mirror of https://github.com/authelia/authelia.git
4655 lines
178 KiB
YAML
4655 lines
178 KiB
YAML
---
|
|
openapi: 3.1.0
|
|
info:
|
|
title: Authelia API
|
|
description: >
|
|
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single
|
|
sign-on (SSO) for your applications via a web portal.
|
|
contact:
|
|
name: Support
|
|
url: https://www.authelia.com/contact/
|
|
email: team@authelia.com
|
|
license:
|
|
name: Apache 2.0
|
|
url: https://www.apache.org/licenses/LICENSE-2.0
|
|
version: 1.0.0
|
|
servers:
|
|
- url: '{{ .BaseURL }}'
|
|
description: Authelia API
|
|
tags:
|
|
- name: State
|
|
description: Configuration, health and state endpoints
|
|
- name: Authentication
|
|
description: Authentication endpoints
|
|
- name: Authorization
|
|
description: Authorization endpoints
|
|
{{- if .PasswordReset }}
|
|
- name: Password Reset
|
|
description: Password reset endpoints
|
|
- name: User Information
|
|
description: User configuration endpoints
|
|
{{- end }}
|
|
{{- if (or .TOTP .WebAuthn .Duo) }}
|
|
- name: Second Factor
|
|
description: TOTP, WebAuthn and Duo endpoints
|
|
externalDocs:
|
|
url: https://www.authelia.com/configuration/second-factor/introduction/
|
|
{{- end }}
|
|
{{- if .OpenIDConnect }}
|
|
- name: OpenID Connect 1.0
|
|
description: OpenID Connect 1.0 and OAuth 2.0 Endpoints
|
|
externalDocs:
|
|
url: https://www.authelia.com/integration/openid-connect/introduction/
|
|
{{- end }}
|
|
paths:
|
|
/api/configuration:
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: Application Configuration
|
|
description: >
|
|
The configuration endpoint provides detailed information including available second factor methods, if any
|
|
second factor policies exist and the TOTP period configuration.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.configuration.ConfigurationBody'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/configuration/password-policy:
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: Password Policy Configuration
|
|
description: >
|
|
The password policy configuration endpoint provides a password policy for resetting passwords.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody'
|
|
/api/health:
|
|
head:
|
|
tags:
|
|
- State
|
|
summary: Application Health
|
|
description: The health check endpoint provides information about the health of Authelia.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: Application Health
|
|
description: The health check endpoint provides information about the health of Authelia.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
/api/state:
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: User Application State
|
|
description: >
|
|
The state endpoint provides detailed information including the user, current authenticate level and Authelia's
|
|
configured default redirection URL.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.StateResponse'
|
|
{{- $app := "" }}{{ if .Domain }}{{ $app = printf "https://%s/" .Domain }}{{ else if .BaseURL }}{{ $app = .BaseURL }}{{ else }}{{ $app = "https://app.example.com" }}{{ end }}
|
|
{{- $redir := printf "%s?rd=%s&rm=GET" (.BaseURL | default "https://auth.example.com/") (urlquery $app) }}
|
|
{{- range $name, $config := .EndpointsAuthz }}
|
|
{{- $uri := printf "/api/authz/%s" $name }}
|
|
{{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
|
|
{{ $uri }}:
|
|
{{- if (eq $config.Implementation "Legacy") }}
|
|
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (Legacy)
|
|
description: >
|
|
The legacy authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified domain with several proxies. It's generally recommended users use a proxy
|
|
specific endpoint instead.
|
|
parameters:
|
|
- name: X-Original-URL
|
|
in: header
|
|
description: Redirection URL
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
- $ref: '#/components/parameters/forwardedMethodParam'
|
|
- name: X-Forwarded-Proto
|
|
in: header
|
|
description: Redirection URL (Scheme / Protocol)
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: 'https'
|
|
schema:
|
|
type: string
|
|
- name: X-Forwarded-Host
|
|
in: header
|
|
description: Redirection URL (Host)
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '{{ $.Domain | default "example.com" }}'
|
|
schema:
|
|
type: string
|
|
- name: X-Forwarded-URI
|
|
in: header
|
|
description: Redirection URL (URI)
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '/path/example'
|
|
schema:
|
|
type: string
|
|
- $ref: '#/components/parameters/forwardedForParam'
|
|
- $ref: '#/components/parameters/authParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"302":
|
|
description: Found
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"401":
|
|
description: Unauthorized
|
|
headers:
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- else if (eq $config.Implementation "ExtAuthz") }}
|
|
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (ExtAuthz)
|
|
description: >
|
|
The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified resource with the Envoy proxy.
|
|
parameters:
|
|
- $ref: '#/components/parameters/forwardedMethodParam'
|
|
- $ref: '#/components/parameters/forwardedHostParam'
|
|
- $ref: '#/components/parameters/forwardedURIParam'
|
|
- $ref: '#/components/parameters/forwardedForParam'
|
|
- $ref: '#/components/parameters/autheliaURLParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"302":
|
|
description: Found
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"400":
|
|
description: Bad Request
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- else if (eq $config.Implementation "ForwardAuth") }}
|
|
{{- range $method := list "get" "head" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (ForwardAuth)
|
|
description: >
|
|
The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies.
|
|
parameters:
|
|
- $ref: '#/components/parameters/forwardedMethodParam'
|
|
- $ref: '#/components/parameters/forwardedHostParam'
|
|
- $ref: '#/components/parameters/forwardedURIParam'
|
|
- $ref: '#/components/parameters/forwardedForParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"302":
|
|
description: Found
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"400":
|
|
description: Bad Request
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- else if (eq $config.Implementation "AuthRequest") }}
|
|
{{- range $method := list "get" "head" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (AuthRequest)
|
|
description: >
|
|
The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies.
|
|
parameters:
|
|
- $ref: '#/components/parameters/originalMethodParam'
|
|
- $ref: '#/components/parameters/originalURLParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"400":
|
|
description: Bad Request
|
|
"401":
|
|
description: Unauthorized
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
schema:
|
|
type: string
|
|
format: uri
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
/api/firstfactor:
|
|
post:
|
|
tags:
|
|
- Authentication
|
|
summary: Login
|
|
description: >
|
|
The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.bodyFirstFactorRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/checks/safe-redirection:
|
|
post:
|
|
tags:
|
|
- Authentication
|
|
summary: Check whether URI is safe to redirect to.
|
|
description: >
|
|
End users usually needs to be redirected to a target website after authentication. This endpoint aims to check
|
|
if target URL is safe to redirect to. This prevents open redirect attacks.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/logout:
|
|
post:
|
|
tags:
|
|
- Authentication
|
|
summary: Logout
|
|
description: The logout endpoint allows a user to logout and destroy a session.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.logoutRequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.logoutResponseBody'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- if .PasswordReset }}
|
|
/api/reset-password/identity/start:
|
|
post:
|
|
tags:
|
|
- Password Reset
|
|
summary: Identity Verification Token Creation
|
|
description: >
|
|
This endpoint is step 1 of 3 in the password reset process.
|
|
|
|
It validates the user session and sends the user an email with a token and a link to reset their password. This
|
|
step also generates a session cookie for the rest of the process.
|
|
|
|
The same session cookie must be used for all steps in this process.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/reset-password/identity/finish:
|
|
post:
|
|
tags:
|
|
- Password Reset
|
|
summary: Identity Verification Token Validation
|
|
description: >
|
|
This endpoint is step 2 of 3 in the password reset process.
|
|
|
|
It validates the user session and reset token.
|
|
|
|
The same session cookie must be used for all steps in this process.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/reset-password:
|
|
post:
|
|
tags:
|
|
- Password Reset
|
|
summary: Password Reset
|
|
description: >
|
|
The password reset endpoint validates the user session and changes the password.
|
|
The same session cookie must be used for all steps in this process.
|
|
|
|
This endpoint is step 3 of 3 in the password reset process.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
security:
|
|
- authelia_auth: []
|
|
delete:
|
|
tags:
|
|
- Password Reset
|
|
summary: Password Reset
|
|
description: >
|
|
The password reset endpoint revokes a JWT associated with a password reset
|
|
operation.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.PasswordResetBodyDELETE'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.API'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
/api/user/info:
|
|
get:
|
|
tags:
|
|
- User Information
|
|
summary: User Configuration
|
|
description: >
|
|
The user info endpoint provides detailed information including a users display name, preferred and registered
|
|
second factor method(s).
