Documentation
Index ¶
- Constants
- Variables
- func DecodeAlgorithmDigest(encodedDigest string) (digest algorithm.Digest, err error)
- func PBKDF2VariantDefaultIterations(variant string) int
- type AccessControl
- type AccessControlNetwork
- type AccessControlRule
- type AccessControlRuleDomains
- type AccessControlRuleMethods
- type AccessControlRuleQuery
- type AccessControlRuleRegex
- type AccessControlRuleSubjects
- type Address
- func NewAddress(value string) (address *Address, err error)
- func NewAddressDefault(value, schemeDefault, schemeDefaultPath string) (address *Address, err error)
- func NewAddressFromNetworkPathValues(network, host string, port uint16, path string) Address
- func NewAddressFromNetworkValues(network, host string, port uint16) Address
- func NewAddressFromNetworkValuesDefault(value string, port uint16, schemeDefault, schemeDefaultPath string) (address *Address, err error)
- func NewAddressFromURL(u *url.URL) (addr *Address, err error)
- func NewAddressUnix(path string) Address
- func (a *Address) Dial() (net.Conn, error)
- func (a *Address) Host() string
- func (a *Address) Hostname() string
- func (a *Address) IsExplicitlySecure() bool
- func (a *Address) IsFileDescriptor() bool
- func (a *Address) IsTCP() bool
- func (a *Address) IsUDP() bool
- func (a *Address) IsUnixDomainSocket() bool
- func (Address) JSONSchema() *jsonschema.Schema
- func (a *Address) Listener() (ln net.Listener, err error)
- func (a *Address) Network() string
- func (a *Address) NetworkAddress() string
- func (a *Address) Path() string
- func (a *Address) Port() uint16
- func (a *Address) RouterPath() string
- func (a *Address) Scheme() string
- func (a *Address) SetHostname(hostname string)
- func (a *Address) SetPath(path string)
- func (a *Address) SetPort(port uint16)
- func (a *Address) SocketHostname() string
- func (a *Address) String() string
- func (a *Address) Umask() string
- func (a *Address) Valid() bool
- func (a *Address) ValidateHTTP() error
- func (a *Address) ValidateLDAP() error
- func (a *Address) ValidateListener() error
- func (a *Address) ValidateSMTP() error
- func (a *Address) ValidateSQL() error
- type AddressLDAP
- type AddressSMTP
- type AddressTCP
- type AddressUDP
- type AuthenticationBackend
- type AuthenticationBackendExtraAttribute
- type AuthenticationBackendFile
- type AuthenticationBackendFilePassword
- type AuthenticationBackendFilePasswordArgon2
- type AuthenticationBackendFilePasswordBcrypt
- type AuthenticationBackendFilePasswordPBKDF2
- type AuthenticationBackendFilePasswordSHA2Crypt
- type AuthenticationBackendFilePasswordScrypt
- type AuthenticationBackendFileSearch
- type AuthenticationBackendLDAP
- type AuthenticationBackendLDAPAttributes
- type AuthenticationBackendLDAPAttributesAttribute
- type AuthenticationBackendLDAPPooling
- type AuthenticationBackendPasswordChange
- type AuthenticationBackendPasswordReset
- type CSPTemplate
- type Configuration
- type CryptographicKey
- type CryptographicPrivateKey
- type Definitions
- type DuoAPI
- type ErrorContainer
- type IdentityProviders
- type IdentityProvidersOpenIDConnect
- type IdentityProvidersOpenIDConnectCORS
- type IdentityProvidersOpenIDConnectClaimsPolicy
- type IdentityProvidersOpenIDConnectClient
- type IdentityProvidersOpenIDConnectClientURIs
- type IdentityProvidersOpenIDConnectCustomClaim
- type IdentityProvidersOpenIDConnectCustomClaims
- type IdentityProvidersOpenIDConnectDiscovery
- type IdentityProvidersOpenIDConnectLifespan
- type IdentityProvidersOpenIDConnectLifespanGrants
- type IdentityProvidersOpenIDConnectLifespanToken
- type IdentityProvidersOpenIDConnectLifespans
- type IdentityProvidersOpenIDConnectPolicy
- type IdentityProvidersOpenIDConnectPolicyRule
- type IdentityProvidersOpenIDConnectScope
- type IdentityValidation
- type IdentityValidationElevatedSession
- type IdentityValidationResetPassword
- type JWK
- type Log
- type NTP
- type Notifier
- type NotifierFileSystem
- type NotifierSMTP
- type PasswordDigest
- func (d *PasswordDigest) GetPlainTextValue() (value []byte, err error)
- func (d *PasswordDigest) IsPlainText() (is bool)
- func (PasswordDigest) JSONSchema() *jsonschema.Schema
- func (d *PasswordDigest) MarshalYAML() (value any, err error)
- func (d *PasswordDigest) PlainText() (digest *plaintext.Digest, ok bool)
- func (d *PasswordDigest) UnmarshalYAML(value *yaml.Node) (err error)
- func (d *PasswordDigest) Valid() (valid bool)
- type PasswordPolicy
- type PasswordPolicyStandard
- type PasswordPolicyZXCVBN
- type PrivacyPolicy
- type RefreshIntervalDuration
- func (d RefreshIntervalDuration) Always() bool
- func (RefreshIntervalDuration) JSONSchema() *jsonschema.Schema
- func (d RefreshIntervalDuration) Never() bool
- func (d RefreshIntervalDuration) Update() bool
- func (d RefreshIntervalDuration) Valid() bool
- func (d RefreshIntervalDuration) Value() time.Duration
- type Regulation
- type Server
- type ServerBuffers
- type ServerEndpointRateLimit
- type ServerEndpointRateLimitBucket
- type ServerEndpointRateLimits
- type ServerEndpoints
- type ServerEndpointsAuthz
- type ServerEndpointsAuthzAuthnStrategy
- type ServerHeaders
- type ServerTLS
- type ServerTimeouts
- type Session
- type SessionCookie
- type SessionCookieCommon
- type SessionRedis
- type SessionRedisHighAvailability
- type SessionRedisHighAvailabilityNode
- type Storage
- type StorageLocal
- type StorageMySQL
- type StoragePostgreSQL
- type StoragePostgreSQLSSL
- type StoragePostgreSQLServer
- type StorageSQL
- type StructValidator
- func (v *StructValidator) Clear()
- func (v *StructValidator) Errors() []error
- func (v *StructValidator) HasErrors() bool
- func (v *StructValidator) HasWarnings() bool
- func (v *StructValidator) Push(err error)
- func (v *StructValidator) PushWarning(err error)
- func (v *StructValidator) Warnings() []error
- type TLS
- type TLSVersion
- type TOTP
- type Telemetry
- type TelemetryMetrics
- type UserAttribute
- type WebAuthn
- type WebAuthnFiltering
- type WebAuthnMetadata
- type WebAuthnSelectionCriteria
- type X509CertificateChain
- func (c *X509CertificateChain) Certificates() (certificates []*x509.Certificate)
- func (c *X509CertificateChain) CertificatesRaw() (certificates [][]byte)
- func (c *X509CertificateChain) EncodePEM() (encoded []byte, err error)
- func (c *X509CertificateChain) Equal(other *x509.Certificate) (equal bool)
- func (c *X509CertificateChain) EqualKey(other any) (equal bool)
- func (c *X509CertificateChain) HasCertificates() (has bool)
- func (X509CertificateChain) JSONSchema() *jsonschema.Schema
- func (c *X509CertificateChain) Leaf() (leaf *x509.Certificate)
- func (c *X509CertificateChain) Thumbprint(hash crypto.Hash) []byte
- func (c *X509CertificateChain) Validate() (err error)
Constants ¶
const ( SHA1Lower = "sha1" SHA224Lower = "sha224" SHA256Lower = "sha256" SHA384Lower = "sha384" SHA512Lower = "sha512" )
const ( // TLSVersion13 is the textual representation of TLS 1.3. TLSVersion13 = "TLS1.3" // TLSVersion12 is the textual representation of TLS 1.2. TLSVersion12 = "TLS1.2" // TLSVersion11 is the textual representation of TLS 1.1. TLSVersion11 = "TLS1.1" // TLSVersion10 is the textual representation of TLS 1.0. TLSVersion10 = "TLS1.0" // SSLVersion30 is the textual representation of SSL 3.0. SSLVersion30 = "SSL3.0" // Version13 is the textual representation of version 1.3. Version13 = "1.3" // Version12 is the textual representation of version 1.2. Version12 = "1.2" // Version11 is the textual representation of version 1.1. Version11 = "1.1" // Version10 is the textual representation of version 1.0. Version10 = "1.0" )
const ( // ProfileRefreshAlways represents a value for refresh_interval that's the same as 0ms. ProfileRefreshAlways = "always" // ProfileRefreshDisabled represents a Value for refresh_interval that disables the check entirely. ProfileRefreshDisabled = "disable" // RefreshIntervalDefault represents the default value of refresh_interval. RefreshIntervalDefault = time.Minute * 5 )
const ( // LDAPImplementationCustom is the string for the custom LDAP implementation. LDAPImplementationCustom = "custom" // LDAPImplementationActiveDirectory is the string for the Active Directory LDAP implementation. LDAPImplementationActiveDirectory = "activedirectory" // LDAPImplementationRFC2307bis is the string for the RFC2307bis LDAP implementation. LDAPImplementationRFC2307bis = "rfc2307bis" // LDAPImplementationFreeIPA is the string for the FreeIPA LDAP implementation. LDAPImplementationFreeIPA = "freeipa" // LDAPImplementationLLDAP is the string for the lldap LDAP implementation. LDAPImplementationLLDAP = "lldap" // LDAPImplementationGLAuth is the string for the GLAuth LDAP implementation. LDAPImplementationGLAuth = "glauth" )
const ( // LDAPGroupSearchModeFilter is the string for the filter group search mode. LDAPGroupSearchModeFilter = "filter" // LDAPGroupSearchModeMemberOf is the string for the memberOf group search mode. LDAPGroupSearchModeMemberOf = "memberof" )
const ( TOTPAlgorithmSHA1 = "SHA1" TOTPAlgorithmSHA256 = "SHA256" TOTPAlgorithmSHA512 = "SHA512" )
TOTP algorithm identifiers.
const ( // TOTPSecretSizeDefault is the default secret size. TOTPSecretSizeDefault = 32 // TOTPSecretSizeMinimum is the minimum secret size. TOTPSecretSizeMinimum = 20 )
const ( SchemeBasic = "basic" SchemeBearer = "bearer" )
Authorization header schemes accepted by the authz endpoint authentication strategies.
const ( AuthzEndpointNameLegacy = "legacy" AuthzEndpointNameAuthRequest = "auth-request" AuthzEndpointNameExtAuthz = "ext-authz" AuthzEndpointNameForwardAuth = "forward-auth" AuthzImplementationLegacy = "Legacy" AuthzImplementationAuthRequest = "AuthRequest" AuthzImplementationExtAuthz = "ExtAuthz" AuthzImplementationForwardAuth = "ForwardAuth" AuthzStrategyHeaderCookieSession = "CookieSession" AuthzStrategyHeaderAuthorization = "HeaderAuthorization" AuthzStrategyHeaderProxyAuthorization = "HeaderProxyAuthorization" AuthzStrategyHeaderAuthRequestProxyAuthorization = "HeaderAuthRequestProxyAuthorization" AuthzStrategyHeaderLegacy = "HeaderLegacy" )
Authz endpoint names, implementation names and authentication strategy names.
const ( AddressSchemeTCP = "tcp" AddressSchemeTCP4 = "tcp4" AddressSchemeTCP6 = "tcp6" AddressSchemeUDP = "udp" AddressSchemeUDP4 = "udp4" AddressSchemeUDP6 = "udp6" AddressSchemeUnix = "unix" AddressSchemeLDAP = "ldap" AddressSchemeLDAPS = "ldaps" AddressSchemeLDAPI = "ldapi" AddressSchemeSMTP = "smtp" AddressSchemeSUBMISSION = "submission" AddressSchemeSUBMISSIONS = "submissions" AddressSchemeFileDescriptor = "fd" )
Address Schemes.
