aports/testing/docker-auth/reference-example.patch
Conrad Hoffmann 0901741476 testing/docker-auth: new aport
https://github.com/cesanta/docker_auth
Authentication server for Docker Registry 2
2023-04-05 21:52:28 +02:00


diff --git a/examples/reference.yml b/examples/reference.yml
index ce741d0..4adec43 100644
--- a/examples/reference.yml
+++ b/examples/reference.yml
@@ -10,452 +10,452 @@
# autoredirect: false
# rootcertbundle: "/path/to/server.pem"
-server: # Server settings.
- # Address to listen on.
- # Can be HOST:PORT for TCP or file path (e.g. /run/docker_auth.sock) for Unix socket.
- addr: ":5001"
-
- # Network, can be "tcp" or "unix" ("tcp" if unspecified).
- net: "tcp"
-
- # URL path prefix to use.
- path_prefix: ""
-
- # TLS options.
- #
- # Use specific certificate and key.
- certificate: "/path/to/server.pem"
- key: "/path/to/server.key"
- #
- # The following optional settings will fine tune TLS configuration to improve security.
- # Leaving them unset should be just fine for most installations.
- #
- # Enable HTTP Strict Transport Security.
- # hsts: true
- #
- # Set minimum TLS version.
- # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
- # Either the version name (i.e. TLS11) or its uint16 value can be specified.
- # tls_min_version: TLS12
- #
- # List of TLS curve preferences.
- # Values can be found at https://golang.org/pkg/crypto/tls/#CurveID
- # Either CurveID names (i.e. P384) or uint16 values can be specified.
- # tls_curve_preferences:
- # - P521
- # - 24
- # - P256
- #
- # List of enabled TLS cipher suites.
- # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
- # Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified.
- # tls_cipher_suites:
- # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- # - 0xc014
- # - 0xc00a
-
- # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate.
- # Note that this only applies to server TLS certificate, this certificate will not be used for tokens
- letsencrypt:
- # Email is required. It will be used to register with LetsEncrypt.
- email: webmaster@example.org
- # Cache directory, where certificates issued by LE will be stored. Must exist.
- # It is recommended to make it a volume mount so it persists across restarts.
- cache_dir: /data/sslcache
- # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to.
- # With this option, you can limit it to a specific host name.
- # host: "docker.example.org"
- # If neither certificate+key or letsencrypt are configured, the listener does not use TLS.
-
- # Take client's address from the specified HTTP header instead of connection.
- # May be useful if the server is behind a proxy or load balancer.
- # If configured, this header must be present, requests without it will be rejected.
- # real_ip_header: "X-Forwarded-For"
- # Optional position of client ip in X-Forwarded-For, negative starts from
- # end of addresses.
- # real_ip_pos: -2
-
-token: # Settings for the tokens.
- issuer: "Acme auth server" # Must match issuer in the Registry config.
- expiration: 900
- # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain
- # can be constructed from one of the certificates in registry's auth.token.rootcertbundle.
- # If not specified, server's TLS certificate and key are used.
- # certificate: "..."
- # key: "..."
-
-# Authentication methods. All are tried, any one returning success is sufficient.
-# At least one must be configured. If you want an unauthenticated public setup,
-# configure static user map with anonymous access.
-
-# Static user map.
-users:
- # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
- "admin":
- password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
- "test":
- password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123
- "": {} # Allow anonymous (no "docker login") access.
-
-# Google authentication.
-# ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK.
-# Instead, Auth server maintains a database of Google authentication tokens.
-# Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link.
-# Once signed in, you will get a throw-away password which you can use for Docker login.
-google_auth:
- domain: "example.com" # Optional. If set, only logins from this domain are accepted.
- # client_id and client_secret for API access. Required.
- # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project
- # NB: Make sure JavaScript origins are configured correctly, and that third-party
- # cookies are not blocked in the browser being used to login.
- client_id: "1223123456-somethingsomething.apps.googleusercontent.com"
- # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
- # want to have sensitive information checked in.
- # client_secret: "verysecret"
- client_secret_file: "/path/to/client_secret.txt"
- # Where to store server tokens. Required.
- token_db: "/somewhere/to/put/google_tokens.ldb"
- # How long to wait when talking to Google servers. Optional.
- http_timeout: 10
-
-# GitHub authentication.
-# ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK.
-# Instead, Auth server maintains a database of GitHub authentication tokens.
-# Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link.
-# Once signed in, you will get a throw-away password which you can use for Docker login.
-github_auth:
- organization: "acme" # Optional. If set, only logins from this organization are accepted.
- # client_id and client_secret for API access. Required.
- # You can register a new application here: https://github.com/settings/developers
- # NB: Make sure JavaScript origins are configured correctly, and that third-party
- # cookies are not blocked in the browser being used to login.
- client_id: "1223123456"
- # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
- # want to have sensitive information checked in.
