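---
# Naftiko capability: consumes an OAuth 2.0 authorization server (authorize,
# token, revoke) and re-exposes it through a REST adapter and an MCP adapter.
# NOTE(review): the nesting below was reconstructed from a whitespace-collapsed
# copy of this file; confirm it against the original, in particular that
# `binds` is a top-level key.
naftiko: '1.0.0-alpha2'
info:
  label: OAuth 2.0 Authorization Server
  description: >-
    OpenAPI specification for OAuth 2.0 authorization server endpoints as
    defined in RFC 6749 (The OAuth 2.0 Authorization Framework) and RFC 6750
    (Bearer Token Usage). Covers the token endpoint, authorization endpoint,
    and token revocation endpoint (RFC 7009).
  tags:
    - Oauth
    - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
    - type: http
      namespace: oauth
      baseUri: https://authorization-server.example.com
      description: OAuth 2.0 Authorization Server HTTP API.
      # Client credentials are resolved from the environment (see `binds`),
      # so no secret is stored in this file. They are declared once for the
      # whole consumed API, so presumably they accompany every call made
      # through it, /authorize included - confirm that is intended.
      authentication:
        type: basic
        username: '{{OAUTH_USERNAME}}'
        password: '{{OAUTH_PASSWORD}}'
      resources:
        - name: authorize
          path: /authorize
          operations:
            - name: authorize
              method: GET
              description: Authorization Endpoint
              inputParameters:
                # "token" selects the implicit grant, which the OAuth 2.0
                # Security BCP (RFC 9700) advises against. No code_challenge
                # parameter is declared here, so PKCE (RFC 7636) cannot be
                # requested through this operation as written.
                - name: response_type
                  in: query
                  type: string
                  required: true
                  description: >-
                    The value MUST be "code" for requesting an authorization
                    code or "token" for requesting an access token (implicit
                    grant).
                - name: client_id
                  in: query
                  type: string
                  required: true
                  description: >-
                    The client identifier issued to the client during
                    registration.
                # Optional and caller-supplied: validation against the URIs
                # registered for client_id has to happen on the server.
                - name: redirect_uri
                  in: query
                  type: string
                  description: >-
                    The URI to which the authorization server will redirect
                    the user-agent after authorization is granted or denied.
                - name: scope
                  in: query
                  type: string
                  description: >-
                    The scope of the access request as a space-delimited list
                    of values.
                # Optional here; callers that omit it lose the CSRF binding
                # between the request and the callback.
                - name: state
                  in: query
                  type: string
                  description: >-
                    An opaque value used by the client to maintain state
                    between the request and callback. Used to prevent
                    cross-site request forgery.
              # NOTE(review): RFC 6749 has this endpoint answer the user-agent
              # with a redirect, so a JSON body may not be what the server
              # returns - confirm.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: token
          path: /token
          operations:
            # NOTE(review): no inputParameters are declared, so as far as this
            # file shows grant_type, code, refresh_token etc. cannot be
            # supplied through this operation.
            - name: requesttoken
              method: POST
              description: Token Endpoint
              outputRawFormat: json
              outputParameters:
                # `$.` returns the whole response body, i.e. the issued
                # tokens, unfiltered.
                - name: result
                  type: object
                  value: $.
        - name: revoke
          path: /revoke
          operations:
            # NOTE(review): no inputParameters are declared, so the `token`
            # parameter RFC 7009 requires cannot be supplied as written.
            - name: revoketoken
              method: POST
              description: Token Revocation Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  # NOTE(review): neither adapter below declares caller authentication in this
  # file. Anything that can reach ports 8080/9090 can drive the upstream calls
  # with the bound client credentials, so keep these listeners on a trusted
  # network or behind an authenticating proxy.
  exposes:
    - type: rest
      port: 8080
      namespace: oauth-rest
      description: REST adapter for OAuth 2.0 Authorization Server.
      resources:
        - path: /authorize
          name: authorize
          operations:
            - method: GET
              name: authorize
              description: Authorization Endpoint
              call: oauth.authorize
              outputParameters:
                - type: object
                  mapping: $.
        - path: /token
          name: requesttoken
          operations:
            - method: POST
              name: requesttoken
              description: Token Endpoint
              call: oauth.requesttoken
              outputParameters:
                - type: object
                  mapping: $.
        - path: /revoke
          name: revoketoken
          operations:
            - method: POST
              name: revoketoken
              description: Token Revocation Endpoint
              call: oauth.revoketoken
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: oauth-mcp
      transport: http
      description: MCP adapter for OAuth 2.0 Authorization Server for AI agent use.
      tools:
        - name: authorize
          description: Authorization Endpoint
          # NOTE(review): an authorization request can mint a code or, with
          # response_type "token", an access token. Confirm that readOnly and
          # idempotent describe this server, since MCP clients may skip
          # confirmation for tools flagged read-only.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oauth.authorize
          # Tool arguments are forwarded one-to-one as query parameters of
          # the consumed operation.
          with:
            response_type: tools.response_type
            client_id: tools.client_id
            redirect_uri: tools.redirect_uri
            scope: tools.scope
            state: tools.state
          inputParameters:
            - name: response_type
              type: string
              description: >-
                The value MUST be "code" for requesting an authorization code
                or "token" for requesting an access token (implicit grant).
              required: true
            - name: client_id
              type: string
              description: >-
                The client identifier issued to the client during
                registration.
              required: true
            - name: redirect_uri
              type: string
              description: >-
                The URI to which the authorization server will redirect the
                user-agent after authorization is granted or denied.
            - name: scope
              type: string
              description: >-
                The scope of the access request as a space-delimited list of
                values.
            - name: state
              type: string
              description: >-
                An opaque value used by the client to maintain state between
                the request and callback. Used to prevent cross-site request
                forgery.
          outputParameters:
            - type: object
              mapping: $.
        - name: requesttoken
          description: Token Endpoint
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: oauth.requesttoken
          outputParameters:
            # The whole token response is mapped through, so issued tokens
            # end up in the agent's context and in whatever records it.
            # Map only the fields the agent needs where that is possible.
            - type: object
              mapping: $.
        - name: revoketoken
          description: Token Revocation Endpoint
          # Revocation permanently invalidates a token, so the tool is
          # flagged destructive to let MCP clients ask for confirmation
          # before calling it.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: oauth.revoketoken
          outputParameters:
            - type: object
              mapping: $.
# Binds the {{OAUTH_USERNAME}} / {{OAUTH_PASSWORD}} template variables used
# under `authentication` to environment variables of the same name.
binds:
  - namespace: env
    keys:
      OAUTH_USERNAME: OAUTH_USERNAME
      OAUTH_PASSWORD: OAUTH_PASSWORD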