diff --git a/light-graphql-4j/src/main/resources/templates/graphql/clientYml.rocker.raw b/light-graphql-4j/src/main/resources/templates/graphql/clientYml.rocker.raw index 6cd378ecd..642f868fd 100644 --- a/light-graphql-4j/src/main/resources/templates/graphql/clientYml.rocker.raw +++ b/light-graphql-4j/src/main/resources/templates/graphql/clientYml.rocker.raw @@ -4,9 +4,9 @@ tls: # if the server is using self-signed certificate, this need to be false. If true, you have to use CA signed certificate # or load truststore that contains the self-signed cretificate. - verifyHostname: true + verifyHostname: ${client.verifyHostname:true} # The default trustedNames group used to created default SSL context. This is used to create Http2Client.SSL if set. - defaultGroupKey: trustedNames.local + defaultGroupKey: ${client.defaultGroupKey:trustedNames.local} # trusted hostnames, service names, service Ids, and so on. # Note: localhost and 127.0.0.1 are not trustable hostname/ip in general. So, these values should not be used as trusted names in production. trustedNames: @@ -14,48 +14,48 @@ tls: negativeTest: invalidhost empty: # trust store contains certifictes that server needs. Enable if tls is used. - loadTrustStore: true + loadTrustStore: ${client.loadTrustStore:true} # trust store location can be specified here or system properties javax.net.ssl.trustStore and password javax.net.ssl.trustStorePassword - trustStore: client.truststore + trustStore: ${client.trustStore:client.truststore} # trust store password - trustStorePass: password + trustStorePass: ${client.trustStorePass:password} # key store contains client key and it should be loaded if two-way ssl is uesed. - loadKeyStore: false + loadKeyStore: ${client.loadKeyStore:false} # key store location - keyStore: client.keystore + keyStore: ${client.keyStore:client.keystore} # key store password - keyStorePass: password + keyStorePass: ${client.keyStorePass:password} # private key password - keyPass: password + keyPass: ${client.keyPass:password} # settings for OAuth2 server communication oauth: # OAuth 2.0 token endpoint configuration token: cache: #capacity of caching TOKENs - capacity: 200 + capacity: ${client.tokenCacheCapacity:200} # The scope token will be renewed automatically 1 minutes before expiry - tokenRenewBeforeExpired: 60000 + tokenRenewBeforeExpired: ${client.tokenRenewBeforeExpired:60000} # if scope token is expired, we need short delay so that we can retry faster. - expiredRefreshRetryDelay: 2000 + expiredRefreshRetryDelay: ${client.expiredRefreshRetryDelay:2000} # if scope token is not expired but in renew windown, we need slow retry delay. - earlyRefreshRetryDelay: 4000 + earlyRefreshRetryDelay: ${client.earlyRefreshRetryDelay:4000} # token server url. The default port number for token service is 6882. - server_url: https://localhost:6882 + server_url: ${client.tokenServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.tokenServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenEnableHttp2:true} # the following section defines uri and parameters for authorization code grant type authorization_code: # token endpoint for authorization code grant - uri: "/oauth2/token" + uri: ${client.tokenAcUri:"/oauth2/token"} # client_id for authorization code grant flow. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenAcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for authorization code grant flow. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenAcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the web server uri that will receive the redirected authorization code - redirect_uri: https://localhost:8080/authorization_code + redirect_uri: ${client.tokenAcRedirectUri:https://localhost:8080/authorization_code} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -63,22 +63,22 @@ oauth: # the following section defines uri and parameters for client credentials grant type client_credentials: # token endpoint for client credentials grant - uri: "/oauth2/token" + uri: ${client.tokenCcUri:"/oauth2/token"} # client_id for client credentials grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenCcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for client credentials grant flow. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenCcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r - petstore.w refresh_token: # token endpoint for refresh token grant - uri: "/oauth2/token" + uri: ${client.tokenRtUri:"/oauth2/token"} # client_id for refresh token grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenRtClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for refresh token - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenRtClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -86,66 +86,68 @@ oauth: # light-oauth2 key distribution endpoint configuration for token verification key: # key distribution server url for token verification. It will be used if it is configured. - server_url: https://localhost:6886 + server_url: ${client.tokenKeyServerUrl:https://localhost:6886} # key serviceId for key distribution service, it will be used if above server_url is not configured. - serviceId: com.networknt.oauth2-key-1.0.0 + serviceId: ${client.tokenKeyServiceId:com.networknt.oauth2-key-1.0.0} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.tokenKeyUri:"/oauth2/key"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret used to access the key distribution service. