{ "consumes": [ "application/json", "application/x-www-form-urlencoded" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "swagger": "2.0", "info": { "description": "Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here.", "title": "ORY Hydra", "version": "latest" }, "basePath": "/", "paths": { "/.well-known/jwks.json": { "get": { "description": "This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and,\nif enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like\n[node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "JSON Web Keys Discovery", "operationId": "wellKnown", "responses": { "200": { "description": "JSONWebKeySet", "schema": { "$ref": "#/definitions/JSONWebKeySet" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/.well-known/openid-configuration": { "get": { "description": "The well known endpoint can be used to retrieve information for OpenID Connect clients. We encourage you to not roll\nyour own OpenID Connect client but to use an OpenID Connect client library instead. 
You can learn more on this\nflow at https://openid.net/specs/openid-connect-discovery-1_0.html .\n\nPopular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others.\nFor a full list of clients go here: https://openid.net/developers/certified/", "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "OpenID Connect Discovery", "operationId": "discoverOpenIDConfiguration", "responses": { "200": { "description": "wellKnown", "schema": { "$ref": "#/definitions/wellKnown" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/clients": { "get": { "description": "This endpoint lists all clients in the database, and never returns client secrets.\nAs a default it lists the first 100 clients. The `limit` parameter can be used to retrieve more clients,\nbut it has an upper bound at 500 objects. Pagination should be used to retrieve more than 500 objects.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. 
Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.\n\nThe \"Link\" header is also included in successful responses, which contains one or more links for pagination, formatted like so: '\u003chttps://hydra-url/admin/clients?limit={limit}\u0026offset={offset}\u003e; rel=\"{page}\"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'.\nMultiple links can be included in this header, and will be separated by a comma.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "List OAuth 2.0 Clients", "operationId": "listOAuth2Clients", "parameters": [ { "type": "integer", "format": "int64", "description": "The maximum amount of clients to returned, upper bound is 500 clients.", "name": "limit", "in": "query" }, { "type": "integer", "format": "int64", "description": "The offset from where to start looking.", "name": "offset", "in": "query" }, { "type": "string", "description": "The name of the clients to filter by.", "name": "client_name", "in": "query" }, { "type": "string", "description": "The owner of the clients to filter by.", "name": "owner", "in": "query" } ], "responses": { "200": { "$ref": "#/responses/oAuth2ClientList" }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "post": { "description": "Create a new OAuth 2.0 client If you pass `client_secret` the secret will be used, otherwise a random secret\nwill be generated. The secret will be returned in the response and you will not be able to retrieve it later on.\nWrite the secret down and keep it somwhere safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. 
Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Create an OAuth 2.0 Client", "operationId": "createOAuth2Client", "parameters": [ { "name": "Body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/oAuth2Client" } } ], "responses": { "201": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/clients/{id}": { "get": { "description": "Get an OAuth 2.0 client by its ID. This endpoint never returns the client secret.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Get an OAuth 2.0 Client", "operationId": "getOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true } ], "responses": { "200": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "put": { "description": "Update an existing OAuth 2.0 Client. If you pass `client_secret` the secret will be updated and returned via the API.\nThis is the only time you will be able to retrieve the client secret, so write it down and keep it safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. 
Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Update an OAuth 2.0 Client", "operationId": "updateOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true }, { "name": "Body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/oAuth2Client" } } ], "responses": { "200": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "delete": { "description": "Delete an existing OAuth 2.0 Client by its ID.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.\n\nMake sure that this endpoint is well protected and only callable by first-party components.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Deletes an OAuth 2.0 Client", "operationId": "deleteOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "patch": { "description": "Patch an existing OAuth 2.0 Client. If you pass `client_secret`\nthe secret will be updated and returned via the API. This is the\nonly time you will be able to retrieve the client secret, so write it down and keep it safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. 
Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Patch an OAuth 2.0 Client", "operationId": "patchOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true }, { "name": "Body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/patchRequest" } } ], "responses": { "200": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/clients/{id}/lifespans": { "put": { "description": "UpdateLifespans an existing OAuth 2.0 client's token lifespan configuration. This\nclient configuration takes precedence over the instance-wide token lifespan\nconfiguration.", "consumes": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "operationId": "UpdateOAuth2ClientLifespans", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/UpdateOAuth2ClientLifespans" } } ], "responses": { "200": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/health/alive": { "get": { "description": "This endpoint returns a 200 status code when the HTTP server is up running.\nThis status does currently not include checks whether the database connection is working.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the 
health status will never\nrefer to the cluster state, only to a single instance.", "produces": [ "application/json" ], "tags": [ "admin" ], "summary": "Check Alive Status", "operationId": "isInstanceAlive", "responses": { "200": { "description": "healthStatus", "schema": { "$ref": "#/definitions/healthStatus" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/health/ready": { "get": { "description": "This endpoint returns a 200 status code when the HTTP server is up running and the environment dependencies (e.g.\nthe database) are responsive as well.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the health status will never\nrefer to the cluster state, only to a single instance.", "produces": [ "application/json" ], "tags": [ "public" ], "summary": "Check Readiness Status", "operationId": "isInstanceReady", "responses": { "200": { "description": "healthStatus", "schema": { "$ref": "#/definitions/healthStatus" } }, "503": { "description": "healthNotReadyStatus", "schema": { "$ref": "#/definitions/healthNotReadyStatus" } } } } }, "/keys/{set}": { "get": { "description": "This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. 
ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Retrieve a JSON Web Key Set", "operationId": "getJsonWebKeySet", "parameters": [ { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true } ], "responses": { "200": { "description": "JSONWebKeySet", "schema": { "$ref": "#/definitions/JSONWebKeySet" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "403": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "put": { "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. 
ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Update a JSON Web Key Set", "operationId": "updateJsonWebKeySet", "parameters": [ { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/JSONWebKeySet" } } ], "responses": { "200": { "description": "JSONWebKeySet", "schema": { "$ref": "#/definitions/JSONWebKeySet" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "403": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "post": { "description": "This endpoint is capable of generating JSON Web Key Sets for you. There are different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymmetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. 
ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Generate a New JSON Web Key", "operationId": "createJsonWebKeySet", "parameters": [ { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/jsonWebKeySetGeneratorRequest" } } ], "responses": { "201": { "description": "JSONWebKeySet", "schema": { "$ref": "#/definitions/JSONWebKeySet" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "403": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "delete": { "description": "Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. 
ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Delete a JSON Web Key Set", "operationId": "deleteJsonWebKeySet", "parameters": [ { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "403": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/keys/{set}/{kid}": { "get": { "description": "This endpoint returns a singular JSON Web Key, identified by the set and the specific key ID (kid).", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Fetch a JSON Web Key", "operationId": "getJsonWebKey", "parameters": [ { "type": "string", "description": "The kid of the desired key", "name": "kid", "in": "path", "required": true }, { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true } ], "responses": { "200": { "description": "JSONWebKeySet", "schema": { "$ref": "#/definitions/JSONWebKeySet" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "put": { "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. 
A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Update a JSON Web Key", "operationId": "updateJsonWebKey", "parameters": [ { "type": "string", "description": "The kid of the desired key", "name": "kid", "in": "path", "required": true }, { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/JSONWebKey" } } ], "responses": { "200": { "description": "JSONWebKey", "schema": { "$ref": "#/definitions/JSONWebKey" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "403": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "delete": { "description": "Use this endpoint to delete a single JSON Web Key.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. 
ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Delete a JSON Web Key", "operationId": "deleteJsonWebKey", "parameters": [ { "type": "string", "description": "The kid of the desired key", "name": "kid", "in": "path", "required": true }, { "type": "string", "description": "The set", "name": "set", "in": "path", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "403": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth": { "get": { "description": "This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows.\nOAuth2 is a very popular protocol and a library for your programming language will exists.\n\nTo learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749", "consumes": [ "application/x-www-form-urlencoded" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "The OAuth 2.0 Authorize Endpoint", "operationId": "oauthAuth", "responses": { "302": { "$ref": "#/responses/emptyResponse" }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/consent": { "get": { "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\nto authenticate the subject and then tell ORY Hydra now about it. 
If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to\ngrant or deny the client access to the requested scope (\"Application my-dropbox-app wants write access to all your private files\").\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted\nor rejected the request.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Get Consent Request Information", "operationId": "getConsentRequest", "parameters": [ { "type": "string", "name": "consent_challenge", "in": "query", "required": true } ], "responses": { "200": { "description": "consentRequest", "schema": { "$ref": "#/definitions/consentRequest" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "410": { "description": "requestWasHandledResponse", "schema": { "$ref": "#/definitions/requestWasHandledResponse" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/consent/accept": { "put": { "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\nto authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent provider which handles this request and is a web app implemented and hosted by you. 
It shows a subject interface which asks the subject to\ngrant or deny the client access to the requested scope (\"Application my-dropbox-app wants write access to all your private files\").\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted\nor rejected the request.\n\nThis endpoint tells ORY Hydra that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider includes additional information, such as session data for access and ID tokens, and if the\nconsent request should be used as basis for future requests.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Accept a Consent Request", "operationId": "acceptConsentRequest", "parameters": [ { "type": "string", "name": "consent_challenge", "in": "query", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/acceptConsentRequest" } } ], "responses": { "200": { "description": "completedRequest", "schema": { "$ref": "#/definitions/completedRequest" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/consent/reject": { "put": { "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\nto authenticate the subject and then tell ORY Hydra now about it. 
If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to\ngrant or deny the client access to the requested scope (\"Application my-dropbox-app wants write access to all your private files\").\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted\nor rejected the request.\n\nThis endpoint tells ORY Hydra that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider must include a reason why the consent was not granted.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Reject a Consent Request", "operationId": "rejectConsentRequest", "parameters": [ { "type": "string", "name": "consent_challenge", "in": "query", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/rejectRequest" } } ], "responses": { "200": { "description": "completedRequest", "schema": { "$ref": "#/definitions/completedRequest" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/login": { "get": { "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity provider\") to authenticate the subject and then 
tell ORY Hydra now about it. The login\nprovider is a web app you write and host, and it must be able to authenticate (\"show the subject a login screen\")\na subject (in OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Get a Login Request", "operationId": "getLoginRequest", "parameters": [ { "type": "string", "name": "login_challenge", "in": "query", "required": true } ], "responses": { "200": { "description": "loginRequest", "schema": { "$ref": "#/definitions/loginRequest" } }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "410": { "description": "requestWasHandledResponse", "schema": { "$ref": "#/definitions/requestWasHandledResponse" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/login/accept": { "put": { "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity provider\") to authenticate the subject and then tell ORY Hydra now about it. The login\nprovider is a web app you write and host, and it must be able to authenticate (\"show the subject a login screen\")\na subject (in OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected. 
The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells ORY Hydra that the subject has successfully authenticated and includes additional information such as\nthe subject's ID and if ORY Hydra should remember the subject's user-agent for future authentication attempts by setting\na cookie.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Accept a Login Request", "operationId": "acceptLoginRequest", "parameters": [ { "type": "string", "name": "login_challenge", "in": "query", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/acceptLoginRequest" } } ], "responses": { "200": { "description": "completedRequest", "schema": { "$ref": "#/definitions/completedRequest" } }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/login/reject": { "put": { "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity provider\") to authenticate the subject and then tell ORY Hydra now about it. The login\nprovider is a web app you write and host, and it must be able to authenticate (\"show the subject a login screen\")\na subject (in OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected. 
The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells ORY Hydra that the subject has not authenticated and includes a reason why the authentication\nwas denied.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Reject a Login Request", "operationId": "rejectLoginRequest", "parameters": [ { "type": "string", "name": "login_challenge", "in": "query", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/rejectRequest" } } ], "responses": { "200": { "description": "completedRequest", "schema": { "$ref": "#/definitions/completedRequest" } }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/logout": { "get": { "description": "Use this endpoint to fetch a logout request.", "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Get a Logout Request", "operationId": "getLogoutRequest", "parameters": [ { "type": "string", "name": "logout_challenge", "in": "query", "required": true } ], "responses": { "200": { "description": "logoutRequest", "schema": { "$ref": "#/definitions/logoutRequest" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "410": { "description": "requestWasHandledResponse", "schema": { "$ref": "#/definitions/requestWasHandledResponse" } }, "500": { "description": "jsonError", "schema": { "$ref": 
"#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/logout/accept": { "put": { "description": "When a user or an application requests ORY Hydra to log out a user, this endpoint is used to confirm that logout request.\nNo body is required.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.", "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Accept a Logout Request", "operationId": "acceptLogoutRequest", "parameters": [ { "type": "string", "name": "logout_challenge", "in": "query", "required": true } ], "responses": { "200": { "description": "completedRequest", "schema": { "$ref": "#/definitions/completedRequest" } }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/requests/logout/reject": { "put": { "description": "When a user or an application requests ORY Hydra to log out a user, this endpoint is used to deny that logout request.\nNo body is required.\n\nThe response is empty as the logout provider has to choose what action to perform next.", "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Reject a Logout Request", "operationId": "rejectLogoutRequest", "parameters": [ { "type": "string", "name": "logout_challenge", "in": "query", "required": true }, { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/rejectRequest" } } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "404": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/sessions/consent": { "get": { "description": "This endpoint lists all of a subject's granted consent sessions, including client and granted scope.\nIf the subject is unknown or 
has not granted any consent sessions yet, the endpoint returns an\nempty JSON array with status code 200 OK.\n\n\nThe \"Link\" header is also included in successful responses, which contains one or more links for pagination, formatted like so: '\u003chttps://hydra-url/admin/oauth2/auth/sessions/consent?subject={user}\u0026limit={limit}\u0026offset={offset}\u003e; rel=\"{page}\"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'.\nMultiple links can be included in this header, and will be separated by a comma.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Lists All Consent Sessions of a Subject", "operationId": "listSubjectConsentSessions", "parameters": [ { "type": "string", "name": "subject", "in": "query", "required": true }, { "type": "integer", "format": "int64", "description": "The maximum number of consent sessions to be returned, upper bound is 500 sessions.", "name": "limit", "in": "query" }, { "type": "integer", "format": "int64", "description": "The offset from where to start looking.", "name": "offset", "in": "query" } ], "responses": { "200": { "$ref": "#/responses/handledConsentRequestList" }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "delete": { "description": "This endpoint revokes a subject's granted consent sessions for a specific OAuth 2.0 Client and invalidates all\nassociated OAuth 2.0 Access Tokens.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Revokes Consent Sessions of a Subject for a Specific OAuth 2.0 Client", "operationId": "revokeConsentSessions", "parameters": [ { "type": "string", "description": "The subject (Subject) whose consent sessions should be deleted.", "name": 
"subject", "in": "query", "required": true }, { "type": "string", "description": "If set, deletes only those consent sessions by the Subject that have been granted to the specified OAuth 2.0 Client ID", "name": "client", "in": "query" }, { "type": "boolean", "description": "If set to `?all=true`, deletes all consent sessions by the Subject that have been granted.", "name": "all", "in": "query" } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/auth/sessions/login": { "delete": { "description": "This endpoint invalidates a subject's authentication session. After revoking the authentication session, the subject\nhas to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens and does not work with OpenID Connect\nFront- or Back-channel logout.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Invalidates All Login Sessions of a Certain User\nInvalidates a Subject's Authentication Session", "operationId": "revokeAuthenticationSession", "parameters": [ { "type": "string", "name": "subject", "in": "query", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/flush": { "post": { "description": "This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be\ntouched, in case you want to keep recent tokens for auditing. 
