use official upstream yaml library v3

Signed-off-by: Jan Larwig <jan@larwig.com>
2025-02-09 17:23:03 +01:00 · 2025-02-09 17:23:03 +01:00 · c186d40675
parent 6720d8da60
commit c186d40675
16 changed files with 250 additions and 260 deletions
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@ -148,7 +148,7 @@ You must remove these options before starting OAuth2 Proxy with `--alpha-config`

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `skipScope` | _bool_ | Skip adding the scope parameter in login request<br/>Default value is 'false' |
+| `SkipScope` | _bool_ | Skip adding the scope parameter in login request<br/>Default value is 'false' |

 ### AlphaOptions

@ -163,12 +163,12 @@ They may change between releases without notice.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `upstreamConfig` | _[UpstreamConfig](#upstreamconfig)_ | UpstreamConfig is used to configure upstream servers.<br/>Once a user is authenticated, requests to the server will be proxied to<br/>these upstream servers based on the path mappings defined in this list. |
-| `injectRequestHeaders` | _[[]Header](#header)_ | InjectRequestHeaders is used to configure headers that should be added<br/>to requests to upstream servers.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
-| `injectResponseHeaders` | _[[]Header](#header)_ | InjectResponseHeaders is used to configure headers that should be added<br/>to responses from the proxy.<br/>This is typically used when using the proxy as an external authentication<br/>provider in conjunction with another proxy such as NGINX and its<br/>auth_request module.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
-| `server` | _[Server](#server)_ | Server is used to configure the HTTP(S) server for the proxy application.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
-| `metricsServer` | _[Server](#server)_ | MetricsServer is used to configure the HTTP(S) server for metrics.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
-| `providers` | _[Providers](#providers)_ | Providers is used to configure your provider. **Multiple-providers is not<br/>yet working.** [This feature is tracked in<br/>#925](https://github.com/oauth2-proxy/oauth2-proxy/issues/926) |
+| `UpstreamConfig` | _[UpstreamConfig](#upstreamconfig)_ | UpstreamConfig is used to configure upstream servers.<br/>Once a user is authenticated, requests to the server will be proxied to<br/>these upstream servers based on the path mappings defined in this list. |
+| `InjectRequestHeaders` | _[[]Header](#header)_ | InjectRequestHeaders is used to configure headers that should be added<br/>to requests to upstream servers.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
+| `InjectResponseHeaders` | _[[]Header](#header)_ | InjectResponseHeaders is used to configure headers that should be added<br/>to responses from the proxy.<br/>This is typically used when using the proxy as an external authentication<br/>provider in conjunction with another proxy such as NGINX and its<br/>auth_request module.<br/>Headers may source values from either the authenticated user's session<br/>or from a static secret value. |
+| `Server` | _[Server](#server)_ | Server is used to configure the HTTP(S) server for the proxy application.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
+| `MetricsServer` | _[Server](#server)_ | MetricsServer is used to configure the HTTP(S) server for metrics.<br/>You may choose to run both HTTP and HTTPS servers simultaneously.<br/>This can be done by setting the BindAddress and the SecureBindAddress simultaneously.<br/>To use the secure server you must configure a TLS certificate and key. |
+| `Providers` | _[Providers](#providers)_ | Providers is used to configure your provider. **Multiple-providers is not<br/>yet working.** [This feature is tracked in<br/>#925](https://github.com/oauth2-proxy/oauth2-proxy/issues/926) |

 ### AzureOptions

@ -178,8 +178,8 @@ They may change between releases without notice.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `tenant` | _string_ | Tenant directs to a tenant-specific or common (tenant-independent) endpoint<br/>Default value is 'common' |
-| `graphGroupField` | _string_ | GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph<br/>Default value is 'id' |
+| `Tenant` | _string_ | Tenant directs to a tenant-specific or common (tenant-independent) endpoint<br/>Default value is 'common' |
+| `GraphGroupField` | _string_ | GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph<br/>Default value is 'id' |

 ### BitbucketOptions

@ -189,8 +189,8 @@ They may change between releases without notice.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `team` | _string_ | Team sets restrict logins to members of this team |
-| `repository` | _string_ | Repository sets restrict logins to user with access to this repository |
+| `Team` | _string_ | Team sets restrict logins to members of this team |
+| `Repository` | _string_ | Repository sets restrict logins to user with access to this repository |

 ### ClaimSource

@ -200,9 +200,9 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
-| `prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
-| `basicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |
+| `Claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
+| `Prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
+| `BasicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |

 ### GitHubOptions

@ -212,11 +212,11 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `org` | _string_ | Org sets restrict logins to members of this organisation |
-| `team` | _string_ | Team sets restrict logins to members of this team |
-| `repo` | _string_ | Repo sets restrict logins to collaborators of this repository |
-| `token` | _string_ | Token is the token to use when verifying repository collaborators<br/>it must have push access to the repository |
-| `users` | _[]string_ | Users allows users with these usernames to login<br/>even if they do not belong to the specified org and team or collaborators |
+| `Org` | _string_ | Org sets restrict logins to members of this organisation |
+| `Team` | _string_ | Team sets restrict logins to members of this team |
+| `Repo` | _string_ | Repo sets restrict logins to collaborators of this repository |
+| `Token` | _string_ | Token is the token to use when verifying repository collaborators<br/>it must have push access to the repository |
+| `Users` | _[]string_ | Users allows users with these usernames to login<br/>even if they do not belong to the specified org and team or collaborators |

 ### GitLabOptions

@ -226,8 +226,8 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `group` | _[]string_ | Group sets restrict logins to members of this group |
-| `projects` | _[]string_ | Projects restricts logins to members of these projects |
+| `Group` | _[]string_ | Group sets restrict logins to members of this group |
+| `Projects` | _[]string_ | Projects restricts logins to members of these projects |

 ### GoogleOptions

@ -237,13 +237,13 @@ ClaimSource allows loading a header value from a claim within the session

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `group` | _[]string_ | Groups sets restrict logins to members of this Google group |
-| `adminEmail` | _string_ | AdminEmail is the Google admin to impersonate for api calls |
-| `serviceAccountJson` | _string_ | ServiceAccountJSON is the path to the service account json credentials |
-| `useApplicationDefaultCredentials` | _bool_ | UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON |
-| `targetPrincipal` | _string_ | TargetPrincipal is the Google Service Account used for Application Default Credentials |
-| `useOrganizationID` | _bool_ | UseOrganizationId indicates whether to use the organization ID as the UserName claim |
-| `adminAPIUserScope` | _string_ | admin scope needed for fetching user organization information from admin api, can be one of cloud, user or defaults to readonly |
+| `Groups` | _[]string_ | Groups sets restrict logins to members of this Google group |
+| `AdminEmail` | _string_ | AdminEmail is the Google admin to impersonate for api calls |
+| `ServiceAccountJSON` | _string_ | ServiceAccountJSON is the path to the service account json credentials |
+| `UseApplicationDefaultCredentials` | _bool_ | UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON |
+| `TargetPrincipal` | _string_ | TargetPrincipal is the Google Service Account used for Application Default Credentials |
+| `UseOrganizationID` | _bool_ | UseOrganizationId indicates whether to use the organization ID as the UserName claim |
+| `AdminAPIUserScope` | _string_ | admin scope needed for fetching user organization information from admin api, can be one of cloud, user or defaults to readonly |

 ### Header

@ -254,10 +254,10 @@ response header.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `name` | _string_ | Name is the header name to be used for this set of values.<br/>Names should be unique within a list of Headers. |
-| `preserveRequestValue` | _bool_ | PreserveRequestValue determines whether any values for this header<br/>should be preserved for the request to the upstream server.<br/>This option only applies to injected request headers.<br/>Defaults to false (headers that match this header will be stripped). |
+| `Name` | _string_ | Name is the header name to be used for this set of values.<br/>Names should be unique within a list of Headers. |
+| `PreserveRequestValue` | _bool_ | PreserveRequestValue determines whether any values for this header<br/>should be preserved for the request to the upstream server.<br/>This option only applies to injected request headers.<br/>Defaults to false (headers that match this header will be stripped). |
 | `InsecureSkipHeaderNormalization` | _bool_ | InsecureSkipHeaderNormalization disables normalizing the header name<br/>According to RFC 7230 Section 3.2 there aren't any rules about<br/>capitalization of header names, but the standard practice is to use<br/>Title-Case (e.g. X-Forwarded-For). By default, header names will be<br/>normalized to Title-Case and any incoming headers that match will be<br/>treated as the same header. Additionally underscores (_) in header names<br/>will be converted to dashes (-) when normalizing.<br/>Defaults to false (header names will be normalized). |
-| `values` | _[[]HeaderValue](#headervalue)_ | Values contains the desired values for this header |
+| `Values` | _[[]HeaderValue](#headervalue)_ | Values contains the desired values for this header |

