{
"description": "Generator information:\n- Generated from: /app/resource-manager/Microsoft.App/stable/2024-03-01/AuthConfigs.json\n- ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.App/containerApps/{containerAppName}/authConfigs/{authConfigName}",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"azureName": {
"description": "AzureName: The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it\ndoesn't have to be.",
"type": "string"
},
"encryptionSettings": {
"description": "EncryptionSettings: The configuration settings of the secrets references of encryption key and signing key for\nContainerApp Service Authentication/Authorization.",
"properties": {
"containerAppAuthEncryptionSecretName": {
"description": "ContainerAppAuthEncryptionSecretName: The secret name which is referenced for EncryptionKey.",
"type": "string"
},
"containerAppAuthSigningSecretName": {
"description": "ContainerAppAuthSigningSecretName: The secret name which is referenced for SigningKey.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"globalValidation": {
"description": "GlobalValidation: The configuration settings that determines the validation flow of users using Service\nAuthentication/Authorization.",
"properties": {
"excludedPaths": {
"description": "ExcludedPaths: The paths for which unauthenticated flow would not be redirected to the login page.",
"items": {
"type": "string"
},
"type": "array"
},
"redirectToProvider": {
"description": "RedirectToProvider: The default authentication provider to use when multiple providers are configured.\nThis setting is only needed if multiple providers are configured and the unauthenticated client\naction is set to \"RedirectToLoginPage\".",
"type": "string"
},
"unauthenticatedClientAction": {
"description": "UnauthenticatedClientAction: The action to take when an unauthenticated client attempts to access the app.",
"enum": [
"AllowAnonymous",
"RedirectToLoginPage",
"Return401",
"Return403"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"httpSettings": {
"description": "HttpSettings: The configuration settings of the HTTP requests for authentication and authorization requests made against\nContainerApp Service Authentication/Authorization.",
"properties": {
"forwardProxy": {
"description": "ForwardProxy: The configuration settings of a forward proxy used to make the requests.",
"properties": {
"convention": {
"description": "Convention: The convention used to determine the url of the request made.",
"enum": [
"Custom",
"NoProxy",
"Standard"
],
"type": "string"
},
"customHostHeaderName": {
"description": "CustomHostHeaderName: The name of the header containing the host of the request.",
"type": "string"
},
"customProtoHeaderName": {
"description": "CustomProtoHeaderName: The name of the header containing the scheme of the request.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"requireHttps": {
"description": "RequireHttps: false if the authentication/authorization responses not having the HTTPS scheme are\npermissible; otherwise, true.",
"type": "boolean"
},
"routes": {
"description": "Routes: The configuration settings of the paths HTTP requests.",
"properties": {
"apiPrefix": {
"description": "ApiPrefix: The prefix that should precede all the authentication/authorization paths.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"identityProviders": {
"description": "IdentityProviders: The configuration settings of each of the identity providers used to configure ContainerApp Service\nAuthentication/Authorization.",
"properties": {
"apple": {
"description": "Apple: The configuration settings of the Apple provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Apple provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the Apple registration.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"azureActiveDirectory": {
"description": "AzureActiveDirectory: The configuration settings of the Azure Active directory provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Azure Active Directory provider should not be enabled despite the set registration;\notherwise, true.",
"type": "boolean"
},
"isAutoProvisioned": {
"description": "IsAutoProvisioned: Gets a value indicating whether the Azure AD configuration was auto-provisioned using 1st party\ntooling.\nThis is an internal flag primarily intended to support the Azure Management Portal. Users should not\nread or write to this property.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the Azure Active Directory login flow.",
"properties": {
"disableWWWAuthenticate": {
"description": "DisableWWWAuthenticate: true if the www-authenticate provider should be omitted from the request;\notherwise, false.",
"type": "boolean"
},
"loginParameters": {
"description": "LoginParameters: Login parameters to send to the OpenID Connect authorization endpoint when\na user logs in. Each parameter must be in the form \"key=value\".",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the Azure Active Directory app registration.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of this relying party application, known as the client_id.\nThis setting is required for enabling OpenID Connection authentication with Azure Active Directory or\nother 3rd party OpenID Connect providers.\nMore information on OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html",
"type": "string"
},
"clientSecretCertificateIssuer": {
"description": "ClientSecretCertificateIssuer: An alternative to the client secret thumbprint, that is the issuer of a certificate used\nfor signing purposes. This property acts as\na replacement for the Client Secret Certificate Thumbprint. It is also optional.",