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfo'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- User Information
|
|
summary: User Configuration
|
|
description: >
|
|
The user info endpoint provides detailed information including a users display name, preferred and registered
|
|
second factor method(s). The POST method also ensures the preferred method is configured correctly.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfo'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/user/info/2fa_method:
|
|
post:
|
|
tags:
|
|
- User Information
|
|
summary: User Configuration
|
|
description: The user info 2fa_method endpoint sets the users preferred second factor method.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfo.MethodBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/user/session/elevation:
|
|
get:
|
|
tags:
|
|
- User Elevation
|
|
summary: User Session Elevation
|
|
description: >
|
|
The user session elevation endpoint returns information indicating if the current
|
|
user session has elevated privileges from identity verification.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.ElevationStatus.Response'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- User Elevation
|
|
summary: User Session Elevation
|
|
description: >
|
|
The user session elevation endpoint generates a new One-Time Code for the purpose
|
|
of elevating a user session. The One-Time Code is sent to a users email.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.ElevationVerify.Request'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
put:
|
|
tags:
|
|
- User Elevation
|
|
summary: User Session Elevation
|
|
description: >
|
|
The user session elevation endpoint verifies and consumes a One-Time Code, and
|
|
configures the session elevation.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.ElevationStart.Response'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/user/session/elevation/{id}:
|
|
delete:
|
|
tags:
|
|
- User Elevation
|
|
summary: User Session Elevation
|
|
description: >
|
|
The user session elevation endpoint deletes a pending One-Time Code from the
|
|
database so that it can't be used. This can be invoked by a user either by cancelling the One-Time Code window
|
|
or via the revoke link in the generated email.
|
|
parameters:
|
|
- in: path
|
|
name: id
|
|
description: The Delete ID of the pending User Session Elevation.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.API'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- if .TOTP }}
|
|
/api/secondfactor/totp/register:
|
|
get:
|
|
tags:
|
|
- Second Factor
|
|
summary: TOTP Configuration Register
|
|
description: >
|
|
The TOTP register endpoint provides information important for registering the TOTP
|
|
configuration for the user. This endpoint only returns information used for this same endpoint when utilizing
|
|
the PUT method verb.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.TOTPOptions'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
put:
|
|
tags:
|
|
- Second Factor
|
|
summary: TOTP Configuration Register
|
|
description: >
|
|
The TOTP register endpoint creates a temporary TOTP configuration which must then
|
|
be validated by the user using the POST method verb variant of this endpoint. Without validation the TOTP
|
|
configuration is not committed to the database and is instead temporarily stored in the session backend. This
|
|
action can also be followed by using the DELETE method verb for the same endpoint which will delete the
|
|
temporary configuration from the session.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.TOTPRegisterStartRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.TOTPRegisterStartResponse'
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: TOTP Configuration Register
|
|
description: >
|
|
The TOTP register endpoint provides the validation step for the endpoint where the
|
|
user provides the TOTP configuration generated token. If successful the configuration is saved to the database.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.TOTPRegisterFinishRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
delete:
|
|
tags:
|
|
- Second Factor
|
|
summary: TOTP Configuration Register
|
|
description: >
|
|
The TOTP register endpoint removes the temporary TOTP configuration from the
|
|
session. It does NOT affect the TOTP configuration saved to the database.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/totp:
|
|
get:
|
|
tags:
|
|
- Second Factor
|
|
summary: TOTP Configuration
|
|
description: >
|
|
The TOTP endpoint provides information necessary to display the TOTP component to
|
|
validate their TOTP input such as the period and number of digits.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.TOTPConfiguration'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"404":
|
|
description: Not Found
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"500":
|
|
description: Internal Server Error
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - TOTP
|
|
description: >
|
|
The TOTP endpoint performs second factor authentication with a TOTP configuration.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.bodySignTOTPRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
delete:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - TOTP
|
|
description: >
|
|
The TOTP endpoint deletes the TOTP configuration for the user from the database.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- if .WebAuthn }}
|
|
/api/secondfactor/webauthn:
|
|
get:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - WebAuthn
|
|
description: >
|
|
The WebAuthn endpoint starts the second factor authentication process with the
|
|
FIDO2 WebAuthn credential.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - WebAuthn
|
|
description: >
|
|
The WebAuthn endpoint completes the second factor authentication process with the
|
|
FIDO2 WebAuthn credential.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: "#/components/schemas/webauthn.CredentialAssertionResponse"
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/webauthn/register:
|
|
put:
|
|
tags:
|
|
- Second Factor
|
|
summary: WebAuthn Credential Registration (Attestation)
|
|
description: >
|
|
The WebAuthn Register endpoint checks the intended description is okay and provides
|
|
the relevant credential creation options, and stores the creation options for a validation via the same endpoint
|
|
with the POST method verb.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.RegisterRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions'
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"409":
|
|
description: Conflict
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: WebAuthn Credential Registration (Attestation)
|
|
description: >
|
|
The WebAuthn Register endpoint validates the authenticators response and finalizes
|
|
the WebAuthn registration.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.CredentialAttestationResponse'
|
|
responses:
|
|
"201":
|
|
description: Created
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
delete:
|
|
tags:
|
|
- Second Factor
|
|
summary: WebAuthn Credential Registration (Attestation)
|
|
description: >
|
|
The WebAuthn Register endpoint removes all WebAuthn registration data from the
|
|
session.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/webauthn/credential/{credentialID}:
|
|
put:
|
|
tags:
|
|
- Second Factor
|
|
summary: WebAuthn Credential
|
|
description: >
|
|
The WebAuthn credential endpoint updates the description of the specified WebAuthn
|
|
credential.
|
|
parameters:
|
|
- $ref: '#/components/parameters/credentialID'
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.CredentialUpdateRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"409":
|
|
description: Conflict
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
delete:
|
|
tags:
|
|
- Second Factor
|
|
summary: WebAuthn Credential
|
|
description: >
|
|
The WebAuthn credential endpoint deletes the specified WebAuthn credential from
|
|
the database.
|
|
parameters:
|
|
- $ref: '#/components/parameters/credentialID'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
"403":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.KO'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- if .Duo }}
|
|
/api/secondfactor/duo:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - Duo Mobile Push
|
|
description: This endpoint performs second factor authentication with a Duo Mobile Push.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.bodySignDuoRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/duo_devices:
|
|
get:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - Duo Mobile Push
|
|
description: This endpoint retrieves a users available devices and capabilities from Duo.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.DuoDevicesResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/duo_device:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - Duo Mobile Push
|
|
description: This endpoint updates the users preferred Duo device and method.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.DuoDeviceBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.Response.OK'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- if .OpenIDConnect }}
|
|
/.well-known/openid-configuration:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect Discovery 1.0 Document
|
|
description: >
|
|
This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for
|
|
an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration'
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
/.well-known/oauth-authorization-server:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Authorization Server Metadata
|
|
description: >
|
|
This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
|
|
perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer'
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
/jwks.json:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 JSON Web Key Set Document
|
|
description: >
|
|
This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate
|
|
information from this OpenID Connect 1.0 Provider.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/jose.spec.JWKs'
|
|
/api/oidc/authorization:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Authorization Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 Authorization.