- # client_secret: "verysecret"
- client_secret_file: "/path/to/client_secret.txt"
- # Either token_db file for storing of server tokens.
- token_db: "/somewhere/to/put/github_tokens.ldb"
- # or google cloud storage for storing of the sensitive information,
- gcs_token_db:
- bucket: "tokenBucket"
- client_secret_file: "/path/to/client_secret.json"
- # or Redis,
- redis_token_db:
- redis_options:
- # with a single instance,
- addr: localhost:6379
- redis_cluster_options:
- # or in the cluster mode.
- addrs: ["localhost:7000"]
- # How long to wait when talking to GitHub servers. Optional.
- http_timeout: "10s"
- # How long to wait before revalidating the GitHub token. Optional.
- revalidate_after: "1h"
- # The Github Web URI in case you are using Github Enterprise.
- # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com
- github_web_uri: "https://github.acme.com"
- # The Github API URI in case you are using Github Enterprise.
- # Includes the protocol, without trailing slash. - defaults to: https://api.github.com
- github_api_uri: "https://github.acme.com/api/v3"
- # Set an URL to display in the `docker login` command when succesfully authenticated. Optional.
- registry_url: localhost:5000
-
-# OpenID Connect authentication
-# ==! NB: DO NOT ENTER YOUR OIDC PASSWORD AT "docker login". IT WILL NOT WORK.
-# Instead, Auth server maintains a database of OIDC authentication tokens.
-# Go to the server's port as HTTPS with your browser and follow the "Login with OIDC account" link.
-# Once signed in, you will get a throw-away password which you can use for Docker login.
-oidc_auth:
- # --- required ---
- # The issuer URL of your OIDC provider. It has to be extendable with /.well-known/openid-configuration to request all
- # OIDC endpoints for token and authorization requests
- issuer: "my_issuer_url"
- # The redirect URI which is registered for this client at your OIDC provider. It has to end with /oidc_auth.
- redirect_url: "my_redirect_uri/oidc_auth"
- # The client id and client secret of the client that is registered at your OIDC provider for docker_auth
- client_id: "be4ut1fu1-cl13n7-1d"
- client_secret: "be4ut1fu1-cl13n7-s3cr37"
- # you can also give the client_secret in a file. Either a client_secret or a client_secret_file has to be provided
- # client_secret_file: "/path/to/client_secret.txt"
- #
- # a file in which the tokens should be stored. Does not have to exist, it will be generated in this case
- token_db: "/path/to/tokens.ldb"
- # --- optional ---
- # How long to wait when talking to the OIDC provider.
- http_timeout: 10
- # the url of the registry where you want to login. Is used to present the full docker login command.
- registry_url: "url_of_my_beautiful_docker_registry"
- # The claim to use for the username.
- # Default: email
- user_claim: email
- # String array claims that will be used as labels.
- label_claims:
- - groups
- # Default: [openid, email]
- scopes:
- - openid
- - email
-
-
-# Gitlab authentication.
-# ==! NB: DO NOT ENTER YOUR Gitlab PASSWORD AT "docker login". IT WILL NOT WORK.
-# Instead, Auth server maintains a database of Gitlab authentication tokens.
-# Go to the server's port as HTTPS with your browser and follow the "Login with Gitlab account" link.
-# Once signed in, you will get a throw-away password which you can use for Docker login.
-gitlab_auth:
- client_id: "1223123456"
- # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
- # want to have sensitive information checked in.
- # client_secret: "verysecret"
- client_secret_file: "/path/to/client_secret.txt"
- # Either token_db file for storing of server tokens.
- token_db: "/somewhere/to/put/gitlab_tokens.ldb"
- # or google cloud storage for storing of the sensitive information,
- gcs_token_db:
- bucket: "tokenBucket"
- client_secret_file: "/path/to/client_secret.json"
- # or Redis,
- redis_token_db:
- redis_options:
- # with a single instance,
- addr: localhost:6379
- redis_cluster_options:
- # or in the cluster mode.
- addrs: ["localhost:7000"]
- # How long to wait when talking to GitLab servers. Optional.
- http_timeout: "10s"
- # How long to wait before revalidating the Gitlab token. Optional.
- revalidate_after: "1h"
- # Includes the protocol, without trailing slash. Optional - defaults to: https://gitlab.com
- gitlab_web_uri: "https://gitlab.com"
- # Includes the protocol, without trailing slash. - defaults to: https://gitlab.com/api/v4
- gitlab_api_uri: "https://gitlab.com/api/v4"
- # Set an URL to display in the `docker login` command when successfully authenticated. Optional.
- registry_url: localhost:5000
- # grant_type is used for the authentication purpose. Required.
- grant_type: "authorization_code"
- # Redirect uri is used for the authentication purpose. Must end with '/gitlab_auth' prefix. Required.
- redirect_uri: "https://localhost:5001/gitlab_auth"
-
-# LDAP authentication.
-# Authentication is performed by first binding to the server, looking up the user entry
-# by using the specified filter, and then re-binding using the matched DN and the password provided.