const ( // RememberMeDisabled represents the duration for a disabled remember me session configuration. RememberMeDisabled = time.Second * -1 )
Variables ¶
var DefaultACLRule = []AccessControlRule{ { Domains: []string{"public.example.com"}, Policy: "bypass", }, { Domains: []string{"singlefactor.example.com"}, Policy: "one_factor", }, { Domains: []string{"secure.example.com"}, Policy: policyTwoFactor, }, }
DefaultACLRule represents the default access control rule configuration.
var DefaultCIPasswordConfig = AuthenticationBackendFilePassword{ Algorithm: argon2, Argon2: AuthenticationBackendFilePasswordArgon2{ Iterations: 3, Memory: 64, Parallelism: 4, KeyLength: 32, SaltLength: 16, }, SHA2Crypt: AuthenticationBackendFilePasswordSHA2Crypt{ Variant: SHA512Lower, Iterations: 50000, SaltLength: 16, }, }
DefaultCIPasswordConfig represents the default configuration related to Argon2id hashing for CI. Its Argon2 Memory parameter (64) is far below the production DefaultPasswordConfig value (64 * 1024) and is intended for CI use only.
var DefaultIdentityValidation = IdentityValidation{ ResetPassword: IdentityValidationResetPassword{ JWTExpiration: time.Minute * 5, JWTAlgorithm: "HS256", }, ElevatedSession: IdentityValidationElevatedSession{ CodeLifespan: time.Minute * 5, ElevationLifespan: time.Minute * 10, Characters: 8, }, }
DefaultIdentityValidation has the default values for the IdentityValidation configuration.
var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory = AuthenticationBackendLDAP{ UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt})))", GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))", GroupSearchMode: ldapGroupSearchModeFilter, Attributes: AuthenticationBackendLDAPAttributes{ DistinguishedName: ldapAttrDistinguishedName, Username: ldapAttrSAMAccountName, DisplayName: ldapAttrDisplayName, FamilyName: ldapAttrSurname, GivenName: ldapAttrGivenName, MiddleName: ldapAttrMiddleName, Website: "wWWHomePage", Mail: ldapAttrMail, PhoneNumber: "telephoneNumber", StreetAddress: "streetAddress", Locality: "l", Region: "st", PostalCode: "postalCode", Country: "c", MemberOf: ldapAttrMemberOf, GroupName: ldapAttrCommonName, }, Timeout: time.Second * 5, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory represents the default LDAP config for the LDAPImplementationActiveDirectory Implementation.
var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = AuthenticationBackendLDAP{ GroupSearchMode: ldapGroupSearchModeFilter, Attributes: AuthenticationBackendLDAPAttributes{ Username: ldapAttrUserID, DisplayName: ldapAttrDisplayName, Mail: ldapAttrMail, GroupName: ldapAttrCommonName, }, Timeout: time.Second * 20, Pooling: AuthenticationBackendLDAPPooling{ Count: 5, Retries: 2, Timeout: time.Second * 10, }, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultLDAPAuthenticationBackendConfigurationImplementationCustom represents the default LDAP config.
var DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA = AuthenticationBackendLDAP{ UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))", GroupsFilter: "(&(member={dn})(objectClass=groupOfNames))", GroupSearchMode: ldapGroupSearchModeFilter, Attributes: AuthenticationBackendLDAPAttributes{ Username: ldapAttrUserID, DisplayName: ldapAttrDisplayName, Mail: ldapAttrMail, MemberOf: ldapAttrMemberOf, GroupName: ldapAttrCommonName, }, Timeout: time.Second * 5, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA represents the default LDAP config for the LDAPImplementationFreeIPA Implementation.
var DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth = AuthenticationBackendLDAP{ UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))", GroupsFilter: "(&(uniqueMember={dn})(objectClass=posixGroup))", GroupSearchMode: ldapGroupSearchModeFilter, Attributes: AuthenticationBackendLDAPAttributes{ Username: ldapAttrCommonName, DisplayName: ldapAttrDescription, Mail: ldapAttrMail, MemberOf: ldapAttrMemberOf, GroupName: ldapAttrCommonName, }, Timeout: time.Second * 5, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth represents the default LDAP config for the LDAPImplementationGLAuth Implementation.
var DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP = AuthenticationBackendLDAP{ AdditionalUsersDN: "OU=people", AdditionalGroupsDN: "OU=groups", UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))", GroupsFilter: "(&(member={dn})(objectClass=groupOfUniqueNames))", GroupSearchMode: ldapGroupSearchModeFilter, Attributes: AuthenticationBackendLDAPAttributes{ Username: ldapAttrUserID, DisplayName: ldapAttrCommonName, Mail: ldapAttrMail, MemberOf: ldapAttrMemberOf, GroupName: ldapAttrCommonName, }, Timeout: time.Second * 5, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP represents the default LDAP config for the LDAPImplementationLLDAP Implementation.
var DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis = AuthenticationBackendLDAP{ UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))", GroupsFilter: "(&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))(!(pwdReset=TRUE)))", GroupSearchMode: ldapGroupSearchModeFilter, Attributes: AuthenticationBackendLDAPAttributes{ Username: ldapAttrUserID, DisplayName: ldapAttrDisplayName, Mail: ldapAttrMail, MemberOf: ldapAttrMemberOf, GroupName: ldapAttrCommonName, }, Timeout: time.Second * 5, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis represents the default LDAP config for the LDAPImplementationRFC2307bis Implementation.
var DefaultLoggingConfiguration = Log{
Level: "info",
Format: "text",
}
DefaultLoggingConfiguration is the default logging configuration.
var DefaultMySQLStorageConfiguration = StorageMySQL{ StorageSQL: StorageSQL{ Address: &AddressTCP{Address{true, false, -1, 3306, nil, &url.URL{Scheme: AddressSchemeTCP, Host: "localhost:3306"}}}, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }, }
DefaultMySQLStorageConfiguration represents the default MySQL configuration.
var DefaultNTPConfiguration = NTP{ Address: &AddressUDP{Address{valid: true, socket: false, port: 123, url: &url.URL{Scheme: AddressSchemeUDP, Host: "time.cloudflare.com:123"}}}, Version: 4, MaximumDesync: time.Second * 3, }
DefaultNTPConfiguration represents default configuration parameters for the NTP server.
var DefaultOpenIDConnectClientConfiguration = IdentityProvidersOpenIDConnectClient{ AuthorizationPolicy: policyTwoFactor, Scopes: []string{"openid", "groups", "profile", "email"}, ResponseTypes: []string{"code"}, ResponseModes: []string{"form_post"}, AuthorizationSignedResponseAlg: "RS256", IDTokenSignedResponseAlg: "RS256", AccessTokenSignedResponseAlg: "none", UserinfoSignedResponseAlg: "none", IntrospectionSignedResponseAlg: "none", RequestedAudienceMode: "explicit", ConsentMode: "auto", ConsentPreConfiguredDuration: &defaultOIDCClientConsentPreConfiguredDuration, }
DefaultOpenIDConnectClientConfiguration contains defaults for OIDC Clients.
var DefaultOpenIDConnectConfiguration = IdentityProvidersOpenIDConnect{ Lifespans: IdentityProvidersOpenIDConnectLifespans{ IdentityProvidersOpenIDConnectLifespanToken: IdentityProvidersOpenIDConnectLifespanToken{ AccessToken: time.Hour, AuthorizeCode: time.Minute, IDToken: time.Hour, RefreshToken: time.Minute * 90, }, DeviceCode: time.Minute * 10, }, EnforcePKCE: "public_clients_only", }
DefaultOpenIDConnectConfiguration contains defaults for OIDC.
var DefaultOpenIDConnectPolicyConfiguration = IdentityProvidersOpenIDConnectPolicy{
DefaultPolicy: policyTwoFactor,
}
var DefaultPasswordConfig = AuthenticationBackendFilePassword{ Algorithm: argon2, Argon2: AuthenticationBackendFilePasswordArgon2{ Variant: argon2id, Iterations: 3, Memory: 64 * 1024, Parallelism: 4, KeyLength: 32, SaltLength: 16, }, SHA2Crypt: AuthenticationBackendFilePasswordSHA2Crypt{ Variant: SHA512Lower, Iterations: 50000, SaltLength: 16, }, PBKDF2: AuthenticationBackendFilePasswordPBKDF2{ Variant: SHA512Lower, Iterations: defaultIterationsPBKDF2SHA512, SaltLength: 16, }, Bcrypt: AuthenticationBackendFilePasswordBcrypt{ Variant: "standard", Cost: 12, }, Scrypt: AuthenticationBackendFilePasswordScrypt{ Variant: "scrypt", Iterations: 16, BlockSize: 8, Parallelism: 1, KeyLength: 32, SaltLength: 16, }, }
DefaultPasswordConfig represents the default file-backend password hashing configuration. The default algorithm is Argon2 with the argon2id variant; defaults are also provided for SHA2Crypt, PBKDF2, Bcrypt and Scrypt.
var DefaultPasswordPolicyConfiguration = PasswordPolicy{ Standard: PasswordPolicyStandard{ MinLength: 8, MaxLength: 0, }, ZXCVBN: PasswordPolicyZXCVBN{ MinScore: 3, }, }
DefaultPasswordPolicyConfiguration is the default password policy configuration.
var DefaultPostgreSQLStorageConfiguration = StoragePostgreSQL{ StorageSQL: StorageSQL{ Address: &AddressTCP{Address{true, false, -1, 5432, nil, &url.URL{Scheme: AddressSchemeTCP, Host: "localhost:5432"}}}, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }, Servers: []StoragePostgreSQLServer{ { Address: &AddressTCP{Address{true, false, -1, 5432, nil, &url.URL{Scheme: AddressSchemeTCP, Host: "localhost:5432"}}}, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }, }, Schema: "public", SSL: &StoragePostgreSQLSSL{ Mode: "disable", }, }
DefaultPostgreSQLStorageConfiguration represents the default PostgreSQL configuration. Note that the default SSL mode is "disable"; deployments that need an encrypted database connection have to set it explicitly.
var DefaultRedisConfiguration = SessionRedis{ Port: 6379, Timeout: time.Second * 5, MaxRetries: 0, MaximumActiveConnections: 8, TLS: &TLS{ MinimumVersion: TLSVersion{Value: tls.VersionTLS12}, }, }
DefaultRedisConfiguration is the default redis configuration.
var DefaultRedisHighAvailabilityConfiguration = SessionRedis{ Port: 26379, Timeout: time.Second * 5, MaxRetries: 0, MaximumActiveConnections: 8, TLS: &TLS{ MinimumVersion: TLSVersion{Value: tls.VersionTLS12}, }, }
DefaultRedisHighAvailabilityConfiguration is the default redis configuration for the high availability setup; it is identical to DefaultRedisConfiguration except that Port is 26379.
var DefaultRegulationConfiguration = Regulation{ Modes: []string{"user"}, MaxRetries: 3, FindTime: time.Minute * 2, BanTime: time.Minute * 5, }
DefaultRegulationConfiguration represents default configuration parameters for the regulator.
var DefaultSMTPNotifierConfiguration = NotifierSMTP{ Address: &AddressSMTP{Address{true, false, -1, 25, nil, &url.URL{Scheme: AddressSchemeSMTP, Host: "localhost:25"}}}, Timeout: time.Second * 5, Subject: "[Authelia] {title}", Identifier: "localhost", StartupCheckAddress: mail.Address{Name: "Authelia Test", Address: "test@authelia.com"}, TLS: &TLS{ MinimumVersion: TLSVersion{tls.VersionTLS12}, }, }
DefaultSMTPNotifierConfiguration represents default configuration parameters for the SMTP notifier.
var DefaultSQLStorageConfiguration = StorageSQL{ Timeout: 5 * time.Second, }
DefaultSQLStorageConfiguration represents the default SQL configuration.
