lenticular_cloud2/specs/hydra.yaml

2961 lines
118 KiB
YAML
Raw Normal View History

openapi: 3.0.1
info:
title: ORY Hydra
description: Welcome to the ORY Hydra HTTP API documentation. You will find documentation
for all HTTP APIs here.
version: 1.9.2
servers:
- url: /
paths:
/.well-known/jwks.json:
get:
tags:
- public
summary: JSON Web Keys Discovery
description: |-
This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and,
if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like
[node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.
operationId: wellKnown
responses:
200:
description: JSONWebKeySet
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKeySet'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/.well-known/openid-configuration:
get:
tags:
- public
summary: OpenID Connect Discovery
description: |-
The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll
your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this
flow at https://openid.net/specs/openid-connect-discovery-1_0.html .
Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others.
For a full list of clients go here: https://openid.net/developers/certified/
operationId: discoverOpenIDConfiguration
responses:
200:
description: wellKnown
content:
application/json:
schema:
$ref: '#/components/schemas/wellKnown'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/clients:
get:
tags:
- admin
summary: List OAuth 2.0 Clients
description: |-
This endpoint lists all clients in the database, and never returns client secrets. As a default it lists the first 100 clients. The `limit` parameter can be used to retrieve more clients, but it has an upper bound at 500 objects. Pagination should be used to retrieve more than 500 objects.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
The "Link" header is also included in successful responses, which contains one or more links for pagination, formatted like so: '<https://hydra-url/admin/clients?limit={limit}&offset={offset}>; rel="{page}"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'.
Multiple links can be included in this header, and will be separated by a comma.
operationId: listOAuth2Clients
parameters:
- name: limit
in: query
description: The maximum amount of policies returned, upper bound is 500 policies
schema:
type: integer
format: int64
- name: offset
in: query
description: The offset from where to start looking.
schema:
type: integer
format: int64
responses:
200:
description: A list of clients.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/oAuth2Client'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
post:
tags:
- admin
summary: Create an OAuth 2.0 Client
description: |-
Create a new OAuth 2.0 client If you pass `client_secret` the secret will be used, otherwise a random secret will be generated. The secret will be returned in the response and you will not be able to retrieve it later on. Write the secret down and keep it somwhere safe.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
operationId: createOAuth2Client
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
required: true
responses:
201:
description: oAuth2Client
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
409:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/clients/{id}:
get:
tags:
- admin
summary: Get an OAuth 2.0 Client.
description: |-
Get an OAUth 2.0 client by its ID. This endpoint never returns passwords.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
operationId: getOAuth2Client
parameters:
- name: id
in: path
description: The id of the OAuth 2.0 Client.
required: true
schema:
type: string
responses:
200:
description: oAuth2Client
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
put:
tags:
- admin
summary: Update an OAuth 2.0 Client
description: |-
Update an existing OAuth 2.0 Client. If you pass `client_secret` the secret will be updated and returned via the API. This is the only time you will be able to retrieve the client secret, so write it down and keep it safe.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
operationId: updateOAuth2Client
parameters:
- name: id
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
required: true
responses:
200:
description: oAuth2Client
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
delete:
tags:
- admin
summary: Deletes an OAuth 2.0 Client
description: |-
Delete an existing OAuth 2.0 Client by its ID.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
operationId: deleteOAuth2Client
parameters:
- name: id
in: path
description: The id of the OAuth 2.0 Client.
required: true
schema:
type: string
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/health/alive:
get:
tags:
- admin
summary: Check Alive Status
description: |-
This endpoint returns a 200 status code when the HTTP server is up running.
This status does currently not include checks whether the database connection is working.
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
Be aware that if you are running multiple nodes of this service, the health status will never
refer to the cluster state, only to a single instance.
operationId: isInstanceAlive
responses:
200:
description: healthStatus
content:
application/json:
schema:
$ref: '#/components/schemas/healthStatus'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/health/ready:
get:
tags:
- public
summary: Check Readiness Status
description: |-
This endpoint returns a 200 status code when the HTTP server is up running and the environment dependencies (e.g.
the database) are responsive as well.
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
Be aware that if you are running multiple nodes of this service, the health status will never
refer to the cluster state, only to a single instance.
operationId: isInstanceReady
responses:
200:
description: healthStatus
content:
application/json:
schema:
$ref: '#/components/schemas/healthStatus'
503:
description: healthNotReadyStatus
content:
application/json:
schema:
$ref: '#/components/schemas/healthNotReadyStatus'
/keys/{set}:
get:
tags:
- admin
summary: Retrieve a JSON Web Key Set
description: |-
This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: getJsonWebKeySet
parameters:
- name: set
in: path
description: The set
required: true
schema:
type: string
responses:
200:
description: JSONWebKeySet
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKeySet'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
403:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
put:
tags:
- admin
summary: Update a JSON Web Key Set
description: |-
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: updateJsonWebKeySet
parameters:
- name: set
in: path
description: The set
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKeySet'
required: false
responses:
200:
description: JSONWebKeySet
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKeySet'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
403:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
post:
tags:
- admin
summary: Generate a New JSON Web Key
description: |-
This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: createJsonWebKeySet
parameters:
- name: set
in: path
description: The set
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySetGeneratorRequest'
required: false
responses:
201:
description: JSONWebKeySet
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKeySet'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
403:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
delete:
tags:
- admin
summary: Delete a JSON Web Key Set
description: |-
Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: deleteJsonWebKeySet
parameters:
- name: set
in: path
description: The set
required: true
schema:
type: string
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
403:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/keys/{set}/{kid}:
get:
tags:
- admin
summary: Fetch a JSON Web Key
description: This endpoint returns a singular JSON Web Key, identified by the
set and the specific key ID (kid).
