
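---
# Ory Kratos configuration. Values of the form env://NAME are resolved from the
# environment at load time; file:// references point at files mounted under
# /etc/kratos. Indentation restored from a whitespace-mangled copy; the nesting
# follows the Kratos config schema for the keys shown here.
version: v1.1.0
dsn: env://DSN

serve:
  public:
    base_url: env://SERVE_PUBLIC_BASE_URL
    cors:
      # CORS is handled by the Oathkeeper proxy to avoid duplicate headers.
      enabled: false
  admin:
    base_url: env://SERVE_ADMIN_BASE_URL

selfservice:
  default_browser_return_url: https://account.example.com
  # Allowlist of post-flow redirect targets. This list is what bounds where a
  # browser flow may send a user afterwards, so keep it minimal: the localhost
  # and local.example.com entries are development-only and should not ship in
  # a production copy of this file.
  allowed_return_urls:
    - https://account.example.com
    - https://auth.example.com
    - https://app.example.com
    - https://admin.example.com
    - http://localhost:5173
    - https://local.example.com:5173
    - http://localhost:4455

  methods:
    password:
      enabled: true
      config:
        haveibeenpwned_enabled: true
        min_password_length: 8
        identifier_similarity_check_enabled: true
    totp:
      enabled: true
      config:
        # Shown as the account label in authenticator apps.
        issuer: Nexus Nexus
    webauthn:
      enabled: true
      config:
        rp:
          display_name: Nexus Nexus
          # RP ID is the parent domain, so credentials are scoped to every
          # subdomain listed in origins below.
          id: example.com
          # Same development-only caveat as allowed_return_urls above.
          origins:
            - https://account.example.com
            - https://auth.example.com
            - https://app.example.com
            - https://admin.example.com
            - http://localhost:5173
            - https://local.example.com:5173
            - http://localhost:4455
    link:
      enabled: true
    code:
      enabled: true

  flows:
    error:
      ui_url: https://account.example.com/error
    settings:
      ui_url: https://account.example.com/settings
      # Credential changes require a session no older than 15m at the highest
      # AAL the identity has configured (re-authentication otherwise).
      privileged_session_max_age: 15m
      required_aal: highest_available
    recovery:
      enabled: true
      ui_url: https://account.example.com/recovery
      use: code
      # Extended to give users more time to recover their account.
      lifespan: 4h
      after:
        default_browser_return_url: https://account.example.com/settings
    verification:
      enabled: true
      ui_url: https://account.example.com/verification
      use: code
      # Extended to give users a full day to verify their email.
      lifespan: 24h
      after:
        default_browser_return_url: https://account.example.com/
    logout:
      after:
        default_browser_return_url: https://account.example.com/login
    login:
      ui_url: https://account.example.com/login
      lifespan: 10m
    registration:
      lifespan: 10m
      ui_url: https://account.example.com/registration
      after:
        default_browser_return_url: https://account.example.com/
        password:
          # NOTE(review): the session hook appears to log the user in directly
          # after password registration, i.e. before verification completes;
          # confirm that is intended.
          hooks:
            - hook: session

log:
  level: env://LOG_LEVEL
  format: text
  # Keep false outside local debugging; true writes credentials and tokens to
  # the log output.
  leak_sensitive_values: false

# All secrets come from the environment; nothing is committed here.
secrets:
  cookie:
    - env://SECRETS_COOKIE
  cipher:
    - env://SECRETS_CIPHER
  default:
    - env://SECRETS_DEFAULT

ciphers:
  algorithm: xchacha20-poly1305

hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 12

identity:
  default_schema_id: nexus-v2
  schemas:
    - id: default
      url: file:///etc/kratos/identity.schema.json
    - id: nexus-v2
      url: file:///etc/kratos/identity.v2.schema.json

cookies:
  # Leading dot allows cookies to be shared across subdomains
  # (account.example.com <-> auth.example.com).
  domain: .example.com
  same_site: Lax

session:
  lifespan: 24h
  earliest_possible_extend: 1h
  cookie:
    domain: .example.com
    same_site: Lax
    persistent: true

courier:
  smtp:
    connection_uri: env://COURIER_SMTP_CONNECTION_URI
    from_address: env://COURIER_SMTP_FROM_ADDRESS
    from_name: env://COURIER_SMTP_FROM_NAME
  templates:
    verification_code:
      valid:
        email:
          body:
            html: file:///etc/kratos/courier-templates/verification_code_valid.email.body.html.gotmpl
            plaintext: file:///etc/kratos/courier-templates/verification_code_valid.email.body.plaintext.gotmpl
          subject: file:///etc/kratos/courier-templates/verification_code_valid.email.subject.gotmpl
    recovery_code:
      valid:
        email:
          body:
            html: file:///etc/kratos/courier-templates/recovery_code_valid.email.body.html.gotmpl
            plaintext: file:///etc/kratos/courier-templates/recovery_code_valid.email.body.plaintext.gotmpl
          subject: file:///etc/kratos/courier-templates/recovery_code_valid.email.subject.gotmpl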