-ldap_auth:
- # Addr is the hostname:port or ip:port
- addr: ldap.example.com:636
- # Setup tls connection method to be
- # "" or "none": the communication won't be encrypted
- # "always": setup LDAP over SSL/TLS
- # "starttls": sets StartTLS as the encryption method
- tls: always
- # set to true to allow insecure tls
- insecure_tls_skip_verify: false
- # set this to specify the ca certificate path
- ca_certificate:
- # In case bind DN and password is required for querying user information,
- # specify them here. Plain text password is read from the file.
- bind_dn:
- bind_password_file:
- # User query settings. ${account} is expanded from auth request
- base: o=example.com
- filter: (&(uid=${account})(objectClass=person))
- # Labels can be mapped from LDAP attributes
- labels:
- # Add the user's title to a label called title
- title:
- attribute: title
- # Add the user's memberOf values to a label called groups
- groups:
- attribute: memberOf
- # Special handling to simplify the values to just the common name
- parse_cn: true
- # lower case the value
- lower_case: true
-
-mongo_auth:
- # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
- dial_info:
- # The MongoDB hostnames or IPs to connect to.
- addrs: ["localhost"]
- # The time to wait for a server to respond when first connecting and on
- # follow up operations in the session. If timeout is zero, the call may
- # block forever waiting for a connection to be established.
- # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
- timeout: "10s"
- # Database name that will be used on the MongoDB server.
- database: "docker_auth"
- # The username with which to connect to the MongoDB server.
- username: ""
- # Path to the text file with the password in it.
- password_file: ""
- # Enable TLS connection to MongoDB (only enable this if your server supports it)
- enable_tls: false
- # Name of the collection in which ACLs will be stored in MongoDB.
- collection: "users"
- # Unlike acl_mongo we don't cache the full user set. We just query mongo for
- # an exact match for each authorization
-
-xorm_auth:
- # the database type you'd like to connect to
- database_type: "mysql"
- # the connection string to connect to the database
- conn_string: "username:password@/database_name?charset=utf8"
-
-# External authentication - call an external progam to authenticate user.
-# Username and password are passed to command's stdin and exit code is examined.
-# 0 - allow, 1 - deny, 2 - no match, other - error.
-# In case of success, if any output is returned, it is parsed as a JSON object.
-# The "labels" key may contain labels to be passed down to authz, where they can
-# be used in matching. See ext_auth.sh for an example.
-ext_auth:
- command: "/usr/local/bin/my_auth" # Can be a relative path too; $PATH works.
- args: ["--flag", "--more", "--flags"]
-
-# User written authentication plugin - call a user written program to authenticate user.
-# Username of type string and password of authn.PasswordString is passed to the plugin
-# Expects a boolean value whether the user is authenticate or not, authn.Labels, error
-# The "labels" key may contain labels to be passed down to authz, where they can
-# be used in matching.
-plugin_authn:
- plugin_path: ""
-
-# Authorization methods. All are tried, any one returning success is sufficient.
-# At least one must be configured.
-
-# ACL specifies who can do what. If the match section of an entry matches the
-# request, the set of allowed actions will be applied to the token request
-# and a ticket will be issued only for those of the requested actions that are
-# allowed by the rule.
-# * It is possible to match on user's name ("account"), subject type ("type")
-# and name ("name"; for type=repository this is the image name).
-# * Matches are evaluated as shell file name patterns ("globs") by default,
-# so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility
-# match patterns can be evaluated as regexes by enclosing them in //, e.g.
-# "/(foo|bar)/".
-# * IP match can be single IP address or a subnet in the "prefix/mask" notation.
-# * ACL is evaluated in the order it is defined until a match is found.
-# Rules below the first match are not evaluated, so you'll need to put more
-# specific rules above more broad ones.
-# * Empty match clause matches anything, it only makes sense at the end of the
-# list and can be used as a way of specifying default permissions.
-# * Empty actions set means "deny everything". Thus, a rule with `actions: []`
-# is in effect a "deny" rule.
-# * A special set consisting of a single "*" action means "allow everything".
-# * If no match is found the default is to deny the request.
+#server: # Server settings.
+# # Address to listen on.
+# # Can be HOST:PORT for TCP or file path (e.g. /run/docker_auth.sock) for Unix socket.
+# addr: ":5001"
+#
+# # Network, can be "tcp" or "unix" ("tcp" if unspecified).
+# net: "tcp"
+#
+# # URL path prefix to use.
+# path_prefix: ""
+#
+# # TLS options.
+# #
+# # Use specific certificate and key.
+# certificate: "/path/to/server.pem"
+# key: "/path/to/server.key"
+# #
+# # The following optional settings will fine tune TLS configuration to improve security.
+# # Leaving them unset should be just fine for most installations.
+# #
+# # Enable HTTP Strict Transport Security.
+# # hsts: true
+# #
+# # Set minimum TLS version.
+# # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
+# # Either the version name (i.e. TLS11) or its uint16 value can be specified.
+# # tls_min_version: TLS12
+# #
+# # List of TLS curve preferences.
+# # Values can be found at https://golang.org/pkg/crypto/tls/#CurveID
+# # Either CurveID names (i.e. P384) or uint16 values can be specified.
+# # tls_curve_preferences:
+# # - P521
+# # - 24
+# # - P256
+# #
+# # List of enabled TLS cipher suites.
+# # Values can be found at https://golang.org/pkg/crypto/tls/#pkg-constants
+# # Either CipherSuite names (i.e. TLS_RSA_WITH_RC4_128_SHA) or uint16 values can be specified.
+# # tls_cipher_suites:
+# # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+# # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+# # - 0xc014
+# # - 0xc00a
+#
+# # Use LetsEncrypt (https://letsencrypt.org/) to automatically obtain and maintain a certificate.
+# # Note that this only applies to server TLS certificate, this certificate will not be used for tokens
+# letsencrypt:
+# # Email is required. It will be used to register with LetsEncrypt.
+# email: webmaster@example.org
+# # Cache directory, where certificates issued by LE will be stored. Must exist.
+# # It is recommended to make it a volume mount so it persists across restarts.
+# cache_dir: /data/sslcache
+# # Normally LetsEncrypt will obtain a certificate for whichever host the client is connecting to.
+# # With this option, you can limit it to a specific host name.
+# # host: "docker.example.org"
+# # If neither certificate+key or letsencrypt are configured, the listener does not use TLS.
+#
+# # Take client's address from the specified HTTP header instead of connection.
+# # May be useful if the server is behind a proxy or load balancer.
+# # If configured, this header must be present, requests without it will be rejected.
+# # real_ip_header: "X-Forwarded-For"
+# # Optional position of client ip in X-Forwarded-For, negative starts from
+# # end of addresses.
+# # real_ip_pos: -2
+#
+#token: # Settings for the tokens.
+# issuer: "Acme auth server" # Must match issuer in the Registry config.
+# expiration: 900
+# # Token must be signed by a certificate that registry trusts, i.e. by a certificate to which a trust chain
+# # can be constructed from one of the certificates in registry's auth.token.rootcertbundle.
+# # If not specified, server's TLS certificate and key are used.
+# # certificate: "..."
+# # key: "..."
+#
+## Authentication methods. All are tried, any one returning success is sufficient.
+## At least one must be configured. If you want an unauthenticated public setup,
+## configure static user map with anonymous access.
+#
+## Static user map.
+#users:
+# # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
+# "admin":
+# password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
+# "test":
+# password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123
+# "": {} # Allow anonymous (no "docker login") access.
+#
+## Google authentication.
+## ==! NB: DO NOT ENTER YOUR GOOGLE PASSWORD AT "docker login". IT WILL NOT WORK.
+## Instead, Auth server maintains a database of Google authentication tokens.
+## Go to the server's port as HTTPS with your browser and follow the "Login with Google account" link.
+## Once signed in, you will get a throw-away password which you can use for Docker login.
+#google_auth:
+# domain: "example.com" # Optional. If set, only logins from this domain are accepted.
+# # client_id and client_secret for API access. Required.
+# # Follow instructions here: https://developers.google.com/identity/sign-in/web/devconsole-project
+# # NB: Make sure JavaScript origins are configured correctly, and that third-party
+# # cookies are not blocked in the browser being used to login.
+# client_id: "1223123456-somethingsomething.apps.googleusercontent.com"
+# # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
+# # want to have sensitive information checked in.
+# # client_secret: "verysecret"
+# client_secret_file: "/path/to/client_secret.txt"
+# # Where to store server tokens. Required.
+# token_db: "/somewhere/to/put/google_tokens.ldb"
+# # How long to wait when talking to Google servers. Optional.
+# http_timeout: 10
+#
+## GitHub authentication.
+## ==! NB: DO NOT ENTER YOUR GITHUB PASSWORD AT "docker login". IT WILL NOT WORK.
+## Instead, Auth server maintains a database of GitHub authentication tokens.
+## Go to the server's port as HTTPS with your browser and follow the "Login with GitHub account" link.
+## Once signed in, you will get a throw-away password which you can use for Docker login.
+#github_auth:
+# organization: "acme" # Optional. If set, only logins from this organization are accepted.
+# # client_id and client_secret for API access. Required.
+# # You can register a new application here: https://github.com/settings/developers
+# # NB: Make sure JavaScript origins are configured correctly, and that third-party
+# # cookies are not blocked in the browser being used to login.
+# client_id: "1223123456"
+# # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
+# # want to have sensitive information checked in.
+# # client_secret: "verysecret"
+# client_secret_file: "/path/to/client_secret.txt"
+# # Either token_db file for storing of server tokens.