operationId: getJsonWebKey
parameters:
- name: kid
in: path
description: The kid of the desired key
required: true
schema:
type: string
- name: set
in: path
description: The set
required: true
schema:
type: string
responses:
200:
description: JSONWebKeySet
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKeySet'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
put:
tags:
- admin
summary: Update a JSON Web Key
description: |-
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: updateJsonWebKey
parameters:
- name: kid
in: path
description: The kid of the desired key
required: true
schema:
type: string
- name: set
in: path
description: The set
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKey'
required: false
responses:
200:
description: JSONWebKey
content:
application/json:
schema:
$ref: '#/components/schemas/JSONWebKey'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
403:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
delete:
tags:
- admin
summary: Delete a JSON Web Key
description: |-
Use this endpoint to delete a single JSON Web Key.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: deleteJsonWebKey
parameters:
- name: kid
in: path
description: The kid of the desired key
required: true
schema:
type: string
- name: set
in: path
description: The set
required: true
schema:
type: string
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
403:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/metrics/prometheus:
get:
tags:
- admin
summary: Get Snapshot Metrics from the Hydra Service.
description: |-
If you're using k8s, you can then add annotations to your deployment like so:
```
metadata:
annotations:
prometheus.io/port: "4445"
prometheus.io/path: "/metrics/prometheus"
```
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
operationId: prometheus
responses:
200:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
/oauth2/auth:
get:
tags:
- public
summary: The OAuth 2.0 Authorize Endpoint
description: |-
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows.
OAuth2 is a very popular protocol and a library for your programming language will exists.
To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
operationId: oauthAuth
responses:
302:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/auth/requests/consent:
get:
tags:
- admin
summary: Get Consent Request Information
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider
to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if
the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to
grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted
or rejected the request.
operationId: getConsentRequest
parameters:
- name: consent_challenge
in: query
required: true
schema:
type: string
responses:
200:
description: consentRequest
content:
application/json:
schema:
$ref: '#/components/schemas/consentRequest'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
409:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/auth/requests/consent/accept:
put:
tags:
- admin
summary: Accept a Consent Request
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider
to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if
the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to
grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted
or rejected the request.
This endpoint tells ORY Hydra that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf.
The consent provider includes additional information, such as session data for access and ID tokens, and if the
consent request should be used as basis for future requests.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
operationId: acceptConsentRequest
parameters:
- name: consent_challenge
in: query
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/acceptConsentRequest'
required: false
responses:
200:
description: completedRequest
content:
application/json:
schema:
$ref: '#/components/schemas/completedRequest'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/oauth2/auth/requests/consent/reject:
put:
tags:
- admin
summary: Reject a Consent Request
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider
to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if
the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to
grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted
or rejected the request.
This endpoint tells ORY Hydra that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf.
The consent provider must include a reason why the consent was not granted.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
operationId: rejectConsentRequest
parameters:
- name: consent_challenge
in: query
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/rejectRequest'
required: false
responses:
200:
description: completedRequest
content:
application/json:
schema:
$ref: '#/components/schemas/completedRequest'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/oauth2/auth/requests/login:
get:
tags:
- admin
summary: Get a Login Request
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider
(sometimes called "identity provider") to authenticate the subject and then tell ORY Hydra now about it. The login
provider is an web-app you write and host, and it must be able to authenticate ("show the subject a login screen")
a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
operationId: getLoginRequest
parameters:
- name: login_challenge
in: query
required: true
schema:
type: string
responses:
200:
description: loginRequest
content:
application/json:
schema:
$ref: '#/components/schemas/loginRequest'
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
409:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/auth/requests/login/accept:
put:
tags:
- admin
summary: Accept a Login Request
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider
(sometimes called "identity provider") to authenticate the subject and then tell ORY Hydra now about it. The login
provider is an web-app you write and host, and it must be able to authenticate ("show the subject a login screen")
a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
This endpoint tells ORY Hydra that the subject has successfully authenticated and includes additional information such as
the subject's ID and if ORY Hydra should remember the subject's subject agent for future authentication attempts by setting
a cookie.
The response contains a redirect URL which the login provider should redirect the user-agent to.
operationId: acceptLoginRequest
parameters:
- name: login_challenge
in: query
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/acceptLoginRequest'
required: false
responses:
200:
description: completedRequest
content:
application/json:
schema:
$ref: '#/components/schemas/completedRequest'
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/oauth2/auth/requests/login/reject:
put:
tags:
- admin
summary: Reject a Login Request
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider
(sometimes called "identity provider") to authenticate the subject and then tell ORY Hydra now about it. The login
provider is an web-app you write and host, and it must be able to authenticate ("show the subject a login screen")
a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
This endpoint tells ORY Hydra that the subject has not authenticated and includes a reason why the authentication
was be denied.
The response contains a redirect URL which the login provider should redirect the user-agent to.
operationId: rejectLoginRequest
parameters:
- name: login_challenge
in: query
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/rejectRequest'
required: false
responses:
200:
description: completedRequest
content:
application/json:
schema:
$ref: '#/components/schemas/completedRequest'
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/oauth2/auth/requests/logout:
get:
tags:
- admin
summary: Get a Logout Request
description: Use this endpoint to fetch a logout request.
operationId: getLogoutRequest
parameters:
- name: logout_challenge
in: query
required: true
schema:
type: string
responses:
200:
description: logoutRequest
content:
application/json:
schema:
$ref: '#/components/schemas/logoutRequest'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/auth/requests/logout/accept:
put:
tags:
- admin
summary: Accept a Logout Request
description: |-
When a user or an application requests ORY Hydra to log out a user, this endpoint is used to confirm that logout request.
No body is required.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
operationId: acceptLogoutRequest
parameters:
- name: logout_challenge
in: query
required: true
schema:
type: string
responses:
200:
description: completedRequest
content:
application/json:
schema:
$ref: '#/components/schemas/completedRequest'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/auth/requests/logout/reject:
put:
tags:
- admin
summary: Reject a Logout Request
description: |-
When a user or an application requests ORY Hydra to log out a user, this endpoint is used to deny that logout request.
No body is required.
