# raw swagger spec link:
# https://raw.githubusercontent.com/GluuFederation/oxAuth/master/docs/oxAuthSwagger.yaml
# https://gluu.org/swagger-ui/?url=https://raw.githubusercontent.com/GluuFederation/oxAuth/master/docs/oxAuthSwagger.yaml
openapi: 3.0.1
info:
  title: oxAuth
  description: oxAuth - OAuth 2.0 server; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
  contact:
    email: yuriyz@gluu.org
  license:
    name: License
    url: https://github.com/GluuFederation/oxAuth/blob/master/LICENSE
  version: "master"
servers:
  - url: https://gluu.org/
tags:
  - name: developers
    description: oxAuth is an open source OpenID Connect Provider (OP) and UMA Authorization Server (AS). The project also includes OpenID Connect Client code which can be used by websites to validate tokens. oxAuth currently implements all required aspects of the OpenID Connect stack, including an OAuth 2.0 authorization server, Simple Web Discovery, Dynamic Client Registration, JSON Web Tokens, JSON Web Keys, and User Info Endpoint. oxAuth is tightly coupled with oxTrust.
paths:
  /authorize:
    get:
      tags:
        - Authorization
      summary: The Authorization Endpoint performs Authentication of the End-User.
      description: End-User Authentication and Authorization done by sending the User Agent to the Authorization Endpoint using request parameters defined by OAuth 2.0 and OpenID Connect.
      operationId: get_authorize
      parameters:
        - name: scope
          in: query
          required: true
          description: OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present.
          schema:
            type: string
        - name: response_type
          in: query
          required: true
          description: OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used.
          schema:
            type: string
        - name: client_id
          in: query
          required: true
          description: OAuth 2.0 Client Identifier valid at the Authorization Server.
          schema:
            type: string
        - name: redirect_uri
          in: query
          required: true
          description: Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
          schema:
            type: string
        - name: state
          in: query
          required: false
          description: Opaque value used to maintain state between the request and the callback.
          schema:
            type: string
        - name: response_mode
          in: query
          required: false
          description: Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.
          schema:
            type: string
        - name: nonce
          in: query
          required: false
          description: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
          schema:
            type: string
        - name: display
          in: query
          required: false
          description: ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
          schema:
            type: string
        - name: prompt
          in: query
          required: false
          description: Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are - none, login, consent, select_account.
          schema:
            type: string
        - name: max_age
          in: query
          required: false
          description: Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
          schema:
            type: integer
        - name: ui_locales
          in: query
          required: false
          description: End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
          #example: \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation).
          schema:
            type: string
        - name: id_token_hint
          in: query
          required: false
          description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response.
          schema:
            type: string
        - name: login_hint
          in: query
          required: false
          description: Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
          schema:
            type: string
        - name: acr_values
          in: query
          required: false
          description: Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
          schema:
            type: string
        - name: amr_values
          in: query
          required: false
          description: AMR Values.
          schema:
            type: string
        - name: request
          in: query
          required: false
          description: This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value. It represents the request as a JWT whose Claims are the request parameters.
          schema:
            type: string
        - name: request_uri
          in: query
          required: false
          description: This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.
          schema:
            type: string
        - name: request_session_id
          in: query
          required: false
          description: Request session id.
          schema:
            type: string
        - name: session_id
          in: query
          required: false
          description: Session id of this call.
          schema:
            type: string
        - name: origin_headers
          in: query
          required: false
          description: Origin headers. Used in custom workflows.
          schema:
            type: string
        - name: code_challenge
          in: query
          required: false
          description: PKCE code challenge.
          schema:
            type: string
        - name: code_challenge_method
          in: query
          required: false
          description: PKCE code challenge method.
          schema:
            type: string
        - name: custom_response_headers
          in: query
          required: false
          description: Custom Response Headers.
          schema:
            type: string
        - name: claims
          in: query
          required: false
          description: Requested Claims.
          schema:
            type: string
        - name: auth_req_id
          in: query
          required: false
          description: CIBA authentication request Id.
          schema:
            type: string
      responses:
        200:
          description: OK
          content: {}
        302:
          description: Error codes for authorization endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - request_not_supported
                      - request_uri_not_supported
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        400:
          $ref: '#/components/responses/InvalidRequest'
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
    post:
      tags:
        - Authorization
      summary: The Authorization Endpoint performs Authentication of the End-User.
      description: End-User Authentication and Authorization done by sending the User Agent to the Authorization Endpoint using request parameters defined by OAuth 2.0 and OpenID Connect.
      operationId: post_authorize
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - scope
                - response_type
                - client_id
                - redirect_uri
              properties:
                scope:
                  type: string
                  description: OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present.
                response_type:
                  type: string
                  description: OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used.
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                redirect_uri:
                  type: string
                  description: Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
                state:
                  type: string
                  description: Opaque value used to maintain state between the request and the callback.
                response_mode:
                  type: string
                  description: Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.
                nonce:
                  type: string
                  description: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
                display:
                  type: string
                  description: ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
                prompt:
                  type: string
                  description: Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
                max_age:
                  type: integer
                  description: Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
                ui_locales:
                  type: string
                  description: End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
                  example: \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation).
                id_token_hint:
                  type: string
                  description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response.
                login_hint:
                  type: string
                  description: Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
                acr_values:
                  type: string
                  description: Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
                amr_values:
                  type: string
                  description: AMR Values.
                request:
                  type: string
                  description: This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value. It represents the request as a JWT whose Claims are the request parameters.
                request_uri:
                  type: string
                  description: This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.
                request_session_id:
                  type: string
                  description: Request session id.
                session_id:
                  type: string
                  description: Session id of this call.
                origin_headers:
                  type: string
                  description: Origin headers. Used in custom workflows.
                code_challenge:
                  type: string
                  description: PKCE code challenge.
                code_challenge_method:
                  type: string
                  description: PKCE code challenge method.
                custom_response_headers:
                  type: string
                  description: Custom Response Headers.
                claims:
                  type: string
                  description: Requested Claims.
      responses:
        200:
          description: OK
          content: {}
        302:
          description: Error codes for authorization endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - request_not_supported
                      - request_uri_not_supported
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        400:
          $ref: '#/components/responses/InvalidRequest'
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
  /bc-authorize:
    post:
      tags:
        - Authorization
      summary: Performs backchannel authorization of the end-user.
      description: The Backchannel Authentication Endpoint is used to initiate an out-of-band authentication of the end-user.
      operationId: bc-authorize
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - client_id
                - scope
                - client_notification_token
              properties:
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                scope:
                  type: string
                  description: CIBA authentication requests must contain the openid scope value.
                client_notification_token:
                  type: string
                  description: It is a bearer token provided by the Client that will be used by the OpenID Provider to authenticate the callback request to the Client. It is required if the Client is registered to use Ping or Push modes.
                acr_values:
                  type: string
                  description: Requested Authentication Context Class Reference values.
                login_hint_token:
                  type: string
                  description: A token containing information identifying the end-user for whom authentication is being requested.
                id_token_hint:
                  type: string
                  description: An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom authentication is being requested.
                login_hint:
                  type: string
                  description: A hint to the OpenID Provider regarding the end-user for whom authentication is being requested.
                binding_message:
                  type: string
                  description: A human readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them together for the transaction by way of a visual cue for the end-user.
                user_code:
                  type: string
                  description: A secret code, such as password or pin, known only to the user but verifiable by the OP.
                requested_expiry:
                  type: integer
                  description: A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return.
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: Backchannel Authorization
                required:
                  - AUTH_REQ_ID
                  - EXPIRES_IN
                  - INTERVAL
                type: object
                properties:
                  AUTH_REQ_ID:
                    type: string
                  EXPIRES_IN:
                    type: integer
                  INTERVAL:
                    type: integer
        400:
          $ref: '#/components/responses/InvalidRequest'
        401:
          description: Unauthorized CIBA (Client Initiated Backchannel Authentication) access.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_scope
                      - expired_login_hint_token
                      - unknown_user_id
                      - unauthorized_client
                      - missing_user_code
                      - invalid_user_code
                      - invalid_binding_message
                      - invalid_client
                      - unauthorized_end_user_device
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
  /bc-deviceRegistration:
    post:
      tags:
        - Registration
      summary: Performs backchannel device registration.
      description: Performs backchannel device registration.
      operationId: bc-deviceRegistration
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - id_token_hint
                - device_registration_token
              properties:
                id_token_hint:
                  type: string
                  description: An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom the device registration is being requested.
                device_registration_token:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server
      responses:
        200:
          description: OK
          content: {}
        400:
          description: Invalid parameters are provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_scope
                      - expired_login_hint_token
                      - unknown_user_id
                      - unauthorized_client
                      - missing_user_code
                      - invalid_user_code
                      - invalid_binding_message
                      - invalid_client
                      - unauthorized_end_user_device
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
  /clientinfo:
    get:
      tags:
        - Client Info
      summary: To get Claims details about the registered client.
      description: The ClientInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the registered client.
      operationId: get_clientinfo
      parameters:
        - name: access_token
          in: query
          schema:
            type: string
          description: Client-specific access token.
