# Authorization Service The Authorization service hosts the [Access Control Resources (ACR)](https://docs.inrupt.com/reference/glossary#access-control-resource) for every ESS Pod resource and is responsible for managing/enforcing the [Access Control Policies (ACP)](https://docs.inrupt.com/security/authorization/acp). ## Authorization Service Endpoint By default, the ESS Authorization Service runs from the following root URL: ```none https://authorization. ``` To change the root Authorization service URL, see [**`INRUPT_AUTHORIZATION_BASE_URL`**](#inrupt_authorization_base_url) ## Authorization Service and Initial ACP Policies When a Pod is created, like any other Pod resource, an ACR is also created for the Pod Root. The ACR is initialized with the default [ACP policies](https://docs.inrupt.com/security/authorization#acp) for the Pod Owner and for Access Grant enablement: * **Initial Pod Owner policies** give the Pod Owner read and write access to the Pod. These policies also specify a client matcher as well if the **Authorization Service’s** configuration for the initial client allow list is set: * [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_default_acr_client_id_allow_list) or if that is unset, * [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) {% tabs %} {% tab title="Allow List is Set" %} {% hint style="info" %} **Note** ESS uses the values in its **Authorization Service’s** [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_default_acr_client_id_allow_list) (at the time of Pod creation) to create the client matcher for the initial ACP policies. If the configuration is unset, ESS uses the values in its **Authorization service’s** [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) (at the time of Pod creation). {% endhint %} Using the value of the Pod owner’s WebID and an initial client allow list, ESS creates the initial policies of the form: ``` If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write). ``` Specifically, ESS creates: **Policy 1 for the Pod Root:**\ If the agent matches the Pod owner’s WebID, and if the client application’s Client ID has a match in the initial client allow list, allow Read and Write access. **Policy 2 for the Pod Root’s Initial Member Policies:**\ If the agent matches the Pod owner’s WebID, and if the client application’s Client ID has a match in the initial client allow list, allow Read and Write access. For more information on a Container’s Member Policies, see [Member Policies](https://docs.inrupt.com/security/authorization/acp#member-policies) {% endtab %} {% tab title="Allow List is Not Set" %} {% hint style="info" %} **Note** ESS uses the values in **Authorization Service’s** [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_default_acr_client_id_allow_list) (at the time of Pod creation) to create the client matcher for the initial policies. If the configuration is unset, ESS uses the values in its **Authorization Service’s** [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) (at the time of Pod creation). {% endhint %} If the initial client allow list is empty (when creating the policy), ESS uses the value of the Pod owner’s WebID to create initial policies of the form: ``` If allOf(AgentMatcher) evaluates to true, Then allow (Read and Write). ``` Specifically, ESS creates: **Policy 1 for the Pod Root:**\ If the agent matches the Pod owner’s WebID, allow Read and Write access. **Policy 2 for the Pod Root’s Initial Member Policies:**\ If the agent matches the Pod owner’s WebID, allow Read and Write access. For more information on a Container’s Member Policies, see [Member Policies](https://docs.inrupt.com/security/authorization/acp#member-policies) {% endtab %} {% endtabs %} {% hint style="warning" %} **Disambiguation** Both Authorization Service and [Pod Storage Service](https://docs.inrupt.com/ess/2.3/services/service-pod-management/service-pod-storage) have a **`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`** setting. Only the Authorization Service setting affects which clients are allowed. The [Pod Storage Service](https://docs.inrupt.com/ess/2.3/services/service-pod-management/service-pod-storage) is for [Discovery](https://docs.inrupt.com/ess/2.3/service-pod-management/service-pod-storage#discovery) purposes only. {% endhint %} * Initial Access Grant Enablement policies allow the use of [Access Grants](https://docs.inrupt.com/security/authorization/access-requests-grants) that grant read/write/append access to the Pod resources.\ \ `If allOf(VC Matcher) evaluates to true, Then allow (Read and Write and Append).`\ \ Specifically, ESS creates:\ \ **Policy 3 for the Pod Root:** If a presented VC matches the specified type, allow its use for **`Read`**, **`Write`**, and **`Append`** access.\ \ **Policy 4 for the Pod Root’s Initial Member Policies**:\ If a presented VC matches the specified type, allow its use for **`Read`**, **`Write`**, and **`Append`** access.