|
|
parameters:
|
|
- in: query
|
|
name: id
|
|
required: false
|
|
description: The OpenID Connect 1.0 consent workflow ID.
|
|
schema:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
|
|
- in: query
|
|
name: scope
|
|
description: The requested scope.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
example: 'openid profile groups'
|
|
- in: query
|
|
name: response_type
|
|
description: The OAuth 2.0 response type.
|
|
required: true
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
- in: query
|
|
name: client_id
|
|
description: The OAuth 2.0 client identifier.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
example: 'app'
|
|
- in: query
|
|
name: redirect_uri
|
|
description: >
|
|
Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI
|
|
values for the Client pre-registered at the OpenID Provider, with the matching performed as described in
|
|
Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use
|
|
the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as
|
|
defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this
|
|
case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback
|
|
into a native application.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
example: 'https://app.{{ .Domain | default "example.com" }}'
|
|
- in: query
|
|
name: state
|
|
description: >
|
|
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request
|
|
Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a
|
|
browser cookie.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
|
|
- in: query
|
|
name: response_mode
|
|
description: >
|
|
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
|
|
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
|
|
the default mode specified for the Response Type.
|
|
required: false
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
- in: query
|
|
name: nonce
|
|
description: >
|
|
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value
|
|
is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be
|
|
present in the nonce values used to prevent attackers from guessing values. For implementation notes, see
|
|
Section 15.5.2.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
|
|
- in: query
|
|
name: display
|
|
description: >
|
|
Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication
|
|
and consent user interface pages to the End-User.
|
|
required: false
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.DisplayType'
|
|
- in: query
|
|
name: prompt
|
|
description: >
|
|
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
|
|
Authorization Server prompts the End-User for reauthentication and consent.
|
|
required: false
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.Prompt'
|
|
- in: query
|
|
name: max_age
|
|
description: >
|
|
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User
|
|
was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to
|
|
actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE
|
|
[OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an
|
|
auth_time Claim Value.
|
|
required: false
|
|
schema:
|
|
type: integer
|
|
example: 3600
|
|
- in: query
|
|
name: ui_locales
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
|
|
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
|
|
"fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region
|
|
designation), followed by English (without a region designation). An error SHOULD NOT result if some or all
|
|
of the requested locales are not supported by the OpenID Provider.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'en-US'
|
|
- in: query
|
|
name: claims_locales
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a
|
|
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT
|
|
result if some or all of the requested locales are not supported by the OpenID Provider.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'en-US'
|
|
- in: query
|
|
name: id_token_hint
|
|
required: false
|
|
description: >
|
|
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the
|
|
End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token
|
|
is logged in or is logged in by the request, then the Authorization Server returns a positive response;
|
|
otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be
|
|
present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the
|
|
server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need
|
|
not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token
|
|
received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the
|
|
signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to
|
|
the Authentication Server using a key that enables the server to decrypt the ID Token, and use the
|
|
re-encrypted ID token as the id_token_hint value.
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: login_hint
|
|
description: >
|
|
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in
|
|
(if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address
|
|
(or other identifier) and then wants to pass that value as a hint to the discovered authorization service.
|
|
It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone
|
|
number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's
|
|
discretion.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: acr_values
|
|
description: >
|
|
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
|
|
specifies the acr values that the Authorization Server is being requested to use for processing this
|
|
Authentication Request, with the values appearing in order of preference. The Authentication Context Class
|
|
satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2.
|
|
The acr Claim is requested as a Voluntary Claim by this parameter.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: claims
|
|
description: >
|
|
Not Supported: The claims parameter value, as specified in Section 5.5.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: registration
|
|
description: >
|
|
Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP
|
|
that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: request
|
|
description: >
|
|
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to
|
|
the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this
|
|
Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only
|
|
supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: code_challenge
|
|
description: >
|
|
RFC7636 Code Challenge.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: code_challenge_method
|
|
required: false
|
|
description: >
|
|
RFC7636 Code Challenge Method. defaults to "plain" if not present in the request.
|
|
Code verifier transformation method is "S256" or "plain".
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
|
|
responses:
|
|
"200":
|
|
description: >
|
|
OK Response. It should be noted that it is not possible to properly describe responses for this endpoint.
|
|
content:
|
|
text/html:
|
|
schema:
|
|
type: string
|
|
description: The Form Post Response Mode content.
|
|
"303":
|
|
description: >
|
|
See Other. It should be noted that it is not possible to properly describe responses for this endpoint.
|
|
headers:
|
|
Location:
|
|
schema:
|
|
type: string
|
|
description: >
|
|
Redirection location for the consent flow, or the authorization response callback location when using
|
|
the Query or Fragment Response Modes.
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"500":
|
|
description: Internal Server Error
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Authorization Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 Authorization.
|
|
requestBody:
|
|
description: Authorize Request Parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.AuthorizeRequest'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
text/html:
|
|
schema:
|
|
type: string
|
|
description: The Form Post Response Mode content.
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
Location:
|
|
schema:
|
|
type: string
|
|
description: >
|
|
Redirection location for the consent flow, or the authorization response callback location when using
|
|
the Query or Fragment Response Modes.
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- authelia_auth: []
|
|
/api/oidc/pushed-authorization-request:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Pushed Authorization Endpoint
|
|
description: >
|
|
This endpoint performs OAuth 2.0 Pushed Authorization.
|
|
requestBody:
|
|
description: Pushed Authorize Request Parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AuthorizeRequest'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
type: object
|
|
description: The Pushed Authorize Request Successful Response.
|
|
properties:
|
|
request_uri:
|
|
type: string
|
|
description: >
|
|
The request URI corresponding to the authorization request posted. This URI is a single-use
|
|
reference to the respective request data in the subsequent authorization request. The way the
|
|
authorization process obtains the authorization request data is at the discretion of the
|
|
authorization server and is out of scope of this specification. There is no need to make the
|
|
authorization request data available to other parties via this URI.
|
|
example: 'urn:ietf:params:oauth:request_uri:lXtUUGsLrMxI5cogDk6Zk1pc5-Zw95lT4fzY0eAbdiU'
|
|
expires_in:
|
|
type: integer
|
|
description: >
|
|
A JSON number that represents the lifetime of the request URI in seconds as a positive integer.
|
|
The request URI lifetime is at the discretion of the authorization server but will typically be
|
|
relatively short (e.g., between 5 and 600 seconds).
|
|
example: 300
|
|
"400":
|
|
description: Bad Request
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"413":
|
|
description: Content Too Large
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"429":
|
|
description: Too Many Requests
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"500":
|
|
description: Internal Server Error
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
security:
|
|
- openid: []
|
|
/api/oidc/token:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Token Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 Token Access Requests.
|
|
requestBody:
|
|
description: Access Request Parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessResponse'
|
|
"401":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"403":
|
|
description: Unauthorized
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"500":
|
|
description: Internal Server Error
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
security:
|
|
- openid: []
|
|
/api/oidc/revocation:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Token Revocation Endpoint
|
|
description: >
|
|
This endpoint performs OAuth 2.0 Token Revocation Requests.
|
|
requestBody:
|
|
description: Required OAuth 2.0 revocation parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessServerTokenAssertionRequest'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
"401":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"403":
|
|
description: Unauthorized
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"500":
|
|
description: Internal Server Error
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
security:
|
|
- openid: []
|
|
/api/oidc/introspection:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Token Introspection Endpoint
|
|
description: >
|
|
This endpoint performs OAuth 2.0 Token Introspection Requests.
|
|
requestBody:
|
|
description: Required OAuth 2.0 introspection parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessServerTokenAssertionRequest'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.IntrospectionResponse'
|
|
application/token-introspection+jwt:
|
|
schema:
|
|
description: |
|
|
The RFC7519 encoded JWT with the nested 'token_introspection' claim which contains the same structure
|
|
as the openid.spec.IntrospectionResponse described in this OpenAPI 3.0 specification.