        - name: Authorization
          in: header
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: ClientInfoResponse
                description: Client details in response.
                type: object
                properties:
                  displayName:
                    type: string
                  inum:
                    type: string
                    description: XRI i-number
                  oxAuthAppType:
                    type: string
                    description: oxAuth Application type
                  oxAuthIdTokenSignedResponseAlg:
                    type: string
                    description: oxAuth ID Token Signed Response Algorithm
                  oxAuthRedirectURI:
                    type: array
                    description: Array of redirect URIs values used in the Authorization
                    items:
                      type: string
                  oxId:
                    type: string
                    example:
                    description: oxAuth Attribute Scope Id
                  custom_attributes:
                    type: array
                    items:
                      type: string
        400:
          description: Invalid Request is provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - Client Info
      summary: To get Claims details about the registered client.
      description: The ClientInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the registered client.
      operationId: post_clientinfo
      parameters:
        - name: Authorization
          in: header
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - access_token
              properties:
                access_token:
                  type: string
                  description: Client-specific access token.
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: ClientInfoResponse
                description: Client details in response.
                type: object
                properties:
                  displayName:
                    type: string
                  inum:
                    type: string
                    description: XRI i-number
                  oxAuthAppType:
                    type: string
                    description: oxAuth Application type
                  oxAuthIdTokenSignedResponseAlg:
                    type: string
                    description: oxAuth ID Token Signed Response Algorithm
                  oxAuthRedirectURI:
                    type: array
                    description: Array of redirect URIs values used in the Authorization
                    items:
                      type: string
                  oxId:
                    type: string
                    example:
                    description: oxAuth Attribute Scope Id
                  custom_attributes:
                    type: array
                    items:
                      type: string
        400:
          description: Invalid Request is provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
  /.well-known/gluu-configuration:
    post:
      tags:
        - Server Configuration
      summary: Gets GluuServer configuration data that contains non-standard OpenID Connect discovery metadata.
      description: Gets GluuServer configuration data that contains non-standard OpenID Connect discovery metadata.
      operationId: well-known-gluu-configuration
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: GluuConfigurationResponse
                description: Client GluuAttribute by Dn(Distinguished Name) based on Authorization Scope.
                required:
                  - id_generation_endpoint
                  - introspection_endpoint
                type: object
                properties:
                  id_generation_endpoint:
                    type: string
                  introspection_endpoint:
                    type: string
                  auth_level_mapping:
                    type: object
                    additionalProperties:
                      type: string
                    description: Additional Custom Acr's map object
                  scope_to_claims_mapping:
                    type: object
                    additionalProperties:
                      type: string
                    description: Scope map object
        500:
          $ref: '#/components/responses/InternalServerError'
  /introspection:
    get:
      tags:
        - Token
      summary: The Introspection OAuth 2 Endpoint.
      description: The Introspection OAuth 2 Endpoint.
      operationId: get-introspection
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contain the access token along with other details.
          schema:
            type: string
          example: Bearer 23410913-abewfq.123483
        - name: token
          in: query
          required: true
          schema:
            type: string
          example: token=2YotnFZFEjr1zCsicMWpAA
        - name: token_type_hint
          in: query
          description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User.
          schema:
            type: string
        - name: response_as_jwt
          in: query
          description: OPTIONAL. Boolean value with default value false. If true, returns introspection response as JWT (signed based on client configuration used for authentication to Introspection Endpoint).
          schema:
            type: boolean
          example: response_as_jwt=false
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: IntrospectionResponse
                description: meta-information about token
                required:
                  - active
                type: object
                properties:
                  active:
                    type: boolean
                    description: Boolean indicator of whether or not the presented token is currently active.
                    example: true
                  scope:
                    type: array
                    description: Provide list of scopes to which access was granted for this resource.
                    example:
                      - read write dolphin
                    items:
                      type: string
                  client_id:
                    type: string
                    description: Client identifier for the OAuth 2.0 client that requested this token.
                    example: 1238j323ds-23ij4
                  username:
                    type: string
                    description: Human-readable identifier for the resource owner who authorized this token.
                    example: jdoe
                  token_type:
                    type: string
                    description: Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].
                    example: bearer, mac
                  exp:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire.
                  iat:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued.
                  sub:
                    type: string
                    description: Subject of the token, as defined in JWT [RFC7519].
                    example: Z5O3upPC88QrAjx00dis
                  aud:
                    type: string
                    description: Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
                    example: https://protected.example.net/resource
                  iss:
                    type: string
                    description: String representing the issuer of this token, as defined in JWT [RFC7519].
                    example: https://server.example.com/
                  acr_values:
                    type: string
                    description: Authentication Context Class Reference values.
                  jti:
                    type: string
                    description: String identifier for the token, as defined in JWT.
        400:
          description: Error codes for introspection endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
    post:
      tags:
        - Token
      summary: The Introspection OAuth 2 Endpoint.
      description: The Introspection OAuth 2 Endpoint.
      operationId: post-introspection
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contain the access token along with other details.
          schema:
            type: string
          example: Bearer 23410913-abewfq.123483
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: Client access token.
                  example: token=2YotnFZFEjr1zCsicMWpAA
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: IntrospectionResponse
                description: meta-information about token
                required:
                  - active
                type: object
                properties:
                  active:
                    type: boolean
                    description: Boolean indicator of whether or not the presented token is currently active.
                    example: true
                  scope:
                    type: array
                    description: Provide list of scopes to which access was granted for this resource.
                    example:
                      - read write dolphin
                    items:
                      type: string
                  client_id:
                    type: string
                    description: Client identifier for the OAuth 2.0 client that requested this token.
                    example: 1238j323ds-23ij4
                  username:
                    type: string
                    description: Human-readable identifier for the resource owner who authorized this token.
                    example: jdoe
                  token_type:
                    type: string
                    description: Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].
                    example: bearer, mac
                  exp:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire.
                  iat:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued.
                  sub:
                    type: string
                    description: Subject of the token, as defined in JWT [RFC7519].
                    example: Z5O3upPC88QrAjx00dis
                  aud:
                    type: string
                    description: Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
                    example: https://protected.example.net/resource
                  iss:
                    type: string
                    description: String representing the issuer of this token, as defined in JWT [RFC7519].
                    example: https://server.example.com/
                  acr_values:
                    type: string
                    description: Authentication Context Class Reference values.
                  jti:
                    type: string
                    description: String identifier for the token, as defined in JWT.
        400:
          description: Error codes for introspection endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
  /jwks:
    get:
      tags:
        - JWK - JSON Web Key Set (JWKs)
      summary: A JSON Web Key (JWK) used by server. JWK is a JSON data structure that represents a set of public keys as a JSON object [RFC4627].
      description: Provides list of JWK used by server.
      operationId: jwks
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: WebKeysConfiguration
                required:
                  - keys
                type: object
                description: JSON Web Key Set (JWKS) - A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs.
                properties:
                  keys:
                    type: array
                    description: List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
                    items:
                      $ref: '#/components/schemas/JsonWebKey'
        500:
          $ref: '#/components/responses/InternalServerError'
  /register:
    post:
      tags:
        - Registration
      summary: Registers new client dynamically.
      description: The Client Registration Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested.
      operationId: post-register
      requestBody:
        content:
          application/json:
            schema:
              title: RegisterParams
              required:
                - redirect_uris
              type: object
              properties:
                redirect_uris:
                  type: array
                  description: Redirection URI values used by the Client. One of these registered Redirection URI values must exactly match the redirect_uri parameter value used in each Authorization Request
                  items:
                    type: string
                  example:
                    - https://client.example.org/cb
                claims_redirect_uri:
                  type: array
                  description: Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction.
                  items:
                    type: string
                response_types:
                  type: array
                  description: A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token.
                  items:
                    type: string
                grant_types:
                  type: array
                  description: A list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using.
                  items:
                    type: string
                contacts:
                  type: array
                  description: e-mail addresses of people responsible for this Client.
                  items:
                    type: string
                client_name:
                  type: string
                  description: Name of the Client to be presented to the user.
                logo_uri:
                  type: string
                  description: URL that references a logo for the Client application
                client_uri:
                  type: string
                  description: URL of the home page of the Client. The value of this field must point to a valid Web page.
                policy_uri:
                  type: string
                  description: URL that the Relying Party Client provides to the End-User to read about how the profile data will be used.
                tos_uri:
                  type: string
                  description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
                jwks_uri:
                  type: string
                  description: URL for the Client's JSON Web Key Set (JWK) document containing key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client's encryption key(s) that are used by the OP to encrypt the responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage.
                jwks:
                  type: array
                  description: List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
                  items:
                    $ref: '#/components/schemas/JsonWebKey'
                  example: '{ "keys" : [ { "e" : "AQAB", "n" : "gmlDX_mgMcHX.." } ] }'
                sector_identifier_uri:
                  type: string
                  description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.
                subject_type:
                  type: string
                  description: Subject type requested for the Client ID. Valid types include pairwise and public.
                rpt_as_jwt:
                  type: boolean
                  description: Specifies whether RPT should be returned as signed JWT.
                access_token_as_jwt:
                  type: boolean
                  description: Specifies whether the access token is issued as a signed JWT.
                access_token_signing_alg:
                  type: string
                  description: Specifies signing algorithm that has to be used during JWT signing. If it's not specified, then the default OP signing algorithm will be used.
                id_token_signed_response_alg:
                  type: string
                  description: JWS alg algorithm (JWA) required for signing the ID Token issued to this Client.
                id_token_encrypted_response_alg:
                  type: string
                  description: JWE alg algorithm (JWA) required for encrypting the ID Token issued to this Client.
                id_token_encrypted_response_enc:
                  type: string
                  description: JWE enc algorithm (JWA) required for encrypting the ID Token issued to this Client.