var DefaultServerConfiguration = Server{ Address: &AddressTCP{Address{true, false, -1, 9091, nil, &url.URL{Scheme: AddressSchemeTCP, Host: ":9091", Path: "/"}}}, Buffers: ServerBuffers{ Read: 4096, Write: 4096, }, Timeouts: ServerTimeouts{ Read: time.Second * 6, Write: time.Second * 6, Idle: time.Second * 30, }, Endpoints: ServerEndpoints{ Authz: map[string]ServerEndpointsAuthz{ AuthzEndpointNameLegacy: { Implementation: AuthzImplementationLegacy, AuthnStrategies: []ServerEndpointsAuthzAuthnStrategy{ { Name: AuthzStrategyHeaderLegacy, }, { Name: AuthzStrategyHeaderCookieSession, }, }, }, AuthzEndpointNameAuthRequest: { Implementation: AuthzImplementationAuthRequest, AuthnStrategies: []ServerEndpointsAuthzAuthnStrategy{ { Name: AuthzStrategyHeaderAuthorization, Schemes: []string{SchemeBasic}, }, { Name: AuthzStrategyHeaderCookieSession, }, }, }, AuthzEndpointNameExtAuthz: { Implementation: AuthzImplementationExtAuthz, AuthnStrategies: []ServerEndpointsAuthzAuthnStrategy{ { Name: AuthzStrategyHeaderAuthorization, Schemes: []string{SchemeBasic}, }, { Name: AuthzStrategyHeaderCookieSession, }, }, }, AuthzEndpointNameForwardAuth: { Implementation: AuthzImplementationForwardAuth, AuthnStrategies: []ServerEndpointsAuthzAuthnStrategy{ { Name: AuthzStrategyHeaderAuthorization, Schemes: []string{SchemeBasic}, }, { Name: AuthzStrategyHeaderCookieSession, }, }, }, }, RateLimits: ServerEndpointRateLimits{ ResetPasswordStart: ServerEndpointRateLimit{ Buckets: []ServerEndpointRateLimitBucket{ {Period: 10 * time.Minute, Requests: 5}, {Period: 15 * time.Minute, Requests: 10}, {Period: 30 * time.Minute, Requests: 15}, }, }, ResetPasswordFinish: ServerEndpointRateLimit{ Buckets: []ServerEndpointRateLimitBucket{ {Period: 1 * time.Minute, Requests: 10}, {Period: 2 * time.Minute, Requests: 15}, }, }, SecondFactorTOTP: ServerEndpointRateLimit{ Buckets: []ServerEndpointRateLimitBucket{ {Period: 1 * time.Minute, Requests: 30}, {Period: 2 * time.Minute, Requests: 40}, {Period: 10 * 
time.Minute, Requests: 50}, }, }, SecondFactorDuo: ServerEndpointRateLimit{ Buckets: []ServerEndpointRateLimitBucket{ {Period: 1 * time.Minute, Requests: 10}, {Period: 2 * time.Minute, Requests: 15}, }, }, SessionElevationStart: ServerEndpointRateLimit{ Buckets: []ServerEndpointRateLimitBucket{ {Period: 1, Requests: 3}, {Period: 2, Requests: 5}, {Period: 12, Requests: 15}, }, }, SessionElevationFinish: ServerEndpointRateLimit{ Buckets: []ServerEndpointRateLimitBucket{ {Period: 1, Requests: 3}, {Period: 2, Requests: 5}, {Period: 6, Requests: 15}, }, }, }, }, }
DefaultServerConfiguration represents the default values of the Server. Note that the SessionElevationStart and SessionElevationFinish rate limit buckets specify Period as bare integers (1, 2, 12 and 1, 2, 6) whereas every other bucket uses a multiple of time.Minute; if Period is a time.Duration, as the other buckets imply, these values are nanoseconds rather than minutes and those two limits would be effectively inactive — confirm against the ServerEndpointRateLimitBucket definition.
var DefaultSessionConfiguration = Session{ SessionCookieCommon: SessionCookieCommon{ Name: "authelia_session", Expiration: time.Hour, Inactivity: time.Minute * 5, RememberMe: time.Hour * 24 * 30, SameSite: "lax", }, }
DefaultSessionConfiguration is the default session configuration.
var DefaultTOTPConfiguration = TOTP{ Issuer: "Authelia", DefaultAlgorithm: TOTPAlgorithmSHA1, DefaultDigits: 6, DefaultPeriod: 30, Skew: &defaultTOTPSkew, SecretSize: TOTPSecretSizeDefault, AllowedAlgorithms: []string{TOTPAlgorithmSHA1}, AllowedDigits: []int{6}, AllowedPeriods: []int{30}, }
DefaultTOTPConfiguration represents default configuration parameters for TOTP generation.
var DefaultTelemetryConfig = Telemetry{ Metrics: TelemetryMetrics{ Address: &AddressTCP{Address{true, false, -1, 9959, nil, &url.URL{Scheme: AddressSchemeTCP, Host: ":9959", Path: "/metrics"}}}, Buffers: ServerBuffers{ Read: 4096, Write: 4096, }, Timeouts: ServerTimeouts{ Read: time.Second * 6, Write: time.Second * 6, Idle: time.Second * 30, }, }, }
DefaultTelemetryConfig is the default telemetry configuration.
var DefaultWebAuthnConfiguration = WebAuthn{ DisplayName: "Authelia", Timeout: time.Second * 60, ConveyancePreference: protocol.PreferIndirectAttestation, Metadata: WebAuthnMetadata{ Enabled: false, ValidateTrustAnchor: true, ValidateEntry: true, ValidateEntryPermitZeroAAGUID: false, ValidateStatus: true, ValidateStatusPermitted: []metadata.AuthenticatorStatus{}, ValidateStatusProhibited: []metadata.AuthenticatorStatus{ metadata.AttestationKeyCompromise, metadata.UserVerificationBypass, metadata.UserKeyRemoteCompromise, metadata.UserKeyPhysicalCompromise, metadata.Revoked, }, }, }
DefaultWebAuthnConfiguration describes the default values for the WebAuthn configuration.
var ErrTLSVersionNotSupported = errors.New("supplied tls version isn't supported")
ErrTLSVersionNotSupported is returned when an unknown TLS version is supplied.
var Keys = []string{}/* 484 elements not displayed */
Keys is a list of valid schema keys detected by reflecting over a schema.Configuration struct.
var ( // TOTPPossibleAlgorithms is a list of valid TOTP Algorithms. TOTPPossibleAlgorithms = []string{TOTPAlgorithmSHA1, TOTPAlgorithmSHA256, TOTPAlgorithmSHA512} )
Functions ¶
func DecodeAlgorithmDigest ¶ added in v4.38.0
DecodeAlgorithmDigest returns a new algorithm.Digest if the encoded digest string can be decoded.
func PBKDF2VariantDefaultIterations ¶ added in v4.39.5
Types ¶
type AccessControl ¶ added in v4.38.0
type AccessControl struct {
// The default policy if no other policy matches the request.
DefaultPolicy string `` /* 336-byte string literal not displayed */
// Represents a list of named network groups.
Networks []AccessControlNetwork `` /* 217-byte string literal not displayed */
// The ACL rules list.
Rules []AccessControlRule `` /* 186-byte string literal not displayed */
}
AccessControl represents the configuration related to ACLs.
type AccessControlNetwork ¶ added in v4.38.0
type AccessControlNetwork struct {
Name string `` /* 226-byte string literal not displayed */
Networks []*net.IPNet `` /* 234-byte string literal not displayed */
}
AccessControlNetwork represents one ACL network group entry.
type AccessControlRule ¶ added in v4.38.0
type AccessControlRule struct {
Domains AccessControlRuleDomains `` /* 255-byte string literal not displayed */
DomainsRegex AccessControlRuleRegex `` /* 278-byte string literal not displayed */
Policy string `` /* 259-byte string literal not displayed */
Subjects AccessControlRuleSubjects `` /* 207-byte string literal not displayed */
Networks []*net.IPNet `` /* 252-byte string literal not displayed */
Resources AccessControlRuleRegex `` /* 235-byte string literal not displayed */
Methods AccessControlRuleMethods `` /* 358-byte string literal not displayed */
Query [][]AccessControlRuleQuery `` /* 194-byte string literal not displayed */
}
AccessControlRule represents one ACL rule entry.
type AccessControlRuleDomains ¶ added in v4.38.0
type AccessControlRuleDomains []string
func (AccessControlRuleDomains) JSONSchema ¶ added in v4.38.0
func (AccessControlRuleDomains) JSONSchema() *jsonschema.Schema
type AccessControlRuleMethods ¶ added in v4.38.0
type AccessControlRuleMethods []string
func (AccessControlRuleMethods) JSONSchema ¶ added in v4.38.0
func (AccessControlRuleMethods) JSONSchema() *jsonschema.Schema
type AccessControlRuleQuery ¶ added in v4.38.0
type AccessControlRuleQuery struct {
Operator string `` /* 284-byte string literal not displayed */
Key string `` /* 177-byte string literal not displayed */
Value any `` /* 173-byte string literal not displayed */
}
AccessControlRuleQuery represents the ACL query criteria.
type AccessControlRuleRegex ¶ added in v4.38.0
AccessControlRuleRegex represents the ACL regular-expression list type used by the DomainsRegex and Resources fields of AccessControlRule.
func (AccessControlRuleRegex) JSONSchema ¶ added in v4.38.0
func (AccessControlRuleRegex) JSONSchema() *jsonschema.Schema
type AccessControlRuleSubjects ¶ added in v4.38.0
type AccessControlRuleSubjects [][]string
AccessControlRuleSubjects represents the ACL AccessControlRuleSubjects type.
func (AccessControlRuleSubjects) JSONSchema ¶ added in v4.38.0
func (AccessControlRuleSubjects) JSONSchema() *jsonschema.Schema
type Address ¶ added in v4.36.0
type Address struct {
// contains filtered or unexported fields
}
Address represents an address.
func NewAddress ¶ added in v4.36.0
NewAddress returns an *Address and error depending on the ability to parse the string as an Address. It also assumes any value without a scheme which looks like a path is the 'unix' scheme, and everything else without a scheme is the 'tcp' scheme.
func NewAddressDefault ¶ added in v4.38.0
func NewAddressDefault(value, schemeDefault, schemeDefaultPath string) (address *Address, err error)
NewAddressDefault returns an *Address and error depending on the ability to parse the string as an Address. It also assumes any value without a scheme which looks like a path is the schemeDefaultPath scheme, and everything else without a scheme is the schemeDefault scheme.
func NewAddressFromNetworkPathValues ¶ added in v4.38.0
NewAddressFromNetworkPathValues returns an *Address from network values and a path.
func NewAddressFromNetworkValues ¶ added in v4.38.0
NewAddressFromNetworkValues returns an *Address from network values.
func NewAddressFromNetworkValuesDefault ¶ added in v4.38.0
func NewAddressFromNetworkValuesDefault(value string, port uint16, schemeDefault, schemeDefaultPath string) (address *Address, err error)
NewAddressFromNetworkValuesDefault returns an *Address and error depending on the ability to parse the string as an Address. It also assumes any value without a scheme which looks like a path is the schemeDefaultPath scheme, and everything else without a scheme is the schemeDefault scheme.
func NewAddressFromURL ¶ added in v4.36.2
NewAddressFromURL returns an *Address and error depending on the ability to parse the *url.URL as an Address.
func NewAddressUnix ¶ added in v4.38.0
NewAddressUnix returns an *Address from a path value.
func (*Address) Hostname ¶ added in v4.38.0
Hostname returns the output of the *url.URL Hostname func.
func (*Address) IsExplicitlySecure ¶ added in v4.38.0
IsExplicitlySecure returns true if the address is explicitly secure.
func (*Address) IsFileDescriptor ¶ added in v4.39.0
IsFileDescriptor returns true if the address has been determined to be a File Descriptor.
func (*Address) IsTCP ¶ added in v4.38.0
IsTCP returns true if the address is one of the TCP schemes (not including application schemes that use TCP).
func (*Address) IsUDP ¶ added in v4.38.0
IsUDP returns true if the address is one of the UDP schemes (not including application schemes that use UDP).
func (*Address) IsUnixDomainSocket ¶ added in v4.38.0
IsUnixDomainSocket returns true if the address has been determined to be a Unix Domain Socket.
func (Address) JSONSchema ¶ added in v4.38.0
func (Address) JSONSchema() *jsonschema.Schema
JSONSchema returns the appropriate *jsonschema.Schema for this type.
func (*Address) Network ¶ added in v4.38.0
Network returns the Scheme() if it is appropriate for the net package's network arguments; otherwise it returns tcp.
func (*Address) NetworkAddress ¶ added in v4.38.0
NetworkAddress returns a string representation of the Address with just the host and port.