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenKeyEnableHttp2:true} # sign endpoint configuration sign: # token server url. The default port number for token service is 6882. If this url exists, it will be used. - server_url: https://localhost:6882 + server_url: ${client.signServerUrl:https://localhost:6882} # token serviceId. If server_url doesn't exist, the serviceId will be used to lookup the token service. - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.signServiceId:com.networknt.oauth2-token-1.0.0} # signing endpoint for the sign request - uri: "/oauth2/token" + uri: ${client.signUri:"/oauth2/token"} # timeout in milliseconds - timeout: 2000 + timeout: ${client.signTimeout:2000} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.signEnableHttp2:true} # client_id for client authentication - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.signClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret for client authentication and it can be encrypted here. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.signClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the key distribution sever config for sign. It can be different then token key distribution server. key: # key distribution server url. It will be used to establish connection if it exists. - server_url: https://localhost:6886 + server_url: ${client.signKeyServerUrl:https://localhost:6886} # the unique service id for key distribution service, it will be used to lookup key service if above url doesn't exist. - serviceId: com.networknt.oauth2-key-1.0.0 + serviceId: ${client.signKeyServiceId:com.networknt.oauth2-key-1.0.0} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.signKeyUri:"/oauth2/key"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.signKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret used to access the key distribution service. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.signKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.signKeyEnableHttp2:true} # de-ref by reference token to JWT token. It is separate service as it might be the external OAuth 2.0 provider. deref: # Token service server url, this might be different than the above token server url. The static url will be used if it is configured. - server_url: https://localhost:6882 + server_url: ${client.derefServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider. Need for service lookup/discovery. It will be used if above server_url is not configured. - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.derefServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.derefEnableHttp2:true} # the path for the key distribution endpoint - uri: "/oauth2/deref" + uri: ${client.derefUri:"/oauth2/deref"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.derefClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for deref - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.derefClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # circuit breaker configuration for the client request: # number of timeouts/errors to break the circuit - errorThreshold: 2 + errorThreshold: ${client.errorThreshold:2} # timeout in millisecond to indicate a client error. - timeout: 3000 + timeout: ${client.timeout:3000} # reset the circuit after this timeout in millisecond - resetTimeout: 7000 + resetTimeout: ${client.resetTimeout:7000} + # if open tracing is enable. traceability, correlation and metrics should not be in the chain if opentracing is used. + injectOpenTracing: ${client.injectOpenTracing:false} diff --git a/light-hybrid-4j/src/main/resources/templates/hybrid/clientYml.rocker.raw b/light-hybrid-4j/src/main/resources/templates/hybrid/clientYml.rocker.raw index 6cd378ecd..642f868fd 100644 --- a/light-hybrid-4j/src/main/resources/templates/hybrid/clientYml.rocker.raw +++ b/light-hybrid-4j/src/main/resources/templates/hybrid/clientYml.rocker.raw @@ -4,9 +4,9 @@ tls: # if the server is using self-signed certificate, this need to be false. If true, you have to use CA signed certificate # or load truststore that contains the self-signed cretificate. - verifyHostname: true + verifyHostname: ${client.verifyHostname:true} # The default trustedNames group used to created default SSL context. This is used to create Http2Client.SSL if set. - defaultGroupKey: trustedNames.local + defaultGroupKey: ${client.defaultGroupKey:trustedNames.local} # trusted hostnames, service names, service Ids, and so on. # Note: localhost and 127.0.0.1 are not trustable hostname/ip in general. So, these values should not be used as trusted names in production. trustedNames: @@ -14,48 +14,48 @@ tls: negativeTest: invalidhost empty: # trust