\ See also [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_ACCESS_GRANTS_ALLOWED_MODES`**](#inrupt_authorization_default_acr_access_grants_allowed_modes). {% hint style="warning" %} **Important** The policies only enable the use of [Access Grants](https://docs.inrupt.com/security/authorization/access-requests-grants) for the allowed access modes. To determine the access for an agent using an access grant, ESS uses the *intersection* of: * The allowed access specified by the policy, and * The granted access specified in the Access Grant (for the resource specified in the Access Grant). {% endhint %} {% hint style="info" %} **Note**\ A Pod’s initial Policies are set when the Pod is provisioned. As such, updates to the various **`INRUPT_AUTHORIZATION_DEFAULT_ACR_*`** options do not affect existing Pods. That is, once a Pod’s initial policies have been created, changes to the various **`INRUPT_AUTHORIZATION_DEFAULT_ACR_*`** options are not reflected in that Pod’s policies. {% endhint %} ## Configuration As part of the [installation process](https://docs.inrupt.com/ess/2.3/installation), Inrupt provides base Kustomize overlays and associated files that require deployment-specific configuration inputs. The following configuration options are available for the service and may be set as part of [updating the inputs for your deployment](https://docs.inrupt.com/ess/installation#step-1-initialize-the-installation-directory) . The Inrupt-provided base Kustomize overlays may be using updated configuration values that differ from the default values. {% hint style="info" %} **Note**\ Whitespaces are **preserved** when parsing comma-delimited lists (i.e., the parsed string values are not trimmed). For example, when parsed, **`"value1, value2,value3 "`** results in **`"value1"`** , **`" value2"`** , **`"value3 "`** . {% endhint %} ### Required #### INRUPT\_AUTHORIZATION\_BASE\_URL The URI of the Authorization service. #### INRUPT\_AUTHORIZATION\_CLIENT\_ID\_ALLOW\_LIST Default: **`https://podbrowser.inrupt.com/api/app`** Comma-delimited list of [Client IDs](https://docs.inrupt.com/reference/glossary#client-identifier) that determine which applications are allowed to perform read and write operations on the [Access Control Resources](https://github.com/inrupt/docs-gitbook/blob/main/ess/reference/glossary.md#access-control-resource). In addition, the authorization server uses [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) to initialize the [default access policies for a new Pod](https://docs.inrupt.com/ess/2.3/service-pod-management/service-pod-provision#initial-acp-policies) if [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_default_acr_client_id_allow_list) is unset. {% hint style="warning" %} **Important**\ The Authorization Service’s [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) value must be managed with care. Only those applications with a high level of trust should be listed. This value should never be set to an empty list. {% endhint %} See also: * [Set Authorization Client Allow List](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-security/modify-authz-client-list) * [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) configuration for the Pod service. ## Kafka Configuration {% hint style="info" %} **Tip**\ See also [ESS’ Kafka Configuration](https://docs.inrupt.com/ess/2.3/services/appendix/appendix-kafka-configuration) {% endhint %} #### INRUPT\_KAFKA\_AUDITV1EVENTSENCRYPTED\_CIPHER\_PASSWORD The strong cipher key to use when running auditing with encrypted messages over the **`auditv1eventsencrypted`** topic. #### INRUPT\_KAFKA\_AUDITV1EVENTSPRODUCERENCRYPTED\_CIPHER\_PASSWORD The strong cipher key to use when running auditing with encrypted messages over the **`auditv1eventsproducerencrypted`** topic. #### INRUPT\_KAFKA\_SOLIDACCESSCONTROLRESOURCE\_CIPHER\_PASSWORD The symmetric key to use when encrypting messages (see **`MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER`**). {% hint style="danger" %} **Warning**\ Set to a strong password. {% endhint %} #### KAFKA\_BOOTSTRAP\_SERVERS Default : **`localhost:9092`** Comma-delimited list of Kafka broker servers for use by ESS services, including this service. Setting [**`KAFKA_BOOTSTRAP_SERVERS`**](#kafka_bootstrap_servers) configures ESS to use the same Kafka instances for all its Kafka [message channels](https://quarkus.io/guides/kafka#kafka-configuration) (e.g., **`solidresource`** and **`auditv1out`** message channels). This service uses the **`solidaccesscontrolresource`** and **`auditv1out`** message channels. {% hint style="info" %} **Note**\ Inrupt-provided overlays default to using [**`KAFKA_BOOTSTRAP_SERVERS`**](#kafka_bootstrap_servers) . To use different Kafka instances for the **`solidaccesscontrolresource`** and **`auditv1out`** message channels, use specific [message channel](https://quarkus.io/guides/kafka#kafka-configuration) configuration. {% endhint %} #### MP\_MESSAGING\_OUTGOING\_SOLIDACCESSCONTROLRESOURCE\_VALUE\_SERIALIZER Default : **`org.apache.kafka.common.serialization.StringSerializer`** The serializer used for the notification messages the service sends to Kafka. Supported values are: * **`org.apache.kafka.common.serialization.StringSerializer`** When set to this value, notification messages sent to Kafka are unencrypted.