{
"$ref": "#/$defs/duration"
}
]
}
},
"description": "Configures time to live.",
"additionalProperties": false
},
"oauth2": {
"type": "object",
"properties": {
"expose_internal_errors": {
"type": "boolean",
"description": "Set this to true if you want to share error debugging information with your OAuth 2.0 clients. Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error codes and similar errors.",
"default": false,
"examples": [
true
]
},
"session": {
"type": "object",
"properties": {
"encrypt_at_rest": {
"type": "boolean",
"default": true,
"title": "Encrypt OAuth2 Session",
"description": "If set to true (default) Ory Hydra encrypt OAuth2 and OpenID Connect session data using AES-GCM and the system secret before persisting it in the database."
}
}
},
"exclude_not_before_claim": {
"type": "boolean",
"description": "Set to true if you want to exclude claim `nbf (not before)` part of access token.",
"default": false,
"examples": [
true
]
},
"allowed_top_level_claims": {
"type": "array",
"description": "A list of custom claims which are allowed to be added top level to the Access Token. They cannot override reserved claims.",
"items": {
"type": "string"
},
"examples": [
[
"username",
"email",
"user_uuid"
]
]
},
"hashers": {
"type": "object",
"properties": {
"algorithm": {
"title": "Password hashing algorithm",
"description": "One of the values: pbkdf2, bcrypt.\n\nWarning! This value can not be changed once set as all existing OAuth 2.0 Clients will not be able to sign in any more.",
"type": "string",
"default": "pbkdf2",
"enum": [
"pbkdf2",
"bcrypt"
]
},
"bcrypt": {
"type": "object",
"properties": {
"cost": {
"type": "integer",
"description": "Sets the BCrypt cost. The higher the value, the more CPU time is being used to generate hashes.",
"default": 10,
"minimum": 4,
"maximum": 31
}
},
"description": "Configures the BCrypt hashing algorithm used for hashing OAuth 2.0 Client Secrets.",
"additionalProperties": false
},
"pbkdf2": {
"type": "object",
"properties": {
"iterations": {
"type": "integer",
"description": "Sets the PBKDF2 iterations. The higher the value, the more CPU time is being used to generate hashes.",
"default": 25000,
"minimum": 1
}
},
"description": "Configures the PBKDF2 hashing algorithm used for hashing OAuth 2.0 Client Secrets.",
"additionalProperties": false
}
},
"description": "Configures hashing algorithms. Supports only BCrypt and PBKDF2 at the moment.",
"additionalProperties": false
},
"pkce": {
"type": "object",
"properties": {
"enforced": {
"type": "boolean",
"description": "Sets whether PKCE should be enforced for all clients.",
"examples": [
true
]
},
"enforced_for_public_clients": {
"type": "boolean",
"description": "Sets whether PKCE should be enforced for public clients.",
"examples": [
true
]
}
},
"additionalProperties": false
},
"client_credentials": {
"type": "object",
"properties": {
"default_grant_allowed_scope": {
"type": "boolean",
"description": "Automatically grant authorized OAuth2 Scope in OAuth2 Client Credentials Flow. Each OAuth2 Client is allowed to request a predefined OAuth2 Scope (for example `read write`). If this option is enabled, the full\nscope is automatically granted when performing the OAuth2 Client Credentials flow.\n\nIf disabled, the OAuth2 Client has to request the scope in the OAuth2 request by providing the `scope` query parameter. Setting this option to true is common if you need compatibility with MITREid.",
"examples": [
false
]
}
},
"additionalProperties": false
},
"grant": {
"type": "object",
"properties": {
"jwt": {
"type": "object",
"properties": {
"jti_optional": {
"type": "boolean",
"description": "Configures if the JSON Web Token ID (`jti`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523). If set to `false`, the `jti` claim is required. Set this value to `true` only after careful consideration.",
"default": false
},
"iat_optional": {
"type": "boolean",
"description": "Configures if the issued at (`iat`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523). If set to `false`, the `iat` claim is required. Set this value to `true` only after careful consideration.",
"default": false
},
"max_ttl": {
"description": "Configures what the maximum age of a JWT assertion used in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) can be. This feature uses the `exp` claim and `iat` claim to calculate assertion age. Assertions exceeding the max age will be denied. Useful as a safety measure and recommended to keep below 720h. This governs the `grant.jwt.max_ttl` setting.",
"default": "720h",
"allOf": [
{
"$ref": "#/$defs/duration"
}
]
}
},
"description": "Authorization Grants using JWT configuration",
"additionalProperties": false
}
},
"additionalProperties": false
},
"refresh_token_hook": {
"type": "string",
"description": "Sets the refresh token hook endpoint. If set it will be called during token refresh to receive updated token claims.",