 ### HeaderValue

@ -268,12 +268,12 @@ make up the header value

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `value` | _string_ | Value expects a base64 encoded string value. |
-| `fromEnv` | _string_ | FromEnv expects the name of an environment variable. |
-| `fromFile` | _string_ | FromFile expects a path to a file containing the secret value. |
-| `claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
-| `prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
-| `basicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |
+| `Value` | _string_ | Value expects a base64 encoded string value. |
+| `FromEnv` | _string_ | FromEnv expects the name of an environment variable. |
+| `FromFile` | _string_ | FromFile expects a path to a file containing the secret value. |
+| `Claim` | _string_ | Claim is the name of the claim in the session that the value should be<br/>loaded from. Available claims: `access_token` `id_token` `created_at`<br/>`expires_on` `refresh_token` `email` `user` `groups` `preferred_username`. |
+| `Prefix` | _string_ | Prefix is an optional prefix that will be prepended to the value of the<br/>claim if it is non-empty. |
+| `BasicAuthPassword` | _[SecretSource](#secretsource)_ | BasicAuthPassword converts this claim into a basic auth header.<br/>Note the value of claim will become the basic auth username and the<br/>basicAuthPassword will be used as the password value. |

 ### KeycloakOptions

@ -283,8 +283,8 @@ make up the header value

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `groups` | _[]string_ | Group enables to restrict login to members of indicated group |
-| `roles` | _[]string_ | Role enables to restrict login to users with role (only available when using the keycloak-oidc provider) |
+| `Groups` | _[]string_ | Group enables to restrict login to members of indicated group |
+| `Roles` | _[]string_ | Role enables to restrict login to users with role (only available when using the keycloak-oidc provider) |

 ### LoginGovOptions

@ -294,9 +294,9 @@ make up the header value

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `jwtKey` | _string_ | JWTKey is a private key in PEM format used to sign JWT, |
-| `jwtKeyFile` | _string_ | JWTKeyFile is a path to the private key file in PEM format used to sign the JWT |
-| `pubjwkURL` | _string_ | PubJWKURL is the JWK pubkey access endpoint |
+| `JWTKey` | _string_ | JWTKey is a private key in PEM format used to sign JWT, |
+| `JWTKeyFile` | _string_ | JWTKeyFile is a path to the private key file in PEM format used to sign the JWT |
+| `PubJWKURL` | _string_ | PubJWKURL is the JWK pubkey access endpoint |

 ### LoginURLParameter

@ -374,9 +374,9 @@ character.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `name` | _string_ | Name specifies the name of the query parameter. |
-| `default` | _[]string_ |  _(Optional)_ Default specifies a default value or values that will be<br/>passed to the IdP if not overridden. |
-| `allow` | _[[]URLParameterRule](#urlparameterrule)_ |  _(Optional)_ Allow specifies rules about how the default (if any) may be<br/>overridden via the query string to `/oauth2/start`.  Only<br/>values that match one or more of the allow rules will be<br/>forwarded to the IdP. |
+| `Name` | _string_ | Name specifies the name of the query parameter. |
+| `Default` | _[]string_ |  _(Optional)_ Default specifies a default value or values that will be<br/>passed to the IdP if not overridden. |
+| `Allow` | _[[]URLParameterRule](#urlparameterrule)_ |  _(Optional)_ Allow specifies rules about how the default (if any) may be<br/>overridden via the query string to `/oauth2/start`.  Only<br/>values that match one or more of the allow rules will be<br/>forwarded to the IdP. |

 ### MicrosoftEntraIDOptions

@ -386,8 +386,8 @@ character.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `allowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
-| `federatedTokenAuth` | _bool_ | FederatedTokenAuth enable oAuth2 client authentication with federated token projected<br/>by Entra Workload Identity plugin, instead of client secret. |
+| `AllowedTenants` | _[]string_ | AllowedTenants is a list of allowed tenants. In case of multi-tenant apps, incoming tokens are<br/>issued by different issuers and OIDC issuer verification needs to be disabled.<br/>When not specified, all tenants are allowed. Redundant for single-tenant apps<br/>(regular ID token validation matches the issuer). |
+| `FederatedTokenAuth` | _bool_ | FederatedTokenAuth enable oAuth2 client authentication with federated token projected<br/>by Entra Workload Identity plugin, instead of client secret. |

 ### OIDCOptions

@ -397,18 +397,18 @@ character.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `issuerURL` | _string_ | IssuerURL is the OpenID Connect issuer URL<br/>eg: https://accounts.google.com |
-| `insecureAllowUnverifiedEmail` | _bool_ | InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified<br/>default set to 'false' |
-| `insecureSkipIssuerVerification` | _bool_ | InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL<br/>default set to 'false' |
-| `insecureSkipNonce` | _bool_ | InsecureSkipNonce skips verifying the ID Token's nonce claim that must match<br/>the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked<br/>after the initial OAuth redeem & subsequent token refreshes.<br/>default set to 'true'<br/>Warning: In a future release, this will change to 'false' by default for enhanced security. |
-| `skipDiscovery` | _bool_ | SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints<br/>default set to 'false' |
-| `jwksURL` | _string_ | JwksURL is the OpenID Connect JWKS URL<br/>eg: https://www.googleapis.com/oauth2/v3/certs |
-| `publicKeyFiles` | _[]string_ | PublicKeyFiles is a list of paths pointing to public key files in PEM format to use<br/>for verifying JWT tokens |
-| `emailClaim` | _string_ | EmailClaim indicates which claim contains the user email,<br/>default set to 'email' |
-| `groupsClaim` | _string_ | GroupsClaim indicates which claim contains the user groups<br/>default set to 'groups' |
-| `userIDClaim` | _string_ | UserIDClaim indicates which claim contains the user ID<br/>default set to 'email' |
-| `audienceClaims` | _[]string_ | AudienceClaim allows to define any claim that is verified against the client id<br/>By default `aud` claim is used for verification. |
-| `extraAudiences` | _[]string_ | ExtraAudiences is a list of additional audiences that are allowed<br/>to pass verification in addition to the client id. |
+| `IssuerURL` | _string_ | IssuerURL is the OpenID Connect issuer URL<br/>eg: https://accounts.google.com |
+| `InsecureAllowUnverifiedEmail` | _bool_ | InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified<br/>default set to 'false' |
+| `InsecureSkipIssuerVerification` | _bool_ | InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL<br/>default set to 'false' |
+| `InsecureSkipNonce` | _bool_ | InsecureSkipNonce skips verifying the ID Token's nonce claim that must match<br/>the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked<br/>after the initial OAuth redeem & subsequent token refreshes.<br/>default set to 'true'<br/>Warning: In a future release, this will change to 'false' by default for enhanced security. |
+| `SkipDiscovery` | _bool_ | SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints<br/>default set to 'false' |
+| `JwksURL` | _string_ | JwksURL is the OpenID Connect JWKS URL<br/>eg: https://www.googleapis.com/oauth2/v3/certs |
+| `PublicKeyFiles` | _[]string_ | PublicKeyFiles is a list of paths pointing to public key files in PEM format to use<br/>for verifying JWT tokens |
+| `EmailClaim` | _string_ | EmailClaim indicates which claim contains the user email,<br/>default set to 'email' |
+| `GroupsClaim` | _string_ | GroupsClaim indicates which claim contains the user groups<br/>default set to 'groups' |
+| `UserIDClaim` | _string_ | UserIDClaim indicates which claim contains the user ID<br/>default set to 'email' |
+| `AudienceClaims` | _[]string_ | AudienceClaim allows to define any claim that is verified against the client id<br/>By default `aud` claim is used for verification. |
+| `ExtraAudiences` | _[]string_ | ExtraAudiences is a list of additional audiences that are allowed<br/>to pass verification in addition to the client id. |