                userinfo_signed_response_alg:
                  type: string
                  description: JWS alg algorithm (JWA) required for signing UserInfo Responses.
                userinfo_encrypted_response_alg:
                  type: string
                  description: JWE alg algorithm (JWA) required for encrypting UserInfo Responses.
                userinfo_encrypted_response_enc:
                  type: string
                  description: JWE enc algorithm (JWA) required for encrypting UserInfo Responses.
                request_object_signing_alg:
                  type: string
                  description: JWS alg algorithm (JWA) that must be used for signing Request Objects sent to the OP.
                request_object_encryption_alg:
                  type: string
                  description: JWE alg algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                request_object_encryption_enc:
                  type: string
                  description: JWE enc algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                token_endpoint_auth_method:
                  type: string
                  description: Requested Client Authentication method for the Token Endpoint.
                token_endpoint_auth_signing_alg:
                  type: string
                  description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
                default_max_age:
                  type: integer
                  description: Specifies the Default Maximum Authentication Age.
                  example: 1000000
                require_auth_time:
                  type: boolean
                  description: Boolean value specifying whether the auth_time Claim in the ID Token is required. It is required when the value is true.
                default_acr_values:
                  type: array
                  description: Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client.
                  items:
                    type: string
                initiate_login_uri:
                  type: string
                  description: Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client.
                post_logout_redirect_uris:
                  type: array
                  description: Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed.
                  example:
                    - https://client.example.org/logout/page1
                    - https://client.example.org/logout/page2
                    - https://client.example.org/logout/page3
                  items:
                    type: string
                frontchannel_logout_uri:
                  type: string
                  description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP.
                frontchannel_logout_session_required:
                  type: boolean
                  description: Boolean value specifying whether the RP requires that a session ID query parameter be included to identify the RP session at the OP when the logout_uri is used. If omitted, the default value is false.
                backchannel_logout_uri:
                  type: string
                  description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
                backchannel_logout_session_required:
                  type: boolean
                  description: Boolean value specifying whether the RP requires that a session ID Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.
                request_uris:
                  type: array
                  description: Provide a list of request_uri values that are pre-registered by the Client for use at the Authorization Server.
                  items:
                    type: string
                scopes:
                  type: string
                  deprecated: true
                  description: This param will be removed in a future version because the correct name is 'scope' not 'scopes', see (rfc7591).
                claims:
                  type: string
                  description: String containing a space-separated list of claims that can be requested individually.
                id_token_token_binding_cnf:
                  type: string
                  description: Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support Token Binding of ID Tokens.
tls_client_auth_subject_dn: type: string description: An string representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. allow_spontaneous_scopes: type: boolean description: Specifies whether to allow spontaneous scopes for client. The default value is false. example: false spontaneous_scopes: type: array description: List of spontaneous scopes items: type: string run_introspection_script_before_access_token_as_jwt_creation_and_include_claims: type: boolean description: Boolean value with default value false. If true and access_token_as_jwt=true then run introspection script and transfer claims into JWT. keep_client_authorization_after_expiration: type: boolean description: Boolean value indicating if the client authorization will not be removed afer expiration (expiration date is same as client's expiration that created it). The default value is false. scope: type: array description: Provide list of scope which are used during authentication to authorize access to resource. example: - openid items: type: string authorized_origins: type: array description: specifies authorized JavaScript origins. items: type: string access_token_lifetime: type: integer description: Specifies the Client-specific access token expiration. example: 100000000 software_id: type: string description: Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. example: 4NRB1-0XZABZI9E6-5SM3R software_version: type: string description: Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. 
example: "2.1" software_statement: type: string description: specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. backchannel_token_delivery_mode: type: string description: specifies how backchannel token will be deliveried. example: push, poll, ping backchannel_client_notification_endpoint: type: string description: Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. backchannel_authentication_request_signing_alg: type: string description: The JWS algorithm alg value that the Client will use for signing authentication request, as described in Section 7.1.1. of OAuth 2.0 [RFC6749]. When omitted, the Client will not send signed authentication requests. backchannel_user_code_parameter: type: boolean description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false. additional_audience: type: array description: Additional audiences. items: type: string responses: 200: description: OK content: application/json: schema: title: RegisterResponseParam type: object required: - client_id properties: client_id: type: string description: Unique Client Identifier. It MUST NOT be currently valid for any other registered Client. client_secret: type: string description: This value is used by Confidential Clients to authenticate to the Token Endpoint registration_access_token: type: string description: Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration. 
registration_client_uri: type: string description: Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration. client_id_issued_at: type: integer description: Time at which the Client Identifier was issued. client_secret_expires_at: type: integer description: Time at which the client_secret will expire or 0 if it will not expire. 400: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_redirect_uri - invalid_claims_redirect_uri - invalid_client_metadata - invalid_token - invalid_logout_uri - invalid_software_statement - access_denied error_description: type: string details: type: string 500: $ref: '#/components/responses/InternalServerError' put: tags: - Registration summary: Updates Client Metadata for a registered client. description: Updates Client Metadata for a registered client. operationId: put-register parameters: - name: client_id in: query required: true description: Client ID that identifies client that must be updated by this request. schema: type: string - name: Authorization in: header required: true description: Authorization header carrying \"registration_access_token\" issued before as a Bearer token schema: type: string requestBody: content: application/json: schema: title: RegisterParams required: - redirect_uris type: object properties: redirect_uris: type: array description: Redirection URI values used by the Client. 
One of these registered Redirection URI values must exactly match the redirect_uri parameter value used in each Authorization Request items: type: string example: - https://client.example.org/cb claims_redirect_uri: type: array description: Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. items: type: string response_types: type: array description: A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token. items: type: string grant_types: type: array description: A list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. items: type: string contacts: type: array description: e-mail addresses of people responsible for this Client. items: type: string client_name: type: string description: Name of the Client to be presented to the user. logo_uri: type: string description: URL that references a logo for the Client application client_uri: type: string description: URL of the home page of the Client. The value of this field must point to a valid Web page. policy_uri: type: string description: URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used. tos_uri: type: string description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service. jwks_uri: type: string description: URL for the Client's JSON Web Key Set (JWK) document containing key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client's encryption keys(s) that are used by the OP to encrypt the responses to the Client. 
When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage . jwks: type: array description: List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. items: $ref: '#/components/schemas/JsonWebKey' example: '{ "keys" : [ { "e" : "AQAB", "n" : "gmlDX_mgMcHX.." ] }' sector_identifier_uri: type: string description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. subject_type: type: string description: Subject type requested for the Client ID. Valid types include pairwise and public. rpt_as_jwt: type: boolean description: Specifies whether RPT should be return as signed JWT. access_token_as_jwt: type: boolean description: Specifies whether access token as signed JWT. access_token_signing_alg: type: string description: Specifies signing algorithm that has to be used during JWT signing. If it's not specified, then the default OP signing algorithm will be used . id_token_signed_response_alg: type: string description: JWS alg algorithm (JWA) required for signing the ID Token issued to this Client. id_token_encrypted_response_alg: type: string description: JWE alg algorithm (JWA) required for encrypting the ID Token issued to this Client. id_token_encrypted_response_enc: type: string description: JWE enc algorithm (JWA) required for encrypting the ID Token issued to this Client. userinfo_signed_response_alg: type: string description: JWS alg algorithm (JWA) required for signing UserInfo Responses. userinfo_encrypted_response_alg: type: string description: JWE alg algorithm (JWA) required for encrypting UserInfo Responses. userinfo_encrypted_response_enc: type: string description: JWE enc algorithm (JWA) required for encrypting UserInfo Responses. 
request_object_signing_alg: type: string description: JWS alg algorithm (JWA) that must be used for signing Request Objects sent to the OP. request_object_encryption_alg: type: string description: JWE alg algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP. request_object_encryption_enc: type: string description: JWE enc algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP. token_endpoint_auth_method: type: string description: Requested Client Authentication method for the Token Endpoint. token_endpoint_auth_signing_alg: type: string description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. default_max_age: type: integer description: Specifies the Default Maximum Authentication Age. example: 1000000 require_auth_time: type: boolean description: Boolean value specifying whether the auth_time Claim in the ID Token is required. It is required when the value is true. default_acr_values: type: array description: Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client. items: type: string initiate_login_uri: type: string description: Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client. post_logout_redirect_uris: type: array description: Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed. example: - https://client.example.org/logout/page1 - https://client.example.org/logout/page2 - https://client.example.org/logout/page3 items: type: string frontchannel_logout_uri: type: string description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. 
frontchannel_logout_session_required: type: boolean description: Boolean value specifying whether the RP requires that a session ID query parameter be included to identify the RP session at the OP when the logout_uri is used. If omitted, the default value is false. backchannel_logout_uri: type: string description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. backchannel_logout_session_required: type: boolean description: Boolean value specifying whether the RP requires that a session ID Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. request_uris: type: array description: Provide a list of request_uri values that are pre-registered by the Client for use at the Authorization Server. items: type: string scopes: type: string deprecated: true description: This param will be removed in a future version because the correct is 'scope' not 'scopes', see (rfc7591). claims: type: string description: String containing a space-separated list of claims that can be requested individually. id_token_token_binding_cnf: type: string description: Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support Token Binding of ID Tokens. tls_client_auth_subject_dn: type: string description: An string representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. allow_spontaneous_scopes: type: boolean description: Specifies whether to allow spontaneous scopes for client. The default value is false. 
