Milliways
/
lenticular_cloud2
4
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
lenticular_cloud2/specs/hydra.yaml

3267 lines
133 KiB
YAML
Raw Permalink Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

components:
responses:
emptyResponse:
description: |-
Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
typically 201.
errorOAuth2BadRequest:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: Bad Request Error Response
errorOAuth2Default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: Default Error Response
errorOAuth2NotFound:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: Not Found Error Response
listOAuth2Clients:
content:
application/json:
schema:
items:
$ref: '#/components/schemas/oAuth2Client'
type: array
description: Paginated OAuth2 Client List Response
schemas:
JSONRawMessage:
title: JSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger.
NullBool:
nullable: true
type: boolean
NullDuration:
description: Specify a time duration in milliseconds, seconds, minutes, hours.
pattern: ^([0-9]+(ns|us|ms|s|m|h))*$
title: Time duration
type: string
NullInt:
nullable: true
type: integer
NullString:
nullable: true
type: string
NullTime:
format: date-time
nullable: true
type: string
NullUUID:
format: uuid4
nullable: true
type: string
StringSliceJSONFormat:
items:
type: string
title: StringSliceJSONFormat represents []string{} which is encoded to/from JSON for SQL storage.
type: array
Time:
format: date-time
type: string
UUID:
format: uuid4
type: string
acceptOAuth2ConsentRequest:
properties:
grant_access_token_audience:
$ref: '#/components/schemas/StringSliceJSONFormat'
grant_scope:
$ref: '#/components/schemas/StringSliceJSONFormat'
handled_at:
$ref: '#/components/schemas/nullTime'
remember:
description: |-
Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
client asks the same user for the same, or a subset of, scope.
type: boolean
remember_for:
description: |-
RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
authorization will be remembered indefinitely.
format: int64
type: integer
session:
$ref: '#/components/schemas/acceptOAuth2ConsentRequestSession'
title: The request payload used to accept a consent request.
type: object
acceptOAuth2ConsentRequestSession:
properties:
access_token:
description: |-
AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the
refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.
If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties
can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!
id_token:
description: |-
IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable
by anyone that has access to the ID Challenge. Use with care!
title: Pass session data to a consent request.
type: object
acceptOAuth2LoginRequest:
properties:
acr:
description: |-
ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
to express that, for example, a user authenticated using two factor authentication.
type: string
amr:
$ref: '#/components/schemas/StringSliceJSONFormat'
context:
$ref: '#/components/schemas/JSONRawMessage'
force_subject_identifier:
description: |-
ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the
(Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID
Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client.
Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the
sub claim in the OAuth 2.0 Introspection.
Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself
you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in
ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's
configuration).
Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies
that you have to compute this value on every authentication process (probably depending on the client ID or some
other unique value).
If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.
type: string
remember:
description: |-
Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store
a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she
will not be asked to log in again.
type: boolean
remember_for:
description: |-
RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the
authorization will be remembered for the duration of the browser session (using a session cookie).
format: int64
type: integer
subject:
description: Subject is the user ID of the end-user that authenticated.
type: string
required:
- subject
title: HandledLoginRequest is the request payload used to accept a login request.
type: object
createJsonWebKeySet:
description: Create JSON Web Key Set Request Body
properties:
alg:
description: |-
JSON Web Key Algorithm
The algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`.
type: string
kid:
description: |-
JSON Web Key ID
The Key ID of the key to be created.
type: string
use:
description: |-
JSON Web Key Use
The "use" (public key use) parameter identifies the intended use of
the public key. The "use" parameter is employed to indicate whether
a public key is used for encrypting data or verifying the signature
on data. Valid values are "enc" and "sig".
type: string
required:
- alg
- use
- kid
type: object
errorOAuth2:
description: Error
properties:
error:
description: Error
type: string
error_debug:
description: |-
Error Debug Information
Only available in dev mode.
type: string
error_description:
description: Error Description
type: string
error_hint:
description: |-
Error Hint
Helps the user identify the error cause.
example: The redirect URL is not allowed.
type: string
status_code:
description: HTTP Status Code
example: 401
format: int64
type: integer
type: object
genericError:
properties:
code:
description: The status code
example: 404
format: int64
type: integer
debug:
description: |-
Debug information
This field is often not exposed to protect against leaking
sensitive information.
example: SQL field "foo" is not a bool.
type: string
details:
description: Further error details
id:
description: |-
The error ID
Useful when trying to identify various errors in application logic.
type: string
message:
description: |-
Error message
The error's message.
example: The resource could not be found
type: string
reason:
description: A human-readable reason for the error
example: User with ID 1234 does not exist.
type: string
request:
description: |-
The request ID
The request ID is often exposed internally in order to trace
errors across service architectures. This is often a UUID.
example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
type: string
status:
description: The status description
example: Not Found
type: string
required:
- message
type: object
healthNotReadyStatus:
properties:
errors:
additionalProperties:
type: string
description: Errors contains a list of errors that caused the not ready status.
type: object
type: object
healthStatus:
properties:
status:
description: Status always contains "ok".
type: string
type: object
introspectedOAuth2Token:
description: |-
Introspection contains an access token's session data as specified by
[IETF RFC 7662](https://tools.ietf.org/html/rfc7662)
properties:
active:
description: |-
Active is a boolean indicator of whether or not the presented token
is currently active. The specifics of a token's "active" state
will vary depending on the implementation of the authorization
server and the information it keeps about its tokens, but a "true"
value return for the "active" property will generally indicate
that a given token has been issued by this authorization server,
has not been revoked by the resource owner, and is within its
given time window of validity (e.g., after its issuance time and
before its expiration time).
type: boolean
aud:
description: Audience contains a list of the token's intended audiences.
items:
type: string
type: array
client_id:
description: |-
ID is aclient identifier for the OAuth 2.0 client that
requested this token.
type: string
exp:
description: |-
Expires at is an integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token will expire.
format: int64
type: integer
ext:
additionalProperties: {}
description: Extra is arbitrary data set by the session.
type: object
iat:
description: |-
Issued at is an integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token was
originally issued.
format: int64
type: integer
iss:
description: IssuerURL is a string representing the issuer of this token
type: string
nbf:
description: |-
NotBefore is an integer timestamp, measured in the number of seconds
since January 1 1970 UTC, indicating when this token is not to be
used before.
format: int64
type: integer
obfuscated_subject:
description: |-
ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
It is the `sub` value of the ID Token that was issued.
type: string
scope:
description: |-
Scope is a JSON string containing a space-separated list of
scopes associated with this token.
type: string
sub:
description: |-
Subject of the token, as defined in JWT [RFC7519].
Usually a machine-readable identifier of the resource owner who
authorized this token.
type: string
token_type:
description: TokenType is the introspected token's type, typically `Bearer`.
type: string
token_use:
description: TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.
type: string
username:
description: |-
Username is a human-readable identifier for the resource owner who
authorized this token.
type: string
required:
- active
type: object
jsonPatch:
description: A JSONPatch document as defined by RFC 6902
properties:
from:
description: |-
This field is used together with operation "move" and uses JSON Pointer notation.
Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
example: /name
type: string
op:
description: The operation to be performed. One of "add", "remove", "replace", "move", "copy", or "test".
example: replace
type: string
path:
description: |-
The path to the target path. Uses JSON pointer notation.
Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
example: /name
type: string
value:
description: |-
The value to be used within the operations.
Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
example: foobar
required:
- op
- path
type: object
jsonPatchDocument:
description: A JSONPatchDocument request
items:
$ref: '#/components/schemas/jsonPatch'
type: array
jsonWebKey:
properties:
alg:
description: |-
The "alg" (algorithm) parameter identifies the algorithm intended for
use with the key. The values used should either be registered in the
IANA "JSON Web Signature and Encryption Algorithms" registry
established by [JWA] or be a value that contains a Collision-
Resistant Name.
example: RS256
type: string
crv:
example: P-256
type: string
d:
example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
type: string
dp:
example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
type: string
dq:
example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
type: string
e:
example: AQAB
type: string
k:
example: GawgguFyGrWKav7AX4VKUg
type: string
kid:
description: |-
The "kid" (key ID) parameter is used to match a specific key. This
is used, for instance, to choose among a set of keys within a JWK Set
during key rollover. The structure of the "kid" value is
unspecified. When "kid" values are used within a JWK Set, different
keys within the JWK Set SHOULD use distinct "kid" values. (One
example in which different keys might use the same "kid" value is if
they have different "kty" (key type) values but are considered to be
equivalent alternatives by the application using them.) The "kid"
value is a case-sensitive string.
example: 1603dfe0af8f4596
type: string
kty:
description: |-
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key, such as "RSA" or "EC". "kty" values should
either be registered in the IANA "JSON Web Key Types" registry
established by [JWA] or be a value that contains a Collision-
Resistant Name. The "kty" value is a case-sensitive string.
example: RSA
type: string
'n':
example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
type: string
p:
example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
type: string
q:
example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
type: string
qi:
example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
type: string
use:
description: |-
Use ("public key use") identifies the intended use of
the public key. The "use" parameter is employed to indicate whether
a public key is used for encrypting data or verifying the signature
on data. Values are commonly "sig" (signature) or "enc" (encryption).
example: sig
type: string
x:
example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
type: string
x5c:
description: |-
The "x5c" (X.509 certificate chain) parameter contains a chain of one
or more PKIX certificates [RFC5280]. The certificate chain is
represented as a JSON array of certificate value strings. Each
string in the array is a base64-encoded (Section 4 of [RFC4648] --
not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
The PKIX certificate containing the key value MUST be the first
certificate.
items:
type: string
type: array
'y':
example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
type: string
required:
- use
- kty
- kid
- alg
type: object
jsonWebKeySet:
description: JSON Web Key Set
properties:
keys:
description: |-
List of JSON Web Keys
The value of the "keys" parameter is an array of JSON Web Key (JWK)
values. By default, the order of the JWK values within the array does
not imply an order of preference among them, although applications
of JWK Sets can choose to assign a meaning to the order for their
purposes, if desired.
items:
$ref: '#/components/schemas/jsonWebKey'
type: array
type: object
nullDuration:
nullable: true
pattern: ^[0-9]+(ns|us|ms|s|m|h)$
type: string
nullInt64:
nullable: true
type: integer
nullTime:
format: date-time
title: NullTime implements sql.NullTime functionality.
type: string
oAuth2Client:
description: |-
OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
properties:
allowed_cors_origins:
$ref: '#/components/schemas/StringSliceJSONFormat'
audience:
$ref: '#/components/schemas/StringSliceJSONFormat'
authorization_code_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
authorization_code_grant_id_token_lifespan:
$ref: '#/components/schemas/NullDuration'
authorization_code_grant_refresh_token_lifespan:
$ref: '#/components/schemas/NullDuration'
backchannel_logout_session_required:
description: |-
OpenID Connect Back-Channel Logout Session Required
Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout
Token to identify the RP session with the OP when the backchannel_logout_uri is used.
If omitted, the default value is false.
type: boolean
backchannel_logout_uri:
description: |-
OpenID Connect Back-Channel Logout URI
RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
type: string
client_credentials_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
client_id:
description: |-
OAuth 2.0 Client ID
The ID is autogenerated and immutable.
type: string
client_name:
description: |-
OAuth 2.0 Client Name
The human-readable name of the client to be presented to the
end-user during authorization.
type: string
client_secret:
description: |-
OAuth 2.0 Client Secret
The secret will be included in the create request as cleartext, and then
never again. The secret is kept in hashed format and is not recoverable once lost.
type: string
client_secret_expires_at:
description: |-
OAuth 2.0 Client Secret Expires At
The field is currently not supported and its value is always 0.
format: int64
type: integer
client_uri:
description: |-
OAuth 2.0 Client URI
ClientURI is a URL string of a web page providing information about the client.
If present, the server SHOULD display this URL to the end-user in
a clickable fashion.
type: string
contacts:
$ref: '#/components/schemas/StringSliceJSONFormat'
created_at:
description: |-
OAuth 2.0 Client Creation Date
CreatedAt returns the timestamp of the client's creation.
format: date-time
type: string
frontchannel_logout_session_required:
description: |-
OpenID Connect Front-Channel Logout Session Required
Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be
included to identify the RP session with the OP when the frontchannel_logout_uri is used.
If omitted, the default value is false.
type: boolean
frontchannel_logout_uri:
description: |-
OpenID Connect Front-Channel Logout URI
RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query
parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the
request and to determine which of the potentially multiple sessions is to be logged out; if either is
included, both MUST be.
type: string
grant_types:
$ref: '#/components/schemas/StringSliceJSONFormat'
implicit_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
implicit_grant_id_token_lifespan:
$ref: '#/components/schemas/NullDuration'
jwks:
description: |-
OAuth 2.0 Client JSON Web Key Set
Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as
the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter
is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for
instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client
can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation
(which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks
parameters MUST NOT be used together.
jwks_uri:
description: |-
OAuth 2.0 Client JSON Web Key Set URL
URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains
the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the
Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing
and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced
JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both
signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used
to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST
match those in the certificate.
type: string
jwt_bearer_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
logo_uri:
description: |-
OAuth 2.0 Client Logo URI
A URL string referencing the client's logo.
type: string
metadata:
$ref: '#/components/schemas/JSONRawMessage'
owner:
description: |-
OAuth 2.0 Client Owner
Owner is a string identifying the owner of the OAuth 2.0 Client.
type: string
policy_uri:
description: |-
OAuth 2.0 Client Policy URI
PolicyURI is a URL string that points to a human-readable privacy policy document
that describes how the deployment organization collects, uses,
retains, and discloses personal data.
type: string
post_logout_redirect_uris:
$ref: '#/components/schemas/StringSliceJSONFormat'
redirect_uris:
$ref: '#/components/schemas/StringSliceJSONFormat'
refresh_token_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
refresh_token_grant_id_token_lifespan:
$ref: '#/components/schemas/NullDuration'
refresh_token_grant_refresh_token_lifespan:
$ref: '#/components/schemas/NullDuration'
registration_access_token:
description: |-
OpenID Connect Dynamic Client Registration Access Token
RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client
using Dynamic Client Registration.
type: string
registration_client_uri:
description: |-
OpenID Connect Dynamic Client Registration URL
RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.
type: string
request_object_signing_alg:
description: |-
OpenID Connect Request Object Signing Algorithm
JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects
from this Client MUST be rejected, if not signed with this algorithm.
type: string
request_uris:
$ref: '#/components/schemas/StringSliceJSONFormat'
response_types:
$ref: '#/components/schemas/StringSliceJSONFormat'
scope:
description: |-
OAuth 2.0 Client Scope
Scope is a string containing a space-separated list of scope values (as
described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
can use when requesting access tokens.
example: scope1 scope-2 scope.3 scope:4
type: string
sector_identifier_uri:
description: |-
OpenID Connect Sector Identifier URI
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a
file with a single JSON array of redirect_uri values.
type: string
subject_type:
description: |-
OpenID Connect Subject Type
The `subject_types_supported` Discovery parameter contains a
list of the supported subject_type values for this server. Valid types include `pairwise` and `public`.
type: string
token_endpoint_auth_method:
description: |-
OAuth 2.0 Token Endpoint Authentication Method
Requested Client Authentication method for the Token Endpoint. The options are:
`client_secret_post`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body.
