RelyAuth Reference
RelyAuthConfig
RelyAuthConfig is the data structure for authentication configurations.
| Key | Value | Required | Description |
|---|---|---|---|
| version | v1 | true | Version of the authentication config. |
| kind | RelyAuth | true | Kind of the resource, which is always RelyAuth. |
| definition | RelyAuthDefinition | true | List of authenticator configurations. |
RelyAuthDefinition
RelyAuthDefinition defines authentication modes and settings.
| Key | Value | Required | Description |
|---|---|---|---|
| settings | RelyAuthSettings | false | Global settings of the auth config. |
| modes | [RelyAuthMode] | true | List of authenticator modes. |
RelyAuthMode
One of the following values:
| Value | Description |
|---|---|
| RelyAuthAPIKeyConfig | Configurations for HTTP authentication with static secrets |
| RelyAuthJWTConfig | Configurations to which the incoming JWT will be verified and decoded to extract the session variable claims |
| RelyAuthNoAuthConfig | The session variables configuration for unauthenticated users |
| RelyAuthWebhookConfig | Configurations for the webhook authentication mode |
RelyAuthWebhookConfig
Configurations for the webhook authentication mode
| Key | Value | Required | Description |
|---|---|---|---|
| mode | webhook | true | Authentication mode, which is always webhook. |
| description | string | false | Brief description of the auth config. |
| url | EnvString | true | The URL of the authentication webhook. |
| httpClient | HTTPClientConfig | false | Configurations for the HTTP client. |
| customResponse | WebhookAuthCustomResponseConfig | false | The configuration for transforming response bodies. |
| securityRules | RelyAuthSecurityRulesConfig | false | Configurations for extra security rules. |
WebhookAuthCustomResponseConfig
WebhookAuthCustomResponseConfig is the configuration for transforming response bodies.
| Key | Value | Required | Description |
|---|---|---|---|
| response | TemplateTransformerConfig | false | The template to transform the response body. |
TemplateTransformerConfig
The template to transform the response body.
One of the following values:
| Value | Description |
|---|---|
| TemplateTransformerJMESPathConfig | Transform responses using the standard JMESPath template |
| TemplateTransformerGoTemplateConfig | Transform responses using the standard Go template |
TemplateTransformerGoTemplateConfig
Transform responses using the standard Go template
| Key | Value | Required | Description |
|---|---|---|---|
| type | gotmpl | true | Template type to be used for transforming the response. |
| contentType | string | true | The expected content type to be transformed. |
| template | string | true | Template content to be transformed. |
TemplateTransformerJMESPathConfig
Transform responses using the standard JMESPath template
| Key | Value | Required | Description |
|---|---|---|---|
| type | jmespath | true | Template type to be used for transforming the response. |
| template | FieldMappingConfig | true | Template content to be transformed. |
FieldMappingConfig
Represents a generic field mapping config
One of the following values:
| Value | Description |
|---|---|
| FieldMappingObjectConfig | Mapping configurations for object fields |
| FieldMappingEntryConfig | The mapping configuration for an entry field |
FieldMappingObjectConfig
FieldMappingObjectConfig represents configurations for the object field mapping.
| Key | Value | Required | Description |
|---|---|---|---|
| properties | map[string]any | true | Properties of the field mapping object. |
| type | object | true | Type of the field mapping config. |
HTTPClientConfig
HTTPClientConfig contains configurations to create client.
| Key | Value | Required | Description |
|---|---|---|---|
| timeout | string | false | Default maximum timeout duration that is applied to all requests. |
| transport | HTTPTransportConfig | false | Transport stores the http.Transport configuration for the HTTP client. |
| tls | TLSConfig | false | The transport layer security (TLS) configuration for mutual TLS authentication. |
| retry | HTTPRetryConfig | false | Retry policy of client requests. |
| authentication | HTTPClientAuthConfig | false | Authentication configuration. |
HTTPClientAuthConfig
Define authentication configurations
One of the following values:
| Value | Description |
|---|---|
| BasicAuthConfig | Configuration for the basic authentication |
| HTTPAuthConfig | Configuration for the http and API Key authentication |
| OAuth2Config | Configuration for the OAuth2 authentication |
OAuth2Config
OAuth2Config contains configurations for OAuth 2.0 with client_credentials type.
| Key | Value | Required | Description |
|---|---|---|---|
| type | oauth2 | true | Type of the oauth2 authenticator. |
| flows | OAuth2Flows | true | An object containing configuration information for the flow types supported. |
| description | string | false | A description for the security scheme. |
| tokenLocation | TokenLocation | false | The location where the auth credential will be injected. |
OAuth2Flows
OAuth2Flows contain configuration information for the flow types supported.
| Key | Value | Required | Description |
|---|---|---|---|
| clientCredentials | ClientCredentialsOAuthFlow | true | OAuth2 flow for client_credentials. |
ClientCredentialsOAuthFlow
ClientCredentialsOAuthFlow contains flow configurations for OAuth 2.0 client credential flow.
| Key | Value | Required | Description |
|---|---|---|---|
| tokenUrl | EnvString | false | The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| refreshUrl | EnvString | false | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. |
| scopes | [string] | false | The available scopes for the OAuth2 security scheme. |
| clientId | EnvString | false | Client ID of the OAuth2 client. |
| clientSecret | EnvString | false | Client secret of the OAuth2 client. |
| endpointParams | map[string]EnvString | false | Optional query parameters for the endpoint. |
HTTPAuthConfig
HTTPAuthConfig contains configurations for HTTP authentication. If the scheme is bearer, the authenticator follows the OpenAPI 3 specification.
| Key | Value | Required | Description |
|---|---|---|---|
| in | header / query / cookie | true | The location enum for setting the authentication value. |
| name | string | true | Name of the field to validate, for example, the Authorization header. |
| scheme | string | false | The name of the HTTP authentication scheme to be used in the Authorization header as defined in RFC7235. The values used SHOULD be registered in the IANA Authentication Scheme registry (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in RFC7235. |
| type | http | true | Type of the http authenticator. |
| value | EnvString | true | Value of the access token. |
| description | string | false | A description for the security scheme. |
BasicAuthConfig
BasicAuthConfig contains configurations for the basic authentication.
| Key | Value | Required | Description |
|---|---|---|---|
| type | basic | true | Type of the basic authenticator. |
| header | string | false | Header where the credential will be set. |
| username | EnvString | true | Username to authenticate. |
| password | EnvString | true | Password to authenticate. |
| description | string | false | A description for the security scheme. |
HTTPRetryConfig
HTTPRetryConfig represents retry policy settings.
| Key | Value | Required | Description |
|---|---|---|---|
| maxAttempts | EnvInt | false | Maximum number of retry attempts. |
| delay | integer | false | The initial wait time in milliseconds before a retry is attempted. Must be >0. Defaults to 1 second. |
| maxDelay | integer | false | The maximum delay in milliseconds of the exponential backoff. If the max delay is smaller than or equal to the base delay, the delay is constant. |
| httpStatus | [integer] | false | Retry if the remote service returns one of these HTTP status codes. |
| multiplier | number | false | How much the reconnection time should grow on subsequent attempts. Must be >=1; 1 = constant interval. Defaults to 1.5. |
| jitter | integer | false | For each retry delay, a random portion of the jitter is added to or subtracted from the delay. For example, a jitter of 100 milliseconds randomly adds between -100 and 100 milliseconds to each retry delay. Replaces any previously configured jitter factor. |
| jitterFactor | number | false | For each retry delay, a random portion of the delay multiplied by the jitterFactor is added to or subtracted from the delay. For example, a retry delay of 100 milliseconds and a jitterFactor of .25 results in a random retry delay between 75 and 125 milliseconds. Replaces any previously configured jitter duration. |
EnvInt
An integer value that can be given as a literal or read from an environment variable.
| Key | Value | Required | Description |
|---|---|---|---|
| value | integer | false | Default literal value if the env is empty. |
| env | string | false | Environment variable to be evaluated. |
TLSConfig
TLSConfig represents the transport layer security (TLS) configuration for mutual TLS authentication.
| Key | Value | Required | Description |
|---|---|---|---|
| rootCAFile | [EnvString] | false | RootCAFile represents paths to root certificates. For a client this verifies the server certificate. For a server this verifies client certificates. If empty, the system root CA pool is used. |
| rootCAPem | [EnvString] | false | RootCAPem is the alternative to rootCAFile. Provide the CA cert contents as a base64-encoded string instead of a file path. |
| caFile | [EnvString] | false | CAFile is the path to the CA cert. For a client this verifies the server certificate. For a server this verifies client certificates. If empty, the system root CA pool is used. |
| caPem | [EnvString] | false | CAPem is the alternative to caFile. Provide the CA cert contents as a base64-encoded string instead of a file path. |
| certificates | [TLSClientCertificate] | false | Certificates contains the list of client certificates. |
| insecureSkipVerify | EnvBool | false | If true, TLS is used but the server's certificate chain is not verified, so the server is not authenticated. |
| includeSystemCACertsPool | EnvBool | false | Whether to load the system certificate authority pool alongside the configured certificate authority. |
| minVersion | string | false | Minimum acceptable TLS version. |
| maxVersion | string | false | Maximum acceptable TLS version. |
| cipherSuites | [string] | false | Explicit cipher suites can be set. If left blank, a safe default list is used. See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites. |
| serverName | EnvString | false | ServerName requested by the client for virtual hosting. This sets the ServerName in the TLSConfig. Please refer to https://godoc.org/crypto/tls#Config for more information. |
EnvBool
A boolean value that can be given as a literal or read from an environment variable.
| Key | Value | Required | Description |
|---|---|---|---|
| value | boolean | false | Default literal value if the env is empty. |
| env | string | false | Environment variable to be evaluated. |
TLSClientCertificate
TLSClientCertificate represents a cert and key pair certificate.
| Key | Value | Required | Description |
|---|---|---|---|
| certFile | EnvString | false | CertFile is the path to the TLS cert to use for connections that require TLS. |
| certPem | EnvString | false | CertPem is the alternative to certFile. Provide the certificate contents as a base64-encoded string instead of a file path. |
| keyFile | EnvString | false | KeyFile is the path to the TLS key to use for connections that require TLS. |
| keyPem | EnvString | false | KeyPem is the alternative to keyFile. Provide the key contents as a base64-encoded string instead of a file path. |
HTTPTransportConfig
HTTPTransportConfig stores the http.Transport configuration for the http client.
| Key | Value | Required | Description |
|---|---|---|---|
| dialer | HTTPDialerConfig | false | Options for the http.Dialer used to connect to an address. |
| idleConnTimeout | string | false | Idle connection timeout. The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. Zero means no limit. |
| responseHeaderTimeout | string | false | Response header timeout, if non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request (including its body, if any). This time does not include the time to read the response body. This timeout covers cases where the TCP connection works but the server never answers. |
| tlsHandshakeTimeout | string | false | TLS handshake timeout is the maximum amount of time to wait for a TLS handshake. Zero means no timeout. |
| expectContinueTimeout | string | false | Expect continue timeout, if non-zero, specifies the amount of time to wait for a server's first response headers after fully writing the request headers if the request has an "Expect: 100-continue" header. |
| maxIdleConns | integer | false | Maximum number of idle (keep-alive) connections across all hosts. Zero means no limit. |
| maxIdleConnsPerHost | integer | false | Maximum number of idle (keep-alive) connections to keep per host. Zero uses the http.Transport default. |
| maxConnsPerHost | integer | false | Limits the total number of connections per host, including dialing, active and idle connections. Zero means no limit. |
| maxResponseHeaderBytes | integer | false | Limit on the number of bytes allowed in the server's response header. Zero uses the http.Transport default. |
| readBufferSize | integer | false | Size of the read buffer used when reading from the transport. Zero uses the default size. |
| writeBufferSize | integer | false | Size of the write buffer used when writing to the transport. Zero uses the default size. |
| disableKeepAlives | boolean | false | DisableKeepAlives, if true, disables HTTP keep-alives and will only use the connection to the server for a single HTTP request. This is unrelated to the similarly named TCP keep-alives. |
| forceAttemptHTTP2 | boolean | false | ForceAttemptHTTP2 controls whether HTTP/2 is enabled when a non-zero Dial, DialTLS, or DialContext func or TLSClientConfig is provided. Default is true. |
HTTPDialerConfig
HTTPDialerConfig contains options for the http.Dialer used to connect to an address.
| Key | Value | Required | Description |
|---|---|---|---|
| timeout | string | false | The maximum amount of time a dial will wait for a connect to complete. If Deadline is also set, it may fail earlier. |
| keepAliveEnabled | boolean | false | Keep-alive probes are enabled by default. |
| keepAliveInterval | string | false | KeepAliveInterval is the time between keep-alive probes. If zero, a default value of 15 seconds is used. |
| keepAliveCount | integer | false | Maximum number of keep-alive probes that can go unanswered before the connection is dropped. If zero, the default value is used. |
| keepAliveIdle | string | false | KeepAliveIdle is the time that the connection must be idle before the first keep-alive probe is sent. If zero, a default value of 15 seconds is used. |
| fallbackDelay | string | false | FallbackDelay specifies the length of time to wait before spawning an RFC 6555 Fast Fallback connection. That is, this is the amount of time to wait for IPv6 to succeed before assuming that IPv6 is misconfigured and falling back to IPv4. If zero, a default delay of 300ms is used. A negative value disables Fast Fallback support. |
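The following is an added example configuration that puts the webhook mode together with the HTTP client, transport, TLS, retry, OAuth2 and JMESPath response-transform sections above. It is not taken from the RelyAuth project; the key names come from the tables, but the YAML layout, every URL, file path, header name and environment variable name, the "1.2" spelling of minVersion and the nesting of FieldMappingEntryConfig values under properties are assumptions.

```yaml
# Added example (not from the RelyAuth project). All URLs, paths and
# environment variable names are constructed; the YAML layout is assumed.
version: v1
kind: RelyAuth
definition:
  modes:
    - mode: webhook
      description: Central auth service decides who the caller is
      url:
        env: AUTH_WEBHOOK_URL            # e.g. https://auth.internal.example/verify
      httpClient:
        timeout: 3s                      # hard cap so a slow webhook cannot stall the engine
        transport:
          dialer:
            timeout: 1s
          tlsHandshakeTimeout: 2s
          responseHeaderTimeout: 2s      # covers "TCP connects but server never answers"
          maxIdleConnsPerHost: 16
        tls:
          rootCAFile:
            - value: /etc/relyauth/ca/internal-root.pem   # pin the private CA, not the system pool
          certificates:                  # mutual TLS: the engine proves its own identity to the webhook
            - certFile:
                value: /etc/relyauth/client/tls.crt
              keyFile:
                value: /etc/relyauth/client/tls.key
          minVersion: "1.2"
          insecureSkipVerify:
            value: false                 # chain verification stays on
        retry:
          maxAttempts:
            value: 3
          delay: 200
          maxDelay: 2000
          multiplier: 2
          jitterFactor: 0.25
          httpStatus: [502, 503, 504]    # transient upstream errors only; 401/403 are final
        authentication:
          type: oauth2
          flows:
            clientCredentials:
              tokenUrl:
                env: AUTH_WEBHOOK_TOKEN_URL
              clientId:
                env: AUTH_WEBHOOK_CLIENT_ID
              clientSecret:
                env: AUTH_WEBHOOK_CLIENT_SECRET   # secret lives in the environment, not the file
              scopes: [webhook.verify]
      customResponse:
        response:
          type: jmespath
          template:
            type: object                 # FieldMappingObjectConfig
            properties:
              x-rely-user-id:
                type: field              # FieldMappingEntryConfig
                path: user.id
              x-rely-role:
                type: field
                path: user.role
                default:
                  value: anonymous       # EnvAny literal used when the claim is absent
```

Three choices in this layout carry the security weight: the private root CA is pinned and insecureSkipVerify stays false, so the webhook is actually authenticated; the retry list contains only 5xx codes, so a rejected credential is not replayed; and every secret is an EnvString read from the environment, so the config file itself contains nothing sensitive.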
RelyAuthNoAuthConfig
RelyAuthNoAuthConfig contains the session variables configuration for unauthenticated users.
| Key | Value | Required | Description |
|---|---|---|---|
| id | string | false | Unique identity of the auth config. If not set, the ID will be the index of the array. |
| mode | noAuth | true | Authentication mode, which is always noAuth. |
| sessionVariables | map[string]EnvAny | true | Custom session variables for this auth mode. |
| securityRules | RelyAuthSecurityRulesConfig | false | Configurations for extra security rules. |
RelyAuthJWTConfig
RelyAuthJWTConfig holds the configuration with which the incoming JWT is verified and decoded to extract the session variable claims.
| Key | Value | Required | Description |
|---|---|---|---|
| id | string | false | Unique identity of the auth config. If not set, the ID will be the index of the array. |
| mode | jwt | true | Authentication mode, which is always jwt. |
| description | string | false | Brief description of the auth config. |
| audience | [string] | false | Validates that the aud claim is a member of the configured audience list; otherwise an error is thrown. Required if there are multiple JWT auth configurations. |
| issuer | string | false | Validates that the iss claim matches the configured issuer; otherwise an error is thrown. Required if there are multiple JWT auth configurations. |
| allowedSkew | integer | false | The allowed leeway (in seconds) for the exp validation to account for clock skew. |
| tokenLocation | TokenLocation | true | Source of the JWT authentication token. |
| key | JWTKey | true | Information about the JWT key used to verify the token. |
| claimsConfig | JWTClaimsConfig | true | Configuration describing how and where the engine should look for the claims within the decoded token. You can vary the format and location of the claims. |
| securityRules | RelyAuthSecurityRulesConfig | false | Configurations for extra security rules. |
JWTClaimsConfig
JWTClaimsConfig represents the claims config, specified either via a namespace or via claim locations.
| Key | Value | Required | Description |
|---|---|---|---|
| namespace | JWTClaimsNamespace | false | Used when all of the JWT claims are present in a single object within the decoded JWT. |
| locations | map[string]FieldMappingEntryConfig | false | Used when the JWT claims are not all present in a single object; each claim is instead located by a JSON pointer within the decoded JWT, optionally with a default value. |
FieldMappingEntryConfig
FieldMappingEntryConfig is the entry config to lookup field values with the specified JMES path.
| Key | Value | Required | Description |
|---|---|---|---|
| path | string | false | JMESPath expression to find a value in the input data. |
| default | EnvAny | false | Default value to be used when no value is found. |
| type | field | true | Type of the field mapping config. |
JWTClaimsNamespace
JWTClaimsNamespace is used when all of JWT claims are present in a single object within the decoded JWT.
| Key | Value | Required | Description |
|---|---|---|---|
| location | string | true | Path to look up the Hasura claims within the decoded claims. |
| claimsFormat | Json / StringifiedJson | true | Format in which the Hasura claims will be present. |
JWTKey
Information of the JWT key to verify the token.
One of the following values:
| Value | Description |
|---|---|
| JWTFixedKeyConfig | Configurations for an inline JWT key secret |
| JWTRemoteKeyConfig | Configurations for a remote URL that publishes JSON Web Keys |
JWTRemoteKeyConfig
Configurations for a remote URL that publishes JSON Web Keys.
| Key | Value | Required | Description |
|---|---|---|---|
| algorithm | ES256 / ES384 / ES512 / EdDSA / HS256 / HS384 / HS512 / PS256 / PS384 / PS512 / RS256 / RS384 / RS512 | false | Algorithm to be used for verifying the signature. |
| jwkFromUrl | EnvString | true | A URL where a provider publishes their JWKs (JSON Web Keys, which are used for signing the JWTs). The URL must publish the JWKs in the standard format as described in the RFC 7517 specification. |
JWTFixedKeyConfig
Configurations for an inline JWT key secret
| Key | Value | Required | Description |
|---|---|---|---|
| algorithm | ES256 / ES384 / ES512 / EdDSA / HS256 / HS384 / HS512 / PS256 / PS384 / PS512 / RS256 / RS384 / RS512 | true | Algorithm to be used for verifying the signature. |
| key | EnvString | true | Inline value of the key to use for decoding the JWT. |
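An added example of the JWT mode, covering both key sources (JWTRemoteKeyConfig and JWTFixedKeyConfig), both claims layouts (namespace and locations) and the settings.reloadInterval that governs JWKS refresh. It is not the RelyAuth project's own example; key names come from the tables above, while the YAML layout, issuer and JWKS URLs, header names, claim paths, the namespace location and the environment variable name are assumptions.

```yaml
# Added example (not from the RelyAuth project). URLs, header names, claim
# paths and environment variable names are constructed; YAML layout assumed.
version: v1
kind: RelyAuth
definition:
  settings:
    reloadInterval: 3600               # refetch the JWKS hourly so IdP key rotation is picked up
  modes:
    # 1) End-user tokens from the identity provider, verified against its published JWKS.
    - id: corp-idp
      mode: jwt
      audience: [rely-api]             # required here: two jwt configs are present
      issuer: https://idp.example.com/ # required here for the same reason
      allowedSkew: 30                  # seconds of leeway on exp
      tokenLocation:
        in: header
        name: Authorization
        scheme: Bearer
      key:
        algorithm: RS256               # pinned, so a token declaring another alg is rejected
        jwkFromUrl:
          value: https://idp.example.com/.well-known/jwks.json
      claimsConfig:
        namespace:                     # all claims live in one object inside the token
          location: /app_claims        # constructed path to the Hasura claims object
          claimsFormat: Json
    # 2) Service-to-service tokens signed with a shared secret held in the environment.
    - id: internal-services
      mode: jwt
      audience: [rely-api-internal]
      issuer: https://svc-auth.internal.example/
      tokenLocation:
        in: header
        name: X-Service-Token          # no scheme: the header carries the bare token
      key:
        algorithm: HS256
        key:
          env: INTERNAL_JWT_HS256_SECRET
      claimsConfig:
        locations:                     # claims scattered across the token, one entry each
          x-rely-user-id:
            type: field
            path: sub
          x-rely-role:
            type: field
            path: '"https://example.com/role"'   # JMESPath quoted identifier for a URL-style claim name
            default:
              value: service           # used when the claim is missing
```

Because two JWT configurations are present, audience and issuer are set on both; the reference marks them as required in that situation, and they are what stops a token minted for one configuration from being accepted by the other. The HS256 secret is an EnvString so it never appears in the file, and each configuration pins its algorithm rather than trusting the token's own header.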
RelyAuthAPIKeyConfig
RelyAuthAPIKeyConfig contains configurations for HTTP authentication with static secrets.
| Key | Value | Required | Description |
|---|---|---|---|
| id | string | false | Unique identity of the auth config. If not set, the ID will be the index of the array. |
| mode | apiKey | true | Authentication mode, which is always apiKey. |
| description | string | false | Brief description of the auth config. |
| tokenLocation | TokenLocation | true | Source of the authentication token. |
| sessionVariables | map[string]EnvAny | true | Custom session variables for this auth mode. |
| value | EnvString | true | Value of the static API key to be compared. |
| securityRules | RelyAuthSecurityRulesConfig | false | Configurations for extra security rules. |
RelyAuthSecurityRulesConfig
RelyAuthSecurityRulesConfig defines configurations of security rules.
| Key | Value | Required | Description |
|---|---|---|---|
| allowedIPs | RelyAuthIPAllowListConfig | false | Configure the list of allowed IPs. |
| headerRules | map[string]RelyAuthAllowListConfig | false | Configure the map of header rules. |
RelyAuthAllowListConfig
RelyAuthAllowListConfig represents a common setting for allow list.
| Key | Value | Required | Description |
|---|---|---|---|
| include | EnvStringSlice | false | List of allowed patterns. |
| exclude | EnvStringSlice | false | List of disallowed patterns. |
RelyAuthIPAllowListConfig
RelyAuthIPAllowListConfig represents a setting for IP allow list.
| Key | Value | Required | Description |
|---|---|---|---|
| include | EnvStringSlice | false | List of allowed patterns. |
| exclude | EnvStringSlice | false | List of disallowed patterns. |
| headers | [string] | false | The client IP may be taken from one of these headers. The default client IP headers are used if empty. |
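An added example of the apiKey and noAuth modes with security rules attached, illustrating RelyAuthSecurityRulesConfig, RelyAuthIPAllowListConfig, RelyAuthAllowListConfig and EnvStringSlice. It is not the RelyAuth project's own example: the key names come from the tables, but the YAML layout, header names, environment variable names, session variable names and the pattern syntax used for IP ranges and header values are assumptions (the reference only calls them "patterns").

```yaml
# Added example (not from the RelyAuth project). Header names, env names and
# the pattern syntax for IPs and header values are assumed; YAML layout assumed.
version: v1
kind: RelyAuth
definition:
  modes:
    # Static key for a batch job, restricted to the job runner's network and client.
    - id: batch-job
      mode: apiKey
      description: Nightly export job
      tokenLocation:
        in: header
        name: X-Api-Key
      value:
        env: BATCH_JOB_API_KEY           # the key itself is never written into the config file
      sessionVariables:                  # fixed identity attached to every request with this key
        x-rely-role:
          value: batch
        x-rely-user-id:
          value: batch-job
      securityRules:
        allowedIPs:
          include:
            env: BATCH_JOB_ALLOWED_IPS   # e.g. "10.20.0.0/24"; pattern syntax assumed
          exclude:
            value: ["10.20.0.1"]         # constructed: the gateway itself may not use the key
          headers: [X-Forwarded-For]     # only meaningful if a proxy you control sets it
        headerRules:
          User-Agent:
            include:
              value: ["batch-runner/*"]  # constructed glob; pattern syntax assumed
    # Unauthenticated callers: an explicit mode that hands out a fixed, low-privilege role.
    - id: public
      mode: noAuth
      sessionVariables:
        x-rely-role:
          value: anonymous
```

The apiKey mode compares a single static secret, so the security rules are what narrow its blast radius: the IP allow list limits where the key may be used from, and the header rule limits which client may present it. The noAuth mode is deliberately explicit about what an unauthenticated caller becomes, rather than leaving the session variables to chance.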
EnvStringSlice
A list of strings that can be given as a literal or read from an environment variable.
| Key | Value | Required | Description |
|---|---|---|---|
| value | [string] | false | Default literal value if the env is empty. |
| env | string | false | Environment variable to be evaluated. |
EnvString
A string value that can be given as a literal or read from an environment variable.
| Key | Value | Required | Description |
|---|---|---|---|
| value | string | false | Default literal value if the env is empty. |
| env | string | false | Environment variable to be evaluated. |
EnvAny
| Key | Value | Required | Description |
|---|---|---|---|
| value | any | false | Default literal value if the env is empty. |
| env | string | false | Environment variable to be evaluated. |
TokenLocation
TokenLocation contains the configuration for the location of the access token.
| Key | Value | Required | Description |
|---|---|---|---|
| in | header / query / cookie | true | The location enum for setting the authentication value. |
| name | string | true | Name of the field to validate, for example, the Authorization header. |
| scheme | string | false | The name of the HTTP authentication scheme to be used in the Authorization header as defined in RFC7235. The values used SHOULD be registered in the IANA Authentication Scheme registry (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in RFC7235. |
RelyAuthSettings
RelyAuthSettings holds global settings for the authenticators.
| Key | Value | Required | Description |
|---|---|---|---|
| reloadInterval | integer | false | The interval in seconds at which JSON Web Keys are reloaded from the remote URL. A zero or negative value disables reloading. |