From 63b67c171b0a6a3a1a74cd91b42ea7947ac61cbf Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Mon, 14 Aug 2023 13:09:29 +0200 Subject: [PATCH] Add spec for hydra:v2.2.0-rc.3.pre.0 --- spec/hydra/v2.2.0-rc.3.json | 3884 +++++++++++++++++++++++++++++++++++ 1 file changed, 3884 insertions(+) create mode 100644 spec/hydra/v2.2.0-rc.3.json diff --git a/spec/hydra/v2.2.0-rc.3.json b/spec/hydra/v2.2.0-rc.3.json new file mode 100644 index 00000000000..1e6b8cd225d --- /dev/null +++ b/spec/hydra/v2.2.0-rc.3.json @@ -0,0 +1,3884 @@ +{ + "components": { + "responses": { + "emptyResponse": { + "description": "Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is\ntypically 201." + }, + "errorOAuth2BadRequest": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "Bad Request Error Response" + }, + "errorOAuth2Default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "Default Error Response" + }, + "errorOAuth2NotFound": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "Not Found Error Response" + }, + "listOAuth2Clients": { + "content": { + "application/json": { + "schema": { + "items": { + "$ref": "#/components/schemas/oAuth2Client" + }, + "type": "array" + } + } + }, + "description": "Paginated OAuth2 Client List Response" + } + }, + "schemas": { + "CreateVerifiableCredentialRequestBody": { + "properties": { + "format": { + "type": "string" + }, + "proof": { + "$ref": "#/components/schemas/VerifiableCredentialProof" + }, + "types": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "title": "CreateVerifiableCredentialRequestBody contains the request body to request a verifiable credential.", + "type": "object" + }, + "DefaultError": {}, + "JSONRawMessage": { + "title": "JSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger." + }, + "NullBool": { + "nullable": true, + "type": "boolean" + }, + "NullDuration": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "pattern": "^([0-9]+(ns|us|ms|s|m|h))*$", + "title": "Time duration", + "type": "string" + }, + "NullInt": { + "nullable": true, + "type": "integer" + }, + "NullString": { + "nullable": true, + "type": "string" + }, + "NullTime": { + "format": "date-time", + "nullable": true, + "type": "string" + }, + "NullUUID": { + "format": "uuid4", + "nullable": true, + "type": "string" + }, + "RFC6749ErrorJson": { + "properties": { + "error": { + "type": "string" + }, + "error_debug": { + "type": "string" + }, + "error_description": { + "type": "string" + }, + "error_hint": { + "type": "string" + }, + "status_code": { + "format": "int64", + "type": "integer" + } + }, + "title": "RFC6749ErrorJson is a helper struct for JSON encoding/decoding of RFC6749Error.", + "type": "object" + }, + "StringSliceJSONFormat": { + "items": { + "type": "string" + }, + "title": "StringSliceJSONFormat represents []string{} which is encoded to/from JSON for SQL storage.", + "type": "array" + }, + "Time": { + "format": "date-time", + "type": "string" + }, + "UUID": { + "format": "uuid4", + "type": "string" + }, + "VerifiableCredentialProof": { + "properties": { + "jwt": { + "type": "string" + }, + "proof_type": { + "type": "string" + } + }, + "title": "VerifiableCredentialProof contains the proof of a verifiable credential.", + "type": "object" + }, + "acceptOAuth2ConsentRequest": { + "properties": { + "grant_access_token_audience": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "grant_scope": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "handled_at": { + "$ref": "#/components/schemas/nullTime" + }, + "remember": { + "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", + "type": "boolean" + }, + "remember_for": { + "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.", + "format": "int64", + "type": "integer" + }, + "session": { + "$ref": "#/components/schemas/acceptOAuth2ConsentRequestSession" + } + }, + "title": "The request payload used to accept a consent request.", + "type": "object" + }, + "acceptOAuth2ConsentRequestSession": { + "properties": { + "access_token": { + "description": "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the\nrefresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.\nIf only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties\ncan access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!" + }, + "id_token": { + "description": "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable\nby anyone that has access to the ID Challenge. Use with care!" + } + }, + "title": "Pass session data to a consent request.", + "type": "object" + }, + "acceptOAuth2LoginRequest": { + "properties": { + "acr": { + "description": "ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", + "type": "string" + }, + "amr": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "context": { + "$ref": "#/components/schemas/JSONRawMessage" + }, + "extend_session_lifespan": { + "description": "Extend OAuth2 authentication session lifespan\n\nIf set to `true`, the OAuth2 authentication cookie lifespan is extended. This is for example useful if you want the user to be able to use `prompt=none` continuously.\n\nThis value can only be set to `true` if the user has an authentication, which is the case if the `skip` value is `true`.", + "type": "boolean" + }, + "force_subject_identifier": { + "description": "ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID refers to the\n(Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID\nConnect specification. It allows you to set an obfuscated subject (\"user\") identifier that is unique to the client.\n\nPlease note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the\nsub claim in the OAuth 2.0 Introspection.\n\nPer default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself\nyou can use this field. Please note that setting this field has no effect if `pairwise` is not configured in\nORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's\nconfiguration).\n\nPlease also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies\nthat you have to compute this value on every authentication process (probably depending on the client ID or some\nother unique value).\n\nIf you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.", + "type": "string" + }, + "identity_provider_session_id": { + "description": "IdentityProviderSessionID is the session ID of the end-user that authenticated.\nIf specified, we will use this value to propagate the logout.", + "type": "string" + }, + "remember": { + "description": "Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store\na cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she\nwill not be asked to log in again.", + "type": "boolean" + }, + "remember_for": { + "description": "RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered for the duration of the browser session (using a session cookie).", + "format": "int64", + "type": "integer" + }, + "subject": { + "description": "Subject is the user ID of the end-user that authenticated.", + "type": "string" + } + }, + "required": [ + "subject" + ], + "title": "HandledLoginRequest is the request payload used to accept a login request.", + "type": "object" + }, + "createJsonWebKeySet": { + "description": "Create JSON Web Key Set Request Body", + "properties": { + "alg": { + "description": "JSON Web Key Algorithm\n\nThe algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`.", + "type": "string" + }, + "kid": { + "description": "JSON Web Key ID\n\nThe Key ID of the key to be created.", + "type": "string" + }, + "use": { + "description": "JSON Web Key Use\n\nThe \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Valid values are \"enc\" and \"sig\".", + "type": "string" + } + }, + "required": [ + "alg", + "use", + "kid" + ], + "type": "object" + }, + "credentialSupportedDraft00": { + "description": "Includes information about the supported verifiable credentials.", + "properties": { + "cryptographic_binding_methods_supported": { + "description": "OpenID Connect Verifiable Credentials Cryptographic Binding Methods Supported\n\nContains a list of cryptographic binding methods supported for signing the proof.", + "items": { + "type": "string" + }, + "type": "array" + }, + "cryptographic_suites_supported": { + "description": "OpenID Connect Verifiable Credentials Cryptographic Suites Supported\n\nContains a list of cryptographic suites methods supported for signing the proof.", + "items": { + "type": "string" + }, + "type": "array" + }, + "format": { + "description": "OpenID Connect Verifiable Credentials Format\n\nContains the format that is supported by this authorization server.", + "type": "string" + }, + "types": { + "description": "OpenID Connect Verifiable Credentials Types\n\nContains the types of verifiable credentials supported.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "title": "Verifiable Credentials Metadata (Draft 00)", + "type": "object" + }, + "errorOAuth2": { + "description": "Error", + "properties": { + "error": { + "description": "Error", + "type": "string" + }, + "error_debug": { + "description": "Error Debug Information\n\nOnly available in dev mode.", + "type": "string" + }, + "error_description": { + "description": "Error Description", + "type": "string" + }, + "error_hint": { + "description": "Error Hint\n\nHelps the user identify the error cause.", + "example": "The redirect URL is not allowed.", + "type": "string" + }, + "status_code": { + "description": "HTTP Status Code", + "example": 401, + "format": "int64", + "type": "integer" + } + }, + "type": "object" + }, + "genericError": { + "properties": { + "code": { + "description": "The status code", + "example": 404, + "format": "int64", + "type": "integer" + }, + "debug": { + "description": "Debug information\n\nThis field is often not exposed to protect against leaking\nsensitive information.", + "example": "SQL field \"foo\" is not a bool.", + "type": "string" + }, + "details": { + "description": "Further error details" + }, + "id": { + "description": "The error ID\n\nUseful when trying to identify various errors in application logic.", + "type": "string" + }, + "message": { + "description": "Error message\n\nThe error's message.", + "example": "The resource could not be found", + "type": "string" + }, + "reason": { + "description": "A human-readable reason for the error", + "example": "User with ID 1234 does not exist.", + "type": "string" + }, + "request": { + "description": "The request ID\n\nThe request ID is often exposed internally in order to trace\nerrors across service architectures. This is often a UUID.", + "example": "d7ef54b1-ec15-46e6-bccb-524b82c035e6", + "type": "string" + }, + "status": { + "description": "The status description", + "example": "Not Found", + "type": "string" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "healthNotReadyStatus": { + "properties": { + "errors": { + "additionalProperties": { + "type": "string" + }, + "description": "Errors contains a list of errors that caused the not ready status.", + "type": "object" + } + }, + "type": "object" + }, + "healthStatus": { + "properties": { + "status": { + "description": "Status always contains \"ok\".", + "type": "string" + } + }, + "type": "object" + }, + "introspectedOAuth2Token": { + "description": "Introspection contains an access token's session data as specified by\n[IETF RFC 7662](https://tools.ietf.org/html/rfc7662)", + "properties": { + "active": { + "description": "Active is a boolean indicator of whether or not the presented token\nis currently active. The specifics of a token's \"active\" state\nwill vary depending on the implementation of the authorization\nserver and the information it keeps about its tokens, but a \"true\"\nvalue return for the \"active\" property will generally indicate\nthat a given token has been issued by this authorization server,\nhas not been revoked by the resource owner, and is within its\ngiven time window of validity (e.g., after its issuance time and\nbefore its expiration time).", + "type": "boolean" + }, + "aud": { + "description": "Audience contains a list of the token's intended audiences.", + "items": { + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "ID is aclient identifier for the OAuth 2.0 client that\nrequested this token.", + "type": "string" + }, + "exp": { + "description": "Expires at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token will expire.", + "format": "int64", + "type": "integer" + }, + "ext": { + "additionalProperties": {}, + "description": "Extra is arbitrary data set by the session.", + "type": "object" + }, + "iat": { + "description": "Issued at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token was\noriginally issued.", + "format": "int64", + "type": "integer" + }, + "iss": { + "description": "IssuerURL is a string representing the issuer of this token", + "type": "string" + }, + "nbf": { + "description": "NotBefore is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token is not to be\nused before.", + "format": "int64", + "type": "integer" + }, + "obfuscated_subject": { + "description": "ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization.\nIt is the `sub` value of the ID Token that was issued.", + "type": "string" + }, + "scope": { + "description": "Scope is a JSON string containing a space-separated list of\nscopes associated with this token.", + "type": "string" + }, + "sub": { + "description": "Subject of the token, as defined in JWT [RFC7519].\nUsually a machine-readable identifier of the resource owner who\nauthorized this token.", + "type": "string" + }, + "token_type": { + "description": "TokenType is the introspected token's type, typically `Bearer`.", + "type": "string" + }, + "token_use": { + "description": "TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.", + "type": "string" + }, + "username": { + "description": "Username is a human-readable identifier for the resource owner who\nauthorized this token.", + "type": "string" + } + }, + "required": [ + "active" + ], + "type": "object" + }, + "jsonPatch": { + "description": "A JSONPatch document as defined by RFC 6902", + "properties": { + "from": { + "description": "This field is used together with operation \"move\" and uses JSON Pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "example": "/name", + "type": "string" + }, + "op": { + "description": "The operation to be performed. One of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\".", + "example": "replace", + "type": "string" + }, + "path": { + "description": "The path to the target path. Uses JSON pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "example": "/name", + "type": "string" + }, + "value": { + "description": "The value to be used within the operations.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "example": "foobar" + } + }, + "required": [ + "op", + "path" + ], + "type": "object" + }, + "jsonPatchDocument": { + "description": "A JSONPatchDocument request", + "items": { + "$ref": "#/components/schemas/jsonPatch" + }, + "type": "array" + }, + "jsonWebKey": { + "properties": { + "alg": { + "description": "The \"alg\" (algorithm) parameter identifies the algorithm intended for\nuse with the key. The values used should either be registered in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.", + "example": "RS256", + "type": "string" + }, + "crv": { + "example": "P-256", + "type": "string" + }, + "d": { + "example": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE", + "type": "string" + }, + "dp": { + "example": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0", + "type": "string" + }, + "dq": { + "example": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk", + "type": "string" + }, + "e": { + "example": "AQAB", + "type": "string" + }, + "k": { + "example": "GawgguFyGrWKav7AX4VKUg", + "type": "string" + }, + "kid": { + "description": "The \"kid\" (key ID) parameter is used to match a specific key. This\nis used, for instance, to choose among a set of keys within a JWK Set\nduring key rollover. The structure of the \"kid\" value is\nunspecified. When \"kid\" values are used within a JWK Set, different\nkeys within the JWK Set SHOULD use distinct \"kid\" values. (One\nexample in which different keys might use the same \"kid\" value is if\nthey have different \"kty\" (key type) values but are considered to be\nequivalent alternatives by the application using them.) The \"kid\"\nvalue is a case-sensitive string.", + "example": "1603dfe0af8f4596", + "type": "string" + }, + "kty": { + "description": "The \"kty\" (key type) parameter identifies the cryptographic algorithm\nfamily used with the key, such as \"RSA\" or \"EC\". \"kty\" values should\neither be registered in the IANA \"JSON Web Key Types\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name. The \"kty\" value is a case-sensitive string.", + "example": "RSA", + "type": "string" + }, + "n": { + "example": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0", + "type": "string" + }, + "p": { + "example": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ", + "type": "string" + }, + "q": { + "example": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ", + "type": "string" + }, + "qi": { + "example": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU", + "type": "string" + }, + "use": { + "description": "Use (\"public key use\") identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Values are commonly \"sig\" (signature) or \"enc\" (encryption).", + "example": "sig", + "type": "string" + }, + "x": { + "example": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", + "type": "string" + }, + "x5c": { + "description": "The \"x5c\" (X.509 certificate chain) parameter contains a chain of one\nor more PKIX certificates [RFC5280]. The certificate chain is\nrepresented as a JSON array of certificate value strings. Each\nstring in the array is a base64-encoded (Section 4 of [RFC4648] --\nnot base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.\nThe PKIX certificate containing the key value MUST be the first\ncertificate.", + "items": { + "type": "string" + }, + "type": "array" + }, + "y": { + "example": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", + "type": "string" + } + }, + "required": [ + "use", + "kty", + "kid", + "alg" + ], + "type": "object" + }, + "jsonWebKeySet": { + "description": "JSON Web Key Set", + "properties": { + "keys": { + "description": "List of JSON Web Keys\n\nThe value of the \"keys\" parameter is an array of JSON Web Key (JWK)\nvalues. By default, the order of the JWK values within the array does\nnot imply an order of preference among them, although applications\nof JWK Sets can choose to assign a meaning to the order for their\npurposes, if desired.", + "items": { + "$ref": "#/components/schemas/jsonWebKey" + }, + "type": "array" + } + }, + "type": "object" + }, + "nullDuration": { + "nullable": true, + "pattern": "^[0-9]+(ns|us|ms|s|m|h)$", + "type": "string" + }, + "nullInt64": { + "nullable": true, + "type": "integer" + }, + "nullTime": { + "format": "date-time", + "title": "NullTime implements sql.NullTime functionality.", + "type": "string" + }, + "oAuth2Client": { + "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "properties": { + "access_token_strategy": { + "description": "OAuth 2.0 Access Token Strategy\n\nAccessTokenStrategy is the strategy used to generate access tokens.\nValid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens\nSetting the stragegy here overrides the global setting in `strategies.access_token`.", + "type": "string" + }, + "allowed_cors_origins": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "audience": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "authorization_code_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "authorization_code_grant_id_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "authorization_code_grant_refresh_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "backchannel_logout_session_required": { + "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", + "type": "boolean" + }, + "backchannel_logout_uri": { + "description": "OpenID Connect Back-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", + "type": "string" + }, + "client_credentials_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "client_id": { + "description": "OAuth 2.0 Client ID\n\nThe ID is autogenerated and immutable.", + "type": "string" + }, + "client_name": { + "description": "OAuth 2.0 Client Name\n\nThe human-readable name of the client to be presented to the\nend-user during authorization.", + "type": "string" + }, + "client_secret": { + "description": "OAuth 2.0 Client Secret\n\nThe secret will be included in the create request as cleartext, and then\nnever again. The secret is kept in hashed format and is not recoverable once lost.", + "type": "string" + }, + "client_secret_expires_at": { + "description": "OAuth 2.0 Client Secret Expires At\n\nThe field is currently not supported and its value is always 0.", + "format": "int64", + "type": "integer" + }, + "client_uri": { + "description": "OAuth 2.0 Client URI\n\nClientURI is a URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", + "type": "string" + }, + "contacts": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "created_at": { + "description": "OAuth 2.0 Client Creation Date\n\nCreatedAt returns the timestamp of the client's creation.", + "format": "date-time", + "type": "string" + }, + "frontchannel_logout_session_required": { + "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", + "type": "boolean" + }, + "frontchannel_logout_uri": { + "description": "OpenID Connect Front-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", + "type": "string" + }, + "grant_types": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "implicit_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "implicit_grant_id_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "jwks": { + "description": "OAuth 2.0 Client JSON Web Key Set\n\nClient's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as\nthe jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter\nis intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for\ninstance, by native applications that might not have a location to host the contents of the JWK Set. If a Client\ncan use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation\n(which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks\nparameters MUST NOT be used together." + }, + "jwks_uri": { + "description": "OAuth 2.0 Client JSON Web Key Set URL\n\nURL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", + "type": "string" + }, + "jwt_bearer_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "logo_uri": { + "description": "OAuth 2.0 Client Logo URI\n\nA URL string referencing the client's logo.", + "type": "string" + }, + "metadata": { + "$ref": "#/components/schemas/JSONRawMessage" + }, + "owner": { + "description": "OAuth 2.0 Client