Configuration
You can customize the behavior of the Token Service application by editing the env section of the Cloud Run configuration file.
The Token Service application supports the following environment variables:
Name | Description | Required | Default | Available since |
---|---|---|---|---|
Basic configuration: These options are required for the application to work. | | | | |
AUTH_FLOWS | A comma-separated list of authentication flows to enable. The following flows are supported: | Required | (None) | 1.0 |
WORKLOAD_IDENITY_PROJECT_NUMBER | The project number of the project that contains the workload identity pool. | Required | (None) | 1.0 |
WORKLOAD_IDENITY_POOL_ID | The workload identity pool ID. | Required | (None) | 1.0 |
WORKLOAD_IDENITY_PROVIDER_ID | The workload identity provider ID. | Required | (None) | 1.0 |
TOKEN_VALIDITY | The duration (in minutes) for which ID tokens remain valid. | Required | 5 | 1.0 |
mTLS configuration: Use these options if you've customized the names of headers used by the load balancer. | | | | |
MTLS_HEADER_CLIENT_ID | The name of the HTTP header that contains the client ID. | Required | X-Client-Cert-Spiffe | 1.0 |
MTLS_HEADER_CLIENT_CERT_PRESENT | The name of the HTTP header that determines whether a certificate was present. | Required | X-Client-Cert-Present | 1.0 |
MTLS_HEADER_CLIENT_CERT_CHAIN_VERIFIED | The name of the HTTP header that determines whether the certificate chain has been verified. | Required | X-Client-Cert-Chain-Verified | 1.0 |
MTLS_HEADER_CLIENT_CERT_ERROR | The name of the HTTP header that contains error information. | Required | X-Client-Cert-Error | 1.0 |
MTLS_HEADER_CLIENT_CERT_SHA256_FINGERPRINT | The name of the HTTP header that contains the SHA-256 certificate fingerprint. | Required | X-Client-Cert-Hash | 1.0 |
MTLS_HEADER_CLIENT_CERT_SPIFFE_ID | The name of the HTTP header that contains the SPIFFE ID. | Required | X-Client-Cert-Spiffe | 1.0 |
MTLS_HEADER_CLIENT_CERT_URI_SANS | The name of the HTTP header that contains URI Subject Alternative Names. | Required | X-Client-Cert-URI-SANs | 1.0 |
MTLS_HEADER_CLIENT_CERT_DNSNAME_SANS | The name of the HTTP header that contains DNS Subject Alternative Names. | Required | X-Client-Cert-DNSName-SANs | 1.0 |
MTLS_HEADER_CLIENT_CERT_SERIAL_NUMBER | The name of the HTTP header that contains the certificate serial number. | Required | X-Client-Cert-Serial-Number | 1.0 |
MTLS_HEADER_CLIENT_CERT_VALID_NOT_BEFORE | The name of the HTTP header that contains the not-before date for the certificate. | Required | X-Client-Cert-Valid-Not-Before | 1.0 |
MTLS_HEADER_CLIENT_CERT_VALID_NOT_AFTER | The name of the HTTP header that contains the not-after date for the certificate. | Required | X-Client-Cert-Valid-Not-After | 1.0 |
Advanced | | | | |
TOKEN_ISSUER | Custom issuer to use in ID tokens. | Required | Determined automatically | 1.0 |
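
A pre-deployment check for the variables listed in the table, as an added example that is not part of the Token Service code base. It assumes `TOKEN_VALIDITY` is a whole number of minutes; `check_env`, the two sample dictionaries and every sample value (including the `AUTH_FLOWS` placeholder) are constructed for illustration.

```python
import os
import re

# Variables the table lists with no default: they must be set explicitly.
NO_DEFAULT = ("AUTH_FLOWS", "WORKLOAD_IDENITY_PROJECT_NUMBER",
              "WORKLOAD_IDENITY_POOL_ID", "WORKLOAD_IDENITY_PROVIDER_ID")
# RFC 9110 "token": the characters allowed in an HTTP header field name.
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
DIGITS = re.compile(r"[0-9]+")


def check_env(env):
    """Return a list of problems found in a dict of environment variables."""
    problems = []
    for name in NO_DEFAULT:
        if not env.get(name, "").strip():
            problems.append(f"{name}: required and has no default")
    number = env.get("WORKLOAD_IDENITY_PROJECT_NUMBER", "").strip()
    if number and not DIGITS.fullmatch(number):
        problems.append("WORKLOAD_IDENITY_PROJECT_NUMBER: expected the numeric "
                        "project number, not a project ID")
    # Assumption: whole minutes; falls back to the documented default of 5.
    validity = env.get("TOKEN_VALIDITY", "5").strip()
    if not DIGITS.fullmatch(validity) or int(validity) < 1:
        problems.append("TOKEN_VALIDITY: expected a positive number of minutes")
    # A header name the load balancer cannot emit means the value is never read.
    for name, value in sorted(env.items()):
        if name.startswith("MTLS_HEADER_") and not HEADER_NAME.fullmatch(value):
            problems.append(f"{name}: {value!r} is not a valid HTTP header name")
    return problems


# Constructed sample values, not taken from a real deployment.
SAMPLE_GOOD = {
    "AUTH_FLOWS": "example-flow",  # placeholder, not a documented flow name
    "WORKLOAD_IDENITY_PROJECT_NUMBER": "123456789012",
    "WORKLOAD_IDENITY_POOL_ID": "example-pool",
    "WORKLOAD_IDENITY_PROVIDER_ID": "example-provider",
    "TOKEN_VALIDITY": "5",
    "MTLS_HEADER_CLIENT_CERT_SPIFFE_ID": "X-Client-Cert-Spiffe",
}
SAMPLE_BAD = dict(SAMPLE_GOOD, AUTH_FLOWS="",
                  WORKLOAD_IDENITY_PROJECT_NUMBER="my-project",
                  TOKEN_VALIDITY="5m",
                  MTLS_HEADER_CLIENT_CERT_SHA256_FINGERPRINT="X-Client-Cert-Hash:")

if __name__ == "__main__":
    for problem in check_env(dict(os.environ)):
        print(problem)
```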