\ \ Services that consume these messages will need to set their **`MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER`**\ to the corresponding deserializer value **`org.apache.kafka.common.serialization.StringDeserializer`**. * **`com.inrupt.components.kafka.encryption.EncryptMessageSerializer`** When set to this value, notification messages sent to Kafka are encrypted. Services that consume these encrypted messages will need to set their **`MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER`**\ configuration to the corresponding deserializer value **`com.inrupt.components.kafka.encryption.DecryptMessageDeserializer`**. ### Optional **Configuration Logging** ESS services log their startup configuration. #### INRUPT\_LOGGING\_CONFIGURATION\_PREFIX\_ALLOW Default : inrupt,mp.messaging A comma-separated list of configuration property prefixes (case-sensitive) that determine which configurations are logged: * If the list is empty, **NO** configuration property is logged. * If a configuration property starts with a listed prefix ( **case-sensitive** ), the configuration property and its value are logged **unless** the configuration also matches a prefix in [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) (which acts as a filter on [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) list).\ As such, if the configuration matches prefix in both [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) , the [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) takes precedence and the configuration is not logged. For example, if **`inrupt.`** is an allow prefix, but **`inrupt.kafka.`** is a deny prefix, all configurations that start with **`inrupt.kafka.`** are excluded from the logs. When specifying the prefixes, you can specify the prefixes using one of two formats: * using dot notation (e.g., **`inrupt.foobar.`** ), or * using the [MicroProfile Config environmental variables conversion value](https://quarkus.io/guides/config-reference#environment-variables) (e.g., **`INRUPT_FOOBAR_`** ). {% hint style="warning" %} Warning\ Use the same format for **both** [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) . For example, if you change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) , change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) as well. {% endhint %} {% hint style="info" %} Tip\ To avoid allowing more than desired configurations, specify as much of the prefix as possible. If the prefix specifies the complete prefix term, include the term delineator. For example: * If using dot-notation, if you want to match configuration properties of the form **`foobar....`** , specify **`foobar.`** (including the dot **`.`** ) instead of, for example, **`foo`** or **`foobar`** . * If using converted form, if you want to match configuration properties of the form **`FOOBAR_...`** , specify **`FOOBAR_`** (including the underscore **`_`** ) instead of, for example, **`FOO`** or **`FOOBAR`** . {% endhint %} #### INRUPT\_LOGGING\_CONFIGURATION\_PREFIX\_DENY Default : inrupt.kafka A comma-separated list of configuration name prefixes (case-sensitive) that determines which configurations (that would otherwise match the [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow)) are not logged. That is, [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) acts as a filter on [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) . For example: * If **`foobar.`** is an allowed prefix, to suppress **`foobar.private.`** , you can specify **`foobar.private.`** to the deny list. * If **`foobar.`** is **not** an allowed prefix, no property starting with **`foobar.`** is logged. As such, you do not need to specify **`foobar.private`** to the deny list. When specifying the prefixes, you can specify the prefixes using one of two formats: * using dot notation (e.g., **`inrupt.foobar.`** ), or * using the [MicroProfile Config environmental variables conversion value](https://quarkus.io/guides/config-reference#environment-variables) (e.g., **`INRUPT_FOOBAR_`** ). {% hint style="warning" %} **Warning**\ Use the same format for **both** [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) . For example, if you change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) , change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) as well. {% endhint %} #### INRUPT\_LOGGING\_REDACTION\_NAME\_ACTION Default : **`REPLACE`** Type of the redaction to perform. Supported values are:
ActionDescription
REPLACEDefault. Replaces the matching text with a specified replacement.