Refresh tokens cannot be flushed as they are deleted\nautomatically when performing the refresh flow.", "consumes": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Flush Expired OAuth2 Access Tokens", "operationId": "flushInactiveOAuth2Tokens", "parameters": [ { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/flushInactiveOAuth2TokensRequest" } } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/introspect": { "post": { "description": "The introspection endpoint allows you to check whether a token (both refresh and access) is active or not. An active token\nis neither expired nor revoked. If a token is active, additional information on the token will be included. You can\nset additional data for a token by setting `accessTokenExtra` during the consent flow.\n\nFor more information [read this blog post](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/).", "consumes": [ "application/x-www-form-urlencoded" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Introspect OAuth2 Tokens", "operationId": "introspectOAuth2Token", "parameters": [ { "type": "string", "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0. For refresh tokens, this is the \"refresh_token\"\nvalue returned.", "name": "token", "in": "formData", "required": true }, { "type": "string", "description": "An optional, space separated list of required scopes. 
If the access token was not granted one of the\nscopes, the result of active will be false.", "name": "scope", "in": "formData" } ], "responses": { "200": { "description": "oAuth2TokenIntrospection", "schema": { "$ref": "#/definitions/oAuth2TokenIntrospection" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/register": { "post": { "description": "This endpoint behaves like the administrative counterpart (`createOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. It can be enabled by an administrator.\n\nPlease note that using this endpoint you are not able to choose the `client_secret` nor the `client_id` as those\nvalues will be server generated when specifying `token_endpoint_auth_method` as `client_secret_basic` or\n`client_secret_post`.\n\nThe `client_secret` will be returned in the response and you will not be able to retrieve it later on.\nWrite the secret down and keep it somewhere safe.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "Register an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", "operationId": "dynamicClientRegistrationCreateOAuth2Client", "parameters": [ { "name": "Body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/oAuth2Client" } } ], "responses": { "201": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/register/{id}": { "get": { "description": "This endpoint behaves like the 
administrative counterpart (`getOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. It can be enabled by an administrator.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "Get an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", "operationId": "dynamicClientRegistrationGetOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true } ], "responses": { "200": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "put": { "description": "This endpoint behaves like the administrative counterpart (`updateOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. 
It can be enabled by an administrator.\n\nIf you pass `client_secret` the secret will be updated and returned via the API.\nThis is the only time you will be able to retrieve the client secret, so write it down and keep it safe.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "Update an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", "operationId": "dynamicClientRegistrationUpdateOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true }, { "name": "Body", "in": "body", "required": true, "schema": { "$ref": "#/definitions/oAuth2Client" } } ], "responses": { "200": { "description": "oAuth2Client", "schema": { "$ref": "#/definitions/oAuth2Client" } }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } }, "delete": { "description": "This endpoint behaves like the administrative counterpart (`deleteOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. 
It can be enabled by an administrator.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "Deletes an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", "operationId": "dynamicClientRegistrationDeleteOAuth2Client", "parameters": [ { "type": "string", "description": "The id of the OAuth 2.0 Client.", "name": "id", "in": "path", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "default": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/revoke": { "post": { "security": [ { "basic": [] }, { "oauth2": [] } ], "description": "Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no\nlonger be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.\nRevoking a refresh token also invalidates the access token that was created with it. 
A token may only be revoked by\nthe client the token was generated for.", "consumes": [ "application/x-www-form-urlencoded" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "Revoke OAuth2 Tokens", "operationId": "revokeOAuth2Token", "parameters": [ { "type": "string", "name": "token", "in": "formData", "required": true } ], "responses": { "200": { "$ref": "#/responses/emptyResponse" }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/sessions/logout": { "get": { "description": "This endpoint initiates and completes user logout at Ory Hydra and initiates OpenID Connect Front-/Back-channel logout:\n\nhttps://openid.net/specs/openid-connect-frontchannel-1_0.html\nhttps://openid.net/specs/openid-connect-backchannel-1_0.html\n\nBack-channel logout is performed asynchronously and does not affect logout flow.", "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "OpenID Connect Front-Backchannel Enabled Logout", "operationId": "disconnectUser", "responses": { "302": { "$ref": "#/responses/emptyResponse" } } } }, "/oauth2/token": { "post": { "security": [ { "basic": [] }, { "oauth2": [] } ], "description": "The client makes a request to the token endpoint by sending the\nfollowing parameters using the \"application/x-www-form-urlencoded\" HTTP\nrequest entity-body.\n\n\u003e Do not implement a client for this endpoint yourself. Use a library. There are many libraries\n\u003e available for any programming language. You can find a list of libraries here: https://oauth.net/code/\n\u003e\n\u003e Do note that Hydra SDK does not implement this endpoint properly. 
Use one of the libraries listed above!", "consumes": [ "application/x-www-form-urlencoded" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "The OAuth 2.0 Token Endpoint", "operationId": "oauth2Token", "parameters": [ { "type": "string", "name": "grant_type", "in": "formData", "required": true }, { "type": "string", "name": "code", "in": "formData" }, { "type": "string", "name": "refresh_token", "in": "formData" }, { "type": "string", "name": "redirect_uri", "in": "formData" }, { "type": "string", "name": "client_id", "in": "formData" } ], "responses": { "200": { "description": "oauth2TokenResponse", "schema": { "$ref": "#/definitions/oauth2TokenResponse" } }, "400": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/oauth2/tokens": { "delete": { "description": "This endpoint deletes OAuth2 access tokens issued for a client from the database", "consumes": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Delete OAuth2 Access Tokens from a Client", "operationId": "deleteOAuth2Token", "parameters": [ { "type": "string", "name": "client_id", "in": "query", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/trust/grants/jwt-bearer/issuers": { "get": { "description": "Use this endpoint to list all trusted JWT Bearer Grant Type Issuers.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "List Trusted OAuth2 JWT Bearer Grant Type Issuers", "operationId": 
"listTrustedJwtGrantIssuers", "parameters": [ { "type": "string", "description": "If optional \"issuer\" is supplied, only jwt-bearer grants with this issuer will be returned.", "name": "issuer", "in": "query" }, { "type": "integer", "format": "int64", "description": "The maximum amount of policies returned, upper bound is 500 policies", "name": "limit", "in": "query" }, { "type": "integer", "format": "int64", "description": "The offset from where to start looking.", "name": "offset", "in": "query" } ], "responses": { "200": { "description": "trustedJwtGrantIssuers", "schema": { "$ref": "#/definitions/trustedJwtGrantIssuers" } }, "500": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } } } }, "post": { "description": "Use this endpoint to establish a trust relationship for a JWT issuer\nto perform JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication\nand Authorization Grants [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Trust an OAuth2 JWT Bearer Grant Type Issuer", "operationId": "trustJwtGrantIssuer", "parameters": [ { "name": "Body", "in": "body", "schema": { "$ref": "#/definitions/trustJwtGrantIssuerBody" } } ], "responses": { "201": { "description": "trustedJwtGrantIssuer", "schema": { "$ref": "#/definitions/trustedJwtGrantIssuer" } }, "400": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } }, "409": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } }, "500": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } } } } }, "/trust/grants/jwt-bearer/issuers/{id}": { "get": { "description": "Use this endpoint to get a trusted JWT Bearer Grant Type Issuer. 
