use official upstream yaml library v3

2025-02-09 17:23:03 +01:00 · 2025-02-09 17:23:03 +01:00 · 37019fc4cc
parent 11f1b9eacd
commit 37019fc4cc
16 changed files with 246 additions and 315 deletions
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@ -148,7 +148,7 @@ You must remove these options before starting OAuth2 Proxy with `--alpha-config`

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `skipScope` | _bool_ | Skip adding the scope parameter in login request<br/>Default value is 'false' |
+| `SkipScope` | _bool_ | Skip adding the scope parameter in login request<br/>Default value is 'false' |

 ### AlphaOptions

@ -163,12 +163,12 @@ They may change between releases without notice.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `upstreamConfig` | _[UpstreamConfig](#upstreamconfig)_ | UpstreamConfig is used to configure upstream servers.<br/>Once a user is authenticated, requests to the server will be proxied to<br/>these upstream servers based on the path mappings defined in this list. |
-| `injectRequestHeaders` | _[[]Header](#header)_ | InjectRequestHeaders is used to configure headers that should be added<br/>to requests to upstream servers.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
-| `injectResponseHeaders` | _[[]Header](#header)_ | InjectResponseHeaders is used to configure headers that should be added<br/>to responses from the proxy.<br/>This is typically used when using the proxy as an external authentication<br/>provider in conjunction with another proxy such as NGINX and its<br/>auth_request module.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
-| `server` | _[Server](#server)_ | Server is used to configure the HTTP(S) server for the proxy application.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
-| `metricsServer` | _[Server](#server)_ | MetricsServer is used to configure the HTTP(S) server for metrics.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
-| `providers` | _[Providers](#providers)_ | Providers is used to configure your provider. **Multiple-providers is not<br/>yet working.** [This feature is tracked in<br/>#925](https://github.com/oauth2-proxy/oauth2-proxy/issues/926) |
+| `UpstreamConfig` | _[UpstreamConfig](#upstreamconfig)_ | UpstreamConfig is used to configure upstream servers.<br/>Once a user is authenticated, requests to the server will be proxied to<br/>these upstream servers based on the path mappings defined in this list. |
+| `InjectRequestHeaders` | _[[]Header](#header)_ | InjectRequestHeaders is used to configure headers that should be added<br/>to requests to upstream servers.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
+| `InjectResponseHeaders` | _[[]Header](#header)_ | InjectResponseHeaders is used to configure headers that should be added<br/>to responses from the proxy.<br/>This is typically used when using the proxy as an external authentication<br/>provider in conjunction with another proxy such as NGINX and its<br/>auth_request module.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
+| `Server` | _[Server](#server)_ | Server is used to configure the HTTP(S) server for the proxy application.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
+| `MetricsServer` | _[Server](#server)_ | MetricsServer is used to configure the HTTP(S) server for metrics.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
+| `Providers` | _[Providers](#providers)_ | Providers is used to configure your provider. **Multiple-providers is not<br/>yet working.** [This feature is tracked in<br/>#925](https://github.com/oauth2-proxy/oauth2-proxy/issues/926) |

 ### AzureOptions

@ -178,8 +178,8 @@ They may change between releases without notice.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `tenant` | _string_ | Tenant directs to a tenant-specific or common (tenant-independent) endpoint<br/>Default value is 'common' |
-| `graphGroupField` | _string_ | GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph<br/>Default value is 'id' |
+| `Tenant` | _string_ | Tenant directs to a tenant-specific or common (tenant-independent) endpoint<br/>Default value is 'common' |
+| `GraphGroupField` | _string_ | GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph<br/>Default value is 'id' |

 ### BitbucketOptions

@ -189,8 +189,8 @@ They may change between releases without notice.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `team` | _string_ | Team sets restrict logins to members of this team |
-| `repository` | _string_ | Repository sets restrict logins to user with access to this repository |
+| `Team` | _string_ | Team sets restrict logins to members of this team |
+| `Repository` | _string_ | Repository sets restrict logins to user with access to this repository |

 ### ClaimSource

@ -200,9 +200,9 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
-| `prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
-| `basicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |
+| `Claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
+| `Prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
+| `BasicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |

 ### GitHubOptions

@ -212,11 +212,11 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `org` | _string_ | Org sets restrict logins to members of this organisation |
-| `team` | _string_ | Team sets restrict logins to members of this team |
-| `repo` | _string_ | Repo sets restrict logins to collaborators of this repository |
-| `token` | _string_ | Token is the token to use when verifying repository collaborators<br/>it must have push access to the repository |
-| `users` | _[]string_ | Users allows users with these usernames to login<br/>even if they do not belong to the specified org and team or collaborators |
+| `Org` | _string_ | Org sets restrict logins to members of this organisation |
+| `Team` | _string_ | Team sets restrict logins to members of this team |
+| `Repo` | _string_ | Repo sets restrict logins to collaborators of this repository |
+| `Token` | _string_ | Token is the token to use when verifying repository collaborators<br/>it must have push access to the repository |
+| `Users` | _[]string_ | Users allows users with these usernames to login<br/>even if they do not belong to the specified org and team or collaborators |

 ### GitLabOptions

@ -226,8 +226,8 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `group` | _[]string_ | Group sets restrict logins to members of this group |
-| `projects` | _[]string_ | Projects restricts logins to members of these projects |
+| `Group` | _[]string_ | Group sets restrict logins to members of this group |
+| `Projects` | _[]string_ | Projects restricts logins to members of these projects |

 ### GoogleOptions

@ -237,11 +237,11 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `group` | _[]string_ | Groups sets restrict logins to members of this Google group |
-| `adminEmail` | _string_ | AdminEmail is the Google admin to impersonate for api calls |
-| `serviceAccountJson` | _string_ | ServiceAccountJSON is the path to the service account json credentials |
-| `useApplicationDefaultCredentials` | _bool_ | UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON |
-| `targetPrincipal` | _string_ | TargetPrincipal is the Google Service Account used for Application Default Credentials |
+| `Groups` | _[]string_ | Groups sets restrict logins to members of this Google group |
+| `AdminEmail` | _string_ | AdminEmail is the Google admin to impersonate for api calls |
+| `ServiceAccountJSON` | _string_ | ServiceAccountJSON is the path to the service account json credentials |
+| `UseApplicationDefaultCredentials` | _bool_ | UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON |
+| `TargetPrincipal` | _string_ | TargetPrincipal is the Google Service Account used for Application Default Credentials |

 ### Header

@ -252,9 +252,9 @@ response header.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `name` | _string_ | Name is the header name to be used for this set of values.<br/>Names should be unique within a list of Headers. |
-| `preserveRequestValue` | _bool_ | PreserveRequestValue determines whether any values for this header<br/>should be preserved for the request to the upstream server.<br/>This option only applies to injected request headers.<br/>Defaults to false (headers that match this header will be stripped). |
-| `values` | _[[]HeaderValue](#headervalue)_ | Values contains the desired values for this header |
+| `Name` | _string_ | Name is the header name to be used for this set of values.<br/>Names should be unique within a list of Headers. |
+| `PreserveRequestValue` | _bool_ | PreserveRequestValue determines whether any values for this header<br/>should be preserved for the request to the upstream server.<br/>This option only applies to injected request headers.<br/>Defaults to false (headers that match this header will be stripped). |
+| `Values` | _[[]HeaderValue](#headervalue)_ | Values contains the desired values for this header |

 ### HeaderValue

@ -265,12 +265,12 @@ make up the header value

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `value` | _string_ | Value expects a base64 encoded string value. |
-| `fromEnv` | _string_ | FromEnv expects the name of an environment variable. |
-| `fromFile` | _string_ | FromFile expects a path to a file containing the secret value. |
-| `claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
-| `prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
-| `basicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |
+| `Value` | _string_ | Value expects a base64 encoded string value. |
+| `FromEnv` | _string_ | FromEnv expects the name of an environment variable. |
+| `FromFile` | _string_ | FromFile expects a path to a file containing the secret value. |
+| `Claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
+| `Prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
+| `BasicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |

 ### KeycloakOptions

@ -280,8 +280,8 @@ make up the header value

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `groups` | _[]string_ | Group enables to restrict login to members of indicated group |
-| `roles` | _[]string_ | Role enables to restrict login to users with role (only available when using the keycloak-oidc provider) |
+| `Groups` | _[]string_ | Group enables to restrict login to members of indicated group |
+| `Roles` | _[]string_ | Role enables to restrict login to users with role (only available when using the keycloak-oidc provider) |