"type": "string"
},
"clientSecretCertificateSubjectAlternativeName": {
"description": "ClientSecretCertificateSubjectAlternativeName: An alternative to the client secret thumbprint, that is the subject\nalternative name of a certificate used for signing purposes. This property acts as\na replacement for the Client Secret Certificate Thumbprint. It is also optional.",
"type": "string"
},
"clientSecretCertificateThumbprint": {
"description": "ClientSecretCertificateThumbprint: An alternative to the client secret, that is the thumbprint of a certificate used for\nsigning purposes. This property acts as\na replacement for the Client Secret. It is also optional.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret of the relying party application.",
"type": "string"
},
"openIdIssuer": {
"description": "OpenIdIssuer: The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application.\nWhen using Azure Active Directory, this value is the URI of the directory tenant, e.g.\n`https://login.microsoftonline.com/v2.0/{tenant-guid}/`.\nThis URI is a case-sensitive identifier for the token issuer.\nMore information on OpenID Connect Discovery: http://openid.net/specs/openid-connect-discovery-1_0.html",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"validation": {
"description": "Validation: The configuration settings of the Azure Active Directory token validation flow.",
"properties": {
"allowedAudiences": {
"description": "AllowedAudiences: The list of audiences that can make successful authentication/authorization requests.",
"items": {
"type": "string"
},
"type": "array"
},
"defaultAuthorizationPolicy": {
"description": "DefaultAuthorizationPolicy: The configuration settings of the default authorization policy.",
"properties": {
"allowedApplications": {
"description": "AllowedApplications: The configuration settings of the Azure Active Directory allowed applications.",
"items": {
"type": "string"
},
"type": "array"
},
"allowedPrincipals": {
"description": "AllowedPrincipals: The configuration settings of the Azure Active Directory allowed principals.",
"properties": {
"groups": {
"description": "Groups: The list of the allowed groups.",
"items": {
"type": "string"
},
"type": "array"
},
"identities": {
"description": "Identities: The list of the allowed identities.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"jwtClaimChecks": {
"description": "JwtClaimChecks: The configuration settings of the checks that should be made while validating the JWT Claims.",
"properties": {
"allowedClientApplications": {
"description": "AllowedClientApplications: The list of the allowed client applications.",
"items": {
"type": "string"
},
"type": "array"
},
"allowedGroups": {
"description": "AllowedGroups: The list of the allowed groups.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"azureStaticWebApps": {
"description": "AzureStaticWebApps: The configuration settings of the Azure Static Web Apps provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Azure Static Web Apps provider should not be enabled despite the set registration;\notherwise, true.",
"type": "boolean"
},
"registration": {
"description": "Registration: The configuration settings of the Azure Static Web Apps registration.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"customOpenIdConnectProviders": {
"additionalProperties": {
"description": "The configuration settings of the custom Open ID Connect provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the custom Open ID provider provider should not be enabled; otherwise, true.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow of the custom Open ID Connect provider.",
"properties": {
"nameClaimType": {
"description": "NameClaimType: The name of the claim that contains the users name.",
"type": "string"
},
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the custom Open ID Connect provider.",
"properties": {
"clientCredential": {
"description": "ClientCredential: The authentication credentials of the custom Open ID Connect provider.",
"properties": {
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting that contains the client secret for the custom Open ID Connect provider.",
"type": "string"
},
"method": {
"description": "Method: The method that should be used to authenticate the user.",
"enum": [
"ClientSecretPost"
],
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"clientId": {
"description": "ClientId: The client id of the custom Open ID Connect provider.",
"type": "string"
},
"openIdConnectConfiguration": {
"description": "OpenIdConnectConfiguration: The configuration settings of the endpoints used for the custom Open ID Connect provider.",
"properties": {
"authorizationEndpoint": {
"description": "AuthorizationEndpoint: The endpoint to be used to make an authorization request.",
"type": "string"
},
"certificationUri": {
"description": "CertificationUri: The endpoint that provides the keys necessary to validate the token.",
"type": "string"
},
"issuer": {
"description": "Issuer: The endpoint that issues the token.",
"type": "string"
},
"tokenEndpoint": {
"description": "TokenEndpoint: The endpoint to be used to request a token.",
"type": "string"
},
"wellKnownOpenIdConfiguration": {
"description": "WellKnownOpenIdConfiguration: The endpoint that contains all the configuration endpoints for the provider.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"description": "CustomOpenIdConnectProviders: The map of the name of the alias of each custom Open ID Connect provider to the\nconfiguration settings of the custom Open ID Connect provider.",
"type": "object"
},
"facebook": {