example: false spontaneous_scopes: type: array description: List of spontaneous scopes items: type: string run_introspection_script_before_access_token_as_jwt_creation_and_include_claims: type: boolean description: Boolean value with default value false. If true and access_token_as_jwt=true then run introspection script and transfer claims into JWT. keep_client_authorization_after_expiration: type: boolean description: Boolean value indicating if the client authorization will not be removed afer expiration (expiration date is same as client's expiration that created it). The default value is false. scope: type: array description: Provide list of scope which are used during authentication to authorize access to resource. example: - openid items: type: string authorized_origins: type: array description: specifies authorized JavaScript origins. items: type: string access_token_lifetime: type: integer description: Specifies the Client-specific access token expiration. example: 100000000 software_id: type: string description: Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. example: 4NRB1-0XZABZI9E6-5SM3R software_version: type: string description: Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. example: "2.1" software_statement: type: string description: specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. backchannel_token_delivery_mode: type: string description: specifies how backchannel token will be deliveried. 
example: push, poll, ping backchannel_client_notification_endpoint: type: string description: Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. backchannel_authentication_request_signing_alg: type: string description: The JWS algorithm alg value that the Client will use for signing authentication request, as described in Section 7.1.1. of OAuth 2.0 [RFC6749]. When omitted, the Client will not send signed authentication requests. backchannel_user_code_parameter: type: boolean description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false. additional_audience: type: array description: Additional audiences. items: type: string responses: 200: description: OK content: application/json: schema: title: RegisterResponseParam type: object required: - client_id properties: client_id: type: string description: Unique Client Identifier. It MUST NOT be currently valid for any other registered Client. client_secret: type: string description: This value is used by Confidential Clients to authenticate to the Token Endpoint registration_access_token: type: string description: Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration. registration_client_uri: type: string description: Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration. client_id_issued_at: type: integer description: Time at which the Client Identifier was issued. client_secret_expires_at: type: integer description: Time at which the client_secret will expire or 0 if it will not expire. 400: description: Invalid parameters provided to endpoint. 
content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_client_metadata - invalid_token error_description: type: string details: type: string 500: $ref: '#/components/responses/InternalServerError' get: tags: - Registration summary: Get client information for a previously registered client. description: Get client information for a previously registered client. operationId: get-register parameters: - name: client_id in: query required: true description: Client ID that identifies client. schema: type: string - name: Authorization in: header required: true description: Authorization header carrying \"registration_access_token\" issued before as a Bearer token schema: type: string responses: 200: description: OK content: application/json: schema: title: ClientResponse type: object properties: redirect_uris: type: array description: Redirection URI values used by the Client. One of these registered Redirection URI values must exactly match the redirect_uri parameter value used in each Authorization Request items: type: string example: - https://client.example.org/cb claims_redirect_uri: type: array description: Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. items: type: string response_types: type: array description: A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token. items: type: string grant_types: type: array description: A list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. items: type: string contacts: type: array description: e-mail addresses of people responsible for this Client. 
items: type: string client_name: type: string description: Name of the Client to be presented to the user. logo_uri: type: string description: URL that references a logo for the Client application client_uri: type: string description: URL of the home page of the Client. The value of this field must point to a valid Web page. policy_uri: type: string description: URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used. tos_uri: type: string description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service. jwks_uri: type: string description: URL for the Client's JSON Web Key Set (JWK) document containing key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client's encryption keys(s) that are used by the OP to encrypt the responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage . jwks: type: string description: Client's JSON Web Key Set (JWK) document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it must not use jwks. One significant downside of jwks is that it does not enable key rotation. The jwks_uri and jwks parameters must not be used together. example: '{"key1": "value1", "key2": "value2"}' sector_identifier_uri: type: string description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. subject_type: type: string description: Subject type requested for the Client ID. 
Valid types include pairwise and public. rpt_as_jwt: type: boolean description: Specifies whether RPT should be return as signed JWT. access_token_as_jwt: type: boolean description: Specifies whether access token as signed JWT. access_token_signing_alg: type: string description: Specifies signing algorithm that has to be used during JWT signing. If it's not specified, then the default OP signing algorithm will be used . id_token_signed_response_alg: type: string description: JWS alg algorithm (JWA) required for signing the ID Token issued to this Client. id_token_encrypted_response_alg: type: string description: JWE alg algorithm (JWA) required for encrypting the ID Token issued to this Client. id_token_encrypted_response_enc: type: string description: JWE enc algorithm (JWA) required for encrypting the ID Token issued to this Client. userinfo_signed_response_alg: type: string description: JWS alg algorithm (JWA) required for signing UserInfo Responses. userinfo_encrypted_response_alg: type: string description: JWE alg algorithm (JWA) required for encrypting UserInfo Responses. userinfo_encrypted_response_enc: type: string description: JWE enc algorithm (JWA) required for encrypting UserInfo Responses. request_object_signing_alg: type: string description: JWS alg algorithm (JWA) that must be used for signing Request Objects sent to the OP. request_object_encryption_alg: type: string description: JWE alg algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP. request_object_encryption_enc: type: string description: JWE enc algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP. token_endpoint_auth_method: type: string description: Requested Client Authentication method for the Token Endpoint. 
token_endpoint_auth_signing_alg: type: string description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. default_max_age: type: integer description: Specifies the Default Maximum Authentication Age. example: 1000000 require_auth_time: type: boolean description: Boolean value specifying whether the auth_time Claim in the ID Token is required. It is required when the value is true. default_acr_values: type: array description: Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client. items: type: string initiate_login_uri: type: string description: Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client. post_logout_redirect_uris: type: array description: Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed. example: - https://client.example.org/logout/page1 - https://client.example.org/logout/page2 - https://client.example.org/logout/page3 items: type: string frontchannel_logout_uri: type: string description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. frontchannel_logout_session_required: type: boolean description: Boolean value specifying whether the RP requires that a session ID query parameter be included to identify the RP session at the OP when the logout_uri is used. If omitted, the default value is false. backchannel_logout_uri: type: string description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. 
backchannel_logout_session_required: type: boolean description: Boolean value specifying whether the RP requires that a session ID Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. request_uris: type: array description: Provide a list of request_uri values that are pre-registered by the Client for use at the Authorization Server. items: type: string scopes: type: string deprecated: true description: This param will be removed in a future version because the correct is 'scope' not 'scopes', see (rfc7591). claims: type: string description: String containing a space-separated list of claims that can be requested individually. id_token_token_binding_cnf: type: string description: Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support Token Binding of ID Tokens. tls_client_auth_subject_dn: type: string description: An string representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. allow_spontaneous_scopes: type: boolean description: Specifies whether to allow spontaneous scopes for client. The default value is false. example: false spontaneous_scopes: type: array description: List of spontaneous scopes items: type: string run_introspection_script_before_access_token_as_jwt_creation_and_include_claims: type: boolean description: Boolean value with default value false. If true and access_token_as_jwt=true then run introspection script and transfer claims into JWT. 
keep_client_authorization_after_expiration: type: boolean description: Boolean value indicating if the client authorization will not be removed afer expiration (expiration date is same as client's expiration that created it). The default value is false. scope: type: array description: Provide list of scope which are used during authentication to authorize access to resource. example: - openid items: type: string authorized_origins: type: array description: specifies authorized JavaScript origins. items: type: string access_token_lifetime: type: integer description: Specifies the Client-specific access token expiration. example: 100000000 software_id: type: string description: Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. example: 4NRB1-0XZABZI9E6-5SM3R software_version: type: string description: Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. example: "2.1" software_statement: type: string description: specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. backchannel_token_delivery_mode: type: string description: specifies how backchannel token will be deliveried. example: push, poll, ping backchannel_client_notification_endpoint: type: string description: Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. 
backchannel_authentication_request_signing_alg: type: string description: The JWS algorithm alg value that the Client will use for signing authentication request, as described in Section 7.1.1. of OAuth 2.0 [RFC6749]. When omitted, the Client will not send signed authentication requests. backchannel_user_code_parameter: type: boolean description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false. 400: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_token - invalid_client_metadata - access_denied error_description: type: string details: type: string 401: $ref: '#/components/responses/InvalidRequest' 500: $ref: '#/components/responses/InternalServerError' delete: tags: - Client Registration summary: Deletes the client info for a previously registered client. description: The Client Registration Endpoint removes the Client Metadata for a previously registered client. operationId: delete-register parameters: - name: client_id in: query required: true description: Client ID that identifies client. schema: type: string - name: Authorization in: header required: true description: Authorization header carrying \"registration_access_token\" issued before as a Bearer token schema: type: string responses: 204: description: OK content: {} 400: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_token - invalid_client_metadata - access_denied error_description: type: string details: type: string 401: description: Invalid parameters provided to endpoint. 
