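# The base path of Dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to Dex. If a
# path is provided, Dex's HTTP service will listen at a non-root URL.
#
# NOTE: this example uses plain HTTP on the loopback address, which suits
# local testing only. For anything reachable over a network, use an https://
# issuer and enable the web.https / tlsCert / tlsKey settings further down,
# so tokens and credentials are not sent in clear text.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where Dex stores its state.
# Supported options include:
#   - SQL flavors
#   - key-value stores (eg. etcd)
#   - Kubernetes Custom Resources
#
# See the documentation (https://dexidp.io/docs/storage/) for further information.
#
# NOTE: the memory backend keeps state inside the Dex process, so it is lost
# on restart; it is meant for testing rather than real deployments.
# NOTE: the user/password values in the SQL examples are documentation
# placeholders. ssl mode "false" (MySQL) and disable (Postgres) leave the
# database connection unencrypted; choose a certificate-verifying TLS mode
# when the database is not on the same host.
storage:
  type: memory

  # type: sqlite3
  # config:
  #   file: /var/dex/dex.db

  # type: mysql
  # config:
  #   host: 127.0.0.1
  #   port: 3306
  #   database: dex
  #   user: mysql
  #   password: mysql
  #   ssl:
  #     mode: "false"

  # type: postgres
  # config:
  #   host: 127.0.0.1
  #   port: 5432
  #   database: dex
  #   user: postgres
  #   password: postgres
  #   ssl:
  #     mode: disable

  # type: etcd
  # config:
  #   endpoints:
  #     - http://127.0.0.1:2379
  #   namespace: dex/

  # type: kubernetes
  # config:
  #   kubeConfigFile: $HOME/.kube/config

# HTTP service configuration
web:
  http: 127.0.0.1:5556

  # Uncomment to enable HTTPS endpoint.
  # https: 127.0.0.1:5554
  # tlsCert: /etc/dex/tls.crt
  # tlsKey: /etc/dex/tls.key
  # Quoted so YAML keeps the versions as strings rather than floats.
  # tlsMinVersion: "1.2"
  # tlsMaxVersion: "1.3"

# Dex UI configuration
# frontend:
#   issuer: dex
#   logoURL: theme/logo.png
#   dir: ""
#   theme: light

# Telemetry configuration
# telemetry:
#   http: 127.0.0.1:5558

# logger:
#   level: "debug"
#   format: "text" # can also be "json"
#   # Drop these attribute keys from all log output (useful for GDPR/PII suppression).
#   # excludeFields: [email, username, preferred_username, groups]

# gRPC API configuration
# Uncomment this block to enable the gRPC API.
# See the documentation (https://dexidp.io/docs/api/) for further information.
#
# NOTE: as this file states elsewhere, clients and passwords can be added
# through the gRPC API, so treat it as an administrative interface: keep it on
# a loopback or otherwise restricted address and keep tlsClientCA set so that
# callers must present a client certificate. The certificate paths below look
# like repository example files; replace them with your own key material.
# grpc:
#   addr: 127.0.0.1:5557
#   tlsCert: examples/grpc-client/server.crt
#   tlsKey: examples/grpc-client/server.key
#   tlsClientCA: examples/grpc-client/ca.crt

# Expiration configuration for tokens, signing keys, etc.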
# expiry:
#   deviceRequests: "5m"
#   signingKeys: "6h"
#   idTokens: "24h"
#   refreshTokens:
#     disableRotation: false
#     reuseInterval: "3s"
#     validIfNotUsedFor: "2160h" # 90 days
#     absoluteLifetime: "3960h" # 165 days

# OAuth2 configuration
# oauth2:
#   # use ["code", "token", "id_token"] to enable implicit flow for web-only clients
#   # NOTE: the implicit flow returns tokens in the redirect URL, where they can
#   # end up in browser history and logs; keeping only "code" avoids that.
#   responseTypes: [ "code" ] # also allowed are "token" and "id_token"
#
#   # By default, Dex will ask for approval to share data with the application
#   # (approval for sharing data from the connected IdP to Dex is a separate
#   # process on the IdP)
#   skipApprovalScreen: false
#
#   # If only one authentication method is enabled, the default behavior is to
#   # go directly to it. For connected IdPs, this redirects the browser away
#   # from the application to the upstream provider, such as the Google login page
#   alwaysShowLoginScreen: false
#
#   # Uncomment to use a specific connector for password grants
#   # NOTE: with password grants the client application handles the user's
#   # password directly; enable this only for clients you fully trust.
#   passwordConnector: local
#
#   # PKCE (Proof Key for Code Exchange) configuration
#   pkce:
#     # If true, PKCE is required for all authorization code flows (OAuth 2.1).
#     enforce: false
#     # Supported code challenge methods. Defaults to ["S256", "plain"].
#     # NOTE: with "plain" the challenge is the verifier itself, so anyone who
#     # sees the authorization request can redeem the code; list only "S256"
#     # unless a client cannot compute SHA-256.
#     codeChallengeMethodsSupported: ["S256", "plain"]

# Static clients registered in Dex by default.
#
# Alternatively, clients may be added through the gRPC API.
#
# NOTE: the secret in the first example is a published sample value; replace
# it before use, or supply it via secretEnv so it stays out of this file.
# staticClients:
#   - id: example-app
#     redirectURIs:
#       - 'http://127.0.0.1:5555/callback'
#     name: 'Example App'
#     secret: ZXhhbXBsZS1hcHAtc2VjcmV0
#
#   # Example using environment variables
#   # These fields are mutually exclusive with id and secret respectively.
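#   - idEnv: DEX_CLIENT_ID
#     secretEnv: DEX_CLIENT_SECRET
#     redirectURIs:
#       - 'https://app.example.com/callback'
#     name: 'Production App'
#
#   # Example of a public client (no secret required)
#   # NOTE: a public client cannot authenticate itself, so keep its redirect
#   # URIs as narrow as possible.
#   - id: example-device-client
#     redirectURIs:
#       - /device/callback
#     name: 'Static Client for Device Flow'
#     public: true
#
#   # Example of a client restricted to specific connectors
#   # NOTE: the secret below is a placeholder; replace it with a randomly
#   # generated value (or use secretEnv) before use.
#   - id: restricted-client
#     secret: restricted-client-secret
#     redirectURIs:
#       - 'https://app.example.com/callback'
#     name: 'Restricted Client'
#     allowedConnectors:
#       - github
#       - google

# Connectors are used to authenticate users against upstream identity providers.
#
# See the documentation (https://dexidp.io/docs/connectors/) for further information.
# connectors: []

# Enable the password database.
#
# It's a "virtual" connector (identity provider) that stores
# login credentials in Dex's store.
#
# NOTE: when every user signs in through an upstream connector, setting this
# to false means Dex holds no local credentials of its own.
enablePasswordDB: true

# If this option isn't chosen users may be added through the gRPC API.
# A static list of passwords for the password connector.
#
# Alternatively, passwords may be added/updated through the gRPC API.
#
# NOTE: the hash value below is a truncated placeholder, not a usable bcrypt
# hash. Generate a hash of a strong, non-default password for each user and do
# not reuse the sample string "password".
# staticPasswords:
#   - email: "user@example.com"
#     # bcrypt hash of the string "password"
#     hash: "$2a$10$examplehash..."
#     username: "user-login"
#     # Optional. Maps to OIDC "name" claim. Defaults to username.
#     name: "User Full Name"
#     # Optional. Maps to OIDC "email_verified" claim. Defaults to true.
#     emailVerified: true
#     # Optional. Maps to OIDC "preferred_username" claim.
#     preferredUsername: "user-public"
#     # Optional. Maps to OIDC "groups" claim (when 'groups' scope is requested).
#     groups:
#       - "team-a"
#       - "team-a/admins"
#     userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"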