PLAINLeaves the matching field unprocessed. Only available if the redaction target is a field (i.e.,INRUPT_LOGGING_REDACTION_{NAME}_FIELD).
DROPSuppresses the matching field. Only available if the redaction target is a field (i.e.,INRUPT_LOGGING_REDACTION_{NAME}_FIELD).
PRIORITIZEChanges the log level of the matching message.
SHA256Replaces the matching text with its hash.
* If the action is **`REPLACE`** ( *default* ), see also **`INRUPT_LOGGING_REDACTION_{NAME}_REPLACEMENT`** . * If the action is to **`PRIORITIZE`** , see also **`INRUPT_LOGGING_REDACTION_{NAME}_LEVEL`** . For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction) #### INRUPT\_LOGGING\_REDACTION\_NAME\_ENABLED Default : **`true`** A boolean that determines whether the redaction configurations with the specified **`INRUPT_LOGGING_REDACTION_{NAME}_`** prefix is enabled. For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction) #### INRUPT\_LOGGING\_REDACTION\_NAME\_EXCEPTION Fully qualified name of the exception class to match in the log messages (includes inner exception). Configure to target an exception message class. For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction) #### INRUPT\_LOGGING\_REDACTION\_NAME\_FIELD Exact name of the field to match in the log messages. Configure to target a specific log message field for redaction. For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction) #### INRUPT\_LOGGING\_REDACTION\_NAME\_PATTERN A regex (see [Java regex pattern](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html#sum)) to match in the log messages. Configure to target log message text that matches a specified pattern. For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction) #### INRUPT\_LOGGING\_REDACTION\_NAME\_REPLACEMENT Replacement text to use if the **`INRUPT_LOGGING_REDACTION_{NAME}_ACTION`** is **`REPLACE`** . If unspecified, defaults to **`REDACTED`** . For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction) ### **Application-Defined Metadata Propagation** #### INRUPT\_AUDIT\_PRODUCER\_REQUEST\_METADATA\_ALLOW A comma-separated list of application-defined properties that can be included in the associated [audit events](https://docs.inrupt.com/ess/2.3/service-auditing#audit-event-message-internal-format) (unless specified in the corresponding [**`INRUPT_AUDIT_PRODUCER_REQUEST_METADATA_DENY`**](#inrupt_audit_producer_request_metadata_deny)). This configuration is **case-sensitive** to the propagated properties in the baggage. {% hint style="info" %} **Tip**\ To include a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match. {% endhint %} See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_AUDIT\_PRODUCER\_REQUEST\_METADATA\_DENY A comma-separated list of application-defined properties to exclude from the associated audit messages. This setting takes precedence over [**`INRUPT_AUDIT_PRODUCER_REQUEST_METADATA_ALLOW`**](#inrupt_audit_producer_request_metadata_allow). This configuration is **case-sensitive** to the propagated properties in the baggage. {% hint style="info" %} **Tip**\ To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match. {% endhint %} See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_LOGGING\_REQUEST\_METADATA\_ALLOW A comma-separated list of application-defined properties that can be included in the associated [log messages](https://docs.inrupt.com/ess/administration/logging#application-defined-metadata) (unless specified in the corresponding [**`INRUPT_LOGGING_REQUEST_METADATA_DENY`**](#inrupt_logging_request_metadata_deny)) . This configuration is **case-sensitive** to the propagated properties in the baggage. {% hint style="info" %} **Tip**\ To include a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match. {% endhint %} See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_LOGGING\_REQUEST\_METADATA\_DENY A comma-separated list of application-defined properties to exclude from the associated log messages. This setting takes precedence over [**`INRUPT_LOGGING_REQUEST_METADATA_ALLOW`**](#inrupt_logging_request_metadata_allow). This configuration is **case-sensitive** to the propagated properties in the baggage. {% hint style="info" %} **Tip**\ To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match. {% endhint %} See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_ALLOW A comma-separated list of non-baggage request headers to add to the [baggage](https://www.w3.org/TR/baggage/) (unless specified in the corresponding [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_DENY`**](#inrupt_request_metadata_propagator_header_deny)); i.e., include these non-baggage request headers as application-defined