|
|
type: string
|
|
example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20vIiwiYXVkIjoiaHR0cHM6Ly9hcHAuZXhhbXBsZS5jb20vcmVzb3VyY2UiLCJpYXQiOjE1MTQ3OTc4OTIsInRva2VuX2ludHJvc3BlY3Rpb24iOnsiYWN0aXZlIjp0cnVlLCJleHAiOjE1MTQ3OTc5NDIsImNsaWVudF9pZCI6ImV4YW1wbGUiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiaWF0IjoxNTE0Nzk3ODIyLCJzdWIiOiI5Y2JhMzJhMC02M2EyLTQyZDUtODNlYi1kZmM3NTc4OGEyMjIiLCJhdWQiOiJodHRwczovL2FwcC5leGFtcGxlLmNvbS9yZXNvdXJjZSIsInVzZXJuYW1lIjoiam9obiJ9fQ.9rN-G3uaj28Geiktfvknl-G6EnZxOGJjpXcemvsllYA'
|
|
"401":
|
|
description: Forbidden
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"403":
|
|
description: Unauthorized
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
"500":
|
|
description: Internal Server Error
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
|
|
security:
|
|
- openid: []
|
|
/api/oidc/userinfo:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 UserInfo Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
|
|
parameters:
|
|
- in: query
|
|
name: access_token
|
|
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
|
|
schema:
|
|
type: string
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/jwt: {}
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Object'
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 UserInfo Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
|
|
parameters:
|
|
- in: query
|
|
name: access_token
|
|
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
|
|
schema:
|
|
type: string
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
requestBody:
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
type: object
|
|
properties:
|
|
access_token:
|
|
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
|
|
type: string
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/jwt: {}
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Object'
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
/api/oidc/consent:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Consent Information
|
|
description: >
|
|
This endpoint retrieves the consent information about a specific consent ID during the consent workflow.
|
|
parameters:
|
|
- $ref: '#/components/parameters/idRequiredParam'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.request.consent'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Consent Response
|
|
description: >
|
|
This endpoint retrieves the consent response for a specific consent ID during the consent workflow.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.response.consent'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
components:
|
|
parameters:
|
|
credentialID:
|
|
in: path
|
|
name: credentialID
|
|
schema:
|
|
type: integer
|
|
required: true
|
|
description: Numeric WebAuthn Credential ID
|
|
originalMethodParam:
|
|
name: X-Original-Method
|
|
in: header
|
|
description: Request Method
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
enum:
|
|
- 'GET'
|
|
- 'HEAD'
|
|
- 'POST'
|
|
- 'PUT'
|
|
- 'PATCH'
|
|
- 'DELETE'
|
|
- 'TRACE'
|
|
- 'CONNECT'
|
|
- 'OPTIONS'
|
|
- 'COPY'
|
|
- 'LOCK'
|
|
- 'MKCOL'
|
|
- 'MOVE'
|
|
- 'PROPFIND'
|
|
- 'PROPPATCH'
|
|
- 'UNLOCK'
|
|
originalURLParam:
|
|
name: X-Original-URL
|
|
in: header
|
|
description: Redirection URL
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
forwardedMethodParam:
|
|
name: X-Forwarded-Method
|
|
in: header
|
|
description: Request Method
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
enum:
|
|
- 'GET'
|
|
- 'HEAD'
|
|
- 'POST'
|
|
- 'PUT'
|
|
- 'PATCH'
|
|
- 'DELETE'
|
|
- 'TRACE'
|
|
- 'CONNECT'
|
|
- 'OPTIONS'
|
|
- 'COPY'
|
|
- 'LOCK'
|
|
- 'MKCOL'
|
|
- 'MOVE'
|
|
- 'PROPFIND'
|
|
- 'PROPPATCH'
|
|
- 'UNLOCK'
|
|
forwardedProtoParam:
|
|
name: X-Forwarded-Proto
|
|
in: header
|
|
description: Redirection URL (Scheme / Protocol)
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
example: 'https'
|
|
schema:
|
|
type: string
|
|
forwardedHostParam:
|
|
name: X-Forwarded-Host
|
|
in: header
|
|
description: Redirection URL (Host)
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
example: '{{ .Domain | default "example.com" }}'
|
|
schema:
|
|
type: string
|
|
forwardedURIParam:
|
|
name: X-Forwarded-URI
|
|
in: header
|
|
description: Redirection URL (URI)
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
example: '/path/example'
|
|
schema:
|
|
type: string
|
|
forwardedForParam:
|
|
name: X-Forwarded-For
|
|
in: header
|
|
description: Clients IP address or IP address chain
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '192.168.0.55,192.168.0.20'
|
|
schema:
|
|
type: string
|
|
autheliaURLParam:
|
|
name: X-Authelia-URL
|
|
in: header
|
|
description: Authelia Portal URL
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '{{ .BaseURL | default "https://auth.example.com" }}'
|
|
schema:
|
|
type: string
|
|
authParam:
|
|
name: auth
|
|
in: query
|
|
description: Switch authorization header and prompt for basic auth
|
|
required: false
|
|
schema:
|
|
type: string
|
|
enum: ["basic"]
|
|
idRequiredParam:
|
|
name: id
|
|
in: query
|
|
description: The ID of what is being requested
|
|
required: true
|
|
schema:
|
|
type: string
|
|
schemas:
|
|
handlers.checkURIWithinDomainRequestBody:
|
|
type: object
|
|
properties:
|
|
uri:
|
|
type: string
|
|
example: 'https://secure.{{ .Domain | default "example.com" }}'
|
|
handlers.checkURIWithinDomainResponseBody:
|
|
type: object
|
|
properties:
|
|
ok:
|
|
type: boolean
|
|
example: true
|
|
description: If redirection URL is safe.
|
|
handlers.configuration.ConfigurationBody:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
available_methods:
|
|
type: array
|
|
description: List of available 2FA methods. If no methods exist 2FA is disabled.
|
|
items:
|
|
enum:
|
|
- 'totp'
|
|
- 'webauthn'
|
|
- 'mobile_push'
|
|
example: [totp, webauthn, mobile_push]
|
|
handlers.configuration.PasswordPolicyConfigurationBody:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
mode:
|
|
type: string
|
|
description: The password policy mode.
|
|
enum:
|
|
- 'disabled'
|
|
- 'standard'
|
|
- 'zxcvbn'
|
|
min_length:
|
|
type: integer
|
|
description: The minimum password length when using the standard mode.
|
|
max_length:
|
|
type: integer
|
|
description: The maximum password length when using the standard mode.
|
|
min_score:
|
|
type: integer
|
|
description: The minimum password score when using the zxcvbn mode.
|
|
require_uppercase:
|
|
type: boolean
|
|
description: If uppercase characters are required when using the standard mode.
|
|
require_lowercase:
|
|
type: boolean
|
|
description: If uppercase characters are required when using the standard mode.
|
|
require_number:
|
|
type: boolean
|
|
description: If numeric characters are required when using the standard mode.
|
|
require_special:
|
|
type: boolean
|
|
description: If special characters are required when using the standard mode.