"format": "uri",
"examples": [
"https://my-example.app/token-refresh-hook"
]
}
},
"additionalProperties": false
},
"secrets": {
"type": "object",
"properties": {
"system": {
"description": "The system secret must be at least 16 characters long. If none is provided, one will be generated. They key is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
"type": "array",
"items": {
"type": "string",
"minLength": 16
},
"examples": [
[
"this-is-the-primary-secret",
"this-is-an-old-secret",
"this-is-another-old-secret"
]
]
},
"cookie": {
"type": "array",
"description": "A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
"items": {
"type": "string",
"minLength": 16
},
"examples": [
[
"this-is-the-primary-secret",
"this-is-an-old-secret",
"this-is-another-old-secret"
]
]
}
},
"description": "The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated, for more information on this topic go to: ",
"additionalProperties": false
},
"profiling": {
"type": "string",
"description": "Enables profiling if set. For more details on profiling, head over to: ",
"enum": [
"cpu",
"mem"
],
"examples": [
"cpu"
]
},
"tracing": {
"type": "object",
"properties": {
"provider": {
"type": "string",
"description": "Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin DataDog, Elastic APM and Instana. If omitted or empty, tracing will be disabled. Use environment variables to configure DataDog (see .",
"enum": [
"jaeger",
"zipkin",
"datadog",
"elastic-apm",
"instana",
"otel"
],
"examples": [
"jaeger"
]
},
"service_name": {
"type": "string",
"description": "Specifies the service name to use on the tracer.",
"examples": [
"Ory Hydra"
]
},
"providers": {
"type": "object",
"properties": {
"jaeger": {
"type": "object",
"properties": {
"local_agent_address": {
"type": "string",
"description": "The address of the jaeger-agent where spans should be sent to.",
"oneOf": [
{
"pattern": "^\\[(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))]:([0-9]*)$"
},
{
"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}:([0-9]*)$"
},
{
"format": "uri"
}
],
"examples": [
"127.0.0.1:6831"
]
},
"propagation": {
"type": "string",
"description": "The tracing header format",
"examples": [
"jaeger"
]
},
"max_tag_value_length": {
"type": "integer",
"description": "The value passed to the max tag value length that has been configured.",
"minimum": 0
},
"sampling": {
"type": "object",
"propertyNames": {
"enum": [
"type",
"value",
"server_url"
]
},
"allOf": [
{
"oneOf": [
{
"properties": {
"type": {
"description": "The type of the sampler you want to use.",
"const": "const"
},
"value": {
"type": "integer",
"description": "The value passed to the sampler type that has been configured.",
"minimum": 0,
"maximum": 1
}
}
},
{
"properties": {
"type": {
"description": "The type of the sampler you want to use.",
"const": "rateLimiting"
},
"value": {
"type": "integer",
"description": "The value passed to the sampler type that has been configured.",
"minimum": 0
}
}
},
{
"properties": {
"type": {
"description": "The type of the sampler you want to use.",
"const": "probabilistic"
},
"value": {
"type": "number",
"description": "The value passed to the sampler type that has been configured.",
"minimum": 0,
"maximum": 1
}
}
}
]
},
{
"properties": {
"server_url": {
"type": "string",
"description": "The address of jaeger-agent's HTTP sampling server",
"format": "uri"
}
}
}
],
"examples": [
{
"type": "const",
"value": 1,
"server_url": "http://localhost:5778/sampling"
}
]
}
},
"description": "Configures the jaeger tracing backend.",
"additionalProperties": false
},
"zipkin": {
"type": "object",
"examples": [
{
"server_url": "http://localhost:9411/api/v2/spans"
}
],
"description": "Configures the zipkin tracing backend.",
"properties": {
"server_url": {
"type": "string",
"description": "The address of Zipkin server where spans should be sent to.",
"format": "uri"
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
},
"description": "Ory Hydra supports distributed tracing.",
"additionalProperties": false
},
"sqa": {
"type": "object",
"examples": [
{
"opt_out": true
}
],
"description": "Software Quality Assurance telemetry configuration section",
"properties": {
"opt_out": {
"type": "boolean",
"description": "Disables anonymized telemetry reports - for more information please visit ",
"default": false,
"examples": [
true
]
}
},
"additionalProperties": true
},
"version": {
"type": "string",
"title": "The Hydra version this config is written for.",
"description": "SemVer according to prefixed with `v` as in our releases.",
"pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
},
"cgroups": {
"type": "object",
"properties": {
"v1": {
"type": "object",
"properties": {
"auto_max_procs_enabled": {
"type": "boolean",
"description": "Set GOMAXPROCS automatically according to cgroups limits",
"default": false,
"examples": [
true
]
}
},
"description": "Configures parameters using cgroups v1 hierarchy",