`client_secret_basic`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header.
`private_key_jwt`: Use JSON Web Tokens to authenticate the client.
`none`: Used for public clients (native apps, mobile apps) which can not have secrets.
type: string
token_endpoint_auth_signing_alg:
description: |-
OAuth 2.0 Token Endpoint Signing Algorithm
Requested Client Authentication signing algorithm for the Token Endpoint.
type: string
tos_uri:
description: |-
OAuth 2.0 Client Terms of Service URI
A URL string pointing to a human-readable terms of service
document for the client that describes a contractual relationship
between the end-user and the client that the end-user accepts when
authorizing the client.
type: string
updated_at:
description: |-
OAuth 2.0 Client Last Update Date
UpdatedAt returns the timestamp of the last update.
format: date-time
type: string
userinfo_signed_response_alg:
description: |-
OpenID Connect Request Userinfo Signed Response Algorithm
JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT
[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims
as a UTF-8 encoded JSON object using the application/json content-type.
type: string
title: OAuth 2.0 Client
type: object
oAuth2ClientTokenLifespans:
description: Lifespans of different token types issued for this OAuth 2.0 Client.
properties:
authorization_code_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
authorization_code_grant_id_token_lifespan:
$ref: '#/components/schemas/NullDuration'
authorization_code_grant_refresh_token_lifespan:
$ref: '#/components/schemas/NullDuration'
client_credentials_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
implicit_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
implicit_grant_id_token_lifespan:
$ref: '#/components/schemas/NullDuration'
jwt_bearer_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
refresh_token_grant_access_token_lifespan:
$ref: '#/components/schemas/NullDuration'
refresh_token_grant_id_token_lifespan:
$ref: '#/components/schemas/NullDuration'
refresh_token_grant_refresh_token_lifespan:
$ref: '#/components/schemas/NullDuration'
title: OAuth 2.0 Client Token Lifespans
type: object
oAuth2ConsentRequest:
properties:
acr:
description: |-
ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
to express that, for example, a user authenticated using two factor authentication.
type: string
amr:
$ref: '#/components/schemas/StringSliceJSONFormat'
challenge:
description: |-
ID is the identifier ("authorization challenge") of the consent authorization request. It is used to
identify the session.
type: string
client:
$ref: '#/components/schemas/oAuth2Client'
context:
$ref: '#/components/schemas/JSONRawMessage'
login_challenge:
description: |-
LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate
a login and consent request in the login & consent app.
type: string
login_session_id:
description: |-
LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
channel logout. It's value can generally be used to associate consecutive login requests by a certain user.
type: string
oidc_context:
$ref: '#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext'
request_url:
description: |-
RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
might come in handy if you want to deal with additional request parameters.
type: string
requested_access_token_audience:
$ref: '#/components/schemas/StringSliceJSONFormat'
requested_scope:
$ref: '#/components/schemas/StringSliceJSONFormat'
skip:
description: |-
Skip, if true, implies that the client has requested the same scopes from the same user previously.
If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the
consent request using the usual API call.
type: boolean
subject:
description: |-
Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
requested by the OAuth 2.0 client.
type: string
required:
- challenge
title: Contains information on an ongoing consent request.
type: object
oAuth2ConsentRequestOpenIDConnectContext:
properties:
acr_values:
description: |-
ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.
It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.
OpenID Connect defines it as follows:
> Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values
that the Authorization Server is being requested to use for processing this Authentication Request, with the
values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication
performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a
Voluntary Claim by this parameter.
items:
type: string
type: array
display:
description: |-
Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
The defined values are:
page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.
type: string
id_token_hint_claims:
additionalProperties: {}
description: |-
IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the
End-User's current or past authenticated session with the Client.
type: object
login_hint:
description: |-
LoginHint hints about the login identifier the End-User might use to log in (if necessary).
This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)
and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a
phone number in the format specified for the phone_number Claim. The use of this parameter is optional.
type: string
ui_locales:
description: |-
UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
"fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation),
followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested
locales are not supported by the OpenID Provider.
items:
type: string
type: array
title: Contains optional information about the OpenID Connect request.
type: object
oAuth2ConsentSession:
description: A completed OAuth 2.0 Consent Session.
properties:
consent_request:
$ref: '#/components/schemas/oAuth2ConsentRequest'
expires_at:
properties:
access_token:
format: date-time
type: string
authorize_code:
format: date-time
type: string
id_token:
format: date-time
type: string
par_context:
format: date-time
type: string
refresh_token:
format: date-time
type: string
type: object
grant_access_token_audience:
$ref: '#/components/schemas/StringSliceJSONFormat'
grant_scope:
$ref: '#/components/schemas/StringSliceJSONFormat'
handled_at:
$ref: '#/components/schemas/nullTime'
remember:
description: |-
Remember Consent
Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
client asks the same user for the same, or a subset of, scope.
type: boolean
remember_for:
description: |-
Remember Consent For
RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
authorization will be remembered indefinitely.
format: int64
type: integer
session:
$ref: '#/components/schemas/acceptOAuth2ConsentRequestSession'
title: OAuth 2.0 Consent Session
type: object
oAuth2ConsentSessions:
description: List of OAuth 2.0 Consent Sessions
items:
$ref: '#/components/schemas/oAuth2ConsentSession'
type: array
oAuth2LoginRequest:
properties:
challenge:
description: |-
ID is the identifier ("login challenge") of the login request. It is used to
identify the session.
type: string
client:
$ref: '#/components/schemas/oAuth2Client'
oidc_context:
$ref: '#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext'
request_url:
description: |-
RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
might come in handy if you want to deal with additional request parameters.
type: string
requested_access_token_audience:
$ref: '#/components/schemas/StringSliceJSONFormat'
requested_scope:
$ref: '#/components/schemas/StringSliceJSONFormat'
session_id:
description: |-
SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
channel logout. It's value can generally be used to associate consecutive login requests by a certain user.
type: string
skip:
description: |-
Skip, if true, implies that the client has requested the same scopes from the same user previously.
If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.
