^\./.*\.schema\.json$
Must be at least 1 character long
Must be at most 64 characters long
If null, http.*_key authentication methods will be disabled.
API key secret used to protect API endpoints; this secret will be used as HTTP Basic authentication with the 'infinite' login. It will be preferred over the OAuth2 method if both are specified.
Must be at least 1 character long
Must contain a maximum of 7 items
optional directory API vhost for backend or administration usage. If specified, this vhost will not accept client security schemes. Using separate vhosts allows custom security rules (mTLS, IP filtering, ...) to be implemented on the HTTP gate based on API usage.
No Additional Properties
Allows disabling specified API endpoints.
No Additional Properties
If set, the docstoreeditor GUI (/directory/docstoreeditor) will be available. This GUI should not be used in production.
Unset this to disable /directory/api/directorysession/requestsuperadminregistrationcode and /directory/api/backend/registersuperadmin.
If set, the web API documentation will be available under /directory/webapidoc/. This is not recommended for production servers.
Allows restricting the security flows accepted on this vhost
Accept all security schemes
List of security flows accepted by the ∞Directory.
Must contain a minimum of 1 item
Allows restricting the security schemes accepted on this vhost
Accept all security schemes
List of security schemes accepted by the ∞Directory.
Must contain a minimum of 1 item
directory API URL for public usage. The port has to be made explicit as this attribute is part of the license.
Must match regular expression: ^https?:\/\/[^@\/A-Z]+?(:[1-9][0-9]{0,4})(\/.*)?\/directory$
Must be at most 1024 characters long
bind port for ∞Directory api http implementation
Value must be greater than or equal to 1 and less than or equal to 65535
If true, the authorization and vhost checks will be disabled for the /api/getversion endpoint. This is useful for running health checks of containers behind a load balancer, where the load balancer will use an internal IP or hostname.
Define which headers should be used to determine the host and port used by the client. Unfortunately, two sets of headers ('Forwarded' and 'X-Forwarded-*') exist for reverse proxies, so depending on your infrastructure you might need to change the evaluation order. Evaluation will stop at the first header found. If no header is found, the 'Host' header will be used. Some exotic configurations (like AWS) may preserve the Host header, add X-Forwarded-Port and discard X-Forwarded-Host; in this case, the policy host-with-x-forwarded-port may be used.
All items must be unique
No Additional Items
enables log of received http requests
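The header evaluation described above, as an added example that is not the product's own code: policies are tried in the configured order, evaluation stops at the first header found, and Host is the fallback. The policy name host-with-x-forwarded-port comes from the page; the names forwarded and x-forwarded and the header layout are assumptions for this example.

```python
# Added example, not the product's own code: resolves the client-facing host
# and port from reverse-proxy headers using a configurable evaluation order.
# 'host-with-x-forwarded-port' is the policy named on the page; 'forwarded'
# and 'x-forwarded' are assumed policy names. Only list policies for headers
# your proxy is known to set or strip: a header the proxy passes through
# untouched is client-controlled input.
from typing import Dict, List, Optional, Tuple

HostPort = Tuple[str, Optional[int]]

def _split_host(hostport: str) -> HostPort:
    """Split 'host[:port]' (bracketed IPv6 allowed) into (host, port or None)."""
    if hostport.startswith("["):
        end = hostport.find("]")
        host, rest = hostport[:end + 1], hostport[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return host, port
    host, sep, port = hostport.partition(":")
    return (host, int(port)) if sep and port.isdigit() else (hostport, None)

def _parse_forwarded(value: str) -> Optional[HostPort]:
    """Read host=... from the first element of an RFC 7239 'Forwarded' header."""
    params = {}
    for part in value.split(",")[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return _split_host(params["host"]) if "host" in params else None

def resolve_client_host(headers: Dict[str, str], policies: List[str]) -> HostPort:
    """Evaluate policies in order, stop at the first header found, else use Host."""
    h = {k.lower(): v for k, v in headers.items()}
    xfp = h.get("x-forwarded-port", "")
    for policy in policies:
        if policy == "forwarded" and "forwarded" in h:
            parsed = _parse_forwarded(h["forwarded"])
            if parsed is not None:
                return parsed
        elif policy == "x-forwarded" and "x-forwarded-host" in h:
            host, port = _split_host(h["x-forwarded-host"])
            return host, (port if port is not None else (int(xfp) if xfp.isdigit() else None))
        elif policy == "host-with-x-forwarded-port" and "host" in h and xfp.isdigit():
            # proxy kept Host but only added X-Forwarded-Port (the AWS case on the page)
            return _split_host(h["host"])[0], int(xfp)
    return _split_host(h.get("host", ""))

if __name__ == "__main__":
    # constructed sample: AWS-style headers without X-Forwarded-Host
    print(resolve_client_host({"Host": "dir.example.com", "X-Forwarded-Port": "443"},
                              ["forwarded", "x-forwarded", "host-with-x-forwarded-port"]))
```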
how long (in seconds) a bearer is kept in cache
Value must be greater than or equal to 0 and less than or equal to 500
specifies whether the directory API HTTP implementation should listen on all addresses; if false, only loopback will be bound
main directory vhost, always used by client applications. If backendvhost security schemes are defined, implicit restrictions will be applied to this vhost. Should use HTTPS!
No Additional Properties
Allows disabling specified API endpoints.
No Additional Properties
If set, the docstoreeditor GUI (/directory/docstoreeditor) will be available. This GUI should not be used in production.
Unset this to disable /directory/api/directorysession/requestsuperadminregistrationcode and /directory/api/backend/registersuperadmin.
If set, the web API documentation will be available under /directory/webapidoc/. This is not recommended for production servers.
Allows restricting the security flows accepted on this vhost
Accept all security schemes
List of security flows accepted by the ∞Directory.
Must contain a minimum of 1 item
Allows restricting the security schemes accepted on this vhost
Accept all security schemes
List of security schemes accepted by the ∞Directory.
Must contain a minimum of 1 item
directory API URL for public usage. The port has to be made explicit as this attribute is part of the license.
Must match regular expression: ^https?:\/\/[^@\/A-Z]+?(:[1-9][0-9]{0,4})(\/.*)?\/directory$
Must be at most 1024 characters long
filer storage implemented using an OS or network-share filesystem. The folder used should be dedicated to this ∞Directory, as it will automatically create/delete files!
No Additional Properties
folder in which data will be stored. If relative, it will be resolved relative to the job file.
Must be at least 1 character long
"filesystem"
filer storage implemented using a Microsoft Azure storage account. This storage account should be dedicated to this ∞Directory, as it will automatically create/delete blob containers!
No Additional Properties
http configuration for calls to the Azure blob REST API
No Additional Properties
Use global configuration
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
Use global configuration
Enforce use of provided http proxy for http calls
Must match regular expression: ^https?:\/\/.*$
Must be at most 1024 characters long
Disable use of any http proxy for http calls
Enforce use of the automatic http proxy configuration from the system for http calls
Use global configuration
Set this value to false to disable ssl peer verification
azure storage account name. The storage account name cannot be deduced from the URL, as the URL format might differ due to the use of a reverse proxy or Azurite. The example is the default storage account for the Azurite emulator.
Must be at least 1 character long
"azureblob"
azure storage account url.
Must be at least 1 character long
Filer storage implemented using Amazon S3 or Minio bucket storage. This bucket should be dedicated to this ∞Directory!
No Additional Properties
The 'public' access key
Must be at least 1 character long
http configuration for calls to bucket storage rest api
No Additional Properties
Use global configuration
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
Use global configuration
Enforce use of provided http proxy for http calls
Must match regular expression: ^https?:\/\/.*$
Must be at most 1024 characters long
Disable use of any http proxy for http calls
Enforce use of the automatic http proxy configuration from the system for http calls
Use global configuration
Set this value to false to disable ssl peer verification
AWS region, for Minio use us-east-1
Must be at least 1 character long
The 'private' secret key
Must be at least 1 character long
"s3bucket"
Bucket url.
Must be at least 1 character long
http configuration
No Additional Properties
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
Enforce use of provided http proxy for http calls
Must match regular expression: ^https?:\/\/.*$
Must be at most 1024 characters long
Disable use of any http proxy for http calls
Enforce use of the automatic http proxy configuration from the system for http calls
Set this value to false to disable ssl peer verification
rfDebug output that should be omitted
All items must be unique
No Additional Items
Must be at least 1 character long
loglevel should be used instead. Enables the DEBUG log level. This SHOULD NOT BE MAINTAINED IN PRODUCTION as it will log sensitive data and have a negative impact on overall performance.
change default log location. If relative, will be resolved relative to configuration or job file.
Must be at least 1 character long
use default log location
Must be at least 0 characters long
Must be at most 0 characters long
disable file logging
enable log output to console
Specifies the log level. INFO > DEBUG > TRACE. A log level lower than INFO SHOULD NOT BE MAINTAINED IN PRODUCTION as it will log sensitive data and have a negative impact on overall performance.
Configuration for Grafana Loki http push log handler
No Additional Properties
http configuration for calls to the Loki endpoint
No Additional Properties
Use global configuration
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
Use global configuration
Enforce use of provided http proxy for http calls
Must match regular expression: ^https?:\/\/.*$
Must be at most 1024 characters long
Disable use of any http proxy for http calls
Enforce use of the automatic http proxy configuration from the system for http calls
Use global configuration
Set this value to false to disable ssl peer verification
optional labels that will be added to loki streams
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^(?!log$).*$
Must be at least 1 character long
Must be at most 64 characters long
Additional Properties of any type are allowed.
Type: object
loki connection login
maximum size in bytes of a log message sent to Loki; if a log entry is longer, it will be truncated. If zero, the full message will not be truncated.
Value must be greater than or equal to 0
loki connection password
a URL that should point to an endpoint compatible with POST /loki/api/v1/push; the body will be gzipped JSON, and this endpoint is expected to return 200 or 204 on success. The URL should not contain credentials.
Must match regular expression: ^https?:\/\/[^@\/]+?(\/.*)$
Must be at most 1024 characters long
Maximum log file size
Value must be greater than or equal to 16 and less than or equal to 1024
Number of backup logs to keep; if -1, all logs will be kept
Value must be greater than or equal to -1 and less than or equal to 512
Enable time-based log rotation
common OpenID connect settings
No Additional Properties
OpenID Provider configuration url (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest)
Must match regular expression: ^https:\/\/([^\/]*?)\/.*$
Must be at most 1024 characters long
http configuration for calls to the OpenID server
No Additional Properties
Use global configuration
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
Use global configuration
Enforce use of provided http proxy for http calls
Must match regular expression: ^https?:\/\/.*$
Must be at most 1024 characters long
Disable use of any http proxy for http calls
Enforce use of the automatic http proxy configuration from the system for http calls
Use global configuration
Set this value to false to disable ssl peer verification
No OAuth2 configuration for machine-to-machine communication; http.m2m_bearer will be disabled and the API key will be used.
Configure OAuth2 machine-to-machine identification using the OpenID Connect client credentials flow. See the http.m2m_bearer authentication method. These settings will be used to acquire a token and to validate received tokens.
No Additional Properties
specifies additional query parameters that should be added to OIDC endpoint calls
No Additional Properties
additional query parameters for token_endpoint
No Additional Properties
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^(?!scope$).*$
Additional scope string that will be passed to the OpenID server on the token call to obtain an access_token. infinite.* scopes will be added automatically.
Must match regular expression: ^(()|([\x21\x23-\x5B\x5d-\x7e]+)( [\x21\x23-\x5B\x5d-\x7e]+)*)$
Must be at least 0 characters long
Must be at most 1024 characters long
List of algorithms that will be allowed for JWTs (idtoken and accesstoken) delivered by the OpenID server
All items must be unique
No Additional Items
OpenID application id
Must be at least 1 character long
OpenID application secret
Must be at least 1 character long
audience (aud) value is assumed to contain client_id.
disable aud field validation. Not recommended, but could be useful when dealing with a weird OIDC server.
Specific value: false
value that should be contained in access tokens aud field.
Must be at least 1 character long
list of potential aud field values. At least one should be equal to access tokens aud field.
Must contain a minimum of 1 item
Must contain a maximum of 16 items
value that should be contained in access tokens aud field.
Must be at least 1 character long
Authorized party (azp) value is assumed to contain client_id
disable azp field validation. Not recommended, but could be useful when dealing with a weird OIDC server.
Specific value: false
list of accepted azp values, at least one should be contained in access tokens azp field
Must contain a minimum of 1 item
Must contain a maximum of 32 items
All items must be unique
No Additional Items
Must be at least 1 character long
issuer (iss) value will be retrieved from configuration endpoint.
disable iss field validation. Not recommended, but could be useful when dealing with a weird OIDC server.
Specific value: false
value that should be contained in access tokens iss field.
Must be at least 1 character long
list of potential iss field values. At least one should be equal to access tokens iss field.
Must contain a minimum of 1 item
Must contain a maximum of 16 items
value that should be contained in access tokens iss field.
Must be at least 1 character long
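The aud, azp and iss checks described by the settings above, as an added example that is not the product's own code: each setting is either absent (the default described on the page: client_id for aud and azp, the issuer from the configuration endpoint for iss), false (validation disabled), a single value, or a list of accepted values. Treating a missing claim as a failure is this example's assumption, not something the page states.

```python
# Added example, not the product's own code: validates the aud, azp and iss
# claims of an access token. Each setting takes one of four shapes: None
# (default: client_id for aud/azp, the discovered issuer for iss), False
# (validation disabled), a single accepted value, or a list of accepted values.
# A missing claim is treated as a failure here; that is this example's choice.
from typing import Any, Dict, List, Optional, Union

Setting = Union[None, bool, str, List[str]]

def _accepted(setting: Setting, default: str) -> Optional[List[str]]:
    """Normalise a setting to its accepted values, or None when validation is off."""
    if setting is False:
        return None
    if setting is None:
        return [default]
    return [setting] if isinstance(setting, str) else list(setting)

def _aud_values(claim: Any) -> List[str]:
    """aud may be a single string or an array of strings (RFC 7519 section 4.1.3)."""
    if claim is None:
        return []
    return [claim] if isinstance(claim, str) else list(claim)

def validate_claims(claims: Dict[str, Any], client_id: str, discovered_iss: str,
                    aud: Setting = None, azp: Setting = None, iss: Setting = None) -> List[str]:
    """Return the names of the claims that failed; an empty list means the token passes."""
    failed = []
    accepted = _accepted(aud, client_id)          # at least one accepted value must be in aud
    if accepted is not None and not set(accepted) & set(_aud_values(claims.get("aud"))):
        failed.append("aud")
    accepted = _accepted(azp, client_id)          # azp must be one of the accepted values
    if accepted is not None and claims.get("azp") not in accepted:
        failed.append("azp")
    accepted = _accepted(iss, discovered_iss)     # iss must equal one of the accepted values
    if accepted is not None and claims.get("iss") not in accepted:
        failed.append("iss")
    return failed

if __name__ == "__main__":
    # constructed sample token claims
    token = {"aud": ["client-1", "https://dir.example.com/directory"], "azp": "client-1",
             "iss": "https://idp.example.com/"}
    print(validate_claims(token, "client-1", "https://idp.example.com/"))
```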
configure user identification and session access token using OpenID Connect code flow
No Additional Properties
specifies additional query parameters that should be added to OIDC endpoint calls
No Additional Properties
additional query parameters for revocation_endpoint
Each additional property must conform to the following schema
Type: string
additional query parameters for token_endpoint
No Additional Properties
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^(?!scope$).*$
Additional scope string that will be passed to the OpenID server to obtain access_token that will be passed to the client
Must match regular expression: ^(()|([\x21\x23-\x5B\x5d-\x7e]+)( [\x21\x23-\x5B\x5d-\x7e]+)*)$
Must be at least 0 characters long
Must be at most 1024 characters long
Additional scope string that will be passed to the OpenID server on the authorize call to obtain the first idtoken and accesstoken, which will be passed to the authentication_webhook
Must match regular expression: ^(()|([\x21\x23-\x5B\x5d-\x7e]+)( [\x21\x23-\x5B\x5d-\x7e]+)*)$
Must be at least 0 characters long
Must be at most 1024 characters long
List of algorithms that will be allowed for JWTs (idtoken and accesstoken) delivered by the OpenID server
All items must be unique
No Additional Items
No authentication webhook
Define authentication webhook that will be called on each user identification
No Additional Properties
http configuration for calls to the authentication webhook
No Additional Properties
Use global configuration
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
Use global configuration
Enforce use of provided http proxy for http calls
Must match regular expression: ^https?:\/\/.*$
Must be at most 1024 characters long
Disable use of any http proxy for http calls
Enforce use of the automatic http proxy configuration from the system for http calls
Use global configuration
Set this value to false to disable ssl peer verification
^https:\/\/.*$
Must be at most 1024 characters long
OpenID application id
Must be at least 1 character long
OpenID application secret
Must be at least 1 character long
set to null if HS* signing algorithms are not allowed
OpenID secret for HS* signing algorithms, only supported for id_token. If not null, the HS256, HS384 and HS512 algs will be accepted.
Must be at least 0 characters long
Allows copying and optionally remapping id_token extra fields (except some sensitive ones) to standard fields to customize user information display. Object keys are the extra field names to copy.
No Additional Properties
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: ^(?!client_id$|nonce$|aud$|azp$|exp$|iat$|nbf$|acr$|iss$).*$
remap target field name.
only copy
audience (aud) value is assumed to contain client_id.
disable aud field validation. Not recommended, but could be useful when dealing with a weird OIDC server.
Specific value: false
value that should be contained in access tokens aud field.
Must be at least 1 character long
list of potential aud field values. At least one should be equal to access tokens aud field.
Must contain a minimum of 1 item
Must contain a maximum of 16 items
value that should be contained in access tokens aud field.
Must be at least 1 character long
Authorized party (azp) value is assumed to contain client_id
disable azp field validation. Not recommended, but could be useful when dealing with a weird OIDC server.
Specific value: false
list of accepted azp values, at least one should be contained in access tokens azp field
Must contain a minimum of 1 item
Must contain a maximum of 32 items
All items must be unique
No Additional Items
Must be at least 1 character long
issuer (iss) value will be retrieved from configuration endpoint.
disable iss field validation. Not recommended, but could be useful when dealing with a weird OIDC server.
Specific value: false
value that should be contained in access tokens iss field.
Must be at least 1 character long
list of potential iss field values. At least one should be equal to access tokens iss field.
Must contain a minimum of 1 item
Must contain a maximum of 16 items
value that should be contained in access tokens iss field.
Must be at least 1 character long
Enable use of Proof Key for Code Exchange (rfc7636) (https://tools.ietf.org/html/rfc7636)
Enable use of the accesstoken (the OpenID server should also return a refreshtoken) delivered by the OpenID server to protect ∞Directory and ∞Proxy API calls from client applications (http.session_bearer security scheme). If disabled, tokens delivered by the Directory will be used.
Define which field of id token will be used as user unique id.
oidc : sub of OpenId id
email : user email /!\ an email should not be reused later for another user
azureoid : Azure AD user object id
maximum wait duration per host while trying to establish a connection. Value is in seconds.
Value must be greater than or equal to 2
target database name
Must be at least 1 character long
list of hosts, allowing primary and replica servers to be specified. Connection attempts will respect the list order; to distribute read-only load onto hot standby servers, put them first in the list.
Must contain a minimum of 1 item
Must contain a maximum of 8 items
hostname or ip
Must be at least 1 character long
tcp port
Value must be greater than or equal to 1 and less than or equal to 65535
PostgreSQL database connection login; can be empty if using SSPI or GSS authentication.
Must be at least 0 characters long
PostgreSQL database connection password; can be empty if using SSPI or GSS authentication.
Must be at least 0 characters long
file path to client PEM certificate
Must be at least 1 character long
file path to client PEM private key
Must be at least 1 character long
private key password if any
file path to client P12 certificate
Must be at least 1 character long
private key password if any
Disable use of certificate
whether an SSL connection should be used
file path to the rootCA.crt that will be used to verify the server certificate; if empty, the default libpq cert location will be used
if disabled, the server certificate will not be validated