|
|
handlers.DuoDeviceBody:
|
|
required:
|
|
- 'device'
|
|
- 'method'
|
|
type: object
|
|
properties:
|
|
device:
|
|
type: string
|
|
example: ABCDE123456789FGHIJK
|
|
method:
|
|
type: string
|
|
example: push
|
|
handlers.DuoDevicesResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
result:
|
|
type: string
|
|
example: auth
|
|
devices:
|
|
type: array
|
|
items:
|
|
type: object
|
|
properties:
|
|
device:
|
|
type: string
|
|
example: ABCDE123456789FGHIJK
|
|
display_name:
|
|
type: string
|
|
example: iOS (+XX XXX XXX 123)
|
|
capabilities:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example: push
|
|
handlers.bodyFirstFactorRequest:
|
|
required:
|
|
- 'username'
|
|
- 'password'
|
|
type: object
|
|
properties:
|
|
username:
|
|
type: string
|
|
example: john
|
|
password:
|
|
type: string
|
|
example: password
|
|
targetURL:
|
|
type: string
|
|
example: 'https://home.{{ .Domain | default "example.com" }}'
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
requestMethod:
|
|
type: string
|
|
example: GET
|
|
keepMeLoggedIn:
|
|
type: boolean
|
|
example: true
|
|
handlers.logoutRequestBody:
|
|
type: object
|
|
properties:
|
|
targetURL:
|
|
type: string
|
|
example: 'https://redirect.{{ .Domain | default "example.com" }}'
|
|
handlers.logoutResponseBody:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
safeTargetURL:
|
|
type: boolean
|
|
example: true
|
|
handlers.redirectResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
redirect:
|
|
type: string
|
|
example: 'https://home.{{ .Domain | default "example.com" }}'
|
|
{{- if .PasswordReset }}
|
|
handlers.PasswordResetStep1RequestBody:
|
|
required:
|
|
- 'username'
|
|
type: object
|
|
properties:
|
|
username:
|
|
type: string
|
|
example: john
|
|
handlers.PasswordResetStep2RequestBody:
|
|
required:
|
|
- 'password'
|
|
type: object
|
|
properties:
|
|
password:
|
|
type: string
|
|
example: password
|
|
handlers.PasswordResetBodyDELETE:
|
|
required:
|
|
- 'token'
|
|
type: object
|
|
properties:
|
|
token:
|
|
type: string
|
|
{{- end }}
|
|
{{- if .Duo }}
|
|
handlers.bodySignDuoRequest:
|
|
type: object
|
|
properties:
|
|
targetURL:
|
|
type: string
|
|
example: 'https://secure.{{ .Domain | default "example.com" }}'
|
|
passcode:
|
|
type: string
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
{{- end }}
|
|
handlers.StateResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
username:
|
|
type: string
|
|
example: john
|
|
authentication_level:
|
|
type: integer
|
|
example: 1
|
|
default_redirection_url:
|
|
type: string
|
|
example: 'https://home.{{ .Domain | default "example.com" }}'
|
|
middlewares.ErrorResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: KO
|
|
message:
|
|
type: string
|
|
example: Authentication failed, please retry later.
|
|
middlewares.IdentityVerificationFinishBody:
|
|
required:
|
|
- 'token'
|
|
type: object
|
|
properties:
|
|
token:
|
|
type: string
|
|
example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY
|
|
middlewares.Response.API:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/middlewares.Response.OK'
|
|
- $ref: '#/components/schemas/middlewares.Response.KO'
|
|
middlewares.Response.OK:
|
|
type: object
|
|
properties:
|
|
status:
|
|
enum:
|
|
- 'OK'
|
|
type: string
|
|
example: 'OK'
|
|
data:
|
|
type: object
|
|
description: 'The data content for the response.'
|
|
middlewares.Response.KO:
|
|
type: object
|
|
properties:
|
|
status:
|
|
enum:
|
|
- 'KO'
|
|
type: string
|
|
example: 'KO'
|
|
message:
|
|
type: string
|
|
example: 'Operation Failed.'
|
|
handlers.UserInfo:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
display_name:
|
|
type: string
|
|
example: John Doe
|
|
method:
|
|
type: string
|
|
enum:
|
|
- 'totp'
|
|
- 'webauthn'
|
|
- 'mobile_push'
|
|
example: totp
|
|
has_webauthn:
|
|
type: boolean
|
|
example: false
|
|
has_totp:
|
|
type: boolean
|
|
example: true
|
|
has_duo:
|
|
type: boolean
|
|
example: true
|
|
handlers.UserInfo.MethodBody:
|
|
required:
|
|
- 'method'
|
|
type: object
|
|
properties:
|
|
method:
|
|
type: string
|
|
enum:
|
|
- 'totp'
|
|
- 'webauthn'
|
|
- 'mobile_push'
|
|
example: totp
|
|
handlers.ElevationStatus.Response:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
elevated:
|
|
description: The indicator of if the session is elevated.
|
|
type: boolean
|
|
expires:
|
|
description: The number of seconds the elevation is still valid for.
|
|
type: integer
|
|
example: 300
|
|
delete_id:
|
|
description: The value required to delete the current elevation.
|
|
type: string
|
|
handlers.ElevationStart.Response:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
delete_id:
|
|
description: The value required to delete the pending elevation.
|
|
type: string
|
|
handlers.ElevationVerify.Request:
|
|
type: object
|
|
properties:
|
|
otc:
|
|
description: The One-Time Code sent to the users email address.
|
|
type: string
|
|
{{- if .TOTP }}
|
|
handlers.TOTPOptions:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
algorithm:
|
|
default: 'SHA1'
|
|
description: The default algorithm for the generated configuration.
|
|
type: string
|
|
example: 'SHA1'
|
|
length:
|
|
default: 30
|
|
description: The default period or length of time for the generated configuration.
|
|
type: integer
|
|
example: 30
|
|
digits:
|
|
default: 6
|
|
description: The default digits for the generated configuration.
|
|
type: integer
|
|
example: 6
|
|
algorithms:
|
|
default:
|
|
- 'SHA1'
|
|
description: The allowed algorithm values for the generated configuration.
|
|
example:
|
|
- 'SHA1'
|
|
type: array
|
|
items:
|
|
type: string
|
|
lengths:
|
|
default:
|
|
- 30
|
|
description: The allowed period or length values for the generated configuration.
|
|
example:
|
|
- 30
|
|
type: array
|
|
items:
|
|
type: integer
|
|
periods:
|
|
default:
|
|
- 6
|
|
description: The allowed digits values for the generated configuration.
|
|
example:
|
|
- 6
|
|
type: array
|
|
items:
|
|
type: integer
|
|
handlers.TOTPRegisterStartRequest:
|
|
type: object
|
|
properties:
|
|
algorithm:
|
|
default: 'SHA1'
|
|
description: The algorithm for the generated configuration.
|
|
type: string
|
|
example: 'SHA1'
|
|
length:
|
|
default: 30
|
|
description: The period or length of time for the generated configuration.
|
|
type: integer
|
|
example: 30
|
|
digits:
|
|
default: 6
|
|
description: The digits for the generated configuration.
|
|
type: integer
|
|
example: 6
|
|
handlers.TOTPRegisterStartResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
base32_secret:
|
|
description: The base32 encoded secret for the TOTP configuration.
|
|
type: string
|
|
otpauth_url:
|
|
description: The TOTP scheme URL for the TOTP configuration used to generate the QR code.
|
|
type: string
|
|
handlers.TOTPRegisterFinishRequest:
|
|
type: object
|
|
properties:
|
|
token:
|
|
description: The value generated by the authenticator.