The ID is the one returned when you\ncreated the trust relationship.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Get a Trusted OAuth2 JWT Bearer Grant Type Issuer", "operationId": "getTrustedJwtGrantIssuer", "parameters": [ { "type": "string", "description": "The id of the desired grant", "name": "id", "in": "path", "required": true } ], "responses": { "200": { "description": "trustedJwtGrantIssuer", "schema": { "$ref": "#/definitions/trustedJwtGrantIssuer" } }, "404": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } }, "500": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } } } }, "delete": { "description": "Use this endpoint to delete trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you\ncreated the trust relationship.\n\nOnce deleted, the associated issuer will no longer be able to perform the JSON Web Token (JWT) Profile\nfor OAuth 2.0 Client Authentication and Authorization Grant.", "consumes": [ "application/json" ], "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "admin" ], "summary": "Delete a Trusted OAuth2 JWT Bearer Grant Type Issuer", "operationId": "deleteTrustedJwtGrantIssuer", "parameters": [ { "type": "string", "description": "The id of the desired grant", "name": "id", "in": "path", "required": true } ], "responses": { "204": { "$ref": "#/responses/emptyResponse" }, "404": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } }, "500": { "description": "genericError", "schema": { "$ref": "#/definitions/genericError" } } } } }, "/userinfo": { "get": { "security": [ { "oauth2": [] } ], "description": "This endpoint returns the payload of the ID Token, including the idTokenExtra values, of\nthe provided OAuth 2.0 Access Token.\n\nFor more information please [refer to the 
spec](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo).\n\nIn the case of authentication error, a WWW-Authenticate header might be set in the response\nwith more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3)\nfor more details about header format.", "produces": [ "application/json" ], "schemes": [ "http", "https" ], "tags": [ "public" ], "summary": "OpenID Connect Userinfo", "operationId": "userinfo", "responses": { "200": { "description": "userinfoResponse", "schema": { "$ref": "#/definitions/userinfoResponse" } }, "401": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } }, "500": { "description": "jsonError", "schema": { "$ref": "#/definitions/jsonError" } } } } }, "/version": { "get": { "description": "This endpoint returns the service version typically notated using semantic versioning.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.", "produces": [ "application/json" ], "tags": [ "admin" ], "summary": "Get Service Version", "operationId": "getVersion", "responses": { "200": { "description": "version", "schema": { "$ref": "#/definitions/version" } } } } } }, "definitions": { "DefaultSession": { "description": "IDTokenSession is a session container for the id token", "type": "object", "properties": { "expires_at": { "type": "object", "additionalProperties": { "type": "string", "format": "date-time" } }, "headers": { "$ref": "#/definitions/Headers" }, "id_token_claims": { "$ref": "#/definitions/IDTokenClaims" }, "subject": { "type": "string" }, "username": { "type": "string" } } }, "Headers": { "description": "Headers is the jwt headers", "type": "object", "properties": { "extra": { "type": "object", "additionalProperties": true } } }, "IDTokenClaims": { "description": "IDTokenClaims represent the claims used in open id connect requests", "type": "object", "properties": { "acr": { "type": 
"string" }, "amr": { "type": "array", "items": { "type": "string" } }, "at_hash": { "type": "string" }, "aud": { "type": "array", "items": { "type": "string" } }, "auth_time": { "type": "string", "format": "date-time" }, "c_hash": { "type": "string" }, "exp": { "type": "string", "format": "date-time" }, "ext": { "type": "object", "additionalProperties": true }, "iat": { "type": "string", "format": "date-time" }, "iss": { "type": "string" }, "jti": { "type": "string" }, "nonce": { "type": "string" }, "rat": { "type": "string", "format": "date-time" }, "sub": { "type": "string" } } }, "JSONRawMessage": { "type": "object", "title": "JSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger." }, "JSONWebKey": { "description": "It is important that this model object is named JSONWebKey for\n\"swagger generate spec\" to generate only one definition of a\nJSONWebKey.", "type": "object", "required": [ "use", "kty", "kid", "alg" ], "properties": { "alg": { "description": "The \"alg\" (algorithm) parameter identifies the algorithm intended for\nuse with the key. 
The values used should either be registered in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.", "type": "string", "example": "RS256" }, "crv": { "type": "string", "example": "P-256" }, "d": { "type": "string", "example": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE" }, "dp": { "type": "string", "example": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0" }, "dq": { "type": "string", "example": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk" }, "e": { "type": "string", "example": "AQAB" }, "k": { "type": "string", "example": "GawgguFyGrWKav7AX4VKUg" }, "kid": { "description": "The \"kid\" (key ID) parameter is used to match a specific key. This\nis used, for instance, to choose among a set of keys within a JWK Set\nduring key rollover. The structure of the \"kid\" value is\nunspecified. When \"kid\" values are used within a JWK Set, different\nkeys within the JWK Set SHOULD use distinct \"kid\" values. 
(One\nexample in which different keys might use the same \"kid\" value is if\nthey have different \"kty\" (key type) values but are considered to be\nequivalent alternatives by the application using them.) The \"kid\"\nvalue is a case-sensitive string.", "type": "string", "example": "1603dfe0af8f4596" }, "kty": { "description": "The \"kty\" (key type) parameter identifies the cryptographic algorithm\nfamily used with the key, such as \"RSA\" or \"EC\". \"kty\" values should\neither be registered in the IANA \"JSON Web Key Types\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name. The \"kty\" value is a case-sensitive string.", "type": "string", "example": "RSA" }, "n": { "type": "string", "example": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0" }, "p": { "type": "string", "example": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ" }, "q": { "type": "string", "example": 
"0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ" }, "qi": { "type": "string", "example": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU" }, "use": { "description": "Use (\"public key use\") identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Values are commonly \"sig\" (signature) or \"enc\" (encryption).", "type": "string", "example": "sig" }, "x": { "type": "string", "example": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU" }, "x5c": { "description": "The \"x5c\" (X.509 certificate chain) parameter contains a chain of one\nor more PKIX certificates [RFC5280]. The certificate chain is\nrepresented as a JSON array of certificate value strings. Each\nstring in the array is a base64-encoded (Section 4 of [RFC4648] --\nnot base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.\nThe PKIX certificate containing the key value MUST be the first\ncertificate.", "type": "array", "items": { "type": "string" } }, "y": { "type": "string", "example": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0" } } }, "JSONWebKeySet": { "description": "It is important that this model object is named JSONWebKeySet for\n\"swagger generate spec\" to generate only on definition of a\nJSONWebKeySet. 
