Configuration

In this section, the configuration of the SSO bridge is explained. Configuration is used based on a config.yaml file which should be placed in the apps/backend folder. This config.yaml file is loaded when booting the application. The values get type checked, and it gives a clear error message if there is a configuration field missing or provided incorrectly. Next to the config.yaml file, you can also set environment variables. These override the values that are listed in the config.yaml file.

Databases

By default, the development database is sqlite. We use postgres databases for production type instances of the http data planes.

Configuration parameters

Key	Required	Type	Description	Default
DatabaseConfig
db	Yes	DatabaseConfig	Database configuration
db.type	Yes	"sqlite" | "postgres"	Type of database
db.database	Yes	String	Name of the database
db.synchronize		Boolean	Synchronize database schema
db{type=sqlite}	Yes	SQLiteConfig	Database configuration
db{type=sqlite}.type		"sqlite" | "postgres"	Type of database	"sqlite"
db{type=sqlite}.database	Yes	String	Name of the database
db{type=sqlite}.synchronize		Boolean	Synchronize database schema
db{type=postgres}	Yes	PostgresConfig	Database configuration
db{type=postgres}.host	Yes	String	Host of the database
db{type=postgres}.port	Yes	Number	Port of the database
db{type=postgres}.username	Yes	String	Username of the database
db{type=postgres}.password	Yes	String	Password of the database
db{type=postgres}.ssl		Unknown	SSL configuration of the database
db{type=postgres}.type		"sqlite" | "postgres"	Type of database	"postgres"
db{type=postgres}.database	Yes	String	Name of the database
db{type=postgres}.synchronize		Boolean	Synchronize database schema
ServerConfig
server		ServerConfig	Server configuration
server.listen		String	IP address the server listens on	"0.0.0.0"
server.port		Number	Port the server listens on	3000
server.publicDomain		String	Public domain of the server	"localhost"
server.publicAddress		String	Public address of the server	"http://localhost:3000"
server.subPath		String	Sub path of the server
InitClient
initClients		InitClient[]	Initial client configurations
initClients[].clientId	Yes	String	Client ID
initClients[].clientSecret		String	Client secret (required for client_secret_post authentication)
initClients[].tokenEndpointAuthMethod		"client_secret_post" | "private_key_jwt" | "none"	Token endpoint authentication method: client_secret_post, private_key_jwt, or none	"client_secret_post"
initClients[].jwk		Object	Public key in JWK format (required for private_key_jwt authentication)
initClients[].secretName	Yes	String	Kubernetes secret name
initClients[].permissions	Yes	String	Client permissions (can be permission strings or permission set names)
initClients[].grants		String	Client grants types supported	["client_credentials"]
initClients[].name	Yes	String	Client name
initClients[].description	Yes	String	Client description
initClients[].redirectUris	Yes	String	Allowed Client redirect URIs regex
InitUser
initUsers		InitUser[]	Initial user configurations
initUsers[].username	Yes	String	Username
initUsers[].password	Yes	String	Password
initUsers[].email	Yes	String	Email
initUsers[].permissions	Yes	String	User permissions (can be permission strings or permission set names)
initUsers[].grants		String	Grant types supported	["authorization_code","refresh_token"]
initUsers[].require2FA		Boolean	Require two-factor authentication for this user. User will be prompted to set up 2FA on first login.
kubernetesNamespace		String	Kubernetes namespace	"default"
twoFactorIssuerName		String	Issuer name for Two-Factor Authentication (shown in authenticator apps)	"SSO Bridge"
dcqlQueryMap		Unknown	DCQL Query map for OID4VP	{"Administrator":{"credentials":[{"id":"identity_credential","format":"jwt_vc_json","meta":{"type_values":[["VerifiableCredential","HandsonCredential"]]},"claims":[{"id":"email","path":["credentialSubject","email"]},{"id":"role","path":["credentialSubject","role"],"values":["Administrator"]}]}]},"User":{"credentials":[{"id":"identity_credential","format":"jwt_vc_json","meta":{"type_values":[["VerifiableCredential","HandsonCredential"]]},"claims":[{"id":"email","path":["credentialSubject","email"]}]}]}}
AuditModuleConfig
audit		AuditModuleConfig	Audit logging configuration
audit.enabled		Boolean	Enable audit logging	true
audit.minSeverity		"debug" | "info" | "warning" | "error" | "critical"	Minimum severity level to log	"info"
audit.logDenied		Boolean	Always log denied access attempts regardless of action type	true
audit.logDelegated		Boolean	Log delegated access attempts when enabled, while still respecting action-specific success filters	true
audit.logMutations		Boolean	Log successful mutation actions (create, update, delete, manage)	true
audit.logExecute	Yes	Boolean	Log successful execute actions
audit.logReads	Yes	Boolean	Log successful read actions — disabled by default as reads are frequent and rarely relevant for auditing
audit.sensitiveResources		Unknown	Resources that are always logged regardless of action-specific success filters	["w.key","w.credential","sso.user"]
AuditHandlersConfig
audit.handlers		AuditHandlersConfig	Handler configuration
audit.handlers.console	Yes	Boolean	Enable console audit log handler
audit.handlers.database		Boolean	Enable database audit log handler	true
audit.handlers.otlp	Yes	Boolean	Enable OTLP audit log handler
OtlpAuditHandlerConfig
audit.otlp		OtlpAuditHandlerConfig	OTLP audit log handler configuration
audit.otlp.url		String	OTLP HTTP logs endpoint URL	"http://localhost:4318/v1/logs"
audit.otlp.headers		Object	Additional HTTP headers to include in OTLP requests
audit.otlp.timeoutMillis		Unknown	OTLP export timeout in milliseconds	5000
audit.otlp.concurrencyLimit		Unknown	Maximum number of concurrent OTLP export requests	1
audit.otlp.serviceName		String	Service name included on OTLP log attributes	"tsg-dsp-api"
audit.otlp.serviceVersion		String	Optional service version included on OTLP log attributes