
Configuration

The ezoidc server requires a configuration file to be provided to start. If no arguments are provided, the server will look for the configuration file config.yaml in the current working directory. A custom path to the configuration file can be provided using the --config flag.

Terminal window
ezoidc-server start --config path/to/config.yaml

Required

The following properties must be provided in the configuration file.

policy

The policy that grants access to variables. See the policy reference for more details.

config.yaml
policy: |
  allow.read("public_variable")
  allow.read("secret_variable") if {
    # validate issuer, subject, claims
  }

audience

This value is a string or a list of strings that the ezoidc server will accept as the audience of OIDC tokens.

config.yaml
audience: https://test.ezoidc.dev
audience:
  - https://test.ezoidc.dev
  - https://test.example.com

By default, the ezoidc client will use the token’s audience to determine the URL of the ezoidc server. Therefore, this option should be set to a URL that is reachable from wherever the ezoidc client runs. Otherwise, the client has the option to override the host of the server.

variables

A map of variables available to the server’s policy. The map’s key is the variable name.

| Field  | Type             | Default  | Description                                                                              |
|--------|------------------|----------|------------------------------------------------------------------------------------------|
| value  | string, provider | Required | A literal value or variable provider.                                                    |
| export | string           | ""       | The name of the environment variable to export the variable (optional).                  |
| redact | boolean          | true     | If true, the variable value will be redacted from logs where possible (default: true).   |
config.yaml
variables:
  public_variable:
    value: public
    export: PUBLIC_VARIABLE
    redact: false
  env_variable:
    value: { env: ENV_VARIABLE }
  ssm:
    value: { aws.ssm: parameterName }

issuers

The list of issuers that the server will accept tokens from. The signing keys of the issuer can be configured in multiple ways:

  • When only issuer is provided, the server will use OpenID discovery to retrieve the JWKs URI.
  • If jwks_uri is provided, the OIDC discovery is skipped and keys are fetched from the provided URI on startup.
  • For instances where the ezoidc server cannot reach the issuer’s JWKs URI, the issuer can be configured with a static JWKs as a string in jwks.
config.yaml
issuers:
  github:
    issuer: https://token.actions.githubusercontent.com
  gitlab:
    issuer: https://gitlab.com
    jwks_uri: https://gitlab.com/oauth/discovery/keys
  selfhosted:
    issuer: https://kubernetes.default.svc.cluster.local
    jwks: |
      {"keys": [{"alg": "RS256", "use": "sig", "n": "..."}]}
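A pre-deployment check over the required properties described above, added here as an example and not part of ezoidc itself. It assumes config.yaml has already been loaded into a dict (for instance with yaml.safe_load) and that env and aws.ssm are the variable providers, as in the snippets on this page:

```python
from urllib.parse import urlparse

PROVIDERS = {"env", "aws.ssm"}  # variable providers shown in the reference (assumption)
REQUIRED = ("policy", "audience", "variables", "issuers")

def _https_url(value) -> bool:
    """True for an https URL with a host, which clients and JWKs fetches need."""
    u = urlparse(value) if isinstance(value, str) else None
    return bool(u and u.scheme == "https" and u.netloc)

def validate_config(cfg: dict) -> list[str]:
    """Return findings; an empty list means the config passes these checks."""
    findings = [f"missing required property: {key}" for key in REQUIRED if key not in cfg]
    # audience: a string or a list of strings; clients derive the server URL from it
    if "audience" in cfg:
        aud = cfg["audience"]
        for a in aud if isinstance(aud, list) else [aud]:
            if not _https_url(a):
                findings.append(f"audience {a!r} is not an https URL")
    # variables: value is a literal string or a single-key provider mapping
    for name, var in (cfg.get("variables") or {}).items():
        value = (var or {}).get("value")
        if isinstance(value, dict):
            if len(value) != 1 or not PROVIDERS.intersection(value):
                findings.append(f"variable {name}: unknown provider {value!r}")
            if var.get("redact") is False:  # provider-backed values are usually secrets
                findings.append(f"variable {name}: provider value with redact: false")
        elif not isinstance(value, str):
            findings.append(f"variable {name}: value must be a string or a provider")
    # issuers: issuer URL is required; jwks_uri and jwks are alternative key sources
    for name, iss in (cfg.get("issuers") or {}).items():
        iss = iss or {}
        if not _https_url(iss.get("issuer")):
            findings.append(f"issuer {name}: issuer must be an https URL")
        if "jwks_uri" in iss and "jwks" in iss:
            findings.append(f"issuer {name}: use jwks_uri or jwks, not both")
    return findings

# Constructed sample mirroring the reference above (not a real deployment).
SAMPLE = {
    "policy": 'allow.read("public_variable")\n',
    "audience": ["https://test.ezoidc.dev", "https://test.example.com"],
    "variables": {"public_variable": {"value": "public", "export": "PUBLIC_VARIABLE", "redact": False},
                  "env_variable": {"value": {"env": "ENV_VARIABLE"}},
                  "ssm": {"value": {"aws.ssm": "parameterName"}}},
    "issuers": {"github": {"issuer": "https://token.actions.githubusercontent.com"},
                "gitlab": {"issuer": "https://gitlab.com", "jwks_uri": "https://gitlab.com/oauth/discovery/keys"}},
}
```

Running validate_config(SAMPLE) returns an empty list; a config that drops policy, uses an http audience, or sets redact: false on a provider-backed variable gets one finding per problem.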

Optional

The following properties are optional.

listen

The host and port the ezoidc HTTP API server should bind to. By default, the server will listen on 0.0.0.0:3501.

config.yaml
listen: 0.0.0.0:3501

If this property is unset, the PORT environment variable can be set to specify the port; the server then listens on that port on 0.0.0.0.

log_level

Configures the log level of the server. The default log level is info.

algorithms

The allowed algorithms to validate JWT tokens. By default, the server will accept RS256 and ES256.

config.yaml
algorithms:
  - RS256
  - ES256