Owner\n\nOwner is a string identifying the owner of the OAuth 2.0 Client.", + "type": "string" + }, + "policy_uri": { + "description": "OAuth 2.0 Client Policy URI\n\nPolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", + "type": "string" + }, + "post_logout_redirect_uris": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "redirect_uris": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "refresh_token_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "refresh_token_grant_id_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "refresh_token_grant_refresh_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "registration_access_token": { + "description": "OpenID Connect Dynamic Client Registration Access Token\n\nRegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client\nusing Dynamic Client Registration.", + "type": "string" + }, + "registration_client_uri": { + "description": "OpenID Connect Dynamic Client Registration URL\n\nRegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", + "type": "string" + }, + "request_object_signing_alg": { + "description": "OpenID Connect Request Object Signing Algorithm\n\nJWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", + "type": "string" + }, + "request_uris": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "response_types": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "scope": { + "description": "OAuth 2.0 Client Scope\n\nScope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", + "example": "scope1 scope-2 scope.3 scope:4", + "type": "string" + }, + "sector_identifier_uri": { + "description": "OpenID Connect Sector Identifier URI\n\nURL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", + "type": "string" + }, + "skip_consent": { + "description": "SkipConsent skips the consent screen for this client. This field can only\nbe set from the admin API.", + "type": "boolean" + }, + "subject_type": { + "description": "OpenID Connect Subject Type\n\nThe `subject_types_supported` Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", + "type": "string" + }, + "token_endpoint_auth_method": { + "default": "client_secret_basic", + "description": "OAuth 2.0 Token Endpoint Authentication Method\n\nRequested Client Authentication method for the Token Endpoint. The options are:\n\n`client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header.\n`client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body.\n`private_key_jwt`: Use JSON Web Tokens to authenticate the client.\n`none`: Used for public clients (native apps, mobile apps) which can not have secrets.", + "type": "string" + }, + "token_endpoint_auth_signing_alg": { + "description": "OAuth 2.0 Token Endpoint Signing Algorithm\n\nRequested Client Authentication signing algorithm for the Token Endpoint.", + "type": "string" + }, + "tos_uri": { + "description": "OAuth 2.0 Client Terms of Service URI\n\nA URL string pointing to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", + "type": "string" + }, + "updated_at": { + "description": "OAuth 2.0 Client Last Update Date\n\nUpdatedAt returns the timestamp of the last update.", + "format": "date-time", + "type": "string" + }, + "userinfo_signed_response_alg": { + "description": "OpenID Connect Request Userinfo Signed Response Algorithm\n\nJWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", + "type": "string" + } + }, + "title": "OAuth 2.0 Client", + "type": "object" + }, + "oAuth2ClientTokenLifespans": { + "description": "Lifespans of different token types issued for this OAuth 2.0 Client.", + "properties": { + "authorization_code_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "authorization_code_grant_id_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "authorization_code_grant_refresh_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "client_credentials_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "implicit_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "implicit_grant_id_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "jwt_bearer_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "refresh_token_grant_access_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "refresh_token_grant_id_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + }, + "refresh_token_grant_refresh_token_lifespan": { + "$ref": "#/components/schemas/NullDuration" + } + }, + "title": "OAuth 2.0 Client Token Lifespans", + "type": "object" + }, + "oAuth2ConsentRequest": { + "properties": { + "acr": { + "description": "ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", + "type": "string" + }, + "amr": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "challenge": { + "description": "ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to\nidentify the session.", + "type": "string" + }, + "client": { + "$ref": "#/components/schemas/oAuth2Client" + }, + "context": { + "$ref": "#/components/schemas/JSONRawMessage" + }, + "login_challenge": { + "description": "LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate\na login and consent request in the login \u0026 consent app.", + "type": "string" + }, + "login_session_id": { + "description": "LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", + "type": "string" + }, + "oidc_context": { + "$ref": "#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext" + }, + "request_url": { + "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", + "type": "string" + }, + "requested_access_token_audience": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "requested_scope": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "skip": { + "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you must not ask the user to grant the requested scopes. You must however either allow or deny the\nconsent request using the usual API call.", + "type": "boolean" + }, + "subject": { + "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.", + "type": "string" + } + }, + "required": [ + "challenge" + ], + "title": "Contains information on an ongoing consent request.", + "type": "object" + }, + "oAuth2ConsentRequestOpenIDConnectContext": { + "properties": { + "acr_values": { + "description": "ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.\nIt is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.\n\nOpenID Connect defines it as follows:\n\u003e Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values\nthat the Authorization Server is being requested to use for processing this Authentication Request, with the\nvalues appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication\nperformed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a\nVoluntary Claim by this parameter.", + "items": { + "type": "string" + }, + "type": "array" + }, + "display": { + "description": "Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.\nThe defined values are:\npage: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.\npopup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.\ntouch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.\nwap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display.\n\nThe Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.", + "type": "string" + }, + "id_token_hint_claims": { + "additionalProperties": {}, + "description": "IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the\nEnd-User's current or past authenticated session with the Client.", + "type": "object" + }, + "login_hint": { + "description": "LoginHint hints about the login identifier the End-User might use to log in (if necessary).\nThis hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)\nand then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a\nphone number in the format specified for the phone_number Claim. The use of this parameter is optional.", + "type": "string" + }, + "ui_locales": { + "description": "UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a\nspace-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value\n\"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation),\nfollowed by English (without a region designation). An error SHOULD NOT result if some or all of the requested\nlocales are not supported by the OpenID Provider.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "title": "Contains optional information about the OpenID Connect request.", + "type": "object" + }, + "oAuth2ConsentSession": { + "description": "A completed OAuth 2.0 Consent Session.", + "properties": { + "consent_request": { + "$ref": "#/components/schemas/oAuth2ConsentRequest" + }, + "expires_at": { + "properties": { + "access_token": { + "format": "date-time", + "type": "string" + }, + "authorize_code": { + "format": "date-time", + "type": "string" + }, + "id_token": { + "format": "date-time", + "type": "string" + }, + "par_context": { + "format": "date-time", + "type": "string" + }, + "refresh_token": { + "format": "date-time", + "type": "string" + } + }, + "type": "object" + }, + "grant_access_token_audience": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "grant_scope": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "handled_at": { + "$ref": "#/components/schemas/nullTime" + }, + "remember": { + "description": "Remember Consent\n\nRemember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", + "type": "boolean" + }, + "remember_for": { + "description": "Remember Consent For\n\nRememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.", + "format": "int64", + "type": "integer" + }, + "session": { + "$ref": "#/components/schemas/acceptOAuth2ConsentRequestSession" + } + }, + "title": "OAuth 2.0 Consent Session", + "type": "object" + }, + "oAuth2ConsentSessions": { + "description": "List of OAuth 2.0 Consent Sessions", + "items": { + "$ref": "#/components/schemas/oAuth2ConsentSession" + }, + "type": "array" + }, + "oAuth2LoginRequest": { + "properties": { + "challenge": { + "description": "ID is the identifier (\"login challenge\") of the login request. It is used to\nidentify the session.", + "type": "string" + }, + "client": { + "$ref": "#/components/schemas/oAuth2Client" + }, + "oidc_context": { + "$ref": "#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext" + }, + "request_url": { + "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", + "type": "string" + }, + "requested_access_token_audience": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "requested_scope": { + "$ref": "#/components/schemas/StringSliceJSONFormat" + }, + "session_id": { + "description": "SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", + "type": "string" + }, + "skip": { + "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.", + "type": "boolean" + }, + "subject": { + "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type\nwhen accepting the login request, or the request will fail.", + "type": "string" + } + }, + "required": [ + "challenge", + "requested_scope", + "requested_access_token_audience", + "skip", + "subject", + "client", + "request_url" + ], + "title": "Contains information on an ongoing login request.", + "type": "object" + }, + "oAuth2LogoutRequest": { + "properties": { + "challenge": { + "description": "Challenge is the identifier (\"logout challenge\") of the logout authentication request. It is used to\nidentify the session.", + "type": "string" + }, + "client": { + "$ref": "#/components/schemas/oAuth2Client" + }, + "request_url": { + "description": "RequestURL is the original Logout URL