|
|
type: string
|
|
example: '123456'
|
|
handlers.TOTPConfiguration:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
period:
|
|
default: 30
|
|
description: The period defined in the users TOTP configuration
|
|
type: integer
|
|
example: 30
|
|
digits:
|
|
default: 6
|
|
description: The number of digits defined in the users TOTP configuration
|
|
type: integer
|
|
example: 6
|
|
handlers.bodySignTOTPRequest:
|
|
type: object
|
|
properties:
|
|
token:
|
|
type: string
|
|
example: '123456'
|
|
targetURL:
|
|
type: string
|
|
example: 'https://secure.{{ .Domain | default "example.com" }}'
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
handlers.TOTPKeyResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
base32_secret:
|
|
type: string
|
|
example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
|
|
otpauth_url:
|
|
type: string
|
|
example: 'otpauth://totp/{{ .Domain | default "example.com" }}:john?algorithm=SHA1&digits=6&issuer=auth.{{ .Domain | default "example.com" }}&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q'
|
|
{{- end }}
|
|
{{- if .WebAuthn }}
|
|
webauthn.PublicKeyCredential:
|
|
type: object
|
|
properties:
|
|
rawId:
|
|
type: string
|
|
format: byte
|
|
id:
|
|
type: string
|
|
type:
|
|
type: string
|
|
webauthn.AuthenticatorResponse:
|
|
type: object
|
|
properties:
|
|
clientDataJSON:
|
|
type: string
|
|
format: byte
|
|
webauthn.CredentialAttestationResponse:
|
|
type: object
|
|
properties:
|
|
credential:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
|
|
- type: object
|
|
properties:
|
|
clientExtensionResults:
|
|
type: object
|
|
properties:
|
|
appidExclude:
|
|
type: boolean
|
|
response:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
|
|
- type: object
|
|
properties:
|
|
attestationObject:
|
|
type: string
|
|
format: byte
|
|
description:
|
|
type: string
|
|
webauthn.CredentialAssertionResponse:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
|
|
- type: object
|
|
properties:
|
|
response:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
|
|
- type: object
|
|
required:
|
|
- 'authenticatorData'
|
|
- 'clientDataJSON'
|
|
- 'signature'
|
|
properties:
|
|
authenticatorData:
|
|
type: string
|
|
format: byte
|
|
clientDataJSON:
|
|
type: string
|
|
format: byte
|
|
clientExtensionResults:
|
|
type: object
|
|
properties:
|
|
appid:
|
|
type: boolean
|
|
example: false
|
|
signature:
|
|
type: string
|
|
format: byte
|
|
userHandle:
|
|
type: string
|
|
format: byte
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
webauthn.CredentialUpdateRequest:
|
|
type: object
|
|
properties:
|
|
description:
|
|
type: string
|
|
webauthn.RegisterRequest:
|
|
type: object
|
|
properties:
|
|
description:
|
|
description: The description the registered credential will have.
|
|
type: string
|
|
example: 'My Main Credential'
|
|
webauthn.PublicKeyCredentialCreationOptions:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
publicKey:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.AttestationType'
|
|
- $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria'
|
|
- $ref: '#/components/schemas/webauthn.CredentialUserEntity'
|
|
- $ref: '#/components/schemas/webauthn.CredentialRPEntity'
|
|
- type: object
|
|
required:
|
|
- 'challenge'
|
|
- 'pubKeyCredParams'
|
|
properties:
|
|
challenge:
|
|
type: string
|
|
format: byte
|
|
pubKeyCredParams:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- 'alg'
|
|
- 'type'
|
|
properties:
|
|
alg:
|
|
type: integer
|
|
type:
|
|
type: string
|
|
example: public-key
|
|
enum:
|
|
- 'public-key'
|
|
timeout:
|
|
type: integer
|
|
example: 60000
|
|
excludeCredentials:
|
|
type: array
|
|
items:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
|
|
extensions:
|
|
type: object
|
|
properties:
|
|
appidExclude:
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
webauthn.PublicKeyCredentialRequestOptions:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
publicKey:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.UserVerification'
|
|
- type: object
|
|
required:
|
|
- 'challenge'
|
|
properties:
|
|
challenge:
|
|
type: string
|
|
timeout:
|
|
type: integer
|
|
example: 60000
|
|
rpId:
|
|
type: string
|
|
example: 'auth.{{ .Domain | default "example.com" }}'
|
|
allowCredentials:
|
|
type: array
|
|
items:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
|
|
extensions:
|
|
type: object
|
|
properties:
|
|
appid:
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
webauthn.Transports:
|
|
type: object
|
|
properties:
|
|
transports:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example:
|
|
- 'usb'
|
|
- 'nfc'
|
|
enum:
|
|
- 'usb'
|
|
- 'nfc'
|
|
- 'ble'
|
|
- 'internal'
|
|
webauthn.UserVerification:
|
|
type: object
|
|
properties:
|
|
userVerification:
|
|
type: string
|
|
example: preferred
|
|
enum:
|
|
- 'required'
|
|
- 'preferred'
|
|
- 'discouraged'
|
|
webauthn.AttestationType:
|
|
type: object
|
|
properties:
|
|
attestation:
|
|
type: string
|
|
example: direct
|
|
enum:
|
|
- 'none'
|
|
- 'indirect'
|
|
- 'direct'
|
|
webauthn.AuthenticatorSelectionCriteria:
|
|
type: object
|
|
properties:
|
|
authenticatorSelection:
|
|
type: object
|
|
properties:
|
|
authenticatorAttachment:
|
|
type: string
|
|
example: cross-platform
|
|
enum:
|
|
- 'platform'
|
|
- 'cross-platform'
|
|
residentKey:
|
|
type: string
|
|
example: discouraged
|
|
enum:
|
|
- 'discouraged'
|
|
- 'preferred'
|
|
- 'required'
|
|
requireResidentKey:
|
|
type: boolean
|
|
webauthn.CredentialDescriptor:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.Transports'
|
|
- type: object
|
|
required:
|
|
- 'id'
|
|
- 'type'
|
|
properties:
|
|
id:
|
|
type: string
|
|
format: byte
|
|
type:
|
|
type: string
|
|
example: public-key
|
|
enum:
|
|
- 'public-key'
|
|
webauthn.CredentialEntity:
|
|
type: object
|
|
required:
|
|
- 'id'
|
|
- 'name'
|
|
properties:
|
|
id:
|
|
type: string
|
|
name:
|
|
type: string
|
|
icon:
|
|
type: string
|
|
webauthn.CredentialRPEntity:
|
|
type: object
|
|
required:
|
|
- 'rp'
|
|
properties:
|
|
rp:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialEntity'
|
|
webauthn.CredentialUserEntity:
|
|
type: object
|
|
required:
|
|
- 'user'
|
|
properties:
|
|
user:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialEntity'
|
|
- type: object
|
|
required:
|
|
- 'displayName'
|
|
properties:
|
|
displayName:
|
|
type: string
|
|
webauthn.AuthenticationExtensionsClientOutputs:
|
|
type: object
|
|
properties:
|
|
clientExtensionResults:
|
|
type: object
|
|
properties:
|
|
appid:
|
|
type: boolean
|
|
example: true
|
|
appidExclude:
|
|
type: boolean
|
|
example: false
|
|
uvm:
|
|
type: array
|
|
items:
|
|
type: string
|
|
format: byte
|
|
credProps:
|
|
type: object
|
|
properties:
|
|
rk:
|
|
type: boolean
|
|
example: false
|
|
largeBlob:
|
|
type: object
|
|
properties:
|
|
supported:
|
|
type: boolean
|
|
example: false
|
|
blob:
|
|
type: string
|
|
written:
|
|
type: boolean
|
|
example: false
|
|
{{- end }}
|
|
{{- if .OpenIDConnect }}
|
|
openid.request.consent:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
client_id:
|
|
type: string
|
|
description: The identifier of the client for the user to provide consent for.
|
|
example: 'app'
|
|
client_description:
|
|
description: The descriptive name of the client for the user to provide consent for.
|
|
type: string
|
|
example: 'App Platform'
|
|
scopes:
|
|
description: The list of the requested scopes for the user to provide consent for.
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum:
|
|
- 'openid'
|
|
- 'offline_access'
|
|
- 'groups'
|
|
- 'email'
|
|
- 'profile'
|
|
audience:
|
|
description: The list of the requested audiences for the user to provide consent for.
|
|
type: array
|
|
items:
|
|
type: string
|
|
pre_configuration:
|
|
description: Indicates if this client supports pre-configuration.
|
|
type: boolean
|
|
example: true
|
|
openid.response.consent:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
id:
|
|
description: The identifier of the consent session.