This feature allows you to update / set session information.
type: boolean
subject:
description: |-
Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type
when accepting the login request, or the request will fail.
type: string
required:
- challenge
- requested_scope
- requested_access_token_audience
- skip
- subject
- client
- request_url
title: Contains information on an ongoing login request.
type: object
oAuth2LogoutRequest:
properties:
challenge:
description: |-
Challenge is the identifier ("logout challenge") of the logout authentication request. It is used to
identify the session.
type: string
client:
$ref: '#/components/schemas/oAuth2Client'
request_url:
description: RequestURL is the original Logout URL requested.
type: string
rp_initiated:
description: RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.
type: boolean
sid:
description: SessionID is the login session ID that was requested to log out.
type: string
subject:
description: Subject is the user for whom the logout was request.
type: string
title: Contains information about an ongoing logout request.
type: object
oAuth2RedirectTo:
description: Contains a redirect URL used to complete a login, consent, or logout request.
properties:
redirect_to:
description: RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed.
type: string
required:
- redirect_to
title: OAuth 2.0 Redirect Browser To
type: object
oAuth2TokenExchange:
description: OAuth2 Token Exchange Result
properties:
access_token:
description: The access token issued by the authorization server.
type: string
expires_in:
description: |-
The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
format: int64
type: integer
id_token:
description: To retrieve a refresh token request the id_token scope.
format: int64
type: integer
refresh_token:
description: |-
The refresh token, which can be used to obtain new
access tokens. To retrieve it add the scope "offline" to your access token request.
type: string
scope:
description: The scope of the access token
type: string
token_type:
description: The type of the token issued
type: string
type: object
oidcConfiguration:
description: |-
Includes links to several endpoints (for example `/oauth2/token`) and exposes information on supported signature algorithms
among others.
properties:
authorization_endpoint:
description: OAuth 2.0 Authorization Endpoint URL
example: https://playground.ory.sh/ory-hydra/public/oauth2/auth
type: string
backchannel_logout_session_supported:
description: |-
OpenID Connect Back-Channel Logout Session Required
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP
session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP
type: boolean
backchannel_logout_supported:
description: |-
OpenID Connect Back-Channel Logout Supported
Boolean value specifying whether the OP supports back-channel logout, with true indicating support.
type: boolean
claims_parameter_supported:
description: |-
OpenID Connect Claims Parameter Parameter Supported
Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
type: boolean
claims_supported:
description: |-
OpenID Connect Supported Claims
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
items:
type: string
type: array
code_challenge_methods_supported:
description: |-
OAuth 2.0 PKCE Supported Code Challenge Methods
JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported
by this authorization server.
items:
type: string
type: array
end_session_endpoint:
description: |-
OpenID Connect End-Session Endpoint
URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
type: string
frontchannel_logout_session_supported:
description: |-
OpenID Connect Front-Channel Logout Session Required
Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify
the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
included in ID Tokens issued by the OP.
type: boolean
frontchannel_logout_supported:
description: |-
OpenID Connect Front-Channel Logout Supported
Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.
type: boolean
grant_types_supported:
description: |-
OAuth 2.0 Supported Grant Types
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
items:
type: string
type: array
id_token_signed_response_alg:
description: |-
OpenID Connect Default ID Token Signing Algorithms
Algorithm used to sign OpenID Connect ID Tokens.
items:
type: string
type: array
id_token_signing_alg_values_supported:
description: |-
OpenID Connect Supported ID Token Signing Algorithms
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
to encode the Claims in a JWT.
items:
type: string
type: array
issuer:
description: |-
OpenID Connect Issuer URL
An URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.
If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.
example: https://playground.ory.sh/ory-hydra/public/
type: string
jwks_uri:
description: |-
OpenID Connect Well-Known JSON Web Keys URL
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
example: https://{slug}.projects.oryapis.com/.well-known/jwks.json
type: string
registration_endpoint:
description: OpenID Connect Dynamic Client Registration Endpoint URL
example: https://playground.ory.sh/ory-hydra/admin/client
type: string
request_object_signing_alg_values_supported:
description: |-
OpenID Connect Supported Request Object Signing Algorithms
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,
which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when
the Request Object is passed by value (using the request parameter) and when it is passed by reference
(using the request_uri parameter).
items:
type: string
type: array
request_parameter_supported:
description: |-
OpenID Connect Request Parameter Supported
Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
type: boolean
request_uri_parameter_supported:
description: |-
OpenID Connect Request URI Parameter Supported
Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
type: boolean
require_request_uri_registration:
description: |-
OpenID Connect Requires Request URI Registration
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered
using the request_uris registration parameter.
type: boolean
response_modes_supported:
description: |-
OAuth 2.0 Supported Response Modes
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
items:
type: string
type: array
response_types_supported:
description: |-
OAuth 2.0 Supported Response Types
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
Providers MUST support the code, id_token, and the token id_token Response Type values.
items:
type: string
type: array
revocation_endpoint:
description: |-
OAuth 2.0 Token Revocation URL
URL of the authorization server's OAuth 2.0 revocation endpoint.
type: string
scopes_supported:
description: |-
OAuth 2.0 Supported Scope Values
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used
items:
type: string
type: array
subject_types_supported:
description: |-
OpenID Connect Supported Subject Types
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
pairwise and public.
items:
type: string
type: array
token_endpoint:
description: OAuth 2.0 Token Endpoint URL
example: https://playground.ory.sh/ory-hydra/public/oauth2/token
type: string
token_endpoint_auth_methods_supported:
description: |-
OAuth 2.0 Supported Client Authentication Methods
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0
items:
type: string
type: array
userinfo_endpoint:
description: |-
OpenID Connect Userinfo URL
URL of the OP's UserInfo Endpoint.
type: string
userinfo_signed_response_alg:
description: |-
OpenID Connect User Userinfo Signing Algorithm
Algorithm used to sign OpenID Connect Userinfo Responses.
items:
type: string
type: array
userinfo_signing_alg_values_supported:
description: |-
OpenID Connect Supported Userinfo Signing Algorithm
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
items:
type: string
type: array
required:
- issuer
- authorization_endpoint
- token_endpoint
- jwks_uri
- subject_types_supported
- response_types_supported
- id_token_signing_alg_values_supported
- id_token_signed_response_alg
- userinfo_signed_response_alg
title: OpenID Connect Discovery Metadata
type: object
oidcUserInfo:
description: OpenID Connect Userinfo
properties:
birthdate:
description: End-User's birthday, represented as an ISO 8601:2004 [ISO86012004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
type: string
email:
description: End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
type: string
email_verified:
description: True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
type: boolean
family_name:
description: Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
type: string
gender:
description: End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
type: string
given_name:
description: Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
type: string
locale:
description: End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO6391] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO31661] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.
type: string
middle_name:
description: Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
type: string
name:
description: End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
type: string
nickname:
description: Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
type: string
phone_number:
description: End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
type: string
phone_number_verified:
description: True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
type: boolean
picture:
description: URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
type: string
preferred_username:
description: Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.
type: string
profile:
description: URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
type: string
sub:
description: Subject - Identifier for the End-User at the IssuerURL.
type: string
updated_at:
description: Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
format: int64
type: integer
website:
description: URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
type: string
zoneinfo:
description: String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
type: string
type: object
pagination:
properties:
page_size:
default: 250
description: |-
Items per page
This is the number of items per page to return.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
format: int64
maximum: 1000
minimum: 1
type: integer
page_token:
default: '1'
description: |-
Next Page Token
The next page token.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
minimum: 1
type: string
type: object
paginationHeaders:
properties:
link:
description: |-
The link header contains pagination links.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
in: header
type: string
x-total-count:
description: |-
The total number of clients.
in: header
type: string
type: object
rejectOAuth2Request:
properties:
error:
description: |-
The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).