store contains certifictes that server needs. Enable if tls is used. - loadTrustStore: true + loadTrustStore: ${client.loadTrustStore:true} # trust store location can be specified here or system properties javax.net.ssl.trustStore and password javax.net.ssl.trustStorePassword - trustStore: client.truststore + trustStore: ${client.trustStore:client.truststore} # trust store password - trustStorePass: password + trustStorePass: ${client.trustStorePass:password} # key store contains client key and it should be loaded if two-way ssl is uesed. - loadKeyStore: false + loadKeyStore: ${client.loadKeyStore:false} # key store location - keyStore: client.keystore + keyStore: ${client.keyStore:client.keystore} # key store password - keyStorePass: password + keyStorePass: ${client.keyStorePass:password} # private key password - keyPass: password + keyPass: ${client.keyPass:password} # settings for OAuth2 server communication oauth: # OAuth 2.0 token endpoint configuration token: cache: #capacity of caching TOKENs - capacity: 200 + capacity: ${client.tokenCacheCapacity:200} # The scope token will be renewed automatically 1 minutes before expiry - tokenRenewBeforeExpired: 60000 + tokenRenewBeforeExpired: ${client.tokenRenewBeforeExpired:60000} # if scope token is expired, we need short delay so that we can retry faster. - expiredRefreshRetryDelay: 2000 + expiredRefreshRetryDelay: ${client.expiredRefreshRetryDelay:2000} # if scope token is not expired but in renew windown, we need slow retry delay. - earlyRefreshRetryDelay: 4000 + earlyRefreshRetryDelay: ${client.earlyRefreshRetryDelay:4000} # token server url. The default port number for token service is 6882. - server_url: https://localhost:6882 + server_url: ${client.tokenServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.tokenServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenEnableHttp2:true} # the following section defines uri and parameters for authorization code grant type authorization_code: # token endpoint for authorization code grant - uri: "/oauth2/token" + uri: ${client.tokenAcUri:"/oauth2/token"} # client_id for authorization code grant flow. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenAcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for authorization code grant flow. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenAcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the web server uri that will receive the redirected authorization code - redirect_uri: https://localhost:8080/authorization_code + redirect_uri: ${client.tokenAcRedirectUri:https://localhost:8080/authorization_code} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -63,22 +63,22 @@ oauth: # the following section defines uri and parameters for client credentials grant type client_credentials: # token endpoint for client credentials grant - uri: "/oauth2/token" + uri: ${client.tokenCcUri:"/oauth2/token"} # client_id for client credentials grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenCcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for client credentials grant flow. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenCcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r - petstore.w refresh_token: # token endpoint for refresh token grant - uri: "/oauth2/token" + uri: ${client.tokenRtUri:"/oauth2/token"} # client_id for refresh token grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenRtClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for refresh token - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenRtClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -86,66 +86,68 @@ oauth: # light-oauth2 key distribution endpoint configuration for token verification key: # key distribution server url for token verification. It will be used if it is configured. - server_url: https://localhost:6886 + server_url: ${client.tokenKeyServerUrl:https://localhost:6886} # key serviceId for key distribution service, it will be used if above server_url is not configured. - serviceId: com.networknt.oauth2-key-1.0.0 + serviceId: ${client.tokenKeyServiceId:com.networknt.oauth2-key-1.0.0} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.tokenKeyUri:"/oauth2/key"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret used to access the key distribution service. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenKeyEnableHttp2:true} # sign endpoint configuration sign: # token server url. The default port number for token service is 6882. If this url exists, it will be used. - server_url: https://localhost:6882 + server_url: ${client.signServerUrl:https://localhost:6882} # token serviceId. If server_url doesn't exist, the serviceId will be used to lookup the token service. - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.signServiceId:com.networknt.oauth2-token-1.0.0} # signing endpoint for the sign request - uri: "/oauth2/token" + uri: ${client.signUri:"/oauth2/token"} # timeout in milliseconds - timeout: 2000 + timeout: ${client.signTimeout:2000} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.signEnableHttp2:true} # client_id for client authentication - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.signClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret for client authentication and it can be encrypted here. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.signClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the key distribution sever config for sign. It can be different then token key distribution server. key: # key distribution server url. It will be used to establish connection if it exists. - server_url: https://localhost:6886 + server_url: ${client.signKeyServerUrl:https://localhost:6886} # the unique service id for key distribution service, it will be used to lookup key service if above url doesn't exist. - serviceId: com.networknt.oauth2-key-1.0.0 + serviceId: ${client.signKeyServiceId:com.networknt.oauth2-key-1.0.0} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.signKeyUri:"/oauth2/key"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.signKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret used to access the key distribution service. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.signKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.signKeyEnableHttp2:true} # de-ref by reference token to JWT token. It is separate service as it might be the external OAuth 2.0 provider. deref: # Token service server url, this might be different than the above token server url. The static url will be used if it is configured. - server_url: https://localhost:6882 + server_url: ${client.derefServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider. Need for service lookup/discovery. It will be used if above server_url is not configured. - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.derefServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.derefEnableHttp2:true} # the path for the key distribution endpoint - uri: "/oauth2/deref" + uri: ${client.derefUri:"/oauth2/deref"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.derefClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for deref - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.derefClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # circuit breaker configuration for the client request: # number of timeouts/errors to break the circuit - errorThreshold: 2 + errorThreshold: ${client.errorThreshold:2} # timeout in millisecond to indicate a client error. - timeout: 3000 + timeout: ${client.timeout:3000} # reset the circuit after this timeout in millisecond - resetTimeout: 7000 + resetTimeout: ${client.resetTimeout:7000} + # if open tracing is enable. traceability, correlation and metrics should not be in the chain if opentracing is used. + injectOpenTracing: ${client.injectOpenTracing:false} diff --git a/light-rest-4j/src/main/resources/templates/rest/clientYml.rocker.raw b/light-rest-4j/src/main/resources/templates/rest/clientYml.rocker.raw index 01e8fc027..642f868fd 100644 --- a/light-rest-4j/src/main/resources/templates/rest/clientYml.rocker.raw +++ b/light-rest-4j/src/main/resources/templates/rest/clientYml.rocker.raw @@ -33,29 +33,29 @@ oauth: token: cache: #capacity of caching TOKENs - capacity: 200 + capacity: ${client.tokenCacheCapacity:200} # The scope token will be renewed automatically 1 minutes before expiry - tokenRenewBeforeExpired: 60000 + tokenRenewBeforeExpired: ${client.tokenRenewBeforeExpired:60000} # if scope token is expired, we need short delay so that we can retry faster. - expiredRefreshRetryDelay: 2000 + expiredRefreshRetryDelay: ${client.expiredRefreshRetryDelay:2000} # if scope token is not expired but in renew windown, we need slow retry delay. - earlyRefreshRetryDelay: 4000 + earlyRefreshRetryDelay: ${client.earlyRefreshRetryDelay:4000} # token server url. The default port number for token service is 6882. - server_url: ${client.server_url:https://localhost:6882} + server_url: ${client.tokenServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.tokenServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenEnableHttp2:true} # the following section defines uri and parameters for authorization code grant type authorization_code: # token endpoint for authorization code grant - uri: "/oauth2/token" + uri: ${client.tokenAcUri:"/oauth2/token"} # client_id for authorization code grant flow. - client_id: ${client.client_id:f7d42348-c647-4efb-a52d-4c5787421e72} + client_id: ${client.tokenAcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for authorization code grant flow. - client_secret: ${client.client_secret:f6h1FTI8Q3-7UScPZDzfXA} + client_secret: ${client.tokenAcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the web server uri that will receive the redirected authorization code - redirect_uri: https://localhost:8080/authorization_code + redirect_uri: ${client.tokenAcRedirectUri:https://localhost:8080/authorization_code} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -63,22 +63,22 @@ oauth: # the following section defines uri and parameters for client credentials grant type