func (*Address) RouterPath ¶ added in v4.38.0
RouterPath returns the path the server router uses to serve requests. It should be the same as Path unless the path query parameter has been set.
func (*Address) SetHostname ¶ added in v4.38.0
SetHostname sets the hostname preserving the port.
func (*Address) SocketHostname ¶ added in v4.38.0
SocketHostname returns the correct hostname for a socket connection.
func (*Address) ValidateHTTP ¶ added in v4.38.0
ValidateHTTP returns true if the Address is valid for an HTTP connection listener.
func (*Address) ValidateLDAP ¶ added in v4.38.0
ValidateLDAP returns true if the Address has a valid Scheme for an LDAP connection opener.
func (*Address) ValidateListener ¶ added in v4.38.0
ValidateListener returns true if the Address is valid for a connection listener.
func (*Address) ValidateSMTP ¶ added in v4.38.0
ValidateSMTP returns true if the Address is valid for a remote SMTP connection opener.
func (*Address) ValidateSQL ¶ added in v4.38.0
ValidateSQL returns true if the Address is valid for a remote SQL connection opener.
type AddressLDAP ¶ added in v4.38.0
type AddressLDAP struct {
Address
}
AddressLDAP is a distinct type that embeds Address.
func (AddressLDAP) JSONSchema ¶ added in v4.38.0
func (AddressLDAP) JSONSchema() *jsonschema.Schema
JSONSchema returns the appropriate *jsonschema.Schema for this type.
type AddressSMTP ¶ added in v4.38.0
type AddressSMTP struct {
Address
}
AddressSMTP is a distinct type that embeds Address.
func NewSMTPAddress ¶ added in v4.38.0
func NewSMTPAddress(scheme, host string, port uint16) *AddressSMTP
NewSMTPAddress returns an *AddressSMTP from SMTP values.
func (AddressSMTP) JSONSchema ¶ added in v4.38.0
func (AddressSMTP) JSONSchema() *jsonschema.Schema
JSONSchema returns the appropriate *jsonschema.Schema for this type.
type AddressTCP ¶ added in v4.38.0
type AddressTCP struct {
Address
}
AddressTCP is a distinct type that embeds Address.
func (AddressTCP) JSONSchema ¶ added in v4.38.0
func (AddressTCP) JSONSchema() *jsonschema.Schema
JSONSchema returns the appropriate *jsonschema.Schema for this type.
type AddressUDP ¶ added in v4.38.0
type AddressUDP struct {
Address
}
AddressUDP is a distinct type that embeds Address.
func (AddressUDP) JSONSchema ¶ added in v4.38.0
func (AddressUDP) JSONSchema() *jsonschema.Schema
JSONSchema returns the appropriate *jsonschema.Schema for this type.
type AuthenticationBackend ¶ added in v4.37.0
type AuthenticationBackend struct {
PasswordReset AuthenticationBackendPasswordReset `` /* 231-byte string literal not displayed */
PasswordChange AuthenticationBackendPasswordChange `` /* 235-byte string literal not displayed */
RefreshInterval RefreshIntervalDuration `` /* 269-byte string literal not displayed */
// The file authentication backend configuration.
File *AuthenticationBackendFile `` /* 182-byte string literal not displayed */
LDAP *AuthenticationBackendLDAP `` /* 182-byte string literal not displayed */
}
AuthenticationBackend represents the configuration related to the authentication backend.
type AuthenticationBackendExtraAttribute ¶ added in v4.39.0
type AuthenticationBackendExtraAttribute struct {
MultiValued bool `` /* 176-byte string literal not displayed */
ValueType string `` /* 237-byte string literal not displayed */
}
func (AuthenticationBackendExtraAttribute) GetValueType ¶ added in v4.39.0
func (a AuthenticationBackendExtraAttribute) GetValueType() (vtype string)
func (AuthenticationBackendExtraAttribute) IsMultiValued ¶ added in v4.39.0
func (a AuthenticationBackendExtraAttribute) IsMultiValued() (multi bool)
type AuthenticationBackendFile ¶ added in v4.38.0
type AuthenticationBackendFile struct {
Path string `` /* 163-byte string literal not displayed */
Watch bool `` /* 203-byte string literal not displayed */
Password AuthenticationBackendFilePassword `` /* 266-byte string literal not displayed */
Search AuthenticationBackendFileSearch `` /* 178-byte string literal not displayed */
ExtraAttributes map[string]AuthenticationBackendExtraAttribute `` /* 273-byte string literal not displayed */
}
AuthenticationBackendFile represents the configuration related to file-based backend.
type AuthenticationBackendFilePassword ¶ added in v4.38.0
type AuthenticationBackendFilePassword struct {
Algorithm string `` /* 269-byte string literal not displayed */
Argon2 AuthenticationBackendFilePasswordArgon2 `` /* 187-byte string literal not displayed */
SHA2Crypt AuthenticationBackendFilePasswordSHA2Crypt `` /* 205-byte string literal not displayed */
PBKDF2 AuthenticationBackendFilePasswordPBKDF2 `` /* 187-byte string literal not displayed */
Bcrypt AuthenticationBackendFilePasswordBcrypt `` /* 187-byte string literal not displayed */
Scrypt AuthenticationBackendFilePasswordScrypt `` /* 187-byte string literal not displayed */
// Deprecated: Use individual password options instead.
Iterations int `koanf:"iterations" yaml:"iterations" toml:"iterations" json:"iterations" jsonschema:"deprecated,title=Iterations"`
// Deprecated: Use individual password options instead.
Memory int `koanf:"memory" yaml:"memory" toml:"memory" json:"memory" jsonschema:"deprecated,title=Memory"`
// Deprecated: Use individual password options instead.
Parallelism int `koanf:"parallelism" yaml:"parallelism" toml:"parallelism" json:"parallelism" jsonschema:"deprecated,title=Parallelism"`
// Deprecated: Use individual password options instead.
KeyLength int `koanf:"key_length" yaml:"key_length" toml:"key_length" json:"key_length" jsonschema:"deprecated,title=Key Length"`
// Deprecated: Use individual password options instead.
SaltLength int `koanf:"salt_length" yaml:"salt_length" toml:"salt_length" json:"salt_length" jsonschema:"deprecated,title=Salt Length"`
}
AuthenticationBackendFilePassword represents the configuration related to password hashing.
type AuthenticationBackendFilePasswordArgon2 ¶ added in v4.38.0
type AuthenticationBackendFilePasswordArgon2 struct {
Variant string `` /* 230-byte string literal not displayed */
Iterations int `` /* 195-byte string literal not displayed */
Memory int `` /* 217-byte string literal not displayed */
Parallelism int `` /* 228-byte string literal not displayed */
KeyLength int `` /* 197-byte string literal not displayed */
SaltLength int `` /* 196-byte string literal not displayed */
}
AuthenticationBackendFilePasswordArgon2 represents the argon2 hashing settings.
type AuthenticationBackendFilePasswordBcrypt ¶ added in v4.39.2
type AuthenticationBackendFilePasswordBcrypt struct {
Variant string `` /* 216-byte string literal not displayed */
Cost int `` /* 158-byte string literal not displayed */
}
AuthenticationBackendFilePasswordBcrypt represents the bcrypt hashing settings.
type AuthenticationBackendFilePasswordPBKDF2 ¶ added in v4.38.0
type AuthenticationBackendFilePasswordPBKDF2 struct {
Variant string `` /* 246-byte string literal not displayed */
Iterations int `` /* 210-byte string literal not displayed */
SaltLength int `` /* 207-byte string literal not displayed */
}
AuthenticationBackendFilePasswordPBKDF2 represents the PBKDF2 hashing settings.
type AuthenticationBackendFilePasswordSHA2Crypt ¶ added in v4.38.0
type AuthenticationBackendFilePasswordSHA2Crypt struct {
Variant string `` /* 215-byte string literal not displayed */
Iterations int `` /* 228-byte string literal not displayed */
SaltLength int `` /* 202-byte string literal not displayed */
}
AuthenticationBackendFilePasswordSHA2Crypt represents the sha2crypt hashing settings.
type AuthenticationBackendFilePasswordScrypt ¶ added in v4.39.2
type AuthenticationBackendFilePasswordScrypt struct {
Variant string `` /* 213-byte string literal not displayed */
Iterations int `` /* 193-byte string literal not displayed */
BlockSize int `` /* 207-byte string literal not displayed */
Parallelism int `` /* 212-byte string literal not displayed */
KeyLength int `` /* 203-byte string literal not displayed */
SaltLength int `` /* 201-byte string literal not displayed */
}
AuthenticationBackendFilePasswordScrypt represents the scrypt hashing settings.
type AuthenticationBackendFileSearch ¶ added in v4.38.0
type AuthenticationBackendFileSearch struct {
Email bool `` /* 209-byte string literal not displayed */
CaseInsensitive bool `` /* 232-byte string literal not displayed */
}
AuthenticationBackendFileSearch represents the configuration related to file-based backend searching.
type AuthenticationBackendLDAP ¶ added in v4.38.0
type AuthenticationBackendLDAP struct {
Address *AddressLDAP `` /* 184-byte string literal not displayed */
Implementation string `` /* 337-byte string literal not displayed */
Timeout time.Duration `` /* 207-byte string literal not displayed */
StartTLS bool `` /* 164-byte string literal not displayed */
TLS *TLS `` /* 175-byte string literal not displayed */
Pooling AuthenticationBackendLDAPPooling `` /* 182-byte string literal not displayed */
BaseDN string `` /* 188-byte string literal not displayed */
AdditionalUsersDN string `` /* 286-byte string literal not displayed */
UsersFilter string `` /* 216-byte string literal not displayed */
AdditionalGroupsDN string `` /* 292-byte string literal not displayed */
GroupsFilter string `` /* 222-byte string literal not displayed */
GroupSearchMode string `` /* 296-byte string literal not displayed */
Attributes AuthenticationBackendLDAPAttributes `koanf:"attributes" yaml:"attributes,omitempty" toml:"attributes,omitempty" json:"attributes,omitempty"`
PermitReferrals bool `` /* 203-byte string literal not displayed */
PermitUnauthenticatedBind bool `` /* 295-byte string literal not displayed */
PermitFeatureDetectionFailure bool `` /* 336-byte string literal not displayed */
User string `` /* 173-byte string literal not displayed */
Password string `` /* 192-byte string literal not displayed */
}
AuthenticationBackendLDAP represents the configuration related to LDAP server.
type AuthenticationBackendLDAPAttributes ¶ added in v4.38.0
type AuthenticationBackendLDAPAttributes struct {
DistinguishedName string `` /* 294-byte string literal not displayed */
Username string `` /* 237-byte string literal not displayed */
DisplayName string `` /* 261-byte string literal not displayed */
FamilyName string `` /* 250-byte string literal not displayed */
GivenName string `` /* 244-byte string literal not displayed */
MiddleName string `` /* 250-byte string literal not displayed */
Nickname string `` /* 232-byte string literal not displayed */
Gender string `` /* 220-byte string literal not displayed */
Birthdate string `` /* 238-byte string literal not displayed */
Website string `` /* 230-byte string literal not displayed */
Profile string `` /* 230-byte string literal not displayed */
Picture string `` /* 230-byte string literal not displayed */
ZoneInfo string `` /* 253-byte string literal not displayed */
Locale string `` /* 232-byte string literal not displayed */
PhoneNumber string `` /* 256-byte string literal not displayed */
PhoneExtension string `` /* 274-byte string literal not displayed */
StreetAddress string `` /* 268-byte string literal not displayed */
Locality string `` /* 232-byte string literal not displayed */
Region string `` /* 220-byte string literal not displayed */
PostalCode string `` /* 250-byte string literal not displayed */
Country string `` /* 226-byte string literal not displayed */
Mail string `` /* 232-byte string literal not displayed */
MemberOf string `` /* 252-byte string literal not displayed */
GroupName string `` /* 245-byte string literal not displayed */
Extra map[string]AuthenticationBackendLDAPAttributesAttribute `` /* 229-byte string literal not displayed */
}
AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes.