The response is empty as the logout provider has to chose what action to perform next.
operationId: rejectLogoutRequest
parameters:
- name: logout_challenge
in: query
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/rejectRequest'
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/rejectRequest'
required: false
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/oauth2/auth/sessions/consent:
get:
tags:
- admin
summary: Lists All Consent Sessions of a Subject
description: |-
This endpoint lists all subject's granted consent sessions, including client and granted scope.
If the subject is unknown or has not granted any consent sessions yet, the endpoint returns an
empty JSON array with status code 200 OK.
The "Link" header is also included in successful responses, which contains one or more links for pagination, formatted like so: '<https://hydra-url/admin/oauth2/auth/sessions/consent?subject={user}&limit={limit}&offset={offset}>; rel="{page}"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'.
Multiple links can be included in this header, and will be separated by a comma.
operationId: listSubjectConsentSessions
parameters:
- name: subject
in: query
required: true
schema:
type: string
responses:
200:
description: A list of used consent requests.
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/PreviousConsentSession'
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
delete:
tags:
- admin
summary: Revokes Consent Sessions of a Subject for a Specific OAuth 2.0 Client
description: |-
This endpoint revokes a subject's granted consent sessions for a specific OAuth 2.0 Client and invalidates all
associated OAuth 2.0 Access Tokens.
operationId: revokeConsentSessions
parameters:
- name: subject
in: query
description: The subject (Subject) who's consent sessions should be deleted.
required: true
schema:
type: string
- name: client
in: query
description: If set, deletes only those consent sessions by the Subject that
have been granted to the specified OAuth 2.0 Client ID
schema:
type: string
- name: all
in: query
description: If set to `?all=true`, deletes all consent sessions by the Subject
that have been granted.
schema:
type: boolean
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/auth/sessions/login:
delete:
tags:
- admin
summary: |-
Invalidates All Login Sessions of a Certain User
Invalidates a Subject's Authentication Session
description: |-
This endpoint invalidates a subject's authentication session. After revoking the authentication session, the subject
has to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens and does not work with OpenID Connect
Front- or Back-channel logout.
operationId: revokeAuthenticationSession
parameters:
- name: subject
in: query
required: true
schema:
type: string
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
404:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/flush:
post:
tags:
- admin
summary: Flush Expired OAuth2 Access Tokens
description: |-
This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be
not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted
automatically when performing the refresh flow.
operationId: flushInactiveOAuth2Tokens
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/flushInactiveOAuth2TokensRequest'
required: false
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
x-codegen-request-body-name: Body
/oauth2/introspect:
post:
tags:
- admin
summary: Introspect OAuth2 Tokens
description: |-
The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token
is neither expired nor revoked. If a token is active, additional information on the token will be included. You can
set additional data for a token by setting `accessTokenExtra` during the consent flow.
For more information [read this blog post](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/).
operationId: introspectOAuth2Token
requestBody:
content:
application/x-www-form-urlencoded:
schema:
required:
- token
properties:
token:
type: string
description: |-
The string value of the token. For access tokens, this
is the "access_token" value returned from the token endpoint
defined in OAuth 2.0. For refresh tokens, this is the "refresh_token"
value returned.
scope:
type: string
description: |-
An optional, space separated list of required scopes. If the access token was not granted one of the
scopes, the result of active will be false.
required: true
responses:
200:
description: oAuth2TokenIntrospection
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2TokenIntrospection'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/oauth2/revoke:
post:
tags:
- public
summary: Revoke OAuth2 Tokens
description: |-
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no
longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.
Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by
the client the token was generated for.
operationId: revokeOAuth2Token
requestBody:
content:
application/x-www-form-urlencoded:
schema:
required:
- token
properties:
token:
type: string
required: true
responses:
200:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
security:
- basic: []
- oauth2: []
/oauth2/sessions/logout:
get:
tags:
- public
summary: OpenID Connect Front-Backchannel Enabled Logout
description: |-
This endpoint initiates and completes user logout at ORY Hydra and initiates OpenID Connect Front-/Back-channel logout:
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html
operationId: disconnectUser
responses:
302:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
/oauth2/token:
post:
tags:
- public
summary: The OAuth 2.0 Token Endpoint
description: |-
The client makes a request to the token endpoint by sending the
following parameters using the "application/x-www-form-urlencoded" HTTP
request entity-body.
> Do not implement a client for this endpoint yourself. Use a library. There are many libraries
> available for any programming language. You can find a list of libraries here: https://oauth.net/code/
>
> Do note that Hydra SDK does not implement this endpoint properly. Use one of the libraries listed above!
operationId: oauth2Token
requestBody:
content:
application/x-www-form-urlencoded:
schema:
required:
- grant_type
properties:
grant_type:
type: string
code:
type: string
refresh_token:
type: string
redirect_uri:
type: string
client_id:
type: string
required: true
responses:
200:
description: oauth2TokenResponse
content:
application/json:
schema:
$ref: '#/components/schemas/oauth2TokenResponse'
400:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
security:
- basic: []
- oauth2: []
/oauth2/tokens:
delete:
tags:
- admin
summary: Delete OAuth2 Access Tokens from a Client
description: This endpoint deletes OAuth2 access tokens issued for a client
from the database
operationId: deleteOAuth2Token
parameters:
- name: client_id
in: query
required: true
schema:
type: string
responses:
204:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
content: {}
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
/userinfo:
get:
tags:
- public
summary: OpenID Connect Userinfo
description: |-
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of
the provided OAuth 2.0 Access Token.
For more information please [refer to the spec](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
operationId: userinfo
responses:
200:
description: userinfoResponse
content:
application/json:
schema:
$ref: '#/components/schemas/userinfoResponse'
401:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
500:
description: genericError
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
security:
- oauth2: []
/version:
get:
tags:
- admin
summary: Get Service Version
description: |-
This endpoint returns the service version typically notated using semantic versioning.