"description": "Facebook: The configuration settings of the Facebook provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Facebook provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"graphApiVersion": {
"description": "GraphApiVersion: The version of the Facebook api to be used while logging in.",
"type": "string"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the Facebook provider.",
"properties": {
"appId": {
"description": "AppId: The App ID of the app used for login.",
"type": "string"
},
"appSecretSettingName": {
"description": "AppSecretSettingName: The app setting name that contains the app secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"gitHub": {
"description": "GitHub: The configuration settings of the GitHub provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the GitHub provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the GitHub provider.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"google": {
"description": "Google: The configuration settings of the Google provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Google provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the Google provider.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"validation": {
"description": "Validation: The configuration settings of the Azure Active Directory token validation flow.",
"properties": {
"allowedAudiences": {
"description": "AllowedAudiences: The configuration settings of the allowed list of audiences from which to validate the JWT token.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"twitter": {
"description": "Twitter: The configuration settings of the Twitter provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Twitter provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the Twitter provider.",
"properties": {
"consumerKey": {
"description": "ConsumerKey: The OAuth 1.0a consumer key of the Twitter application used for sign-in.\nThis setting is required for enabling Twitter Sign-In.\nTwitter Sign-In documentation: https://dev.twitter.com/web/sign-in",
"type": "string"
},
"consumerSecretSettingName": {
"description": "ConsumerSecretSettingName: The app setting name that contains the OAuth 1.0a consumer secret of the Twitter\napplication used for sign-in.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"login": {
"description": "Login: The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization.",
"properties": {
"allowedExternalRedirectUrls": {
"description": "AllowedExternalRedirectUrls: External URLs that can be redirected to as part of logging in or logging out of the app.\nNote that the query string part of the URL is ignored.\nThis is an advanced setting typically only needed by Windows Store application backends.\nNote that URLs within the current domain are always implicitly allowed.",
"items": {
"type": "string"
},
"type": "array"
},
"cookieExpiration": {
"description": "CookieExpiration: The configuration settings of the session cookie's expiration.",
"properties": {
"convention": {
"description": "Convention: The convention used when determining the session cookie's expiration.",
"enum": [
"FixedTime",
"IdentityProviderDerived"
],
"type": "string"
},
"timeToExpiration": {
"description": "TimeToExpiration: The time after the request is made when the session cookie should expire.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"nonce": {
"description": "Nonce: The configuration settings of the nonce used in the login flow.",
"properties": {
"nonceExpirationInterval": {
"description": "NonceExpirationInterval: The time after the request is made when the nonce should expire.",
"type": "string"
},
"validateNonce": {
"description": "ValidateNonce: false if the nonce should not be validated while completing the login flow; otherwise,\ntrue.",
"type": "boolean"
}
},
"type": "object",
"additionalProperties": false
},
"preserveUrlFragmentsForLogins": {
"description": "PreserveUrlFragmentsForLogins: true if the fragments from the request are preserved after the login request\nis made; otherwise, false.",
"type": "boolean"
},
"routes": {
"description": "Routes: The routes that specify the endpoints used for login and logout requests.",
"properties": {
"logoutEndpoint": {
"description": "LogoutEndpoint: The endpoint at which a logout request should be made.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"tokenStore": {
"description": "TokenStore: The configuration settings of the token store.",
"properties": {
"azureBlobStorage": {
"description": "AzureBlobStorage: The configuration settings of the storage of the tokens if blob storage is used.",
"properties": {
"sasUrlSettingName": {
"description": "SasUrlSettingName: The name of the app secrets containing the SAS URL of the blob storage containing the tokens.",
"type": "string"
}
},
"required": [
"sasUrlSettingName"
],
"type": "object",
"additionalProperties": false
},
"enabled": {
"description": "Enabled: true to durably store platform-specific security tokens that are obtained during login flows;\notherwise, false.\nThe default is false.",
"type": "boolean"
},
"tokenRefreshExtensionHours": {
"description": "TokenRefreshExtensionHours: The number of hours after session token expiration that a session token can be used to\ncall the token refresh API. The default is 72 hours.",
"type": "number"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"operatorSpec": {
"description": "OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not\npassed directly to Azure",
"properties": {
"configMapExpressions": {
"description": "ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).",
"items": {
