provider = "oidc"
oidc_issuer_url = "http://dex.auth.svc.cluster.local:5556/dex"
scope = "profile email groups openid"
email_domains = [ "*" ]

# serve a static HTTP 200 upstream on for authentication success
# we are using oauth2-proxy as an ExtAuthz to "check" each request, not pass it on
upstreams = [ "static://200" ]

# skip authentication for these paths
skip_auth_routes = [
  "^/dex/",
]

# requests to paths matching these regex patterns will receive a 401 Unauthorized response
# when not authenticated, instead of being redirected to the login page with a 302,
# this prevents background requests being redirected to the login page,
# and the accumulation of CSRF cookies
api_routes = [
  # Generic
  # NOTE: included because most background requests contain these paths
  "/api/",
  "/apis/",

  # Kubeflow Pipelines
  # NOTE: included because KFP UI makes MANY background requests to these paths but because they are
  #       not `application/json` requests, oauth2-proxy will redirect them to the login page
  "^/ml_metadata",
]

# OIDC Discovery has to be skipped and login url has to be provided directly
# in order to enable relative auth redirect. Using OIDC Discovery would set
# the redirect location to http://dex.auth.svc.cluster.local:5556 in the example
# installation. This address is usually not available through the Web Browser.
# If you have a setup where dex has it's url as other than the in-cluster
# service, this is optional.
skip_oidc_discovery = true
login_url = "/dex/auth"
redeem_url = "http://dex.auth.svc.cluster.local:5556/dex/token"
oidc_jwks_url = "http://dex.auth.svc.cluster.local:5556/dex/keys"

# if `false`, a sign-in page is displayed before starting the login flow
# prevents background requests starting their own login flow on token expiry,
# which can lead to many CSRF cookies, potentially exceeding the cookie limit
skip_provider_button = false

# style the sign-in page
provider_display_name = "Dex"
custom_sign_in_logo = "/custom-theme/kubeflow-logo.svg"
banner = "-"
footer = "-"

# oauth2-proxy sends "force" by default, which causes dex to always prompt for login
# https://github.com/dexidp/dex/pull/3086
prompt = "none"

# set Authorization Bearer response header. This is needed in order to
# forward the Authorization Bearer token to Istio and enable authorization
# based on JWT.
set_authorization_header = true

# set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and
# X-Auth-Request-Preferred-Username. This is optional for Kubeflow but you
# may have other services that use standard auth headers.
set_xauthrequest = true

cookie_name = "oauth2_proxy_kubeflow"

# Dex default cookie expiration is 24h.
# If set to 168h (default oauth2-proxy), Istio will not be able to use the JWT after 24h,
# but oauth2-proxy will still consider the cookie valid.
# It's possible to configure the JWT Refresh Token to enable longer login session.
cookie_expire = "24h"
cookie_refresh = 0

code_challenge_method = "S256"

redirect_url = "/oauth2/callback"
relative_redirect_url = true