requested.", + "type": "string" + }, + "rp_initiated": { + "description": "RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.", + "type": "boolean" + }, + "sid": { + "description": "SessionID is the login session ID that was requested to log out.", + "type": "string" + }, + "subject": { + "description": "Subject is the user for whom the logout was request.", + "type": "string" + } + }, + "title": "Contains information about an ongoing logout request.", + "type": "object" + }, + "oAuth2RedirectTo": { + "description": "Contains a redirect URL used to complete a login, consent, or logout request.", + "properties": { + "redirect_to": { + "description": "RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed.", + "type": "string" + } + }, + "required": [ + "redirect_to" + ], + "title": "OAuth 2.0 Redirect Browser To", + "type": "object" + }, + "oAuth2TokenExchange": { + "description": "OAuth2 Token Exchange Result", + "properties": { + "access_token": { + "description": "The access token issued by the authorization server.", + "type": "string" + }, + "expires_in": { + "description": "The lifetime in seconds of the access token. For\nexample, the value \"3600\" denotes that the access token will\nexpire in one hour from the time the response was generated.", + "format": "int64", + "type": "integer" + }, + "id_token": { + "description": "To retrieve a refresh token request the id_token scope.", + "format": "int64", + "type": "integer" + }, + "refresh_token": { + "description": "The refresh token, which can be used to obtain new\naccess tokens. To retrieve it add the scope \"offline\" to your access token request.", + "type": "string" + }, + "scope": { + "description": "The scope of the access token", + "type": "string" + }, + "token_type": { + "description": "The type of the token issued", + "type": "string" + } + }, + "type": "object" + }, + "oidcConfiguration": { + "description": "Includes links to several endpoints (for example `/oauth2/token`) and exposes information on supported signature algorithms\namong others.", + "properties": { + "authorization_endpoint": { + "description": "OAuth 2.0 Authorization Endpoint URL", + "example": "https://playground.ory.sh/ory-hydra/public/oauth2/auth", + "type": "string" + }, + "backchannel_logout_session_supported": { + "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP\nsession with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP", + "type": "boolean" + }, + "backchannel_logout_supported": { + "description": "OpenID Connect Back-Channel Logout Supported\n\nBoolean value specifying whether the OP supports back-channel logout, with true indicating support.", + "type": "boolean" + }, + "claims_parameter_supported": { + "description": "OpenID Connect Claims Parameter Parameter Supported\n\nBoolean value specifying whether the OP supports use of the claims parameter, with true indicating support.", + "type": "boolean" + }, + "claims_supported": { + "description": "OpenID Connect Supported Claims\n\nJSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply\nvalues for. Note that for privacy or other reasons, this might not be an exhaustive list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "code_challenge_methods_supported": { + "description": "OAuth 2.0 PKCE Supported Code Challenge Methods\n\nJSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported\nby this authorization server.", + "items": { + "type": "string" + }, + "type": "array" + }, + "credentials_endpoint_draft_00": { + "description": "OpenID Connect Verifiable Credentials Endpoint\n\nContains the URL of the Verifiable Credentials Endpoint.", + "type": "string" + }, + "credentials_supported_draft_00": { + "description": "OpenID Connect Verifiable Credentials Supported\n\nJSON array containing a list of the Verifiable Credentials supported by this authorization server.", + "items": { + "$ref": "#/components/schemas/credentialSupportedDraft00" + }, + "type": "array" + }, + "end_session_endpoint": { + "description": "OpenID Connect End-Session Endpoint\n\nURL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.", + "type": "string" + }, + "frontchannel_logout_session_supported": { + "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify\nthe RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also\nincluded in ID Tokens issued by the OP.", + "type": "boolean" + }, + "frontchannel_logout_supported": { + "description": "OpenID Connect Front-Channel Logout Supported\n\nBoolean value specifying whether the OP supports HTTP-based logout, with true indicating support.", + "type": "boolean" + }, + "grant_types_supported": { + "description": "OAuth 2.0 Supported Grant Types\n\nJSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.", + "items": { + "type": "string" + }, + "type": "array" + }, + "id_token_signed_response_alg": { + "description": "OpenID Connect Default ID Token Signing Algorithms\n\nAlgorithm used to sign OpenID Connect ID Tokens.", + "items": { + "type": "string" + }, + "type": "array" + }, + "id_token_signing_alg_values_supported": { + "description": "OpenID Connect Supported ID Token Signing Algorithms\n\nJSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.", + "items": { + "type": "string" + }, + "type": "array" + }, + "issuer": { + "description": "OpenID Connect Issuer URL\n\nAn URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.", + "example": "https://playground.ory.sh/ory-hydra/public/", + "type": "string" + }, + "jwks_uri": { + "description": "OpenID Connect Well-Known JSON Web Keys URL\n\nURL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate\nsignatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs\nto encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)\nparameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.\nAlthough some algorithms allow the same key to be used for both signatures and encryption, doing so is\nNOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of\nkeys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.", + "example": "https://{slug}.projects.oryapis.com/.well-known/jwks.json", + "type": "string" + }, + "registration_endpoint": { + "description": "OpenID Connect Dynamic Client Registration Endpoint URL", + "example": "https://playground.ory.sh/ory-hydra/admin/client", + "type": "string" + }, + "request_object_signing_alg_values_supported": { + "description": "OpenID Connect Supported Request Object Signing Algorithms\n\nJSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,\nwhich are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when\nthe Request Object is passed by value (using the request parameter) and when it is passed by reference\n(using the request_uri parameter).", + "items": { + "type": "string" + }, + "type": "array" + }, + "request_parameter_supported": { + "description": "OpenID Connect Request Parameter Supported\n\nBoolean value specifying whether the OP supports use of the request parameter, with true indicating support.", + "type": "boolean" + }, + "request_uri_parameter_supported": { + "description": "OpenID Connect Request URI Parameter Supported\n\nBoolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.", + "type": "boolean" + }, + "require_request_uri_registration": { + "description": "OpenID Connect Requires Request URI Registration\n\nBoolean value specifying whether the OP requires any request_uri values used to be pre-registered\nusing the request_uris registration parameter.", + "type": "boolean" + }, + "response_modes_supported": { + "description": "OAuth 2.0 Supported Response Modes\n\nJSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.", + "items": { + "type": "string" + }, + "type": "array" + }, + "response_types_supported": { + "description": "OAuth 2.0 Supported Response Types\n\nJSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID\nProviders MUST support the code, id_token, and the token id_token Response Type values.", + "items": { + "type": "string" + }, + "type": "array" + }, + "revocation_endpoint": { + "description": "OAuth 2.0 Token Revocation URL\n\nURL of the authorization server's OAuth 2.0 revocation endpoint.", + "type": "string" + }, + "scopes_supported": { + "description": "OAuth 2.0 Supported Scope Values\n\nJSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST\nsupport the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used", + "items": { + "type": "string" + }, + "type": "array" + }, + "subject_types_supported": { + "description": "OpenID Connect Supported Subject Types\n\nJSON array containing a list of the Subject Identifier types that this OP supports. Valid types include\npairwise and public.", + "items": { + "type": "string" + }, + "type": "array" + }, + "token_endpoint": { + "description": "OAuth 2.0 Token Endpoint URL", + "example": "https://playground.ory.sh/ory-hydra/public/oauth2/token", + "type": "string" + }, + "token_endpoint_auth_methods_supported": { + "description": "OAuth 2.0 Supported Client Authentication Methods\n\nJSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_endpoint": { + "description": "OpenID Connect Userinfo URL\n\nURL of the OP's UserInfo Endpoint.", + "type": "string" + }, + "userinfo_signed_response_alg": { + "description": "OpenID Connect User Userinfo Signing Algorithm\n\nAlgorithm used to sign OpenID Connect Userinfo Responses.", + "items": { + "type": "string" + }, + "type": "array" + }, + "userinfo_signing_alg_values_supported": { + "description": "OpenID Connect Supported Userinfo Signing Algorithm\n\nJSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "issuer", + "authorization_endpoint", + "token_endpoint", + "jwks_uri", + "subject_types_supported", + "response_types_supported", + "id_token_signing_alg_values_supported", + "id_token_signed_response_alg", + "userinfo_signed_response_alg" + ], + "title": "OpenID Connect Discovery Metadata", + "type": "object" + }, + "oidcUserInfo": { + "description": "OpenID Connect Userinfo", + "properties": { + "birthdate": { + "description": "End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.", + "type": "string" + }, + "email": { + "description": "End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.", + "type": "string" + }, + "email_verified": { + "description": "True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.", + "type": "boolean" + }, + "family_name": { + "description": "Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.", + "type": "string" + }, + "gender": { + "description": "End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.", + "type": "string" + }, + "given_name": { + "description": "Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.", + "type": "string" + }, + "locale": { + "description": "End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.", + "type": "string" + }, + "middle_name": { + "description": "Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.", + "type": "string" + }, + "name": { + "description": "End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.", + "type": "string" + }, + "nickname": { + "description": "Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.", + "type": "string" + }, + "phone_number": { + "description": "End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.", + "type": "string" + }, + "phone_number_verified": { + "description": "True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.", + "type": "boolean" + }, + "picture": { + "description": "URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.", + "type": "string" + }, + "preferred_username": { + "description": "Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.", + "type": "string" + }, + "profile": { + "description": "URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.", + "type": "string" + }, + "sub": { + "description": "Subject - Identifier for the End-User at the IssuerURL.", + "type": "string" + }, + "updated_at": { + "description": "Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.", + "format": "int64", + "type": "integer" + }, + "website": { + "description": "URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.", + "type": "string" + }, + "zoneinfo": { + "description": "String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.", + "type": "string" + } + }, + "type": "object" + }, + "pagination": { + "properties": { + "page_size": { + "default": 250, + "description": "Items per page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "format": "int64", + "maximum": 1000, + "minimum": 1, + "type": "integer" + }, + "page_token": { + "default": "1", + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "minimum": 1, + "type": "string" + } + }, + "type": "object" + }, + "paginationHeaders": { + "properties": { + "link": { + "description": "The link header contains pagination links.