properties. The configuration is case-insensitive; i.e., the listed headers do **not** need to match the case of the client request headers. For example, a list that includes **`x-correlation-id`** can match **`x-correlation-id`** header, **`X-CoRrElAtIoN-Id`** header, etc. See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_DENY A comma-separated list of non-baggage request headers to exclude from being added to the [baggage](https://www.w3.org/TR/baggage/); i.e., excludes these headers as application-defined properties. This setting takes precedence over [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow). The configuration is case-insensitive; i.e., the listed headers do **not** need to match the case of the client request headers. For example, a list that includes **`x-correlation-id`** can match (and exclude) **`x-correlation-id`** header, **`X-CoRrElAtIoN-Id`** header, etc. See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_OVERRIDES A flag that determines ESS behavior when metadata property is defined both as a header and as a baggage entry: * If **`true`** ESS updates/overrides the baggage entry with the header value. * If **`false`** (the default), ESS keeps the baggage entry. For details, [Duplicate Property Definition](https://docs.inrupt.com/ess/administration/application-defined-metadata#duplicate-property-definition) #### INRUPT\_REQUEST\_METADATA\_REFLECTOR\_HEADER\_ALLOW A comma-separated list of application-defined properties that can return as response headers (unless specified in the corresponding [**`INRUPT_REQUEST_METADATA_REFLECTOR_HEADER_DENY`**](#inrupt_request_metadata_reflector_header_deny)) . This configuration is **case-sensitive** to the propagated properties in the baggage. {% hint style="info" %} **Tip** * To return a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match. * You may need to update **`QUARKUS_HTTP_CORS_EXPOSED_HEADERS`** to extend the list of [CORS-safelisted response headers](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header) . {% endhint %} See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. #### INRUPT\_REQUEST\_METADATA\_REFLECTOR\_HEADER\_DENY A comma-separated list of application-defined properties to exclude from returning as response headers. This setting takes precedence over [**`INRUPT_REQUEST_METADATA_REFLECTOR_HEADER_ALLOW`**](#inrupt_request_metadata_reflector_header_allow). This configuration is **case-sensitive** to the propagated properties in the baggage. {% hint style="info" %} **Tip**\ To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match. {% endhint %} See: * [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure. * [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information. ### Purge Configuration The Authorization service contains user data, and as such it can be purged upon user request. See the [Purger Application documentation](https://docs.inrupt.com/ess/2.3/services/purger-application) for more information about the data being purged. #### INRUPT\_PURGE\_BATCH\_SIZ *Default* : **`100`** The maximum number of access control records that the purge task will purge in each batch. This must be a non-zero, positive integer. {% hint style="info" %} Added in version 2.3.0. {% endhint %} #### INRUPT\_PURGE\_CLEANUP\_TASK\_EVERY *Default* : **`PT5H`** Frequency at which a task goes through stored purge statuses to clear any which are beyond their retention window. {% hint style="info" %} Added in version 2.3.0. {% endhint %} #### INRUPT\_PURGE\_IN\_PROGRESS\_TIMEOUT\_SECONDS *Default* : **`120`** Timeout after which an ongoing purge task is considered stale. Stale tasks are picked up by an ESS background process to be taken to completion. By keeping track of a purge task’s state (active or stale) the service can ensure that a purge which was started will eventually reach completion, even if the system is disrupted whilst the asynchronous purge process is ongoing. {% hint style="info" %} Added in version 2.3.0. {% endhint %} #### INRUPT\_PURGE\_PROCESS\_TASK\_EVERY *Default* : **`PT5M`** Frequency at which an ESS background process goes through ongoing purges to pick up the incomplete stale ones. See [**`INRUPT_PURGE_IN_PROGRESS_TIMEOUT_SECONDS`**](#inrupt_purge_in_progress_timeout_seconds) for additional details. {% hint style="info" %} Added in version 2.3.0. {% endhint %} #### INRUPT\_PURGE\_STATUS\_RETENTION\_WINDOW *Default* : **`P2D`** Duration after which a purge task status will be cleared from storage. The purge task contains some Personally Identifying Data (such as the WebID), so ensuring it is cleared after a purge is required for compliance. {% hint style="info" %} Added