client_credentials: # token endpoint for client credentials grant - uri: "/oauth2/token" + uri: ${client.tokenCcUri:"/oauth2/token"} # client_id for client credentials grant flow. client_secret is in secret.yml - client_id: ${client.client_id:f7d42348-c647-4efb-a52d-4c5787421e72} + client_id: ${client.tokenCcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for client credentials grant flow. - client_secret: ${client.client_secret:f6h1FTI8Q3-7UScPZDzfXA} + client_secret: ${client.tokenCcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r - petstore.w refresh_token: # token endpoint for refresh token grant - uri: "/oauth2/token" + uri: ${client.tokenRtUri:"/oauth2/token"} # client_id for refresh token grant flow. client_secret is in secret.yml - client_id: ${client.client_id:f7d42348-c647-4efb-a52d-4c5787421e72} + client_id: ${client.tokenRtClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for refresh token - client_secret: ${client.client_secret:f6h1FTI8Q3-7UScPZDzfXA} + client_secret: ${client.tokenRtClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -86,68 +86,68 @@ oauth: # light-oauth2 key distribution endpoint configuration for token verification key: # key distribution server url for token verification. It will be used if it is configured. - server_url: https://localhost:6886 + server_url: ${client.tokenKeyServerUrl:https://localhost:6886} # key serviceId for key distribution service, it will be used if above server_url is not configured. - serviceId: com.networknt.oauth2-key-1.0.0 + serviceId: ${client.tokenKeyServiceId:com.networknt.oauth2-key-1.0.0} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.tokenKeyUri:"/oauth2/key"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret used to access the key distribution service. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.tokenKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenKeyEnableHttp2:true} # sign endpoint configuration sign: # token server url. The default port number for token service is 6882. If this url exists, it will be used. - server_url: https://localhost:6882 + server_url: ${client.signServerUrl:https://localhost:6882} # token serviceId. If server_url doesn't exist, the serviceId will be used to lookup the token service. - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.signServiceId:com.networknt.oauth2-token-1.0.0} # signing endpoint for the sign request - uri: "/oauth2/token" + uri: ${client.signUri:"/oauth2/token"} # timeout in milliseconds - timeout: 2000 + timeout: ${client.signTimeout:2000} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.signEnableHttp2:true} # client_id for client authentication - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.signClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret for client authentication and it can be encrypted here. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.signClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the key distribution sever config for sign. It can be different then token key distribution server. key: # key distribution server url. It will be used to establish connection if it exists. - server_url: https://localhost:6886 + server_url: ${client.signKeyServerUrl:https://localhost:6886} # the unique service id for key distribution service, it will be used to lookup key service if above url doesn't exist. - serviceId: com.networknt.oauth2-key-1.0.0 + serviceId: ${client.signKeyServiceId:com.networknt.oauth2-key-1.0.0} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.signKeyUri:"/oauth2/key"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.signKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client secret used to access the key distribution service. - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.signKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.signKeyEnableHttp2:true} # de-ref by reference token to JWT token. It is separate service as it might be the external OAuth 2.0 provider. deref: # Token service server url, this might be different than the above token server url. The static url will be used if it is configured. - server_url: https://localhost:6882 + server_url: ${client.derefServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider. Need for service lookup/discovery. It will be used if above server_url is not configured. - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.derefServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.derefEnableHttp2:true} # the path for the key distribution endpoint - uri: "/oauth2/deref" + uri: ${client.derefUri:"/oauth2/deref"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.derefClientId:f7d42348-c647-4efb-a52d-4c5787421e72} # client_secret for deref - client_secret: f6h1FTI8Q3-7UScPZDzfXA + client_secret: ${client.derefClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # circuit breaker configuration for the client request: # number of timeouts/errors to break the circuit - errorThreshold: 2 + errorThreshold: ${client.errorThreshold:2} # timeout in millisecond to indicate a client