\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).\n\nin: header", + "type": "string" + }, + "x-total-count": { + "description": "The total number of clients.\n\nin: header", + "type": "string" + } + }, + "type": "object" + }, + "rejectOAuth2Request": { + "properties": { + "error": { + "description": "The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).\n\nDefaults to `request_denied`.", + "type": "string" + }, + "error_debug": { + "description": "Debug contains information to help resolve the problem as a developer. Usually not exposed\nto the public but only in the server logs.", + "type": "string" + }, + "error_description": { + "description": "Description of the error in a human readable format.", + "type": "string" + }, + "error_hint": { + "description": "Hint to help resolve the error.", + "type": "string" + }, + "status_code": { + "description": "Represents the HTTP status code of the error (e.g. 401 or 403)\n\nDefaults to 400", + "format": "int64", + "type": "integer" + } + }, + "title": "The request payload used to accept a login or consent request.", + "type": "object" + }, + "tokenPagination": { + "properties": { + "page_size": { + "default": 250, + "description": "Items per page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "format": "int64", + "maximum": 1000, + "minimum": 1, + "type": "integer" + }, + "page_token": { + "default": "1", + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "minimum": 1, + "type": "string" + } + }, + "type": "object" + }, + "tokenPaginationHeaders": { + "properties": { + "link": { + "description": "The link header contains pagination links.\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).\n\nin: header", + "type": "string" + }, + "x-total-count": { + "description": "The total number of clients.\n\nin: header", + "type": "string" + } + }, + "type": "object" + }, + "tokenPaginationRequestParameters": { + "description": "The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:\n`\u003chttps://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}\u0026page_token={offset}\u003e; rel=\"{page}\"`\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "properties": { + "page_size": { + "default": 250, + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "format": "int64", + "maximum": 500, + "minimum": 1, + "type": "integer" + }, + "page_token": { + "default": "1", + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "minimum": 1, + "type": "string" + } + }, + "title": "Pagination Request Parameters", + "type": "object" + }, + "tokenPaginationResponseHeaders": { + "description": "The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:\n`\u003chttps://{project-slug}.projects.oryapis.com/admin/clients?page_size={limit}\u0026page_token={offset}\u003e; rel=\"{page}\"`\n\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "properties": { + "link": { + "description": "The Link HTTP Header\n\nThe `Link` header contains a comma-delimited list of links to the following pages:\n\nfirst: The first page of results.\nnext: The next page of results.\nprev: The previous page of results.\nlast: The last page of results.\n\nPages are omitted if they do not exist. For example, if there is no next page, the `next` link is omitted. Examples:\n\n\u003c/clients?page_size=5\u0026page_token=0\u003e; rel=\"first\",\u003c/clients?page_size=5\u0026page_token=15\u003e; rel=\"next\",\u003c/clients?page_size=5\u0026page_token=5\u003e; rel=\"prev\",\u003c/clients?page_size=5\u0026page_token=20\u003e; rel=\"last\"", + "type": "string" + }, + "x-total-count": { + "description": "The X-Total-Count HTTP Header\n\nThe `X-Total-Count` header contains the total number of items in the collection.", + "format": "int64", + "type": "integer" + } + }, + "title": "Pagination Response Header", + "type": "object" + }, + "trustOAuth2JwtGrantIssuer": { + "description": "Trust OAuth2 JWT Bearer Grant Type Issuer Request Body", + "properties": { + "allow_any_subject": { + "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", + "type": "boolean" + }, + "expires_at": { + "description": "The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\".", + "format": "date-time", + "type": "string" + }, + "issuer": { + "description": "The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT).", + "example": "https://jwt-idp.example.com", + "type": "string" + }, + "jwk": { + "$ref": "#/components/schemas/jsonWebKey" + }, + "scope": { + "description": "The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])", + "example": [ + "openid", + "offline" + ], + "items": { + "type": "string" + }, + "type": "array" + }, + "subject": { + "description": "The \"subject\" identifies the principal that is the subject of the JWT.", + "example": "mike@example.com", + "type": "string" + } + }, + "required": [ + "issuer", + "scope", + "jwk", + "expires_at" + ], + "type": "object" + }, + "trustedOAuth2JwtGrantIssuer": { + "description": "OAuth2 JWT Bearer Grant Type Issuer Trust Relationship", + "properties": { + "allow_any_subject": { + "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", + "type": "boolean" + }, + "created_at": { + "description": "The \"created_at\" indicates, when grant was created.", + "format": "date-time", + "type": "string" + }, + "expires_at": { + "description": "The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\".", + "format": "date-time", + "type": "string" + }, + "id": { + "example": "9edc811f-4e28-453c-9b46-4de65f00217f", + "type": "string" + }, + "issuer": { + "description": "The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT).", + "example": "https://jwt-idp.example.com", + "type": "string" + }, + "public_key": { + "$ref": "#/components/schemas/trustedOAuth2JwtGrantJsonWebKey" + }, + "scope": { + "description": "The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749])", + "example": [ + "openid", + "offline" + ], + "items": { + "type": "string" + }, + "type": "array" + }, + "subject": { + "description": "The \"subject\" identifies the principal that is the subject of the JWT.", + "example": "mike@example.com", + "type": "string" + } + }, + "type": "object" + }, + "trustedOAuth2JwtGrantIssuers": { + "description": "OAuth2 JWT Bearer Grant Type Issuer Trust Relationships", + "items": { + "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuer" + }, + "type": "array" + }, + "trustedOAuth2JwtGrantJsonWebKey": { + "description": "OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key", + "properties": { + "kid": { + "description": "The \"key_id\" is key unique identifier (same as kid header in jws/jwt).", + "example": "123e4567-e89b-12d3-a456-426655440000", + "type": "string" + }, + "set": { + "description": "The \"set\" is basically a name for a group(set) of keys. Will be the same as \"issuer\" in grant.", + "example": "https://jwt-idp.example.com", + "type": "string" + } + }, + "type": "object" + }, + "unexpectedError": { + "type": "string" + }, + "verifiableCredentialPrimingResponse": { + "properties": { + "c_nonce": { + "type": "string" + }, + "c_nonce_expires_in": { + "format": "int64", + "type": "integer" + }, + "error": { + "type": "string" + }, + "error_debug": { + "type": "string" + }, + "error_description": { + "type": "string" + }, + "error_hint": { + "type": "string" + }, + "format": { + "type": "string" + }, + "status_code": { + "format": "int64", + "type": "integer" + } + }, + "title": "VerifiableCredentialPrimingResponse contains the nonce to include in the proof-of-possession JWT.", + "type": "object" + }, + "verifiableCredentialResponse": { + "properties": { + "credential_draft_00": { + "type": "string" + }, + "format": { + "type": "string" + } + }, + "title": "VerifiableCredentialResponse contains the verifiable credential.", + "type": "object" + }, + "version": { + "properties": { + "version": { + "description": "Version is the service's version.", + "type": "string" + } + }, + "type": "object" + } + }, + "securitySchemes": { + "basic": { + "scheme": "basic", + "type": "http" + }, + "bearer": { + "scheme": "bearer", + "type": "http" + }, + "oauth2": { + "flows": { + "authorizationCode": { + "authorizationUrl": "https://hydra.demo.ory.sh/oauth2/auth", + "scopes": { + "offline": "A scope required when requesting refresh tokens (alias for `offline_access`)", + "offline_access": "A scope required when requesting refresh tokens", + "openid": "Request an OpenID Connect ID Token" + }, + "tokenUrl": "https://hydra.demo.ory.sh/oauth2/token" + } + }, + "type": "oauth2" + } + } + }, + "info": { + "contact": { + "email": "hi@ory.sh" + }, + "description": "Documentation for all of Ory Hydra's APIs.\n", + "license": { + "name": "Apache 2.0" + }, + "title": "Ory Hydra API", + "version": "" + }, + "openapi": "3.0.3", + "paths": { + "/.well-known/jwks.json": { + "get": { + "description": "This endpoint returns JSON Web Keys required to verifying OpenID Connect ID Tokens and,\nif enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like\n[node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.", + "operationId": "discoverJsonWebKeys", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKeySet" + } + } + }, + "description": "jsonWebKeySet" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Discover Well-Known JSON Web Keys", + "tags": [ + "wellknown" + ] + } + }, + "/.well-known/openid-configuration": { + "get": { + "description": "A mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.\n\nPopular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others.\nFor a full list of clients go here: https://openid.net/developers/certified/", + "operationId": "discoverOidcConfiguration", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oidcConfiguration" + } + } + }, + "description": "oidcConfiguration" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "OpenID Connect Discovery", + "tags": [ + "oidc" + ] + } + }, + "/admin/clients": { + "get": { + "description": "This endpoint lists all clients in the database, and never returns client secrets.