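---
# Ory Oathkeeper configuration: proxy and API listeners, the rule source, and
# the authenticator / authorizer / mutator handlers that access rules may use.
# The page had the whole document collapsed onto one line, which does not
# parse as YAML; the nesting below is restored with every value unchanged.

serve:
  proxy:
    port: 4455
  api:
    port: 4456

log:
  level: info
  format: json

errors:
  fallback:
    - json

access_rules:
  repositories:
    # NOTE(review): anyone who can write this file decides which requests are
    # authenticated and authorized. /tmp is commonly world-writable; confirm
    # this path is a dedicated mount that only the rule publisher can write.
    - file:///tmp/oathkeeper/rules.active.json

authenticators:
  # Enabling a handler only makes it available to rules. A rule that selects
  # `noop` performs no authentication, so audit which rules reference it.
  noop:
    enabled: true

  cookie_session:
    enabled: true
    config:
      # NOTE(review): session cookies are forwarded to Kratos over plain HTTP;
      # acceptable only on a trusted internal network, otherwise use TLS.
      check_session_url: http://kratos:4433/sessions/whoami
      # Keep the /sessions/whoami path rather than substituting the path of
      # the incoming request.
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"

  oauth2_introspection:
    enabled: true
    config:
      # NOTE(review): Hydra normally serves token introspection on its admin
      # interface; confirm that port 4444 is correct for this deployment.
      introspection_url: http://hydra:4444/oauth2/introspect
      pre_authorization:
        enabled: true
        # NOTE(review): the `:-` fallbacks mean an unset variable silently
        # resolves to a credential that is published in this file. Prefer
        # failing at startup when the secret is missing, and rotate
        # `oathkeeper-secret` if it was ever registered as a real client.
        client_id: ${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
        client_secret: ${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
        # NOTE(review): the client secret travels to this endpoint over plain
        # HTTP.
        token_url: http://hydra:4444/oauth2/token

  jwt:
    enabled: true
    config:
      # NOTE(review): signing keys are fetched over plain HTTP; whoever can
      # tamper with this response can supply keys that will be trusted.
      jwks_urls:
        - http://hydra:4444/.well-known/jwks.json
      trusted_issuers:
        - http://hydra:4444/
      # NOTE(review): `none` turns off scope validation for this handler, so
      # scopes required by a rule are presumably not enforced. Confirm that
      # this is intended.
      scope_strategy: none

authorizers:
  # A rule that selects `allow` skips authorization entirely. Combined with
  # the `noop` authenticator, that route is open to anonymous requests.
  allow:
    enabled: true

  remote_json:
    enabled: true
    config:
      remote: http://keto:4466/check
      # The request path and the authenticated subject are rendered into a
      # JSON body and sent to Keto for the permission check.
      # NOTE(review): both values are placed inside JSON string literals;
      # verify that the template output is JSON-escaped, and that the path is
      # normalized the same way here and in the upstream service.
      payload: |
        {
          "namespace": "permissions",
          "object": "{{ print .Request.URL.Path }}",
          "relation": "access",
          "subject_id": "{{ print .Subject }}"
        }

mutators:
  noop:
    enabled: true

  id_token:
    enabled: true
    config:
      # NOTE(review): this loopback URL points at the API port configured
      # above (4456) and looks like a development value; confirm that the
      # services verifying these tokens expect this issuer.
      issuer_url: http://127.0.0.1:4456/
      # NOTE(review): this key set holds the private key used to sign ID
      # tokens. Restrict read access to the Oathkeeper process and keep the
      # file out of version control.
      jwks_url: file:///etc/config/oathkeeper/jwks.json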