Defaults to `request_denied`.
type: string
error_debug:
description: |-
Debug contains information to help resolve the problem as a developer. Usually not exposed
to the public but only in the server logs.
type: string
error_description:
description: Description of the error in a human readable format.
type: string
error_hint:
description: Hint to help resolve the error.
type: string
status_code:
description: |-
Represents the HTTP status code of the error (e.g. 401 or 403)
Defaults to 400
format: int64
type: integer
title: The request payload used to accept a login or consent request.
type: object
tokenPagination:
properties:
page_size:
default: 250
description: |-
Items per page
This is the number of items per page to return.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
format: int64
maximum: 1000
minimum: 1
type: integer
page_token:
default: '1'
description: |-
Next Page Token
The next page token.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
minimum: 1
type: string
type: object
tokenPaginationHeaders:
properties:
link:
description: |-
The link header contains pagination links.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
in: header
type: string
x-total-count:
description: |-
The total number of clients.
in: header
type: string
type: object
tokenPaginationRequestParameters:
description: |-
The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:
`<https://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}&page_token={offset}>; rel="{page}"`
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
properties:
page_size:
default: 250
description: |-
Items per Page
This is the number of items per page to return.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
format: int64
maximum: 500
minimum: 1
type: integer
page_token:
default: '1'
description: |-
Next Page Token
The next page token.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
minimum: 1
type: string
title: Pagination Request Parameters
type: object
tokenPaginationResponseHeaders:
description: |-
The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:
`<https://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}&page_token={offset}>; rel="{page}"`
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
properties:
link:
description: |-
The Link HTTP Header
The `Link` header contains a comma-delimited list of links to the following pages:
first: The first page of results.
next: The next page of results.
prev: The previous page of results.
last: The last page of results.
Pages are omitted if they do not exist. For example, if there is no next page, the `next` link is omitted. Examples:
</clients?page_size=5&page_token=0>; rel="first",</clients?page_size=5&page_token=15>; rel="next",</clients?page_size=5&page_token=5>; rel="prev",</clients?page_size=5&page_token=20>; rel="last"
type: string
x-total-count:
description: |-
The X-Total-Count HTTP Header
The `X-Total-Count` header contains the total number of items in the collection.
format: int64
type: integer
title: Pagination Response Header
type: object
trustOAuth2JwtGrantIssuer:
description: Trust OAuth2 JWT Bearer Grant Type Issuer Request Body
properties:
allow_any_subject:
description: The "allow_any_subject" indicates that the issuer is allowed to have any principal as the subject of the JWT.
type: boolean
expires_at:
description: The "expires_at" indicates, when grant will expire, so we will reject assertion from "issuer" targeting "subject".
format: date-time
type: string
issuer:
description: The "issuer" identifies the principal that issued the JWT assertion (same as "iss" claim in JWT).
example: https://jwt-idp.example.com
type: string
jwk:
$ref: '#/components/schemas/jsonWebKey'
scope:
description: The "scope" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
example:
- openid
- offline
items:
type: string
type: array
subject:
description: The "subject" identifies the principal that is the subject of the JWT.
example: mike@example.com
type: string
required:
- issuer
- scope
- jwk
- expires_at
type: object
trustedOAuth2JwtGrantIssuer:
description: OAuth2 JWT Bearer Grant Type Issuer Trust Relationship
properties:
allow_any_subject:
description: The "allow_any_subject" indicates that the issuer is allowed to have any principal as the subject of the JWT.
type: boolean
created_at:
description: The "created_at" indicates, when grant was created.
format: date-time
type: string
expires_at:
description: The "expires_at" indicates, when grant will expire, so we will reject assertion from "issuer" targeting "subject".
format: date-time
type: string
id:
example: 9edc811f-4e28-453c-9b46-4de65f00217f
type: string
issuer:
description: The "issuer" identifies the principal that issued the JWT assertion (same as "iss" claim in JWT).
example: https://jwt-idp.example.com
type: string
public_key:
$ref: '#/components/schemas/trustedOAuth2JwtGrantJsonWebKey'
scope:
description: The "scope" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
example:
- openid
- offline
items:
type: string
type: array
subject:
description: The "subject" identifies the principal that is the subject of the JWT.
example: mike@example.com
type: string
type: object
trustedOAuth2JwtGrantIssuers:
description: OAuth2 JWT Bearer Grant Type Issuer Trust Relationships
items:
$ref: '#/components/schemas/trustedOAuth2JwtGrantIssuer'
type: array
trustedOAuth2JwtGrantJsonWebKey:
description: OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key
properties:
kid:
description: The "key_id" is key unique identifier (same as kid header in jws/jwt).
example: 123e4567-e89b-12d3-a456-426655440000
type: string
set:
description: The "set" is basically a name for a group(set) of keys. Will be the same as "issuer" in grant.
example: https://jwt-idp.example.com
type: string
type: object
version:
properties:
version:
description: Version is the service's version.
type: string
type: object
securitySchemes:
basic:
scheme: basic
type: http
bearer:
scheme: bearer
type: http
oauth2:
flows:
authorizationCode:
authorizationUrl: https://hydra.demo.ory.sh/oauth2/auth
scopes:
offline: A scope required when requesting refresh tokens (alias for `offline_access`)
offline_access: A scope required when requesting refresh tokens
openid: Request an OpenID Connect ID Token
tokenUrl: https://hydra.demo.ory.sh/oauth2/token
type: oauth2
info:
contact:
email: hi@ory.sh
description: |
Documentation for all of Ory Hydra's APIs.
license:
name: Apache 2.0
title: Ory Hydra
version: '2.0.3'
openapi: 3.0.3
paths:
/.well-known/jwks.json:
get:
description: |-
This endpoint returns JSON Web Keys required to verifying OpenID Connect ID Tokens and,
if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like
[node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.
operationId: discoverJsonWebKeys
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySet'
description: jsonWebKeySet
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Discover Well-Known JSON Web Keys
tags:
- wellknown
/.well-known/openid-configuration:
get:
description: |-
A mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.
Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others.
For a full list of clients go here: https://openid.net/developers/certified/
operationId: discoverOidcConfiguration
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oidcConfiguration'
description: oidcConfiguration
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: OpenID Connect Discovery
tags:
- oidc
/admin/clients:
get:
description: |-
This endpoint lists all clients in the database, and never returns client secrets.
As a default it lists the first 100 clients.
operationId: listOAuth2Clients
parameters:
- description: |-
Items per Page
This is the number of items per page to return.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
in: query
name: page_size
schema:
default: 250
format: int64
maximum: 500
minimum: 1
type: integer
- description: |-
Next Page Token
The next page token.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
in: query
name: page_token
schema:
default: '1'
minimum: 1
type: string
- description: The name of the clients to filter by.
in: query
name: client_name
schema:
type: string
- description: The owner of the clients to filter by.
in: query
name: owner
schema:
type: string
responses:
'200':
$ref: '#/components/responses/listOAuth2Clients'
default:
$ref: '#/components/responses/errorOAuth2Default'
summary: List OAuth 2.0 Clients
tags:
- oAuth2
post:
description: |-
Create a new OAuth 2.0 client. If you pass `client_secret` the secret is used, otherwise a random secret
is generated. The secret is echoed in the response. It is not possible to retrieve it later on.
operationId: createOAuth2Client
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: OAuth 2.0 Client Request Body
required: true
x-originalParamName: Body
responses:
'201':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
'400':
$ref: '#/components/responses/errorOAuth2BadRequest'
default:
$ref: '#/components/responses/errorOAuth2Default'
summary: Create OAuth 2.0 Client
tags:
- oAuth2
/admin/clients/{id}:
delete:
description: |-
Delete an existing OAuth 2.0 Client by its ID.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
Make sure that this endpoint is well protected and only callable by first-party components.
operationId: deleteOAuth2Client
parameters:
- description: The id of the OAuth 2.0 Client.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: Delete OAuth 2.0 Client
tags:
- oAuth2
get:
description: |-
Get an OAuth 2.0 client by its ID. This endpoint never returns the client secret.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
operationId: getOAuth2Client
parameters:
- description: The id of the OAuth 2.0 Client.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
default:
$ref: '#/components/responses/errorOAuth2Default'
summary: Get an OAuth 2.0 Client
tags:
- oAuth2
patch:
description: |-
Patch an existing OAuth 2.0 Client using JSON Patch. If you pass `client_secret`
the secret will be updated and returned via the API. This is the
only time you will be able to retrieve the client secret, so write it down and keep it safe.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
operationId: patchOAuth2Client
parameters:
- description: The id of the OAuth 2.0 Client.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/jsonPatchDocument'
description: OAuth 2.0 Client JSON Patch Body
required: true
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
'404':
$ref: '#/components/responses/errorOAuth2NotFound'
default:
$ref: '#/components/responses/errorOAuth2Default'
summary: Patch OAuth 2.0 Client
tags:
- oAuth2
put:
description: |-
Replaces an existing OAuth 2.0 Client with the payload you send. If you pass `client_secret` the secret is used,
otherwise the existing secret is used.