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
operationId: getVersion
responses:
200:
description: version
content:
application/json:
schema:
$ref: '#/components/schemas/version'
components:
schemas:
ContainerWaitOKBodyError:
type: object
properties:
Message:
type: string
description: Details of an error
description: ContainerWaitOKBodyError container waiting error, if any
JSONRawMessage:
#title: JSONRawMessage represents a json.RawMessage that works well with JSON,
# SQL, and Swagger.
type: object
JSONWebKey:
required:
- alg
- kid
- kty
- use
type: object
properties:
alg:
type: string
description: |-
The "alg" (algorithm) parameter identifies the algorithm intended for
use with the key. The values used should either be registered in the
IANA "JSON Web Signature and Encryption Algorithms" registry
established by [JWA] or be a value that contains a Collision-
Resistant Name.
example: RS256
crv:
type: string
example: P-256
d:
type: string
example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
dp:
type: string
example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
dq:
type: string
example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
e:
type: string
example: AQAB
k:
type: string
example: GawgguFyGrWKav7AX4VKUg
kid:
type: string
description: |-
The "kid" (key ID) parameter is used to match a specific key. This
is used, for instance, to choose among a set of keys within a JWK Set
during key rollover. The structure of the "kid" value is
unspecified. When "kid" values are used within a JWK Set, different
keys within the JWK Set SHOULD use distinct "kid" values. (One
example in which different keys might use the same "kid" value is if
they have different "kty" (key type) values but are considered to be
equivalent alternatives by the application using them.) The "kid"
value is a case-sensitive string.
example: 1603dfe0af8f4596
kty:
type: string
description: |-
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key, such as "RSA" or "EC". "kty" values should
either be registered in the IANA "JSON Web Key Types" registry
established by [JWA] or be a value that contains a Collision-
Resistant Name. The "kty" value is a case-sensitive string.
example: RSA
n:
type: string
example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
p:
type: string
example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
q:
type: string
example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
qi:
type: string
example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
use:
type: string
description: |-
Use ("public key use") identifies the intended use of
the public key. The "use" parameter is employed to indicate whether
a public key is used for encrypting data or verifying the signature
on data. Values are commonly "sig" (signature) or "enc" (encryption).
example: sig
x:
type: string
example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
x5c:
type: array
description: |-
The "x5c" (X.509 certificate chain) parameter contains a chain of one
or more PKIX certificates [RFC5280]. The certificate chain is
represented as a JSON array of certificate value strings. Each
string in the array is a base64-encoded (Section 4 of [RFC4648] --
not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
The PKIX certificate containing the key value MUST be the first
certificate.
items:
type: string
y:
type: string
example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
description: |-
It is important that this model object is named JSONWebKey for
"swagger generate spec" to generate only on definition of a
JSONWebKey.
JSONWebKeySet:
type: object
properties:
keys:
type: array
description: |-
The value of the "keys" parameter is an array of JWK values. By
default, the order of the JWK values within the array does not imply
an order of preference among them, although applications of JWK Sets
can choose to assign a meaning to the order for their purposes, if
desired.
items:
$ref: '#/components/schemas/JSONWebKey'
description: |-
It is important that this model object is named JSONWebKeySet for
"swagger generate spec" to generate only on definition of a
JSONWebKeySet. Since one with the same name is previously defined as
client.Client.JSONWebKeys and this one is last, this one will be
effectively written in the swagger spec.
JoseJSONWebKeySet:
type: object
NullTime:
#title: NullTime implements sql.NullTime functionality.
type: string
format: date-time
PluginConfig:
#title: PluginConfig The config of a plugin.
required:
- Args
- Description
- Documentation
- Entrypoint
- Env
- Interface
- IpcHost
- Linux
- Mounts
- Network
- PidHost
- PropagatedMount
- WorkDir
type: object
properties:
Args:
$ref: '#/components/schemas/PluginConfigArgs'
Description:
type: string
description: description
DockerVersion:
type: string
description: Docker Version used to create the plugin
Documentation:
type: string
description: documentation
Entrypoint:
type: array
description: entrypoint
items:
type: string
Env:
type: array
description: env
items:
$ref: '#/components/schemas/PluginEnv'
Interface:
$ref: '#/components/schemas/PluginConfigInterface'
IpcHost:
type: boolean
description: ipc host
Linux:
$ref: '#/components/schemas/PluginConfigLinux'
Mounts:
type: array
description: mounts
items:
$ref: '#/components/schemas/PluginMount'
Network:
$ref: '#/components/schemas/PluginConfigNetwork'
PidHost:
type: boolean
description: pid host
PropagatedMount:
type: string
description: propagated mount
User:
$ref: '#/components/schemas/PluginConfigUser'
WorkDir:
type: string
description: work dir
rootfs:
$ref: '#/components/schemas/PluginConfigRootfs'
PluginConfigArgs:
required:
- Description
- Name
- Settable
- Value
type: object
properties:
Description:
type: string
description: description
Name:
type: string
description: name
Settable:
type: array
description: settable
items:
type: string
Value:
type: array
description: value
items:
type: string
description: PluginConfigArgs plugin config args
PluginConfigInterface:
required:
- Socket
- Types
type: object
properties:
Socket:
type: string
description: socket
Types:
type: array
description: types
items:
$ref: '#/components/schemas/PluginInterfaceType'
description: PluginConfigInterface The interface between Docker and the plugin
PluginConfigLinux:
required:
- AllowAllDevices
- Capabilities
- Devices
type: object
properties:
AllowAllDevices:
type: boolean
description: allow all devices
Capabilities:
type: array
description: capabilities
items:
type: string
Devices:
type: array
description: devices
items:
$ref: '#/components/schemas/PluginDevice'
description: PluginConfigLinux plugin config linux
PluginConfigNetwork:
required:
- Type
type: object
properties:
Type:
type: string
description: type
description: PluginConfigNetwork plugin config network
PluginConfigRootfs:
type: object
properties:
diff_ids:
type: array
description: diff ids
items:
type: string
type:
type: string
description: type
description: PluginConfigRootfs plugin config rootfs
PluginConfigUser:
type: object
properties:
GID:
type: integer
description: g ID
format: uint32
UID:
type: integer
description: UID
format: uint32
description: PluginConfigUser plugin config user
PluginDevice:
required:
- Description
- Name
- Path
- Settable
type: object
properties:
Description:
type: string
description: description
Name:
type: string
description: name
Path:
type: string
description: path
Settable:
type: array
description: settable
items:
type: string
description: PluginDevice plugin device
PluginEnv:
required:
- Description
- Name
- Settable
- Value
type: object
properties:
Description:
type: string
description: description
Name:
type: string
description: name
Settable:
type: array
description: settable
items:
type: string
Value:
type: string
description: value
description: PluginEnv plugin env
PluginInterfaceType:
required:
- Capability
- Prefix
- Version
type: object
properties:
Capability:
type: string
description: capability
Prefix:
type: string
description: prefix
Version:
type: string
description: version
description: PluginInterfaceType plugin interface type
PluginMount:
required:
- Description
- Destination
- Name
- Options
- Settable
- Source
- Type
type: object
properties:
Description:
type: string
description: description
Destination:
type: string
description: destination
Name:
type: string
description: name
Options:
type: array
description: options
items:
type: string
Settable:
type: array
description: settable
items:
type: string
Source:
type: string
description: source
Type:
type: string
description: type
description: PluginMount plugin mount
PluginSettings:
#title: PluginSettings Settings that can be modified by users.
