zot-wo-auth/examples/config-openid.json

{
  "distSpecVersion": "1.1.0-dev",
  "storage": {
    "rootDirectory": "/tmp/zot",
    "dedupe": true
  },
  "http": {
    "address": "127.0.0.1",
    "port": "8080",
    "externalUrl": "http://127.0.0.1:8080",
    "realm": "zot",
    "auth": {
      "htpasswd": {
        "path": "test/data/htpasswd"
      },
      "apikey": true,
      "openid": {
        "providers": {
          "github": {
            "clientid": "client_id",
            "clientsecret": "client_secret",
            "keypath": "",
            "scopes": ["read:org", "user", "repo"]
          },
          "google": {
            "issuer": "https://accounts.google.com",
            "clientid": "client_id",
            "clientsecret": "client_secret",
            "scopes": ["openid", "email"]
          },
          "gitlab": {
            "issuer": "https://gitlab.com",
            "clientid": "client_id",
            "clientsecret": "client_secret",
            "scopes": ["openid", "read_api", "read_user", "profile", "email"]
          },
          "oidc": {
            "name": "Corporate SSO",
            "issuer": "http://127.0.0.1:5556/dex",
            "clientid": "client_id",
            "clientsecret": "client_secret",
            "scopes": ["openid", "user", "email", "groups"]
          }
        }
      },
      "failDelay": 5
    },
    "accessControl": {
      "repositories": {
        "**": {
          "policies": [
            {
              "users": [
                "test"
              ],
              "actions": [
                "read",
                "create"
              ]
            }
          ],
          "defaultPolicy": ["read"]
        }
      }
    }
  },
  "log": {
    "level": "debug"
  },
  "extensions": {}
}
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro> 2023-07-07 19:27:10 +03:00			`{`
			`"distSpecVersion": "1.1.0-dev",`
			`"storage": {`
			`"rootDirectory": "/tmp/zot",`
			`"dedupe": true`
			`},`
			`"http": {`
			`"address": "127.0.0.1",`
			`"port": "8080",`
fix(authn): handle the case where zot with openid runs behind a proxy (#1675) added a new config option under 'http' called externalURL which is used by openid/oauth2 clients to redirect back to zot Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2023-08-09 19:11:21 +03:00			`"externalUrl": "http://127.0.0.1:8080",`
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro> 2023-07-07 19:27:10 +03:00			`"realm": "zot",`
			`"auth": {`
			`"htpasswd": {`
			`"path": "test/data/htpasswd"`
			`},`
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-08-02 21:58:34 +03:00			`"apikey": true,`
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro> 2023-07-07 19:27:10 +03:00			`"openid": {`
			`"providers": {`
			`"github": {`
			`"clientid": "client_id",`
			`"clientsecret": "client_secret",`
			`"keypath": "",`
			`"scopes": ["read:org", "user", "repo"]`
			`},`
			`"google": {`
			`"issuer": "https://accounts.google.com",`
			`"clientid": "client_id",`
			`"clientsecret": "client_secret",`
			`"scopes": ["openid", "email"]`
			`},`
			`"gitlab": {`
			`"issuer": "https://gitlab.com",`
			`"clientid": "client_id",`
			`"clientsecret": "client_secret",`
			`"scopes": ["openid", "read_api", "read_user", "profile", "email"]`
			`},`
feat(authn): add generic oidc and allow customizable name (#1691) Rebased and squashed Signed-off-by: Damien Degois <damien@degois.info> 2023-08-24 12:33:35 +03:00			`"oidc": {`
			`"name": "Corporate SSO",`
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro> 2023-07-07 19:27:10 +03:00			`"issuer": "http://127.0.0.1:5556/dex",`
			`"clientid": "client_id",`
			`"clientsecret": "client_secret",`
			`"scopes": ["openid", "user", "email", "groups"]`
			`}`
			`}`
			`},`
			`"failDelay": 5`
			`},`
			`"accessControl": {`
			`"repositories": {`
			`"**": {`
			`"policies": [`
			`{`
			`"users": [`
			`"test"`
			`],`
			`"actions": [`
			`"read",`
			`"create"`
			`]`
			`}`
			`],`
			`"defaultPolicy": ["read"]`
			`}`
			`}`
			`}`
			`},`
			`"log": {`
			`"level": "debug"`
			`},`
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-08-02 21:58:34 +03:00			`"extensions": {}`
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro> 2023-07-07 19:27:10 +03:00			`}`