Since one with the same name is previously defined as\nclient.Client.JSONWebKeys and this one is last, this one will be\neffectively written in the swagger spec.", "type": "object", "properties": { "keys": { "description": "The value of the \"keys\" parameter is an array of JWK values. By\ndefault, the order of the JWK values within the array does not imply\nan order of preference among them, although applications of JWK Sets\ncan choose to assign a meaning to the order for their purposes, if\ndesired.", "type": "array", "items": { "$ref": "#/definitions/JSONWebKey" } } } }, "JoseJSONWebKeySet": { "type": "object" }, "NullDuration": { "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", "type": "string", "title": "NullDuration represents a nullable JSON and SQL compatible time.Duration." }, "PreviousConsentSession": { "description": "The response used to return used consent requests\nsame as HandledLoginRequest, just with consent_request exposed as json", "type": "object", "properties": { "consent_request": { "$ref": "#/definitions/consentRequest" }, "grant_access_token_audience": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "grant_scope": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "handled_at": { "$ref": "#/definitions/nullTime" }, "remember": { "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", "type": "boolean" }, "remember_for": { "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. 
If set to `0`, the\nauthorization will be remembered indefinitely.", "type": "integer", "format": "int64" }, "session": { "$ref": "#/definitions/consentRequestSession" } } }, "Session": { "type": "object", "properties": { "allowed_top_level_claims": { "type": "array", "items": { "type": "string" } }, "client_id": { "type": "string" }, "consent_challenge": { "type": "string" }, "exclude_not_before_claim": { "type": "boolean" }, "expires_at": { "type": "object", "additionalProperties": { "type": "string", "format": "date-time" } }, "extra": { "type": "object", "additionalProperties": true }, "headers": { "$ref": "#/definitions/Headers" }, "id_token_claims": { "$ref": "#/definitions/IDTokenClaims" }, "kid": { "type": "string" }, "subject": { "type": "string" }, "username": { "type": "string" } } }, "StringSlicePipeDelimiter": { "type": "array", "title": "StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string.", "items": { "type": "string" } }, "UpdateOAuth2ClientLifespans": { "description": "The OIDC Hybrid grant type inherits token lifespan configuration from the implicit grant.", "type": "object", "title": "UpdateOAuth2ClientLifespans holds default lifespan configuration for the different\ntoken types that may be issued for the client. 
This configuration takes\nprecedence over fosite's instance-wide default lifespan, but it may be\noverridden by a session's expires_at claim.", "properties": { "authorization_code_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "authorization_code_grant_id_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "authorization_code_grant_refresh_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "client_credentials_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "implicit_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "implicit_grant_id_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "jwt_bearer_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "password_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "password_grant_refresh_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "refresh_token_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "refresh_token_grant_id_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "refresh_token_grant_refresh_token_lifespan": { "$ref": "#/definitions/NullDuration" } } }, "acceptConsentRequest": { "type": "object", "title": "The request payload used to accept a consent request.", "properties": { "grant_access_token_audience": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "grant_scope": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "handled_at": { "$ref": "#/definitions/nullTime" }, "remember": { "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", "type": "boolean" }, "remember_for": { "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. 
If set to `0`, the\nauthorization will be remembered indefinitely.", "type": "integer", "format": "int64" }, "session": { "$ref": "#/definitions/consentRequestSession" } } }, "acceptLoginRequest": { "type": "object", "title": "HandledLoginRequest is the request payload used to accept a login request.", "required": [ "subject" ], "properties": { "acr": { "description": "ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", "type": "string" }, "amr": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "context": { "$ref": "#/definitions/JSONRawMessage" }, "force_subject_identifier": { "description": "ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID refers to the\n(Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID\nConnect specification. It allows you to set an obfuscated subject (\"user\") identifier that is unique to the client.\n\nPlease note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the\nsub claim in the OAuth 2.0 Introspection.\n\nPer default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself\nyou can use this field. Please note that setting this field has no effect if `pairwise` is not configured in\nORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's\nconfiguration).\n\nPlease also be aware that ORY Hydra is unable to properly compute this value during authentication. 
This implies\nthat you have to compute this value on every authentication process (probably depending on the client ID or some\nother unique value).\n\nIf you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.", "type": "string" }, "remember": { "description": "Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store\na cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she\nwill not be asked to log in again.", "type": "boolean" }, "remember_for": { "description": "RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered for the duration of the browser session (using a session cookie).", "type": "integer", "format": "int64" }, "subject": { "description": "Subject is the user ID of the end-user that authenticated.", "type": "string" } } }, "completedRequest": { "type": "object", "title": "The response payload sent when accepting or rejecting a login or consent request.", "required": [ "redirect_to" ], "properties": { "redirect_to": { "description": "RedirectURL is the URL which you should redirect the user to once the authentication process is completed.", "type": "string" } } }, "consentRequest": { "type": "object", "title": "Contains information on an ongoing consent request.", "required": [ "challenge" ], "properties": { "acr": { "description": "ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", "type": "string" }, "amr": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "challenge": { "description": "ID is the identifier (\"authorization challenge\") of the consent authorization request. 
It is used to\nidentify the session.", "type": "string" }, "client": { "$ref": "#/definitions/oAuth2Client" }, "context": { "$ref": "#/definitions/JSONRawMessage" }, "login_challenge": { "description": "LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate\na login and consent request in the login \u0026 consent app.", "type": "string" }, "login_session_id": { "description": "LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", "type": "string" }, "oidc_context": { "$ref": "#/definitions/openIDConnectContext" }, "request_url": { "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", "type": "string" }, "requested_access_token_audience": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "requested_scope": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "skip": { "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you must not ask the user to grant the requested scopes. You must however either allow or deny the\nconsent request using the usual API call.", "type": "boolean" }, "subject": { "description": "Subject is the user ID of the end-user that authenticated. 
Now that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.", "type": "string" } } }, "consentRequestSession": { "type": "object", "title": "Used to pass session data to a consent request.", "properties": { "access_token": { "description": "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the\nrefresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.\nIf only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties\ncan access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!", "type": "object", "additionalProperties": true }, "id_token": { "description": "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session's payloads are readable\nby anyone that has access to the ID Challenge. Use with care!", "type": "object", "additionalProperties": true } } }, "flushInactiveOAuth2TokensRequest": { "type": "object", "properties": { "notAfter": { "description": "NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history\nof recently issued tokens for auditing.", "type": "string", "format": "date-time" } } }, "flushLoginConsentRequest": { "type": "object", "properties": { "notAfter": { "description": "NotAfter sets after which point tokens should not be flushed. 
This is useful when you want to keep a history\nof recent login and consent database entries for auditing.", "type": "string", "format": "date-time" } } }, "genericError": { "type": "object", "required": [ "message" ], "properties": { "code": { "description": "The status code", "type": "integer", "format": "int64", "example": 404 }, "debug": { "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", "type": "string", "example": "SQL field \"foo\" is not a bool." }, "details": { "description": "Further error details", "type": "object", "additionalProperties": true }, "id": { "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", "type": "string" }, "message": { "description": "Error message\n\nThe error's message.", "type": "string", "example": "The resource could not be found" }, "reason": { "description": "A human-readable reason for the error", "type": "string", "example": "User with ID 1234 does not exist." }, "request": { "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", "type": "string", "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6" }, "status": { "description": "The status description", "type": "string", "example": "Not Found" } } }, "healthNotReadyStatus": { "type": "object", "properties": { "errors": { "description": "Errors contains a list of errors that caused the not ready status.", "type": "object", "additionalProperties": { "type": "string" } } } }, "healthStatus": { "type": "object", "properties": { "status": { "description": "Status always contains \"ok\".", "type": "string" } } }, "jsonError": { "description": "Error responses are sent when an error (e.g. unauthorized, bad request, ...) 