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
|
|
client_id:
|
|
description: The identifier of the client for the user to provide consent for.
|
|
type: string
|
|
example: 'app'
|
|
consent:
|
|
description: Indicates if the user consented to the consent request.
|
|
type: boolean
|
|
example: true
|
|
pre_configure:
|
|
description: Indicates if the user consented to pre-configuration.
|
|
type: boolean
|
|
example: true
|
|
openid.spec.Metadata.OAuth2AuthorizationServer:
|
|
type: object
|
|
required:
|
|
- 'issuer'
|
|
- 'authorization_endpoint'
|
|
- 'subject_types_supported'
|
|
- 'response_types_supported'
|
|
- 'require_pushed_authorization_requests'
|
|
properties:
|
|
authorization_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
|
|
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/authorization'
|
|
claims_supported:
|
|
description: >
|
|
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
|
|
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
|
|
type: array
|
|
example:
|
|
- 'amr'
|
|
- 'aud'
|
|
- 'azp'
|
|
- 'client_id'
|
|
- 'exp'
|
|
- 'iat'
|
|
- 'iss'
|
|
- 'jti'
|
|
- 'rat'
|
|
- 'sub'
|
|
- 'auth_time'
|
|
- 'nonce'
|
|
- 'email'
|
|
- 'email_verified'
|
|
- 'alt_emails'
|
|
- 'groups'
|
|
- 'preferred_username'
|
|
- 'name'
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Array'
|
|
code_challenge_methods_supported:
|
|
description: >
|
|
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
|
|
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
|
|
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
|
|
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
|
|
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
type: array
|
|
example: ["S256", "none"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
|
|
grant_types_supported:
|
|
type: array
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
|
|
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
|
|
Types. If omitted, the default value is ["authorization_code", "implicit"].
|
|
example: ["authorization_code", "implicit"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.GrantType'
|
|
introspection_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
|
|
Introspection: https://datatracker.ietf.org/doc/html/rfc7662
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/introspection'
|
|
introspection_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token
|
|
Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If
|
|
omitted, the set of supported authentication methods MUST be determined by other means. See Also:
|
|
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
|
|
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
introspection_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
|
|
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
|
|
present if either of these authentication methods are specified in the
|
|
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
|
|
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
issuer:
|
|
description:
|
|
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
|
|
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
|
|
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
jwks_uri:
|
|
description: >
|
|
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
|
|
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
|
|
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
|
|
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
|
|
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
|
|
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
|
|
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
|
|
type: string
|
|
example: '{{ .BaseURL }}jwks.json'
|
|
op_policy_uri:
|
|
description:
|
|
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
|
|
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
|
|
display this URL to the person registering the Client if it is given.
|
|
type: string
|
|
op_tos_uri:
|
|
description: >
|
|
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
|
|
terms of service. The registration process SHOULD display this URL to the person registering the Client if
|
|
it is given.
|
|
type: string
|
|
pushed_authorization_request_endpoint:
|
|
description: >
|
|
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
|
|
exchange for a "request_uri" value usable at the authorization server.
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/par'
|
|
registration_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
|
|
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/registration'
|
|
require_pushed_authorization_requests:
|
|
description: >
|
|
Boolean parameter indicating whether the authorization server accepts authorization request data only via
|
|
PAR. If omitted, the default value is "false".
|
|
type: boolean
|
|
example: false
|
|
response_modes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
|
|
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
|
|
OpenID Providers is ["query", "fragment"].
|
|
type: array
|
|
example: ["query", "fragment"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
response_types_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
|
|
Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
|
|
type: array
|
|
example: ["code", "id_token", "token id_token"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
revocation_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
|
|
See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/revocation'
|
|
revocation_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
|
|
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also:
|
|
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
revocation_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
|
|
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
|
|
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
|
|
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
scopes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server
|
|
MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even
|
|
when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
|
|
See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: array
|
|
example:
|
|
- 'openid'
|
|
- 'offline_access'
|
|
- 'profile'
|
|
- 'email'
|
|
- 'groups'
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
|
|
service_documentation:
|
|
description: >
|
|
URL of a page containing human-readable information that developers might want or need to know when using
|
|
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
|
|
then information on how to register Clients needs to be provided in this documentation.
|
|
type: string
|
|
example: 'https://authelia.com'
|
|
subject_types_supported:
|
|
description: >
|
|
JSON array containing a list of the Subject Identifier types that this OP supports.
|
|
Valid types include pairwise and public.
|
|
type: array
|
|
example: ["public", "pairwise"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
|
|
token_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
|
|
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/token'
|
|
token_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
|
|
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
|
|
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
|
|
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
|
|
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
|
|
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
token_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
|
|
the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
|
|
and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519'
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
ui_locales_supported:
|
|
type: array
|
|
description: >
|
|
Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
|
|
language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
|
|
example: ["en-US"]
|
|
items:
|
|
type: string
|
|
authorization_response_iss_parameter_supported:
|
|
description: >
|
|
Boolean parameter indicating whether the authorization server provides the iss parameter in the
|
|
authorization response as defined in Section 2. If omitted, the default value is false.
|
|
type: boolean
|
|
example: true
|
|
openid.spec.Metadata.OpenIDConfiguration:
|
|
type: object
|
|
required:
|
|
- 'issuer'
|
|
- 'authorization_endpoint'
|
|
- 'subject_types_supported'
|
|
- 'response_types_supported'
|
|
- 'require_pushed_authorization_requests'
|
|
- 'request_uri_parameter_supported'
|
|
- 'require_request_uri_registration'
|
|
- 'claims_parameter_supported'
|
|
- 'frontchannel_logout_supported'
|
|
- 'frontchannel_logout_session_supported'
|
|
- 'backchannel_logout_supported'
|
|
- 'backchannel_logout_session_supported'
|
|
properties:
|
|
acr_values_supported:
|
|
description:
|
|
JSON array containing a list of the Authentication Context Class References that this OP supports.
|
|
type: array
|
|
items:
|
|
type: string
|
|
authorization_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
|
|
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/authorization'
|
|
backchannel_logout_session_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
|
|
the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
|
|
If omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
backchannel_logout_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If
|
|
omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
claim_types_supported:
|
|
description: >
|
|
JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are
|
|
described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
|
|
normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also:
|
|
OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
|
|
type: array
|
|
example: ["normal"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClaimType'
|
|
claims_locales_supported:
|
|
description: >
|
|
Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47
|
|
[RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
|
|
See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
|
|
type: array
|
|
example: ["en-US"]
|
|
items:
|
|
type: string
|
|
claims_parameter_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
|
|
If omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
claims_supported:
|
|
description: >
|
|
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
|
|
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
|
|
type: array
|
|
example:
|
|
- 'amr'
|
|
- 'aud'
|
|
- 'azp'
|
|
- 'client_id'
|
|
- 'exp'
|
|
- 'iat'
|
|
- 'iss'
|
|
- 'jti'
|
|
- 'rat'
|
|
- 'sub'
|
|
- 'auth_time'
|
|
- 'nonce'
|
|
- 'email'
|
|
- 'email_verified'
|
|
- 'alt_emails'
|
|
- 'groups'
|
|
- 'preferred_username'
|
|
- 'name'
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Array'
|
|
code_challenge_methods_supported:
|
|
description: >
|
|
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
|
|
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
|
|
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
|
|
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
|
|
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters:
|
|
https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
type: array
|
|
example: ["S256", "plain"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
|
|
display_values_supported:
|
|
description: >
|
|
JSON array containing a list of the display parameter values that the OpenID Provider supports. These values
|
|
are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section
|
|
3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
type: array
|
|
example: ["page"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.DisplayType'
|
|
frontchannel_logout_session_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
|
|
identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is
|
|
also included in ID Tokens issued by the OP. If omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
frontchannel_logout_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
|
|
omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
grant_types_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
|
|
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
|
|
Types. If omitted, the default value is ["authorization_code", "implicit"].
|
|
type: array
|
|
example: ["authorization_code", "implicit"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.GrantType'
|
|
id_token_encryption_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID
|
|
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT:
|
|
https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCMKW"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.alg'
|
|
id_token_encryption_enc_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID
|
|
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCM"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.enc'
|
|
id_token_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
|
|
to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
|
|
but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
|
|
(such as when using the Authorization Code Flow).