If set, the secret is echoed in the response. It is not possible to retrieve it later on.
OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
operationId: setOAuth2Client
parameters:
- description: OAuth 2.0 Client ID
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: OAuth 2.0 Client Request Body
required: true
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
'400':
$ref: '#/components/responses/errorOAuth2BadRequest'
'404':
$ref: '#/components/responses/errorOAuth2NotFound'
default:
$ref: '#/components/responses/errorOAuth2Default'
summary: Set OAuth 2.0 Client
tags:
- oAuth2
/admin/clients/{id}/lifespans:
put:
description: Set lifespans of different token types issued for this OAuth 2.0 client. Does not modify other fields.
operationId: setOAuth2ClientLifespans
parameters:
- description: OAuth 2.0 Client ID
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2ClientTokenLifespans'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: Set OAuth2 Client Token Lifespans
tags:
- oAuth2
/admin/keys/{set}:
delete:
description: |-
Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: deleteJsonWebKeySet
parameters:
- description: The JSON Web Key Set
in: path
name: set
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Delete JSON Web Key Set
tags:
- jwk
get:
description: |-
This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: getJsonWebKeySet
parameters:
- description: JSON Web Key Set ID
in: path
name: set
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySet'
description: jsonWebKeySet
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Retrieve a JSON Web Key Set
tags:
- jwk
post:
description: |-
This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: createJsonWebKeySet
parameters:
- description: The JSON Web Key Set ID
in: path
name: set
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/createJsonWebKeySet'
required: true
x-originalParamName: Body
responses:
'201':
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySet'
description: jsonWebKeySet
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Create JSON Web Key
tags:
- jwk
put:
description: |-
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: setJsonWebKeySet
parameters:
- description: The JSON Web Key Set ID
in: path
name: set
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySet'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySet'
description: jsonWebKeySet
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Update a JSON Web Key Set
tags:
- jwk
/admin/keys/{set}/{kid}:
delete:
description: |-
Use this endpoint to delete a single JSON Web Key.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A
JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses
this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens),
and allows storing user-defined keys as well.
operationId: deleteJsonWebKey
parameters:
- description: The JSON Web Key Set
in: path
name: set
required: true
schema:
type: string
- description: The JSON Web Key ID (kid)
in: path
name: kid
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Delete JSON Web Key
tags:
- jwk
get:
description: This endpoint returns a singular JSON Web Key contained in a set. It is identified by the set and the specific key ID (kid).
operationId: getJsonWebKey
parameters:
- description: JSON Web Key Set ID
in: path
name: set
required: true
schema:
type: string
- description: JSON Web Key ID
in: path
name: kid
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKeySet'
description: jsonWebKeySet
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Get JSON Web Key
tags:
- jwk
put:
description: |-
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
operationId: setJsonWebKey
parameters:
- description: The JSON Web Key Set ID
in: path
name: set
required: true
schema:
type: string
- description: JSON Web Key ID
in: path
name: kid
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKey'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/jsonWebKey'
description: jsonWebKey
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Set JSON Web Key
tags:
- jwk
/admin/oauth2/auth/requests/consent:
get:
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
to authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if
the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
provider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted
or rejected the request.
The default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please
head over to the OAuth 2.0 documentation.
operationId: getOAuth2ConsentRequest
parameters:
- description: OAuth 2.0 Consent Request Challenge
in: query
name: consent_challenge
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2ConsentRequest'
description: oAuth2ConsentRequest
'410':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Get OAuth 2.0 Consent Request
tags:
- oAuth2
/admin/oauth2/auth/requests/consent/accept:
put:
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
to authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if
the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
provider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted
or rejected the request.
This endpoint tells Ory that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf.
The consent provider includes additional information, such as session data for access and ID tokens, and if the
consent request should be used as basis for future requests.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
The default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please
head over to the OAuth 2.0 documentation.
operationId: acceptOAuth2ConsentRequest
parameters:
- description: OAuth 2.0 Consent Request Challenge
in: query
name: consent_challenge
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/acceptOAuth2ConsentRequest'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Accept OAuth 2.0 Consent Request
tags:
- oAuth2
/admin/oauth2/auth/requests/consent/reject:
put:
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
to authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if
the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
provider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted
or rejected the request.
This endpoint tells Ory that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf.
The consent provider must include a reason why the consent was not granted.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
The default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please
head over to the OAuth 2.0 documentation.
operationId: rejectOAuth2ConsentRequest
parameters:
- description: OAuth 2.0 Consent Request Challenge
in: query
name: consent_challenge
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/rejectOAuth2Request'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Reject OAuth 2.0 Consent Request
tags:
- oAuth2
/admin/oauth2/auth/requests/login:
get:
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
to authenticate the subject and then tell the Ory OAuth2 Service about it.
Per default, the login provider is Ory itself. You may use a different login provider which needs to be a web-app
you write and host, and it must be able to authenticate ("show the subject a login screen")
a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
operationId: getOAuth2LoginRequest
parameters:
- description: OAuth 2.0 Login Request Challenge
in: query
name: login_challenge
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2LoginRequest'
description: oAuth2LoginRequest
'410':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Get OAuth 2.0 Login Request
tags:
- oAuth2
/admin/oauth2/auth/requests/login/accept:
put:
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
to authenticate the subject and then tell the Ory OAuth2 Service about it.
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
This endpoint tells Ory that the subject has successfully authenticated and includes additional information such as
the subject's ID and if Ory should remember the subject's subject agent for future authentication attempts by setting
a cookie.
The response contains a redirect URL which the login provider should redirect the user-agent to.
operationId: acceptOAuth2LoginRequest
parameters:
- description: OAuth 2.0 Login Request Challenge
in: query
name: login_challenge
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/acceptOAuth2LoginRequest'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Accept OAuth 2.0 Login Request
tags:
- oAuth2
/admin/oauth2/auth/requests/login/reject:
put:
description: |-
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
to authenticate the subject and then tell the Ory OAuth2 Service about it.
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
This endpoint tells Ory that the subject has not authenticated and includes a reason why the authentication
was denied.