"additionalProperties": false
}
},
"description": "Ory Hydra can respect Linux container CPU quota",
"additionalProperties": false
},
"dev": {
"type": "boolean",
"title": "Enable development mode",
"description": "If true, disables critical security measures to allow easier local development. Do not use in production.",
"default": false
}
},
"additionalProperties": false,
"$defs": {
"http_method": {
"type": "string",
"enum": [
"POST",
"GET",
"PUT",
"PATCH",
"DELETE",
"CONNECT",
"HEAD",
"OPTIONS",
"TRACE"
]
},
"portNumber": {
"description": "The port to listen on.",
"minimum": 1,
"maximum": 65535
},
"socket": {
"type": "object",
"properties": {
"owner": {
"type": "string",
"description": "Owner of unix socket. If empty, the owner will be the user running hydra.",
"default": ""
},
"group": {
"type": "string",
"description": "Group of unix socket. If empty, the group will be the primary group of the user running hydra.",
"default": ""
},
"mode": {
"type": "integer",
"description": "Mode of unix socket in numeric form",
"default": 493,
"minimum": 0,
"maximum": 511
}
},
"description": "Sets the permissions of the unix socket",
"additionalProperties": false
},
"cors": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Sets whether CORS is enabled.",
"default": false
},
"allowed_origins": {
"type": "array",
"description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: . Only one wildcard can be used per origin.",
"items": {
"type": "string",
"minLength": 1,
"not": {
"type": "string",
"description": "does match all strings that contain two or more (*)",
"pattern": ".*\\*.*\\*.*"
},
"anyOf": [
{
"format": "uri"
},
{
"const": "*"
}
]
},
"uniqueItems": true,
"default": [],
"examples": [
[
"*",
"https://example.com",
"https://*.example.com",
"https://*.foo.example.com"
]
]
},
"allowed_methods": {
"type": "array",
"description": "A list of HTTP methods the user agent is allowed to use with cross-domain requests.",
"default": [
"POST",
"GET",
"PUT",
"PATCH",
"DELETE",
"CONNECT",
"HEAD",
"OPTIONS",
"TRACE"
],
"items": {
"type": "string",
"enum": [
"POST",
"GET",
"PUT",
"PATCH",
"DELETE",
"CONNECT",
"HEAD",
"OPTIONS",
"TRACE"
]
}
},
"allowed_headers": {
"type": "array",
"description": "A list of non simple headers the client is allowed to use with cross-domain requests.",
"default": [
"Accept",
"Content-Type",
"Content-Length",
"Accept-Language",
"Content-Language",
"Authorization"
],
"items": {
"type": "string"
}
},
"exposed_headers": {
"type": "array",
"description": "Sets which headers are safe to expose to the API of a CORS API specification.",
"default": [
"Cache-Control",
"Expires",
"Last-Modified",
"Pragma",
"Content-Length",
"Content-Language",
"Content-Type"
],
"items": {
"type": "string"
}
},
"allow_credentials": {
"type": "boolean",
"description": "Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.",
"default": true
},
"max_age": {
"type": "integer",
"description": "Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.",
"default": 0,
"minimum": 0
},
"debug": {
"type": "boolean",
"description": "Adds additional log output to debug server side CORS issues.",
"default": false
}
},
"description": "Configures Cross Origin Resource Sharing for public endpoints.",
"additionalProperties": false
},
"cidr": {
"description": "CIDR address range.",
"type": "string",
"oneOf": [
{
"pattern": "^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
},
{
"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
}
],
"examples": [
"127.0.0.1/32"
]
},
"pem_file": {
"type": "object",
"oneOf": [
{
"properties": {
"path": {
"type": "string",
"description": "The path to the pem file.",
"examples": [
"/path/to/file.pem"
]
}
},
"required": [
"path"
],
"additionalProperties": false,
"type": "object"
},
{
"properties": {
"base64": {
"type": "string",
"description": "The base64 encoded string (without padding).",
"contentEncoding": "base64",
"contentMediaType": "application/x-pem-file",
"examples": [
"b3J5IGh5ZHJhIGlzIGF3ZXNvbWUK"
]
}
},
"required": [
"base64"
],
"additionalProperties": false,
"type": "object"
}
]
},
"duration": {
"type": "string",
"pattern": "^(\\d+(ns|us|ms|s|m|h))+$",
"examples": [
"1h",
"1h5m1s"
]
},
"tls_config": {
"type": "object",
"description": "Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.",
"properties": {
"enabled": {
"type": "boolean",
"description": "Setting enabled to false drops the TLS requirement for the admin endpoint, even if TLS is enabled on the public endpoint."
},
"key": {
"description": "Configures the private key (pem encoded).",
"allOf": [
{
"$ref": "#/$defs/pem_file"
}
]
},
"cert": {
"description": "Configures the public certificate (pem encoded).",
"allOf": [
{
"$ref": "#/$defs/pem_file"
}
]
},
"allow_termination_from": {
"type": "array",
"description": "Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.",
"items": {
"$ref": "#/$defs/cidr"
}
}
}
}
}
}