change docs

campudus · Mar 13, 2024 · 962b3ac · 962b3ac
1 parent ae7e42c
commit 962b3ac
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 31 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,7 +2,8 @@
 conf.json
 conf-*.jsonc
 conf-*.json
-!conf-example.json
+!conf-example.jsonc
+!conf-example-manual-auth.jsonc
 !conf-test-example.json
 !conf-github-ci.json
 !conf-jenkins.json

diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ There are three different auth modes:
 - 2. manual auth with bearer token validation (JWT)
 - 3. automatic keycloak auth discovery (JWT) - preferred
 
-Auth modes 2. and 3. of Tableaux are secured by a JWT based authentication. The JWT (signed with a private key) is verified by the public key of the auth service. In manual auth mode 2. the public key is configured in the conf file (see `./conf-example.json`), in automatic auth mode 3. the public key is discovered via the auth service also configured in the conf file (see `./conf-example-auto-discovery.json`)
+Auth modes 2. and 3. of Tableaux are secured by a JWT based authentication. The JWT (signed with a private key) is verified by the public key of the auth service. In manual auth mode 2. the public key is configured in the conf file (see `./conf-example-manual-auth.jsonc`), in automatic auth mode 3. the public key is discovered via the auth service also configured in the conf file (see `./conf-example.jsonc`)
 
 The auth mode 1. is a legacy mode for testing or for running the service behind a different auth service. In this mode the incoming request is not verified. The user (e.g. for history entries) must be set via cookie `userName`. Legacy mode is activated, if `auth` key in config is missing.
 

diff --git a/conf-example-manual-auth.jsonc b/conf-example-manual-auth.jsonc
@@ -0,0 +1,14 @@
+{
+  // other configurations but auth are documented in conf-example.jsonc
+  "auth": {
+    "realm": "keycloak-realm",
+    "bearer-only": true,
+    "auth-server-url": "http://localhost:9999/auth",
+    "ssl-required": "external",
+    "resource": "grud-backend",
+    "verify-token-audience": true,
+    "use-resource-role-mappings": true,
+    "confidential-port": 0,
+    "issuer": "test"
+  }
+}
diff --git a/conf-example.json b/conf-example.json
diff --git a/conf-example.jsonc b/conf-example.jsonc
@@ -0,0 +1,21 @@
+{
+  "host": "127.0.0.1",
+  "port": 8080,
+  "uploadsDirectory": "uploads/",
+  "workingDirectory": "./",
+  "rolePermissionsPath": "./role-permissions.json",
+  "isPublicFileServer": false, // if true, the file serving endpoint is public, if false, the file serving is protected by the auth server (default: false)
+  "openApiUrl": "https://my.domain.com/api/docs", // override the openapi url, needed for reverse proxy (if not set, the openapi url is generated automatically)
+  "database": {
+    "host": "localhost",
+    "port": 5432,
+    "username": "postgres",
+    "password": "secret",
+    "database": "tableaux"
+  },
+  "auth": {
+    "isAutoDiscovery": true,
+    "resource": "grud-backend",
+    "issuer": "https://<path-to-keycloak>/auth/realms/<realm>"
+  }
+}