The response contains a redirect URL which the login provider should redirect the user-agent to.
operationId: rejectOAuth2LoginRequest
parameters:
- description: OAuth 2.0 Login Request Challenge
in: query
name: login_challenge
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/rejectOAuth2Request'
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Reject OAuth 2.0 Login Request
tags:
- oAuth2
/admin/oauth2/auth/requests/logout:
get:
description: Use this endpoint to fetch an Ory OAuth 2.0 logout request.
operationId: getOAuth2LogoutRequest
parameters:
- in: query
name: logout_challenge
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2LogoutRequest'
description: oAuth2LogoutRequest
'410':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Get OAuth 2.0 Session Logout Request
tags:
- oAuth2
/admin/oauth2/auth/requests/logout/accept:
put:
description: |-
When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to confirm that logout request.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
operationId: acceptOAuth2LogoutRequest
parameters:
- description: OAuth 2.0 Logout Request Challenge
in: query
name: logout_challenge
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2RedirectTo'
description: oAuth2RedirectTo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Accept OAuth 2.0 Session Logout Request
tags:
- oAuth2
/admin/oauth2/auth/requests/logout/reject:
put:
description: |-
When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to deny that logout request.
No HTTP request body is required.
The response is empty as the logout provider has to chose what action to perform next.
operationId: rejectOAuth2LogoutRequest
parameters:
- in: query
name: logout_challenge
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Reject OAuth 2.0 Session Logout Request
tags:
- oAuth2
/admin/oauth2/auth/sessions/consent:
delete:
description: |-
This endpoint revokes a subject's granted consent sessions and invalidates all
associated OAuth 2.0 Access Tokens. You may also only revoke sessions for a specific OAuth 2.0 Client ID.
operationId: revokeOAuth2ConsentSessions
parameters:
- description: |-
OAuth 2.0 Consent Subject
The subject whose consent sessions should be deleted.
in: query
name: subject
required: true
schema:
type: string
- description: |-
OAuth 2.0 Client ID
If set, deletes only those consent sessions that have been granted to the specified OAuth 2.0 Client ID.
in: query
name: client
schema:
type: string
- description: |-
Revoke All Consent Sessions
If set to `true` deletes all consent sessions by the Subject that have been granted.
in: query
name: all
schema:
type: boolean
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Revoke OAuth 2.0 Consent Sessions of a Subject
tags:
- oAuth2
get:
description: |-
This endpoint lists all subject's granted consent sessions, including client and granted scope.
If the subject is unknown or has not granted any consent sessions yet, the endpoint returns an
empty JSON array with status code 200 OK.
operationId: listOAuth2ConsentSessions
parameters:
- description: |-
Items per Page
This is the number of items per page to return.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
in: query
name: page_size
schema:
default: 250
format: int64
maximum: 500
minimum: 1
type: integer
- description: |-
Next Page Token
The next page token.
For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
in: query
name: page_token
schema:
default: '1'
minimum: 1
type: string
- description: The subject to list the consent sessions for.
in: query
name: subject
required: true
schema:
type: string
- description: The login session id to list the consent sessions for.
in: query
name: login_session_id
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2ConsentSessions'
description: oAuth2ConsentSessions
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: List OAuth 2.0 Consent Sessions of a Subject
tags:
- oAuth2
/admin/oauth2/auth/sessions/login:
delete:
description: |-
This endpoint invalidates a subject's authentication session. After revoking the authentication session, the subject
has to re-authenticate at the Ory OAuth2 Provider. This endpoint does not invalidate any tokens and
does not work with OpenID Connect Front- or Back-channel logout.
operationId: revokeOAuth2LoginSessions
parameters:
- description: |-
OAuth 2.0 Subject
The subject to revoke authentication sessions for.
in: query
name: subject
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Revokes All OAuth 2.0 Login Sessions of a Subject
tags:
- oAuth2
/admin/oauth2/introspect:
post:
description: |-
The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token
is neither expired nor revoked. If a token is active, additional information on the token will be included. You can
set additional data for a token by setting `session.access_token` during the consent flow.
operationId: introspectOAuth2Token
requestBody:
content:
application/x-www-form-urlencoded:
schema:
properties:
scope:
description: |-
An optional, space separated list of required scopes. If the access token was not granted one of the
scopes, the result of active will be false.
type: string
x-formData-name: scope
token:
description: |-
The string value of the token. For access tokens, this
is the "access_token" value returned from the token endpoint
defined in OAuth 2.0. For refresh tokens, this is the "refresh_token"
value returned.
required:
- token
type: string
x-formData-name: token
required:
- token
type: object
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/introspectedOAuth2Token'
description: introspectedOAuth2Token
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Introspect OAuth2 Access and Refresh Tokens
tags:
- oAuth2
/admin/oauth2/tokens:
delete:
description: This endpoint deletes OAuth2 access tokens issued to an OAuth 2.0 Client from the database.
operationId: deleteOAuth2Token
parameters:
- description: OAuth 2.0 Client ID
in: query
name: client_id
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client
tags:
- oAuth2
/admin/trust/grants/jwt-bearer/issuers:
get:
description: Use this endpoint to list all trusted JWT Bearer Grant Type Issuers.
operationId: listTrustedOAuth2JwtGrantIssuers
parameters:
- in: query
name: MaxItems
schema:
format: int64
type: integer
- in: query
name: DefaultItems
schema:
format: int64
type: integer
- description: If optional "issuer" is supplied, only jwt-bearer grants with this issuer will be returned.
in: query
name: issuer
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/trustedOAuth2JwtGrantIssuers'
description: trustedOAuth2JwtGrantIssuers
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: List Trusted OAuth2 JWT Bearer Grant Type Issuers
tags:
- oAuth2
post:
description: |-
Use this endpoint to establish a trust relationship for a JWT issuer
to perform JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication
and Authorization Grants [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).
operationId: trustOAuth2JwtGrantIssuer
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/trustOAuth2JwtGrantIssuer'
x-originalParamName: Body
responses:
'201':
content:
application/json:
schema:
$ref: '#/components/schemas/trustedOAuth2JwtGrantIssuer'
description: trustedOAuth2JwtGrantIssuer
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: Trust OAuth2 JWT Bearer Grant Type Issuer
tags:
- oAuth2
/admin/trust/grants/jwt-bearer/issuers/{id}:
delete:
description: |-
Use this endpoint to delete trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you
created the trust relationship.
Once deleted, the associated issuer will no longer be able to perform the JSON Web Token (JWT) Profile
for OAuth 2.0 Client Authentication and Authorization Grant.
operationId: deleteTrustedOAuth2JwtGrantIssuer
parameters:
- description: The id of the desired grant
in: path
name: id
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: Delete Trusted OAuth2 JWT Bearer Grant Type Issuer
tags:
- oAuth2
get:
description: |-
Use this endpoint to get a trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you
created the trust relationship.
operationId: getTrustedOAuth2JwtGrantIssuer
parameters:
- description: The id of the desired grant
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/trustedOAuth2JwtGrantIssuer'
description: trustedOAuth2JwtGrantIssuer
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: Get Trusted OAuth2 JWT Bearer Grant Type Issuer
tags:
- oAuth2
/health/alive:
get:
description: |-
This endpoint returns a HTTP 200 status code when Ory Hydra is accepting incoming
HTTP requests. This status does currently not include checks whether the database connection is working.
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
Be aware that if you are running multiple nodes of this service, the health status will never
refer to the cluster state, only to a single instance.
operationId: isAlive
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/healthStatus'
description: Ory Hydra is ready to accept connections.
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
summary: Check HTTP Server Status
tags:
- metadata
/health/ready:
get:
description: |-
This endpoint returns a HTTP 200 status code when Ory Hydra is up running and the environment dependencies (e.g.
the database) are responsive as well.