+# token_db: "/somewhere/to/put/github_tokens.ldb"
+# # or google cloud storage for storing of the sensitive information,
+# gcs_token_db:
+# bucket: "tokenBucket"
+# client_secret_file: "/path/to/client_secret.json"
+# # or Redis,
+# redis_token_db:
+# redis_options:
+# # with a single instance,
+# addr: localhost:6379
+# redis_cluster_options:
+# # or in the cluster mode.
+# addrs: ["localhost:7000"]
+# # How long to wait when talking to GitHub servers. Optional.
+# http_timeout: "10s"
+# # How long to wait before revalidating the GitHub token. Optional.
+# revalidate_after: "1h"
+# # The Github Web URI in case you are using Github Enterprise.
+# # Includes the protocol, without trailing slash. Optional - defaults to: https://github.com
+# github_web_uri: "https://github.acme.com"
+# # The Github API URI in case you are using Github Enterprise.
+# # Includes the protocol, without trailing slash. - defaults to: https://api.github.com
+# github_api_uri: "https://github.acme.com/api/v3"
+# # Set an URL to display in the `docker login` command when succesfully authenticated. Optional.
+# registry_url: localhost:5000
+#
+## OpenID Connect authentication
+## ==! NB: DO NOT ENTER YOUR OIDC PASSWORD AT "docker login". IT WILL NOT WORK.
+## Instead, Auth server maintains a database of OIDC authentication tokens.
+## Go to the server's port as HTTPS with your browser and follow the "Login with OIDC account" link.
+## Once signed in, you will get a throw-away password which you can use for Docker login.
+#oidc_auth:
+# # --- required ---
+# # The issuer URL of your OIDC provider. It has to be extendable with /.well-known/openid-configuration to request all
+# # OIDC endpoints for token and authorization requests
+# issuer: "my_issuer_url"
+# # The redirect URI which is registered for this client at your OIDC provider. It has to end with /oidc_auth.
+# redirect_url: "my_redirect_uri/oidc_auth"
+# # The client id and client secret of the client that is registered at your OIDC provider for docker_auth
+# client_id: "be4ut1fu1-cl13n7-1d"
+# client_secret: "be4ut1fu1-cl13n7-s3cr37"
+# # you can also give the client_secret in a file. Either a client_secret or a client_secret_file has to be provided
+# # client_secret_file: "/path/to/client_secret.txt"
+# #
+# # a file in which the tokens should be stored. Does not have to exist, it will be generated in this case
+# token_db: "/path/to/tokens.ldb"
+# # --- optional ---
+# # How long to wait when talking to the OIDC provider.
+# http_timeout: 10
+# # the url of the registry where you want to login. Is used to present the full docker login command.
+# registry_url: "url_of_my_beautiful_docker_registry"
+# # The claim to use for the username.
+# # Default: email
+# user_claim: email
+# # String array claims that will be used as labels.
+# label_claims:
+# - groups
+# # Default: [openid, email]
+# scopes:
+# - openid
+# - email
+#
+#
+## Gitlab authentication.
+## ==! NB: DO NOT ENTER YOUR Gitlab PASSWORD AT "docker login". IT WILL NOT WORK.
+## Instead, Auth server maintains a database of Gitlab authentication tokens.
+## Go to the server's port as HTTPS with your browser and follow the "Login with Gitlab account" link.
+## Once signed in, you will get a throw-away password which you can use for Docker login.
+#gitlab_auth:
+# client_id: "1223123456"
+# # Either client_secret or client_secret_file is required. Use client_secret_file if you don't
+# # want to have sensitive information checked in.
+# # client_secret: "verysecret"
+# client_secret_file: "/path/to/client_secret.txt"
+# # Either token_db file for storing of server tokens.
+# token_db: "/somewhere/to/put/gitlab_tokens.ldb"
+# # or google cloud storage for storing of the sensitive information,
+# gcs_token_db:
+# bucket: "tokenBucket"
+# client_secret_file: "/path/to/client_secret.json"
+# # or Redis,
+# redis_token_db:
+# redis_options:
+# # with a single instance,
+# addr: localhost:6379
+# redis_cluster_options:
+# # or in the cluster mode.
+# addrs: ["localhost:7000"]
+# # How long to wait when talking to GitLab servers. Optional.
+# http_timeout: "10s"
+# # How long to wait before revalidating the Gitlab token. Optional.
+# revalidate_after: "1h"
+# # Includes the protocol, without trailing slash. Optional - defaults to: https://gitlab.com
+# gitlab_web_uri: "https://gitlab.com"
+# # Includes the protocol, without trailing slash. - defaults to: https://gitlab.com/api/v4
+# gitlab_api_uri: "https://gitlab.com/api/v4"
+# # Set an URL to display in the `docker login` command when successfully authenticated. Optional.
+# registry_url: localhost:5000
+# # grant_type is used for the authentication purpose. Required.
+# grant_type: "authorization_code"
+# # Redirect uri is used for the authentication purpose. Must end with '/gitlab_auth' prefix. Required.