type AuthenticationBackendLDAPAttributesAttribute ¶ added in v4.39.0
type AuthenticationBackendLDAPAttributesAttribute struct {
Name string `` /* 235-byte string literal not displayed */
AuthenticationBackendExtraAttribute `koanf:",squash"`
}
type AuthenticationBackendLDAPPooling ¶ added in v4.39.0
type AuthenticationBackendPasswordChange ¶ added in v4.39.0
type AuthenticationBackendPasswordChange struct {
Disable bool `` /* 163-byte string literal not displayed */
}
AuthenticationBackendPasswordChange represents the configuration related to password change functionality.
type AuthenticationBackendPasswordReset ¶ added in v4.38.0
type AuthenticationBackendPasswordReset struct {
Disable bool `` /* 162-byte string literal not displayed */
CustomURL url.URL `` /* 252-byte string literal not displayed */
}
AuthenticationBackendPasswordReset represents the configuration related to password reset functionality.
type CSPTemplate ¶ added in v4.38.0
type CSPTemplate string
type Configuration ¶
type Configuration struct {
Theme string `` /* 248-byte string literal not displayed */
CertificatesDirectory string `` /* 308-byte string literal not displayed */
Default2FAMethod string `` /* 321-byte string literal not displayed */
Log Log `` /* 145-byte string literal not displayed */
IdentityProviders IdentityProviders `` /* 231-byte string literal not displayed */
AuthenticationBackend AuthenticationBackend `` /* 255-byte string literal not displayed */
Session Session `` /* 165-byte string literal not displayed */
TOTP TOTP `` /* 171-byte string literal not displayed */
DuoAPI DuoAPI `` /* 165-byte string literal not displayed */
AccessControl AccessControl `` /* 207-byte string literal not displayed */
NTP NTP `` /* 159-byte string literal not displayed */
Regulation Regulation `` /* 183-byte string literal not displayed */
Storage Storage `` /* 165-byte string literal not displayed */
Notifier Notifier `` /* 171-byte string literal not displayed */
Server Server `` /* 159-byte string literal not displayed */
Telemetry Telemetry `` /* 177-byte string literal not displayed */
WebAuthn WebAuthn `` /* 171-byte string literal not displayed */
PasswordPolicy PasswordPolicy `` /* 213-byte string literal not displayed */
PrivacyPolicy PrivacyPolicy `` /* 207-byte string literal not displayed */
IdentityValidation IdentityValidation `` /* 237-byte string literal not displayed */
Definitions Definitions `` /* 223-byte string literal not displayed */
// Deprecated: Use the session cookies option with the same name instead.
DefaultRedirectionURL *url.URL `` /* 223-byte string literal not displayed */
}
Configuration is the configuration object extracted from the YAML configuration file.
type CryptographicKey ¶ added in v4.38.0
type CryptographicKey any
CryptographicKey represents an artificial cryptographic public or private key.
type CryptographicPrivateKey ¶ added in v4.37.0
// CryptographicPrivateKey describes the method set that concrete private key
// types in the standard library's crypto packages share; it mirrors the
// documented shape of crypto.PrivateKey.
type CryptographicPrivateKey interface {
	// Public returns the public key corresponding to this private key.
	Public() crypto.PublicKey
	// Equal reports whether x is the same private key as the receiver.
	Equal(x crypto.PrivateKey) bool
}
CryptographicPrivateKey represents the actual crypto.PrivateKey interface.
type Definitions ¶ added in v4.39.0
type Definitions struct {
Network map[string][]*net.IPNet `` /* 228-byte string literal not displayed */
UserAttributes map[string]UserAttribute `` /* 229-byte string literal not displayed */
}
type DuoAPI ¶ added in v4.38.0
type DuoAPI struct {
Disable bool `` /* 159-byte string literal not displayed */
Hostname string `` /* 212-byte string literal not displayed */
IntegrationKey string `` /* 238-byte string literal not displayed */
SecretKey string `` /* 208-byte string literal not displayed */
EnableSelfEnrollment bool `` /* 234-byte string literal not displayed */
}
DuoAPI represents the configuration related to Duo API.
type ErrorContainer ¶
// ErrorContainer collects errors and warnings so callers can record them as
// they are found and retrieve them afterwards.
type ErrorContainer interface {
	// Push records err as an error.
	Push(err error)
	// PushWarning records err as a warning rather than an error.
	PushWarning(err error)
	// HasErrors reports whether any errors have been pushed.
	HasErrors() bool
	// HasWarnings reports whether any warnings have been pushed.
	HasWarnings() bool
	// Errors returns the errors pushed so far.
	Errors() []error
	// Warnings returns the warnings pushed so far.
	Warnings() []error
}
ErrorContainer represents a container where we can add errors and retrieve them.
type IdentityProviders ¶ added in v4.38.0
type IdentityProviders struct {
OIDC *IdentityProvidersOpenIDConnect `koanf:"oidc" yaml:"oidc,omitempty" toml:"oidc,omitempty" json:"oidc,omitempty"`
}
IdentityProviders represents the Identity Providers configuration for Authelia.
type IdentityProvidersOpenIDConnect ¶ added in v4.38.0
type IdentityProvidersOpenIDConnect struct {
HMACSecret string `` /* 206-byte string literal not displayed */
JSONWebKeys []JWK `` /* 214-byte string literal not displayed */
EnableClientDebugMessages bool `` /* 278-byte string literal not displayed */
MinimumParameterEntropy int `` /* 267-byte string literal not displayed */
EnforcePKCE string `` /* 322-byte string literal not displayed */
EnablePKCEPlainChallenge bool `` /* 303-byte string literal not displayed */
EnableJWTAccessTokenStatelessIntrospection bool `` /* 401-byte string literal not displayed */
DiscoverySignedResponseAlg string `` /* 475-byte string literal not displayed */
DiscoverySignedResponseKeyID string `` /* 401-byte string literal not displayed */
RequirePushedAuthorizationRequests bool `` /* 334-byte string literal not displayed */
CORS IdentityProvidersOpenIDConnectCORS `` /* 183-byte string literal not displayed */
Clients []IdentityProvidersOpenIDConnectClient `` /* 179-byte string literal not displayed */
AuthorizationPolicies map[string]IdentityProvidersOpenIDConnectPolicy `` /* 255-byte string literal not displayed */
Lifespans IdentityProvidersOpenIDConnectLifespans `` /* 183-byte string literal not displayed */
ClaimsPolicies map[string]IdentityProvidersOpenIDConnectClaimsPolicy `` /* 249-byte string literal not displayed */
Scopes map[string]IdentityProvidersOpenIDConnectScope `` /* 160-byte string literal not displayed */
Discovery IdentityProvidersOpenIDConnectDiscovery `json:"-"` // MetaData value. Not configurable by users.
IssuerCertificateChain X509CertificateChain `` /* 314-byte string literal not displayed */
IssuerPrivateKey *rsa.PrivateKey `` /* 279-byte string literal not displayed */
}
IdentityProvidersOpenIDConnect represents the configuration for OpenID Connect 1.0.
type IdentityProvidersOpenIDConnectCORS ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectCORS struct {
Endpoints []string `` /* 350-byte string literal not displayed */
AllowedOrigins []*url.URL `` /* 246-byte string literal not displayed */
AllowedOriginsFromClientRedirectURIs bool `` /* 365-byte string literal not displayed */
}
IdentityProvidersOpenIDConnectCORS represents an OpenID Connect 1.0 CORS config.
type IdentityProvidersOpenIDConnectClaimsPolicy ¶ added in v4.39.0
type IdentityProvidersOpenIDConnectClaimsPolicy struct {
IDToken []string `` /* 250-byte string literal not displayed */
AccessToken []string `` /* 278-byte string literal not displayed */
IDTokenAudienceMode string `` /* 364-byte string literal not displayed */
CustomClaims IdentityProvidersOpenIDConnectCustomClaims `` /* 251-byte string literal not displayed */
}
type IdentityProvidersOpenIDConnectClient ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectClient struct {
ID string `` /* 158-byte string literal not displayed */
Name string `` /* 192-byte string literal not displayed */
Secret *PasswordDigest `` /* 207-byte string literal not displayed */
SectorIdentifierURI *url.URL `` /* 285-byte string literal not displayed */
Public bool `` /* 153-byte string literal not displayed */
RedirectURIs IdentityProvidersOpenIDConnectClientURIs `` /* 197-byte string literal not displayed */
RequestURIs IdentityProvidersOpenIDConnectClientURIs `` /* 191-byte string literal not displayed */
Audience []string `` /* 179-byte string literal not displayed */
Scopes []string `` /* 325-byte string literal not displayed */
GrantTypes []string `` /* 370-byte string literal not displayed */
ResponseTypes []string `` /* 350-byte string literal not displayed */
ResponseModes []string `` /* 334-byte string literal not displayed */
AuthorizationPolicy string `` /* 247-byte string literal not displayed */
Lifespan string `` /* 202-byte string literal not displayed */
ClaimsPolicy string `` /* 205-byte string literal not displayed */
RequestedAudienceMode string `` /* 292-byte string literal not displayed */
ConsentMode string `` /* 256-byte string literal not displayed */
ConsentPreConfiguredDuration *time.Duration `` /* 360-byte string literal not displayed */
RequirePushedAuthorizationRequests bool `` /* 380-byte string literal not displayed */
RequirePKCE bool `` /* 234-byte string literal not displayed */
PKCEChallengeMethod string `` /* 280-byte string literal not displayed */
AuthorizationSignedResponseAlg string `` /* 559-byte string literal not displayed */
AuthorizationSignedResponseKeyID string `` /* 484-byte string literal not displayed */
AuthorizationEncryptedResponseAlg string `` /* 746-byte string literal not displayed */
AuthorizationEncryptedResponseEnc string `` /* 570-byte string literal not displayed */
AuthorizationEncryptedResponseKeyID string `` /* 548-byte string literal not displayed */
IDTokenSignedResponseAlg string `` /* 529-byte string literal not displayed */
IDTokenSignedResponseKeyID string `` /* 449-byte string literal not displayed */
IDTokenEncryptedResponseAlg string `` /* 716-byte string literal not displayed */
IDTokenEncryptedResponseEnc string `` /* 540-byte string literal not displayed */
IDTokenEncryptedResponseKeyID string `` /* 508-byte string literal not displayed */
AccessTokenSignedResponseAlg string `` /* 562-byte string literal not displayed */
AccessTokenSignedResponseKeyID string `` /* 477-byte string literal not displayed */
AccessTokenEncryptedResponseAlg string `` /* 740-byte string literal not displayed */
AccessTokenEncryptedResponseEnc string `` /* 564-byte string literal not displayed */
AccessTokenEncryptedResponseKeyID string `` /* 540-byte string literal not displayed */
UserinfoSignedResponseAlg string `` /* 538-byte string literal not displayed */
UserinfoSignedResponseKeyID string `` /* 449-byte string literal not displayed */
UserinfoEncryptedResponseAlg string `` /* 716-byte string literal not displayed */
UserinfoEncryptedResponseEnc string `` /* 540-byte string literal not displayed */
UserinfoEncryptedResponseKeyID string `` /* 508-byte string literal not displayed */
IntrospectionSignedResponseAlg string `` /* 568-byte string literal not displayed */
IntrospectionSignedResponseKeyID string `` /* 484-byte string literal not displayed */
IntrospectionEncryptedResponseAlg string `` /* 746-byte string literal not displayed */
IntrospectionEncryptedResponseEnc string `` /* 570-byte string literal not displayed */
IntrospectionEncryptedResponseKeyID string `` /* 548-byte string literal not displayed */
RequestObjectSigningAlg string `` /* 466-byte string literal not displayed */
RequestObjectEncryptionAlg string `` /* 681-byte string literal not displayed */
RequestObjectEncryptionEnc string `` /* 504-byte string literal not displayed */
TokenEndpointAuthMethod string `` /* 437-byte string literal not displayed */
TokenEndpointAuthSigningAlg string `` /* 476-byte string literal not displayed */
RevocationEndpointAuthMethod string `` /* 467-byte string literal not displayed */
RevocationEndpointAuthSigningAlg string `` /* 506-byte string literal not displayed */
IntrospectionEndpointAuthMethod string `` /* 485-byte string literal not displayed */
IntrospectionEndpointAuthSigningAlg string `` /* 524-byte string literal not displayed */
PushedAuthorizationRequestEndpointAuthMethod string `` /* 575-byte string literal not displayed */
PushedAuthorizationRequestAuthSigningAlg string `` /* 614-byte string literal not displayed */
AllowMultipleAuthenticationMethods bool `` /* 410-byte string literal not displayed */
JSONWebKeysURI *url.URL `` /* 307-byte string literal not displayed */
JSONWebKeys []JWK `` /* 261-byte string literal not displayed */
Discovery IdentityProvidersOpenIDConnectDiscovery `yaml:"-" json:"-"` // MetaData value. Not configurable by users.