error. - timeout: 3000 + timeout: ${client.timeout:3000} # reset the circuit after this timeout in millisecond - resetTimeout: 7000 + resetTimeout: ${client.resetTimeout:7000} # if open tracing is enable. traceability, correlation and metrics should not be in the chain if opentracing is used. - injectOpenTracing: false + injectOpenTracing: ${client.injectOpenTracing:false} diff --git a/light-rest-4j/src/main/resources/templates/restkotlin/clientYml.rocker.raw b/light-rest-4j/src/main/resources/templates/restkotlin/clientYml.rocker.raw index 3656b1fda..642f868fd 100644 --- a/light-rest-4j/src/main/resources/templates/restkotlin/clientYml.rocker.raw +++ b/light-rest-4j/src/main/resources/templates/restkotlin/clientYml.rocker.raw @@ -4,39 +4,58 @@ tls: # if the server is using self-signed certificate, this need to be false. If true, you have to use CA signed certificate # or load truststore that contains the self-signed cretificate. - verifyHostname: true + verifyHostname: ${client.verifyHostname:true} + # The default trustedNames group used to created default SSL context. This is used to create Http2Client.SSL if set. + defaultGroupKey: ${client.defaultGroupKey:trustedNames.local} + # trusted hostnames, service names, service Ids, and so on. + # Note: localhost and 127.0.0.1 are not trustable hostname/ip in general. So, these values should not be used as trusted names in production. + trustedNames: + local: localhost + negativeTest: invalidhost + empty: # trust store contains certifictes that server needs. Enable if tls is used. - loadTrustStore: true + loadTrustStore: ${client.loadTrustStore:true} # trust store location can be specified here or system properties javax.net.ssl.trustStore and password javax.net.ssl.trustStorePassword - trustStore: client.truststore + trustStore: ${client.trustStore:client.truststore} + # trust store password + trustStorePass: ${client.trustStorePass:password} # key store contains client key and it should be loaded if two-way ssl is uesed. - loadKeyStore: false + loadKeyStore: ${client.loadKeyStore:false} # key store location - keyStore: client.keystore + keyStore: ${client.keyStore:client.keystore} + # key store password + keyStorePass: ${client.keyStorePass:password} + # private key password + keyPass: ${client.keyPass:password} # settings for OAuth2 server communication oauth: # OAuth 2.0 token endpoint configuration token: + cache: + #capacity of caching TOKENs + capacity: ${client.tokenCacheCapacity:200} # The scope token will be renewed automatically 1 minutes before expiry - tokenRenewBeforeExpired: 60000 + tokenRenewBeforeExpired: ${client.tokenRenewBeforeExpired:60000} # if scope token is expired, we need short delay so that we can retry faster. - expiredRefreshRetryDelay: 2000 + expiredRefreshRetryDelay: ${client.expiredRefreshRetryDelay:2000} # if scope token is not expired but in renew windown, we need slow retry delay. - earlyRefreshRetryDelay: 4000 + earlyRefreshRetryDelay: ${client.earlyRefreshRetryDelay:4000} # token server url. The default port number for token service is 6882. - server_url: https://localhost:6882 + server_url: ${client.tokenServerUrl:https://localhost:6882} # token service unique id for OAuth 2.0 provider - serviceId: com.networknt.oauth2-token-1.0.0 + serviceId: ${client.tokenServiceId:com.networknt.oauth2-token-1.0.0} # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + enableHttp2: ${client.tokenEnableHttp2:true} # the following section defines uri and parameters for authorization code grant type authorization_code: # token endpoint for authorization code grant - uri: "/oauth2/token" - # client_id for authorization code grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + uri: ${client.tokenAcUri:"/oauth2/token"} + # client_id for authorization code grant flow. + client_id: ${client.tokenAcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client_secret for authorization code grant flow. + client_secret: ${client.tokenAcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # the web server uri that will receive the redirected authorization code - redirect_uri: https://localhost:8080/authorization_code + redirect_uri: ${client.tokenAcRedirectUri:https://localhost:8080/authorization_code} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r @@ -44,31 +63,91 @@ oauth: # the following section defines uri and parameters for client credentials grant type client_credentials: # token endpoint for client credentials grant - uri: "/oauth2/token" + uri: ${client.tokenCcUri:"/oauth2/token"} # client_id for client credentials grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenCcClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client_secret for client credentials grant flow. + client_secret: ${client.tokenCcClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r - petstore.w refresh_token: # token endpoint for refresh token grant - uri: "/oauth2/token" + uri: ${client.tokenRtUri:"/oauth2/token"} # client_id for refresh token grant flow. client_secret is in secret.yml - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 + client_id: ${client.tokenRtClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client_secret for refresh token + client_secret: ${client.tokenRtClientSecret:f6h1FTI8Q3-7UScPZDzfXA} # optional scope, default scope in the client registration will be used if not defined. scope: - petstore.r - petstore.w - # light-oauth2 key distribution endpoint configuration - key: - # key distribution server url - server_url: https://localhost:6886 - # the unique service id for key distribution service - serviceId: com.networknt.oauth2-key-1.0.0 + # light-oauth2 key distribution endpoint configuration for token verification + key: + # key distribution server url for token verification. It will be used if it is configured. + server_url: ${client.tokenKeyServerUrl:https://localhost:6886} + # key serviceId for key distribution service, it will be used if above server_url is not configured. + serviceId: ${client.tokenKeyServiceId:com.networknt.oauth2-key-1.0.0} + # the path for the key distribution endpoint + uri: ${client.tokenKeyUri:"/oauth2/key"} + # client_id used to access key distribution service. It can be the same client_id with token service or not. + client_id: ${client.tokenKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client secret used to access the key distribution service. + client_secret: ${client.tokenKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} + # set to true if the oauth2 provider supports HTTP/2 + enableHttp2: ${client.tokenKeyEnableHttp2:true} + # sign endpoint configuration + sign: + # token server url. The default port number for token service is 6882. If this url exists, it will be used. + server_url: ${client.signServerUrl:https://localhost:6882} + # token serviceId. If server_url doesn't exist, the serviceId will be used to lookup the token service. + serviceId: ${client.signServiceId:com.networknt.oauth2-token-1.0.0} + # signing endpoint for the sign request + uri: ${client.signUri:"/oauth2/token"} + # timeout in milliseconds + timeout: ${client.signTimeout:2000} + # set to true if the oauth2 provider supports HTTP/2 + enableHttp2: ${client.signEnableHttp2:true} + # client_id for client authentication + client_id: ${client.signClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client secret for client authentication and it can be encrypted here. + client_secret: ${client.signClientSecret:f6h1FTI8Q3-7UScPZDzfXA} + # the key distribution sever config for sign. It can be different then token key distribution server. + key: + # key distribution server url. It will be used to establish connection if it exists. + server_url: ${client.signKeyServerUrl:https://localhost:6886} + # the unique service id for key distribution service, it will be used to lookup key service if above url doesn't exist. + serviceId: ${client.signKeyServiceId:com.networknt.oauth2-key-1.0.0} + # the path for the key distribution endpoint + uri: ${client.signKeyUri:"/oauth2/key"} + # client_id used to access key distribution service. It can be the same client_id with token service or not. + client_id: ${client.signKeyClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client secret used to access the key distribution service. + client_secret: ${client.signKeyClientSecret:f6h1FTI8Q3-7UScPZDzfXA} + # set to true if the oauth2 provider supports HTTP/2 + enableHttp2: ${client.signKeyEnableHttp2:true} + # de-ref by reference token to JWT token. It is separate service as it might be the external OAuth 2.0 provider. + deref: + # Token service server url, this might be different than the above token server url. The static url will be used if it is configured. + server_url: ${client.derefServerUrl:https://localhost:6882} + # token service unique id for OAuth 2.0 provider. Need for service lookup/discovery. It will be used if above server_url is not configured. + serviceId: ${client.derefServiceId:com.networknt.oauth2-token-1.0.0} + # set to true if the oauth2 provider supports HTTP/2 + enableHttp2: ${client.derefEnableHttp2:true} # the path for the key distribution endpoint - uri: "/oauth2/key" + uri: ${client.derefUri:"/oauth2/deref"} # client_id used to access key distribution service. It can be the same client_id with token service or not. - client_id: f7d42348-c647-4efb-a52d-4c5787421e72 - # set to true if the oauth2 provider supports HTTP/2 - enableHttp2: true + client_id: ${client.derefClientId:f7d42348-c647-4efb-a52d-4c5787421e72} + # client_secret for deref + client_secret: ${client.derefClientSecret:f6h1FTI8Q3-7UScPZDzfXA} +# circuit breaker configuration for the client +request: + # number of timeouts/errors to break the circuit + errorThreshold: ${client.errorThreshold:2} + # timeout in millisecond to indicate a client error. + timeout: ${client.timeout:3000} + # reset the circuit after this timeout in millisecond + resetTimeout: ${client.resetTimeout:7000} + # if open tracing is enable. traceability, correlation and metrics should not be in the chain if opentracing is used. + injectOpenTracing: ${client.injectOpenTracing:false}