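---
# Naftiko capability spec for an OpenID Connect provider.
# Layout: `capability.consumes` describes the upstream OP endpoints this spec
# calls; `capability.exposes` re-publishes them as a REST adapter (8080) and an
# MCP adapter (9090); `binds` maps the one secret used (OIDC_TOKEN) to the
# environment.
naftiko: '1.0.0-alpha2'
info:
  label: OpenID Connect API
  description: >-
    OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0
    protocol. It allows clients to verify the identity of end-users based on
    the authentication performed by an authorization server, and to obtain
    basic profile information about the end-user in an interoperable and
    REST-like manner. This specification covers the core OIDC endpoints
    including discovery, token, userinfo, and JWKS.
  tags:
    - Oidc
    - API
  created: '2026-05-06'
  modified: '2026-05-06'

capability:
  consumes:
    - type: http
      namespace: oidc
      baseUri: https://example.com
      description: OpenID Connect API HTTP API.
      # NOTE(review): this bearer token is declared at namespace level, so as
      # written it is attached to every operation below, including discovery,
      # JWKS, /authorize and /token. Those endpoints do not consume a bearer
      # token (/token authenticates the *client*, e.g. client_secret or
      # private_key_jwt), so the credential is transmitted where it is not
      # needed. Confirm whether naftiko allows per-operation authentication
      # and scope it to /userinfo if so.
      authentication:
        type: bearer
        token: '{{OIDC_TOKEN}}'
      resources:
        - name: well-known-openid-configuration
          path: /.well-known/openid-configuration
          operations:
            - name: getdiscovery
              method: GET
              description: OpenID Connect Discovery
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: authorize
          path: /authorize
          operations:
            - name: authorize
              method: GET
              description: Authorization Endpoint
              inputParameters:
                - name: response_type
                  in: query
                  type: string
                  required: true
                  description: >-
                    The value must include 'code' for the Authorization Code
                    Flow, 'id_token' for the Implicit Flow, or 'code id_token'
                    for the Hybrid Flow. The Implicit Flow is discouraged by
                    the OAuth 2.0 Security BCP because tokens are returned in
                    the URL fragment; prefer 'code' together with PKCE.
                - name: client_id
                  in: query
                  type: string
                  required: true
                  description: The client identifier issued during registration.
                - name: redirect_uri
                  in: query
                  type: string
                  required: true
                  description: >-
                    The redirection URI to which the response will be sent.
                    Must exactly match one of the redirection URIs registered
                    for the client; the authorization server is expected to
                    reject any other value (this is the primary defence
                    against authorization-code theft via open redirect).
                - name: scope
                  in: query
                  type: string
                  required: true
                  description: >-
                    Space-delimited list of scopes. Must include 'openid' to
                    indicate an OIDC request. May also include 'profile',
                    'email', 'address', and 'phone'.
                - name: state
                  in: query
                  type: string
                  description: >-
                    An opaque value used by the client to maintain state
                    between the request and callback. Recommended for CSRF
                    protection: generate a cryptographically random value per
                    request and verify it on the callback before accepting the
                    code.
                - name: nonce
                  in: query
                  type: string
                  description: >-
                    A string value used to associate a client session with an
                    ID Token and to mitigate replay attacks. Required for the
                    Implicit and Hybrid flows; optional but recommended for the
                    Authorization Code Flow. The client must check that the
                    'nonce' claim of the returned ID Token matches.
                - name: prompt
                  in: query
                  type: string
                  description: >-
                    Space-delimited list of values that specifies whether the
                    authorization server prompts the end-user for
                    reauthentication and consent.
                - name: login_hint
                  in: query
                  type: string
                  description: >-
                    A hint to the authorization server about the login
                    identifier the end-user might use.
                - name: acr_values
                  in: query
                  type: string
                  description: Requested Authentication Context Class Reference values.
                - name: code_challenge
                  in: query
                  type: string
                  description: >-
                    PKCE code challenge derived from the code verifier (RFC
                    7636). Strongly recommended for every client, public or
                    confidential; the matching code_verifier is presented at
                    the token endpoint.
                - name: code_challenge_method
                  in: query
                  type: string
                  description: >-
                    Code challenge method used to derive the code challenge.
                    Either 'plain' or 'S256' (RFC 7636). Use 'S256'; 'plain'
                    gives no protection to an attacker who can observe the
                    authorization request.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: token
          path: /token
          operations:
            - name: gettoken
              method: POST
              description: Token Endpoint
              # NOTE(review): no inputParameters are declared here. An OIDC
              # token request needs at least grant_type, code, redirect_uri
              # and (with PKCE) code_verifier, sent as
              # application/x-www-form-urlencoded, plus client authentication.
              # As written the spec gives callers no way to supply them -
              # confirm how naftiko passes a POST body before relying on this.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: userinfo
          path: /userinfo
          operations:
            - name: getuserinfo
              method: GET
              description: UserInfo Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postuserinfo
              method: POST
              description: UserInfo Endpoint (POST)
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: well-known-jwks-json
          path: /.well-known/jwks.json
          operations:
            - name: getjwks
              method: GET
              description: JSON Web Key Set Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: end-session
          path: /end-session
          operations:
            - name: endsession
              method: GET
              description: End Session Endpoint
              inputParameters:
                - name: id_token_hint
                  in: query
                  type: string
                  description: >-
                    The ID token previously issued to the client. Recommended
                    whenever post_logout_redirect_uri is supplied, so the OP
                    can tie the redirect to the client that received the
                    token.
                - name: post_logout_redirect_uri
                  in: query
                  type: string
                  description: >-
                    The URI to redirect to after logout. Must be one of the
                    post-logout redirect URIs registered for the client; the
                    OP is expected to reject unregistered values to avoid
                    acting as an open redirector.
                - name: state
                  in: query
                  type: string
                  description: >-
                    Opaque value for maintaining state between request and
                    callback.
              # NOTE(review): an OP typically answers /end-session with a
              # redirect or an HTML logout page rather than a JSON body;
              # confirm outputRawFormat: json is what the target OP returns.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

  # NOTE(review): neither adapter below declares authentication of its own,
  # while every call they forward carries OIDC_TOKEN from the consumes block.
  # If ports 8080/9090 are reachable by untrusted clients, any caller can read
  # the token holder's UserInfo and trigger end-session using the adapter's
  # credential (a confused-deputy exposure). Put the adapters behind caller
  # authentication or restrict them to a trusted network before deployment.
  exposes:
    - type: rest
      port: 8080
      namespace: oidc-rest
      description: REST adapter for OpenID Connect API.
      resources:
        - path: /.well-known/openid-configuration
          name: getdiscovery
          operations:
            - method: GET
              name: getdiscovery
              description: OpenID Connect Discovery
              call: oidc.getdiscovery
              outputParameters:
                - type: object
                  mapping: $.
        - path: /authorize
          name: authorize
          operations:
            - method: GET
              name: authorize
              description: Authorization Endpoint
              # NOTE(review): unlike the MCP tool, this operation declares no
              # input mapping. Confirm the REST adapter forwards the caller's
              # query string; otherwise the required parameters
              # (response_type, client_id, redirect_uri, scope) never reach
              # the upstream /authorize.
              call: oidc.authorize
              outputParameters:
                - type: object
                  mapping: $.
        - path: /token
          name: gettoken
          operations:
            - method: POST
              name: gettoken
              description: Token Endpoint
              call: oidc.gettoken
              outputParameters:
                - type: object
                  mapping: $.
        - path: /userinfo
          name: getuserinfo
          operations:
            - method: GET
              name: getuserinfo
              description: UserInfo Endpoint
              call: oidc.getuserinfo
              outputParameters:
                - type: object
                  mapping: $.
        - path: /userinfo
          name: postuserinfo
          operations:
            - method: POST
              name: postuserinfo
              description: UserInfo Endpoint (POST)
              call: oidc.postuserinfo
              outputParameters:
                - type: object
                  mapping: $.
        - path: /.well-known/jwks.json
          name: getjwks
          operations:
            - method: GET
              name: getjwks
              description: JSON Web Key Set Endpoint
              call: oidc.getjwks
              outputParameters:
                - type: object
                  mapping: $.
        - path: /end-session
          name: endsession
          operations:
            - method: GET
              name: endsession
              description: End Session Endpoint
              call: oidc.endsession
              outputParameters:
                - type: object
                  mapping: $.

    - type: mcp
      port: 9090
      namespace: oidc-mcp
      transport: http
      description: MCP adapter for OpenID Connect API for AI agent use.
      tools:
        - name: getdiscovery
          description: OpenID Connect Discovery
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.getdiscovery
          outputParameters:
            - type: object
              mapping: $.

        - name: authorize
          description: Authorization Endpoint
          # NOTE(review): /authorize is an interactive, user-agent-driven
          # endpoint. The authorization server normally responds with a 302 to
          # a login/consent UI, not JSON, so an agent cannot complete the flow
          # through this tool alone; treat the tool as producing the URL/first
          # hop of a browser flow. The hints below describe the request as
          # side-effect free from the agent's point of view.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.authorize
          with:
            response_type: tools.response_type
            client_id: tools.client_id
            redirect_uri: tools.redirect_uri
            scope: tools.scope
            state: tools.state
            nonce: tools.nonce
            prompt: tools.prompt
            login_hint: tools.login_hint
            acr_values: tools.acr_values
            code_challenge: tools.code_challenge
            code_challenge_method: tools.code_challenge_method
          inputParameters:
            - name: response_type
              type: string
              description: >-
                The value must include 'code' for the Authorization Code Flow,
                'id_token' for the Implicit Flow, or 'code id_token' for the
                Hybrid Flow. The Implicit Flow is discouraged by the OAuth 2.0
                Security BCP because tokens are returned in the URL fragment;
                prefer 'code' together with PKCE.
              required: true
            - name: client_id
              type: string
              description: The client identifier issued during registration.
              required: true
            - name: redirect_uri
              type: string
              description: >-
                The redirection URI to which the response will be sent. Must
                exactly match one of the redirection URIs registered for the
                client; the authorization server is expected to reject any
                other value (this is the primary defence against
                authorization-code theft via open redirect).
              required: true
            - name: scope
              type: string
              description: >-
                Space-delimited list of scopes. Must include 'openid' to
                indicate an OIDC request. May also include 'profile', 'email',
                'address', and 'phone'.
              required: true
            - name: state
              type: string
              description: >-
                An opaque value used by the client to maintain state between
                the request and callback. Recommended for CSRF protection:
                generate a cryptographically random value per request and
                verify it on the callback before accepting the code.
            - name: nonce
              type: string
              description: >-
                A string value used to associate a client session with an ID
                Token and to mitigate replay attacks. Required for the Implicit
                and Hybrid flows; optional but recommended for the
                Authorization Code Flow. The client must check that the
                'nonce' claim of the returned ID Token matches.
            - name: prompt
              type: string
              description: >-
                Space-delimited list of values that specifies whether the
                authorization server prompts the end-user for reauthentication
                and consent.
            - name: login_hint
              type: string
              description: >-
                A hint to the authorization server about the login identifier
                the end-user might use.
            - name: acr_values
              type: string
              description: Requested Authentication Context Class Reference values.
            - name: code_challenge
              type: string
              description: >-
                PKCE code challenge derived from the code verifier (RFC 7636).
                Strongly recommended for every client, public or confidential;
                the matching code_verifier is presented at the token endpoint.
            - name: code_challenge_method
              type: string
              description: >-
                Code challenge method used to derive the code challenge. Either
                'plain' or 'S256' (RFC 7636). Use 'S256'; 'plain' gives no
                protection to an attacker who can observe the authorization
                request.
          outputParameters:
            - type: object
              mapping: $.

        - name: gettoken
          description: Token Endpoint
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: oidc.gettoken
          outputParameters:
            - type: object
              mapping: $.

        - name: getuserinfo
          description: UserInfo Endpoint
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.getuserinfo
          outputParameters:
            - type: object
              mapping: $.

        - name: postuserinfo
          description: UserInfo Endpoint (POST)
          # The POST form of UserInfo is functionally a read; the conservative
          # hints are kept as the original declared them.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: oidc.postuserinfo
          outputParameters:
            - type: object
              mapping: $.

        - name: getjwks
          description: JSON Web Key Set Endpoint
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oidc.getjwks
          outputParameters:
            - type: object
              mapping: $.

        - name: endsession
          description: End Session Endpoint
          # RP-initiated logout terminates the end-user's session at the OP.
          # It was previously hinted readOnly: true, which lets an agent host
          # invoke it without confirmation; it is a state-changing action
          # (repeating it is harmless, hence idempotent).
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: oidc.endsession
          with:
            id_token_hint: tools.id_token_hint
            post_logout_redirect_uri: tools.post_logout_redirect_uri
            state: tools.state
          inputParameters:
            - name: id_token_hint
              type: string
              description: >-
                The ID token previously issued to the client. Recommended
                whenever post_logout_redirect_uri is supplied, so the OP can
                tie the redirect to the client that received the token.
            - name: post_logout_redirect_uri
              type: string
              description: >-
                The URI to redirect to after logout. Must be one of the
                post-logout redirect URIs registered for the client; the OP is
                expected to reject unregistered values to avoid acting as an
                open redirector.
            - name: state
              type: string
              description: >-
                Opaque value for maintaining state between request and
                callback.
          outputParameters:
            - type: object
              mapping: $.

# The only secret is injected from the environment; keep it out of VCS.
binds:
  - namespace: env
    keys:
      OIDC_TOKEN: OIDC_TOKEN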