required:
- Args
- Devices
- Env
- Mounts
type: object
properties:
Args:
type: array
description: args
items:
type: string
Devices:
type: array
description: devices
items:
$ref: '#/components/schemas/PluginDevice'
Env:
type: array
description: env
items:
type: string
Mounts:
type: array
description: mounts
items:
$ref: '#/components/schemas/PluginMount'
PreviousConsentSession:
type: object
properties:
consent_request:
$ref: '#/components/schemas/consentRequest'
grant_access_token_audience:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
grant_scope:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
handled_at:
$ref: '#/components/schemas/NullTime'
remember:
type: boolean
description: |-
Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
client asks the same user for the same, or a subset of, scope.
remember_for:
type: integer
description: |-
RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
authorization will be remembered indefinitely.
format: int64
session:
$ref: '#/components/schemas/consentRequestSession'
description: |-
The response used to return used consent requests
same as HandledLoginRequest, just with consent_request exposed as json
StringSlicePipeDelimiter:
#title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string.
type: array
items:
type: string
VolumeUsageData:
required:
- RefCount
- Size
type: object
properties:
RefCount:
type: integer
description: |-
The number of containers referencing this volume. This field
is set to `-1` if the reference-count is not available.
format: int64
Size:
type: integer
description: |-
Amount of disk space used by the volume (in bytes). This information
is only available for volumes created with the `"local"` volume
driver. For volumes created with other volume drivers, this field
is set to `-1` ("not available")
format: int64
description: |-
VolumeUsageData Usage details about the volume. This information is used by the
`GET /system/df` endpoint, and omitted in other endpoints.
acceptConsentRequest:
#title: The request payload used to accept a consent request.
type: object
properties:
grant_access_token_audience:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
grant_scope:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
handled_at:
$ref: '#/components/schemas/NullTime'
remember:
type: boolean
description: |-
Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
client asks the same user for the same, or a subset of, scope.
remember_for:
type: integer
description: |-
RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
authorization will be remembered indefinitely.
format: int64
session:
$ref: '#/components/schemas/consentRequestSession'
acceptLoginRequest:
#title: HandledLoginRequest is the request payload used to accept a login request.
required:
- subject
type: object
properties:
acr:
type: string
description: |-
ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
to express that, for example, a user authenticated using two factor authentication.
context:
$ref: '#/components/schemas/JSONRawMessage'
force_subject_identifier:
type: string
description: |-
ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the
(Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID
Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client.
Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the
sub claim in the OAuth 2.0 Introspection.
Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself
you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in
ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's
configuration).
Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies
that you have to compute this value on every authentication process (probably depending on the client ID or some
other unique value).
If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.
remember:
type: boolean
description: |-
Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store
a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she
will not be asked to log in again.
remember_for:
type: integer
description: |-
RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the
authorization will be remembered for the duration of the browser session (using a session cookie).
format: int64
subject:
type: string
description: Subject is the user ID of the end-user that authenticated.
completedRequest:
#title: The response payload sent when accepting or rejecting a login or consent
# request.
required:
- redirect_to
type: object
properties:
redirect_to:
type: string
description: RedirectURL is the URL which you should redirect the user to
once the authentication process is completed.
consentRequest:
#title: Contains information on an ongoing consent request.
required:
- challenge
type: object
properties:
acr:
type: string
description: |-
ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
to express that, for example, a user authenticated using two factor authentication.
challenge:
type: string
description: |-
ID is the identifier ("authorization challenge") of the consent authorization request. It is used to
identify the session.
client:
$ref: '#/components/schemas/oAuth2Client'
context:
$ref: '#/components/schemas/JSONRawMessage'
login_challenge:
type: string
description: |-
LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate
a login and consent request in the login & consent app.
login_session_id:
type: string
description: |-
LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
channel logout. It's value can generally be used to associate consecutive login requests by a certain user.
oidc_context:
$ref: '#/components/schemas/openIDConnectContext'
request_url:
type: string
description: |-
RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
might come in handy if you want to deal with additional request parameters.
requested_access_token_audience:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
requested_scope:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
skip:
type: boolean
description: |-
Skip, if true, implies that the client has requested the same scopes from the same user previously.
If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the
consent request using the usual API call.
subject:
type: string
description: |-
Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
requested by the OAuth 2.0 client.
consentRequestSession:
#title: Used to pass session data to a consent request.
type: object
properties:
access_token:
type: object
properties: {}
description: |-
AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the
refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.