\nAs a default it lists the first 100 clients.", + "operationId": "listOAuth2Clients", + "parameters": [ + { + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_size", + "schema": { + "default": 250, + "format": "int64", + "maximum": 500, + "minimum": 1, + "type": "integer" + } + }, + { + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_token", + "schema": { + "default": "1", + "minimum": 1, + "type": "string" + } + }, + { + "description": "The name of the clients to filter by.", + "in": "query", + "name": "client_name", + "schema": { + "type": "string" + } + }, + { + "description": "The owner of the clients to filter by.", + "in": "query", + "name": "owner", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "$ref": "#/components/responses/listOAuth2Clients" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "summary": "List OAuth 2.0 Clients", + "tags": [ + "oAuth2" + ] + }, + "post": { + "description": "Create a new OAuth 2.0 client. If you pass `client_secret` the secret is used, otherwise a random secret\nis generated. The secret is echoed in the response. It is not possible to retrieve it later on.", + "operationId": "createOAuth2Client", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "OAuth 2.0 Client Request Body", + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "201": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "400": { + "$ref": "#/components/responses/errorOAuth2BadRequest" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "summary": "Create OAuth 2.0 Client", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/clients/{id}": { + "delete": { + "description": "Delete an existing OAuth 2.0 Client by its ID.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.\n\nMake sure that this endpoint is well protected and only callable by first-party components.", + "operationId": "deleteOAuth2Client", + "parameters": [ + { + "description": "The id of the OAuth 2.0 Client.", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "Delete OAuth 2.0 Client", + "tags": [ + "oAuth2" + ] + }, + "get": { + "description": "Get an OAuth 2.0 client by its ID. This endpoint never returns the client secret.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "operationId": "getOAuth2Client", + "parameters": [ + { + "description": "The id of the OAuth 2.0 Client.", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "summary": "Get an OAuth 2.0 Client", + "tags": [ + "oAuth2" + ] + }, + "patch": { + "description": "Patch an existing OAuth 2.0 Client using JSON Patch. If you pass `client_secret`\nthe secret will be updated and returned via the API. This is the\nonly time you will be able to retrieve the client secret, so write it down and keep it safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "operationId": "patchOAuth2Client", + "parameters": [ + { + "description": "The id of the OAuth 2.0 Client.", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonPatchDocument" + } + } + }, + "description": "OAuth 2.0 Client JSON Patch Body", + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "404": { + "$ref": "#/components/responses/errorOAuth2NotFound" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "summary": "Patch OAuth 2.0 Client", + "tags": [ + "oAuth2" + ] + }, + "put": { + "description": "Replaces an existing OAuth 2.0 Client with the payload you send. If you pass `client_secret` the secret is used,\notherwise the existing secret is used.\n\nIf set, the secret is echoed in the response. It is not possible to retrieve it later on.\n\nOAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "operationId": "setOAuth2Client", + "parameters": [ + { + "description": "OAuth 2.0 Client ID", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "OAuth 2.0 Client Request Body", + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "400": { + "$ref": "#/components/responses/errorOAuth2BadRequest" + }, + "404": { + "$ref": "#/components/responses/errorOAuth2NotFound" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "summary": "Set OAuth 2.0 Client", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/clients/{id}/lifespans": { + "put": { + "description": "Set lifespans of different token types issued for this OAuth 2.0 client. Does not modify other fields.", + "operationId": "setOAuth2ClientLifespans", + "parameters": [ + { + "description": "OAuth 2.0 Client ID", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2ClientTokenLifespans" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "Set OAuth2 Client Token Lifespans", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/keys/{set}": { + "delete": { + "description": "Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", + "operationId": "deleteJsonWebKeySet", + "parameters": [ + { + "description": "The JSON Web Key Set", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Delete JSON Web Key Set", + "tags": [ + "jwk" + ] + }, + "get": { + "description": "This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", + "operationId": "getJsonWebKeySet", + "parameters": [ + { + "description": "JSON Web Key Set ID", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKeySet" + } + } + }, + "description": "jsonWebKeySet" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Retrieve a JSON Web Key Set", + "tags": [ + "jwk" + ] + }, + "post": { + "description": "This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", + "operationId": "createJsonWebKeySet", + "parameters": [ + { + "description": "The JSON Web Key Set ID", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/createJsonWebKeySet" + } + } + }, + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "201": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKeySet" + } + } + }, + "description": "jsonWebKeySet" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Create JSON Web Key", + "tags": [ + "jwk" + ] + }, + "put": { + "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", + "operationId": "setJsonWebKeySet", + "parameters": [ + { + "description": "The JSON Web Key Set ID", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKeySet" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKeySet" + } + } + }, + "description": "jsonWebKeySet" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Update a JSON Web Key Set", + "tags": [ + "jwk" + ] + } + }, + "/admin/keys/{set}/{kid}": { + "delete": { + "description": "Use this endpoint to delete a single JSON Web Key.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A\nJWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses\nthis functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens),\nand allows storing user-defined keys as well.", + "operationId": "deleteJsonWebKey", + "parameters": [ + { + "description": "The JSON Web Key Set", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + }, + { + "description": "The JSON Web Key ID (kid)", + "in": "path", + "name": "kid", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Delete JSON Web Key", + "tags": [ + "jwk" + ] + }, + "get": { + "description": "This endpoint returns a singular JSON Web Key contained in a set. It is identified by the set and the specific key ID (kid).", + "operationId": "getJsonWebKey", + "parameters": [ + { + "description": "JSON Web Key Set ID", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + }, + { + "description": "JSON Web Key ID", + "in": "path", + "name": "kid", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKeySet" + } + } + }, + "description": "jsonWebKeySet" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Get JSON Web Key", + "tags": [ + "jwk" + ] + }, + "put": { + "description": "Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.", + "operationId": "setJsonWebKey", + "parameters": [ + { + "description": "The JSON Web Key Set ID", + "in": "path", + "name": "set", + "required": true, + "schema": { + "type": "string" + } + }, + { + "description": "JSON Web Key ID", + "in": "path", + "name": "kid", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKey" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/jsonWebKey" + } + } + }, + "description": "jsonWebKey" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Set JSON Web Key", + "tags": [ + "jwk" + ] + } + }, + "/admin/oauth2/auth/requests/consent": { + "get": { + "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted\nor rejected the request.\n\nThe default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please\nhead over to the OAuth 2.0 documentation.", + "operationId": "getOAuth2ConsentRequest", + "parameters": [ + { + "description": "OAuth 2.0 Consent Request Challenge", + "in": "query", + "name": "consent_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2ConsentRequest" + } + } + }, + "description": "oAuth2ConsentRequest" + }, + "410": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Get OAuth 2.0 Consent Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/consent/accept": { + "put": { + "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted\nor rejected the request.\n\nThis endpoint tells Ory that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider includes additional information, such as session data for access and ID tokens, and if the\nconsent request should be used as basis for future requests.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.\n\nThe default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please\nhead over to the OAuth 2.0 documentation.", + "operationId": "acceptOAuth2ConsentRequest", + "parameters": [ + { + "description": "OAuth 2.0 Consent Request Challenge", + "in": "query", + "name": "consent_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/acceptOAuth2ConsentRequest" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Accept OAuth 2.0 Consent Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/consent/reject": { + "put": { + "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if\nthe OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.\n\nThe consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent\nprovider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted\nor rejected the request.\n\nThis endpoint tells Ory that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf.\nThe consent provider must include a reason why the consent was not granted.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.\n\nThe default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please\nhead over to the OAuth 2.0 documentation.", + "operationId": "rejectOAuth2ConsentRequest", + "parameters": [ + { + "description": "OAuth 2.0 Consent Request Challenge", + "in": "query", + "name": "consent_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/rejectOAuth2Request" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Reject OAuth 2.0 Consent Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/login": { + "get": { + "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell the Ory OAuth2 Service about it.\n\nPer default, the login provider is Ory itself. You may use a different login provider which needs to be a web-app\nyou write and host, and it must be able to authenticate (\"show the subject a login screen\")\na subject (in OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.", + "operationId": "getOAuth2LoginRequest", + "parameters": [ + { + "description": "OAuth 2.0 Login Request Challenge", + "in": "query", + "name": "login_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2LoginRequest" + } + } + }, + "description": "oAuth2LoginRequest" + }, + "410": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Get OAuth 2.0 Login Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/login/accept": { + "put": { + "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell the Ory OAuth2 Service about it.