+# redirect_uri: "https://localhost:5001/gitlab_auth"
+#
+## LDAP authentication.
+## Authentication is performed by first binding to the server, looking up the user entry
+## by using the specified filter, and then re-binding using the matched DN and the password provided.
+#ldap_auth:
+# # Addr is the hostname:port or ip:port
+# addr: ldap.example.com:636
+# # Setup tls connection method to be
+# # "" or "none": the communication won't be encrypted
+# # "always": setup LDAP over SSL/TLS
+# # "starttls": sets StartTLS as the encryption method
+# tls: always
+# # set to true to allow insecure tls
+# insecure_tls_skip_verify: false
+# # set this to specify the ca certificate path
+# ca_certificate:
+# # In case bind DN and password is required for querying user information,
+# # specify them here. Plain text password is read from the file.
+# bind_dn:
+# bind_password_file:
+# # User query settings. ${account} is expanded from auth request
+# base: o=example.com
+# filter: (&(uid=${account})(objectClass=person))
+# # Labels can be mapped from LDAP attributes
+# labels:
+# # Add the user's title to a label called title
+# title:
+# attribute: title
+# # Add the user's memberOf values to a label called groups
+# groups:
+# attribute: memberOf
+# # Special handling to simplify the values to just the common name
+# parse_cn: true
+# # lower case the value
+# lower_case: true
+#
+#mongo_auth:
+# # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
+# dial_info:
+# # The MongoDB hostnames or IPs to connect to.
+# addrs: ["localhost"]
+# # The time to wait for a server to respond when first connecting and on
+# # follow up operations in the session. If timeout is zero, the call may
+# # block forever waiting for a connection to be established.
+# # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
+# timeout: "10s"
+# # Database name that will be used on the MongoDB server.
+# database: "docker_auth"
+# # The username with which to connect to the MongoDB server.
+# username: ""
+# # Path to the text file with the password in it.
+# password_file: ""
+# # Enable TLS connection to MongoDB (only enable this if your server supports it)
+# enable_tls: false
+# # Name of the collection in which ACLs will be stored in MongoDB.
+# collection: "users"
+# # Unlike acl_mongo we don't cache the full user set. We just query mongo for
+# # an exact match for each authorization
+#
+#xorm_auth:
+# # the database type you'd like to connect to
+# database_type: "mysql"
+# # the connection string to connect to the database
+# conn_string: "username:password@/database_name?charset=utf8"
+#
+## External authentication - call an external progam to authenticate user.
+## Username and password are passed to command's stdin and exit code is examined.
+## 0 - allow, 1 - deny, 2 - no match, other - error.
+## In case of success, if any output is returned, it is parsed as a JSON object.
+## The "labels" key may contain labels to be passed down to authz, where they can
+## be used in matching. See ext_auth.sh for an example.
+#ext_auth:
+# command: "/usr/local/bin/my_auth" # Can be a relative path too; $PATH works.
+# args: ["--flag", "--more", "--flags"]
+#
+## User written authentication plugin - call a user written program to authenticate user.
+## Username of type string and password of authn.PasswordString is passed to the plugin
+## Expects a boolean value whether the user is authenticate or not, authn.Labels, error
+## The "labels" key may contain labels to be passed down to authz, where they can
+## be used in matching.
+#plugin_authn:
+# plugin_path: ""
+#
+## Authorization methods. All are tried, any one returning success is sufficient.
+## At least one must be configured.
+#
+## ACL specifies who can do what. If the match section of an entry matches the
+## request, the set of allowed actions will be applied to the token request
+## and a ticket will be issued only for those of the requested actions that are
+## allowed by the rule.
+## * It is possible to match on user's name ("account"), subject type ("type")
+## and name ("name"; for type=repository this is the image name).
+## * Matches are evaluated as shell file name patterns ("globs") by default,
+## so "foobar", "f??bar", "f*bar" are all valid. For even more flexibility
+## match patterns can be evaluated as regexes by enclosing them in //, e.g.
+## "/(foo|bar)/".
+## * IP match can be single IP address or a subnet in the "prefix/mask" notation.
+## * ACL is evaluated in the order it is defined until a match is found.
+## Rules below the first match are not evaluated, so you'll need to put more
+## specific rules above more broad ones.
+## * Empty match clause matches anything, it only makes sense at the end of the
+## list and can be used as a way of specifying default permissions.
+## * Empty actions set means "deny everything". Thus, a rule with `actions: []`
+## is in effect a "deny" rule.
+## * A special set consisting of a single "*" action means "allow everything".
+## * If no match is found the default is to deny the request.
+##
+## You can use the following variables from the ticket request in any field:
+## * ${account} - the account name, currently the same as authenticated user's name.
+## * ${service} - the service name, specified by auth.token.service in the registry config.
+## * ${type} - the type of the entity, normally "repository".
+## * ${name} - the name of the repository (i.e. image), e.g. centos.