If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties
can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!
id_token:
type: object
properties: {}
description: |-
IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable
by anyone that has access to the ID Challenge. Use with care!
flushInactiveOAuth2TokensRequest:
type: object
properties:
notAfter:
type: string
description: |-
NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history
of recently issued tokens for auditing.
format: date-time
genericError:
#title: Error response
required:
- error
type: object
properties:
debug:
type: string
description: Debug contains debug information. This is usually not available
and has to be enabled.
example: The database adapter was unable to find the element
error:
type: string
description: Name is the error name.
example: The requested resource could not be found
error_description:
type: string
description: Description contains further information on the nature of the
error.
example: Object with ID 12345 does not exist
status_code:
type: integer
description: Code represents the error status code (404, 403, 401, ...).
format: int64
example: 404
description: Error responses are sent when an error (e.g. unauthorized, bad
request, ...) occurred.
healthNotReadyStatus:
type: object
properties:
errors:
type: object
additionalProperties:
type: string
description: Errors contains a list of errors that caused the not ready
status.
healthStatus:
type: object
properties:
status:
type: string
description: Status always contains "ok".
jsonWebKeySetGeneratorRequest:
required:
- alg
- kid
- use
type: object
properties:
alg:
type: string
description: The algorithm to be used for creating the key. Supports "RS256",
"ES512", "HS512", and "HS256"
kid:
type: string
description: The kid of the key to be created
use:
type: string
description: |-
The "use" (public key use) parameter identifies the intended use of
the public key. The "use" parameter is employed to indicate whether
a public key is used for encrypting data or verifying the signature
on data. Valid values are "enc" and "sig".
loginRequest:
#title: Contains information on an ongoing login request.
required:
- challenge
- client
- request_url
- requested_access_token_audience
- requested_scope
- skip
- subject
type: object
properties:
challenge:
type: string
description: |-
ID is the identifier ("login challenge") of the login request. It is used to
identify the session.
client:
$ref: '#/components/schemas/oAuth2Client'
oidc_context:
$ref: '#/components/schemas/openIDConnectContext'
request_url:
type: string
description: |-
RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
might come in handy if you want to deal with additional request parameters.
requested_access_token_audience:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
requested_scope:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
session_id:
type: string
description: |-
SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
channel logout. It's value can generally be used to associate consecutive login requests by a certain user.
skip:
type: boolean
description: |-
Skip, if true, implies that the client has requested the same scopes from the same user previously.
If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.
This feature allows you to update / set session information.
subject:
type: string
description: |-
Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type
when accepting the login request, or the request will fail.
logoutRequest:
#title: Contains information about an ongoing logout request.
type: object
properties:
request_url:
type: string
description: RequestURL is the original Logout URL requested.
rp_initiated:
type: boolean
description: RPInitiated is set to true if the request was initiated by
a Relying Party (RP), also known as an OAuth 2.0 Client.
sid:
type: string
description: SessionID is the login session ID that was requested to log
out.
subject:
type: string
description: Subject is the user for whom the logout was request.
oAuth2Client:
#title: Client represents an OAuth 2.0 Client.
type: object
properties:
allowed_cors_origins:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
audience:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
backchannel_logout_session_required:
type: boolean
description: |-
Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout
Token to identify the RP session with the OP when the backchannel_logout_uri is used.
If omitted, the default value is false.
backchannel_logout_uri:
type: string
description: RP URL that will cause the RP to log itself out when sent a
Logout Token by the OP.
client_id:
type: string
description: ID is the id for this client.
client_name:
type: string
description: |-
Name is the human-readable string name of the client to be presented to the
end-user during authorization.
client_secret:
type: string
description: |-
Secret is the client's secret. The secret will be included in the create request as cleartext, and then
never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users
that they need to write the secret down as it will not be made available again.
client_secret_expires_at:
type: integer
description: |-
SecretExpiresAt is an integer holding the time at which the client
secret will expire or 0 if it will not expire. The time is
represented as the number of seconds from 1970-01-01T00:00:00Z as
measured in UTC until the date/time of expiration.
This feature is currently not supported and it's value will always
be set to 0.
format: int64
client_uri:
type: string
description: |-
ClientURI is an URL string of a web page providing information about the client.
If present, the server SHOULD display this URL to the end-user in
a clickable fashion.
contacts:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
created_at:
type: string
description: CreatedAt returns the timestamp of the client's creation.
format: date-time
frontchannel_logout_session_required:
type: boolean
description: |-
Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be
included to identify the RP session with the OP when the frontchannel_logout_uri is used.
If omitted, the default value is false.
frontchannel_logout_uri:
type: string
description: |-
RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query
parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the
request and to determine which of the potentially multiple sessions is to be logged out; if either is
included, both MUST be.
grant_types:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
jwks:
$ref: '#/components/schemas/JoseJSONWebKeySet'
jwks_uri:
type: string
description: |-
URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains
the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the
Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing
and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced
JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both
signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used
to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST
match those in the certificate.
logo_uri:
type: string
description: LogoURI is an URL string that references a logo for the client.
metadata:
$ref: '#/components/schemas/JSONRawMessage'
owner:
type: string
description: Owner is a string identifying the owner of the OAuth 2.0 Client.
policy_uri:
type: string
description: |-
PolicyURI is a URL string that points to a human-readable privacy policy document
that describes how the deployment organization collects, uses,
retains, and discloses personal data.
post_logout_redirect_uris:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
redirect_uris:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
request_object_signing_alg:
type: string
description: |-
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects
from this Client MUST be rejected, if not signed with this algorithm.
request_uris:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
response_types:
$ref: '#/components/schemas/StringSlicePipeDelimiter'
scope:
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
description: |-
Scope is a string containing a space-separated list of scope values (as
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
can use when requesting access tokens.
sector_identifier_uri:
type: string
description: |-
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a
file with a single JSON array of redirect_uri values.
subject_type:
type: string
description: |-
SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a
list of the supported subject_type values for this server. Valid types include `pairwise` and `public`.
token_endpoint_auth_method:
type: string
description: |-
Requested Client Authentication method for the Token Endpoint. The options are client_secret_post,
client_secret_basic, private_key_jwt, and none.
token_endpoint_auth_signing_alg:
type: string
description: Requested Client Authentication signing algorithm for the Token
Endpoint.
tos_uri:
type: string
description: |-
TermsOfServiceURI is a URL string that points to a human-readable terms of service
document for the client that describes a contractual relationship
between the end-user and the client that the end-user accepts when
authorizing the client.