\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells Ory that the subject has successfully authenticated and includes additional information such as\nthe subject's ID and if Ory should remember the subject's subject agent for future authentication attempts by setting\na cookie.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.", + "operationId": "acceptOAuth2LoginRequest", + "parameters": [ + { + "description": "OAuth 2.0 Login Request Challenge", + "in": "query", + "name": "login_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/acceptOAuth2LoginRequest" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Accept OAuth 2.0 Login Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/login/reject": { + "put": { + "description": "When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider\nto authenticate the subject and then tell the Ory OAuth2 Service about it.\n\nThe authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login\nprovider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.\n\nThis endpoint tells Ory that the subject has not authenticated and includes a reason why the authentication\nwas denied.\n\nThe response contains a redirect URL which the login provider should redirect the user-agent to.", + "operationId": "rejectOAuth2LoginRequest", + "parameters": [ + { + "description": "OAuth 2.0 Login Request Challenge", + "in": "query", + "name": "login_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/rejectOAuth2Request" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Reject OAuth 2.0 Login Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/logout": { + "get": { + "description": "Use this endpoint to fetch an Ory OAuth 2.0 logout request.", + "operationId": "getOAuth2LogoutRequest", + "parameters": [ + { + "in": "query", + "name": "logout_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2LogoutRequest" + } + } + }, + "description": "oAuth2LogoutRequest" + }, + "410": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Get OAuth 2.0 Session Logout Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/logout/accept": { + "put": { + "description": "When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to confirm that logout request.\n\nThe response contains a redirect URL which the consent provider should redirect the user-agent to.", + "operationId": "acceptOAuth2LogoutRequest", + "parameters": [ + { + "description": "OAuth 2.0 Logout Request Challenge", + "in": "query", + "name": "logout_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2RedirectTo" + } + } + }, + "description": "oAuth2RedirectTo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Accept OAuth 2.0 Session Logout Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/requests/logout/reject": { + "put": { + "description": "When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to deny that logout request.\nNo HTTP request body is required.\n\nThe response is empty as the logout provider has to chose what action to perform next.", + "operationId": "rejectOAuth2LogoutRequest", + "parameters": [ + { + "in": "query", + "name": "logout_challenge", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Reject OAuth 2.0 Session Logout Request", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/sessions/consent": { + "delete": { + "description": "This endpoint revokes a subject's granted consent sessions and invalidates all\nassociated OAuth 2.0 Access Tokens. You may also only revoke sessions for a specific OAuth 2.0 Client ID.", + "operationId": "revokeOAuth2ConsentSessions", + "parameters": [ + { + "description": "OAuth 2.0 Consent Subject\n\nThe subject whose consent sessions should be deleted.", + "in": "query", + "name": "subject", + "required": true, + "schema": { + "type": "string" + } + }, + { + "description": "OAuth 2.0 Client ID\n\nIf set, deletes only those consent sessions that have been granted to the specified OAuth 2.0 Client ID.", + "in": "query", + "name": "client", + "schema": { + "type": "string" + } + }, + { + "description": "Revoke All Consent Sessions\n\nIf set to `true` deletes all consent sessions by the Subject that have been granted.", + "in": "query", + "name": "all", + "schema": { + "type": "boolean" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Revoke OAuth 2.0 Consent Sessions of a Subject", + "tags": [ + "oAuth2" + ] + }, + "get": { + "description": "This endpoint lists all subject's granted consent sessions, including client and granted scope.\nIf the subject is unknown or has not granted any consent sessions yet, the endpoint returns an\nempty JSON array with status code 200 OK.", + "operationId": "listOAuth2ConsentSessions", + "parameters": [ + { + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_size", + "schema": { + "default": 250, + "format": "int64", + "maximum": 500, + "minimum": 1, + "type": "integer" + } + }, + { + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "in": "query", + "name": "page_token", + "schema": { + "default": "1", + "minimum": 1, + "type": "string" + } + }, + { + "description": "The subject to list the consent sessions for.", + "in": "query", + "name": "subject", + "required": true, + "schema": { + "type": "string" + } + }, + { + "description": "The login session id to list the consent sessions for.", + "in": "query", + "name": "login_session_id", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2ConsentSessions" + } + } + }, + "description": "oAuth2ConsentSessions" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "List OAuth 2.0 Consent Sessions of a Subject", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/auth/sessions/login": { + "delete": { + "description": "This endpoint invalidates authentication sessions. After revoking the authentication session(s), the subject\nhas to re-authenticate at the Ory OAuth2 Provider. This endpoint does not invalidate any tokens.\n\nIf you send the subject in a query param, all authentication sessions that belong to that subject are revoked.\nNo OpennID Connect Front- or Back-channel logout is performed in this case.\n\nAlternatively, you can send a SessionID via `sid` query param, in which case, only the session that is connected\nto that SessionID is revoked. OpenID Connect Back-channel logout is performed in this case.", + "operationId": "revokeOAuth2LoginSessions", + "parameters": [ + { + "description": "OAuth 2.0 Subject\n\nThe subject to revoke authentication sessions for.", + "in": "query", + "name": "subject", + "schema": { + "type": "string" + } + }, + { + "description": "OAuth 2.0 Subject\n\nThe subject to revoke authentication sessions for.", + "in": "query", + "name": "sid", + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/introspect": { + "post": { + "description": "The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token\nis neither expired nor revoked. If a token is active, additional information on the token will be included. You can\nset additional data for a token by setting `session.access_token` during the consent flow.", + "operationId": "introspectOAuth2Token", + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "properties": { + "scope": { + "description": "An optional, space separated list of required scopes. If the access token was not granted one of the\nscopes, the result of active will be false.", + "type": "string", + "x-formData-name": "scope" + }, + "token": { + "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0. For refresh tokens, this is the \"refresh_token\"\nvalue returned.", + "required": [ + "token" + ], + "type": "string", + "x-formData-name": "token" + } + }, + "required": [ + "token" + ], + "type": "object" + } + } + } + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/introspectedOAuth2Token" + } + } + }, + "description": "introspectedOAuth2Token" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Introspect OAuth2 Access and Refresh Tokens", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/oauth2/tokens": { + "delete": { + "description": "This endpoint deletes OAuth2 access tokens issued to an OAuth 2.0 Client from the database.", + "operationId": "deleteOAuth2Token", + "parameters": [ + { + "description": "OAuth 2.0 Client ID", + "in": "query", + "name": "client_id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/trust/grants/jwt-bearer/issuers": { + "get": { + "description": "Use this endpoint to list all trusted JWT Bearer Grant Type Issuers.", + "operationId": "listTrustedOAuth2JwtGrantIssuers", + "parameters": [ + { + "in": "query", + "name": "MaxItems", + "schema": { + "format": "int64", + "type": "integer" + } + }, + { + "in": "query", + "name": "DefaultItems", + "schema": { + "format": "int64", + "type": "integer" + } + }, + { + "description": "If optional \"issuer\" is supplied, only jwt-bearer grants with this issuer will be returned.", + "in": "query", + "name": "issuer", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuers" + } + } + }, + "description": "trustedOAuth2JwtGrantIssuers" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "List Trusted OAuth2 JWT Bearer Grant Type Issuers", + "tags": [ + "oAuth2" + ] + }, + "post": { + "description": "Use this endpoint to establish a trust relationship for a JWT issuer\nto perform JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication\nand Authorization Grants [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).", + "operationId": "trustOAuth2JwtGrantIssuer", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/trustOAuth2JwtGrantIssuer" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "201": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuer" + } + } + }, + "description": "trustedOAuth2JwtGrantIssuer" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "Trust OAuth2 JWT Bearer Grant Type Issuer", + "tags": [ + "oAuth2" + ] + } + }, + "/admin/trust/grants/jwt-bearer/issuers/{id}": { + "delete": { + "description": "Use this endpoint to delete trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you\ncreated the trust relationship.\n\nOnce deleted, the associated issuer will no longer be able to perform the JSON Web Token (JWT) Profile\nfor OAuth 2.0 Client Authentication and Authorization Grant.", + "operationId": "deleteTrustedOAuth2JwtGrantIssuer", + "parameters": [ + { + "description": "The id of the desired grant", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "Delete Trusted OAuth2 JWT Bearer Grant Type Issuer", + "tags": [ + "oAuth2" + ] + }, + "get": { + "description": "Use this endpoint to get a trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you\ncreated the trust relationship.", + "operationId": "getTrustedOAuth2JwtGrantIssuer", + "parameters": [ + { + "description": "The id of the desired grant", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/trustedOAuth2JwtGrantIssuer" + } + } + }, + "description": "trustedOAuth2JwtGrantIssuer" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "Get Trusted OAuth2 JWT Bearer Grant Type Issuer", + "tags": [ + "oAuth2" + ] + } + }, + "/credentials": { + "post": { + "description": "This endpoint creates a verifiable credential that attests that the user\nauthenticated with the provided access token owns a certain public/private key\npair.