log:
  level: debug
  format: json

tracing:
  provider: otel
  providers:
    otlp:
      server_url: otel-agent:4318
      insecure: true

authenticators:
  jwt:
    enabled: true
    config:
      trusted_issuers:
        - https://firebaseappcheck.googleapis.com/72279297366
      target_audience:
        - projects/72279297366
      jwks_urls:
        - https://firebaseappcheck.googleapis.com/v1beta/jwks
        - file:///home/ory/jwks.json # ONLY FOR DEV, DO NOT USE IN PRODUCTION
      token_from:
        header: Appcheck

  bearer_token:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      preserve_query: true
      subject_from: identity.id
      extra_from: "@this"

  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://hydra:4445/admin/oauth2/introspect
      token_from:
        header: Oauth2-Token

  anonymous:
    enabled: true
    config:
      subject: anon

  cookie_session:
    enabled: true
    config:
      # TODO cluster-internal mTLS
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      subject_from: identity.id
      extra_from: identity.traits

  unauthorized:
    enabled: true

  noop:
    enabled: true

authorizers:
  allow:
    enabled: true

mutators:
  id_token:
    enabled: true
    config:
      jwks_url: file:///home/ory/jwks.json
      issuer_url: "galoy.io"
      claims: '{"sub": "{{ print .Subject }}" }'

  noop:
    enabled: true

  header:
    enabled: true
    config:
      headers:
        X-Appcheck-Jti: "{{ print .Extra.jti }}"

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true

access_rules:
  repositories:
    - file:///home/ory/oathkeeper_rules.yaml
  matching_strategy: regexp