+## * ${labels:<LABEL>} - tests all values in the list of lables:<LABEL> for the user. Refer to the labels doc for details
+#acl:
+# - match: {ip: "127.0.0.0/8"}
+# actions: ["*"]
+# comment: "Allow everything from localhost (IPv4)"
+# - match: {ip: "::1"}
+# actions: ["*"]
+# comment: "Allow everything from localhost (IPv6)"
+# - match: {ip: "172.17.0.1"}
+# actions: ["*"]
+# comment: "Allow everything from the local Docker bridge address"
+# - match: {account: "admin"}
+# actions: ["*"]
+# comment: "Admin has full access to everything."
+# - match: {account: "test", name: "test-*"}
+# actions: ["*"]
+# comment: "User \"test\" has full access to test-* images but nothing else. (1)"
+# - match: {account: "test"}
+# actions: []
+# comment: "User \"test\" has full access to test-* images but nothing else. (2)"
+# - match: {account: "/.+/", name: "${account}/*"}
+# actions: ["*"]
+# comment: "Logged in users have full access to images that are in their 'namespace'"
+# - match: {account: "/.+/", type: "registry", name: "catalog"}
+# actions: ["*"]
+# comment: "Logged in users can query the catalog."
+# - match: {account: "/.+/"}
+# actions: ["pull"]
+# comment: "Logged in users can pull all images."
+# - match: {account: "", name: "hello-world"}
+# actions: ["pull"]
+# comment: "Anonymous users can pull \"hello-world\"."
+# - match: {account: "/^(.+)@test.com$/", name: "${account:1}/*"}
+# actions: []
+# comment: "Emit domain part of account to make it a correct repo name"
+# - match: {labels: {"group": "VIP"}}
+# actions: ["push"]
+# comment: "Users assigned to group 'VIP' is able to push"
+# - match: {labels: {"group": "/trainee|dev/"}}
+# actions: ["push", "pull"]
+# comment: "Users assigned to group 'trainee' and 'dev' is able to push and pull"
+# - match: {name: "${labels:group}-shared/*"}
+# actions: ["push", "pull"]
+# comment: "Users can push to the shared namespace of any group they are in"
+# - match: {name: "${labels:project}/*"}
+# actions: ["push", "pull"]
+# comment: "Users can push to any project they are assigned to"
+# - match: {name: "${labels:project}-{labels:tier}/*"}
+# actions: ["push", "pull"]
+# comment: "Users can push to a project-tier/* that they are assigned to"
+# - match: {labels: {"title": "Developer"}}
+# actions: ["*"]
+# comment: "If you call yourself a developer you can do anything (this ACL is an example for LDAP labels as defined above)"
+# - match: {labels: {"groups": "Admin"}}
+# actions: ["push"]
+# comment: "If you are part of the admin group you can push. (this ACL is an example for LDAP labels as defined above)"
+# # Access is denied by default.
+#
+## (optional) Define to query ACL from a MongoDB server.
+#acl_mongo:
+# # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
+# dial_info:
+# # The MongoDB hostnames or IPs to connect to.
+# addrs: ["localhost"]
+# # The time to wait for a server to respond when first connecting and on
+# # follow up operations in the session. If timeout is zero, the call may
+# # block forever waiting for a connection to be established.
+# # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
+# timeout: "10s"
+# # Database name that will be used on the MongoDB server.
+# database: "docker_auth"
+# # The username with which to connect to the MongoDB server.
+# username: ""
+# # Path to the text file with the password in it.
+# password_file: ""
+# # Enable TLS connection to MongoDB (only enable this if your server supports it)
+# enable_tls: false
+# # Name of the collection in which ACLs will be stored in MongoDB.
+# collection: "acl"
+# # Specify how long an ACL remains valid before they will be fetched again from
+# # the MongoDB server.
+# # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
+# cache_ttl: "1m"
+#
+## (optional) Define to query ACL from a XORM.io database connection.
+#acl_xorm:
+# # the database type you'd like to connect to
+# database_type: "mysql"
+# conn_string: "username:password@/database_name?charset=utf8"
+# cache_ttl: "1m"
+#
+## (optioinal) Use casbin to verify permission
+#casbin_authz:
+# model_path: "path/to/model"
+# policy_path: "path/to/csv"
+#
+## External authorization - call an external progam to authorize user.
+## JSON of authz.AuthRequestInfo is passed to command's stdin and exit code is examined.
+## 0 - allow, 1 - deny, other - error.
+#ext_authz:
+# command: "/usr/local/bin/my_authz" # Can be a relative path too; $PATH works.
+# args: ["--flag", "--more", "--flags"]
+#
+## User written authorization plugin - call a user written program to authorize user.
+## *authz.AuthRequestInfo is passed to the plugin and expects an authorized set of actions or an error.
+## return the set of authorized actions is the user is authorized. Otherwise return nil
+#plugin_authz:
+# plugin_path: ""
#
-# You can use the following variables from the ticket request in any field:
-# * ${account} - the account name, currently the same as authenticated user's name.