in version 2.3.0. {% endhint %} ### General #### INRUPT\_AUTHORIZATION\_DEFAULT\_ACR\_ACCESS\_GRANTS\_ALLOWED\_MODES *Default* : **`read,write,append`** Comma-delimited list of actions allowed when using Access Grants. This configuration is used to initialize the default access policies (specifically, the policy enabling the use of Access Grants) during Pod creation. See also [Enable Access Grant Usage (ACP)](https://docs.inrupt.com/security/authorization/access-requests-grants#enable-access-grant-usage-acp) #### INRUPT\_AUTHORIZATION\_DEFAULT\_ACR\_CLIENT\_ID\_ALLOW\_LIST *Default* : Comma-delimited list of Client IDs used to initialize the default access policies (specifically, the client matchers) during Pod creation. If [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_default_acr_client_id_allow_list) is unset, the service uses the [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) to initialize the policies. {% hint style="warning" %} **Important**\ The option only takes effect during Pod creation. Changes to [**`INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_default_acr_client_id_allow_list) (or [**`INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST`**](#inrupt_authorization_client_id_allow_list) ) has no impact on existing Pods. {% endhint %} To configure, see [Set Initial Pod Clients Allow List](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-security/modify-pod-client-list) #### INRUPT\_AUTHORIZATION\_MAX\_POD\_COUNT *Default* : **`10`** The maximum number of Pods owned by a specific WebID. {% hint style="warning" %} **Important**\ The [**`INRUPT_AUTHORIZATION_MAX_POD_COUNT`**](#inrupt_authorization_max_pod_count) value must equal [Pod Provisioning Services](https://docs.inrupt.com/ess/2.3/services/service-pod-management/service-pod-provision)' [**`INRUPT_STORAGE_MAX_PODS_PER_OWNER`**](https://docs.inrupt.com/ess/2.3/service-pod-management/service-pod-provision#inrupt_storage_max_pods_per_owner) value. When changing the [**`INRUPT_AUTHORIZATION_MAX_POD_COUNT`**](#inrupt_authorization_max_pod_count) value, ensure you also update [**`INRUPT_STORAGE_MAX_PODS_PER_OWNER`**](https://docs.inrupt.com/ess/2.3/service-pod-management/service-pod-provision#inrupt_storage_max_pods_per_owner) to the same value. {% endhint %} #### INRUPT\_JWT\_ALLOWED\_SIGNATURE\_ALGORITHMS *Default* : **`ES256`** , A comma-separated list that specifies the allowed encryption [algorithms](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.1) used to sign ID tokens. #### INRUPT\_JWT\_ISSUER\_ALLOW\_LIST A comma-separated list of trusted Solid-OIDC issuers (i.e., identity providers). * If unset, the service accepts all Solid-OIDC issuers with the exception of those in the [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#inrupt_jwt_issuer_deny_list) * If set, the service accepts only those Solid-OIDC issuers in the list with the following exception: * If an issuer is in both [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#inrupt_jwt_issuer_allow_list) and [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#inrupt_jwt_issuer_deny_list) , the [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#inrupt_jwt_issuer_deny_list) supersedes the [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#inrupt_jwt_issuer_allow_list) and the issuer is not accepted by ESS. See also [**`INRUPT_JWT_ISSUER_DENY_LIST`**](#inrupt_jwt_issuer_deny_list) . #### INRUPT\_JWT\_ISSUER\_DENY\_LIST A comma-separated list of disallowed Solid-OIDC issuers. * If unset, the service accepts all Solid-OIDC issuers unless [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#inrupt_jwt_issuer_allow_list) is set, in which case, the service only accepts those in the [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#inrupt_jwt_issuer_allow_list) . * If set, the service disallows the Solid-OIDC issuers in the list. If [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#inrupt_jwt_issuer_allow_list) is also set, issuers not in the [**`INRUPT_JWT_ISSUER_ALLOW_LIST`**](#inrupt_jwt_issuer_allow_list) are also disallowed. #### QUARKUS\_GRPC\_SERVER\_PORT The gRPC port of the Authorization Server. #### QUARKUS\_GRPC\_SERVER\_SSL\_CERTIFICATE Path to the server TLS/SSL certificate. #### QUARKUS\_GRPC\_SERVER\_SSL\_KEY Path to a server TLS/SSL certificate key file. #### QUARKUS\_GRPC\_SERVER\_SSL\_TRUST\_STORE Trust store file to use. #### QUARKUS\_GRPC\_SERVER\_SSL\_TRUST\_STORE\_PASSWORD Password of the trust store file. #### QUARKUS\_LOG\_LEVEL *Default* : **`INFO`** Logging level. ## Additional Information See also [Quarkus Configuration Options](https://quarkus.io/guides/all-config)