openapi: 3.1.0
info:
  title: OAuth2 Proxy Endpoints
  description: |
    HTTP endpoints exposed by oauth2-proxy, a reverse proxy that authenticates
    requests using upstream OAuth/OIDC providers. The OAuth2 endpoints live
    under a configurable prefix (`--proxy-prefix`, default `/oauth2`); the
    health and operational endpoints live at the document root. Sourced from
    https://oauth2-proxy.github.io/oauth2-proxy/features/endpoints.
  version: "1.0"
servers:
  - url: http://localhost:4180
    description: Default oauth2-proxy listen address
paths:
  /:
    get:
      summary: Authenticate and proxy to upstream
      description: Validates the session cookie and proxies authenticated requests to the configured upstream.
      responses:
        '200':
          description: Upstream response is returned to the client.
        '302':
          description: Redirected to the sign-in flow when unauthenticated.
  /robots.txt:
    get:
      summary: Robots exclusion
      responses:
        '200':
          description: Returns a disallow-all robots.txt.
  /ping:
    get:
      summary: Liveness probe
      responses:
        '200':
          description: Service is alive.
  /ready:
    get:
      summary: Readiness probe
      description: Verifies underlying connections such as Redis are healthy.
      responses:
        '200':
          description: Service is ready.
        '503':
          description: A dependency is unhealthy.
  /metrics:
    get:
      summary: Prometheus metrics
      description: Exposes Prometheus-format metrics when enabled.
      responses:
        '200':
          description: Metrics in Prometheus exposition format.
  /oauth2/sign_in:
    get:
      summary: Render sign-in page
      responses:
        '200':
          description: HTML sign-in page.
  /oauth2/sign_out:
    get:
      summary: Clear the session cookie
      description: Clears the local session and optionally redirects to the provider's logout endpoint.
      responses:
        '302':
          description: Session cleared and user redirected.
  /oauth2/start:
    get:
      summary: Begin OAuth authorization
      responses:
        '302':
          description: Redirects to the OAuth provider's authorize endpoint.
  /oauth2/callback:
    get:
      summary: OAuth callback target
      description: Endpoint the OAuth provider redirects back to after consent.
      responses:
        '302':
          description: Session established and user redirected to the original URL.
  /oauth2/auth:
    get:
      summary: External authentication subrequest
      description: |
        Returns 202 when the request is authenticated and 401 when it is not,
        intended for use with `nginx auth_request` or similar gateways.
      responses:
        '202':
          description: Request is authenticated.
        '401':
          description: Request is not authenticated.
      security:
        - SessionCookie: []
  /oauth2/userinfo:
    get:
      summary: Authenticated user information
      responses:
        '200':
          description: JSON object containing the authenticated user's email and groups.
      security:
        - SessionCookie: []
  /oauth2/static/{path}:
    parameters:
      - in: path
        name: path
        required: true
        schema:
          type: string
    get:
      summary: Serve static assets for the login/error pages
      responses:
        '200':
          description: Static asset (CSS, image, etc.).
components:
  securitySchemes:
    SessionCookie:
      type: apiKey
      in: cookie
      name: _oauth2_proxy
      description: Session cookie established by the OAuth callback.