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_token
                      - invalid_client_metadata
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
  /revoke:
    post:
      tags:
        - Token
      summary: Used by the RP (Client) to revoke an Access Token or a Refresh Token.
      description: Used by the RP (Client) to revoke an Access Token or a Refresh Token.
      operationId: revoke
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: The token that the client wants to get revoked.
                token_type_hint:
                  type: string
                  description: A hint about the type of the token submitted for revocation.
      responses:
        200:
          description: OK
          content: {}
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - unsupported_token_type
                      - invalid_client
                      - invalid_request
                  error_description:
                    type: string
                  details:
                    type: string
  /session_status:
    get:
      tags:
        - Session Management
      summary: Determine current session status.
      description: Determine current session status.
      operationId: session_status
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: SessionStateObject
                type: object
                properties:
                  state:
                    type: string
                    description: String that represents the End-User's login state at the OP. It MUST NOT contain the space (" ") character.
                  auth_time:
                    type: string
                    format: date
                    description: Specifies the time at which the session was authenticated.
                    example: 100000000
                  custom_state:
                    type: string
  /revoke_session:
    post:
      tags:
        - Session Management
      summary: Revoke all sessions for user.
      description: Revoke all sessions for user (requires revoke_session scope).
      operationId: revoke-session
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - user_criterion_key
                - user_criterion_value
              properties:
                user_criterion_key:
                  type: string
                  description: user criterion key (e.g. uid)
                user_criterion_value:
                  type: string
                  description: user criterion value (e.g. chris)
      responses:
        200:
          description: OK - Returned if the request was processed successfully. It is returned both when sessions are found and when they are not (no error is returned, so as not to disclose internal information).
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
  /end_session:
    get:
      tags:
        - Session Management
      summary: End current session.
      description: End current session.
      operationId: end_session
      parameters:
        - name: id_token_hint
          in: query
          description: Previously issued ID Token (id_token) passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
          schema:
            type: string
        - name: post_logout_redirect_uri
          in: query
          description: URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.
          schema:
            type: string
        - name: state
          in: query
          description: Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter.
            If included in the logout request, the OP passes this value back to the RP using the state query parameter when redirecting the User Agent back to the RP.
          schema:
            type: string
        - name: session_id
          in: query
          description: Session Id
          schema:
            type: string
      responses:
        200:
          description: OK - User redirected to logout page
          content: {}
        302:
          $ref: '#/components/responses/Found'
        400:
          description: Error codes for end session endpoint.
          content:
            application/json:
              schema:
                title: EndSessionError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_grant
                      - invalid_request
                      - invalid_grant_and_session
                      - session_not_passed
                      - post_logout_uri_not_passed
                      - post_logout_uri_not_associated_with_client
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
  /token:
    post:
      tags:
        - Token
      summary: Used by the RP (Client) to obtain an Access Token, an ID Token, and optionally a Refresh Token.
      description: Used by the RP (Client) to obtain an Access Token, an ID Token, and optionally a Refresh Token.
      operationId: post-token
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
              properties:
                grant_type:
                  type: array
                  description: Provide a list of the OAuth 2.0 grant types that the Client is declaring that it will restrict itself to using.
                  example:
                    - authorization_code
                    - client_credentials
                  items:
                    type: string
                code:
                  type: string
                  description: Code which is returned by the authorization endpoint (for grant_type=authorization_code).
                redirect_uri:
                  type: string
                  description: Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
                username:
                  type: string
                  description: End-User username.
                password:
                  type: string
                  description: End-User password.
                scope:
                  type: array
                  description: OpenID Connect requests MUST contain the openid scope value.
                    If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.
                  items:
                    type: string
                assertion:
                  type: string
                  description: Assertion.
                refresh_token:
                  type: string
                  description: Refresh token.
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                client_secret:
                  type: string
                  description: The client secret. The client MAY omit the parameter if the client secret is an empty string.
                code_verifier:
                  type: string
                  description: The client's PKCE code verifier.
                ticket:
                  type: string
                claim_token:
                  type: string
                claim_token_format:
                  type: string
                pct:
                  type: string
                rpt:
                  type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: object
                description: AccessTokenResponse.
                required:
                  - access_token
                  - token_type
                properties:
                  access_token:
                    type: string
                    description: The access token issued by the authorization server.
                  token_type:
                    type: string
                    description: The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes).
                  expires_in:
                    type: integer
                    description: The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
                  refresh_token:
                    type: string
                    description: The refresh token, which can be used to obtain new access tokens using the same authorization grant.
                  scope:
                    type: array
                    example:
                      - openid
                      - oxd
                    items:
                      type: string
                  id_token:
                    type: string
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_client_metadata
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/Unauthorized'
        403:
          $ref: '#/components/responses/AccessDenied'
        500:
          $ref: '#/components/responses/InternalServerError'
  /uma/gather_claims:
    get:
      tags:
        - UMA (User Managed Access)
      summary: UMA Claims Gathering Endpoint.
      description: UMA Claims Gathering Endpoint.
      operationId: get-uma-gather_claims
      parameters:
        - name: client_id
          in: query
          description: OAuth 2.0 Client Identifier valid at the Authorization Server.
          schema:
            type: string
        - name: ticket
          in: query
          schema:
            type: string
        - name: claims_redirect_uri
          in: query
          schema:
            type: string
        - name: state
          in: query
          schema:
            type: string
        - name: reset
          in: query
          schema:
            type: boolean
        - name: authentication
          in: query
          schema:
            type: boolean
      responses:
        302:
          $ref: '#/components/responses/Found'
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_session
                      - invalid_claims_gathering_script_name
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - UMA (User Managed Access)
      summary: UMA Claims Gathering Endpoint
      description: UMA Claims Gathering Endpoint
      operationId: post-uma-gather_claims
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                ticket:
                  type: string
                claims_redirect_uri:
                  type: string
                state:
                  type: string
                reset:
                  type: boolean
                authentication:
                  type: boolean
      responses:
        302:
          $ref: '#/components/responses/Found'
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_session
                      - invalid_claims_gathering_script_name
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /uma2-configuration:
    get:
      tags:
        - UMA (User Managed Access)
      summary: Gets UMA configuration data.
      description: Gets UMA configuration data.
      operationId: uma2-configuration
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: object
                description: UmaMetadata
                required:
                  - issuer
                  - authorization_endpoint
                  - token_endpoint
                  - response_types_supported
                properties:
                  issuer:
                    type: string
                    description: The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components. This is the location where ".well-known" RFC 5785 [RFC5785] resources containing information about the authorization server are published. Using these well-known resources is described in Section 3. The issuer identifier is used to prevent authorization server mix-up attacks, as described in "OAuth 2.0 Mix-Up Mitigation".
                    example: https://sample.com
                  authorization_endpoint:
                    type: string
                    description: "URL of the authorization server's authorization endpoint."
                    example: https://sample.com/oxauth/restv1/authorize
                  token_endpoint:
                    type: string
                    description: URL of the authorization server's token endpoint [RFC6749]. This is REQUIRED unless only the implicit grant type is used.
                    example: https://sample.com/oxauth/restv1/token
                  jwks_uri:
                    type: string
                    description: URL of the authorization server's JWK Set [JWK] document. The referenced document contains the signing key(s) the client uses to validate signatures from the authorization server. This URL MUST use the "https" scheme. The JWK Set MAY also contain the server's encryption key(s), which are used by clients to encrypt requests to the server. When both signing and encryption keys are made available, a "use" (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
                    example: https://sample.com/oxauth/restv1/jwks
                  registration_endpoint:
                    type: string
                    description: URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].
                    example: https://sample.com/oxauth/restv1/register
                  response_types_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports. The array values used are the same as those used with the "response_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591].
                    example:
                      - code
                      - id_token
                      - token
                  grant_types_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]. If omitted, the default value is "["authorization_code", "implicit"]".
                    example:
                      - authorization_code
                      - implicit
                      - client_credentials
                  token_endpoint_auth_methods_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of client authentication methods supported by this token endpoint.
                      Client authentication method values are used in the "token_endpoint_auth_method" parameter defined in Section 2 of [RFC7591]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
                    example:
                      - client_secret_basic
                      - client_secret_post
                      - client_secret_jwt
                      - private_key_jwt
                  token_endpoint_auth_signing_alg_values_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for the signature on the JWT [JWT] used to authenticate the client at the token endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. Servers SHOULD support "RS256". The value "none" MUST NOT be used.
                    example:
                      - HS256
                      - HS384
                      - HS512
                      - RS256
                      - RS384
                      - RS512
                      - ES256
                      - ES384
                      - ES512
                  service_documentation:
                    type: string
                    description: URL of a page containing human-readable information that developers might want or need to know when using the authorization server. In particular, if the authorization server does not support Dynamic Client Registration, then information on how to register clients needs to be provided in this documentation.
                    example: http://
                  ui_locales_supported:
                    type: array
                    items:
                      type: string
                    description: Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values.
                    example:
                      - en
                      - es
                  op_policy_uri:
                    type: string
                    description: URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server. The registration process SHOULD display this URL to the person registering the client if it is given.
                      As described in Section 5, despite the identifier "op_policy_uri" appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
                    example: http://ox.sample.com/doku.php?id=oxauth:policy
                  op_tos_uri:
                    type: string
                    description: URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_tos_uri" appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
                    example: http://ox.sample.com/doku.php?id=oxauth:tos
                  introspection_endpoint:
                    type: string
                    description: URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].
                    example: https://sample.com/oxauth/restv1/rpt/status
                  code_challenge_methods_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters].
                  claims_interaction_endpoint:
                    type: string
                    description: Static endpoint URI at which the authorization server declares that it interacts with end-user requesting parties to gather claims. If the authorization server also provides a claims interaction endpoint URI as part of its redirect_user hint in a need_info response to a client on authorization failure (see Section 3.3.6), that value overrides this metadata value.