 ### Provider

@ -418,36 +418,36 @@ Provider holds all configuration for a single provider

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `clientID` | _string_ | ClientID is the OAuth Client ID that is defined in the provider<br/>This value is required for all providers. |
-| `clientSecret` | _string_ | ClientSecret is the OAuth Client Secret that is defined in the provider<br/>This value is required for all providers. |
-| `clientSecretFile` | _string_ | ClientSecretFile is the name of the file<br/>containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
-| `keycloakConfig` | _[KeycloakOptions](#keycloakoptions)_ | KeycloakConfig holds all configurations for Keycloak provider. |
-| `azureConfig` | _[AzureOptions](#azureoptions)_ | AzureConfig holds all configurations for Azure provider. |
-| `microsoftEntraIDConfig` | _[MicrosoftEntraIDOptions](#microsoftentraidoptions)_ | MicrosoftEntraIDConfig holds all configurations for Entra ID provider. |
+| `ClientID` | _string_ | ClientID is the OAuth Client ID that is defined in the provider<br/>This value is required for all providers. |
+| `ClientSecret` | _string_ | ClientSecret is the OAuth Client Secret that is defined in the provider<br/>This value is required for all providers. |
+| `ClientSecretFile` | _string_ | ClientSecretFile is the name of the file<br/>containing the OAuth Client Secret, it will be used if ClientSecret is not set. |
+| `KeycloakConfig` | _[KeycloakOptions](#keycloakoptions)_ | KeycloakConfig holds all configurations for Keycloak provider. |
+| `AzureConfig` | _[AzureOptions](#azureoptions)_ | AzureConfig holds all configurations for Azure provider. |
+| `MicrosoftEntraIDConfig` | _[MicrosoftEntraIDOptions](#microsoftentraidoptions)_ | MicrosoftEntraIDConfig holds all configurations for Entra ID provider. |
 | `ADFSConfig` | _[ADFSOptions](#adfsoptions)_ | ADFSConfig holds all configurations for ADFS provider. |
-| `bitbucketConfig` | _[BitbucketOptions](#bitbucketoptions)_ | BitbucketConfig holds all configurations for Bitbucket provider. |
-| `githubConfig` | _[GitHubOptions](#githuboptions)_ | GitHubConfig holds all configurations for GitHubC provider. |
-| `gitlabConfig` | _[GitLabOptions](#gitlaboptions)_ | GitLabConfig holds all configurations for GitLab provider. |
-| `googleConfig` | _[GoogleOptions](#googleoptions)_ | GoogleConfig holds all configurations for Google provider. |
-| `oidcConfig` | _[OIDCOptions](#oidcoptions)_ | OIDCConfig holds all configurations for OIDC provider<br/>or providers utilize OIDC configurations. |
-| `loginGovConfig` | _[LoginGovOptions](#logingovoptions)_ | LoginGovConfig holds all configurations for LoginGov provider. |
-| `id` | _string_ | ID should be a unique identifier for the provider.<br/>This value is required for all providers. |
-| `provider` | _[ProviderType](#providertype)_ | Type is the OAuth provider<br/>must be set from the supported providers group,<br/>otherwise 'Google' is set as default |
-| `name` | _string_ | Name is the providers display name<br/>if set, it will be shown to the users in the login page. |
-| `caFiles` | _[]string_ | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.<br/>If not specified, the default Go trust sources are used instead |
-| `useSystemTrustStore` | _bool_ | UseSystemTrustStore determines if your custom CA files and the system trust store are used<br/>If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. |
-| `loginURL` | _string_ | LoginURL is the authentication endpoint |
-| `loginURLParameters` | _[[]LoginURLParameter](#loginurlparameter)_ | LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL |
-| `authRequestResponseMode` | _string_ | AuthRequestResponseMode defines the response mode to request during authorization request |
-| `redeemURL` | _string_ | RedeemURL is the token redemption endpoint |
-| `profileURL` | _string_ | ProfileURL is the profile access endpoint |
-| `skipClaimsFromProfileURL` | _bool_ | SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token<br/>default set to 'false' |
-| `resource` | _string_ | ProtectedResource is the resource that is protected (Azure AD and ADFS only) |
-| `validateURL` | _string_ | ValidateURL is the access token validation endpoint |
-| `scope` | _string_ | Scope is the OAuth scope specification |
-| `allowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
-| `code_challenge_method` | _string_ | The code challenge method |
-| `backendLogoutURL` | _string_ | URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session |
+| `BitbucketConfig` | _[BitbucketOptions](#bitbucketoptions)_ | BitbucketConfig holds all configurations for Bitbucket provider. |
+| `GitHubConfig` | _[GitHubOptions](#githuboptions)_ | GitHubConfig holds all configurations for GitHubC provider. |
+| `GitLabConfig` | _[GitLabOptions](#gitlaboptions)_ | GitLabConfig holds all configurations for GitLab provider. |
+| `GoogleConfig` | _[GoogleOptions](#googleoptions)_ | GoogleConfig holds all configurations for Google provider. |
+| `OIDCConfig` | _[OIDCOptions](#oidcoptions)_ | OIDCConfig holds all configurations for OIDC provider<br/>or providers utilize OIDC configurations. |
+| `LoginGovConfig` | _[LoginGovOptions](#logingovoptions)_ | LoginGovConfig holds all configurations for LoginGov provider. |
+| `ID` | _string_ | ID should be a unique identifier for the provider.<br/>This value is required for all providers. |
+| `Type` | _[ProviderType](#providertype)_ | Type is the OAuth provider<br/>must be set from the supported providers group,<br/>otherwise 'Google' is set as default |
+| `Name` | _string_ | Name is the providers display name<br/>if set, it will be shown to the users in the login page. |
+| `CAFiles` | _[]string_ | CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.<br/>If not specified, the default Go trust sources are used instead |
+| `UseSystemTrustStore` | _bool_ | UseSystemTrustStore determines if your custom CA files and the system trust store are used<br/>If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files. |
+| `LoginURL` | _string_ | LoginURL is the authentication endpoint |
+| `LoginURLParameters` | _[[]LoginURLParameter](#loginurlparameter)_ | LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL |
+| `AuthRequestResponseMode` | _string_ | AuthRequestResponseMode defines the response mode to request during authorization request |
+| `RedeemURL` | _string_ | RedeemURL is the token redemption endpoint |
+| `ProfileURL` | _string_ | ProfileURL is the profile access endpoint |
+| `SkipClaimsFromProfileURL` | _bool_ | SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token<br/>default set to 'false' |
+| `ProtectedResource` | _string_ | ProtectedResource is the resource that is protected (Azure AD and ADFS only) |
+| `ValidateURL` | _string_ | ValidateURL is the access token validation endpoint |
+| `Scope` | _string_ | Scope is the OAuth scope specification |
+| `AllowedGroups` | _[]string_ | AllowedGroups is a list of restrict logins to members of this group |
+| `CodeChallengeMethod` | _string_ | The code challenge method |
+| `BackendLogoutURL` | _string_ | URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session |

 ### ProviderType
 #### (`string` alias)
@ -480,9 +480,9 @@ Only one source within the struct should be defined at any time.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `value` | _string_ | Value expects a base64 encoded string value. |
-| `fromEnv` | _string_ | FromEnv expects the name of an environment variable. |
-| `fromFile` | _string_ | FromFile expects a path to a file containing the secret value. |
+| `Value` | _string_ | Value expects a base64 encoded string value. |
+| `FromEnv` | _string_ | FromEnv expects the name of an environment variable. |
+| `FromFile` | _string_ | FromFile expects a path to a file containing the secret value. |

 ### Server

@ -521,8 +521,8 @@ login URL.  Either Value or Pattern should be supplied, not both.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `value` | _string_ | A Value rule matches just this specific value |
-| `pattern` | _string_ | A Pattern rule gives a regular expression that must be matched by<br/>some substring of the value.  The expression is _not_ automatically<br/>anchored to the start and end of the value, if you _want_ to restrict<br/>the whole parameter value you must anchor it yourself with `^` and `$`. |
+| `Value` | _string_ | A Value rule matches just this specific value |
+| `Pattern` | _string_ | A Pattern rule gives a regular expression that must be matched by<br/>some substring of the value.  The expression is _not_ automatically<br/>anchored to the start and end of the value, if you _want_ to restrict<br/>the whole parameter value you must anchor it yourself with `^` and `$`. |