 ### LoginGovOptions

@ -291,9 +291,9 @@ make up the header value

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `jwtKey` | _string_ | JWTKey is a private key in PEM format used to sign JWT, |
-| `jwtKeyFile` | _string_ | JWTKeyFile is a path to the private key file in PEM format used to sign the JWT |
-| `pubjwkURL` | _string_ | PubJWKURL is the JWK pubkey access endpoint |
+| `JWTKey` | _string_ | JWTKey is a private key in PEM format used to sign JWT, |
+| `JWTKeyFile` | _string_ | JWTKeyFile is a path to the private key file in PEM format used to sign the JWT |
+| `PubJWKURL` | _string_ | PubJWKURL is the JWK pubkey access endpoint |

 ### LoginURLParameter

@ -371,9 +371,9 @@ character.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `name` | _string_ | Name specifies the name of the query parameter. |
-| `default` | _[]string_ |  _(Optional)_ Default specifies a default value or values that will be<br/>passed to the IdP if not overridden. |
-| `allow` | _[[]URLParameterRule](#urlparameterrule)_ |  _(Optional)_ Allow specifies rules about how the default (if any) may be<br/>overridden via the query string to `/oauth2/start`.  Only<br/>values that match one or more of the allow rules will be<br/>forwarded to the IdP. |
+| `Name` | _string_ | Name specifies the name of the query parameter. |
+| `Default` | _[]string_ |  _(Optional)_ Default specifies a default value or values that will be<br/>passed to the IdP if not overridden. |
+| `Allow` | _[[]URLParameterRule](#urlparameterrule)_ |  _(Optional)_ Allow specifies rules about how the default (if any) may be<br/>overridden via the query string to `/oauth2/start`.  Only<br/>values that match one or more of the allow rules will be<br/>forwarded to the IdP. |

 ### MicrosoftEntraIDOptions

@ -383,8 +383,8 @@ character.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `allowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
-| `federatedTokenAuth` | _bool_ | FederatedTokenAuth enable oAuth2 client authentication with federated token projected<br/>by Entra Workload Identity plugin, instead of client secret. |
+| `AllowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
+| `FederatedTokenAuth` | _bool_ | FederatedTokenAuth enable oAuth2 client authentication with federated token projected<br/>by Entra Workload Identity plugin, instead of client secret. |

 ### OIDCOptions

@ -394,18 +394,18 @@ character.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `issuerURL` | _string_ | IssuerURL is the OpenID Connect issuer URL<br/>eg: https://accounts.google.com |
-| `insecureAllowUnverifiedEmail` | _bool_ | InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified<br/>default set to 'false' |
-| `insecureSkipIssuerVerification` | _bool_ | InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL<br/>default set to 'false' |
-| `insecureSkipNonce` | _bool_ | InsecureSkipNonce skips verifying the ID Token's nonce claim that must match<br/>the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked<br/>after the initial OAuth redeem & subsequent token refreshes.<br/>default set to 'true'<br/>Warning: In a future release, this will change to 'false' by default for enhanced security. |
-| `skipDiscovery` | _bool_ | SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints<br/>default set to 'false' |
-| `jwksURL` | _string_ | JwksURL is the OpenID Connect JWKS URL<br/>eg: https://www.googleapis.com/oauth2/v3/certs |
-| `publicKeyFiles` | _[]string_ | PublicKeyFiles is a list of paths pointing to public key files in PEM format to use<br/>for verifying JWT tokens |
-| `emailClaim` | _string_ | EmailClaim indicates which claim contains the user email,<br/>default set to 'email' |
-| `groupsClaim` | _string_ | GroupsClaim indicates which claim contains the user groups<br/>default set to 'groups' |
-| `userIDClaim` | _string_ | UserIDClaim indicates which claim contains the user ID<br/>default set to 'email' |
-| `audienceClaims` | _[]string_ | AudienceClaim allows to define any claim that is verified against the client id<br/>By default `aud` claim is used for verification. |
-| `extraAudiences` | _[]string_ | ExtraAudiences is a list of additional audiences that are allowed<br/>to pass verification in addition to the client id. |
+| `IssuerURL` | _string_ | IssuerURL is the OpenID Connect issuer URL<br/>eg: https://accounts.google.com |
+| `InsecureAllowUnverifiedEmail` | _bool_ | InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified<br/>default set to 'false' |
+| `InsecureSkipIssuerVerification` | _bool_ | InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL<br/>default set to 'false' |
+| `InsecureSkipNonce` | _bool_ | InsecureSkipNonce skips verifying the ID Token's nonce claim that must match<br/>the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked<br/>after the initial OAuth redeem & subsequent token refreshes.<br/>default set to 'true'<br/>Warning: In a future release, this will change to 'false' by default for enhanced security. |
+| `SkipDiscovery` | _bool_ | SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints<br/>default set to 'false' |
+| `JwksURL` | _string_ | JwksURL is the OpenID Connect JWKS URL<br/>eg: https://www.googleapis.com/oauth2/v3/certs |
+| `PublicKeyFiles` | _[]string_ | PublicKeyFiles is a list of paths pointing to public key files in PEM format to use<br/>for verifying JWT tokens |
+| `EmailClaim` | _string_ | EmailClaim indicates which claim contains the user email,<br/>default set to 'email' |
+| `GroupsClaim` | _string_ | GroupsClaim indicates which claim contains the user groups<br/>default set to 'groups' |
+| `UserIDClaim` | _string_ | UserIDClaim indicates which claim contains the user ID<br/>default set to 'email' |
+| `AudienceClaims` | _[]string_ | AudienceClaim allows to define any claim that is verified against the client id<br/>By default `aud` claim is used for verification. |
+| `ExtraAudiences` | _[]string_ | ExtraAudiences is a list of additional audiences that are allowed<br/>to pass verification in addition to the client id. |