updated_at:
type: string
description: UpdatedAt returns the timestamp of the last update.
format: date-time
userinfo_signed_response_alg:
type: string
description: |-
JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT
[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims
as a UTF-8 encoded JSON object using the application/json content-type.
oAuth2TokenIntrospection:
#title: 'Introspection contains an access token''s session data as specified
# by IETF RFC 7662, see:'
required:
- active
type: object
properties:
active:
type: boolean
description: |-
Active is a boolean indicator of whether or not the presented token
is currently active. The specifics of a token's "active" state
will vary depending on the implementation of the authorization
server and the information it keeps about its tokens, but a "true"
value return for the "active" property will generally indicate
that a given token has been issued by this authorization server,
has not been revoked by the resource owner, and is within its
given time window of validity (e.g., after its issuance time and
before its expiration time).
aud:
type: array
description: Audience contains a list of the token's intended audiences.
items:
type: string
client_id:
type: string
description: |-
ID is aclient identifier for the OAuth 2.0 client that
requested this token.
exp:
type: integer
description: |-
Expires at is an integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token will expire.
format: int64
ext:
type: object
properties: {}
description: Extra is arbitrary data set by the session.
iat:
type: integer
description: |-
Issued at is an integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token was
originally issued.
format: int64
iss:
type: string
description: IssuerURL is a string representing the issuer of this token
nbf:
type: integer
description: |-
NotBefore is an integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token is not to be
used before.
format: int64
obfuscated_subject:
type: string
description: |-
ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
It is the `sub` value of the ID Token that was issued.
scope:
type: string
description: |-
Scope is a JSON string containing a space-separated list of
scopes associated with this token.
sub:
type: string
description: |-
Subject of the token, as defined in JWT [RFC7519].
Usually a machine-readable identifier of the resource owner who
authorized this token.
token_type:
type: string
description: TokenType is the introspected token's type, typically `Bearer`.
token_use:
type: string
description: TokenUse is the introspected token's use, for example `access_token`
or `refresh_token`.
username:
type: string
description: |-
Username is a human-readable identifier for the resource owner who
authorized this token.
description: https://tools.ietf.org/html/rfc7662
oauth2TokenResponse:
type: object
properties:
access_token:
type: string
expires_in:
type: integer
format: int64
id_token:
type: string
refresh_token:
type: string
scope:
type: string
token_type:
type: string
description: The Access Token Response
openIDConnectContext:
#title: Contains optional information about the OpenID Connect request.
type: object
properties:
acr_values:
type: array
description: |-
ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.
It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.
OpenID Connect defines it as follows:
> Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values
that the Authorization Server is being requested to use for processing this Authentication Request, with the
values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication
performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a
Voluntary Claim by this parameter.
items:
type: string
display:
type: string
description: |-
Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
The defined values are:
page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.
id_token_hint_claims:
type: object
properties: {}
description: |-
IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the
End-User's current or past authenticated session with the Client.
login_hint:
type: string
description: |-
LoginHint hints about the login identifier the End-User might use to log in (if necessary).
This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)
and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a
phone number in the format specified for the phone_number Claim. The use of this parameter is optional.
ui_locales:
type: array
description: |-
UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
"fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation),
followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested
locales are not supported by the OpenID Provider.
items:
type: string
rejectRequest:
#title: The request payload used to accept a login or consent request.
type: object
properties:
error:
type: string
description: |-
The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).
Defaults to `request_denied`.
error_debug:
type: string
description: |-
Debug contains information to help resolve the problem as a developer. Usually not exposed
to the public but only in the server logs.
error_description:
type: string
description: Description of the error in a human readable format.
error_hint:
type: string
description: Hint to help resolve the error.
status_code:
type: integer
description: |-
Represents the HTTP status code of the error (e.g. 401 or 403)
Defaults to 400
format: int64
userinfoResponse:
type: object
properties:
birthdate:
type: string
description: End-User's birthday, represented as an ISO 8601:2004 [ISO86012004]
YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted.
To represent only the year, YYYY format is allowed. Note that depending
on the underlying platform's date related function, providing just year
can result in varying month and day, so the implementers need to take
this factor into account to correctly process the dates.
email:
type: string
description: End-User's preferred e-mail address. Its value MUST conform
to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon
this value being unique, as discussed in Section 5.7.
email_verified:
type: boolean
description: True if the End-User's e-mail address has been verified; otherwise
false. When this Claim Value is true, this means that the OP took affirmative
steps to ensure that this e-mail address was controlled by the End-User
at the time the verification was performed. The means by which an e-mail
address is verified is context-specific, and dependent upon the trust
framework or contractual agreements within which the parties are operating.
family_name:
type: string
description: Surname(s) or last name(s) of the End-User. Note that in some
cultures, people can have multiple family names or no family name; all
can be present, with the names being separated by space characters.
gender:
type: string
description: End-User's gender. Values defined by this specification are
female and male. Other values MAY be used when neither of the defined
values are applicable.
given_name:
type: string
description: Given name(s) or first name(s) of the End-User. Note that in
some cultures, people can have multiple given names; all can be present,
with the names being separated by space characters.
locale:
type: string
description: End-User's locale, represented as a BCP47 [RFC5646] language
tag. This is typically an ISO 639-1 Alpha-2 [ISO6391] language code in
lowercase and an ISO 3166-1 Alpha-2 [ISO31661] country code in uppercase,
separated by a dash. For example, en-US or fr-CA. As a compatibility note,
some implementations have used an underscore as the separator rather than
a dash, for example, en_US; Relying Parties MAY choose to accept this
locale syntax as well.
middle_name:
type: string
description: Middle name(s) of the End-User. Note that in some cultures,
people can have multiple middle names; all can be present, with the names
being separated by space characters. Also note that in some cultures,
middle names are not used.
name:
type: string
description: End-User's full name in displayable form including all name
parts, possibly including titles and suffixes, ordered according to the
End-User's locale and preferences.