occurred.", "type": "object", "title": "Generic Error Response", "properties": { "error": { "description": "Name is the error name.", "type": "string", "example": "The requested resource could not be found" }, "error_debug": { "description": "Debug contains debug information. This is usually not available and has to be enabled.", "type": "string", "example": "The database adapter was unable to find the element" }, "error_description": { "description": "Description contains further information on the nature of the error.", "type": "string", "example": "Object with ID 12345 does not exist" }, "status_code": { "description": "Code represents the error status code (404, 403, 401, ...).", "type": "integer", "format": "int64", "example": 404 } } }, "jsonWebKeySetGeneratorRequest": { "type": "object", "required": [ "alg", "use", "kid" ], "properties": { "alg": { "description": "The algorithm to be used for creating the key. Supports \"RS256\", \"ES256\", \"ES512\", \"HS512\", and \"HS256\"", "type": "string" }, "kid": { "description": "The kid of the key to be created", "type": "string" }, "use": { "description": "The \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Valid values are \"enc\" and \"sig\".", "type": "string" } } }, "loginRequest": { "type": "object", "title": "Contains information on an ongoing login request.", "required": [ "challenge", "requested_scope", "requested_access_token_audience", "skip", "subject", "client", "request_url" ], "properties": { "challenge": { "description": "ID is the identifier (\"login challenge\") of the login request. 
It is used to\nidentify the session.", "type": "string" }, "client": { "$ref": "#/definitions/oAuth2Client" }, "oidc_context": { "$ref": "#/definitions/openIDConnectContext" }, "request_url": { "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", "type": "string" }, "requested_access_token_audience": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "requested_scope": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "session_id": { "description": "SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", "type": "string" }, "skip": { "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.", "type": "boolean" }, "subject": { "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client. 
If this value is set and `skip` is true, you MUST include this subject type\nwhen accepting the login request, or the request will fail.", "type": "string" } } }, "logoutRequest": { "type": "object", "title": "Contains information about an ongoing logout request.", "properties": { "challenge": { "description": "Challenge is the identifier (\"logout challenge\") of the logout authentication request. It is used to\nidentify the session.", "type": "string" }, "client": { "$ref": "#/definitions/oAuth2Client" }, "request_url": { "description": "RequestURL is the original Logout URL requested.", "type": "string" }, "rp_initiated": { "description": "RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.", "type": "boolean" }, "sid": { "description": "SessionID is the login session ID that was requested to log out.", "type": "string" }, "subject": { "description": "Subject is the user for whom the logout was requested.", "type": "string" } } }, "nullTime": { "type": "string", "format": "date-time", "title": "NullTime implements sql.NullTime functionality." 
}, "oAuth2AccessRequest": { "type": "object", "title": "Requester is a token endpoint's request context.", "properties": { "client_id": { "description": "ClientID is the identifier of the OAuth 2.0 client.", "type": "string" }, "grant_types": { "description": "GrantTypes is the requests grant types.", "type": "array", "items": { "type": "string" } }, "granted_audience": { "description": "GrantedAudience is the list of audiences granted to the OAuth 2.0 client.", "type": "array", "items": { "type": "string" } }, "granted_scopes": { "description": "GrantedScopes is the list of scopes granted to the OAuth 2.0 client.", "type": "array", "items": { "type": "string" } } } }, "oAuth2Client": { "type": "object", "title": "Client represents an OAuth 2.0 Client.", "properties": { "allowed_cors_origins": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "audience": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "authorization_code_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "authorization_code_grant_id_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "authorization_code_grant_refresh_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "backchannel_logout_session_required": { "description": "Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", "type": "boolean" }, "backchannel_logout_uri": { "description": "RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", "type": "string" }, "client_credentials_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "client_id": { "description": "ID is the id for this client.", "type": "string" }, "client_name": { "description": "Name is the human-readable string name of the client to be presented to the\nend-user during authorization.", "type": "string" }, 
"client_secret": { "description": "Secret is the client's secret. The secret will be included in the create request as cleartext, and then\nnever again. The secret is stored using BCrypt so it cannot be recovered. Tell your users\nthat they need to write the secret down as it will not be made available again.", "type": "string" }, "client_secret_expires_at": { "description": "SecretExpiresAt is an integer holding the time at which the client\nsecret will expire or 0 if it will not expire. The time is\nrepresented as the number of seconds from 1970-01-01T00:00:00Z as\nmeasured in UTC until the date/time of expiration.\n\nThis feature is currently not supported and its value will always\nbe set to 0.", "type": "integer", "format": "int64" }, "client_uri": { "description": "ClientURI is a URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", "type": "string" }, "contacts": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "created_at": { "description": "CreatedAt returns the timestamp of the client's creation.", "type": "string", "format": "date-time" }, "frontchannel_logout_session_required": { "description": "Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", "type": "boolean" }, "frontchannel_logout_uri": { "description": "RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. 
An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", "type": "string" }, "grant_types": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "implicit_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "implicit_grant_id_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "jwks": { "$ref": "#/definitions/JoseJSONWebKeySet" }, "jwks_uri": { "description": "URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. 
When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", "type": "string" }, "jwt_bearer_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "logo_uri": { "description": "LogoURI is an URL string that references a logo for the client.", "type": "string" }, "metadata": { "$ref": "#/definitions/JSONRawMessage" }, "owner": { "description": "Owner is a string identifying the owner of the OAuth 2.0 Client.", "type": "string" }, "password_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "password_grant_refresh_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "policy_uri": { "description": "PolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", "type": "string" }, "post_logout_redirect_uris": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "redirect_uris": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "refresh_token_grant_access_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "refresh_token_grant_id_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "refresh_token_grant_refresh_token_lifespan": { "$ref": "#/definitions/NullDuration" }, "registration_access_token": { "description": "RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client.", "type": "string" }, "registration_client_uri": { "description": "RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", "type": "string" }, "request_object_signing_alg": { "description": "JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. 
All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", "type": "string" }, "request_uris": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "response_types": { "$ref": "#/definitions/StringSlicePipeDelimiter" }, "scope": { "description": "Scope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", "type": "string", "pattern": "([a-zA-Z0-9\\.\\*]+\\s?)+" }, "sector_identifier_uri": { "description": "URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", "type": "string" }, "subject_type": { "description": "SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", "type": "string" }, "token_endpoint_auth_method": { "description": "Requested Client Authentication method for the Token Endpoint. The options are client_secret_post,\nclient_secret_basic, private_key_jwt, and none.", "type": "string" }, "token_endpoint_auth_signing_alg": { "description": "Requested Client Authentication signing algorithm for the Token Endpoint.", "type": "string" }, "tos_uri": { "description": "TermsOfServiceURI is a URL string that points to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", "type": "string" }, "updated_at": { "description": "UpdatedAt returns the timestamp of the last update.", "type": "string", "format": "date-time" }, "userinfo_signed_response_alg": { "description": "JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. 