"description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.",
"properties": {
"key": {
"description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.",
"type": "string"
},
"name": {
"description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.",
"type": "string"
},
"value": {
"description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/",
"type": "string"
}
},
"required": [
"name",
"value"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"secretExpressions": {
"description": "SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).",
"items": {
"description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.",
"properties": {
"key": {
"description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.",
"type": "string"
},
"name": {
"description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.",
"type": "string"
},
"value": {
"description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/",
"type": "string"
}
},
"required": [
"name",
"value"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"owner": {
"description": "Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also\ncontrols the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a\nreference to a app.azure.com/ContainerApp resource",
"properties": {
"armId": {
"pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
"type": "string"
},
"name": {
"description": "This is the name of the Kubernetes resource to reference.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"platform": {
"description": "Platform: The configuration settings of the platform of ContainerApp Service Authentication/Authorization.",
"properties": {
"enabled": {
"description": "Enabled: true if the Authentication / Authorization feature is enabled for the current app; otherwise,\nfalse.",
"type": "boolean"
},
"runtimeVersion": {
"description": "RuntimeVersion: The RuntimeVersion of the Authentication / Authorization feature in use for the current app.\nThe setting in this value can control the behavior of certain features in the Authentication / Authorization module.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"required": [
"owner"
],
"type": "object",
"additionalProperties": false
},
"status": {
"properties": {
"conditions": {
"description": "Conditions: The observed state of the resource",
"items": {
"description": "Condition defines an extension to status (an observation) of a resource",
"properties": {
"lastTransitionTime": {
"description": "LastTransitionTime is the last time the condition transitioned from one status to another.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "Message is a human readable message indicating details about the transition. This field may be empty.",
"type": "string"
},
"observedGeneration": {
"description": "ObservedGeneration is the .metadata.generation that the condition was set based upon. For instance, if\n.metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
"format": "int64",
"type": "integer"
},
"reason": {
"description": "Reason for the condition's last transition.\nReasons are upper CamelCase (PascalCase) with no spaces. A reason is always provided, this field will not be empty.",
"type": "string"
},
"severity": {
"description": "Severity with which to treat failures of this type of condition.\nFor conditions which have positive polarity (Status == True is their normal/healthy state), this will be omitted when Status == True\nFor conditions which have negative polarity (Status == False is their normal/healthy state), this will be omitted when Status == False.\nThis is omitted in all cases when Status == Unknown",
"type": "string"
},
"status": {
"description": "Status of the condition, one of True, False, or Unknown.",
"type": "string"
},
"type": {
"description": "Type of condition.",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"reason",
"status",
"type"
],
"type": "object",
"additionalProperties": false
},
"type": "array"
},
"encryptionSettings": {
"description": "EncryptionSettings: The configuration settings of the secrets references of encryption key and signing key for\nContainerApp Service Authentication/Authorization.",
"properties": {
"containerAppAuthEncryptionSecretName": {
"description": "ContainerAppAuthEncryptionSecretName: The secret name which is referenced for EncryptionKey.",
"type": "string"
},
"containerAppAuthSigningSecretName": {
"description": "ContainerAppAuthSigningSecretName: The secret name which is referenced for SigningKey.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"globalValidation": {
"description": "GlobalValidation: The configuration settings that determines the validation flow of users using Service\nAuthentication/Authorization.",
"properties": {
"excludedPaths": {
"description": "ExcludedPaths: The paths for which unauthenticated flow would not be redirected to the login page.",
"items": {
"type": "string"
},
"type": "array"
},
"redirectToProvider": {
"description": "RedirectToProvider: The default authentication provider to use when multiple providers are configured.\nThis setting is only needed if multiple providers are configured and the unauthenticated client\naction is set to \"RedirectToLoginPage\".",
"type": "string"
},
"unauthenticatedClientAction": {
"description": "UnauthenticatedClientAction: The action to take when an unauthenticated client attempts to access the app.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"httpSettings": {
"description": "HttpSettings: The configuration settings of the HTTP requests for authentication and authorization requests made against\nContainerApp Service Authentication/Authorization.",
"properties": {
"forwardProxy": {
