Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance. Project price only 1 $
You can buy this project and download/modify it how often you want.
# Security configuration for graphql-security in light-graphql-4j. It is a specific config
# for GraphQL framework security. It is introduced to support multiple frameworks in the
# same server instance. If this file cannot be found, the generic security.yml will be
# loaded for backward compatibility.
---
# Enable the JWT verification flag. The JwtVerifierHandler will skip the JWT token verification
# if this flag is false. It should only be set to false on the dev environment for testing
# purposes. If you have some endpoints that want to skip the JWT verification, you can put the
# request path prefix in skipPathPrefixes.
enableVerifyJwt: ${graphql-security.enableVerifyJwt:true}
# Enable the SWT verification flag. The SwtVerifierHandler will skip the SWT token verification
# if this flag is false. It should only be set to false on the dev environment for testing
# purposes. If you have some endpoints that want to skip the SWT verification, you can put the
# request path prefix in skipPathPrefixes.
enableVerifySwt: ${graphql-security.enableVerifySwt:false}
# swt clientId header name. When light-gateway is used and the consumer app does not want to save
# the client secret in the configuration file, it can be passed in the header.
swtClientIdHeader: ${security.swtClientIdHeader:swt-client}
# swt clientSecret header name. When light-gateway is used and the consumer app does not want to save
# the client secret in the configuration file, it can be passed in the header.
swtClientSecretHeader: ${graphql-security.swtClientSecretHeader:swt-secret}
# Extract JWT scope token from the X-Scope-Token header and validate the JWT token
enableExtractScopeToken: ${graphql-security.enableExtractScopeToken:true}
# Enable JWT scope verification. This flag is valid when enableVerifyJwt is true. When using the
# light gateway as a centralized gateway without backend API specifications, you can still enable
# this flag to allow the admin endpoints to have scopes verified. And all backend APIs without
# specifications skip the scope verification if the spec does not exist with the skipVerifyScopeWithoutSpec
# flag to true. Also, you need to have the openapi.yml specification file in the config folder to
# enable it, as the scope verification compares the scope from the JWT token and the scope in the
# endpoint specification.
enableVerifyScope: ${graphql-security.enableVerifyScope:true}
# Users should only use this flag in a shared light gateway if the backend API specifications are
# unavailable in the gateway config folder. If this flag is true and the enableVerifyScope is true,
# the security handler will invoke the scope verification for all endpoints. However, if the endpoint
# doesn't have a specification to retrieve the defined scopes, the handler will skip the scope verification.
skipVerifyScopeWithoutSpec: ${graphql-security.skipVerifyScopeWithoutSpec:false}
# If set true, the JWT verifier handler will pass if the JWT token is expired already. Unless
# you have a strong reason, please use it only on the dev environment if your OAuth 2 provider
# doesn't support long-lived token for dev environment or test automation.
ignoreJwtExpiry: ${graphql-security.ignoreJwtExpiry:false}
# set true if you want to allow http 1/1 connections to be upgraded to http/2 using the UPGRADE method (h2c).
# By default, this is set to false for security reasons. If you choose to enable it make sure you can handle http/2 w/o tls.
enableH2c: ${graphql-security.enableH2c:false}
# User for test only. should be always be false on official environment.
enableMockJwt: ${graphql-security.enableMockJwt:false}
# Enables relaxed verification for jwt. e.g. Disables key length requirements.
# Should be used in test environments only.
enableRelaxedKeyValidation: ${graphql-security.enableRelaxedKeyValidation:false}
# JWT signature public certificates. kid and certificate path mappings.
jwt:
certificate: ${graphql-security.certificate:100=primary.crt&101=secondary.crt}
# '100': primary.crt
# '101': secondary.crt
clockSkewInSeconds: ${graphql-security.clockSkewInSeconds:60}
# Key distribution server standard: JsonWebKeySet for other OAuth 2.0 provider| X509Certificate for light-oauth2
keyResolver: ${graphql-security.keyResolver:JsonWebKeySet}
# Enable or disable JWT token logging for audit. This is to log the entire token
# or choose the next option that only logs client_id, user_id and scope.
logJwtToken: ${graphql-security.logJwtToken:true}
# Enable or disable client_id, user_id and scope logging if you don't want to log
# the entire token. Choose this option or the option above.
logClientUserScope: ${graphql-security.logClientUserScope:false}
# Enable JWT token cache to speed up verification. This will only verify expired time
# and skip the signature verification as it takes more CPU power and a long time. If
# each request has a different jwt token, like authorization code flow, this indicator
# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes
# and the cache can grow bigger if the number of requests is very high. This will cause
# memory kill in a Kubernetes pod if the memory setting is limited.
enableJwtCache: ${graphql-security.enableJwtCache:true}
# If enableJwtCache is true, then an error message will be shown up in the log if the
# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect
# cache problem if many distinct tokens flood the cache in a short period of time. If
# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache
# or increase the cache full size to a bigger number from the default 100.
jwtCacheFullSize: ${graphql-security.jwtCacheFullSize:100}
# If you are using light-oauth2, then you don't need to have oauth subfolder for public
# key certificate to verify JWT token, the key will be retrieved from key endpoint once
# the first token is arrived. Default to false for dev environment without oauth2 server
# or official environment that use other OAuth 2.0 providers.
bootstrapFromKeyService: ${graphql-security.bootstrapFromKeyService:false}
# Used in light-oauth2 and oauth-kafka key service for federated deployment. Each instance
# will have a providerId, and it will be part of the kid to allow each instance to get the
# JWK from other instance based on the providerId in the kid.
providerId: ${graphql-security.providerId:}
# Define a list of path prefixes to skip the security to ease the configuration for the
# handler.yml so that users can define some endpoint without security even through it uses
# the default chain. This is particularly useful in the light-gateway use case as the same
# instance might be shared with multiple consumers and providers with different security
# requirement. The format is a list of strings separated with commas or a JSON list in
# values.yml definition from config server, or you can use yaml format in this file.
skipPathPrefixes: ${graphql-security.skipPathPrefixes:}
# When light-gateway or http-sidecar is used for security, sometimes, we need to pass some
# claims from the JWT or SWT to the backend API for further verification or audit. You can
# select some claims to pass to the backend API with HTTP headers. The format is a map of
# claim in the token and a header name that the downstream API is expecting. You can use
# both JSON or YAML format.
# When SwtVerifyHandler is used, the claim names are in https://github.com/networknt/light-4j/blob/master/client/src/main/java/com/networknt/client/oauth/TokenInfo.java
# When JwtVerifyHandler is used, the claim names is the JwtClaims claimName.
# YAML
# graphql-security.passThroughClaims:
# clientId: client_id
# tokenType: token_type
# JSON
# graphql-security.passThroughClaims: {"clientId":"client_id","tokenType":"token_type"}
passThroughClaims: ${graphql-security.passThroughClaims:}