 ### Provider

@ -415,36 +415,36 @@ Provider holds all configuration for a single provider

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `clientID` | _string_ | ClientID is the OAuth Client ID that is defined in the provider<br/>This value is required for all providers. |
-| `clientSecret` | _string_ | ClientSecret is the OAuth Client Secret that is defined in the provider<br/>This value is required for all providers. |
-| `clientSecretFile` | _string_ | ClientSecretFile is the name of the file<br/>containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
-| `keycloakConfig` | _[KeycloakOptions](#keycloakoptions)_ | KeycloakConfig holds all configurations for Keycloak provider. |
-| `azureConfig` | _[AzureOptions](#azureoptions)_ | AzureConfig holds all configurations for Azure provider. |
-| `microsoftEntraIDConfig` | _[MicrosoftEntraIDOptions](#microsoftentraidoptions)_ | MicrosoftEntraIDConfig holds all configurations for Entra ID provider. |
+| `ClientID` | _string_ | ClientID is the OAuth Client ID that is defined in the provider<br/>This value is required for all providers. |
+| `ClientSecret` | _string_ | ClientSecret is the OAuth Client Secret that is defined in the provider<br/>This value is required for all providers. |
+| `ClientSecretFile` | _string_ | ClientSecretFile is the name of the file<br/>containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
+| `KeycloakConfig` | _[KeycloakOptions](#keycloakoptions)_ | KeycloakConfig holds all configurations for Keycloak provider. |
+| `AzureConfig` | _[AzureOptions](#azureoptions)_ | AzureConfig holds all configurations for Azure provider. |
+| `MicrosoftEntraIDConfig` | _[MicrosoftEntraIDOptions](#microsoftentraidoptions)_ | MicrosoftEntraIDConfig holds all configurations for Entra ID provider. |
 | `ADFSConfig` | _[ADFSOptions](#adfsoptions)_ | ADFSConfig holds all configurations for ADFS provider. |
-| `bitbucketConfig` | _[BitbucketOptions](#bitbucketoptions)_ | BitbucketConfig holds all configurations for Bitbucket provider. |
-| `githubConfig` | _[GitHubOptions](#githuboptions)_ | GitHubConfig holds all configurations for GitHubC provider. |
-| `gitlabConfig` | _[GitLabOptions](#gitlaboptions)_ | GitLabConfig holds all configurations for GitLab provider. |
-| `googleConfig` | _[GoogleOptions](#googleoptions)_ | GoogleConfig holds all configurations for Google provider. |
-| `oidcConfig` | _[OIDCOptions](#oidcoptions)_ | OIDCConfig holds all configurations for OIDC provider<br/>or providers utilize OIDC configurations. |
-| `loginGovConfig` | _[LoginGovOptions](#logingovoptions)_ | LoginGovConfig holds all configurations for LoginGov provider. |
-| `id` | _string_ | ID should be a unique identifier for the provider.<br/>This value is required for all providers. |
-| `provider` | _[ProviderType](#providertype)_ | Type is the OAuth provider<br/>must be set from the supported providers group,<br/>otherwise 'Google' is set as default |
-| `name` | _string_ | Name is the providers display name<br/>if set, it will be shown to the users in the login page. |
-| `caFiles` | _[]string_ | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.<br/>If not specified, the default Go trust sources are used instead |
-| `useSystemTrustStore` | _bool_ | UseSystemTrustStore determines if your custom CA files and the system trust store are used<br/>If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. |
-| `loginURL` | _string_ | LoginURL is the authentication endpoint |
-| `loginURLParameters` | _[[]LoginURLParameter](#loginurlparameter)_ | LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL |
-| `authRequestResponseMode` | _string_ | AuthRequestResponseMode defines the response mode to request during authorization request |
-| `redeemURL` | _string_ | RedeemURL is the token redemption endpoint |
-| `profileURL` | _string_ | ProfileURL is the profile access endpoint |
-| `skipClaimsFromProfileURL` | _bool_ | SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token<br/>default set to 'false' |
-| `resource` | _string_ | ProtectedResource is the resource that is protected (Azure AD and ADFS only) |
-| `validateURL` | _string_ | ValidateURL is the access token validation endpoint |
-| `scope` | _string_ | Scope is the OAuth scope specification |
-| `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
-| `code_challenge_method` | _string_ | The code challenge method |
-| `backendLogoutURL` | _string_ | URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session |
+| `BitbucketConfig` | _[BitbucketOptions](#bitbucketoptions)_ | BitbucketConfig holds all configurations for Bitbucket provider. |
+| `GitHubConfig` | _[GitHubOptions](#githuboptions)_ | GitHubConfig holds all configurations for GitHubC provider. |
+| `GitLabConfig` | _[GitLabOptions](#gitlaboptions)_ | GitLabConfig holds all configurations for GitLab provider. |
+| `GoogleConfig` | _[GoogleOptions](#googleoptions)_ | GoogleConfig holds all configurations for Google provider. |
+| `OIDCConfig` | _[OIDCOptions](#oidcoptions)_ | OIDCConfig holds all configurations for OIDC provider<br/>or providers utilize OIDC configurations. |
+| `LoginGovConfig` | _[LoginGovOptions](#logingovoptions)_ | LoginGovConfig holds all configurations for LoginGov provider. |
+| `ID` | _string_ | ID should be a unique identifier for the provider.<br/>This value is required for all providers. |
+| `Type` | _[ProviderType](#providertype)_ | Type is the OAuth provider<br/>must be set from the supported providers group,<br/>otherwise 'Google' is set as default |
+| `Name` | _string_ | Name is the providers display name<br/>if set, it will be shown to the users in the login page. |
+| `CAFiles` | _[]string_ | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.<br/>If not specified, the default Go trust sources are used instead |
+| `UseSystemTrustStore` | _bool_ | UseSystemTrustStore determines if your custom CA files and the system trust store are used<br/>If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. |
+| `LoginURL` | _string_ | LoginURL is the authentication endpoint |
+| `LoginURLParameters` | _[[]LoginURLParameter](#loginurlparameter)_ | LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL |
+| `AuthRequestResponseMode` | _string_ | AuthRequestResponseMode defines the response mode to request during authorization request |
+| `RedeemURL` | _string_ | RedeemURL is the token redemption endpoint |
+| `ProfileURL` | _string_ | ProfileURL is the profile access endpoint |
+| `SkipClaimsFromProfileURL` | _bool_ | SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token<br/>default set to 'false' |
+| `ProtectedResource` | _string_ | ProtectedResource is the resource that is protected (Azure AD and ADFS only) |
+| `ValidateURL` | _string_ | ValidateURL is the access token validation endpoint |
+| `Scope` | _string_ | Scope is the OAuth scope specification |
+| `AllowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
+| `CodeChallengeMethod` | _string_ | The code challenge method |
+| `BackendLogoutURL` | _string_ | URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session |

 ### ProviderType
 #### (`string` alias)
@ -477,9 +477,9 @@ Only one source within the struct should be defined at any time.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `value` | _string_ | Value expects a base64 encoded string value. |
-| `fromEnv` | _string_ | FromEnv expects the name of an environment variable. |
-| `fromFile` | _string_ | FromFile expects a path to a file containing the secret value. |
+| `Value` | _string_ | Value expects a base64 encoded string value. |
+| `FromEnv` | _string_ | FromEnv expects the name of an environment variable. |
+| `FromFile` | _string_ | FromFile expects a path to a file containing the secret value. |

 ### Server

@ -518,8 +518,8 @@ login URL.  Either Value or Pattern should be supplied, not both.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `value` | _string_ | A Value rule matches just this specific value |
-| `pattern` | _string_ | A Pattern rule gives a regular expression that must be matched by<br/>some substring of the value.  The expression is _not_ automatically<br/>anchored to the start and end of the value, if you _want_ to restrict<br/>the whole parameter value you must anchor it yourself with `^` and `$`. |
+| `Value` | _string_ | A Value rule matches just this specific value |
+| `Pattern` | _string_ | A Pattern rule gives a regular expression that must be matched by<br/>some substring of the value.  The expression is _not_ automatically<br/>anchored to the start and end of the value, if you _want_ to restrict<br/>the whole parameter value you must anchor it yourself with `^` and `$`. |

 ### Upstream

@ -530,18 +530,18 @@ Requests will be proxied to this upstream if the path matches the request path.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `id` | _string_ | ID should be a unique identifier for the upstream.<br/>This value is required for all upstreams. |
-| `path` | _string_ | Path is used to map requests to the upstream server.<br/>The closest match will take precedence and all Paths must be unique.<br/>Path can also take a pattern when used with RewriteTarget.<br/>Path segments can be captured and matched using regular experessions.<br/>Eg:<br/>- `^/foo$`: Match only the explicit path `/foo`<br/>- `^/bar/$`: Match any path prefixed with `/bar/`<br/>- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget |
-| `rewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem<br/>(for a `file:` upstream).<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server.  Or if the upstream were `file:///app`, a request for<br/>`/baz/info.html` would return the contents of the file `/app/foo/info.html`. |
-| `uri` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File<br/>based URL. It may include a path, in which case all requests will be served<br/>under that path.<br/>Eg:<br/>- http://localhost:8080<br/>- https://service.localhost<br/>- https://service.localhost/path<br/>- file://host/path<br/>If the URI's path is "/base" and the incoming request was for "/dir",<br/>the upstream request will be for "/base/dir". |
-| `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>between OAuth2 Proxy and the upstream server.<br/>Defaults to false. |
-| `static` | _bool_ | Static will make all requests to this upstream have a static response.<br/>The response will have a body of "Authenticated" and a response code<br/>matching StaticCode.<br/>If StaticCode is not set, the response will return a 200 response. |
-| `staticCode` | _int_ | StaticCode determines the response code for the Static response.<br/>This option can only be used with Static enabled. |
-| `flushInterval` | _duration_ | FlushInterval is the period between flushing the response buffer when<br/>streaming response from the upstream.<br/>Defaults to 1 second. |
-| `passHostHeader` | _bool_ | PassHostHeader determines whether the request host header should be proxied<br/>to the upstream server.<br/>Defaults to true. |
-| `proxyWebSockets` | _bool_ | ProxyWebSockets enables proxying of websockets to upstream servers<br/>Defaults to true. |
-| `timeout` | _duration_ | Timeout is the maximum duration the server will wait for a response from the upstream server.<br/>Defaults to 30 seconds. |
-| `disableKeepAlives` | _bool_ | DisableKeepAlives disables HTTP keep-alive connections to the upstream server.<br/>Defaults to false. |
+| `ID` | _string_ | ID should be a unique identifier for the upstream.<br/>This value is required for all upstreams. |
+| `Path` | _string_ | Path is used to map requests to the upstream server.<br/>The closest match will take precedence and all Paths must be unique.<br/>Path can also take a pattern when used with RewriteTarget.<br/>Path segments can be captured and matched using regular experessions.<br/>Eg:<br/>- `^/foo$`: Match only the explicit path `/foo`<br/>- `^/bar/$`: Match any path prefixed with `/bar/`<br/>- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget |
+| `RewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem<br/>(for a `file:` upstream).<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server.  Or if the upstream were `file:///app`, a request for<br/>`/baz/info.html` would return the contents of the file `/app/foo/info.html`. |
+| `URI` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File<br/>based URL. It may include a path, in which case all requests will be served<br/>under that path.<br/>Eg:<br/>- http://localhost:8080<br/>- https://service.localhost<br/>- https://service.localhost/path<br/>- file://host/path<br/>If the URI's path is "/base" and the incoming request was for "/dir",<br/>the upstream request will be for "/base/dir". |
+| `InsecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>between OAuth2 Proxy and the upstream server.<br/>Defaults to false. |
+| `Static` | _bool_ | Static will make all requests to this upstream have a static response.<br/>The response will have a body of "Authenticated" and a response code<br/>matching StaticCode.<br/>If StaticCode is not set, the response will return a 200 response. |
+| `StaticCode` | _int_ | StaticCode determines the response code for the Static response.<br/>This option can only be used with Static enabled. |
+| `FlushInterval` | _duration_ | FlushInterval is the period between flushing the response buffer when<br/>streaming response from the upstream.<br/>Defaults to 1 second. |
+| `PassHostHeader` | _bool_ | PassHostHeader determines whether the request host header should be proxied<br/>to the upstream server.<br/>Defaults to true. |
+| `ProxyWebSockets` | _bool_ | ProxyWebSockets enables proxying of websockets to upstream servers<br/>Defaults to true. |
+| `Timeout` | _duration_ | Timeout is the maximum duration the server will wait for a response from the upstream server.<br/>Defaults to 30 seconds. |
+| `DisableKeepAlives` | _bool_ | DisableKeepAlives disables HTTP keep-alive connections to the upstream server.<br/>Defaults to false. |