                      Providing the static endpoint URI is useful for enabling interactive claims gathering prior to any pushed-claims flows taking place, so that, for example, it is possible to gather requesting party authorization interactively for collecting all other claims in a "silent" fashion.
                    example: https://sample.com/oxauth/restv1/uma/gather_claims
                  uma_profiles_supported:
                    type: array
                    items:
                      type: string
                    description: UMA profiles supported by this authorization server. The value is an array of string values, where each string value is a URI identifying a UMA profile.
                  permission_endpoint:
                    type: string
                    description: The endpoint URI at which the resource server requests permissions on the client's behalf.
                    example: https://sample.com/oxauth/restv1/host/rsrc_pr
                  resource_registration_endpoint:
                    type: string
                    description: The endpoint URI at which the resource server registers resources to put them under authorization manager protection.
                    example: https://sample.com/oxauth/restv1/host/rsrc/resource_set
                  scope_endpoint:
                    type: string
                    description: The Scope endpoint URI.
                    example: https://sample.com/oxauth/restv1/uma/scopes
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /host/rsrc_pr:
    post:
      tags:
        - UMA (User Managed Access)
      summary: Registers permission.
      description: Registers permission.
      operationId: host-rsrc_pr
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contain the access token along with other details.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              title: UmaPermission
              description: A permission is (requested or granted) authorized access to a particular resource with some number of scopes bound to that resource.
              type: object
              required:
                - resource_id
                - resource_scopes
              properties:
                resource_id:
                  type: string
                  description: The identifier for a resource to which this client is seeking access. The identifier MUST correspond to a resource that was previously registered.
                  example: 112210f47de98100
                resource_scopes:
                  type: array
                  description: An array referencing zero or more strings representing scopes to which access was granted for this resource. Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
                  items:
                    type: string
                params:
                  type: object
                  description: A key/value map that can contain custom parameters.
                  additionalProperties:
                    type: string
      responses:
        201:
          description: OK
          content:
            application/json:
              schema:
                title: UmaPermissionList
                type: array
                description: List of UMA permissions.
                items:
                  type: object
                  required:
                    - resource_id
                    - resource_scopes
                  properties:
                    resource_id:
                      type: string
                      description: The identifier for a resource to which this client is seeking access. The identifier MUST correspond to a resource that was previously registered.
                      example: 112210f47de98100
                    resource_scopes:
                      type: array
                      description: An array referencing zero or more strings representing scopes to which access was granted for this resource. Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
                      items:
                        type: string
                      example:
                        - http://photoz.example.com/dev/actions/add
                        - http://photoz.example.com/dev/actions/internalClient
                    params:
                      type: object
                      description: A key/value map that can contain custom parameters.
                      additionalProperties:
                        type: string
                    exp:
                      type: integer
                      description: Number of seconds since January 1 1970 UTC, indicating when this token will expire.
                      format: int64
                      example: 1256953732
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /host/rsrc/resource_set:
    post:
      tags:
        - UMA 2 Resource
      summary: Adds a new resource description.
      description: Adds a new resource description.
      operationId: post-host-rsrc-resource_set
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contain the access token along with other details.
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              title: UmaResource
              description: Resource description
              type: object
              required:
                - resource_scopes
              properties:
                name:
                  type: string
                  description: A human-readable string describing a set of one or more resources. This name MAY be used by the authorization server in its resource owner user interface for the resource owner.
                icon_uri:
                  type: string
                  description: A URI for a graphic icon representing the resource set. The referenced icon MAY be used by the authorization server in its resource owner user interface for the resource owner.
                  example: http://www.example.com/icons/sharesocial.png
                type:
                  type: string
                  description: A string uniquely identifying the semantics of the resource set. For example, if the resource set consists of a single resource that is an identity claim that leverages standardized claim semantics for "verified email address", the value of this property could be an identifying URI for this claim.
                resource_scopes:
                  type: array
                  items:
                    type: string
                  description: An array of strings, any of which MAY be a URI, indicating the available scopes for this resource set. URIs MUST resolve to scope descriptions as defined in Section 2.1. Published scope descriptions MAY reside anywhere on the web; a resource server is not required to self-host scope descriptions and may wish to point to standardized scope descriptions residing elsewhere.
                    It is the resource server's responsibility to ensure that scope description documents are accessible to authorization servers through GET calls to support any user interface requirements. The resource server and authorization server are presumed to have separately negotiated any required interpretation of scope handling not conveyed through scope descriptions.
                  example:
                    - read-public
                    - post-updates
                    - read-private
                scope_expression:
                  type: string
                description:
                  type: string
                  description: A human-readable string describing the resource
                iat:
                  type: integer
                  description: Number of seconds since January 1 1970 UTC, indicating when the token was issued.
                  format: int64
                  example: 1535709072
                exp:
                  type: integer
                  description: Number of seconds since January 1 1970 UTC, indicating when this token will expire.
                  format: int64
                  example: 1419356238
      responses:
        201:
          description: OK
          content:
            application/json:
              schema:
                title: UmaResourceResponse
                description: UmaResourceResponse Resource created.
                type: object
                required:
                  - _id
                properties:
                  _id:
                    type: string
                    description: UMA Resource identifier
                    example: KX3A-39WE
                  user_access_policy_uri:
                    type: string
                    example: http://as.example.com/rs/222/resource/22/policy
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    put:
      tags:
        - UMA 2 Resource
      summary: Updates a previously registered resource.
      description: Updates a previously registered resource.
      operationId: put-host-rsrc-resource_set{rsid}
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: rsid
          in: path
          required: true
          description: Resource ID.
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              title: UmaResource
              description: Resource description
              type: object
              required:
                - resource_scopes
              properties:
                name:
                  type: string
                  description: A human-readable string describing a set of one or more resources. This name MAY be used by the authorization server in its resource owner user interface for the resource owner.
                icon_uri:
                  type: string
                  description: A URI for a graphic icon representing the resource set. The referenced icon MAY be used by the authorization server in its resource owner user interface for the resource owner.
                  example: http://www.example.com/icons/sharesocial.png
                type:
                  type: string
                  description: A string uniquely identifying the semantics of the resource set. For example, if the resource set consists of a single resource that is an identity claim that leverages standardized claim semantics for "verified email address", the value of this property could be an identifying URI for this claim.
                resource_scopes:
                  type: array
                  items:
                    type: string
                  description: An array of strings, any of which MAY be a URI, indicating the available scopes for this resource set. URIs MUST resolve to scope descriptions as defined in Section 2.1. Published scope descriptions MAY reside anywhere on the web; a resource server is not required to self-host scope descriptions and may wish to point to standardized scope descriptions residing elsewhere. It is the resource server's responsibility to ensure that scope description documents are accessible to authorization servers through GET calls to support any user interface requirements. The resource server and authorization server are presumed to have separately negotiated any required interpretation of scope handling not conveyed through scope descriptions.
                  example:
                    - read-public
                    - post-updates
                    - read-private
                scope_expression:
                  type: string
                description:
                  type: string
                  description: A human-readable string describing the resource
                iat:
                  type: integer
                  description: Number of seconds since January 1 1970 UTC, indicating when the token was issued.
                  format: int64
                  example: 1535709072
                exp:
                  type: integer
                  description: Number of seconds since January 1 1970 UTC, indicating when this token will expire.
                  format: int64
                  example: 1419356238
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: UmaResourceResponse
                description: UmaResourceResponse Resource created.
                type: object
                required:
                  - _id
                properties:
                  _id:
                    type: string
                    description: UMA Resource identifier
                    example: KX3A-39WE
                  user_access_policy_uri:
                    type: string
                    example: http://as.example.com/rs/222/resource/22/policy
        404:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - not_found
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    get:
      tags:
        - UMA 2 Resource
      summary: Lists all previously registered resources.
      description: Lists all previously registered resources.
      operationId: get-host-rsrc-resource_set
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: scope
          in: query
          description: Scope URI.
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: UMA Resource identifiers
                description: UMA Resource details
                type: array
                items:
                  type: string
                  description: List of resource identifiers
                example: [ '11','22']
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    delete:
      tags:
        - UMA 2 Resource
      summary: Deletes a previously registered resource.
      description: Deletes a previously registered resource.
      operationId: delete-host-rsrc-resource_set
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: rsid
          in: path
          required: true
          description: Resource ID
          schema:
            type: string
      responses:
        204:
          description: OK
          content: {}
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /host/rsrc/resource_set/{rsid}:
    get:
      tags:
        - UMA 2 Resource
      summary: Reads a previously registered resource.
      description: Reads a previously registered resource.
      operationId: get-host-rsrc-resource_set/{rsid}
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contain the access token along with other details.
          schema:
            type: string
        - name: rsid
          in: path
          required: true
          description: Resource description ID.
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: UmaResourceWithId
                description: UMA Resource details
                type: object
                required:
                  - _id
                  - iat
                  - exp
                properties:
                  _id:
                    type: string
                    description: UMA Resource identifier
                    example: KX3A-39WE
                  name:
                    type: string
                    description: A human-readable string describing a set of one or more resources. This name MAY be used by the authorization server in its resource owner user interface for the resource owner.
                  uri:
                    type: string
                    description: A human-readable string describing the resource
                  type:
                    type: string
                    description: A string uniquely identifying the semantics of the resource set.
