# Example: IIIF Auth 2.0 — header-trust backend
#
# iiiris hosts no login UI. The reverse proxy in front of iiiris
# (oauth2-proxy, Pomerium, authelia, Cloudflare Access, Tailscale,
# Google IAP) handles authentication and forwards the authenticated
# user identity as a trusted header. iiiris reads that header and
# treats it as the session.
#
# This is the right choice when:
#   - Your organization already has an auth provider in front of every service
#   - You want iiiris to inherit that auth without running a parallel flow
#   - The viewers your users use are on the same trusted side of the proxy
#
# **Security**: the reverse proxy MUST strip the configured header
# from untrusted client requests before forwarding to iiiris. Without
# that, anyone can forge an arbitrary username. iiiris does not
# verify the header against any second source.
#
# **info.json** for header-backend profiles advertises the probe
# service only — no AuthAccessService2, because there is no
# interactive flow for the viewer to initiate. The viewer learns
# whether the user is authorized from the probe response.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    sso:
      # Pattern is advertised in info.json verbatim; "external" is the
      # closest spec match for a header-trust deployment (the access
      # service is provided by an external entity — the reverse proxy).
      pattern: external
      label:
        en: ["Single sign-on"]
      access_service:
        backend: header
        header: X-Forwarded-User
        # Other common values, depending on your auth proxy:
        #   X-Auth-Request-Email      (oauth2-proxy)
        #   X-Pomerium-Jwt-Assertion  (Pomerium — header carries a JWT, not a user)
        #   Remote-User               (authelia)
      # session_ttl / token_ttl: not relevant. The header IS the
      # session, refreshed on every request. iiiris mints no cookie.

  rules:
    - match: "sso-only/*"
      profile: sso

  cors:
    # Probe responses still go through CORS; viewers behind the same
    # reverse proxy don't need a wildcard token origin, but list the
    # ones that legitimately request tokens.
    token_origins:
      - https://viewer.example.org