 ### UpstreamConfig

@ -551,5 +551,5 @@ UpstreamConfig is a collection of definitions for upstream servers.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `proxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for urls<br/>like: "/%2F/" which would otherwise be redirected to "/" |
-| `upstreams` | _[[]Upstream](#upstream)_ | Upstreams represents the configuration for the upstream servers.<br/>Requests will be proxied to this upstream if the path matches the request path. |
+| `ProxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for urls<br/>like: "/%2F/" which would otherwise be redirected to "/" |
+| `Upstreams` | _[[]Upstream](#upstream)_ | Upstreams represents the configuration for the upstream servers.<br/>Requests will be proxied to this upstream if the path matches the request path. |
--- a/go.mod
+++ b/go.mod
@ -13,7 +13,6 @@ require (
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/go-jose/go-jose/v3 v3.0.4
 	github.com/go-viper/mapstructure/v2 v2.4.0
 	github.com/golang-jwt/jwt/v5 v5.2.3
@ -22,9 +21,10 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/justinas/alice v1.2.0
 	github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.37.0
+	github.com/onsi/gomega v1.38.0
 	github.com/pierrec/lz4/v4 v4.1.22
 	github.com/prometheus/client_golang v1.22.0
 	github.com/redis/go-redis/v9 v9.11.0
@ -37,13 +37,14 @@ require (
 	golang.org/x/net v0.42.0
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.16.0
-	google.golang.org/api v0.242.0
+	google.golang.org/api v0.243.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/apimachinery v0.33.3
 )

 require (
-	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth v0.16.3 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
@ -83,9 +84,8 @@ require (
 	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 // indirect
+	google.golang.org/grpc v1.74.2 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,12 +1,11 @@
-cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4=
-cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA=
+cloud.google.com/go/auth v0.16.3 h1:kabzoQ9/bobUmnseYnBO6qQG7q4a/CffFRlJSxv2wCc=
+cloud.google.com/go/auth v0.16.3/go.mod h1:NucRGjaXfzP1ltpcQ7On/VTZ0H4kWB5Jy+Y9Dnm76fA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
 cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
 github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb h1:ZVN4Iat3runWOFLaBCDVU5a9X/XikSRBosye++6gojw=
 github.com/Bose/minisentinel v0.0.0-20200130220412-917c5a9223bb/go.mod h1:WsAABbY4HQBgd3mGuG4KMNTbHJCPvx9IVBHzysbknss=
-github.com/FZambia/sentinel v1.0.0 h1:KJ0ryjKTZk5WMp0dXvSdNqp3lFaW1fNFuEYfrkLOYIc=
 github.com/FZambia/sentinel v1.0.0/go.mod h1:ytL1Am/RLlAoAXG6Kj5LNuw/TRRQrv2rt2FT26vP5gI=
 github.com/a8m/envsubst v1.4.3 h1:kDF7paGK8QACWYaQo6KtyYBozY2jhQrTuNNuUxQkhJY=
 github.com/a8m/envsubst v1.4.3/go.mod h1:4jjHWQlZoaXPoLQUb7H2qT4iLkZDdmEQiOUogdUmqVU=
@ -20,12 +19,7 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-simplejson v0.5.1 h1:xgwPbetQScXt1gh9BmoJ6j9JMr3TElvuIyjR8pgdoow=
 github.com/bitly/go-simplejson v0.5.1/go.mod h1:YOPVLzCfwK14b4Sff3oP1AmGhI9T9Vsg84etUnlyp+Q=
-github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
-github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
-github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
-github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/bsm/redislock v0.9.4 h1:X/Wse1DPpiQgHbVYRE9zv6m070UcKoOGekgvpNhiSvw=
 github.com/bsm/redislock v0.9.4/go.mod h1:Epf7AJLiSFwLCiZcfi6pWFO/8eAYrYpQXFxEDPoDeAk=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@ -44,12 +38,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 h1:Arcl6UOIS/kgO2nW3A65HN+7CMjSDP/gofXL4CZt1V4=
-github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
 github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
@ -61,17 +51,10 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
-github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
 github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3 h1:6amM4HsNPOvMLVc2ZnyqrjeQ92YAVWn7T4WBKK87inY=
 github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@ -85,34 +68,27 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
 github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
-github.com/googleapis/gax-go/v2 v2.14.2 h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0=
-github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=
 github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa h1:hI1uC2A3vJFjwvBn0G0a7QBRdBUp6Y048BtLAHRTKPo=
 github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa/go.mod h1:8vxFeeg++MqgCHwehSuwTlYCF0ALyDJbYJ1JsKi7v6s=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk=
 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
+github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
@ -120,8 +96,6 @@ github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFu
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
 github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
@ -132,7 +106,6 @@ github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7D
 github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/redis/go-redis/v9 v9.11.0 h1:E3S08Gl/nJNn5vkxd2i78wZxWAPNZgUNTp8WIJUAiIs=
 github.com/redis/go-redis/v9 v9.11.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/sagikazarmark/locafero v0.9.0 h1:GbgQGNtTrEmddYDSAH9QLRyfAHY12md+8YFTqyMTC9k=
 github.com/sagikazarmark/locafero v0.9.0/go.mod h1:UBUyz37V+EdMS3hDF3QWIiVr/2dPrx49OMO0Bn0hJqk=
@ -142,8 +115,6 @@ github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/spf13/cast v1.9.2 h1:SsGfm7M8QOFtEzumm7UZrZdLLquNdzFYfIbEXntcFbE=
 github.com/spf13/cast v1.9.2/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
 github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
@ -165,18 +136,12 @@ github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M
 github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
 go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
 go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
 go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
@ -186,8 +151,6 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
 golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@ -197,8 +160,6 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
 golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
@ -206,8 +167,6 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -219,8 +178,6 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
 golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@ -234,53 +191,29 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
 golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
 golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.240.0 h1:PxG3AA2UIqT1ofIzWV2COM3j3JagKTKSwy7L6RHNXNU=
-google.golang.org/api v0.240.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
-google.golang.org/api v0.241.0 h1:QKwqWQlkc6O895LchPEDUSYr22Xp3NCxpQRiWTB6avE=
-google.golang.org/api v0.241.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
-google.golang.org/api v0.242.0 h1:7Lnb1nfnpvbkCiZek6IXKdJ0MFuAZNAJKQfA1ws62xg=
-google.golang.org/api v0.242.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
-google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
-google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 h1:vPV0tzlsK6EzEDHNNH5sa7Hs9bd7iXR7B1tSiPepkV0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:pKLAc5OolXC3ViWGI62vvC0n10CpwAtRcTNCFwTKBEw=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/api v0.243.0 h1:sw+ESIJ4BVnlJcWu9S+p2Z6Qq1PjG77T8IJ1xtp4jZQ=
+google.golang.org/api v0.243.0/go.mod h1:GE4QtYfaybx1KmeHMdBnNnyLzBZCVihGBXAmJu/uUr8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 h1:qJW29YvkiJmXOYMu5Tf8lyrTp3dOS+K4z6IixtLaCf8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
+google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
-k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
 k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
--- a/main.go
+++ b/main.go
@ -5,12 +5,12 @@ import (
 	"os"
 	"runtime"