}
IdentityProvidersOpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client.
type IdentityProvidersOpenIDConnectClientURIs ¶ added in v4.38.7
type IdentityProvidersOpenIDConnectClientURIs []string
func (IdentityProvidersOpenIDConnectClientURIs) JSONSchema ¶ added in v4.38.7
func (IdentityProvidersOpenIDConnectClientURIs) JSONSchema() *jsonschema.Schema
type IdentityProvidersOpenIDConnectCustomClaim ¶ added in v4.39.0
type IdentityProvidersOpenIDConnectCustomClaims ¶ added in v4.39.5
type IdentityProvidersOpenIDConnectCustomClaims map[string]IdentityProvidersOpenIDConnectCustomClaim
func (IdentityProvidersOpenIDConnectCustomClaims) GetCustomClaimByName ¶ added in v4.39.5
func (c IdentityProvidersOpenIDConnectCustomClaims) GetCustomClaimByName(name string) IdentityProvidersOpenIDConnectCustomClaim
type IdentityProvidersOpenIDConnectDiscovery ¶ added in v4.38.0
// IdentityProvidersOpenIDConnectDiscovery holds information discovered during
// validation that is reused by the discovery handlers. It is metadata derived
// from the configuration rather than user-configurable input; the parent
// types expose it through fields tagged `json:"-"`.
//
// NOTE(review): the meaning of the individual fields is not established by
// this declaration alone; confirm against the validation code that populates
// them before relying on any interpretation beyond the field names.
type IdentityProvidersOpenIDConnectDiscovery struct {
	Claims                           []string
	Scopes                           []string
	AuthorizationPolicies            []string
	Lifespans                        []string
	DefaultSigKeyIDs                 map[string]string
	DefaultEncKeyIDs                 map[string]string
	DefaultKeyID                     string
	ResponseObjectSigningKeyIDs      []string
	ResponseObjectEncryptionKeyIDs   []string
	ResponseObjectSigningAlgs        []string
	ResponseObjectEncryptionAlgs     []string
	RequestObjectSigningAlgs         []string
	JWTResponseAccessTokens          bool
	BearerAuthorization              bool
	ClientSecretPlainText            bool
	ResponseObjectSymmetricSigEncAlg bool
	RequestObjectSymmetricSigEncAlg  bool
}
IdentityProvidersOpenIDConnectDiscovery is information discovered during validation reused for the discovery handlers.
type IdentityProvidersOpenIDConnectLifespan ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectLifespan struct {
IdentityProvidersOpenIDConnectLifespanToken `koanf:",squash"`
DeviceCode time.Duration `` /* 232-byte string literal not displayed */
Grants IdentityProvidersOpenIDConnectLifespanGrants `` /* 204-byte string literal not displayed */
}
IdentityProvidersOpenIDConnectLifespan allows tuning the lifespans for OpenID Connect 1.0 issued tokens.
type IdentityProvidersOpenIDConnectLifespanGrants ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectLifespanGrants struct {
AuthorizeCode IdentityProvidersOpenIDConnectLifespanToken `` /* 247-byte string literal not displayed */
DeviceCode IdentityProvidersOpenIDConnectLifespanToken `` /* 229-byte string literal not displayed */
Implicit IdentityProvidersOpenIDConnectLifespanToken `` /* 220-byte string literal not displayed */
ClientCredentials IdentityProvidersOpenIDConnectLifespanToken `` /* 271-byte string literal not displayed */
RefreshToken IdentityProvidersOpenIDConnectLifespanToken `` /* 241-byte string literal not displayed */
JWTBearer IdentityProvidersOpenIDConnectLifespanToken `` /* 223-byte string literal not displayed */
}
IdentityProvidersOpenIDConnectLifespanGrants allows tuning the lifespans for each grant type.
type IdentityProvidersOpenIDConnectLifespanToken ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectLifespanToken struct {
AccessToken time.Duration `` /* 238-byte string literal not displayed */
RefreshToken time.Duration `` /* 243-byte string literal not displayed */
IDToken time.Duration `` /* 214-byte string literal not displayed */
AuthorizeCode time.Duration `` /* 252-byte string literal not displayed */
}
IdentityProvidersOpenIDConnectLifespanToken allows tuning the lifespans for each token type.
type IdentityProvidersOpenIDConnectLifespans ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectLifespans struct {
IdentityProvidersOpenIDConnectLifespanToken `koanf:",squash"`
DeviceCode time.Duration `` /* 232-byte string literal not displayed */
JWTSecuredAuthorization time.Duration `` /* 319-byte string literal not displayed */
Custom map[string]IdentityProvidersOpenIDConnectLifespan `` /* 214-byte string literal not displayed */
}
type IdentityProvidersOpenIDConnectPolicy ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectPolicy struct {
DefaultPolicy string `` /* 262-byte string literal not displayed */
Rules []IdentityProvidersOpenIDConnectPolicyRule `` /* 167-byte string literal not displayed */
}
IdentityProvidersOpenIDConnectPolicy is the configuration for OpenID Connect 1.0 authorization policies.
type IdentityProvidersOpenIDConnectPolicyRule ¶ added in v4.38.0
type IdentityProvidersOpenIDConnectPolicyRule struct {
Policy string `` /* 213-byte string literal not displayed */
Subjects AccessControlRuleSubjects `` /* 209-byte string literal not displayed */
Networks []*net.IPNet `` /* 215-byte string literal not displayed */
}
IdentityProvidersOpenIDConnectPolicyRule is the configuration for OpenID Connect 1.0 authorization policy rules.
type IdentityProvidersOpenIDConnectScope ¶ added in v4.39.0
type IdentityProvidersOpenIDConnectScope struct {
Claims []string `` /* 269-byte string literal not displayed */
}
type IdentityValidation ¶ added in v4.38.0
type IdentityValidation struct {
ResetPassword IdentityValidationResetPassword `` /* 234-byte string literal not displayed */
ElevatedSession IdentityValidationElevatedSession `` /* 300-byte string literal not displayed */
}
IdentityValidation represents the configuration for identity verification actions/flows.
type IdentityValidationElevatedSession ¶ added in v4.38.0
type IdentityValidationElevatedSession struct {
CodeLifespan time.Duration `` /* 280-byte string literal not displayed */
ElevationLifespan time.Duration `` /* 310-byte string literal not displayed */
Characters int `` /* 211-byte string literal not displayed */
RequireSecondFactor bool `` /* 280-byte string literal not displayed */
SkipSecondFactor bool `` /* 281-byte string literal not displayed */
}
IdentityValidationElevatedSession represents the tunable aspects of the credential control identity verification action/flow.
type IdentityValidationResetPassword ¶ added in v4.38.0
type IdentityValidationResetPassword struct {
JWTExpiration time.Duration `` /* 288-byte string literal not displayed */
JWTAlgorithm string `` /* 309-byte string literal not displayed */
JWTSecret string `` /* 227-byte string literal not displayed */
}
IdentityValidationResetPassword represents the tunable aspects of the reset password identity verification action/flow.
type JWK ¶ added in v4.38.0
type JWK struct {
KeyID string `` /* 171-byte string literal not displayed */
Use string `` /* 164-byte string literal not displayed */
Algorithm string `` /* 311-byte string literal not displayed */
Key CryptographicKey `` /* 165-byte string literal not displayed */
CertificateChain X509CertificateChain `` /* 283-byte string literal not displayed */
}
JWK represents a JWK.
type Log ¶ added in v4.38.0
type Log struct {
Level string `` /* 255-byte string literal not displayed */
Format string `` /* 185-byte string literal not displayed */
FilePath string `` /* 308-byte string literal not displayed */
KeepStdout bool `` /* 202-byte string literal not displayed */
}
Log represents the logging configuration.
type NTP ¶ added in v4.38.0
type NTP struct {
Address *AddressUDP `` /* 184-byte string literal not displayed */
Version int `` /* 154-byte string literal not displayed */
MaximumDesync time.Duration `` /* 242-byte string literal not displayed */
DisableStartupCheck bool `` /* 237-byte string literal not displayed */
DisableFailure bool `` /* 253-byte string literal not displayed */
}
NTP represents the configuration related to the NTP server.
type Notifier ¶ added in v4.38.0
type Notifier struct {
DisableStartupCheck bool `` /* 234-byte string literal not displayed */
FileSystem *NotifierFileSystem `` /* 184-byte string literal not displayed */
SMTP *NotifierSMTP `` /* 146-byte string literal not displayed */
TemplatePath string `` /* 214-byte string literal not displayed */
}
Notifier represents the configuration of the notifier to use when sending notifications to users.
type NotifierFileSystem ¶ added in v4.38.0
type NotifierFileSystem struct {
Filename string `` /* 183-byte string literal not displayed */
}
NotifierFileSystem represents the configuration of the notifier writing emails in a file.
type NotifierSMTP ¶ added in v4.38.0
type NotifierSMTP struct {
Address *AddressSMTP `` /* 195-byte string literal not displayed */
Timeout time.Duration `` /* 196-byte string literal not displayed */
Username string `` /* 185-byte string literal not displayed */
Password string `` /* 185-byte string literal not displayed */
Identifier string `` /* 225-byte string literal not displayed */
Sender mail.Address `` /* 163-byte string literal not displayed */
Subject string `` /* 194-byte string literal not displayed */
StartupCheckAddress mail.Address `` /* 311-byte string literal not displayed */
DisableRequireTLS bool `` /* 424-byte string literal not displayed */
DisableHTMLEmails bool `` /* 266-byte string literal not displayed */
DisableStartTLS bool `` /* 320-byte string literal not displayed */
TLS *TLS `` /* 165-byte string literal not displayed */
// Deprecated: use address instead.
Host string `koanf:"host" yaml:"host,omitempty" toml:"host,omitempty" json:"host,omitempty" jsonschema:"deprecated"`
// Deprecated: use address instead.
Port int `koanf:"port" yaml:"port" toml:"port" json:"port" jsonschema:"deprecated"`
}
NotifierSMTP represents the configuration of the SMTP server to send emails with.
type PasswordDigest ¶ added in v4.37.0
PasswordDigest is a configuration type for the crypt.Digest.
func DecodePasswordDigest ¶ added in v4.37.3
func DecodePasswordDigest(encodedDigest string) (digest *PasswordDigest, err error)
DecodePasswordDigest returns a new PasswordDigest if it can be decoded.
func NewPasswordDigest ¶ added in v4.37.0
func NewPasswordDigest(digest algorithm.Digest) *PasswordDigest
NewPasswordDigest returns a new *PasswordDigest from an algorithm.Digest.
func (*PasswordDigest) GetPlainTextValue ¶ added in v4.38.0
func (d *PasswordDigest) GetPlainTextValue() (value []byte, err error)
GetPlainTextValue returns a *plaintext.Digest's byte value from Key() and an error. If the PasswordDigest is not a plaintext.Digest then it returns nil and an error, otherwise it returns the value and nil.
func (*PasswordDigest) IsPlainText ¶ added in v4.38.0
func (d *PasswordDigest) IsPlainText() (is bool)
IsPlainText returns true if the underlying algorithm.Digest is a *plaintext.Digest.
func (PasswordDigest) JSONSchema ¶ added in v4.38.0
func (PasswordDigest) JSONSchema() *jsonschema.Schema
JSONSchema returns the JSON Schema information for the PasswordDigest type.
func (*PasswordDigest) MarshalYAML ¶ added in v4.39.2
func (d *PasswordDigest) MarshalYAML() (value any, err error)
func (*PasswordDigest) PlainText ¶ added in v4.38.0
func (d *PasswordDigest) PlainText() (digest *plaintext.Digest, ok bool)
PlainText returns a *plaintext.Digest and boolean. If the PasswordDigest is not a plaintext.Digest then it returns nil, false, otherwise it returns the value and true.