 ### Upstream

@ -533,18 +533,18 @@ Requests will be proxied to this upstream if the path matches the request path.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `id` | _string_ | ID should be a unique identifier for the upstream.<br/>This value is required for all upstreams. |
-| `path` | _string_ | Path is used to map requests to the upstream server.<br/>The closest match will take precedence and all Paths must be unique.<br/>Path can also take a pattern when used with RewriteTarget.<br/>Path segments can be captured and matched using regular experessions.<br/>Eg:<br/>- `^/foo$`: Match only the explicit path `/foo`<br/>- `^/bar/$`: Match any path prefixed with `/bar/`<br/>- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget |
-| `rewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem<br/>(for a `file:` upstream).<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server.  Or if the upstream were `file:///app`, a request for<br/>`/baz/info.html` would return the contents of the file `/app/foo/info.html`. |
-| `uri` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File<br/>based URL. It may include a path, in which case all requests will be served<br/>under that path.<br/>Eg:<br/>- http://localhost:8080<br/>- https://service.localhost<br/>- https://service.localhost/path<br/>- file://host/path<br/>If the URI's path is "/base" and the incoming request was for "/dir",<br/>the upstream request will be for "/base/dir". |
-| `insecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>between OAuth2 Proxy and the upstream server.<br/>Defaults to false. |
-| `static` | _bool_ | Static will make all requests to this upstream have a static response.<br/>The response will have a body of "Authenticated" and a response code<br/>matching StaticCode.<br/>If StaticCode is not set, the response will return a 200 response. |
-| `staticCode` | _int_ | StaticCode determines the response code for the Static response.<br/>This option can only be used with Static enabled. |
-| `flushInterval` | _duration_ | FlushInterval is the period between flushing the response buffer when<br/>streaming response from the upstream.<br/>Defaults to 1 second. |
-| `passHostHeader` | _bool_ | PassHostHeader determines whether the request host header should be proxied<br/>to the upstream server.<br/>Defaults to true. |
-| `proxyWebSockets` | _bool_ | ProxyWebSockets enables proxying of websockets to upstream servers<br/>Defaults to true. |
-| `timeout` | _duration_ | Timeout is the maximum duration the server will wait for a response from the upstream server.<br/>Defaults to 30 seconds. |
-| `disableKeepAlives` | _bool_ | DisableKeepAlives disables HTTP keep-alive connections to the upstream server.<br/>Defaults to false. |
+| `ID` | _string_ | ID should be a unique identifier for the upstream.<br/>This value is required for all upstreams. |
+| `Path` | _string_ | Path is used to map requests to the upstream server.<br/>The closest match will take precedence and all Paths must be unique.<br/>Path can also take a pattern when used with RewriteTarget.<br/>Path segments can be captured and matched using regular experessions.<br/>Eg:<br/>- `^/foo$`: Match only the explicit path `/foo`<br/>- `^/bar/$`: Match any path prefixed with `/bar/`<br/>- `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget |
+| `RewriteTarget` | _string_ | RewriteTarget allows users to rewrite the request path before it is sent to<br/>the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem<br/>(for a `file:` upstream).<br/>Use the Path to capture segments for reuse within the rewrite target.<br/>Eg: With a Path of `^/baz/(.*)`, a RewriteTarget of `/foo/$1` would rewrite<br/>the request `/baz/abc/123` to `/foo/abc/123` before proxying to the<br/>upstream server.  Or if the upstream were `file:///app`, a request for<br/>`/baz/info.html` would return the contents of the file `/app/foo/info.html`. |
+| `URI` | _string_ | The URI of the upstream server. This may be an HTTP(S) server of a File<br/>based URL. It may include a path, in which case all requests will be served<br/>under that path.<br/>Eg:<br/>- http://localhost:8080<br/>- https://service.localhost<br/>- https://service.localhost/path<br/>- file://host/path<br/>If the URI's path is "/base" and the incoming request was for "/dir",<br/>the upstream request will be for "/base/dir". |
+| `InsecureSkipTLSVerify` | _bool_ | InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.<br/>This option is insecure and will allow potential Man-In-The-Middle attacks<br/>between OAuth2 Proxy and the upstream server.<br/>Defaults to false. |
+| `Static` | _bool_ | Static will make all requests to this upstream have a static response.<br/>The response will have a body of "Authenticated" and a response code<br/>matching StaticCode.<br/>If StaticCode is not set, the response will return a 200 response. |
+| `StaticCode` | _int_ | StaticCode determines the response code for the Static response.<br/>This option can only be used with Static enabled. |
+| `FlushInterval` | _duration_ | FlushInterval is the period between flushing the response buffer when<br/>streaming response from the upstream.<br/>Defaults to 1 second. |
+| `PassHostHeader` | _bool_ | PassHostHeader determines whether the request host header should be proxied<br/>to the upstream server.<br/>Defaults to true. |
+| `ProxyWebSockets` | _bool_ | ProxyWebSockets enables proxying of websockets to upstream servers<br/>Defaults to true. |
+| `Timeout` | _duration_ | Timeout is the maximum duration the server will wait for a response from the upstream server.<br/>Defaults to 30 seconds. |
+| `DisableKeepAlives` | _bool_ | DisableKeepAlives disables HTTP keep-alive connections to the upstream server.<br/>Defaults to false. |

 ### UpstreamConfig

@ -554,5 +554,5 @@ UpstreamConfig is a collection of definitions for upstream servers.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `proxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for urls<br/>like: "/%2F/" which would otherwise be redirected to "/" |
-| `upstreams` | _[[]Upstream](#upstream)_ | Upstreams represents the configuration for the upstream servers.<br/>Requests will be proxied to this upstream if the path matches the request path. |
+| `ProxyRawPath` | _bool_ | ProxyRawPath will pass the raw url path to upstream allowing for urls<br/>like: "/%2F/" which would otherwise be redirected to "/" |
+| `Upstreams` | _[[]Upstream](#upstream)_ | Upstreams represents the configuration for the upstream servers.<br/>Requests will be proxied to this upstream if the path matches the request path. |
--- a/go.mod
+++ b/go.mod
@ -12,7 +12,6 @@ require (
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/go-jose/go-jose/v3 v3.0.4
 	github.com/go-viper/mapstructure/v2 v2.4.0
 	github.com/golang-jwt/jwt/v5 v5.2.3
@ -20,9 +19,10 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/justinas/alice v1.2.0
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.37.0
+	github.com/onsi/gomega v1.38.0
 	github.com/pierrec/lz4/v4 v4.1.22
 	github.com/prometheus/client_golang v1.22.0
 	github.com/redis/go-redis/v9 v9.11.0
@ -35,13 +35,14 @@ require (
 	golang.org/x/net v0.42.0
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.16.0
-	google.golang.org/api v0.242.0
+	google.golang.org/api v0.243.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/apimachinery v0.33.3
 )

 require (
-	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth v0.16.3 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@ -80,9 +81,7 @@ require (
 	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 // indirect
+	google.golang.org/grpc v1.74.2 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,5 +1,5 @@
-cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4=
-cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA=
+cloud.google.com/go/auth v0.16.3 h1:kabzoQ9/bobUmnseYnBO6qQG7q4a/CffFRlJSxv2wCc=
+cloud.google.com/go/auth v0.16.3/go.mod h1:NucRGjaXfzP1ltpcQ7On/VTZ0H4kWB5Jy+Y9Dnm76fA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
@ -44,8 +44,6 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 h1:Arcl6UOIS/kgO2nW3A65HN+7CMjSDP/gofXL4CZt1V4=
-github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
 github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
@ -93,16 +91,16 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa h1:hI1uC2A3vJFjwvBn0G0a7QBRdBUp6Y048BtLAHRTKPo=
-github.com/mbland/hmacauth v0.0.0-20170912233209-44256dfd4bfa/go.mod h1:8vxFeeg++MqgCHwehSuwTlYCF0ALyDJbYJ1JsKi7v6s=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk=
 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
+github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
@ -138,8 +136,6 @@ github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
 github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@ -227,16 +223,16 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
 golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.242.0 h1:7Lnb1nfnpvbkCiZek6IXKdJ0MFuAZNAJKQfA1ws62xg=
-google.golang.org/api v0.242.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
+google.golang.org/api v0.243.0 h1:sw+ESIJ4BVnlJcWu9S+p2Z6Qq1PjG77T8IJ1xtp4jZQ=
+google.golang.org/api v0.243.0/go.mod h1:GE4QtYfaybx1KmeHMdBnNnyLzBZCVihGBXAmJu/uUr8=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 h1:qJW29YvkiJmXOYMu5Tf8lyrTp3dOS+K4z6IixtLaCf8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
+google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -244,9 +240,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/main.go
+++ b/main.go
@ -5,12 +5,12 @@ import (
 	"os"
 	"runtime"

-	"github.com/ghodss/yaml"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/version"
 	"github.com/spf13/pflag"
+	"gopkg.in/yaml.v3"
 )

 func main() {
--- a/main_test.go
+++ b/main_test.go
@ -2,9 +2,7 @@ package main

 import (
 	"errors"
-	"fmt"
 	"os"
-	"strings"
 	"time"

