swagger: "2.0" info: title: Authentiq Connect API version: "1.0" description: | Authentiq Connect OAuth 2.0 and OpenID Connect API reference. Learn about [Authentiq ID](https://www.authentiq.com/) or check out the [Authentiq Connect](https://developers.authentiq.com) developer documentation. termsOfService: https://www.authentiq.com/terms contact: name: Team Authentiq url: https://www.authentiq.com/ email: hello@authentiq.com host: connect.authentiq.io basePath: / schemes: - https consumes: - application/x-www-form-urlencoded - application/json produces: - application/x-www-form-urlencoded - application/json - application/problem+json - text/html paths: /authorize: get: summary: Authenticate a user description: | Start a session with Authentiq Connect to authenticate a user. ``` GET https://connect.authentiq.io/authorize?client_id=&response_type=code+id_token&scope=openid+email&redirect_uri=&state=0123456789 ``` This endpoint also supports the POST method. tags: - Authentication operationId: authorize parameters: - name: client_id in: query type: string description: > A client ID obtained from the [Dashboard](https://dashboard.authentiq.com/). required: true - name: response_type in: query type: string description: > The OIDC response type to use for this authentication flow. Valid choices are `code`, `id_token`, `token`, `token id_token`, `code id_token` `code token` and `code token id_token`, but a client can be configured with a more restricted set. required: true - name: scope in: query type: string description: > The space-separated identity claims to request from the end-user. Always include `openid` as a scope for compatibility with OIDC. required: true - name: redirect_uri in: query type: string description: > The location to redirect to after (un)successful authentication. See OIDC for the parameters passed in the query string (`response_mode=query`) or as fragments (`response_mode=fragment`). Unless the client is in test-mode this must be one of the registered redirect URLs. required: true - name: state in: query type: string description: > An opaque string that will be passed back to the redirect URL and therefore can be used to communicate client side state and prevent CSRF attacks. required: true - name: response_mode in: query type: string description: > Whether to append parameters to the redirect URL in the query string (`query`) or as fragments (`fragment`). This option usually has a sensible default for each of the response types. required: false - name: nonce in: query type: string description: > An nonce provided by the client (and opaque to Authentiq Connect) that will be included in any ID Token generated for this session. Clients should use the nonce to mitigate replay attacks. required: false - name: display in: query type: string description: > The authentication display mode, which can be one of `page`, `popup` or `modal`. Defaults to `page`. required: false default: page - name: prompt in: query type: string description: > Space-delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The supported values are: `none`, `login`, `consent`. If `consent` the end-user is asked to (re)confirm what claims they share. Use `none` to check for an active session. required: false default: login - name: max_age in: query type: integer description: > Specifies the allowable elapsed time in seconds since the last time the end-user was actively authenticated. required: false default: 0 - name: ui_locales in: query type: string description: > Specifies the preferred language to use on the authorization page, as a space-separated list of BCP47 language tags. Ignored at the moment. required: false # - in: query # name: id_token_hint # type: string # description: "" # required: false # - in: query # name: login_hint # type: string # description: "" # required: false # - in: query # name: acr_values # type: string # description: "" # required: false produces: - text/html responses: 302: description: > A successful or erroneous authentication response. 303: description: > *Sign in with Authentiq* page, popup or modal. externalDocs: description: OIDC Authorization Endpoint url: http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint /token: post: summary: Obtain an ID Token description: | Exchange en authorization code for an ID Token or Access Token. This endpoint supports both `client_secret_basic` (default) and `client_secret_basic` authentication methods, as specified by the client's `token_endpoint_auth_method`. tags: - Authentication operationId: token consumes: - application/x-www-form-urlencoded parameters: - name: Authorization in: header description: > HTTP Basic authorization header. required: false type: string - name: client_id in: formData description: > The registered client ID. required: true type: string - name: client_secret in: formData description: > The registered client ID secret. required: true type: string format: password - name: grant_type in: formData description: > The authorization grant type, must be `authorization_code`. required: true type: string - name: code in: formData description: > The authorization code previously obtained