"description": "ForwardProxy: The configuration settings of a forward proxy used to make the requests.",
"properties": {
"convention": {
"description": "Convention: The convention used to determine the url of the request made.",
"type": "string"
},
"customHostHeaderName": {
"description": "CustomHostHeaderName: The name of the header containing the host of the request.",
"type": "string"
},
"customProtoHeaderName": {
"description": "CustomProtoHeaderName: The name of the header containing the scheme of the request.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"requireHttps": {
"description": "RequireHttps: false if the authentication/authorization responses not having the HTTPS scheme are\npermissible; otherwise, true.",
"type": "boolean"
},
"routes": {
"description": "Routes: The configuration settings of the paths HTTP requests.",
"properties": {
"apiPrefix": {
"description": "ApiPrefix: The prefix that should precede all the authentication/authorization paths.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"id": {
"description": "Id: Fully qualified resource ID for the resource. Ex -\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}",
"type": "string"
},
"identityProviders": {
"description": "IdentityProviders: The configuration settings of each of the identity providers used to configure ContainerApp Service\nAuthentication/Authorization.",
"properties": {
"apple": {
"description": "Apple: The configuration settings of the Apple provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Apple provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the Apple registration.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"azureActiveDirectory": {
"description": "AzureActiveDirectory: The configuration settings of the Azure Active directory provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Azure Active Directory provider should not be enabled despite the set registration;\notherwise, true.",
"type": "boolean"
},
"isAutoProvisioned": {
"description": "IsAutoProvisioned: Gets a value indicating whether the Azure AD configuration was auto-provisioned using 1st party\ntooling.\nThis is an internal flag primarily intended to support the Azure Management Portal. Users should not\nread or write to this property.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the Azure Active Directory login flow.",
"properties": {
"disableWWWAuthenticate": {
"description": "DisableWWWAuthenticate: true if the www-authenticate provider should be omitted from the request;\notherwise, false.",
"type": "boolean"
},
"loginParameters": {
"description": "LoginParameters: Login parameters to send to the OpenID Connect authorization endpoint when\na user logs in. Each parameter must be in the form \"key=value\".",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the Azure Active Directory app registration.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of this relying party application, known as the client_id.\nThis setting is required for enabling OpenID Connection authentication with Azure Active Directory or\nother 3rd party OpenID Connect providers.\nMore information on OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html",
"type": "string"
},
"clientSecretCertificateIssuer": {
"description": "ClientSecretCertificateIssuer: An alternative to the client secret thumbprint, that is the issuer of a certificate used\nfor signing purposes. This property acts as\na replacement for the Client Secret Certificate Thumbprint. It is also optional.",
"type": "string"
},
"clientSecretCertificateSubjectAlternativeName": {
"description": "ClientSecretCertificateSubjectAlternativeName: An alternative to the client secret thumbprint, that is the subject\nalternative name of a certificate used for signing purposes. This property acts as\na replacement for the Client Secret Certificate Thumbprint. It is also optional.",
"type": "string"
},
"clientSecretCertificateThumbprint": {
"description": "ClientSecretCertificateThumbprint: An alternative to the client secret, that is the thumbprint of a certificate used for\nsigning purposes. This property acts as\na replacement for the Client Secret. It is also optional.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret of the relying party application.",
"type": "string"
},
"openIdIssuer": {
"description": "OpenIdIssuer: The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application.\nWhen using Azure Active Directory, this value is the URI of the directory tenant, e.g.\n`https://login.microsoftonline.com/v2.0/{tenant-guid}/`.\nThis URI is a case-sensitive identifier for the token issuer.\nMore information on OpenID Connect Discovery: http://openid.net/specs/openid-connect-discovery-1_0.html",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"validation": {
"description": "Validation: The configuration settings of the Azure Active Directory token validation flow.",
"properties": {
"allowedAudiences": {
"description": "AllowedAudiences: The list of audiences that can make successful authentication/authorization requests.",
"items": {
"type": "string"
},
"type": "array"
},
"defaultAuthorizationPolicy": {
"description": "DefaultAuthorizationPolicy: The configuration settings of the default authorization policy.",
"properties": {
"allowedApplications": {
"description": "AllowedApplications: The configuration settings of the Azure Active Directory allowed applications.",
"items": {
"type": "string"
},
"type": "array"
},
"allowedPrincipals": {
"description": "AllowedPrincipals: The configuration settings of the Azure Active Directory allowed principals.",
"properties": {
"groups": {