-# * ${service} - the service name, specified by auth.token.service in the registry config.
-# * ${type} - the type of the entity, normally "repository".
-# * ${name} - the name of the repository (i.e. image), e.g. centos.
-# * ${labels:<LABEL>} - tests all values in the list of lables:<LABEL> for the user. Refer to the labels doc for details
-acl:
- - match: {ip: "127.0.0.0/8"}
- actions: ["*"]
- comment: "Allow everything from localhost (IPv4)"
- - match: {ip: "::1"}
- actions: ["*"]
- comment: "Allow everything from localhost (IPv6)"
- - match: {ip: "172.17.0.1"}
- actions: ["*"]
- comment: "Allow everything from the local Docker bridge address"
- - match: {account: "admin"}
- actions: ["*"]
- comment: "Admin has full access to everything."
- - match: {account: "test", name: "test-*"}
- actions: ["*"]
- comment: "User \"test\" has full access to test-* images but nothing else. (1)"
- - match: {account: "test"}
- actions: []
- comment: "User \"test\" has full access to test-* images but nothing else. (2)"
- - match: {account: "/.+/", name: "${account}/*"}
- actions: ["*"]
- comment: "Logged in users have full access to images that are in their 'namespace'"
- - match: {account: "/.+/", type: "registry", name: "catalog"}
- actions: ["*"]
- comment: "Logged in users can query the catalog."
- - match: {account: "/.+/"}
- actions: ["pull"]
- comment: "Logged in users can pull all images."
- - match: {account: "", name: "hello-world"}
- actions: ["pull"]
- comment: "Anonymous users can pull \"hello-world\"."
- - match: {account: "/^(.+)@test.com$/", name: "${account:1}/*"}
- actions: []
- comment: "Emit domain part of account to make it a correct repo name"
- - match: {labels: {"group": "VIP"}}
- actions: ["push"]
- comment: "Users assigned to group 'VIP' is able to push"
- - match: {labels: {"group": "/trainee|dev/"}}
- actions: ["push", "pull"]
- comment: "Users assigned to group 'trainee' and 'dev' is able to push and pull"
- - match: {name: "${labels:group}-shared/*"}
- actions: ["push", "pull"]
- comment: "Users can push to the shared namespace of any group they are in"
- - match: {name: "${labels:project}/*"}
- actions: ["push", "pull"]
- comment: "Users can push to any project they are assigned to"
- - match: {name: "${labels:project}-{labels:tier}/*"}
- actions: ["push", "pull"]
- comment: "Users can push to a project-tier/* that they are assigned to"
- - match: {labels: {"title": "Developer"}}
- actions: ["*"]
- comment: "If you call yourself a developer you can do anything (this ACL is an example for LDAP labels as defined above)"
- - match: {labels: {"groups": "Admin"}}
- actions: ["push"]
- comment: "If you are part of the admin group you can push. (this ACL is an example for LDAP labels as defined above)"
- # Access is denied by default.
-
-# (optional) Define to query ACL from a MongoDB server.
-acl_mongo:
- # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
- dial_info:
- # The MongoDB hostnames or IPs to connect to.
- addrs: ["localhost"]
- # The time to wait for a server to respond when first connecting and on
- # follow up operations in the session. If timeout is zero, the call may
- # block forever waiting for a connection to be established.
- # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
- timeout: "10s"
- # Database name that will be used on the MongoDB server.
- database: "docker_auth"
- # The username with which to connect to the MongoDB server.
- username: ""
- # Path to the text file with the password in it.
- password_file: ""
- # Enable TLS connection to MongoDB (only enable this if your server supports it)
- enable_tls: false
- # Name of the collection in which ACLs will be stored in MongoDB.
- collection: "acl"
- # Specify how long an ACL remains valid before they will be fetched again from
- # the MongoDB server.
- # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
- cache_ttl: "1m"
-
-# (optional) Define to query ACL from a XORM.io database connection.
-acl_xorm:
- # the database type you'd like to connect to
- database_type: "mysql"
- conn_string: "username:password@/database_name?charset=utf8"
- cache_ttl: "1m"
-
-# (optioinal) Use casbin to verify permission
-casbin_authz:
- model_path: "path/to/model"
- policy_path: "path/to/csv"
-
-# External authorization - call an external progam to authorize user.
-# JSON of authz.AuthRequestInfo is passed to command's stdin and exit code is examined.
-# 0 - allow, 1 - deny, other - error.
-ext_authz:
- command: "/usr/local/bin/my_authz" # Can be a relative path too; $PATH works.
- args: ["--flag", "--more", "--flags"]
-
-# User written authorization plugin - call a user written program to authorize user.
-# *authz.AuthRequestInfo is passed to the plugin and expects an authorized set of actions or an error.
-# return the set of authorized actions is the user is authorized. Otherwise return nil
-plugin_authz:
- plugin_path: ""
-