\n\nMore information can be found at\nhttps://openid.net/specs/openid-connect-userinfo-vc-1_0.html.", + "operationId": "createVerifiableCredential", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/CreateVerifiableCredentialRequestBody" + } + } + }, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/verifiableCredentialResponse" + } + } + }, + "description": "verifiableCredentialResponse" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/verifiableCredentialPrimingResponse" + } + } + }, + "description": "verifiableCredentialPrimingResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "Issues a Verifiable Credential", + "tags": [ + "oidc" + ] + } + }, + "/health/alive": { + "get": { + "description": "This endpoint returns a HTTP 200 status code when Ory Hydra is accepting incoming\nHTTP requests. This status does currently not include checks whether the database connection is working.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the health status will never\nrefer to the cluster state, only to a single instance.", + "operationId": "isAlive", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/healthStatus" + } + } + }, + "description": "Ory Hydra is ready to accept connections." + }, + "500": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "summary": "Check HTTP Server Status", + "tags": [ + "metadata" + ] + } + }, + "/health/ready": { + "get": { + "description": "This endpoint returns a HTTP 200 status code when Ory Hydra is up running and the environment dependencies (e.g.\nthe database) are responsive as well.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of Ory Hydra, the health status will never\nrefer to the cluster state, only to a single instance.", + "operationId": "isReady", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "properties": { + "status": { + "description": "Always \"ok\".", + "type": "string" + } + }, + "type": "object" + } + } + }, + "description": "Ory Hydra is ready to accept requests." + }, + "503": { + "content": { + "application/json": { + "schema": { + "properties": { + "errors": { + "additionalProperties": { + "type": "string" + }, + "description": "Errors contains a list of errors that caused the not ready status.", + "type": "object" + } + }, + "type": "object" + } + } + }, + "description": "Ory Kratos is not yet ready to accept requests." + } + }, + "summary": "Check HTTP Server and Database Status", + "tags": [ + "metadata" + ] + } + }, + "/oauth2/auth": { + "get": { + "description": "Use open source libraries to perform OAuth 2.0 and OpenID Connect\navailable for any programming language. You can find a list of libraries at https://oauth.net/code/\n\nThe Ory SDK is not yet able to this endpoint properly.", + "operationId": "oAuth2Authorize", + "responses": { + "302": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "summary": "OAuth 2.0 Authorize Endpoint", + "tags": [ + "oAuth2" + ] + } + }, + "/oauth2/register": { + "post": { + "description": "This endpoint behaves like the administrative counterpart (`createOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. It can be enabled by an administrator.\n\nPlease note that using this endpoint you are not able to choose the `client_secret` nor the `client_id` as those\nvalues will be server generated when specifying `token_endpoint_auth_method` as `client_secret_basic` or\n`client_secret_post`.\n\nThe `client_secret` will be returned in the response and you will not be able to retrieve it later on.\nWrite the secret down and keep it somewhere safe.", + "operationId": "createOidcDynamicClient", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "Dynamic Client Registration Request Body", + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "201": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "400": { + "$ref": "#/components/responses/errorOAuth2BadRequest" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "summary": "Register OAuth2 Client using OpenID Dynamic Client Registration", + "tags": [ + "oidc" + ] + } + }, + "/oauth2/register/{id}": { + "delete": { + "description": "This endpoint behaves like the administrative counterpart (`deleteOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint\nis disabled by default. It can be enabled by an administrator.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "operationId": "deleteOidcDynamicClient", + "parameters": [ + { + "description": "The id of the OAuth 2.0 Client.", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "204": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/genericError" + } + } + }, + "description": "genericError" + } + }, + "security": [ + { + "bearer": [] + } + ], + "summary": "Delete OAuth 2.0 Client using the OpenID Dynamic Client Registration Management Protocol", + "tags": [ + "oidc" + ] + }, + "get": { + "description": "This endpoint behaves like the administrative counterpart (`getOAuth2Client`) but is capable of facing the\npublic internet directly and can be used in self-service. It implements the OpenID Connect\nDynamic Client Registration Protocol.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.", + "operationId": "getOidcDynamicClient", + "parameters": [ + { + "description": "The id of the OAuth 2.0 Client.", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "security": [ + { + "bearer": [] + } + ], + "summary": "Get OAuth2 Client using OpenID Dynamic Client Registration", + "tags": [ + "oidc" + ] + }, + "put": { + "description": "This endpoint behaves like the administrative counterpart (`setOAuth2Client`) but is capable of facing the\npublic internet directly to be used by third parties. It implements the OpenID Connect\nDynamic Client Registration Protocol.\n\nThis feature is disabled per default. It can be enabled by a system administrator.\n\nIf you pass `client_secret` the secret is used, otherwise the existing secret is used. If set, the secret is echoed in the response.\nIt is not possible to retrieve it later on.\n\nTo use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client\nuses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.\nIf it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "operationId": "setOidcDynamicClient", + "parameters": [ + { + "description": "OAuth 2.0 Client ID", + "in": "path", + "name": "id", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "OAuth 2.0 Client Request Body", + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2Client" + } + } + }, + "description": "oAuth2Client" + }, + "404": { + "$ref": "#/components/responses/errorOAuth2NotFound" + }, + "default": { + "$ref": "#/components/responses/errorOAuth2Default" + } + }, + "security": [ + { + "bearer": [] + } + ], + "summary": "Set OAuth2 Client using OpenID Dynamic Client Registration", + "tags": [ + "oidc" + ] + } + }, + "/oauth2/revoke": { + "post": { + "description": "Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no\nlonger be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.\nRevoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by\nthe client the token was generated for.", + "operationId": "revokeOAuth2Token", + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "properties": { + "client_id": { + "type": "string", + "x-formData-name": "client_id" + }, + "client_secret": { + "type": "string", + "x-formData-name": "client_secret" + }, + "token": { + "required": [ + "token" + ], + "type": "string", + "x-formData-name": "token" + } + }, + "required": [ + "token" + ], + "type": "object" + } + } + } + }, + "responses": { + "200": { + "$ref": "#/components/responses/emptyResponse" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "security": [ + { + "basic": [] + }, + { + "oauth2": [] + } + ], + "summary": "Revoke OAuth 2.0 Access or Refresh Token", + "tags": [ + "oAuth2" + ] + } + }, + "/oauth2/sessions/logout": { + "get": { + "description": "This endpoint initiates and completes user logout at the Ory OAuth2 \u0026 OpenID provider and initiates OpenID Connect Front- / Back-channel logout:\n\nhttps://openid.net/specs/openid-connect-frontchannel-1_0.html\nhttps://openid.net/specs/openid-connect-backchannel-1_0.html\n\nBack-channel logout is performed asynchronously and does not affect logout flow.", + "operationId": "revokeOidcSession", + "responses": { + "302": { + "$ref": "#/components/responses/emptyResponse" + } + }, + "summary": "OpenID Connect Front- and Back-channel Enabled Logout", + "tags": [ + "oidc" + ] + } + }, + "/oauth2/token": { + "post": { + "description": "Use open source libraries to perform OAuth 2.0 and OpenID Connect\navailable for any programming language. You can find a list of libraries here https://oauth.net/code/\n\nThe Ory SDK is not yet able to this endpoint properly.", + "operationId": "oauth2TokenExchange", + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "properties": { + "client_id": { + "type": "string", + "x-formData-name": "client_id" + }, + "code": { + "type": "string", + "x-formData-name": "code" + }, + "grant_type": { + "required": [ + "grant_type" + ], + "type": "string", + "x-formData-name": "grant_type" + }, + "redirect_uri": { + "type": "string", + "x-formData-name": "redirect_uri" + }, + "refresh_token": { + "type": "string", + "x-formData-name": "refresh_token" + } + }, + "required": [ + "grant_type" + ], + "type": "object" + } + } + } + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oAuth2TokenExchange" + } + } + }, + "description": "oAuth2TokenExchange" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "security": [ + { + "basic": [] + }, + { + "oauth2": [] + } + ], + "summary": "The OAuth 2.0 Token Endpoint", + "tags": [ + "oAuth2" + ] + } + }, + "/userinfo": { + "get": { + "description": "This endpoint returns the payload of the ID Token, including `session.id_token` values, of\nthe provided OAuth 2.0 Access Token's consent request.\n\nIn the case of authentication error, a WWW-Authenticate header might be set in the response\nwith more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3)\nfor more details about header format.", + "operationId": "getOidcUserInfo", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/oidcUserInfo" + } + } + }, + "description": "oidcUserInfo" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorOAuth2" + } + } + }, + "description": "errorOAuth2" + } + }, + "security": [ + { + "oauth2": [] + } + ], + "summary": "OpenID Connect Userinfo", + "tags": [ + "oidc" + ] + } + }, + "/version": { + "get": { + "description": "This endpoint returns the version of Ory Hydra.\n\nIf the service supports TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware that if you are running multiple nodes of this service, the version will never\nrefer to the cluster state, only to a single instance.", + "operationId": "getVersion", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "properties": { + "version": { + "description": "The version of Ory Hydra.", + "type": "string" + } + }, + "type": "object" + } + } + }, + "description": "Returns the Ory Hydra version." + } + }, + "summary": "Return Running Software Version.", + "tags": [ + "metadata" + ] + } + } + }, + "tags": [ + { + "description": "OAuth 2.0", + "name": "oAuth2" + }, + { + "description": "OpenID Connect", + "name": "oidc" + }, + { + "description": "JSON Web Keys", + "name": "jwk" + }, + { + "description": "Well-Known Endpoints", + "name": "wellknown" + }, + { + "description": "Service Metadata", + "name": "metadata" + } + ], + "x-forwarded-proto": "string", + "x-request-id": "string" +} \ No newline at end of file