89 lines
2.9 KiB
YAML
89 lines
2.9 KiB
YAML
# Ory Kratos — identity & self-service auth. Identity schema (email, name) +
|
|
# password login; recovery & verification run on email codes. Every self-service
|
|
# flow returns the browser to our own themed routes (§4 renders the fields). DSN +
|
|
# prod courier/secrets come from the env. SSO, session tuning, and the JWT
|
|
# tokenizer land in later §3/§4 items.
|
|
serve:
|
|
public:
|
|
base_url: http://127.0.0.1:4433/
|
|
cors:
|
|
enabled: false
|
|
admin:
|
|
base_url: http://kratos:4434/
|
|
|
|
selfservice:
|
|
default_browser_return_url: http://127.0.0.1:3000/
|
|
allowed_return_urls:
|
|
- http://127.0.0.1:3000
|
|
methods:
|
|
password:
|
|
enabled: true
|
|
code: # email one-time code — powers recovery + verification (not login)
|
|
enabled: true
|
|
# Social sign-in (Google, Microsoft, or SAML via an OIDC bridge like Ory Polis —
|
|
# OSS Kratos has no native SAML). OFF by default → a clean clone is password-only.
|
|
# Activate WITHOUT code changes by supplying env (the whole-array form is the only
|
|
# env-settable one Kratos offers); providers reference the committed claims mapper,
|
|
# and §4 derives the buttons from this list:
|
|
# SELFSERVICE_METHODS_OIDC_ENABLED=true
|
|
# SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=[{"id":"google","provider":"google",
|
|
# "client_id":"…","client_secret":"…","scope":["openid","email","profile"],
|
|
# "mapper_url":"file:///etc/config/kratos/oidc/claims.jsonnet"}]
|
|
oidc:
|
|
enabled: false
|
|
config:
|
|
providers: []
|
|
flows:
|
|
error:
|
|
ui_url: http://127.0.0.1:3000/error
|
|
login:
|
|
ui_url: http://127.0.0.1:3000/login
|
|
registration:
|
|
ui_url: http://127.0.0.1:3000/registration
|
|
after:
|
|
password:
|
|
hooks:
|
|
- hook: session # log in immediately after sign-up
|
|
- hook: show_verification_ui
|
|
settings:
|
|
ui_url: http://127.0.0.1:3000/settings
|
|
privileged_session_max_age: 15m
|
|
required_aal: highest_available
|
|
recovery:
|
|
enabled: true
|
|
use: code
|
|
ui_url: http://127.0.0.1:3000/recovery
|
|
verification:
|
|
enabled: true
|
|
use: code
|
|
ui_url: http://127.0.0.1:3000/verification
|
|
after:
|
|
default_browser_return_url: http://127.0.0.1:3000/
|
|
logout:
|
|
after:
|
|
default_browser_return_url: http://127.0.0.1:3000/login
|
|
|
|
# Dev mail catcher (compose.override.yml). Prod overrides via COURIER_SMTP_CONNECTION_URI.
|
|
courier:
|
|
smtp:
|
|
connection_uri: smtp://mailpit:1025/?disable_starttls=true
|
|
from_address: no-reply@plainpages.local
|
|
from_name: Plainpages
|
|
|
|
identity:
|
|
default_schema_id: default
|
|
schemas:
|
|
- id: default
|
|
url: file:///etc/config/kratos/identity.schema.json
|
|
|
|
# Dev throwaways — production supplies real secrets via env (§3). cipher = 32 chars.
|
|
secrets:
|
|
cookie:
|
|
- PLEASE-CHANGE-ME-dev-kratos-cookie-secret
|
|
cipher:
|
|
- 0123456789abcdef0123456789abcdef
|
|
|
|
log:
|
|
level: info
|
|
format: text
|