from the Authentication endpoint. required: true type: string - name: redirect_uri in: formData description: > The redirect URL that was used previously with the Authentication endpoint. required: true type: string produces: - application/json responses: 200: $ref: '#/responses/Token' 400: $ref: '#/responses/OAuth2Error' 401: $ref: '#/responses/OAuth2Error' externalDocs: description: OIDC Token Endpoint url: http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint /userinfo: get: summary: Retrieve a user profile tags: - Authentication description: | Use this endpoint to retrieve a user's profile in case you are unable to parse an ID Token or you've not already obtained enough details from the ID Token via the Token Endpoint. operationId: userInfo produces: - application/json responses: 200: $ref: '#/responses/UserInfo' 401: $ref: '#/responses/OAuth2Error' default: $ref: '#/responses/OAuth2Error' security: - oauth_code: [oidc, email, phone, address, aq:location, aq:name, aq:push] - oauth_implicit: [oidc, email, phone, address, aq:location, aq:name, aq:push] externalDocs: description: OIDC UserInfo Endpoint url: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo /client: get: summary: List clients tags: - Client Management description: | Retrieve a list of clients. operationId: client produces: - application/json responses: 200: description: A list of Client Objects. schema: type: array items: $ref: "#/definitions/Client" default: $ref: '#/responses/OAuth2Error' security: - client_registration_token: [] - oauth_code: [] - oauth_implicit: [] post: summary: Register a client tags: - Client Management description: | Register a new client with this Authentiq Connect provider. This endpoint is compatible with [OIDC's Client Registration](http://openid.net/specs/openid-connect-registration-1_0.html) extension. operationId: createClient consumes: - application/json - multipart/form-data parameters: - $ref: '#/parameters/Client' responses: 201: description: Client created headers: "Location": description: "URL of new client resource" type: string default: $ref: '#/responses/ProblemDetail' security: - client_registration_token: [] - oauth_code: [] - oauth_implicit: [] externalDocs: description: OIDC Client Registration Endpoint url: http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration /client/{client_id}: get: summary: View a client tags: - Client Management description: | Retrieve the configuration of a previously registered client. operationId: getClient produces: - application/json parameters: - $ref: "#/parameters/client_id" responses: "200": description: Client found schema: $ref: "#/definitions/Client" default: $ref: '#/responses/OAuth2Error' security: - client_registration_token: [] - oauth_code: [] - oauth_implicit: [] externalDocs: description: OIDC Client Configuration Endpoint url: http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint put: summary: Update a client tags: - Client Management description: | Update the configuration of a previously registered client. operationId: updateClient consumes: - application/json - multipart/form-data produces: - application/json parameters: - $ref: "#/parameters/client_id" - $ref: "#/parameters/Client" responses: "200": description: Client updated schema: $ref: "#/definitions/Client" default: $ref: '#/responses/ProblemDetail' security: - client_registration_token: [] - oauth_code: [] - oauth_implicit: [] externalDocs: description: OIDC Client Configuration Endpoint url: http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint delete: summary: Delete a client tags: - Client Management description: | Delete a previously registered client. operationId: clientClient_id parameters: - $ref: "#/parameters/client_id" responses: "204": description: Client deleted default: $ref: '#/responses/ProblemDetail' security: - client_registration_token: [] - oauth_code: [] - oauth_implicit: [] externalDocs: description: OIDC Client Configuration Endpoint url: http://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint /{client_id}/iframe: get: tags: - Session Management summary: Include a session iframe description: | An OpenID Connect Session Management iframe to facilitate e.g. single sign-on or remote logouts. The iframe implements the OIDC postMessage-based [change notification protocol](http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification) via which a client can receive notifications about session state changes. operationId: authorizeIframe parameters: - $ref: '#/parameters/client_id' produces: - test/html responses: 200: description: OK headers: "Cache-Control": description: public, max-age=7200 type: string externalDocs: description: OIDC OP Session Management Iframe url: http://openid.net/specs/openid-connect-session-1_0.html#OPiframe definitions: Token: description: > Successful token response required: - token_type properties: token_type: type: string access_token: description: The access token issued by the authorization server. type: string id_token: description: ID Token value associated with the authenticated session. type: string refresh_token: description: The refresh token issued to the