-	"github.com/ghodss/yaml"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/version"
 	"github.com/spf13/pflag"
+	"gopkg.in/yaml.v3"
 )

 func main() {
--- a/main_test.go
+++ b/main_test.go
@ -2,9 +2,7 @@ package main

 import (
 	"errors"
-	"fmt"
 	"os"
-	"strings"
 	"time"

 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
@ -256,7 +254,7 @@ redirect_url="http://localhost:4180/oauth2/callback"
 			configContent:      testCoreConfig,
 			alphaConfigContent: testAlphaConfig + ":",
 			expectedOptions:    func() *options.Options { return nil },
-			expectedErr:        fmt.Errorf("failed to load alpha options: error unmarshalling config: error converting YAML to JSON: yaml: line %d: did not find expected key", strings.Count(testAlphaConfig, "\n")),
+			expectedErr:        errors.New("failed to load alpha options: error unmarshalling config: yaml: line 1: did not find expected key"),
 		}),
 		Entry("with alpha configuration and bad core configuration", loadConfigurationTableInput{
 			configContent:      testCoreConfig + "unknown_field=\"something\"",
--- a/pkg/apis/options/alpha_options.go
+++ b/pkg/apis/options/alpha_options.go
@ -12,13 +12,13 @@ type AlphaOptions struct {
 	// UpstreamConfig is used to configure upstream servers.
 	// Once a user is authenticated, requests to the server will be proxied to
 	// these upstream servers based on the path mappings defined in this list.
-	UpstreamConfig UpstreamConfig `json:"upstreamConfig,omitempty"`
+	UpstreamConfig UpstreamConfig `yaml:"upstreamConfig,omitempty"`

 	// InjectRequestHeaders is used to configure headers that should be added
 	// to requests to upstream servers.
 	// Headers may source values from either the authenticated user's session
 	// or from a static secret value.
-	InjectRequestHeaders []Header `json:"injectRequestHeaders,omitempty"`
+	InjectRequestHeaders []Header `yaml:"injectRequestHeaders,omitempty"`

 	// InjectResponseHeaders is used to configure headers that should be added
 	// to responses from the proxy.
@ -27,24 +27,24 @@ type AlphaOptions struct {
 	// auth_request module.
 	// Headers may source values from either the authenticated user's session
 	// or from a static secret value.
-	InjectResponseHeaders []Header `json:"injectResponseHeaders,omitempty"`
+	InjectResponseHeaders []Header `yaml:"injectResponseHeaders,omitempty"`

 	// Server is used to configure the HTTP(S) server for the proxy application.
 	// You may choose to run both HTTP and HTTPS servers simultaneously.
 	// This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
 	// To use the secure server you must configure a TLS certificate and key.
-	Server Server `json:"server,omitempty"`
+	Server Server `yaml:"server,omitempty"`

 	// MetricsServer is used to configure the HTTP(S) server for metrics.
 	// You may choose to run both HTTP and HTTPS servers simultaneously.
 	// This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
 	// To use the secure server you must configure a TLS certificate and key.
-	MetricsServer Server `json:"metricsServer,omitempty"`
+	MetricsServer Server `yaml:"metricsServer,omitempty"`

 	// Providers is used to configure your provider. **Multiple-providers is not
 	// yet working.** [This feature is tracked in
 	// #925](https://github.com/oauth2-proxy/oauth2-proxy/issues/926)
-	Providers Providers `json:"providers,omitempty"`
+	Providers Providers `yaml:"providers,omitempty"`
 }

 // Initialize alpha options with default values and settings of the core options
--- a/pkg/apis/options/duration_test.go
+++ b/pkg/apis/options/duration_test.go
@ -7,7 +7,7 @@ import (

 func TestDecode(t *testing.T) {
 	type result struct {
-		Duration time.Duration `json:"duration"`
+		Duration time.Duration `yaml:"duration"`
 	}

 	tests := []struct {
@ -64,7 +64,7 @@ func TestDecode(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var result struct {
-				Duration time.Duration `json:"duration"`
+				Duration time.Duration `yaml:"duration"`
 			}

 			err := Decode(tt.input, &result)
--- a/pkg/apis/options/header.go
+++ b/pkg/apis/options/header.go
@ -5,26 +5,26 @@ package options
 type Header struct {
 	// Name is the header name to be used for this set of values.
 	// Names should be unique within a list of Headers.
-	Name string `json:"name,omitempty"`
+	Name string `yaml:"name,omitempty"`

 	// PreserveRequestValue determines whether any values for this header
 	// should be preserved for the request to the upstream server.
 	// This option only applies to injected request headers.
 	// Defaults to false (headers that match this header will be stripped).
-	PreserveRequestValue bool `json:"preserveRequestValue,omitempty"`
+	PreserveRequestValue bool `yaml:"preserveRequestValue,omitempty"`

 	// Values contains the desired values for this header
-	Values []HeaderValue `json:"values,omitempty"`
+	Values []HeaderValue `yaml:"values,omitempty"`
 }

 // HeaderValue represents a single header value and the sources that can
 // make up the header value
 type HeaderValue struct {
 	// Allow users to load the value from a secret source
-	*SecretSource `json:"secretSource,omitempty"`
+	*SecretSource `yaml:"secretSource,omitempty"`

 	// Allow users to load the value from a session claim
-	*ClaimSource `json:"claimSource,omitempty"`
+	*ClaimSource `yaml:"claimSource,omitempty"`
 }

 // ClaimSource allows loading a header value from a claim within the session
@ -32,14 +32,14 @@ type ClaimSource struct {
 	// Claim is the name of the claim in the session that the value should be
 	// loaded from. Available claims: `access_token` `id_token` `created_at`
 	// `expires_on` `refresh_token` `email` `user` `groups` `preferred_username`.
-	Claim string `json:"claim,omitempty"`
+	Claim string `yaml:"claim,omitempty"`

 	// Prefix is an optional prefix that will be prepended to the value of the
 	// claim if it is non-empty.
-	Prefix string `json:"prefix,omitempty"`
+	Prefix string `yaml:"prefix,omitempty"`

 	// BasicAuthPassword converts this claim into a basic auth header.
 	// Note the value of claim will become the basic auth username and the
 	// basicAuthPassword will be used as the password value.
-	BasicAuthPassword *SecretSource `json:"basicAuthPassword,omitempty"`
+	BasicAuthPassword *SecretSource `yaml:"basicAuthPassword,omitempty"`
 }
--- a/pkg/apis/options/load.go
+++ b/pkg/apis/options/load.go
@ -9,10 +9,10 @@ import (
 	"strings"

 	"github.com/a8m/envsubst"
-	"github.com/ghodss/yaml"
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
+	"gopkg.in/yaml.v3"
 )

 // Load reads in the config file at the path given, then merges in environment
@ -92,7 +92,7 @@ func Decode(input interface{}, result interface{}) error {
 		DecodeHook:           mapstructure.ComposeDecodeHookFunc(toDurationHookFunc()),
 		Metadata:             nil,    // Don't track any metadata
 		Result:               result, // Decode the result into the prefilled options
-		TagName:              "json", // Parse all fields that use the json tag
+		TagName:              "yaml", // Parse all fields that use the json tag
 		ZeroFields:           false,  // Don't clean the default values from the result map (options)
 		ErrorUnused:          true,   // Throw an error if keys have been used that aren't mapped to any struct fields
 		IgnoreUntaggedFields: true,   // Ignore fields in structures that aren't tagged with json
--- a/pkg/apis/options/load_test.go
+++ b/pkg/apis/options/load_test.go
@ -355,15 +355,15 @@ var _ = Describe("Load", func() {
 var _ = Describe("LoadYAML", func() {
 	Context("with a testOptions structure", func() {
 		type TestOptionSubStruct struct {
-			StringSliceOption []string `json:"stringSliceOption,omitempty"`
+			StringSliceOption []string `yaml:"stringSliceOption,omitempty"`
 		}

 		type TestOptions struct {
-			StringOption string              `json:"stringOption,omitempty"`
-			Sub          TestOptionSubStruct `json:"sub,omitempty"`
+			StringOption string              `yaml:"stringOption,omitempty"`
+			Sub          TestOptionSubStruct `yaml:"sub,omitempty"`