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
Be aware that if you are running multiple nodes of Ory Hydra, the health status will never
refer to the cluster state, only to a single instance.
operationId: isReady
responses:
'200':
content:
application/json:
schema:
properties:
status:
description: Always "ok".
type: string
type: object
description: Ory Hydra is ready to accept requests.
'503':
content:
application/json:
schema:
properties:
errors:
additionalProperties:
type: string
description: Errors contains a list of errors that caused the not ready status.
type: object
type: object
description: Ory Kratos is not yet ready to accept requests.
summary: Check HTTP Server and Database Status
tags:
- metadata
/oauth2/auth:
get:
description: |-
Use open source libraries to perform OAuth 2.0 and OpenID Connect
available for any programming language. You can find a list of libraries at https://oauth.net/code/
The Ory SDK is not yet able to this endpoint properly.
operationId: oAuth2Authorize
responses:
'302':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
summary: OAuth 2.0 Authorize Endpoint
tags:
- oAuth2
/oauth2/register:
post:
description: |-
This endpoint behaves like the administrative counterpart (`createOAuth2Client`) but is capable of facing the
public internet directly and can be used in self-service. It implements the OpenID Connect
Dynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint
is disabled by default. It can be enabled by an administrator.
Please note that using this endpoint you are not able to choose the `client_secret` nor the `client_id` as those
values will be server generated when specifying `token_endpoint_auth_method` as `client_secret_basic` or
`client_secret_post`.
The `client_secret` will be returned in the response and you will not be able to retrieve it later on.
Write the secret down and keep it somewhere safe.
operationId: createOidcDynamicClient
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: Dynamic Client Registration Request Body
required: true
x-originalParamName: Body
responses:
'201':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
'400':
$ref: '#/components/responses/errorOAuth2BadRequest'
default:
$ref: '#/components/responses/errorOAuth2Default'
summary: Register OAuth2 Client using OpenID Dynamic Client Registration
tags:
- oidc
/oauth2/register/{id}:
delete:
description: |-
This endpoint behaves like the administrative counterpart (`deleteOAuth2Client`) but is capable of facing the
public internet directly and can be used in self-service. It implements the OpenID Connect
Dynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint
is disabled by default. It can be enabled by an administrator.
To use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client
uses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.
If it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
operationId: deleteOidcDynamicClient
parameters:
- description: The id of the OAuth 2.0 Client.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/genericError'
description: genericError
security:
- bearer: []
summary: Delete OAuth 2.0 Client using the OpenID Dynamic Client Registration Management Protocol
tags:
- oidc
get:
description: |-
This endpoint behaves like the administrative counterpart (`getOAuth2Client`) but is capable of facing the
public internet directly and can be used in self-service. It implements the OpenID Connect
Dynamic Client Registration Protocol.
To use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client
uses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.
If it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.
operationId: getOidcDynamicClient
parameters:
- description: The id of the OAuth 2.0 Client.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
default:
$ref: '#/components/responses/errorOAuth2Default'
security:
- bearer: []
summary: Get OAuth2 Client using OpenID Dynamic Client Registration
tags:
- oidc
put:
description: |-
This endpoint behaves like the administrative counterpart (`setOAuth2Client`) but is capable of facing the
public internet directly to be used by third parties. It implements the OpenID Connect
Dynamic Client Registration Protocol.
This feature is disabled per default. It can be enabled by a system administrator.
If you pass `client_secret` the secret is used, otherwise the existing secret is used. If set, the secret is echoed in the response.
It is not possible to retrieve it later on.
To use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client
uses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.
If it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
operationId: setOidcDynamicClient
parameters:
- description: OAuth 2.0 Client ID
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: OAuth 2.0 Client Request Body
required: true
x-originalParamName: Body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2Client'
description: oAuth2Client
'404':
$ref: '#/components/responses/errorOAuth2NotFound'
default:
$ref: '#/components/responses/errorOAuth2Default'
security:
- bearer: []
summary: Set OAuth2 Client using OpenID Dynamic Client Registration
tags:
- oidc
/oauth2/revoke:
post:
description: |-
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no
longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.
Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by
the client the token was generated for.
operationId: revokeOAuth2Token
requestBody:
content:
application/x-www-form-urlencoded:
schema:
properties:
client_id:
type: string
x-formData-name: client_id
client_secret:
type: string
x-formData-name: client_secret
token:
required:
- token
type: string
x-formData-name: token
required:
- token
type: object
responses:
'200':
$ref: '#/components/responses/emptyResponse'
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
security:
- basic: []
- oauth2: []
summary: Revoke OAuth 2.0 Access or Refresh Token
tags:
- oAuth2
/oauth2/sessions/logout:
get:
description: |-
This endpoint initiates and completes user logout at the Ory OAuth2 & OpenID provider and initiates OpenID Connect Front- / Back-channel logout:
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://openid.net/specs/openid-connect-backchannel-1_0.html
Back-channel logout is performed asynchronously and does not affect logout flow.
operationId: revokeOidcSession
responses:
'302':
$ref: '#/components/responses/emptyResponse'
summary: OpenID Connect Front- and Back-channel Enabled Logout
tags:
- oidc
/oauth2/token:
post:
description: |-
Use open source libraries to perform OAuth 2.0 and OpenID Connect
available for any programming language. You can find a list of libraries here https://oauth.net/code/
The Ory SDK is not yet able to this endpoint properly.
operationId: oauth2TokenExchange
requestBody:
content:
application/x-www-form-urlencoded:
schema:
properties:
client_id:
type: string
x-formData-name: client_id
code:
type: string
x-formData-name: code
grant_type:
required:
- grant_type
type: string
x-formData-name: grant_type
redirect_uri:
type: string
x-formData-name: redirect_uri
refresh_token:
type: string
x-formData-name: refresh_token
required:
- grant_type
type: object
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oAuth2TokenExchange'
description: oAuth2TokenExchange
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
security:
- basic: []
- oauth2: []
summary: The OAuth 2.0 Token Endpoint
tags:
- oAuth2
/userinfo:
get:
description: |-
This endpoint returns the payload of the ID Token, including `session.id_token` values, of
the provided OAuth 2.0 Access Token's consent request.
In the case of authentication error, a WWW-Authenticate header might be set in the response
with more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3)
for more details about header format.
operationId: getOidcUserInfo
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/oidcUserInfo'
description: oidcUserInfo
default:
content:
application/json:
schema:
$ref: '#/components/schemas/errorOAuth2'
description: errorOAuth2
security:
- oauth2: []
summary: OpenID Connect Userinfo
tags:
- oidc
/version:
get:
description: |-
This endpoint returns the version of Ory Hydra.
If the service supports TLS Edge Termination, this endpoint does not require the
`X-Forwarded-Proto` header to be set.
Be aware that if you are running multiple nodes of this service, the version will never
refer to the cluster state, only to a single instance.
operationId: getVersion
responses:
'200':
content:
application/json:
schema:
properties:
version:
description: The version of Ory Hydra.
type: string
type: object
description: Returns the Ory Hydra version.
summary: Return Running Software Version.
tags:
- metadata
tags:
- description: OAuth 2.0
name: oAuth2
- description: OpenID Connect
name: oidc
- description: JSON Web Keys
name: jwk
- description: Well-Known Endpoints
name: wellknown
- description: Service Metadata
name: metadata
x-forwarded-proto: string
x-request-id: string
Reference in New Issue View Git Blame Copy Permalink