 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
@ -256,7 +254,7 @@ redirect_url="http://localhost:4180/oauth2/callback"
 			configContent:      testCoreConfig,
 			alphaConfigContent: testAlphaConfig + ":",
 			expectedOptions:    func() *options.Options { return nil },
-			expectedErr:        fmt.Errorf("failed to load alpha options: error unmarshalling config: error converting YAML to JSON: yaml: line %d: did not find expected key", strings.Count(testAlphaConfig, "\n")),
+			expectedErr:        errors.New("failed to load alpha options: error unmarshalling config: yaml: line 1: did not find expected key"),
 		}),
 		Entry("with alpha configuration and bad core configuration", loadConfigurationTableInput{
 			configContent:      testCoreConfig + "unknown_field=\"something\"",
--- a/pkg/apis/options/alpha_options.go
+++ b/pkg/apis/options/alpha_options.go
@ -12,13 +12,13 @@ type AlphaOptions struct {
 	// UpstreamConfig is used to configure upstream servers.
 	// Once a user is authenticated, requests to the server will be proxied to
 	// these upstream servers based on the path mappings defined in this list.
-	UpstreamConfig UpstreamConfig `json:"upstreamConfig,omitempty"`
+	UpstreamConfig UpstreamConfig `yaml:"upstreamConfig,omitempty"`

 	// InjectRequestHeaders is used to configure headers that should be added
 	// to requests to upstream servers.
 	// Headers may source values from either the authenticated user's session
 	// or from a static secret value.
-	InjectRequestHeaders []Header `json:"injectRequestHeaders,omitempty"`
+	InjectRequestHeaders []Header `yaml:"injectRequestHeaders,omitempty"`

 	// InjectResponseHeaders is used to configure headers that should be added
 	// to responses from the proxy.
@ -27,24 +27,24 @@ type AlphaOptions struct {
 	// auth_request module.
 	// Headers may source values from either the authenticated user's session
 	// or from a static secret value.
-	InjectResponseHeaders []Header `json:"injectResponseHeaders,omitempty"`
+	InjectResponseHeaders []Header `yaml:"injectResponseHeaders,omitempty"`

 	// Server is used to configure the HTTP(S) server for the proxy application.
 	// You may choose to run both HTTP and HTTPS servers simultaneously.
 	// This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
 	// To use the secure server you must configure a TLS certificate and key.
-	Server Server `json:"server,omitempty"`
+	Server Server `yaml:"server,omitempty"`

 	// MetricsServer is used to configure the HTTP(S) server for metrics.
 	// You may choose to run both HTTP and HTTPS servers simultaneously.
 	// This can be done by setting the BindAddress and the SecureBindAddress simultaneously.
 	// To use the secure server you must configure a TLS certificate and key.
-	MetricsServer Server `json:"metricsServer,omitempty"`
+	MetricsServer Server `yaml:"metricsServer,omitempty"`

 	// Providers is used to configure your provider. **Multiple-providers is not
 	// yet working.** [This feature is tracked in
 	// #925](https://github.com/oauth2-proxy/oauth2-proxy/issues/926)
-	Providers Providers `json:"providers,omitempty"`
+	Providers Providers `yaml:"providers,omitempty"`
 }

 // Initialize alpha options with default values and settings of the core options
--- a/pkg/apis/options/duration_test.go
+++ b/pkg/apis/options/duration_test.go
@ -7,7 +7,7 @@ import (

 func TestDecode(t *testing.T) {
 	type result struct {
-		Duration time.Duration `json:"duration"`
+		Duration time.Duration `yaml:"duration"`
 	}

 	tests := []struct {
@ -64,7 +64,7 @@ func TestDecode(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var result struct {
-				Duration time.Duration `json:"duration"`
+				Duration time.Duration `yaml:"duration"`
 			}

 			err := Decode(tt.input, &result)
--- a/pkg/apis/options/header.go
+++ b/pkg/apis/options/header.go
@ -5,13 +5,13 @@ package options
 type Header struct {
 	// Name is the header name to be used for this set of values.
 	// Names should be unique within a list of Headers.
-	Name string `json:"name,omitempty"`
+	Name string `yaml:"name,omitempty"`

 	// PreserveRequestValue determines whether any values for this header
 	// should be preserved for the request to the upstream server.
 	// This option only applies to injected request headers.
 	// Defaults to false (headers that match this header will be stripped).
-	PreserveRequestValue bool `json:"preserveRequestValue,omitempty"`
+	PreserveRequestValue bool `yaml:"preserveRequestValue,omitempty"`

 	// InsecureSkipHeaderNormalization disables normalizing the header name
 	// According to RFC 7230 Section 3.2 there aren't any rules about
@ -24,17 +24,17 @@ type Header struct {
 	InsecureSkipHeaderNormalization bool `json:"InsecureSkipHeaderNormalization,omitempty"`

 	// Values contains the desired values for this header
-	Values []HeaderValue `json:"values,omitempty"`
+	Values []HeaderValue `yaml:"values,omitempty"`
 }

 // HeaderValue represents a single header value and the sources that can
 // make up the header value
 type HeaderValue struct {
 	// Allow users to load the value from a secret source
-	*SecretSource `json:"secretSource,omitempty"`
+	*SecretSource `yaml:"secretSource,omitempty"`

 	// Allow users to load the value from a session claim
-	*ClaimSource `json:"claimSource,omitempty"`
+	*ClaimSource `yaml:"claimSource,omitempty"`
 }

 // ClaimSource allows loading a header value from a claim within the session
@ -42,14 +42,14 @@ type ClaimSource struct {
 	// Claim is the name of the claim in the session that the value should be
 	// loaded from. Available claims: `access_token` `id_token` `created_at`
 	// `expires_on` `refresh_token` `email` `user` `groups` `preferred_username`.
-	Claim string `json:"claim,omitempty"`
+	Claim string `yaml:"claim,omitempty"`

 	// Prefix is an optional prefix that will be prepended to the value of the
 	// claim if it is non-empty.
-	Prefix string `json:"prefix,omitempty"`
+	Prefix string `yaml:"prefix,omitempty"`

 	// BasicAuthPassword converts this claim into a basic auth header.
 	// Note the value of claim will become the basic auth username and the
 	// basicAuthPassword will be used as the password value.
-	BasicAuthPassword *SecretSource `json:"basicAuthPassword,omitempty"`
+	BasicAuthPassword *SecretSource `yaml:"basicAuthPassword,omitempty"`
 }
--- a/pkg/apis/options/load.go
+++ b/pkg/apis/options/load.go
@ -9,10 +9,10 @@ import (
 	"strings"

 	"github.com/a8m/envsubst"
-	"github.com/ghodss/yaml"
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
+	"gopkg.in/yaml.v3"
 )

 // Load reads in the config file at the path given, then merges in environment
@ -92,7 +92,7 @@ func Decode(input interface{}, result interface{}) error {
 		DecodeHook:           mapstructure.ComposeDecodeHookFunc(toDurationHookFunc()),
 		Metadata:             nil,    // Don't track any metadata
 		Result:               result, // Decode the result into the prefilled options
-		TagName:              "json", // Parse all fields that use the json tag
+		TagName:              "yaml", // Parse all fields that use the json tag
 		ZeroFields:           false,  // Don't clean the default values from the result map (options)
 		ErrorUnused:          true,   // Throw an error if keys have been used that aren't mapped to any struct fields
 		IgnoreUntaggedFields: true,   // Ignore fields in structures that aren't tagged with json
--- a/pkg/apis/options/load_test.go
+++ b/pkg/apis/options/load_test.go
@ -355,15 +355,15 @@ var _ = Describe("Load", func() {
 var _ = Describe("LoadYAML", func() {
 	Context("with a testOptions structure", func() {
 		type TestOptionSubStruct struct {
-			StringSliceOption []string `json:"stringSliceOption,omitempty"`
+			StringSliceOption []string `yaml:"stringSliceOption,omitempty"`
 		}

 		type TestOptions struct {
-			StringOption string              `json:"stringOption,omitempty"`
-			Sub          TestOptionSubStruct `json:"sub,omitempty"`
+			StringOption string              `yaml:"stringOption,omitempty"`
+			Sub          TestOptionSubStruct `yaml:"sub,omitempty"`

 			// Check that embedded fields can be unmarshalled
-			TestOptionSubStruct `json:",inline,squash"`
+			TestOptionSubStruct `yaml:",inline,squash"`
 		}

 		var testOptionsConfigBytesFull = []byte(`
@ -445,7 +445,7 @@ sub:
 				configFile:     []byte("\tfoo: bar"),
 				input:          &TestOptions{},
 				expectedOutput: &TestOptions{},
-				expectedErr:    errors.New("error unmarshalling config: error converting YAML to JSON: yaml: found character that cannot start any token"),
+				expectedErr:    errors.New("error unmarshalling config: yaml: found character that cannot start any token"),
 			}),
 			Entry("with extra fields in the YAML", loadYAMLTableInput{
 				configFile: append(testOptionsConfigBytesFull, []byte("foo: bar\n")...),
--- a/pkg/apis/options/login_url_parameters.go
+++ b/pkg/apis/options/login_url_parameters.go
@ -71,19 +71,19 @@ package options
 // character.
 type LoginURLParameter struct {
 	// Name specifies the name of the query parameter.
-	Name string `json:"name"`
+	Name string `yaml:"name"`

