REST API: Configurations

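This endpoint allows an administrator to manage Configurations.

Updates made here can be applied at runtime with little to no downtime for the affected services.

The configuration includes authentication settings (local authentication, OpenID Connect providers and SAML identity providers), and responses return each OpenID Connect provider's `client_secret` in clear text, as the example responses below show. Handle the API token and any stored or logged responses as administrative secrets.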

API Documentation

GET /v0/configuration

Example

$ curl -i \
  -X GET "https://{firezone_host}/v0/configuration" \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {api_token}' \

HTTP/1.1 200
Content-Type: application/json; charset=utf-8

{
  "data": {
    "allow_unprivileged_device_configuration": true,
    "allow_unprivileged_device_management": true,
    "default_client_allowed_ips": [
      "0.0.0.0/0",
      "::/0"
    ],
    "default_client_dns": [
      "1.1.1.1",
      "1.0.0.1"
    ],
    "default_client_endpoint": "localhost:51820",
    "default_client_mtu": 1280,
    "default_client_persistent_keepalive": 25,
    "disable_vpn_on_oidc_error": false,
    "id": "c4582e2b-cba3-4a4e-9f05-0f37666c41fe",
    "inserted_at": "2023-03-29T15:10:03.142320Z",
    "local_auth_enabled": true,
    "logo": {},
    "openid_connect_providers": [],
    "saml_identity_providers": [],
    "updated_at": "2023-03-29T15:10:03.142320Z",
    "vpn_session_duration": 0
  }
}

PATCH /v0/configuration

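Example

The request below is sent with `-X PUT`, although this section is titled PATCH. Its values are test fixtures (`test-secret`, `https://invalid`) that illustrate the request shape. It disables local authentication and sets every SAML signing option to `false`, so review those fields against your identity provider's requirements rather than copying them as-is.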

$ curl -i \
  -X PUT "https://{firezone_host}/v0/configuration" \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {api_token}' \
  --data-binary @- << EOF
{
  "configuration": {
    "allow_unprivileged_device_configuration": false,
    "allow_unprivileged_device_management": false,
    "default_client_allowed_ips": [
      "1.1.1.1",
      "2.2.2.2"
    ],
    "default_client_dns": [
      "1.1.1.1"
    ],
    "default_client_endpoint": "new-endpoint",
    "default_client_mtu": 1100,
    "default_client_persistent_keepalive": 1,
    "disable_vpn_on_oidc_error": true,
    "local_auth_enabled": false,
    "openid_connect_providers": [
      {
        "auto_create_users": false,
        "client_id": "test-id",
        "client_secret": "test-secret",
        "discovery_document_uri": "https://accounts.google.com/.well-known/openid-configuration",
        "id": "google",
        "label": "google",
        "redirect_uri": "https://invalid",
        "response_type": "code",
        "scope": "email openid"
      }
    ],
    "saml_identity_providers": [
      {
        "auto_create_users": false,
        "base_url": "https://saml",
        "id": "okta",
        "label": "okta",
        "metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<md:EntityDescriptor entityID=\"http://www.okta.com/exk6ff6p62kFjUR3X5d7\"\n  xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n  <md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo\n        xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAYMaIfiKMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi04Mzg1OTk1NTEcMBoGCSqGSIb3DQEJ\nARYNaW5mb0Bva3RhLmNvbTAeFw0yMjA5MDcyMjQ1MTdaFw0zMjA5MDcyMjQ2MTdaMIGUMQswCQYD\nVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG\nA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi04Mzg1OTk1NTEc\nMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAOmj276L3kHm57hNGYTocT6NS4mffPbcvsA2UuKIWfmpV8HLTcmS+NahLtuN841OnRnTn+2p\nfjlwa1mwJhCODbF3dcVYOkGTPUC4y2nvf1Xas6M7+0O2WIfrzdX/OOUs/ROMnB/O/MpBwMR2SQh6\nQ3V+9v8g3K9yfMvcifDbl6g9fTliDzqV7I9xF5eJykl+iCAKNaQgp3cO6TaIa5u2ZKtRAdzwnuJC\nBXMyzaoNs/vfnwzuFtzWP1PSS1Roan+8AMwkYA6BCr1YRIqZ0GSkr/qexFCTZdq0UnSN78fY6CCM\nRFw5wU0WM9nEpbWzkBBWsYHeTLo5JqR/mZukfjlPDlcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\nlUhwzCSnuqt4wlHxJONN4kxUBG8bPnjHxob6jBKK+onFDuSVWZ+7LZw67blz6xdxvlOLaQLi1fK2\nFifehbc7KbRLckcgNgg7Y8qfUKdP0/nS0JlyAvlnICQqaHTHwhIzQqTHtTZeeIJHtpWOX/OPRI0S\nbkygh2qjF8bYn3sX8bGNUQL8iiMxFnvwGrXaErPqlRqFJbWQDBXD+nYDIBw7WN3Jyb0Ydin2zrlh\ngp3Qooi0TnAir3ncw/UF/+sivCgd+6nX7HkbZtipkMbg7ZByyD9xrOQG2JXrP6PyzGCPwnGMt9pL\niiVMepeLNqKZ3UvhrR1uRN0KWu7lduIRhxldLA==</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>\n    
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://dev-83859955.okta.com/app/dev-83859955_firezonesaml_1/exk6ff6p62kFjUR3X5d7/sso/saml\"/>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://dev-83859955.okta.com/app/dev-83859955_firezonesaml_1/exk6ff6p62kFjUR3X5d7/sso/saml\"/>\n  </md:IDPSSODescriptor>\n</md:EntityDescriptor>\n",
        "sign_metadata": false,
        "sign_requests": false,
        "signed_assertion_in_resp": false,
        "signed_envelopes_in_resp": false
      }
    ],
    "vpn_session_duration": 100
  }
}
EOF

HTTP/1.1 200
Content-Type: application/json; charset=utf-8

{
  "data": {
    "allow_unprivileged_device_configuration": false,
    "allow_unprivileged_device_management": false,
    "default_client_allowed_ips": [
      "1.1.1.1",
      "2.2.2.2"
    ],
    "default_client_dns": [
      "1.1.1.1"
    ],
    "default_client_endpoint": "new-endpoint",
    "default_client_mtu": 1100,
    "default_client_persistent_keepalive": 1,
    "disable_vpn_on_oidc_error": true,
    "id": "c4582e2b-cba3-4a4e-9f05-0f37666c41fe",
    "inserted_at": "2023-03-29T15:10:03.142320Z",
    "local_auth_enabled": false,
    "logo": {},
    "openid_connect_providers": [
      {
        "auto_create_users": false,
        "client_id": "test-id",
        "client_secret": "test-secret",
        "discovery_document_uri": "https://accounts.google.com/.well-known/openid-configuration",
        "id": "google",
        "label": "google",
        "redirect_uri": "https://invalid",
        "response_type": "code",
        "scope": "email openid"
      }
    ],
    "saml_identity_providers": [
      {
        "auto_create_users": false,
        "base_url": "https://saml",
        "id": "okta",
        "label": "okta",
        "metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<md:EntityDescriptor entityID=\"http://www.okta.com/exk6ff6p62kFjUR3X5d7\"\n  xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n  <md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo\n        xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAYMaIfiKMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi04Mzg1OTk1NTEcMBoGCSqGSIb3DQEJ\nARYNaW5mb0Bva3RhLmNvbTAeFw0yMjA5MDcyMjQ1MTdaFw0zMjA5MDcyMjQ2MTdaMIGUMQswCQYD\nVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG\nA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi04Mzg1OTk1NTEc\nMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAOmj276L3kHm57hNGYTocT6NS4mffPbcvsA2UuKIWfmpV8HLTcmS+NahLtuN841OnRnTn+2p\nfjlwa1mwJhCODbF3dcVYOkGTPUC4y2nvf1Xas6M7+0O2WIfrzdX/OOUs/ROMnB/O/MpBwMR2SQh6\nQ3V+9v8g3K9yfMvcifDbl6g9fTliDzqV7I9xF5eJykl+iCAKNaQgp3cO6TaIa5u2ZKtRAdzwnuJC\nBXMyzaoNs/vfnwzuFtzWP1PSS1Roan+8AMwkYA6BCr1YRIqZ0GSkr/qexFCTZdq0UnSN78fY6CCM\nRFw5wU0WM9nEpbWzkBBWsYHeTLo5JqR/mZukfjlPDlcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\nlUhwzCSnuqt4wlHxJONN4kxUBG8bPnjHxob6jBKK+onFDuSVWZ+7LZw67blz6xdxvlOLaQLi1fK2\nFifehbc7KbRLckcgNgg7Y8qfUKdP0/nS0JlyAvlnICQqaHTHwhIzQqTHtTZeeIJHtpWOX/OPRI0S\nbkygh2qjF8bYn3sX8bGNUQL8iiMxFnvwGrXaErPqlRqFJbWQDBXD+nYDIBw7WN3Jyb0Ydin2zrlh\ngp3Qooi0TnAir3ncw/UF/+sivCgd+6nX7HkbZtipkMbg7ZByyD9xrOQG2JXrP6PyzGCPwnGMt9pL\niiVMepeLNqKZ3UvhrR1uRN0KWu7lduIRhxldLA==</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>\n    
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://dev-83859955.okta.com/app/dev-83859955_firezonesaml_1/exk6ff6p62kFjUR3X5d7/sso/saml\"/>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://dev-83859955.okta.com/app/dev-83859955_firezonesaml_1/exk6ff6p62kFjUR3X5d7/sso/saml\"/>\n  </md:IDPSSODescriptor>\n</md:EntityDescriptor>\n",
        "sign_metadata": false,
        "sign_requests": false,
        "signed_assertion_in_resp": false,
        "signed_envelopes_in_resp": false
      }
    ],
    "updated_at": "2023-03-29T15:11:47.879874Z",
    "vpn_session_duration": 100
  }
}