"description": "Groups: The list of the allowed groups.",
"items": {
"type": "string"
},
"type": "array"
},
"identities": {
"description": "Identities: The list of the allowed identities.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"jwtClaimChecks": {
"description": "JwtClaimChecks: The configuration settings of the checks that should be made while validating the JWT Claims.",
"properties": {
"allowedClientApplications": {
"description": "AllowedClientApplications: The list of the allowed client applications.",
"items": {
"type": "string"
},
"type": "array"
},
"allowedGroups": {
"description": "AllowedGroups: The list of the allowed groups.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"azureStaticWebApps": {
"description": "AzureStaticWebApps: The configuration settings of the Azure Static Web Apps provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Azure Static Web Apps provider should not be enabled despite the set registration;\notherwise, true.",
"type": "boolean"
},
"registration": {
"description": "Registration: The configuration settings of the Azure Static Web Apps registration.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"customOpenIdConnectProviders": {
"additionalProperties": {
"description": "The configuration settings of the custom Open ID Connect provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the custom Open ID provider provider should not be enabled; otherwise, true.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow of the custom Open ID Connect provider.",
"properties": {
"nameClaimType": {
"description": "NameClaimType: The name of the claim that contains the users name.",
"type": "string"
},
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the custom Open ID Connect provider.",
"properties": {
"clientCredential": {
"description": "ClientCredential: The authentication credentials of the custom Open ID Connect provider.",
"properties": {
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting that contains the client secret for the custom Open ID Connect provider.",
"type": "string"
},
"method": {
"description": "Method: The method that should be used to authenticate the user.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"clientId": {
"description": "ClientId: The client id of the custom Open ID Connect provider.",
"type": "string"
},
"openIdConnectConfiguration": {
"description": "OpenIdConnectConfiguration: The configuration settings of the endpoints used for the custom Open ID Connect provider.",
"properties": {
"authorizationEndpoint": {
"description": "AuthorizationEndpoint: The endpoint to be used to make an authorization request.",
"type": "string"
},
"certificationUri": {
"description": "CertificationUri: The endpoint that provides the keys necessary to validate the token.",
"type": "string"
},
"issuer": {
"description": "Issuer: The endpoint that issues the token.",
"type": "string"
},
"tokenEndpoint": {
"description": "TokenEndpoint: The endpoint to be used to request a token.",
"type": "string"
},
"wellKnownOpenIdConfiguration": {
"description": "WellKnownOpenIdConfiguration: The endpoint that contains all the configuration endpoints for the provider.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"description": "CustomOpenIdConnectProviders: The map of the name of the alias of each custom Open ID Connect provider to the\nconfiguration settings of the custom Open ID Connect provider.",
"type": "object"
},
"facebook": {
"description": "Facebook: The configuration settings of the Facebook provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Facebook provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"graphApiVersion": {
"description": "GraphApiVersion: The version of the Facebook api to be used while logging in.",
"type": "string"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the Facebook provider.",
"properties": {
"appId": {
"description": "AppId: The App ID of the app used for login.",
"type": "string"
},
"appSecretSettingName": {
"description": "AppSecretSettingName: The app setting name that contains the app secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"gitHub": {
"description": "GitHub: The configuration settings of the GitHub provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the GitHub provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the GitHub provider.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"google": {
"description": "Google: The configuration settings of the Google provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Google provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"login": {
"description": "Login: The configuration settings of the login flow.",
"properties": {
"scopes": {
"description": "Scopes: A list of the scopes that should be requested while authenticating.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the Google provider.",
"properties": {
"clientId": {
"description": "ClientId: The Client ID of the app used for login.",
"type": "string"
},
"clientSecretSettingName": {
"description": "ClientSecretSettingName: The app setting name that contains the client secret.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"validation": {
"description": "Validation: The configuration settings of the Azure Active Directory token validation flow.",
"properties": {
"allowedAudiences": {
"description": "AllowedAudiences: The configuration settings of the allowed list of audiences from which to validate the JWT token.",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"twitter": {
"description": "Twitter: The configuration settings of the Twitter provider.",
"properties": {