 			// Check that embedded fields can be unmarshalled
-			TestOptionSubStruct `json:",inline,squash"`
+			TestOptionSubStruct `yaml:",inline,squash"`
 		}

 		var testOptionsConfigBytesFull = []byte(`
@ -445,7 +445,7 @@ sub:
 				configFile:     []byte("\tfoo: bar"),
 				input:          &TestOptions{},
 				expectedOutput: &TestOptions{},
-				expectedErr:    errors.New("error unmarshalling config: error converting YAML to JSON: yaml: found character that cannot start any token"),
+				expectedErr:    errors.New("error unmarshalling config: yaml: found character that cannot start any token"),
 			}),
 			Entry("with extra fields in the YAML", loadYAMLTableInput{
 				configFile: append(testOptionsConfigBytesFull, []byte("foo: bar\n")...),
--- a/pkg/apis/options/login_url_parameters.go
+++ b/pkg/apis/options/login_url_parameters.go
@ -71,19 +71,19 @@ package options
 // character.
 type LoginURLParameter struct {
 	// Name specifies the name of the query parameter.
-	Name string `json:"name"`
+	Name string `yaml:"name"`

 	// Default specifies a default value or values that will be
 	// passed to the IdP if not overridden.
 	//+optional
-	Default []string `json:"default,omitempty"`
+	Default []string `yaml:"default,omitempty"`

 	// Allow specifies rules about how the default (if any) may be
 	// overridden via the query string to `/oauth2/start`.  Only
 	// values that match one or more of the allow rules will be
 	// forwarded to the IdP.
 	//+optional
-	Allow []URLParameterRule `json:"allow,omitempty"`
+	Allow []URLParameterRule `yaml:"allow,omitempty"`
 }

 // URLParameterRule represents a rule by which query parameters
@ -92,11 +92,11 @@ type LoginURLParameter struct {
 // login URL.  Either Value or Pattern should be supplied, not both.
 type URLParameterRule struct {
 	// A Value rule matches just this specific value
-	Value *string `json:"value,omitempty"`
+	Value *string `yaml:"value,omitempty"`

 	// A Pattern rule gives a regular expression that must be matched by
 	// some substring of the value.  The expression is _not_ automatically
 	// anchored to the start and end of the value, if you _want_ to restrict
 	// the whole parameter value you must anchor it yourself with `^` and `$`.
-	Pattern *string `json:"pattern,omitempty"`
+	Pattern *string `yaml:"pattern,omitempty"`
 }
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@ -22,78 +22,78 @@ type Providers []Provider
 type Provider struct {
 	// ClientID is the OAuth Client ID that is defined in the provider
 	// This value is required for all providers.
-	ClientID string `json:"clientID,omitempty"`
+	ClientID string `yaml:"clientID,omitempty"`
 	// ClientSecret is the OAuth Client Secret that is defined in the provider
 	// This value is required for all providers.
-	ClientSecret string `json:"clientSecret,omitempty"`
+	ClientSecret string `yaml:"clientSecret,omitempty"`
 	// ClientSecretFile is the name of the file
 	// containing the OAuth Client Secret, it will be used if ClientSecret is not set.
-	ClientSecretFile string `json:"clientSecretFile,omitempty"`
+	ClientSecretFile string `yaml:"clientSecretFile,omitempty"`

 	// KeycloakConfig holds all configurations for Keycloak provider.
-	KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"`
+	KeycloakConfig KeycloakOptions `yaml:"keycloakConfig,omitempty"`
 	// AzureConfig holds all configurations for Azure provider.
-	AzureConfig AzureOptions `json:"azureConfig,omitempty"`
+	AzureConfig AzureOptions `yaml:"azureConfig,omitempty"`
 	// MicrosoftEntraIDConfig holds all configurations for Entra ID provider.
-	MicrosoftEntraIDConfig MicrosoftEntraIDOptions `json:"microsoftEntraIDConfig,omitempty"`
+	MicrosoftEntraIDConfig MicrosoftEntraIDOptions `yaml:"microsoftEntraIDConfig,omitempty"`
 	// ADFSConfig holds all configurations for ADFS provider.
-	ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"`
+	ADFSConfig ADFSOptions `yaml:"ADFSConfig,omitempty"`
 	// BitbucketConfig holds all configurations for Bitbucket provider.
-	BitbucketConfig BitbucketOptions `json:"bitbucketConfig,omitempty"`
+	BitbucketConfig BitbucketOptions `yaml:"bitbucketConfig,omitempty"`
 	// GitHubConfig holds all configurations for GitHubC provider.
-	GitHubConfig GitHubOptions `json:"githubConfig,omitempty"`
+	GitHubConfig GitHubOptions `yaml:"githubConfig,omitempty"`
 	// GitLabConfig holds all configurations for GitLab provider.
-	GitLabConfig GitLabOptions `json:"gitlabConfig,omitempty"`
+	GitLabConfig GitLabOptions `yaml:"gitlabConfig,omitempty"`
 	// GoogleConfig holds all configurations for Google provider.
-	GoogleConfig GoogleOptions `json:"googleConfig,omitempty"`
+	GoogleConfig GoogleOptions `yaml:"googleConfig,omitempty"`
 	// OIDCConfig holds all configurations for OIDC provider
 	// or providers utilize OIDC configurations.
-	OIDCConfig OIDCOptions `json:"oidcConfig,omitempty"`
+	OIDCConfig OIDCOptions `yaml:"oidcConfig,omitempty"`
 	// LoginGovConfig holds all configurations for LoginGov provider.
-	LoginGovConfig LoginGovOptions `json:"loginGovConfig,omitempty"`
+	LoginGovConfig LoginGovOptions `yaml:"loginGovConfig,omitempty"`

 	// ID should be a unique identifier for the provider.
 	// This value is required for all providers.
-	ID string `json:"id,omitempty"`
+	ID string `yaml:"id,omitempty"`
 	// Type is the OAuth provider
 	// must be set from the supported providers group,
 	// otherwise 'Google' is set as default
-	Type ProviderType `json:"provider,omitempty"`
+	Type ProviderType `yaml:"provider,omitempty"`
 	// Name is the providers display name
 	// if set, it will be shown to the users in the login page.
-	Name string `json:"name,omitempty"`
+	Name string `yaml:"name,omitempty"`
 	// CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
 	// If not specified, the default Go trust sources are used instead
-	CAFiles []string `json:"caFiles,omitempty"`
+	CAFiles []string `yaml:"caFiles,omitempty"`
 	// UseSystemTrustStore determines if your custom CA files and the system trust store are used
 	// If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files.
-	UseSystemTrustStore bool `json:"useSystemTrustStore,omitempty"`
+	UseSystemTrustStore bool `yaml:"useSystemTrustStore,omitempty"`
 	// LoginURL is the authentication endpoint
-	LoginURL string `json:"loginURL,omitempty"`
+	LoginURL string `yaml:"loginURL,omitempty"`
 	// LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL
-	LoginURLParameters []LoginURLParameter `json:"loginURLParameters,omitempty"`
+	LoginURLParameters []LoginURLParameter `yaml:"loginURLParameters,omitempty"`
 	// AuthRequestResponseMode defines the response mode to request during authorization request
-	AuthRequestResponseMode string `json:"authRequestResponseMode,omitempty"`
+	AuthRequestResponseMode string `yaml:"authRequestResponseMode,omitempty"`
 	// RedeemURL is the token redemption endpoint
-	RedeemURL string `json:"redeemURL,omitempty"`
+	RedeemURL string `yaml:"redeemURL,omitempty"`
 	// ProfileURL is the profile access endpoint
-	ProfileURL string `json:"profileURL,omitempty"`
+	ProfileURL string `yaml:"profileURL,omitempty"`
 	// SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token
 	// default set to 'false'
-	SkipClaimsFromProfileURL bool `json:"skipClaimsFromProfileURL,omitempty"`
+	SkipClaimsFromProfileURL bool `yaml:"skipClaimsFromProfileURL,omitempty"`
 	// ProtectedResource is the resource that is protected (Azure AD and ADFS only)
-	ProtectedResource string `json:"resource,omitempty"`
+	ProtectedResource string `yaml:"resource,omitempty"`
 	// ValidateURL is the access token validation endpoint
-	ValidateURL string `json:"validateURL,omitempty"`
+	ValidateURL string `yaml:"validateURL,omitempty"`
 	// Scope is the OAuth scope specification
-	Scope string `json:"scope,omitempty"`
+	Scope string `yaml:"scope,omitempty"`
 	// AllowedGroups is a list of restrict logins to members of this group
-	AllowedGroups []string `json:"allowedGroups,omitempty"`
+	AllowedGroups []string `yaml:"allowedGroups,omitempty"`
 	// The code challenge method
-	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
+	CodeChallengeMethod string `yaml:"code_challenge_method,omitempty"`