client, if any. type: string expires_in: description: The lifetime in seconds of the access token. type: integer format: int32 expires_at: description: The time the access token will expire in seconds since epoch. type: integer format: int64 scope: description: The scope of the granted tokens. type: string OAuth2Error: description: > Error Response defined as in Section 5.2 of OAuth 2.0 [RFC6749]. required: - error properties: error: type: string error_description: type: string ProblemDetail: description: > HTTP Problem Detail required: - type - status properties: type: type: string default: about:blank title: type: string description: > Human-readable summary of the problem type. status: type: integer description: > The HTTP status code for this occurrence of the problem. detail: type: string description: > Human-readable explanation specific to this occurrence of the problem. Session: description: "Session object" properties: version: type: integer sub: type: string session_id: type: string session_state: type: string session_uri: type: string client_id: type: string scopes: type: array items: type: string scopes_optional: type: array items: type: string scopes_required: type: array items: type: string scopes_signed: type: array items: type: string tokens_seen: type: array items: type: string scopes_seen: type: array items: type: string redirect_uri: type: string response_type: type: string response_mode: type: string nonce: type: string created_at: type: string connected_at: type: string format: date-time authenticated_at: type: string format: date-time concluded_at: type: string format: date-time deleted_at: type: string format: date-time client_name: type: string client_uri: type: string logo_uri: type: string policy_uri: type: string tos_uri: type: string contacts: type: array items: type: string UserInfo: description: OIDC UserInfo structure required: - sub properties: sub: type: string name: type: string given_name: type: string family_name: type: string email: type: string email_verified: type: boolean phone_number: type: string phone_number_verified: type: boolean address: $ref: "#/definitions/Address" aq:location: description: Geolocation structure properties: latitude: type: number format: float longitude: type: number format: float address: $ref: "#/definitions/Address" Address: description: OIDC Address structure properties: street_address: type: string locality: type: string region: type: string postal_code: type: string country: type: string Client: description: Client object required: - client_name - client_uri properties: client_id: type: string # only in responses redirect_uris: type: array items: type: string response_types: type: array items: type: string grant_types: type: array items: type: string application_type: type: string contacts: type: array items: type: string client_name: type: string logo_uri: type: string client_uri: type: string policy_uri: type: string tos_uri: type: string default_max_age: type: integer format: int64 default_scopes: type: array items: type: string parameters: Client: name: body in: body description: Client Object required: true schema: $ref: "#/definitions/Client" client_id: name: client_id in: path description: Client identifier required: true type: string responses: Token: description: Token response schema: $ref: "#/definitions/Token" UserInfo: description: UserInfo response schema: $ref: "#/definitions/UserInfo" OAuth2Error: description: OAuth 2.0 error response schema: $ref: '#/definitions/OAuth2Error' ProblemDetail: description: Problem Detail error response schema: $ref: '#/definitions/ProblemDetail' securityDefinitions: client_secret: description: Session management by confidential clients. type: oauth2 flow: password tokenUrl: https://connect.authentiq.io/token scopes: clients: Enable client management client_registration_token: description: Client management via registration token. type: apiKey name: Authorization in: header user_jwt: description: Session management by Authentiq ID. type: oauth2 flow: application tokenUrl: https://connect.authentiq.io/token scopes: session: Enable session management oauth_code: description: End-user authentication. type: oauth2 flow: accessCode authorizationUrl: https://connect.authentiq.io/authorize tokenUrl: https://connect.authentiq.io/token scopes: oidc: Enable OIDC flow email: The user's email address phone: The user's phone number address: The user's postal address aq:location: The user's current location aq:name: The user's full name aq:push: Enable *One click sign-in* oauth_implicit: description: End-user authentication. type: oauth2 flow: implicit authorizationUrl: https://connect.authentiq.io/authorize scopes: oidc: Enable OIDC flow email: The user's email address phone: The user's phone number address: The user's postal address aq:location: The user's current location aq:name: The user's full name aq:push: Enable *One click sign-in* #tags: # - authentiq # - oauth2 # - oidc # - oidc-client-registration # - oidc-discovery # - oidc-session-management # - oidc-backchannel-logout externalDocs: description: Authentiq Developer Docs url: https://developers.authentiq.com/