Sessions

required

Under the sessions option, configuration related to session management can be changed.

ttl

integer 3600 optional

The ttl option defines the "time-to-live", i.e. the session lifetime.

config.yaml
sessions:
    ttl: 86400

redis_addr

string optional

The redis_addr option is used to pass a network address where a Redis server can be reached. If set, the Redis instance is used for caching. If not given, an in-memory cache is used.

config.yaml
sessions:
    redis_addr: redis:6379

memcached_addr

string required if apache is used

The memcached_addr option is used to pass a network address where a memcached server can be reached. If set, the user claims are stored in memcached in the format needed by the Apache module AuthMemCookie.

Session information is still also stored in Redis or in memory.

config.yaml
sessions:
    memcached_addr: memcached:11211

memcached_claims

mapping / object see file example optional

The memcached_claims option is used to specify which information should be stored in memcached and from which OIDC claims the information should be obtained.

Note

The following keys are required by AuthMemCookie:

  • UserName
  • Groups

Info

OIDC claims can be given as a single string or a list of strings. If a list is given, OFFA will use the value from the first non-empty claim.

Example

In the config below UserName will be populated with the value in preferred_username if that is set, or sub otherwise.

The default mapping is as listed in the following config.yaml example.

config.yaml

sessions:
    memcached_claims:
        UserName:
            - preferred_username
            - sub
        Groups: groups
        Email: email
        Name: name
        GivenName: given_name
        Provider: iss
        Subject: sub
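
The first-non-empty rule described above, as an added Go example (not OFFA's own code). The names `names`, `isEmpty` and `Resolve` are hypothetical; treating a missing claim, an empty string and an empty list as "empty", omitting keys that resolve to nothing, and rejecting a result without UserName or Groups are assumptions of this example.

```go
package main

import "fmt"

// names normalizes one memcached_claims entry: a single claim name or a
// list of names (a YAML decoder typically yields string or []any).
func names(entry any) (out []string) {
	if s, ok := entry.(string); ok {
		return []string{s}
	}
	list, _ := entry.([]any)
	for _, e := range list {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// isEmpty: assumption that absent (nil), "" and empty lists count as empty.
func isEmpty(v any) bool {
	s, isStr := v.(string)
	l, isList := v.([]any)
	return v == nil || (isStr && s == "") || (isList && len(l) == 0)
}

// Resolve picks, per key, the value of the first non-empty claim and rejects
// a result that lacks the keys AuthMemCookie requires (UserName, Groups).
func Resolve(mapping, claims map[string]any) (map[string]any, error) {
	out := map[string]any{}
	for key, entry := range mapping {
		for _, n := range names(entry) {
			if v := claims[n]; !isEmpty(v) {
				out[key] = v
				break
			}
		}
	}
	for _, req := range []string{"UserName", "Groups"} {
		if _, ok := out[req]; !ok {
			return nil, fmt.Errorf("no non-empty claim for required key %s", req)
		}
	}
	return out, nil
}

func main() {
	mapping := map[string]any{"UserName": []any{"preferred_username", "sub"}, "Groups": "groups"}
	claims := map[string]any{"sub": "abc", "groups": []any{"staff"}} // constructed sample claims
	fmt.Println(Resolve(mapping, claims))
}
```

A token that carries only sub still yields a UserName through the fallback, while a token with no usable groups claim is caught before anything would be written to memcached.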

cookie_name

string offa-session optional

The cookie_name option is used to set the name of the cookie that holds the session token.

config.yaml
sessions:
    cookie_name: offa

cookie_domain

string required

The cookie_domain option is used to set the domain that the session cookie is assigned to and protects. This must be the same as the domain OFFA is served on or a parent domain.

Example

If OFFA is accessible via the URI https://offa.example.com the domain should be either offa.example.com or example.com.

config.yaml
sessions:
    cookie_domain: example.com