 	// URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session
-	BackendLogoutURL string `json:"backendLogoutURL"`
+	BackendLogoutURL string `yaml:"backendLogoutURL"`
 }

 // ProviderType is used to enumerate the different provider type options
@ -157,19 +157,19 @@ const (

 type KeycloakOptions struct {
 	// Group enables to restrict login to members of indicated group
-	Groups []string `json:"groups,omitempty"`
+	Groups []string `yaml:"groups,omitempty"`

 	// Role enables to restrict login to users with role (only available when using the keycloak-oidc provider)
-	Roles []string `json:"roles,omitempty"`
+	Roles []string `yaml:"roles,omitempty"`
 }

 type AzureOptions struct {
 	// Tenant directs to a tenant-specific or common (tenant-independent) endpoint
 	// Default value is 'common'
-	Tenant string `json:"tenant,omitempty"`
+	Tenant string `yaml:"tenant,omitempty"`
 	// GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph
 	// Default value is 'id'
-	GraphGroupField string `json:"graphGroupField,omitempty"`
+	GraphGroupField string `yaml:"graphGroupField,omitempty"`
 }

 type MicrosoftEntraIDOptions struct {
@ -177,110 +177,110 @@ type MicrosoftEntraIDOptions struct {
 	// issued by different issuers and OIDC issuer verification needs to be disabled.
 	// When not specified, all tenants are allowed. Redundant for single-tenant apps
 	// (regular ID token validation matches the issuer).
-	AllowedTenants []string `json:"allowedTenants,omitempty"`
+	AllowedTenants []string `yaml:"allowedTenants,omitempty"`

 	// FederatedTokenAuth enable oAuth2 client authentication with federated token projected
 	// by Entra Workload Identity plugin, instead of client secret.
-	FederatedTokenAuth bool `json:"federatedTokenAuth,omitempty"`
+	FederatedTokenAuth bool `yaml:"federatedTokenAuth,omitempty"`
 }

 type ADFSOptions struct {
 	// Skip adding the scope parameter in login request
 	// Default value is 'false'
-	SkipScope bool `json:"skipScope,omitempty"`
+	SkipScope bool `yaml:"skipScope,omitempty"`
 }

 type BitbucketOptions struct {
 	// Team sets restrict logins to members of this team
-	Team string `json:"team,omitempty"`
+	Team string `yaml:"team,omitempty"`
 	// Repository sets restrict logins to user with access to this repository
-	Repository string `json:"repository,omitempty"`
+	Repository string `yaml:"repository,omitempty"`
 }

 type GitHubOptions struct {
 	// Org sets restrict logins to members of this organisation
-	Org string `json:"org,omitempty"`
+	Org string `yaml:"org,omitempty"`
 	// Team sets restrict logins to members of this team
-	Team string `json:"team,omitempty"`
+	Team string `yaml:"team,omitempty"`
 	// Repo sets restrict logins to collaborators of this repository
-	Repo string `json:"repo,omitempty"`
+	Repo string `yaml:"repo,omitempty"`
 	// Token is the token to use when verifying repository collaborators
 	// it must have push access to the repository
-	Token string `json:"token,omitempty"`
+	Token string `yaml:"token,omitempty"`
 	// Users allows users with these usernames to login
 	// even if they do not belong to the specified org and team or collaborators
-	Users []string `json:"users,omitempty"`
+	Users []string `yaml:"users,omitempty"`
 }

 type GitLabOptions struct {
 	// Group sets restrict logins to members of this group
-	Group []string `json:"group,omitempty"`
+	Group []string `yaml:"group,omitempty"`
 	// Projects restricts logins to members of these projects
-	Projects []string `json:"projects,omitempty"`
+	Projects []string `yaml:"projects,omitempty"`
 }

 type GoogleOptions struct {
 	// Groups sets restrict logins to members of this Google group
-	Groups []string `json:"group,omitempty"`
+	Groups []string `yaml:"group,omitempty"`
 	// AdminEmail is the Google admin to impersonate for api calls
-	AdminEmail string `json:"adminEmail,omitempty"`
+	AdminEmail string `yaml:"adminEmail,omitempty"`
 	// ServiceAccountJSON is the path to the service account json credentials
-	ServiceAccountJSON string `json:"serviceAccountJson,omitempty"`
+	ServiceAccountJSON string `yaml:"serviceAccountJson,omitempty"`
 	// UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON
-	UseApplicationDefaultCredentials bool `json:"useApplicationDefaultCredentials,omitempty"`
+	UseApplicationDefaultCredentials bool `yaml:"useApplicationDefaultCredentials,omitempty"`
 	// TargetPrincipal is the Google Service Account used for Application Default Credentials
-	TargetPrincipal string `json:"targetPrincipal,omitempty"`
+	TargetPrincipal string `yaml:"targetPrincipal,omitempty"`
 }

 type OIDCOptions struct {
 	// IssuerURL is the OpenID Connect issuer URL
 	// eg: https://accounts.google.com
-	IssuerURL string `json:"issuerURL,omitempty"`
+	IssuerURL string `yaml:"issuerURL,omitempty"`
 	// InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
 	// default set to 'false'
-	InsecureAllowUnverifiedEmail bool `json:"insecureAllowUnverifiedEmail"`
+	InsecureAllowUnverifiedEmail bool `yaml:"insecureAllowUnverifiedEmail"`
 	// InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
 	// default set to 'false'
-	InsecureSkipIssuerVerification bool `json:"insecureSkipIssuerVerification"`
+	InsecureSkipIssuerVerification bool `yaml:"insecureSkipIssuerVerification"`
 	// InsecureSkipNonce skips verifying the ID Token's nonce claim that must match
 	// the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
 	// after the initial OAuth redeem & subsequent token refreshes.
 	// default set to 'true'
 	// Warning: In a future release, this will change to 'false' by default for enhanced security.
-	InsecureSkipNonce bool `json:"insecureSkipNonce"`
+	InsecureSkipNonce bool `yaml:"insecureSkipNonce"`
 	// SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
 	// default set to 'false'
-	SkipDiscovery bool `json:"skipDiscovery,omitempty"`
+	SkipDiscovery bool `yaml:"skipDiscovery,omitempty"`
 	// JwksURL is the OpenID Connect JWKS URL
 	// eg: https://www.googleapis.com/oauth2/v3/certs
-	JwksURL string `json:"jwksURL,omitempty"`
+	JwksURL string `yaml:"jwksURL,omitempty"`
 	// PublicKeyFiles is a list of paths pointing to public key files in PEM format to use
 	// for verifying JWT tokens
-	PublicKeyFiles []string `json:"publicKeyFiles,omitempty"`
+	PublicKeyFiles []string `yaml:"publicKeyFiles,omitempty"`
 	// EmailClaim indicates which claim contains the user email,
 	// default set to 'email'
-	EmailClaim string `json:"emailClaim,omitempty"`
+	EmailClaim string `yaml:"emailClaim,omitempty"`
 	// GroupsClaim indicates which claim contains the user groups
 	// default set to 'groups'
-	GroupsClaim string `json:"groupsClaim,omitempty"`
+	GroupsClaim string `yaml:"groupsClaim,omitempty"`
 	// UserIDClaim indicates which claim contains the user ID
 	// default set to 'email'
-	UserIDClaim string `json:"userIDClaim,omitempty"`
+	UserIDClaim string `yaml:"userIDClaim,omitempty"`
 	// AudienceClaim allows to define any claim that is verified against the client id
 	// By default `aud` claim is used for verification.
-	AudienceClaims []string `json:"audienceClaims,omitempty"`
+	AudienceClaims []string `yaml:"audienceClaims,omitempty"`
 	// ExtraAudiences is a list of additional audiences that are allowed
 	// to pass verification in addition to the client id.
-	ExtraAudiences []string `json:"extraAudiences,omitempty"`
+	ExtraAudiences []string `yaml:"extraAudiences,omitempty"`
 }

