fix(config): update docs for enforce dpop config and clean up markdow…

…n tables (#697)

Closes #696

docs/configuration.md

@@ -6,16 +6,16 @@ This guide provides details about the configuration setup for our application, i
 - [Server Configuration](#server-configuration)
 - [Database Configuration](#database-configuration)
 - [OPA Configuration](#opa-configuration)
--[Services Configuration](#services-configuration)
+- [Services Configuration](#services-configuration)
 
 ## Logger Configuration
 
 The logger configuration is used to define how the application logs its output.
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `level` | The logging level. | `info` |
-| `type` | The format of the log output. | `json` |
+| Field    | Description                      | Default  |
+| -------- | -------------------------------- | -------- |
+| `level`  | The logging level.               | `info`   |
+| `type`   | The format of the log output.    | `json`   |
 | `output` | The output destination for logs. | `stdout` |
 
 Example:
@@ -31,17 +31,17 @@ logger:
 
 The server configuration is used to define how the application runs its server.
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `port` | The port number for the server. | `9000` |
-| `host` | The host address for the server. | `""` |
-| `grpc.reflection` | The configuration for the grpc server. | `true` |
-| `tls.enabled` | Enable tls. | `false` |
-| `tls.cert` | The path to the tls certificate. | |
-| `tls.key` | The path to the tls key. | |
-| `auth.audience` | The audience for the IDP. | |
-| `auth.issuer` | The issuer for the IDP. | |
-| `auth.enforceDPoP` | If false, we allow access tokens that do not have DPoP bindings. | `true` |
+| Field              | Description                                           | Default |
+| ------------------ | ----------------------------------------------------- | ------- |
+| `port`             | The port number for the server.                       | `9000`  |
+| `host`             | The host address for the server.                      | `""`    |
+| `grpc.reflection`  | The configuration for the grpc server.                | `true`  |
+| `tls.enabled`      | Enable tls.                                           | `false` |
+| `tls.cert`         | The path to the tls certificate.                      |         |
+| `tls.key`          | The path to the tls key.                              |         |
+| `auth.audience`    | The audience for the IDP.                             |         |
+| `auth.issuer`      | The issuer for the IDP.                               |         |
+| `auth.enforceDPoP` | If true, DPoP bindings on Access Tokens are enforced. | `false` |
 
 Example:
 
@@ -64,16 +64,16 @@ server:
 
 The database configuration is used to define how the application connects to its database.
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `host` | The host address for the database. | `localhost` |
-| `port` | The port number for the database. | `5432` |
-| `database` | The name of the database. | `opentdf` |
-| `user` | The username for the database. | `postgres` |
-| `password` | The password for the database. | `changeme` |
-| `sslmode` | The ssl mode for the database | `prefer` |
-| `schema` | The schema for the database. | `opentdf` |
-| `runMigration` | Whether to run the database migration or not. | `true` |
+| Field          | Description                                   | Default     |
+| -------------- | --------------------------------------------- | ----------- |
+| `host`         | The host address for the database.            | `localhost` |
+| `port`         | The port number for the database.             | `5432`      |
+| `database`     | The name of the database.                     | `opentdf`   |
+| `user`         | The username for the database.                | `postgres`  |
+| `password`     | The password for the database.                | `changeme`  |
+| `sslmode`      | The ssl mode for the database                 | `prefer`    |
+| `schema`       | The schema for the database.                  | `opentdf`   |
+| `runMigration` | Whether to run the database migration or not. | `true`      |
 
 Example:
 
@@ -91,10 +91,10 @@ db:
 
 ## OPA Configuration
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `embedded` | Whether to use the embedded OPA Bundle server or not. This is only used for local development. | `false` |
-| `path` | The path to the OPA configuration file. | `./opa/opa.yaml` |
+| Field      | Description                                                                                    | Default          |
+| ---------- | ---------------------------------------------------------------------------------------------- | ---------------- |
+| `embedded` | Whether to use the embedded OPA Bundle server or not. This is only used for local development. | `false`          |
+| `path`     | The path to the OPA configuration file.                                                        | `./opa/opa.yaml` |
 
 Example:
 
@@ -108,9 +108,9 @@ opa:
 
 ### Key Access Server (KAS)
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `enabled` | Enable the Key Access Server | `true` |
+| Field     | Description                  | Default |
+| --------- | ---------------------------- | ------- |
+| `enabled` | Enable the Key Access Server | `true`  |
 
 Example:
 
@@ -122,9 +122,9 @@ services:
 
 ### Policy
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `enabled` | Enable the Policy Service | `true` |
+| Field     | Description               | Default |
+| --------- | ------------------------- | ------- |
+| `enabled` | Enable the Policy Service | `true`  |
 
 Example:
 
@@ -136,6 +136,6 @@ services:
 
 ### Authorization
 
-| Field | Description | Default |
-| --- | --- | --- |
-| `enabled` | Enable the Authorization
+| Field     | Description              | Default |
+| --------- | ------------------------ | ------- |
+| `enabled` | Enable the Authorization |

opentdf-dev.yaml

@@ -23,6 +23,7 @@ services:
 server:
   auth:
     enabled: true
+    enforceDPoP: false
     audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:

opentdf-example-no-kas.yaml

@@ -16,6 +16,7 @@ services:
 server:
   auth:
     enabled: false
+    enforceDPoP: false
     audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/tdf
   grpc:

opentdf-example.yaml

@@ -23,6 +23,7 @@ services:
 server:
   auth:
     enabled: true
+    enforceDPoP: false
     audience: "http://localhost:8080"
     issuer: http://keycloak:8888/auth/realms/opentdf
     policy:

opentdf-with-hsm.yaml

@@ -23,6 +23,7 @@ services:
 server:
   auth:
     enabled: true
+    enforceDPoP: false
     audience: "http://localhost:8080"
     issuer:  http://localhost:8888/auth/realms/opentdf
     clients:

service/internal/auth/config.go

@@ -1,6 +1,9 @@
 package auth
 
-import "fmt"
+import (
+	"fmt"
+	"log/slog"
+)
 
 // AuthConfig pulls AuthN and AuthZ together
 type Config struct {
@@ -11,7 +14,7 @@ type Config struct {
 
 // AuthNConfig is the configuration need for the platform to validate tokens
 type AuthNConfig struct {
-	EnforceDPoP       bool   `yaml:"enforceDPoP" json:"enforceDPoP" default:"true"`
+	EnforceDPoP       bool   `yaml:"enforceDPoP" json:"enforceDPoP" mapstructure:"enforceDPoP" default:"false"`
 	Issuer            string `yaml:"issuer" json:"issuer"`
 	Audience          string `yaml:"audience" json:"audience"`
 	OIDCConfiguration `yaml:"-" json:"-"`
@@ -36,5 +39,9 @@ func (c AuthNConfig) validateAuthNConfig() error {
 		return fmt.Errorf("config Auth.Audience is required")
 	}
 
+	if !c.EnforceDPoP {
+		slog.Warn("config Auth.EnforceDPoP is false. DPoP will not be enforced.")
+	}
+
 	return nil
 }