 	// Default specifies a default value or values that will be
 	// passed to the IdP if not overridden.
 	//+optional
-	Default []string `json:"default,omitempty"`
+	Default []string `yaml:"default,omitempty"`

 	// Allow specifies rules about how the default (if any) may be
 	// overridden via the query string to `/oauth2/start`.  Only
 	// values that match one or more of the allow rules will be
 	// forwarded to the IdP.
 	//+optional
-	Allow []URLParameterRule `json:"allow,omitempty"`
+	Allow []URLParameterRule `yaml:"allow,omitempty"`
 }

 // URLParameterRule represents a rule by which query parameters
@ -92,11 +92,11 @@ type LoginURLParameter struct {
 // login URL.  Either Value or Pattern should be supplied, not both.
 type URLParameterRule struct {
 	// A Value rule matches just this specific value
-	Value *string `json:"value,omitempty"`
+	Value *string `yaml:"value,omitempty"`

 	// A Pattern rule gives a regular expression that must be matched by
 	// some substring of the value.  The expression is _not_ automatically
 	// anchored to the start and end of the value, if you _want_ to restrict
 	// the whole parameter value you must anchor it yourself with `^` and `$`.
-	Pattern *string `json:"pattern,omitempty"`
+	Pattern *string `yaml:"pattern,omitempty"`
 }
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@ -22,78 +22,78 @@ type Providers []Provider
 type Provider struct {
 	// ClientID is the OAuth Client ID that is defined in the provider
 	// This value is required for all providers.
-	ClientID string `json:"clientID,omitempty"`
+	ClientID string `yaml:"clientID,omitempty"`
 	// ClientSecret is the OAuth Client Secret that is defined in the provider
 	// This value is required for all providers.
-	ClientSecret string `json:"clientSecret,omitempty"`
+	ClientSecret string `yaml:"clientSecret,omitempty"`
 	// ClientSecretFile is the name of the file
 	// containing the OAuth Client Secret, it will be used if ClientSecret is not set.
-	ClientSecretFile string `json:"clientSecretFile,omitempty"`
+	ClientSecretFile string `yaml:"clientSecretFile,omitempty"`

 	// KeycloakConfig holds all configurations for Keycloak provider.
-	KeycloakConfig KeycloakOptions `json:"keycloakConfig,omitempty"`
+	KeycloakConfig KeycloakOptions `yaml:"keycloakConfig,omitempty"`
 	// AzureConfig holds all configurations for Azure provider.
-	AzureConfig AzureOptions `json:"azureConfig,omitempty"`
+	AzureConfig AzureOptions `yaml:"azureConfig,omitempty"`
 	// MicrosoftEntraIDConfig holds all configurations for Entra ID provider.
-	MicrosoftEntraIDConfig MicrosoftEntraIDOptions `json:"microsoftEntraIDConfig,omitempty"`
+	MicrosoftEntraIDConfig MicrosoftEntraIDOptions `yaml:"microsoftEntraIDConfig,omitempty"`
 	// ADFSConfig holds all configurations for ADFS provider.
-	ADFSConfig ADFSOptions `json:"ADFSConfig,omitempty"`
+	ADFSConfig ADFSOptions `yaml:"ADFSConfig,omitempty"`
 	// BitbucketConfig holds all configurations for Bitbucket provider.
-	BitbucketConfig BitbucketOptions `json:"bitbucketConfig,omitempty"`
+	BitbucketConfig BitbucketOptions `yaml:"bitbucketConfig,omitempty"`
 	// GitHubConfig holds all configurations for GitHubC provider.
-	GitHubConfig GitHubOptions `json:"githubConfig,omitempty"`
+	GitHubConfig GitHubOptions `yaml:"githubConfig,omitempty"`
 	// GitLabConfig holds all configurations for GitLab provider.
-	GitLabConfig GitLabOptions `json:"gitlabConfig,omitempty"`
+	GitLabConfig GitLabOptions `yaml:"gitlabConfig,omitempty"`
 	// GoogleConfig holds all configurations for Google provider.
-	GoogleConfig GoogleOptions `json:"googleConfig,omitempty"`
+	GoogleConfig GoogleOptions `yaml:"googleConfig,omitempty"`
 	// OIDCConfig holds all configurations for OIDC provider
 	// or providers utilize OIDC configurations.
-	OIDCConfig OIDCOptions `json:"oidcConfig,omitempty"`
+	OIDCConfig OIDCOptions `yaml:"oidcConfig,omitempty"`
 	// LoginGovConfig holds all configurations for LoginGov provider.
-	LoginGovConfig LoginGovOptions `json:"loginGovConfig,omitempty"`
+	LoginGovConfig LoginGovOptions `yaml:"loginGovConfig,omitempty"`

 	// ID should be a unique identifier for the provider.
 	// This value is required for all providers.
-	ID string `json:"id,omitempty"`
+	ID string `yaml:"id,omitempty"`
 	// Type is the OAuth provider
 	// must be set from the supported providers group,
 	// otherwise 'Google' is set as default
-	Type ProviderType `json:"provider,omitempty"`
+	Type ProviderType `yaml:"provider,omitempty"`
 	// Name is the providers display name
 	// if set, it will be shown to the users in the login page.
-	Name string `json:"name,omitempty"`
+	Name string `yaml:"name,omitempty"`
 	// CAFiles is a list of paths to CA certificates that should be used when connecting to the provider.
 	// If not specified, the default Go trust sources are used instead
-	CAFiles []string `json:"caFiles,omitempty"`
+	CAFiles []string `yaml:"caFiles,omitempty"`
 	// UseSystemTrustStore determines if your custom CA files and the system trust store are used
 	// If set to true, your custom CA files and the system trust store are used otherwise only your custom CA files.
-	UseSystemTrustStore bool `json:"useSystemTrustStore,omitempty"`
+	UseSystemTrustStore bool `yaml:"useSystemTrustStore,omitempty"`
 	// LoginURL is the authentication endpoint
-	LoginURL string `json:"loginURL,omitempty"`
+	LoginURL string `yaml:"loginURL,omitempty"`
 	// LoginURLParameters defines the parameters that can be passed from the start URL to the IdP login URL
-	LoginURLParameters []LoginURLParameter `json:"loginURLParameters,omitempty"`
+	LoginURLParameters []LoginURLParameter `yaml:"loginURLParameters,omitempty"`
 	// AuthRequestResponseMode defines the response mode to request during authorization request
-	AuthRequestResponseMode string `json:"authRequestResponseMode,omitempty"`
+	AuthRequestResponseMode string `yaml:"authRequestResponseMode,omitempty"`
 	// RedeemURL is the token redemption endpoint
-	RedeemURL string `json:"redeemURL,omitempty"`
+	RedeemURL string `yaml:"redeemURL,omitempty"`
 	// ProfileURL is the profile access endpoint
-	ProfileURL string `json:"profileURL,omitempty"`
+	ProfileURL string `yaml:"profileURL,omitempty"`
 	// SkipClaimsFromProfileURL allows to skip request to Profile URL for resolving claims not present in id_token
 	// default set to 'false'
-	SkipClaimsFromProfileURL bool `json:"skipClaimsFromProfileURL,omitempty"`
+	SkipClaimsFromProfileURL bool `yaml:"skipClaimsFromProfileURL,omitempty"`
 	// ProtectedResource is the resource that is protected (Azure AD and ADFS only)
-	ProtectedResource string `json:"resource,omitempty"`
+	ProtectedResource string `yaml:"resource,omitempty"`
 	// ValidateURL is the access token validation endpoint
-	ValidateURL string `json:"validateURL,omitempty"`
+	ValidateURL string `yaml:"validateURL,omitempty"`
 	// Scope is the OAuth scope specification
-	Scope string `json:"scope,omitempty"`
+	Scope string `yaml:"scope,omitempty"`
 	// AllowedGroups is a list of restrict logins to members of this group
-	AllowedGroups []string `json:"allowedGroups,omitempty"`
+	AllowedGroups []string `yaml:"allowedGroups,omitempty"`
 	// The code challenge method
-	CodeChallengeMethod string `json:"code_challenge_method,omitempty"`
+	CodeChallengeMethod string `yaml:"code_challenge_method,omitempty"`

 	// URL to call to perform backend logout, `{id_token}` would be replaced by the actual `id_token` if available in the session
-	BackendLogoutURL string `json:"backendLogoutURL"`
+	BackendLogoutURL string `yaml:"backendLogoutURL"`
 }