func (*PasswordDigest) UnmarshalYAML ¶ added in v4.38.0
func (d *PasswordDigest) UnmarshalYAML(value *yaml.Node) (err error)
func (*PasswordDigest) Valid ¶ added in v4.38.8
func (d *PasswordDigest) Valid() (valid bool)
Valid returns true if this digest has a value.
type PasswordPolicy ¶ added in v4.38.0
type PasswordPolicy struct {
Standard PasswordPolicyStandard `` /* 184-byte string literal not displayed */
ZXCVBN PasswordPolicyZXCVBN `` /* 172-byte string literal not displayed */
}
PasswordPolicy represents the configuration related to password policy.
type PasswordPolicyStandard ¶ added in v4.38.0
type PasswordPolicyStandard struct {
Enabled bool `` /* 171-byte string literal not displayed */
MinLength int `` /* 156-byte string literal not displayed */
MaxLength int `` /* 166-byte string literal not displayed */
RequireUppercase bool `` /* 206-byte string literal not displayed */
RequireLowercase bool `` /* 206-byte string literal not displayed */
RequireNumber bool `` /* 189-byte string literal not displayed */
RequireSpecial bool `` /* 195-byte string literal not displayed */
}
PasswordPolicyStandard represents the configuration related to standard parameters of password policy.
type PasswordPolicyZXCVBN ¶ added in v4.38.0
type PasswordPolicyZXCVBN struct {
Enabled bool `` /* 169-byte string literal not displayed */
MinScore int `` /* 170-byte string literal not displayed */
}
PasswordPolicyZXCVBN represents the configuration related to ZXCVBN parameters of password policy.
type PrivacyPolicy ¶ added in v4.38.0
type PrivacyPolicy struct {
Enabled bool `` /* 168-byte string literal not displayed */
RequireUserAcceptance bool `` /* 262-byte string literal not displayed */
PolicyURL *url.URL `` /* 188-byte string literal not displayed */
}
PrivacyPolicy is the privacy policy configuration.
type RefreshIntervalDuration ¶ added in v4.38.0
type RefreshIntervalDuration struct {
// contains filtered or unexported fields
}
RefreshIntervalDuration is a special time.Duration for the refresh interval.
func NewRefreshIntervalDuration ¶ added in v4.38.0
func NewRefreshIntervalDuration(value time.Duration) RefreshIntervalDuration
NewRefreshIntervalDuration returns a RefreshIntervalDuration given a time.Duration.
func NewRefreshIntervalDurationAlways ¶ added in v4.38.0
func NewRefreshIntervalDurationAlways() RefreshIntervalDuration
NewRefreshIntervalDurationAlways returns a RefreshIntervalDuration with an always value.
func NewRefreshIntervalDurationNever ¶ added in v4.38.0
func NewRefreshIntervalDurationNever() RefreshIntervalDuration
NewRefreshIntervalDurationNever returns a RefreshIntervalDuration with a never value.
func (RefreshIntervalDuration) Always ¶ added in v4.38.0
func (d RefreshIntervalDuration) Always() bool
Always returns true if the interval is always.
func (RefreshIntervalDuration) JSONSchema ¶ added in v4.38.0
func (RefreshIntervalDuration) JSONSchema() *jsonschema.Schema
JSONSchema returns the JSON Schema information for the RefreshIntervalDuration type.
func (RefreshIntervalDuration) Never ¶ added in v4.38.0
func (d RefreshIntervalDuration) Never() bool
Never returns true if the interval is never.
func (RefreshIntervalDuration) Update ¶ added in v4.38.0
func (d RefreshIntervalDuration) Update() bool
Update returns true if the session could require updates.
func (RefreshIntervalDuration) Valid ¶ added in v4.38.0
func (d RefreshIntervalDuration) Valid() bool
Valid returns true if the value was correctly constructed via one of the NewRefreshIntervalDuration constructors.
func (RefreshIntervalDuration) Value ¶ added in v4.38.0
func (d RefreshIntervalDuration) Value() time.Duration
Value returns the time.Duration.
type Regulation ¶ added in v4.38.0
type Regulation struct {
Modes []string `` /* 207-byte string literal not displayed */
MaxRetries int `` /* 217-byte string literal not displayed */
FindTime time.Duration `` /* 249-byte string literal not displayed */
BanTime time.Duration `` /* 264-byte string literal not displayed */
}
Regulation represents the configuration related to regulation.
type Server ¶ added in v4.38.0
type Server struct {
Address *AddressTCP `` /* 189-byte string literal not displayed */
AssetPath string `` /* 212-byte string literal not displayed */
DisableHealthcheck bool `` /* 226-byte string literal not displayed */
TLS ServerTLS `` /* 152-byte string literal not displayed */
Headers ServerHeaders `` /* 176-byte string literal not displayed */
Endpoints ServerEndpoints `` /* 188-byte string literal not displayed */
Buffers ServerBuffers `` /* 176-byte string literal not displayed */
Timeouts ServerTimeouts `` /* 182-byte string literal not displayed */
}
Server represents the configuration of the http server.
type ServerBuffers ¶ added in v4.36.4
type ServerBuffers struct {
Read int `` /* 132-byte string literal not displayed */
Write int `` /* 138-byte string literal not displayed */
}
ServerBuffers represents server buffer configurations.
type ServerEndpointRateLimit ¶ added in v4.39.0
type ServerEndpointRateLimit struct {
Enable bool `koanf:"enable" yaml:"enable" toml:"enable" json:"enable"`
Buckets []ServerEndpointRateLimitBucket `koanf:"buckets" yaml:"buckets,omitempty" toml:"buckets,omitempty" json:"buckets,omitempty"`
}
type ServerEndpointRateLimitBucket ¶ added in v4.39.0
type ServerEndpointRateLimits ¶ added in v4.39.0
type ServerEndpointRateLimits struct {
ResetPasswordStart ServerEndpointRateLimit `` /* 142-byte string literal not displayed */
ResetPasswordFinish ServerEndpointRateLimit `` /* 146-byte string literal not displayed */
SecondFactorTOTP ServerEndpointRateLimit `` /* 134-byte string literal not displayed */
SecondFactorDuo ServerEndpointRateLimit `` /* 130-byte string literal not displayed */
SessionElevationStart ServerEndpointRateLimit `` /* 154-byte string literal not displayed */
SessionElevationFinish ServerEndpointRateLimit `` /* 158-byte string literal not displayed */
}
type ServerEndpoints ¶ added in v4.38.0
type ServerEndpoints struct {
EnablePprof bool `` /* 275-byte string literal not displayed */
EnableExpvars bool `` /* 287-byte string literal not displayed */
RateLimits ServerEndpointRateLimits `koanf:"rate_limits" yaml:"rate_limits,omitempty" toml:"rate_limits,omitempty" json:"rate_limits,omitempty"`
Authz map[string]ServerEndpointsAuthz `` /* 172-byte string literal not displayed */
}
ServerEndpoints is the endpoints configuration for the HTTP server.
type ServerEndpointsAuthz ¶ added in v4.38.0
type ServerEndpointsAuthz struct {
Implementation string `` /* 305-byte string literal not displayed */
AuthnStrategies []ServerEndpointsAuthzAuthnStrategy `` /* 251-byte string literal not displayed */
}
ServerEndpointsAuthz is the Authz endpoints configuration for the HTTP server.
type ServerEndpointsAuthzAuthnStrategy ¶ added in v4.38.0
type ServerEndpointsAuthzAuthnStrategy struct {
Name string `` /* 307-byte string literal not displayed */
Schemes []string `` /* 268-byte string literal not displayed */
SchemeBasicCacheLifespan time.Duration `` /* 313-byte string literal not displayed */
}
ServerEndpointsAuthzAuthnStrategy is the configuration of a single authentication strategy used by an Authz endpoint of the HTTP server.
type ServerHeaders ¶ added in v4.38.0
type ServerHeaders struct {
CSPTemplate CSPTemplate `` /* 205-byte string literal not displayed */
}
ServerHeaders represents the customization of the http server headers.
type ServerTLS ¶ added in v4.38.0
type ServerTLS struct {
Certificate string `` /* 187-byte string literal not displayed */
Key string `` /* 147-byte string literal not displayed */
ClientCertificates []string `` /* 265-byte string literal not displayed */
}
ServerTLS represents the configuration of the HTTP server's TLS options.
type ServerTimeouts ¶ added in v4.36.4
type ServerTimeouts struct {
Read time.Duration `` /* 163-byte string literal not displayed */
Write time.Duration `` /* 169-byte string literal not displayed */
Idle time.Duration `` /* 164-byte string literal not displayed */
}
ServerTimeouts represents server timeout configurations.
type Session ¶ added in v4.38.0
type Session struct {
SessionCookieCommon `koanf:",squash"`
Secret string `` /* 178-byte string literal not displayed */
Cookies []SessionCookie `` /* 180-byte string literal not displayed */
Redis *SessionRedis `` /* 170-byte string literal not displayed */
// Deprecated: Use the session cookies option with the same name instead.
Domain string `koanf:"domain" yaml:"domain,omitempty" toml:"domain,omitempty" json:"domain,omitempty" jsonschema:"deprecated,title=Domain"`
}
Session represents the configuration related to user sessions.
type SessionCookie ¶ added in v4.38.0
type SessionCookie struct {
SessionCookieCommon `koanf:",squash"`
Domain string `` /* 203-byte string literal not displayed */
AutheliaURL *url.URL `` /* 260-byte string literal not displayed */
DefaultRedirectionURL *url.URL `` /* 300-byte string literal not displayed */
Legacy bool `json:"-"`
}
SessionCookie represents the configuration for a cookie domain.
type SessionCookieCommon ¶ added in v4.38.0
type SessionCookieCommon struct {
Name string `` /* 166-byte string literal not displayed */
SameSite string `` /* 215-byte string literal not displayed */
Expiration time.Duration `` /* 218-byte string literal not displayed */
Inactivity time.Duration `` /* 190-byte string literal not displayed */
RememberMe time.Duration `` /* 219-byte string literal not displayed */
DisableRememberMe bool `json:"-"`
}
type SessionRedis ¶ added in v4.38.0
type SessionRedis struct {
Host string `` /* 150-byte string literal not displayed */
Port int `` /* 133-byte string literal not displayed */
Timeout time.Duration `` /* 197-byte string literal not displayed */
MaxRetries int `` /* 197-byte string literal not displayed */
Username string `` /* 167-byte string literal not displayed */
Password string `` /* 167-byte string literal not displayed */
DatabaseIndex int `` /* 183-byte string literal not displayed */
MaximumActiveConnections int `` /* 280-byte string literal not displayed */
MinimumIdleConnections int `` /* 256-byte string literal not displayed */
TLS *TLS `koanf:"tls" yaml:"tls,omitempty" toml:"tls,omitempty" json:"tls,omitempty"`
HighAvailability *SessionRedisHighAvailability `` /* 130-byte string literal not displayed */
}
SessionRedis represents the configuration related to the Redis session store.
type SessionRedisHighAvailability ¶ added in v4.38.0
type SessionRedisHighAvailability struct {
SentinelName string `` /* 207-byte string literal not displayed */
SentinelUsername string `` /* 232-byte string literal not displayed */
SentinelPassword string `` /* 232-byte string literal not displayed */
RouteByLatency bool `` /* 203-byte string literal not displayed */
RouteRandomly bool `` /* 191-byte string literal not displayed */
Nodes []SessionRedisHighAvailabilityNode `` /* 191-byte string literal not displayed */
}
SessionRedisHighAvailability holds configuration variables for Redis Cluster/Sentinel.
type SessionRedisHighAvailabilityNode ¶ added in v4.38.0
type SessionRedisHighAvailabilityNode struct {
Host string `` /* 157-byte string literal not displayed */
Port int `` /* 141-byte string literal not displayed */
}
SessionRedisHighAvailabilityNode represents a single node of a Redis Cluster/Sentinel deployment.
type Storage ¶ added in v4.38.0
type Storage struct {
Local *StorageLocal `` /* 182-byte string literal not displayed */
MySQL *StorageMySQL `` /* 182-byte string literal not displayed */
PostgreSQL *StoragePostgreSQL `` /* 196-byte string literal not displayed */
EncryptionKey string `` /* 268-byte string literal not displayed */
}
Storage represents the configuration of the storage backend.
type StorageLocal ¶ added in v4.38.0
type StorageLocal struct {
Path string `` /* 167-byte string literal not displayed */
}
StorageLocal represents the configuration when using local storage.
type StorageMySQL ¶ added in v4.38.0
type StorageMySQL struct {
StorageSQL `koanf:",squash"`
}
StorageMySQL represents the configuration of a MySQL database.
type StoragePostgreSQL ¶ added in v4.38.0
type StoragePostgreSQL struct {
StorageSQL `koanf:",squash"`
Schema string `` /* 184-byte string literal not displayed */
Servers []StoragePostgreSQLServer `` /* 234-byte string literal not displayed */
// Deprecated: Use the TLS configuration instead.
