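# Heimdall configuration. The numbered callouts "(n)" refer to the explanations
# that accompany this listing; they were inline values in the pasted copy
# (e.g. `log: (1)` parsed as the string "(1)") and the tree had lost its
# indentation, so both are restored here: callouts as comments, nesting as the
# keys imply.
log:  # (1)
  # debug output may echo request details (headers, cookies); lower it outside
  # of local development.
  level: debug
tracing:
  enabled: false
metrics:
  enabled: false
mechanisms:  # (2)
  authenticators:
    # Rejects the request outright; referenced by default_rule below.
    - id: deny_all  # (3)
      type: unauthorized
    # Accepts without credentials; not referenced by default_rule, presumably
    # used by rules under providers.file_system.src.
    - id: anon  # (4)
      type: anonymous
    # Resolves the caller by asking oauth2-proxy's userinfo endpoint.
    - id: auth  # (5)
      type: generic
      config:
        # NOTE(review): plain http. The SESSION cookie is forwarded on this hop
        # (forward_cookies below), so keep it on a trusted network or use TLS.
        identity_info_endpoint: http://oauth2-proxy:4180/oauth2/userinfo
        # Where the session credential is read from on the incoming request.
        authentication_data_source:
          - cookie: SESSION
        # Cookies passed through to identity_info_endpoint.
        forward_cookies:
          - SESSION
        subject:
          # Field of the userinfo response used as the subject id.
          id: "user"
  authorizers:
    - id: cel  # (6)
      type: cel
      config:
        expressions:
          # Never true, so this authorizer denies unconditionally; presumably a
          # placeholder that exercises the error-handling path.
          - expression: "true == false"
  finalizers:
    - id: create_jwt  # (7)
      type: jwt
      config:
        signer:
          key_store:
            # Private signing key; keep the file read-only to the heimdall
            # process only.
            path: /etc/heimdall/signer.pem
        # Copies every subject attribute into the token. Narrow this if the
        # userinfo response carries fields that should not leave the proxy.
        claims: |
          {{- dict "attrs" .Subject.Attributes | toJson -}}
    - id: noop  # (8)
      type: noop
  error_handlers:  # (9)
    # Sends the caller to the IdP login flow. The target host is fixed here;
    # only the `rd` query value (the requested URL, url-encoded) is dynamic.
    - id: redirect_to_idp
      type: redirect
      config:
        to: 'http://127.0.0.1:9090/oauth2/start?rd={{ .Request.URL | urlenc }}'
    - id: redirect_to_error_page
      type: redirect
      config:
        to: 'https://www.google.com/search?q=access+denied&udm=2'
# Pipeline used when no rule from the providers matches.
default_rule:  # (10)
  execute:
    # deny_all fails the pipeline first, so create_jwt is presumably never
    # reached here; it is listed for the rules that reuse this default.
    - authenticator: deny_all
    - finalizer: create_jwt
  on_error:
    # Only browser-like callers (Accept contains text/html) are redirected;
    # authorization and authentication errors only.
    - error_handler: redirect_to_error_page
      if: |
        type(Error) in [authorization_error, authentication_error] &&
        Request.Header("Accept").contains("text/html")
providers:  # (11)
  file_system:
    # Rule files are loaded from this directory; watch: true picks up changes.
    src: /etc/heimdall/rules
    watch: true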