"enabled": {
"description": "Enabled: false if the Twitter provider should not be enabled despite the set registration; otherwise,\ntrue.",
"type": "boolean"
},
"registration": {
"description": "Registration: The configuration settings of the app registration for the Twitter provider.",
"properties": {
"consumerKey": {
"description": "ConsumerKey: The OAuth 1.0a consumer key of the Twitter application used for sign-in.\nThis setting is required for enabling Twitter Sign-In.\nTwitter Sign-In documentation: https://dev.twitter.com/web/sign-in",
"type": "string"
},
"consumerSecretSettingName": {
"description": "ConsumerSecretSettingName: The app setting name that contains the OAuth 1.0a consumer secret of the Twitter\napplication used for sign-in.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"login": {
"description": "Login: The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization.",
"properties": {
"allowedExternalRedirectUrls": {
"description": "AllowedExternalRedirectUrls: External URLs that can be redirected to as part of logging in or logging out of the app.\nNote that the query string part of the URL is ignored.\nThis is an advanced setting typically only needed by Windows Store application backends.\nNote that URLs within the current domain are always implicitly allowed.",
"items": {
"type": "string"
},
"type": "array"
},
"cookieExpiration": {
"description": "CookieExpiration: The configuration settings of the session cookie's expiration.",
"properties": {
"convention": {
"description": "Convention: The convention used when determining the session cookie's expiration.",
"type": "string"
},
"timeToExpiration": {
"description": "TimeToExpiration: The time after the request is made when the session cookie should expire.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"nonce": {
"description": "Nonce: The configuration settings of the nonce used in the login flow.",
"properties": {
"nonceExpirationInterval": {
"description": "NonceExpirationInterval: The time after the request is made when the nonce should expire.",
"type": "string"
},
"validateNonce": {
"description": "ValidateNonce: false if the nonce should not be validated while completing the login flow; otherwise,\ntrue.",
"type": "boolean"
}
},
"type": "object",
"additionalProperties": false
},
"preserveUrlFragmentsForLogins": {
"description": "PreserveUrlFragmentsForLogins: true if the fragments from the request are preserved after the login request\nis made; otherwise, false.",
"type": "boolean"
},
"routes": {
"description": "Routes: The routes that specify the endpoints used for login and logout requests.",
"properties": {
"logoutEndpoint": {
"description": "LogoutEndpoint: The endpoint at which a logout request should be made.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"tokenStore": {
"description": "TokenStore: The configuration settings of the token store.",
"properties": {
"azureBlobStorage": {
"description": "AzureBlobStorage: The configuration settings of the storage of the tokens if blob storage is used.",
"properties": {
"sasUrlSettingName": {
"description": "SasUrlSettingName: The name of the app secrets containing the SAS URL of the blob storage containing the tokens.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"enabled": {
"description": "Enabled: true to durably store platform-specific security tokens that are obtained during login flows;\notherwise, false.\nThe default is false.",
"type": "boolean"
},
"tokenRefreshExtensionHours": {
"description": "TokenRefreshExtensionHours: The number of hours after session token expiration that a session token can be used to\ncall the token refresh API. The default is 72 hours.",
"type": "number"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object",
"additionalProperties": false
},
"name": {
"description": "Name: The name of the resource",
"type": "string"
},
"platform": {
"description": "Platform: The configuration settings of the platform of ContainerApp Service Authentication/Authorization.",
"properties": {
"enabled": {
"description": "Enabled: true if the Authentication / Authorization feature is enabled for the current app; otherwise,\nfalse.",
"type": "boolean"
},
"runtimeVersion": {
"description": "RuntimeVersion: The RuntimeVersion of the Authentication / Authorization feature in use for the current app.\nThe setting in this value can control the behavior of certain features in the Authentication / Authorization module.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"systemData": {
"description": "SystemData: Azure Resource Manager metadata containing createdBy and modifiedBy information.",
"properties": {
"createdAt": {
"description": "CreatedAt: The timestamp of resource creation (UTC).",
"type": "string"
},
"createdBy": {
"description": "CreatedBy: The identity that created the resource.",
"type": "string"
},
"createdByType": {
"description": "CreatedByType: The type of identity that created the resource.",
"type": "string"
},
"lastModifiedAt": {
"description": "LastModifiedAt: The timestamp of resource last modification (UTC)",
"type": "string"
},
"lastModifiedBy": {
"description": "LastModifiedBy: The identity that last modified the resource.",
"type": "string"
},
"lastModifiedByType": {
"description": "LastModifiedByType: The type of identity that last modified the resource.",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
},
"type": {
"description": "Type: The type of the resource. E.g. \"Microsoft.Compute/virtualMachines\" or \"Microsoft.Storage/storageAccounts\"",
"type": "string"
}
},
"type": "object",
"additionalProperties": false
}
},
"type": "object"
}