Identity management
LDAP setup (optional)
You can use LDAP to authenticate to Step by uncommenting the following properties in step.properties:
# Authenticator configuration - example for LDAP
ui.authenticator=step.core.access.LdapAuthenticator
# url of your LDAP server
ui.authenticator.ldap.url=<url>
# root named context for searching for users
ui.authenticator.ldap.base=dc=<>,dc=<>
# search filter - {user} will be replaced with the username
ui.authenticator.ldap.filter=(cn={user})
# user used for connecting to the LDAP server
ui.authenticator.ldap.techuser=cn=<>,dc=<>,dc=<>
ui.authenticator.ldap.techpwd=<PWD>
# Use following flag to manage users from LDAP (authenticated user will be created automatically in Step)
#ui.authenticator.as.user.manager=true
# Define which default role is used to create users
ui.authenticator.user.creation.default.role=guest
OpenID Connect setup (optional)
You can integrate with your OpenID Connect Identity Provider by adding the following configuration to your step.properties. Depending on the configuration used, you may delegate user and role management to the Identity Provider.
Note: make sure the properties below are not set elsewhere.
# The following is used by different plugins (oidc, notification, alm, etc) to define the URL under which the controller is reachable
controller.url=http://localhost:8080
# Authenticator configuration - example for OIDC
ui.authenticator=step.core.access.OidcAuthenticator
# Use following flag to manage users from OIDC (authenticated user will be created automatically in Step)
ui.authenticator.as.user.manager=true
# Define which default role is used to create users (when ui.authenticator.as.role.manager=false)
ui.authenticator.user.creation.default.role=guest
# Define the json path to extract the username from the JWT token (default preferred_username)
# authenticator.jwt.oidc.user-claim-name=preferred_username
# Define the source to extract the user name, one of access_token, id_token, userinfo (default access_token)
# authenticator.jwt.oidc.user-claim-name.source=id_token
# Use following flag to manage roles from OIDC (extracted role will be assigned to the user in Step)
ui.authenticator.as.role.manager=true
# Define the source to extract the role, one of access_token, id_token, userinfo (default access_token)
# authenticator.jwt.oidc.roles.source=access_token
# List of json path to extract the role and map them to Step's roles
authenticator.jwt.oidc.roles.jsonpath.admin=$.resource_access.step-local.roles[?(@ =~ /admin/)]
authenticator.jwt.oidc.roles.jsonpath.developer=$.resource_access.step-local.roles[?(@ =~ /developer/)]
authenticator.jwt.oidc.roles.jsonpath.tester=$.resource_access.step-local.roles[?(@ =~ /tester/)]
authenticator.jwt.oidc.roles.jsonpath.guest=$.resource_access.step-local.roles[?(@ =~ /guest/)]
# Ordering (priority of roles) is required in case the user was assigned multiple Step roles in the IDM.
# From left to right: lowest to highest priority (roles not listed here have the lowest priority)
authenticator.jwt.oidc.roles.order=guest,tester,developer,admin
# Open Id Connect configurations
authenticator.oidc.client_id=<your-client-id>
authenticator.oidc.client_secret=<your-client-secret>
# Define your Oidc issuer path, the well-known endpoint must be available at <your-issuer-path>/.well-known/openid-configuration
authenticator.oidc.issuer=<your-issuer-path>
# Define the length of the state query parameter (default 12, 0 to not send this parameter)
#authenticator.oidc.state.length=12
authenticator.oidc.scope=openid email profile
# turn off if you don't want or cannot validate the audience during the access token validation (default true)
authenticator.jwt.oidc.audience.check=true
authenticator.jwt.oidc.audience=<audience-name>
# turn off if you don't want or cannot validate the issuer provided in the JWT tokens (for instance if the one in id_token is different from the specified one in authenticator.oidc.issuer)
#authenticator.jwt.oidc.issuer.check=false
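As an added illustration (not Step's own code), the following Python snippet applies the `authenticator.jwt.oidc.roles.jsonpath.*` mappings and the `authenticator.jwt.oidc.roles.order` priority list from the configuration above to a constructed, already-decoded token payload, so you can see which Step role a given set of claims would yield. The Keycloak-style `resource_access` layout of the payload, the whole-value semantics of `=~`, and the handling of tokens that map to no role are assumptions of this example.

```python
import re
from typing import List, Optional

# Constructed, already-decoded token payload in the Keycloak-style
# resource_access layout the jsonpath expressions above expect. Not a real token.
CLAIMS = {
    "preferred_username": "jdoe",
    "resource_access": {
        "step-local": {"roles": ["tester", "developer"]},
        "other-app": {"roles": ["admin"]},  # admin for another client, not for Step
    },
}

# Mappings and priority order copied from the step.properties snippet above.
ROLE_JSONPATH = {
    "admin": "$.resource_access.step-local.roles[?(@ =~ /admin/)]",
    "developer": "$.resource_access.step-local.roles[?(@ =~ /developer/)]",
    "tester": "$.resource_access.step-local.roles[?(@ =~ /tester/)]",
    "guest": "$.resource_access.step-local.roles[?(@ =~ /guest/)]",
}
ROLE_ORDER = ["guest", "tester", "developer", "admin"]  # lowest -> highest priority

# Only the restricted form used above is supported: "$.a.b.c[?(@ =~ /regex/)]".
_PATH_RE = re.compile(r"^\$((?:\.[\w-]+)+)\[\?\(@ =~ /(.+)/\)\]$")


def eval_role_path(expr: str, claims: dict) -> List[str]:
    """Return the values of the addressed array that satisfy the regex filter."""
    m = _PATH_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported jsonpath form: {expr}")
    node = claims
    for key in m.group(1).split(".")[1:]:  # drop the empty segment before the first dot
        if not isinstance(node, dict) or key not in node:
            return []  # claim absent from this token: simply no match
        node = node[key]
    if not isinstance(node, list):
        return []
    # Assumption: "=~" must match the whole value; verify this against the jsonpath
    # implementation in use before relying on unanchored patterns such as /admin/.
    regex = re.compile(m.group(2))
    return [v for v in node if isinstance(v, str) and regex.fullmatch(v)]


def resolve_step_role(claims: dict) -> Optional[str]:
    """Pick the single Step role a token grants, using the configured priority order."""
    matched = [role for role, expr in ROLE_JSONPATH.items() if eval_role_path(expr, claims)]
    if not matched:
        return None  # nothing mapped; how Step treats this case is not covered here
    # Roles missing from ROLE_ORDER rank below every listed role, as the comment above says.
    return max(matched, key=lambda r: ROLE_ORDER.index(r) if r in ROLE_ORDER else -1)
```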
Debug OpenID errors
For security reasons, no detailed error message is returned to the client; a system administrator may instead enable the following debug logging (which includes the received JWT tokens, so treat the log output as sensitive):
<logger name="step.core.access" level="debug" />
See how to change the log verbosity