                      For example, if the resource set consists of a single resource that is an identity claim that leverages standardized claim semantics for "verified email address", the value of this property could be an identifying URI for this claim.
                  scopes:
                    type: array
                    items:
                      type: string
                    description: An array of strings, any of which MAY be a URI, indicating the available scopes for this resource set. URIs MUST resolve to scope descriptions as defined in Section 2.1. Published scope descriptions MAY reside anywhere on the web; a resource server is not required to self-host scope descriptions and may wish to point to standardized scope descriptions residing elsewhere. It is the resource server's responsibility to ensure that scope description documents are accessible to authorization servers through GET calls to support any user interface requirements. The resource server and authorization server are presumed to have separately negotiated any required interpretation of scope handling not conveyed through scope descriptions.
                  scope_expression:
                    type: string
                  description:
                    type: string
                    description: A human-readable string describing the resource
                  icon_uri:
                    type: string
                    description: A URI for a graphic icon representing the resource set. The referenced icon MAY be used by the authorization server in its resource owner user interface for the resource owner.
                    example: http://www.example.com/icons/sharesocial.png
                  iat:
                    type: integer
                    description: Number of seconds since January 1 1970 UTC, indicating when the token was issued.
                    format: int64
                    example: 1535709072
                  exp:
                    type: integer
                    description: Number of seconds since January 1 1970 UTC, indicating when this token will expire.
                    format: int64
                    example: 1419356238
        500:
          description: Invalid parameters provided to endpoint.
content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string /rpt/status: get: tags: - Token Introspection summary: The Introspection OAuth 2 Endpoint for RPT. description: The Introspection OAuth 2 Endpoint for RPT. operationId: get-rpt-status parameters: - name: Authorization in: header required: true schema: type: string - name: token in: query required: true schema: type: string - name: token_type_hint in: query schema: type: string responses: 200: description: OK content: application/json: schema: title: RptIntrospectionResponse type: object required: - active - permissions - resource_id - resource_scopes properties: active: type: boolean description: Boolean indicator of whether or not the presented token is currently active. exp: type: integer description: Integer timestamp, in seconds since January 1 1970 UTC, indicating when this token will expire. format: int64 example: 1256953732 iat: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued. example: 1256953732 clientId: type: string description: Client id used to obtain RPT. sub: type: string description: Subject of the token. Usually a machine-readable identifier of the resource owner who authorized this token. aud: type: string description: Service-specific string identifier or list of string identifiers representing the intended audience for this token. permissions: type: array items: type: object description: List of UmaPermission granted to RPT. A permission is (requested or granted) authorized access to a particular resource with some number of scopes bound to that resource. 
required: - resource_id - resource_scopes properties: resource_id: type: string description: A string that uniquely identifies the protected resource, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource that was previously registered as protected. resource_scopes: type: array description: An array referencing zero or more strings representing scopes to which access was granted for this resource. Each string MUST correspond to a scope that was registered by this resource server for the referenced resource. items: type: string exp: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire. If the token-level exp value pre-dates a permission-level exp value, the token-level value takes precedence. iat: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued. If the token-level iat value post-dates a permission-level iat value, the token-level value takes precedence. nbf: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid. If the token-level nbf value post-dates a permission-level nbf value, the token-level value takes precedence. pct_claims: type: object additionalProperties: type: string description: PCT token claims. #example: {name:['John']} iss: type: string description: String representing the issuer of this token, as defined in JWT [RFC7519]. jti: type: string description: String identifier for the token, as defined in JWT [RFC7519]. nbf: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid. resource_id: type: string description: Resource ID. 
resource_scopes: type: array items: type: string 405: description: Introspection of RPT is not allowed. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string post: tags: - Token Introspection summary: The Introspection OAuth 2 Endpoint for RPT. description: The Introspection OAuth 2 Endpoint for RPT. operationId: post-rpt-status parameters: - name: Authorization in: header required: true description: Client Authorization details that contains the access token along with other details. schema: type: string requestBody: content: application/x-www-form-urlencoded: schema: type: object required: - token properties: token: type: string description: Client access token. token_type_hint: type: string description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User. responses: 200: description: OK content: application/json: schema: title: RptIntrospectionResponse type: object required: - active - permissions - resource_id - resource_scopes properties: active: type: boolean description: Boolean indicator of whether or not the presented token is currently active. exp: type: integer description: Integer timestamp, in seconds since January 1 1970 UTC, indicating when this token will expire. format: int64 example: 1256953732 iat: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued. example: 1256953732 clientId: type: string description: Client id used to obtain RPT. sub: type: string description: Subject of the token. Usually a machine-readable identifier of the resource owner who authorized this token. 
aud: type: string description: Service-specific string identifier or list of string identifiers representing the intended audience for this token. permissions: type: array items: type: object description: List of UmaPermission granted to RPT. A permission is (requested or granted) authorized access to a particular resource with some number of scopes bound to that resource. required: - resource_id - resource_scopes properties: resource_id: type: string description: A string that uniquely identifies the protected resource, access to which has been granted to this client on behalf of this requesting party. The identifier MUST correspond to a resource that was previously registered as protected. resource_scopes: type: array description: An array referencing zero or more strings representing scopes to which access was granted for this resource. Each string MUST correspond to a scope that was registered by this resource server for the referenced resource. items: type: string exp: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire. If the token-level exp value pre-dates a permission-level exp value, the token-level value takes precedence. iat: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued. If the token-level iat value post-dates a permission-level iat value, the token-level value takes precedence. nbf: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid. If the token-level nbf value post-dates a permission-level nbf value, the token-level value takes precedence. pct_claims: type: object additionalProperties: type: string description: PCT token claims. 
example: '{name:["John"]}' iss: type: string description: String representing the issuer of this token, as defined in JWT [RFC7519]. jti: type: string description: String identifier for the token, as defined in JWT [RFC7519]. nbf: type: integer description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid. resource_id: type: string description: Resource ID. resource_scopes: type: array items: type: string 405: description: Introspection of RPT is not allowed. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string /uma/scopes: get: tags: - UMA Scope summary: Provides UMA Scope description by scope id. description: Provides UMA Scope description by scope id. operationId: get-uma_scopes parameters: - name: id in: path required: true description: Resource description ID. schema: type: string responses: 200: description: OK content: application/json: schema: title: UmaScopeDescription required: - name properties: description: type: string description: A human-readable string describing the resource at length. The authorization server MAY use this description in any user interface it presents to a resource owner, for example, for resource protection monitoring or policy setting. iconUri: type: string description: A URI for a graphic icon representing the scope. The referenced icon MAY be used by the authorization server in any user interface it presents to the resource owner. name: type: string description: A human-readable string describing some scope (extent) of access. This name MAY be used by the authorization server in any user interface it presents to the resource owner. 
404: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - not_found error_description: type: string details: type: string 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string /userinfo: get: tags: - User Info summary: Returns Claims about the authenticated End-User. description: Returns Claims about the authenticated End-User. operationId: get-userinfo parameters: - name: access_token in: query required: true description: OAuth 2.0 Access Token. schema: type: string - name: Authorization in: header schema: type: string responses: 200: description: OK content: application/jwt: schema: title: User Claims details properties: sub: type: integer example: 248289761001 name: type: string example: Jane Doe given_name: type: string example: Jane family_name: type: string example: Doe preferred_username: type: string example: j.doe email: type: string example: janedoe@example.com picture: type: string example: http://example.com/janedoe/me.jpg 400: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_request error_description: type: string details: type: string 401: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_token error_description: type: string details: type: string 403: description: Invalid parameters provided to endpoint. 
content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - insufficient_scope error_description: type: string details: type: string 500: $ref: '#/components/responses/InternalServerError' post: tags: - User Info summary: Returns Claims about the authenticated End-User. description: Returns Claims about the authenticated End-User. operationId: post-userinfo parameters: - name: Authorization in: header description: Client Authorization details that contains the access token along with other details. schema: type: string requestBody: required: true content: application/x-www-form-urlencoded: schema: type: object required: - access_token properties: access_token: type: string description: OAuth 2.0 Access Token. responses: 200: description: OK content: application/jwt: schema: title: User Claims details properties: sub: type: integer example: 248289761001 name: type: string example: Jane Doe given_name: type: string example: Jane family_name: type: string example: Doe preferred_username: type: string example: j.doe email: type: string example: janedoe@example.com picture: type: string example: http://example.com/janedoe/me.jpg 400: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_request error_description: type: string details: type: string 401: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - invalid_token error_description: type: string details: type: string 403: description: Invalid parameters provided to endpoint. 
content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - insufficient_scope error_description: type: string details: type: string 500: $ref: '#/components/responses/InternalServerError' /fido/u2f/authentication: get: tags: - FIDO U2F summary: Performs FIDO U2F authentication of end-user. description: Performs FIDO U2F authentication of end-user. operationId: get-fido-u2f-authentication parameters: - name: username in: query required: true schema: type: string - name: keyhandle in: query schema: type: string description: Websafe-base64 encoding of the key handle obtained from the U2F token during registration. - name: application in: query description: The application id that the RP would like to assert. schema: type: string - name: session_id in: query schema: type: string responses: 200: description: OK content: application/json: schema: title: AuthenticateRequestMessage description: FIDO U2F device authentication request. required: - version - challenge - appId - keyHandle type: object properties: version: type: string description: Version of the protocol that the to-be-registered U2F token must speak. example: U2F_V2 challenge: type: string description: The websafe-base64-encoded challenge. appId: type: string description: The application id that the RP would like to assert. keyHandle: type: string description: Websafe-base64 encoding of the key handle obtained from the U2F token during registration. 403: $ref: '#/components/responses/AccessDenied' 404: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - no_eligable_devices error_description: type: string details: type: string 500: description: Invalid parameters provided to endpoint. 