 type LoginGovOptions struct {
 	// JWTKey is a private key in PEM format used to sign JWT,
-	JWTKey string `json:"jwtKey,omitempty"`
+	JWTKey string `yaml:"jwtKey,omitempty"`
 	// JWTKeyFile is a path to the private key file in PEM format used to sign the JWT
-	JWTKeyFile string `json:"jwtKeyFile,omitempty"`
+	JWTKeyFile string `yaml:"jwtKeyFile,omitempty"`
 	// PubJWKURL is the JWK pubkey access endpoint
-	PubJWKURL string `json:"pubjwkURL,omitempty"`
+	PubJWKURL string `yaml:"pubjwkURL,omitempty"`
 }

 func providerDefaults() Providers {
--- a/pkg/apis/options/secret_source.go
+++ b/pkg/apis/options/secret_source.go
@ -4,11 +4,11 @@ package options
 // Only one source within the struct should be defined at any time.
 type SecretSource struct {
 	// Value expects a base64 encoded string value.
-	Value string `json:"value,omitempty"`
+	Value string `yaml:"value,omitempty"`

 	// FromEnv expects the name of an environment variable.
-	FromEnv string `json:"fromEnv,omitempty"`
+	FromEnv string `yaml:"fromEnv,omitempty"`

 	// FromFile expects a path to a file containing the secret value.
-	FromFile string `json:"fromFile,omitempty"`
+	FromFile string `yaml:"fromFile,omitempty"`
 }
--- a/pkg/apis/options/server.go
+++ b/pkg/apis/options/server.go
@ -4,15 +4,15 @@ package options
 type Server struct {
 	// BindAddress is the address on which to serve traffic.
 	// Leave blank or set to "-" to disable.
-	BindAddress string
+	BindAddress string `yaml:"bindAddress,omitempty"`

 	// SecureBindAddress is the address on which to serve secure traffic.
 	// Leave blank or set to "-" to disable.
-	SecureBindAddress string
+	SecureBindAddress string `yaml:"secureBindAddress,omitempty"`

 	// TLS contains the information for loading the certificate and key for the
 	// secure traffic and further configuration for the TLS server.
-	TLS *TLS
+	TLS *TLS `yaml:"tls,omitempty"`
 }

 // TLS contains the information for loading a TLS certificate and key
@ -20,15 +20,15 @@ type Server struct {
 type TLS struct {
 	// Key is the TLS key data to use.
 	// Typically this will come from a file.
-	Key *SecretSource
+	Key *SecretSource `yaml:"key,omitempty"`

 	// Cert is the TLS certificate data to use.
 	// Typically this will come from a file.
-	Cert *SecretSource
+	Cert *SecretSource `yaml:"cert,omitempty"`

 	// MinVersion is the minimal TLS version that is acceptable.
 	// E.g. Set to "TLS1.3" to select TLS version 1.3
-	MinVersion string
+	MinVersion string `yaml:"minVersion,omitempty"`

 	// CipherSuites is a list of TLS cipher suites that are allowed.
 	// E.g.:
@ -36,5 +36,5 @@ type TLS struct {
 	// - TLS_RSA_WITH_AES_256_GCM_SHA384
 	// If not specified, the default Go safe cipher list is used.
 	// List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants).
-	CipherSuites []string
+	CipherSuites []string `yaml:"cipherSuites,omitempty"`
 }
--- a/pkg/apis/options/upstreams.go
+++ b/pkg/apis/options/upstreams.go
@ -14,11 +14,11 @@ const (
 type UpstreamConfig struct {
 	// ProxyRawPath will pass the raw url path to upstream allowing for urls
 	// like: "/%2F/" which would otherwise be redirected to "/"
-	ProxyRawPath bool `json:"proxyRawPath,omitempty"`
+	ProxyRawPath bool `yaml:"proxyRawPath,omitempty"`

 	// Upstreams represents the configuration for the upstream servers.
 	// Requests will be proxied to this upstream if the path matches the request path.
-	Upstreams []Upstream `json:"upstreams,omitempty"`
+	Upstreams []Upstream `yaml:"upstreams,omitempty"`
 }

 // Upstream represents the configuration for an upstream server.
@ -26,7 +26,7 @@ type UpstreamConfig struct {
 type Upstream struct {
 	// ID should be a unique identifier for the upstream.
 	// This value is required for all upstreams.
-	ID string `json:"id,omitempty"`
+	ID string `yaml:"id,omitempty"`

 	// Path is used to map requests to the upstream server.
 	// The closest match will take precedence and all Paths must be unique.
@ -36,7 +36,7 @@ type Upstream struct {
 	// - `^/foo$`: Match only the explicit path `/foo`
 	// - `^/bar/$`: Match any path prefixed with `/bar/`
 	// - `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget
-	Path string `json:"path,omitempty"`
+	Path string `yaml:"path,omitempty"`

 	// RewriteTarget allows users to rewrite the request path before it is sent to
 	// the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem
@ -46,7 +46,7 @@ type Upstream struct {
 	// the request `/baz/abc/123` to `/foo/abc/123` before proxying to the
 	// upstream server.  Or if the upstream were `file:///app`, a request for
 	// `/baz/info.html` would return the contents of the file `/app/foo/info.html`.
-	RewriteTarget string `json:"rewriteTarget,omitempty"`
+	RewriteTarget string `yaml:"rewriteTarget,omitempty"`

 	// The URI of the upstream server. This may be an HTTP(S) server of a File
 	// based URL. It may include a path, in which case all requests will be served
@ -58,43 +58,43 @@ type Upstream struct {
 	// - file://host/path
 	// If the URI's path is "/base" and the incoming request was for "/dir",
 	// the upstream request will be for "/base/dir".
-	URI string `json:"uri,omitempty"`
+	URI string `yaml:"uri,omitempty"`

 	// InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
 	// This option is insecure and will allow potential Man-In-The-Middle attacks
 	// between OAuth2 Proxy and the upstream server.
 	// Defaults to false.
-	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
+	InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"`

 	// Static will make all requests to this upstream have a static response.
 	// The response will have a body of "Authenticated" and a response code
 	// matching StaticCode.
 	// If StaticCode is not set, the response will return a 200 response.
-	Static bool `json:"static,omitempty"`
+	Static bool `yaml:"static,omitempty"`

 	// StaticCode determines the response code for the Static response.
 	// This option can only be used with Static enabled.
-	StaticCode *int `json:"staticCode,omitempty"`
+	StaticCode *int `yaml:"staticCode,omitempty"`

 	// FlushInterval is the period between flushing the response buffer when
 	// streaming response from the upstream.
 	// Defaults to 1 second.
-	FlushInterval *time.Duration `json:"flushInterval,omitempty"`
+	FlushInterval *time.Duration `yaml:"flushInterval,omitempty"`

 	// PassHostHeader determines whether the request host header should be proxied
 	// to the upstream server.
 	// Defaults to true.
-	PassHostHeader *bool `json:"passHostHeader,omitempty"`
+	PassHostHeader *bool `yaml:"passHostHeader,omitempty"`

 	// ProxyWebSockets enables proxying of websockets to upstream servers
 	// Defaults to true.
-	ProxyWebSockets *bool `json:"proxyWebSockets,omitempty"`
+	ProxyWebSockets *bool `yaml:"proxyWebSockets,omitempty"`

 	// Timeout is the maximum duration the server will wait for a response from the upstream server.
 	// Defaults to 30 seconds.
-	Timeout *time.Duration `json:"timeout,omitempty"`
+	Timeout *time.Duration `yaml:"timeout,omitempty"`

 	// DisableKeepAlives disables HTTP keep-alive connections to the upstream server.
 	// Defaults to false.
-	DisableKeepAlives bool `json:"disableKeepAlives,omitempty"`
+	DisableKeepAlives bool `yaml:"disableKeepAlives,omitempty"`
 }
--- a/pkg/requests/result_test.go
+++ b/pkg/requests/result_test.go
@ -104,8 +104,8 @@ var _ = Describe("Result suite", func() {

 	Context("UnmarshalInto", func() {
 		type testStruct struct {
-			A string `json:"a"`
-			B int    `json:"b"`
+			A string `yaml:"a"`
+			B int    `yaml:"b"`
 		}

 		type unmarshalIntoTableInput struct {