 // ProviderType is used to enumerate the different provider type options
@ -157,19 +157,19 @@ const (

 type KeycloakOptions struct {
 	// Group enables to restrict login to members of indicated group
-	Groups []string `json:"groups,omitempty"`
+	Groups []string `yaml:"groups,omitempty"`

 	// Role enables to restrict login to users with role (only available when using the keycloak-oidc provider)
-	Roles []string `json:"roles,omitempty"`
+	Roles []string `yaml:"roles,omitempty"`
 }

 type AzureOptions struct {
 	// Tenant directs to a tenant-specific or common (tenant-independent) endpoint
 	// Default value is 'common'
-	Tenant string `json:"tenant,omitempty"`
+	Tenant string `yaml:"tenant,omitempty"`
 	// GraphGroupField configures the group field to be used when building the groups list from Microsoft Graph
 	// Default value is 'id'
-	GraphGroupField string `json:"graphGroupField,omitempty"`
+	GraphGroupField string `yaml:"graphGroupField,omitempty"`
 }

 type MicrosoftEntraIDOptions struct {
@ -177,114 +177,114 @@ type MicrosoftEntraIDOptions struct {
 	// issued by different issuers and OIDC issuer verification needs to be disabled.
 	// When not specified, all tenants are allowed. Redundant for single-tenant apps
 	// (regular ID token validation matches the issuer).
-	AllowedTenants []string `json:"allowedTenants,omitempty"`
+	AllowedTenants []string `yaml:"allowedTenants,omitempty"`

 	// FederatedTokenAuth enable oAuth2 client authentication with federated token projected
 	// by Entra Workload Identity plugin, instead of client secret.
-	FederatedTokenAuth bool `json:"federatedTokenAuth,omitempty"`
+	FederatedTokenAuth bool `yaml:"federatedTokenAuth,omitempty"`
 }

 type ADFSOptions struct {
 	// Skip adding the scope parameter in login request
 	// Default value is 'false'
-	SkipScope bool `json:"skipScope,omitempty"`
+	SkipScope bool `yaml:"skipScope,omitempty"`
 }

 type BitbucketOptions struct {
 	// Team sets restrict logins to members of this team
-	Team string `json:"team,omitempty"`
+	Team string `yaml:"team,omitempty"`
 	// Repository sets restrict logins to user with access to this repository
-	Repository string `json:"repository,omitempty"`
+	Repository string `yaml:"repository,omitempty"`
 }

 type GitHubOptions struct {
 	// Org sets restrict logins to members of this organisation
-	Org string `json:"org,omitempty"`
+	Org string `yaml:"org,omitempty"`
 	// Team sets restrict logins to members of this team
-	Team string `json:"team,omitempty"`
+	Team string `yaml:"team,omitempty"`
 	// Repo sets restrict logins to collaborators of this repository
-	Repo string `json:"repo,omitempty"`
+	Repo string `yaml:"repo,omitempty"`
 	// Token is the token to use when verifying repository collaborators
 	// it must have push access to the repository
-	Token string `json:"token,omitempty"`
+	Token string `yaml:"token,omitempty"`
 	// Users allows users with these usernames to login
 	// even if they do not belong to the specified org and team or collaborators
-	Users []string `json:"users,omitempty"`
+	Users []string `yaml:"users,omitempty"`
 }

 type GitLabOptions struct {
 	// Group sets restrict logins to members of this group
-	Group []string `json:"group,omitempty"`
+	Group []string `yaml:"group,omitempty"`
 	// Projects restricts logins to members of these projects
-	Projects []string `json:"projects,omitempty"`
+	Projects []string `yaml:"projects,omitempty"`
 }

 type GoogleOptions struct {
 	// Groups sets restrict logins to members of this Google group
-	Groups []string `json:"group,omitempty"`
+	Groups []string `yaml:"group,omitempty"`
 	// AdminEmail is the Google admin to impersonate for api calls
-	AdminEmail string `json:"adminEmail,omitempty"`
+	AdminEmail string `yaml:"adminEmail,omitempty"`
 	// ServiceAccountJSON is the path to the service account json credentials
-	ServiceAccountJSON string `json:"serviceAccountJson,omitempty"`
+	ServiceAccountJSON string `yaml:"serviceAccountJson,omitempty"`
 	// UseApplicationDefaultCredentials is a boolean whether to use Application Default Credentials instead of a ServiceAccountJSON
-	UseApplicationDefaultCredentials bool `json:"useApplicationDefaultCredentials,omitempty"`
+	UseApplicationDefaultCredentials bool `yaml:"useApplicationDefaultCredentials,omitempty"`
 	// TargetPrincipal is the Google Service Account used for Application Default Credentials
-	TargetPrincipal string `json:"targetPrincipal,omitempty"`
+	TargetPrincipal string `yaml:"targetPrincipal,omitempty"`
 	// UseOrganizationId indicates whether to use the organization ID as the UserName claim
-	UseOrganizationID bool `json:"useOrganizationID,omitempty"`
+	UseOrganizationID bool `yaml:"useOrganizationID,omitempty"`
 	// admin scope needed for fetching user organization information from admin api, can be one of cloud, user or defaults to readonly
-	AdminAPIUserScope string `json:"adminAPIUserScope,omitempty"`
+	AdminAPIUserScope string `yaml:"adminAPIUserScope,omitempty"`
 }

 type OIDCOptions struct {
 	// IssuerURL is the OpenID Connect issuer URL
 	// eg: https://accounts.google.com
-	IssuerURL string `json:"issuerURL,omitempty"`
+	IssuerURL string `yaml:"issuerURL,omitempty"`
 	// InsecureAllowUnverifiedEmail prevents failures if an email address in an id_token is not verified
 	// default set to 'false'
-	InsecureAllowUnverifiedEmail bool `json:"insecureAllowUnverifiedEmail"`
+	InsecureAllowUnverifiedEmail bool `yaml:"insecureAllowUnverifiedEmail"`
 	// InsecureSkipIssuerVerification skips verification of ID token issuers. When false, ID Token Issuers must match the OIDC discovery URL
 	// default set to 'false'
-	InsecureSkipIssuerVerification bool `json:"insecureSkipIssuerVerification"`
+	InsecureSkipIssuerVerification bool `yaml:"insecureSkipIssuerVerification"`
 	// InsecureSkipNonce skips verifying the ID Token's nonce claim that must match
 	// the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked
 	// after the initial OAuth redeem & subsequent token refreshes.
 	// default set to 'true'
 	// Warning: In a future release, this will change to 'false' by default for enhanced security.
-	InsecureSkipNonce bool `json:"insecureSkipNonce"`
+	InsecureSkipNonce bool `yaml:"insecureSkipNonce"`
 	// SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
 	// default set to 'false'
-	SkipDiscovery bool `json:"skipDiscovery,omitempty"`
+	SkipDiscovery bool `yaml:"skipDiscovery,omitempty"`
 	// JwksURL is the OpenID Connect JWKS URL
 	// eg: https://www.googleapis.com/oauth2/v3/certs
-	JwksURL string `json:"jwksURL,omitempty"`
+	JwksURL string `yaml:"jwksURL,omitempty"`
 	// PublicKeyFiles is a list of paths pointing to public key files in PEM format to use
 	// for verifying JWT tokens
-	PublicKeyFiles []string `json:"publicKeyFiles,omitempty"`
+	PublicKeyFiles []string `yaml:"publicKeyFiles,omitempty"`
 	// EmailClaim indicates which claim contains the user email,
 	// default set to 'email'
-	EmailClaim string `json:"emailClaim,omitempty"`
+	EmailClaim string `yaml:"emailClaim,omitempty"`
 	// GroupsClaim indicates which claim contains the user groups
 	// default set to 'groups'
-	GroupsClaim string `json:"groupsClaim,omitempty"`
+	GroupsClaim string `yaml:"groupsClaim,omitempty"`
 	// UserIDClaim indicates which claim contains the user ID
 	// default set to 'email'
-	UserIDClaim string `json:"userIDClaim,omitempty"`
+	UserIDClaim string `yaml:"userIDClaim,omitempty"`
 	// AudienceClaim allows to define any claim that is verified against the client id
 	// By default `aud` claim is used for verification.
-	AudienceClaims []string `json:"audienceClaims,omitempty"`
+	AudienceClaims []string `yaml:"audienceClaims,omitempty"`
 	// ExtraAudiences is a list of additional audiences that are allowed
 	// to pass verification in addition to the client id.
-	ExtraAudiences []string `json:"extraAudiences,omitempty"`
+	ExtraAudiences []string `yaml:"extraAudiences,omitempty"`
 }

 type LoginGovOptions struct {
 	// JWTKey is a private key in PEM format used to sign JWT,
-	JWTKey string `json:"jwtKey,omitempty"`
+	JWTKey string `yaml:"jwtKey,omitempty"`
 	// JWTKeyFile is a path to the private key file in PEM format used to sign the JWT
-	JWTKeyFile string `json:"jwtKeyFile,omitempty"`
+	JWTKeyFile string `yaml:"jwtKeyFile,omitempty"`
 	// PubJWKURL is the JWK pubkey access endpoint
-	PubJWKURL string `json:"pubjwkURL,omitempty"`
+	PubJWKURL string `yaml:"pubjwkURL,omitempty"`
 }

 func providerDefaults() Providers {
--- a/pkg/apis/options/secret_source.go
+++ b/pkg/apis/options/secret_source.go
@ -4,11 +4,11 @@ package options
 // Only one source within the struct should be defined at any time.
 type SecretSource struct {
 	// Value expects a base64 encoded string value.
-	Value string `json:"value,omitempty"`
+	Value string `yaml:"value,omitempty"`