content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string post: tags: - FIDO U2F summary: Performs FIDO U2F authentication of end-user. description: Performs FIDO U2F authentication of end-user. operationId: post-fido-u2f-authentication requestBody: content: application/json: schema: title: GetClientTokenParams required: - username - tokenResponse type: object properties: username: type: string tokenResponse: type: object properties: clientData: type: string description: base64(UTF8(client data)) signatureData: type: string description: base64(raw response from U2F device) keyHandle: type: string description: keyHandle originally passed responses: 200: description: OK content: application/json: schema: title: AuthenticateStatus description: FIDO U2F device authentication status. required: - status - challenge type: object properties: status: type: string description: Version of the protocol that the to-be-registered U2F token must speak. example: U2F_V2 challenge: type: string description: The websafe-base64-encoded challenge. 403: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - session_expired - invalid_request - device_compromised error_description: type: string details: type: string 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string /fido-configuration: get: tags: - FIDO U2F summary: Performs FIDO configuration data. description: Performs FIDO configuration data. 
operationId: fido-configuration responses: 200: description: OK content: application/json: schema: title: U2fConfiguration description: FIDO U2F Configuration. required: - version - issuer properties: version: type: string description: The version of the FIDO U2F core protocol to which this server conforms. The value MUST be the string 1.0. issuer: type: string description: A URI indicating the party operating the FIDO U2F server. registration_endpoint: type: string authentication_endpoint: type: string 403: $ref: '#/components/responses/AccessDenied' 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string /fido/u2f/registration: get: tags: - FIDO U2F summary: U2F device registration. description: U2F device registration. operationId: get-fido-u2f-registration parameters: - name: username in: query required: true schema: type: string - name: application in: query description: The application id that the RP would like to assert. schema: type: string - name: session_id in: query schema: type: string - name: enrollment_code in: query schema: type: string responses: 200: description: OK content: application/json: schema: title: RegisterRequestMessage description: RegisterRequestMessage required: - authenticateRequests - registerRequests type: object properties: authenticateRequests: type: array items: type: object description: list of AuthenticateRequest properties: version: type: string description: Version of the protocol that the to-be-registered U2F token must speak. example: U2F_V2 challenge: type: string description: The websafe-base64-encoded challenge. appId: type: string description: The application id that the RP would like to assert. 
keyHandle: type: string description: websafe-base64 encoding of the key handle obtained from the U2F token during registration registerRequests: type: array items: type: object description: list of RegisterRequest properties: version: type: string description: Version of the protocol that the to-be-registered U2F token must speak. example: U2F_V2 challenge: type: string description: The websafe-base64-encoded challenge. appId: type: string description: The application id that the RP would like to assert. 403: $ref: '#/components/responses/AccessDenied' 406: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - registration_not_allowed error_description: type: string details: type: string 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string post: tags: - FIDO U2F summary: U2F device registration. description: U2F device registration. operationId: post-fido-u2f-registration requestBody: content: application/json: schema: title: RegisterSiteParams required: - username type: object properties: username: type: string tokenResponse: type: object description: FIDO U2F device registration details properties: registrationData: type: string clientData: type: string deviceData: type: string responses: 200: description: OK content: application/json: schema: title: RegisterStatus description: RegisterRequestMessage type: object properties: status: type: string challenge: type: string 403: description: Invalid parameters provided to endpoint. 
content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - session_expired - invalid_request error_description: type: string details: type: string 406: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - registration_not_allowed error_description: type: string details: type: string 500: description: Invalid parameters provided to endpoint. content: application/json: schema: type: object required: - error - error_description properties: error: type: string format: enum example: - server_error error_description: type: string details: type: string /fido2/configuration: get: tags: - FIDO2 summary: FIDO2 configuration description: FIDO2 configuration operationId: get-fido2-configuration responses: 200: description: OK content: application/json: schema: title: FIDO2 configuration description: FIDO2 configuration. required: - version - issuer - attestation properties: version: type: string description: The version of the FIDO2 U2F core protocol to which this server conforms. The value MUST be the string 1.0. issuer: type: string description: A URI indicating the party operating the FIDO U2F server. 
attestation: type: array items: type: object description: list of fido2 attestation endpoints properties: base_path: type: string description: fido2 attestation endpoint options_enpoint: type: string description: fido2 attestation options endpoint result_enpoint: type: string description: fido2 attestation result endpoint assertion: type: array items: type: object description: list of fido2 assertion endpoints properties: base_path: type: string description: fido2 assertion endpoint options_enpoint: type: string description: fido2 assertion options endpoint result_enpoint: type: string description: fido2 assertion result endpoint 403: $ref: '#/components/responses/AccessDenied' 406: $ref: '#/components/responses/NotAcceptable' 500: $ref: '#/components/responses/InternalServerError' /fido2/assertion/options: post: tags: - FIDO2 summary: FIDO2 Assertion Options description: FIDO2 Assertion Options operationId: options requestBody: content: application/json: schema: title: AssertionOptions type: object properties: content: type: object description: An object that contains the extensions to enable, and the options to use for each of them. properties: username: type: string authenticatorSelection: type: array items: type: string description: Set of parameters required for FIDO2 assertion option. documentDomain: type: string extensions: type: string responses: 200: description: OK content: application/json: schema: title: AssertionOptionsResponse type: object required: - challenge - user - allowCredentials - userVerification - extensions properties: challenge: type: string description: Websafe-base64 encoding of the challenge. 
user: type: string description: username allowCredentials: type: array items: type: string example: - type - transports - id userVerification: type: string extensions: type: string 403: $ref: '#/components/responses/AccessDenied' 500: $ref: '#/components/responses/InternalServerError' /fido2/assertion/result: post: tags: - FIDO2 summary: FIDO2 Assertion Result - Parses and validates an assertion response from the client. description: FIDO2 Assertion Result. operationId: result requestBody: content: application/json: schema: title: AssertionOptions required: - clientDataJSON type: object properties: id: type: string description: The base64url encoded id returned by the client type: type: array items: type: string example: - public-key rawId: type: string description: The base64url encoded rawId returned by the client. If res.rawId is missing, res.id will be used instead. If both are missing an error will be thrown. userHandle: type: string description: The base64url encoded userHandle returned by the client. May be null or an empty string. clientDataJSON: type: array description: The base64url encoded clientDataJSON returned by the client items: type: string example: - challenge - origin responses: 200: description: OK content: {} 403: $ref: '#/components/responses/AccessDenied' 500: $ref: '#/components/responses/InternalServerError' /fido2/attestation/options: post: tags: - FIDO2 summary: Created new registration. description: Created new registration. operationId: attestation-options requestBody: content: application/json: schema: title: AttestationOptions description: An object containing various options for the option creation type: object properties: username: type: string displayName: type: string documentDomain: type: string credentialType: type: string authenticatorSelection: type: array items: type: string description: Set of parameters required for FIDO2 attestation option. 
extensions: type: string responses: 200: description: OK content: application/json: schema: title: CredentialCreationOptions required: - challenge - rp - user - attestation - pubKeyCredParams - authenticatorSelection - excludeCredentials - extensions type: object properties: challenge: type: string description: The base64url encoded challenge that was sent to the client, as generated by assertionOptions. rp: type: array description: RP credentials items: type: string example: - name - id user: type: object description: User object required: - id - name - displayName properties: id: type: string name: type: string displayName: type: string attestation: type: string format: enum pubKeyCredParams: type: array items: type: string example: - public-key - type - alg authenticatorSelection: type: array items: type: string description: Set of parameters required for FIDO2 attestation option. excludeCredentials: type: array items: type: string description: Set of parameters required for FIDO2 attestation option. extensions: type: string 403: $ref: '#/components/responses/AccessDenied' 500: $ref: '#/components/responses/InternalServerError' /fido2/attestation/result: post: tags: - FIDO2 summary: FIDO2 attestation result. description: FIDO2 attestation result operationId: attestation-result requestBody: content: application/json: schema: title: AttestationOptions description: An object containing various options for the option creation type: object required: - _type - clientDataJSON properties: type: type: string clientDataJSON: type: array description: The base64url encoded clientDataJSON returned by the client items: type: string example: - challenge - origin id: type: string responses: 200: description: OK content: {} $ref: '#/components/responses/AccessDenied' 500: $ref: '#/components/responses/InternalServerError' components: responses: Found: #302 - FOUND description: Resource Found. 
content: {} InvalidRequest: #400 - BAD_REQUEST description: Invalid parameters are provided to endpoint. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Unauthorized: #401 - UNAUTHORIZED description: Unauthorized access request. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' AccessDenied: #403 - FORBIDDEN description: Invalid details provided hence access denied. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' NotFound: #404 - NOT_FOUND description: Resource Not Found. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' NotAcceptable: #406 - NOT_ACCEPTABLE description: Request Not Acceptable. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' InternalServerError: #500 - INTERNAL_SERVER_ERROR description: Internal error occured. Please check log file for details. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' schemas: ErrorResponse: required: - error - error_description type: object properties: error: type: string error_description: type: string details: type: string JsonWebKey: required: - alg - exp - key_ops - kid - kty - use - x5c type: object properties: kid: type: string kty: type: string use: type: string alg: type: string crv: type: string exp: type: integer format: int64 x5c: type: array items: type: string n: type: string e: type: string x: type: string y: type: string