If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", "type": "string" } } }, "oAuth2TokenIntrospection": { "description": "https://tools.ietf.org/html/rfc7662", "type": "object", "title": "Introspection contains an access token's session data as specified by IETF RFC 7662, see:", "required": [ "active" ], "properties": { "active": { "description": "Active is a boolean indicator of whether or not the presented token\nis currently active. The specifics of a token's \"active\" state\nwill vary depending on the implementation of the authorization\nserver and the information it keeps about its tokens, but a \"true\"\nvalue return for the \"active\" property will generally indicate\nthat a given token has been issued by this authorization server,\nhas not been revoked by the resource owner, and is within its\ngiven time window of validity (e.g., after its issuance time and\nbefore its expiration time).", "type": "boolean" }, "aud": { "description": "Audience contains a list of the token's intended audiences.", "type": "array", "items": { "type": "string" } }, "client_id": { "description": "ID is a client identifier for the OAuth 2.0 client that\nrequested this token.", "type": "string" }, "exp": { "description": "Expires at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token will expire.", "type": "integer", "format": "int64" }, "ext": { "description": "Extra is arbitrary data set by the session.", "type": "object", "additionalProperties": true }, "iat": { "description": "Issued at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token was\noriginally issued.", "type": "integer", "format": "int64" }, "iss": { "description": "IssuerURL is a string representing the issuer of 
this token", "type": "string" }, "nbf": { "description": "NotBefore is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token is not to be\nused before.", "type": "integer", "format": "int64" }, "obfuscated_subject": { "description": "ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization.\nIt is the `sub` value of the ID Token that was issued.", "type": "string" }, "scope": { "description": "Scope is a JSON string containing a space-separated list of\nscopes associated with this token.", "type": "string" }, "sub": { "description": "Subject of the token, as defined in JWT [RFC7519].\nUsually a machine-readable identifier of the resource owner who\nauthorized this token.", "type": "string" }, "token_type": { "description": "TokenType is the introspected token's type, typically `Bearer`.", "type": "string" }, "token_use": { "description": "TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.", "type": "string" }, "username": { "description": "Username is a human-readable identifier for the resource owner who\nauthorized this token.", "type": "string" } } }, "oauth2TokenResponse": { "description": "The Access Token Response", "type": "object", "properties": { "access_token": { "type": "string" }, "expires_in": { "type": "integer", "format": "int64" }, "id_token": { "type": "string" }, "refresh_token": { "type": "string" }, "scope": { "type": "string" }, "token_type": { "type": "string" } } }, "oauthTokenResponse": { "description": "The token response", "type": "object", "properties": { "access_token": { "description": "The access token issued by the authorization server.", "type": "string" }, "expires_in": { "description": "The lifetime in seconds of the access token. 
For\nexample, the value \"3600\" denotes that the access token will\nexpire in one hour from the time the response was generated.", "type": "integer", "format": "int64" }, "id_token": { "description": "To retrieve a refresh token request the id_token scope.", "type": "integer", "format": "int64" }, "refresh_token": { "description": "The refresh token, which can be used to obtain new\naccess tokens. To retrieve it add the scope \"offline\" to your access token request.", "type": "string" }, "scope": { "description": "The scope of the access token", "type": "integer", "format": "int64" }, "token_type": { "description": "The type of the token issued", "type": "string" } } }, "openIDConnectContext": { "type": "object", "title": "Contains optional information about the OpenID Connect request.", "properties": { "acr_values": { "description": "ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.\nIt is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.\n\nOpenID Connect defines it as follows:\n\u003e Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values\nthat the Authorization Server is being requested to use for processing this Authentication Request, with the\nvalues appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication\nperformed is returned as the acr Claim Value, as specified in Section 2. 
The acr Claim is requested as a\nVoluntary Claim by this parameter.", "type": "array", "items": { "type": "string" } }, "display": { "description": "Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.\nThe defined values are:\npage: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.\npopup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.\ntouch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.\nwap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display.\n\nThe Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.", "type": "string" }, "id_token_hint_claims": { "description": "IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the\nEnd-User's current or past authenticated session with the Client.", "type": "object", "additionalProperties": true }, "login_hint": { "description": "LoginHint hints about the login identifier the End-User might use to log in (if necessary).\nThis hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)\nand then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a\nphone number in the format specified for the phone_number Claim. 
The use of this parameter is optional.", "type": "string" }, "ui_locales": { "description": "UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a\nspace-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value\n\"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation),\nfollowed by English (without a region designation). An error SHOULD NOT result if some or all of the requested\nlocales are not supported by the OpenID Provider.", "type": "array", "items": { "type": "string" } } } }, "patchDocument": { "description": "A JSONPatch document as defined by RFC 6902", "type": "object", "required": [ "op", "path" ], "properties": { "from": { "description": "A JSON-pointer", "type": "string" }, "op": { "description": "The operation to be performed", "type": "string", "example": "\"replace\"" }, "path": { "description": "A JSON-pointer", "type": "string", "example": "\"/name\"" }, "value": { "description": "The value to be used within the operations", "type": "object" } } }, "patchRequest": { "description": "A JSONPatch request", "type": "array", "items": { "$ref": "#/definitions/patchDocument" } }, "refreshTokenHookRequest": { "type": "object", "title": "RefreshTokenHookRequest is the request body sent to the refresh token hook.", "properties": { "client_id": { "description": "ClientID is the identifier of the OAuth 2.0 client.", "type": "string" }, "granted_audience": { "description": "GrantedAudience is the list of audiences granted to the OAuth 2.0 client.", "type": "array", "items": { "type": "string" } }, "granted_scopes": { "description": "GrantedScopes is the list of scopes granted to the OAuth 2.0 client.", "type": "array", "items": { "type": "string" } }, "requester": { "$ref": "#/definitions/oAuth2AccessRequest" }, "session": { "$ref": "#/definitions/Session" }, "subject": { "description": "Subject is the 
identifier of the authenticated end-user.", "type": "string" } } }, "refreshTokenHookResponse": { "type": "object", "title": "RefreshTokenHookResponse is the response body received from the refresh token hook.", "properties": { "session": { "$ref": "#/definitions/consentRequestSession" } } }, "rejectRequest": { "type": "object", "title": "The request payload used to accept a login or consent request.", "properties": { "error": { "description": "The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).\n\nDefaults to `request_denied`.", "type": "string" }, "error_debug": { "description": "Debug contains information to help resolve the problem as a developer. Usually not exposed\nto the public but only in the server logs.", "type": "string" }, "error_description": { "description": "Description of the error in a human readable format.", "type": "string" }, "error_hint": { "description": "Hint to help resolve the error.", "type": "string" }, "status_code": { "description": "Represents the HTTP status code of the error (e.g. 
401 or 403)\n\nDefaults to 400", "type": "integer", "format": "int64" } } }, "requestWasHandledResponse": { "type": "object", "title": "The response payload sent when there is an attempt to access already handled request.", "required": [ "redirect_to" ], "properties": { "redirect_to": { "description": "Original request URL to which you should redirect the user if request was already handled.", "type": "string" } } }, "trustJwtGrantIssuerBody": { "type": "object", "required": [ "issuer", "scope", "jwk", "expires_at" ], "properties": { "allow_any_subject": { "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", "type": "boolean" }, "expires_at": { "description": "The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\".", "type": "string", "format": "date-time" }, "issuer": { "description": "The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT).", "type": "string", "example": "https://jwt-idp.example.com" }, "jwk": { "$ref": "#/definitions/JSONWebKey" }, "scope": { "description": "The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])", "type": "array", "items": { "type": "string" }, "example": [ "openid", "offline" ] }, "subject": { "description": "The \"subject\" identifies the principal that is the subject of the JWT.", "type": "string", "example": "mike@example.com" } } }, "trustedJsonWebKey": { "type": "object", "properties": { "kid": { "description": "The \"key_id\" is key unique identifier (same as kid header in jws/jwt).", "type": "string", "example": "123e4567-e89b-12d3-a456-426655440000" }, "set": { "description": "The \"set\" is basically a name for a group(set) of keys. 