SSL *StoragePostgreSQLSSL `koanf:"ssl" yaml:"ssl,omitempty" toml:"ssl,omitempty" json:"ssl,omitempty" jsonschema:"deprecated,title=SSL"`
}
StoragePostgreSQL represents the configuration of a PostgreSQL database.
type StoragePostgreSQLSSL ¶ added in v4.38.0
type StoragePostgreSQLSSL struct {
Mode string `` /* 263-byte string literal not displayed */
RootCertificate string `` /* 281-byte string literal not displayed */
Certificate string `` /* 251-byte string literal not displayed */
Key string `` /* 211-byte string literal not displayed */
}
StoragePostgreSQLSSL represents the SSL configuration of a PostgreSQL database.
type StoragePostgreSQLServer ¶ added in v4.39.0
type StoragePostgreSQLServer struct {
Address *AddressTCP `` /* 180-byte string literal not displayed */
TLS *TLS `koanf:"tls" yaml:"tls,omitempty" toml:"tls,omitempty" json:"tls,omitempty"`
}
type StorageSQL ¶ added in v4.38.0
type StorageSQL struct {
Address *AddressTCP `` /* 173-byte string literal not displayed */
Database string `` /* 202-byte string literal not displayed */
Username string `` /* 184-byte string literal not displayed */
Password string `` /* 184-byte string literal not displayed */
Timeout time.Duration `` /* 201-byte string literal not displayed */
TLS *TLS `koanf:"tls" yaml:"tls,omitempty" toml:"tls,omitempty" json:"tls,omitempty"`
}
StorageSQL represents the configuration of the SQL database.
type StructValidator ¶
type StructValidator struct {
// contains filtered or unexported fields
}
StructValidator is a validator for structs.
func NewStructValidator ¶
func NewStructValidator() *StructValidator
NewStructValidator returns a new *StructValidator.
func (*StructValidator) Errors ¶
func (v *StructValidator) Errors() []error
Errors returns the errors.
func (*StructValidator) HasErrors ¶
func (v *StructValidator) HasErrors() bool
HasErrors checks whether the validator contains errors.
func (*StructValidator) HasWarnings ¶
func (v *StructValidator) HasWarnings() bool
HasWarnings checks whether the validator contains warning errors.
func (*StructValidator) Push ¶
func (v *StructValidator) Push(err error)
Push appends an error to the validator.
func (*StructValidator) PushWarning ¶
func (v *StructValidator) PushWarning(err error)
PushWarning appends a warning error to the validator.
func (*StructValidator) Warnings ¶
func (v *StructValidator) Warnings() []error
Warnings returns the warnings.
type TLS ¶ added in v4.38.0
type TLS struct {
MinimumVersion TLSVersion `` /* 231-byte string literal not displayed */
MaximumVersion TLSVersion `` /* 231-byte string literal not displayed */
SkipVerify bool `` /* 194-byte string literal not displayed */
ServerName string `` /* 237-byte string literal not displayed */
PrivateKey CryptographicPrivateKey `` /* 179-byte string literal not displayed */
CertificateChain X509CertificateChain `` /* 215-byte string literal not displayed */
}
TLS is a representation of the TLS configuration.
type TLSVersion ¶ added in v4.37.0
type TLSVersion struct {
Value uint16
}
TLSVersion is a struct which handles tls.Config versions.
func NewTLSVersion ¶ added in v4.37.0
func NewTLSVersion(input string) (version *TLSVersion, err error)
NewTLSVersion returns a new TLSVersion given a string.
func (TLSVersion) JSONSchema ¶ added in v4.38.0
func (TLSVersion) JSONSchema() *jsonschema.Schema
JSONSchema returns the JSON Schema information for the TLSVersion type.
func (TLSVersion) MarshalYAML ¶ added in v4.39.2
func (v TLSVersion) MarshalYAML() (any, error)
func (*TLSVersion) MaxVersion ¶ added in v4.37.0
func (v *TLSVersion) MaxVersion() uint16
MaxVersion returns the value of this as a MaxVersion value.
func (*TLSVersion) MinVersion ¶ added in v4.37.0
func (v *TLSVersion) MinVersion() uint16
MinVersion returns the value of this as a MinVersion value.
func (*TLSVersion) String ¶ added in v4.37.0
func (v *TLSVersion) String() string
String implements the Stringer interface for TLSVersion.
type TOTP ¶ added in v4.38.0
type TOTP struct {
Disable bool `` /* 163-byte string literal not displayed */
Issuer string `` /* 196-byte string literal not displayed */
DefaultAlgorithm string `` /* 244-byte string literal not displayed */
DefaultDigits int `` /* 173-byte string literal not displayed */
DefaultPeriod int `` /* 160-byte string literal not displayed */
Skew *int `` /* 181-byte string literal not displayed */
SecretSize int `` /* 195-byte string literal not displayed */
AllowedAlgorithms []string `` /* 321-byte string literal not displayed */
AllowedDigits []int `` /* 274-byte string literal not displayed */
AllowedPeriods []int `` /* 267-byte string literal not displayed */
DisableReuseSecurityPolicy bool `` /* 301-byte string literal not displayed */
}
TOTP represents the configuration related to TOTP options.
type Telemetry ¶ added in v4.38.0
type Telemetry struct {
Metrics TelemetryMetrics `` /* 186-byte string literal not displayed */
}
Telemetry represents the telemetry config.
type TelemetryMetrics ¶ added in v4.38.0
type TelemetryMetrics struct {
Enabled bool `` /* 154-byte string literal not displayed */
Address *AddressTCP `` /* 212-byte string literal not displayed */
Buffers ServerBuffers `` /* 199-byte string literal not displayed */
Timeouts ServerTimeouts `` /* 205-byte string literal not displayed */
}
TelemetryMetrics represents the telemetry metrics config.
type UserAttribute ¶ added in v4.39.0
type UserAttribute struct {
Expression string `` /* 244-byte string literal not displayed */
}
type WebAuthn ¶ added in v4.38.0
type WebAuthn struct {
Disable bool `` /* 167-byte string literal not displayed */
EnablePasskeyLogin bool `` /* 230-byte string literal not displayed */
EnablePasskey2FA bool `` /* 500-byte string literal not displayed */
EnablePasskeyUpgrade bool `` /* 481-byte string literal not displayed */
DisplayName string `` /* 243-byte string literal not displayed */
ConveyancePreference protocol.ConveyancePreference `` /* 377-byte string literal not displayed */
Timeout time.Duration `` /* 210-byte string literal not displayed */
Filtering WebAuthnFiltering `` /* 195-byte string literal not displayed */
SelectionCriteria WebAuthnSelectionCriteria `` /* 211-byte string literal not displayed */
Metadata WebAuthnMetadata `` /* 155-byte string literal not displayed */
}
WebAuthn represents the webauthn config.
type WebAuthnFiltering ¶ added in v4.39.0
type WebAuthnMetadata ¶ added in v4.39.0
type WebAuthnMetadata struct {
Enabled bool `` /* 176-byte string literal not displayed */
CachePolicy string `` /* 223-byte string literal not displayed */
ValidateTrustAnchor bool `` /* 258-byte string literal not displayed */
ValidateEntry bool `` /* 259-byte string literal not displayed */
ValidateEntryPermitZeroAAGUID bool `` /* 311-byte string literal not displayed */
ValidateStatus bool `` /* 207-byte string literal not displayed */
ValidateStatusPermitted []metadata.AuthenticatorStatus `` /* 748-byte string literal not displayed */
ValidateStatusProhibited []metadata.AuthenticatorStatus `` /* 763-byte string literal not displayed */
}
type WebAuthnSelectionCriteria ¶ added in v4.39.0
type WebAuthnSelectionCriteria struct {
Attachment protocol.AuthenticatorAttachment `` /* 252-byte string literal not displayed */
Discoverability protocol.ResidentKeyRequirement `` /* 331-byte string literal not displayed */
UserVerification protocol.UserVerificationRequirement `` /* 327-byte string literal not displayed */
}
type X509CertificateChain ¶ added in v4.37.0
type X509CertificateChain struct {
// contains filtered or unexported fields
}
X509CertificateChain is a helper struct that holds a list of *x509.Certificate values.
func NewX509CertificateChain ¶ added in v4.37.0
func NewX509CertificateChain(in string) (chain *X509CertificateChain, err error)
NewX509CertificateChain creates a new *X509CertificateChain from a given string, parsing each PEM block one by one.
func NewX509CertificateChainFromCerts ¶ added in v4.38.0
func NewX509CertificateChainFromCerts(in []*x509.Certificate) (chain X509CertificateChain)
NewX509CertificateChainFromCerts returns a chain from a given list of certificates without validation.
func (*X509CertificateChain) Certificates ¶ added in v4.37.0
func (c *X509CertificateChain) Certificates() (certificates []*x509.Certificate)
Certificates returns the list of *x509.Certificate values held by this X509CertificateChain.
func (*X509CertificateChain) CertificatesRaw ¶ added in v4.37.0
func (c *X509CertificateChain) CertificatesRaw() (certificates [][]byte)
CertificatesRaw returns the raw certificate bytes, one entry per certificate in this X509CertificateChain.
func (*X509CertificateChain) EncodePEM ¶ added in v4.38.0
func (c *X509CertificateChain) EncodePEM() (encoded []byte, err error)
EncodePEM encodes the entire chain as PEM bytes.
func (*X509CertificateChain) Equal ¶ added in v4.37.0
func (c *X509CertificateChain) Equal(other *x509.Certificate) (equal bool)
Equal checks if the provided *x509.Certificate is equal to the first *x509.Certificate in the chain.
func (*X509CertificateChain) EqualKey ¶ added in v4.37.0
func (c *X509CertificateChain) EqualKey(other any) (equal bool)
EqualKey checks if the provided key (public or private) has a public key equal to the first public key in this chain.
func (*X509CertificateChain) HasCertificates ¶ added in v4.37.0
func (c *X509CertificateChain) HasCertificates() (has bool)
HasCertificates returns true if the chain has any certificates.
func (X509CertificateChain) JSONSchema ¶ added in v4.38.0
func (X509CertificateChain) JSONSchema() *jsonschema.Schema
JSONSchema returns the JSON Schema information for the X509CertificateChain type.
func (*X509CertificateChain) Leaf ¶ added in v4.37.0
func (c *X509CertificateChain) Leaf() (leaf *x509.Certificate)
Leaf returns the first certificate if available for use with tls.Certificate.
func (*X509CertificateChain) Thumbprint ¶ added in v4.37.0
func (c *X509CertificateChain) Thumbprint(hash crypto.Hash) []byte
Thumbprint returns the thumbprint of the first certificate in the chain, computed with the given crypto.Hash.
func (*X509CertificateChain) Validate ¶ added in v4.37.0
func (c *X509CertificateChain) Validate() (err error)
Validate checks the X509CertificateChain, ensuring the certificates were provided in the correct order (with the nth being signed by the nth+1) and that all of the certificates are valid at the current time.
Source Files
- access_control.go
- authentication.go
- configuration.go
- const.go
- definitions.go
- duo.go
- identity_providers.go
- identity_validation.go
- keys.go
- log.go
- notifier.go
- ntp.go
- password_policy.go
- privacy_policy.go
- regulation.go
- server.go
- session.go
- shared.go
- storage.go
- telemetry.go
- totp.go
- types.go
- types_address.go
- types_addresses_nix.go
- util.go
- validator.go
- webauthn.go