docs: add example config file and update README

Johan Lundberg 2026-02-18 12:54:43 +01:00
parent eeb09321e2
commit 8c91edf137
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
2 changed files with 59 additions and 1 deletions


@ -82,7 +82,9 @@ uv run porchlight initial-admin admin --group admin --group superusers
### Configuration ### Configuration
All settings are read from environment variables with the `OIDC_OP_` prefix: All settings are read from environment variables with the `OIDC_OP_` prefix.
Settings can also be provided via a TOML config file (see below). Environment
variables always take priority over file values.
| Variable | Default | Description | | Variable | Default | Description |
|---|---|---| |---|---|---|
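Review bot: the added sentence "Environment variables always take priority over file values" gives only half of the precedence chain; the full order (environment, then file, then built-in defaults) is only stated at the end of the new "Configuration file" section. Suggest stating it here where the prefix is introduced, e.g. `Environment variables always take priority over file values, which in turn take priority over the built-in defaults.`, so a reader of the table alone is not left guessing what happens when a key is set in neither place.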
@ -93,9 +95,42 @@ All settings are read from environment variables with the `OIDC_OP_` prefix:
| `OIDC_OP_SIGNING_KEY_PATH` | `data/keys` | OIDC signing key storage | | `OIDC_OP_SIGNING_KEY_PATH` | `data/keys` | OIDC signing key storage |
| `OIDC_OP_INVITE_TTL` | `86400` | Magic link expiry in seconds | | `OIDC_OP_INVITE_TTL` | `86400` | Magic link expiry in seconds |
| `OIDC_OP_MANAGE_CLIENT_ID` | `manage-app` | Client ID for the management UI | | `OIDC_OP_MANAGE_CLIENT_ID` | `manage-app` | Client ID for the management UI |
| `OIDC_OP_CONFIG_FILE` | `porchlight.toml` | Path to TOML config file |
Database migrations run automatically on startup. Database migrations run automatically on startup.
### Configuration file
Copy `porchlight.example.toml` to `porchlight.toml` and edit to suit your
deployment. The file supports all the same settings as environment variables
(without the `OIDC_OP_` prefix), plus OIDC client registrations.
```toml
issuer = "https://auth.example.com"
session_secret = "your-random-secret"
[clients.my-webapp]
client_secret = "change-me-to-a-long-random-string"
redirect_uris = ["https://app.example.com/callback"]
response_types = ["code"]
scope = ["openid", "profile", "email"]
token_endpoint_auth_method = "client_secret_basic"
```
Each `[clients.<client-id>]` section registers an OIDC Relying Party on
startup. Only `client_secret` and `redirect_uris` are required; the other
fields have sensible defaults (`response_types = ["code"]`,
`scope = ["openid"]`, `token_endpoint_auth_method = "client_secret_basic"`).
To use a config file at a different path:
```bash
export OIDC_OP_CONFIG_FILE=/etc/porchlight/config.toml
```
If the config file does not exist, it is silently ignored and all settings
fall back to environment variables and defaults.
## Development Setup ## Development Setup
### Prerequisites ### Prerequisites
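Review bot: the closing paragraph documents that a missing config file is "silently ignored", which turns a typo in `OIDC_OP_CONFIG_FILE` or a wrong volume mount into a server that starts on defaults with no client registrations and no hint as to why; suggest at least a startup log line when the file is absent, and an error rather than a fallback when the path was set explicitly instead of left at the default `porchlight.toml`. Since the example in this hunk places `session_secret` and `client_secret` in the file, the "Configuration file" section should also tell operators to keep `porchlight.toml` out of version control and readable only by the service user, and to generate the secrets rather than reuse the placeholder strings.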

porchlight.example.toml Normal file

@ -0,0 +1,23 @@
# Porchlight OIDC Provider Configuration
#
# Copy this file to porchlight.toml and edit to suit your deployment.
# Environment variables (OIDC_OP_*) override values set here.
# To use a different path: export OIDC_OP_CONFIG_FILE=/path/to/config.toml
issuer = "https://auth.example.com"
# debug = false
# session_secret = "generate-a-random-string-here"
# sqlite_path = "data/oidc_op.db"
# signing_key_path = "data/keys"
# invite_ttl = 86400
# Register OIDC Relying Party clients below.
# Each [clients.<client-id>] section defines one client.
# [clients.my-webapp]
# client_secret = "change-me-to-a-long-random-string"
# redirect_uris = ["https://app.example.com/callback"]
# response_types = ["code"]
# scope = ["openid", "profile", "email"]
# token_endpoint_auth_method = "client_secret_basic"
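Review bot: the commented-out client template does not indicate that `client_secret` and `redirect_uris` are the only required fields, which the README change in this same commit states; annotate those two lines (e.g. `# client_secret = "change-me-to-a-long-random-string"   # required`) so someone editing only this file gets the same information. The header comment should also note that the copied `porchlight.toml` will contain `session_secret` and client secrets and must not be committed alongside this example file.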