Will be the same as \"issuer\" in grant.", "type": "string", "example": "https://jwt-idp.example.com" } } }, "trustedJwtGrantIssuer": { "type": "object", "properties": { "allow_any_subject": { "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", "type": "boolean" }, "created_at": { "description": "The \"created_at\" indicates, when grant was created.", "type": "string", "format": "date-time" }, "expires_at": { "description": "The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\".", "type": "string", "format": "date-time" }, "id": { "type": "string", "example": "9edc811f-4e28-453c-9b46-4de65f00217f" }, "issuer": { "description": "The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT).", "type": "string", "example": "https://jwt-idp.example.com" }, "public_key": { "$ref": "#/definitions/trustedJsonWebKey" }, "scope": { "description": "The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])", "type": "array", "items": { "type": "string" }, "example": [ "openid", "offline" ] }, "subject": { "description": "The \"subject\" identifies the principal that is the subject of the JWT.", "type": "string", "example": "mike@example.com" } } }, "trustedJwtGrantIssuers": { "type": "array", "items": { "$ref": "#/definitions/trustedJwtGrantIssuer" } }, "userinfoResponse": { "description": "The userinfo response", "type": "object", "properties": { "birthdate": { "description": "End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. 
Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.", "type": "string" }, "email": { "description": "End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.", "type": "string" }, "email_verified": { "description": "True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.", "type": "boolean" }, "family_name": { "description": "Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.", "type": "string" }, "gender": { "description": "End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.", "type": "string" }, "given_name": { "description": "Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.", "type": "string" }, "locale": { "description": "End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. 
As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.", "type": "string" }, "middle_name": { "description": "Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.", "type": "string" }, "name": { "description": "End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.", "type": "string" }, "nickname": { "description": "Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.", "type": "string" }, "phone_number": { "description": "End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.", "type": "string" }, "phone_number_verified": { "description": "True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. 
When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.", "type": "boolean" }, "picture": { "description": "URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.", "type": "string" }, "preferred_username": { "description": "Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.", "type": "string" }, "profile": { "description": "URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.", "type": "string" }, "sub": { "description": "Subject - Identifier for the End-User at the IssuerURL.", "type": "string" }, "updated_at": { "description": "Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.", "type": "integer", "format": "int64" }, "website": { "description": "URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.", "type": "string" }, "zoneinfo": { "description": "String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.", "type": "string" } } }, "version": { "type": "object", "properties": { "version": { "description": "Version is the service's version.", "type": "string" } } }, "wellKnown": { "description": "It includes links to several endpoints (e.g. 
/oauth2/token) and exposes information on supported signature algorithms\namong others.", "type": "object", "title": "WellKnown represents important OpenID Connect discovery metadata", "required": [ "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "subject_types_supported", "response_types_supported", "id_token_signing_alg_values_supported" ], "properties": { "authorization_endpoint": { "description": "URL of the OP's OAuth 2.0 Authorization Endpoint.", "type": "string", "example": "https://playground.ory.sh/ory-hydra/public/oauth2/auth" }, "backchannel_logout_session_supported": { "description": "Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP\nsession with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP", "type": "boolean" }, "backchannel_logout_supported": { "description": "Boolean value specifying whether the OP supports back-channel logout, with true indicating support.", "type": "boolean" }, "claims_parameter_supported": { "description": "Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.", "type": "boolean" }, "claims_supported": { "description": "JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply\nvalues for. 
Note that for privacy or other reasons, this might not be an exhaustive list.", "type": "array", "items": { "type": "string" } }, "code_challenge_methods_supported": { "description": "JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported\nby this authorization server.", "type": "array", "items": { "type": "string" } }, "end_session_endpoint": { "description": "URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.", "type": "string" }, "frontchannel_logout_session_supported": { "description": "Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify\nthe RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also\nincluded in ID Tokens issued by the OP.", "type": "boolean" }, "frontchannel_logout_supported": { "description": "Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.", "type": "boolean" }, "grant_types_supported": { "description": "JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.", "type": "array", "items": { "type": "string" } }, "id_token_signing_alg_values_supported": { "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.", "type": "array", "items": { "type": "string" } }, "issuer": { "description": "URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.", "type": "string", "example": "https://playground.ory.sh/ory-hydra/public/" }, "jwks_uri": { "description": "URL of the OP's JSON Web Key Set [JWK] document. 
This contains the signing key(s) the RP uses to validate\nsignatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs\nto encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)\nparameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.\nAlthough some algorithms allow the same key to be used for both signatures and encryption, doing so is\nNOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of\nkeys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.", "type": "string", "example": "https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json" }, "registration_endpoint": { "description": "URL of the OP's Dynamic Client Registration Endpoint.", "type": "string", "example": "https://playground.ory.sh/ory-hydra/admin/client" }, "request_object_signing_alg_values_supported": { "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,\nwhich are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. 
These algorithms are used both when\nthe Request Object is passed by value (using the request parameter) and when it is passed by reference\n(using the request_uri parameter).", "type": "array", "items": { "type": "string" } }, "request_parameter_supported": { "description": "Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.", "type": "boolean" }, "request_uri_parameter_supported": { "description": "Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.", "type": "boolean" }, "require_request_uri_registration": { "description": "Boolean value specifying whether the OP requires any request_uri values used to be pre-registered\nusing the request_uris registration parameter.", "type": "boolean" }, "response_modes_supported": { "description": "JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.", "type": "array", "items": { "type": "string" } }, "response_types_supported": { "description": "JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID\nProviders MUST support the code, id_token, and the token id_token Response Type values.", "type": "array", "items": { "type": "string" } }, "revocation_endpoint": { "description": "URL of the authorization server's OAuth 2.0 revocation endpoint.", "type": "string" }, "scopes_supported": { "description": "SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST\nsupport the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used", "type": "array", "items": { "type": "string" } }, "subject_types_supported": { "description": "JSON array containing a list of the Subject Identifier types that this OP supports. 
Valid types include\npairwise and public.", "type": "array", "items": { "type": "string" } }, "token_endpoint": { "description": "URL of the OP's OAuth 2.0 Token Endpoint", "type": "string", "example": "https://playground.ory.sh/ory-hydra/public/oauth2/token" }, "token_endpoint_auth_methods_supported": { "description": "JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0", "type": "array", "items": { "type": "string" } }, "userinfo_endpoint": { "description": "URL of the OP's UserInfo Endpoint.", "type": "string" }, "userinfo_signing_alg_values_supported": { "description": "JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].", "type": "array", "items": { "type": "string" } } } } ,"UUID":{"type": "string", "format": "uuid4"}}, "responses": { "emptyResponse": { "description": "Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is\ntypically 201." 
}, "handledConsentRequestList": { "description": "A list of used consent requests.", "schema": { "type": "array", "items": { "$ref": "#/definitions/PreviousConsentSession" } } }, "oAuth2ClientList": { "description": "A list of clients.", "schema": { "type": "array", "items": { "$ref": "#/definitions/oAuth2Client" } } } }, "securityDefinitions": { "basic": { "type": "basic" }, "oauth2": { "type": "oauth2", "flow": "accessCode", "authorizationUrl": "https://hydra.demo.ory.sh/oauth2/auth", "tokenUrl": "https://hydra.demo.ory.sh/oauth2/token", "scopes": { "offline": "A scope required when requesting refresh tokens (alias for `offline_access`)", "offline_access": "A scope required when requesting refresh tokens", "openid": "Request an OpenID Connect ID Token" } } }, "x-forwarded-proto": "string", "x-request-id": "string" }