 	// FromEnv expects the name of an environment variable.
-	FromEnv string `json:"fromEnv,omitempty"`
+	FromEnv string `yaml:"fromEnv,omitempty"`

 	// FromFile expects a path to a file containing the secret value.
-	FromFile string `json:"fromFile,omitempty"`
+	FromFile string `yaml:"fromFile,omitempty"`
 }
--- a/pkg/apis/options/server.go
+++ b/pkg/apis/options/server.go
@ -4,15 +4,15 @@ package options
 type Server struct {
 	// BindAddress is the address on which to serve traffic.
 	// Leave blank or set to "-" to disable.
-	BindAddress string
+	BindAddress string `yaml:"bindAddress,omitempty"`

 	// SecureBindAddress is the address on which to serve secure traffic.
 	// Leave blank or set to "-" to disable.
-	SecureBindAddress string
+	SecureBindAddress string `yaml:"secureBindAddress,omitempty"`

 	// TLS contains the information for loading the certificate and key for the
 	// secure traffic and further configuration for the TLS server.
-	TLS *TLS
+	TLS *TLS `yaml:"tls,omitempty"`
 }

 // TLS contains the information for loading a TLS certificate and key
@ -20,15 +20,15 @@ type Server struct {
 type TLS struct {
 	// Key is the TLS key data to use.
 	// Typically this will come from a file.
-	Key *SecretSource
+	Key *SecretSource `yaml:"key,omitempty"`

 	// Cert is the TLS certificate data to use.
 	// Typically this will come from a file.
-	Cert *SecretSource
+	Cert *SecretSource `yaml:"cert,omitempty"`

 	// MinVersion is the minimal TLS version that is acceptable.
 	// E.g. Set to "TLS1.3" to select TLS version 1.3
-	MinVersion string
+	MinVersion string `yaml:"minVersion,omitempty"`

 	// CipherSuites is a list of TLS cipher suites that are allowed.
 	// E.g.:
@ -36,5 +36,5 @@ type TLS struct {
 	// - TLS_RSA_WITH_AES_256_GCM_SHA384
 	// If not specified, the default Go safe cipher list is used.
 	// List of valid cipher suites can be found in the [crypto/tls documentation](https://pkg.go.dev/crypto/tls#pkg-constants).
-	CipherSuites []string
+	CipherSuites []string `yaml:"cipherSuites,omitempty"`
 }
--- a/pkg/apis/options/upstreams.go
+++ b/pkg/apis/options/upstreams.go
@ -14,11 +14,11 @@ const (
 type UpstreamConfig struct {
 	// ProxyRawPath will pass the raw url path to upstream allowing for urls
 	// like: "/%2F/" which would otherwise be redirected to "/"
-	ProxyRawPath bool `json:"proxyRawPath,omitempty"`
+	ProxyRawPath bool `yaml:"proxyRawPath,omitempty"`

 	// Upstreams represents the configuration for the upstream servers.
 	// Requests will be proxied to this upstream if the path matches the request path.
-	Upstreams []Upstream `json:"upstreams,omitempty"`
+	Upstreams []Upstream `yaml:"upstreams,omitempty"`
 }

 // Upstream represents the configuration for an upstream server.
@ -26,7 +26,7 @@ type UpstreamConfig struct {
 type Upstream struct {
 	// ID should be a unique identifier for the upstream.
 	// This value is required for all upstreams.
-	ID string `json:"id,omitempty"`
+	ID string `yaml:"id,omitempty"`

 	// Path is used to map requests to the upstream server.
 	// The closest match will take precedence and all Paths must be unique.
@ -36,7 +36,7 @@ type Upstream struct {
 	// - `^/foo$`: Match only the explicit path `/foo`
 	// - `^/bar/$`: Match any path prefixed with `/bar/`
 	// - `^/baz/(.*)$`: Match any path prefixed with `/baz` and capture the remaining path for use with RewriteTarget
-	Path string `json:"path,omitempty"`
+	Path string `yaml:"path,omitempty"`

 	// RewriteTarget allows users to rewrite the request path before it is sent to
 	// the upstream server (for an HTTP/HTTPS upstream) or mapped to the filesystem
@ -46,7 +46,7 @@ type Upstream struct {
 	// the request `/baz/abc/123` to `/foo/abc/123` before proxying to the
 	// upstream server.  Or if the upstream were `file:///app`, a request for
 	// `/baz/info.html` would return the contents of the file `/app/foo/info.html`.
-	RewriteTarget string `json:"rewriteTarget,omitempty"`
+	RewriteTarget string `yaml:"rewriteTarget,omitempty"`

 	// The URI of the upstream server. This may be an HTTP(S) server of a File
 	// based URL. It may include a path, in which case all requests will be served
@ -58,43 +58,43 @@ type Upstream struct {
 	// - file://host/path
 	// If the URI's path is "/base" and the incoming request was for "/dir",
 	// the upstream request will be for "/base/dir".
-	URI string `json:"uri,omitempty"`
+	URI string `yaml:"uri,omitempty"`

 	// InsecureSkipTLSVerify will skip TLS verification of upstream HTTPS hosts.
 	// This option is insecure and will allow potential Man-In-The-Middle attacks
 	// between OAuth2 Proxy and the upstream server.
 	// Defaults to false.
-	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
+	InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"`

 	// Static will make all requests to this upstream have a static response.
 	// The response will have a body of "Authenticated" and a response code
 	// matching StaticCode.
 	// If StaticCode is not set, the response will return a 200 response.
-	Static bool `json:"static,omitempty"`
+	Static bool `yaml:"static,omitempty"`

 	// StaticCode determines the response code for the Static response.
 	// This option can only be used with Static enabled.
-	StaticCode *int `json:"staticCode,omitempty"`
+	StaticCode *int `yaml:"staticCode,omitempty"`

 	// FlushInterval is the period between flushing the response buffer when
 	// streaming response from the upstream.
 	// Defaults to 1 second.
-	FlushInterval *time.Duration `json:"flushInterval,omitempty"`
+	FlushInterval *time.Duration `yaml:"flushInterval,omitempty"`

 	// PassHostHeader determines whether the request host header should be proxied
 	// to the upstream server.
 	// Defaults to true.
-	PassHostHeader *bool `json:"passHostHeader,omitempty"`
+	PassHostHeader *bool `yaml:"passHostHeader,omitempty"`

 	// ProxyWebSockets enables proxying of websockets to upstream servers
 	// Defaults to true.
-	ProxyWebSockets *bool `json:"proxyWebSockets,omitempty"`
+	ProxyWebSockets *bool `yaml:"proxyWebSockets,omitempty"`

 	// Timeout is the maximum duration the server will wait for a response from the upstream server.
 	// Defaults to 30 seconds.
-	Timeout *time.Duration `json:"timeout,omitempty"`
+	Timeout *time.Duration `yaml:"timeout,omitempty"`

 	// DisableKeepAlives disables HTTP keep-alive connections to the upstream server.
 	// Defaults to false.
-	DisableKeepAlives bool `json:"disableKeepAlives,omitempty"`
+	DisableKeepAlives bool `yaml:"disableKeepAlives,omitempty"`
 }
--- a/pkg/requests/result_test.go
+++ b/pkg/requests/result_test.go
@ -104,8 +104,8 @@ var _ = Describe("Result suite", func() {

 	Context("UnmarshalInto", func() {
 		type testStruct struct {
-			A string `json:"a"`
-			B int    `json:"b"`
+			A string `yaml:"a"`
+			B int    `yaml:"b"`
 		}

 		type unmarshalIntoTableInput struct {