nickname:
type: string
description: Casual name of the End-User that may or may not be the same
as the given_name. For instance, a nickname value of Mike might be returned
alongside a given_name value of Michael.
phone_number:
type: string
description: End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED
as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2)
687 2400. If the phone number contains an extension, it is RECOMMENDED
that the extension be represented using the RFC 3966 [RFC3966] extension
syntax, for example, +1 (604) 555-1234;ext=5678.
phone_number_verified:
type: boolean
description: True if the End-User's phone number has been verified; otherwise
false. When this Claim Value is true, this means that the OP took affirmative
steps to ensure that this phone number was controlled by the End-User
at the time the verification was performed. The means by which a phone
number is verified is context-specific, and dependent upon the trust framework
or contractual agreements within which the parties are operating. When
true, the phone_number Claim MUST be in E.164 format and any extensions
MUST be represented in RFC 3966 format.
picture:
type: string
description: URL of the End-User's profile picture. This URL MUST refer
to an image file (for example, a PNG, JPEG, or GIF image file), rather
than to a Web page containing an image. Note that this URL SHOULD specifically
reference a profile photo of the End-User suitable for displaying when
describing the End-User, rather than an arbitrary photo taken by the End-User.
preferred_username:
type: string
description: Non-unique shorthand name by which the End-User wishes to be
referred to at the RP, such as janedoe or j.doe. This value MAY be any
valid JSON string including special characters such as @, /, or whitespace.
profile:
type: string
description: URL of the End-User's profile page. The contents of this Web
page SHOULD be about the End-User.
sub:
type: string
description: Subject - Identifier for the End-User at the IssuerURL.
updated_at:
type: integer
description: Time the End-User's information was last updated. Its value
is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z
as measured in UTC until the date/time.
format: int64
website:
type: string
description: URL of the End-User's Web page or blog. This Web page SHOULD
contain information published by the End-User or an organization that
the End-User is affiliated with.
zoneinfo:
type: string
description: String from zoneinfo [zoneinfo] time zone database representing
the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
description: The userinfo response
version:
type: object
properties:
version:
type: string
description: Version is the service's version.
wellKnown:
#title: WellKnown represents important OpenID Connect discovery metadata
required:
- authorization_endpoint
- id_token_signing_alg_values_supported
- issuer
- jwks_uri
- response_types_supported
- subject_types_supported
- token_endpoint
type: object
properties:
authorization_endpoint:
type: string
description: URL of the OP's OAuth 2.0 Authorization Endpoint.
example: https://playground.ory.sh/ory-hydra/public/oauth2/auth
backchannel_logout_session_supported:
type: boolean
description: |-
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP
session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP
backchannel_logout_supported:
type: boolean
description: Boolean value specifying whether the OP supports back-channel
logout, with true indicating support.
claims_parameter_supported:
type: boolean
description: Boolean value specifying whether the OP supports use of the
claims parameter, with true indicating support.
claims_supported:
type: array
description: |-
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
items:
type: string
end_session_endpoint:
type: string
description: URL at the OP to which an RP can perform a redirect to request
that the End-User be logged out at the OP.
frontchannel_logout_session_supported:
type: boolean
description: |-
Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify
the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
included in ID Tokens issued by the OP.
frontchannel_logout_supported:
type: boolean
description: Boolean value specifying whether the OP supports HTTP-based
logout, with true indicating support.
grant_types_supported:
type: array
description: JSON array containing a list of the OAuth 2.0 Grant Type values
that this OP supports.
items:
type: string
id_token_signing_alg_values_supported:
type: array
description: |-
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
to encode the Claims in a JWT.
items:
type: string
issuer:
type: string
description: |-
URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.
If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.
example: https://playground.ory.sh/ory-hydra/public/
jwks_uri:
type: string
description: |-
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
example: https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json
registration_endpoint:
type: string
description: URL of the OP's Dynamic Client Registration Endpoint.
example: https://playground.ory.sh/ory-hydra/admin/client
request_object_signing_alg_values_supported:
type: array
description: |-
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,
which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when
the Request Object is passed by value (using the request parameter) and when it is passed by reference
(using the request_uri parameter).
items:
type: string
request_parameter_supported:
type: boolean
description: Boolean value specifying whether the OP supports use of the
request parameter, with true indicating support.
request_uri_parameter_supported:
type: boolean
description: Boolean value specifying whether the OP supports use of the
request_uri parameter, with true indicating support.
require_request_uri_registration:
type: boolean
description: |-
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered
using the request_uris registration parameter.
response_modes_supported:
type: array
description: JSON array containing a list of the OAuth 2.0 response_mode
values that this OP supports.
items:
type: string
response_types_supported:
type: array
description: |-
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
Providers MUST support the code, id_token, and the token id_token Response Type values.
items:
type: string
revocation_endpoint:
type: string
description: URL of the authorization server's OAuth 2.0 revocation endpoint.
scopes_supported:
type: array
description: |-
SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used
items:
type: string
subject_types_supported:
type: array
description: |-
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
pairwise and public.
items:
type: string
token_endpoint:
type: string
description: URL of the OP's OAuth 2.0 Token Endpoint
example: https://playground.ory.sh/ory-hydra/public/oauth2/token
token_endpoint_auth_methods_supported:
type: array
description: |-
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0
items:
type: string
userinfo_endpoint:
type: string
description: URL of the OP's UserInfo Endpoint.
userinfo_signing_alg_values_supported:
type: array
description: JSON array containing a list of the JWS [JWS] signing algorithms
(alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims
in a JWT [JWT].
items:
type: string
description: |-
It includes links to several endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms
among others.
securitySchemes:
basic:
type: http
scheme: basic
oauth2:
type: oauth2
flows:
authorizationCode:
authorizationUrl: https://hydra.demo.ory.sh/oauth2/auth
tokenUrl: https://hydra.demo.ory.sh/oauth2/token
scopes:
offline: A scope required when requesting refresh tokens (alias for `offline_access`)
offline_access: A scope required when requesting refresh tokens
openid: Request an OpenID Connect ID Token
x-forwarded-proto: string
x-request-id: string