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS.None'
|
|
introspection_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
|
|
Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/introspection'
|
|
introspection_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access
|
|
Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section
|
|
7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also:
|
|
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
|
|
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
introspection_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
|
|
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
|
|
present if either of these authentication methods are specified in the
|
|
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
|
|
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
issuer:
|
|
description: >
|
|
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
|
|
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
|
|
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
jwks_uri:
|
|
description: >
|
|
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
|
|
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
|
|
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
|
|
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
|
|
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
|
|
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
|
|
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
|
|
type: string
|
|
example: '{{ .BaseURL }}jwks.json'
|
|
op_policy_uri:
|
|
description: >
|
|
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
|
|
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
|
|
display this URL to the person registering the Client if it is given.
|
|
type: string
|
|
op_tos_uri:
|
|
description: >
|
|
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
|
|
terms of service. The registration process SHOULD display this URL to the person registering the Client
|
|
if it is given.
|
|
type: string
|
|
pushed_authorization_request_endpoint:
|
|
description: >
|
|
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
|
|
exchange for a "request_uri" value usable at the authorization server.
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/par'
|
|
registration_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
|
|
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/registration'
|
|
request_object_encryption_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
|
|
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
|
|
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
type: array
|
|
example: ["A256GCMKW"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.alg'
|
|
request_object_encryption_enc_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request
|
|
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
|
|
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCM"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.enc'
|
|
request_object_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
|
|
Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are
|
|
used both when the Request Object is passed by value (using the request parameter) and when it is passed by
|
|
reference (using the request_uri parameter). Servers SHOULD support none and RS256.
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS.None'
|
|
request_uri_parameter_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
|
|
support. If omitted, the default value is true.
|
|
type: boolean
|
|
example: true
|
|
require_pushed_authorization_requests:
|
|
description: >
|
|
Boolean parameter indicating whether the authorization server accepts authorization request data only via
|
|
PAR. If omitted, the default value is "false".
|
|
type: boolean
|
|
example: false
|
|
require_request_uri_registration:
|
|
description: >
|
|
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the
|
|
request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
|
|
default value is false.
|
|
type: boolean
|
|
example: false
|
|
response_modes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
|
|
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
|
|
OpenID Providers is ["query", "fragment"].
|
|
type: array
|
|
example: ["query", "fragment"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
response_types_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
|
|
Providers MUST support the code, id_token, and the token id_token Response Type values.
|
|
type: array
|
|
example: ["code", "id_token", "token id_token"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
revocation_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
|
|
OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/revocation'
|
|
revocation_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
|
|
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
|
|
See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
|
|
type: array
|
|
example: ["client_secret_basic"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
revocation_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
|
|
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
|
|
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
|
|
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
scopes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
|
|
The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope
|
|
values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
|
|
supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core:
|
|
https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: array
|
|
example:
|
|
- 'openid'
|
|
- 'offline_access'
|
|
- 'profile'
|
|
- 'email'
|
|
- 'groups'
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
|
|
service_documentation:
|
|
description: >
|
|
URL of a page containing human-readable information that developers might want or need to know when using
|
|
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
|
|
then information on how to register Clients needs to be provided in this documentation.
|
|
type: string
|
|
example: 'https://www.authelia.com'
|
|
subject_types_supported:
|
|
description: >
|
|
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
|
|
pairwise and public.
|
|
type: array
|
|
example: ["public", "pairwise"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
|
|
token_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
|
|
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/token'
|
|
token_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
|
|
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
|
|
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
|
|
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
|
|
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
|
|
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
token_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
|
|
for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the
|
|
private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256.
|
|
The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
ui_locales_supported:
|
|
description: >
|
|
Languages and scripts supported for the user interface, represented as a JSON array of BCP47
|
|
[RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
|
|
type: array
|
|
example: ["en-US"]
|
|
items:
|
|
type: string
|
|
userinfo_encryption_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the
|
|
UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE:
|
|
https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCMKW"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.alg'
|
|
userinfo_encryption_enc_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo
|
|
Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCM"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.enc'
|
|
userinfo_endpoint:
|
|
description: >
|
|
URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port,
|
|
path, and query parameter components.
|
|
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/userinfo'
|
|
userinfo_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
|
|
UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
|
|
JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["none", "RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS.None'
|
|
authorization_signing_alg_values_supported:
|
|
description: >
|
|
OPTIONAL. A JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) supported by
|
|
the authorization endpoint to sign the response.
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS'
|
|
authorization_response_iss_parameter_supported:
|
|
description: >
|
|
Boolean parameter indicating whether the authorization server provides the iss parameter in the
|
|
authorization response as defined in Section 2. If omitted, the default value is false.
|
|
type: boolean
|
|
example: true
|
|
openid.spec.IntrospectionResponse:
|
|
type: object
|
|
required:
|
|
- 'active'
|
|
properties:
|
|
active:
|
|
type: boolean
|
|
description: >
|
|
REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a
|
|
token's "active" state will vary depending on the implementation of the authorization server and the
|
|
information it keeps about its tokens, but a "true" value return for the "active" property will generally
|
|
indicate that a given token has been issued by this authorization server, has not been revoked by the
|
|
resource owner, and is within its given time window of validity (e.g., after its issuance time and before
|
|
its expiration time). See Section 4 for information on implementation of such checks.
|
|
scope:
|
|
type: string
|
|
description: >
|
|
OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the
|
|
format described in Section 3.3 of OAuth 2.0 [RFC6749].
|
|
client_id:
|
|
type: string
|
|
description: 'OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.'
|
|
username:
|
|
type: string
|
|
description: 'OPTIONAL. Human-readable identifier for the resource owner who authorized this token.'
|
|
token_type:
|
|
type: string
|
|
enum:
|
|
- 'bearer'
|
|
example: 'bearer'
|
|
description: 'OPTIONAL. Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].'
|
|
exp:
|
|
type: integer
|
|
description: >
|
|
OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when
|
|
this token will expire, as defined in JWT [RFC7519].
|
|
iat:
|
|
type: integer
|
|
description: >
|
|
OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when
|
|
this token was originally issued, as defined in JWT [RFC7519].
|
|
nbf:
|
|
type: integer
|
|
description: >
|
|
OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when
|
|
this token is not to be used before, as defined in JWT [RFC7519].
|
|
sub:
|
|
type: string
|
|
description: >
|
|
OPTIONAL. Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the
|
|
resource owner who authorized this token.
|
|
aud:
|
|
oneOf:
|
|
- type: array
|
|
items:
|
|
type: string
|
|
description: >
|
|
OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended
|
|
audience for this token, as defined in JWT [RFC7519].
|
|
- type: string
|
|
description: >
|
|
OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended
|
|
audience for this token, as defined in JWT [RFC7519].
|
|
iss:
|
|
type: string
|
|
description: 'OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].'
|
|
jti:
|
|
type: string
|
|
description: 'OPTIONAL. String identifier for the token, as defined in JWT [RFC7519].'
|
|
|
|
openid.implementation.Claims.Array:
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum:
|
|
- 'amr'
|
|
- 'aud'
|
|
- 'azp'
|
|
- 'client_id'
|
|
- 'exp'
|
|
- 'iat'
|
|
- 'iss'
|
|
- 'jti'
|
|
- 'rat'
|
|
- 'sub'
|
|
- 'auth_time'
|
|
- 'nonce'
|
|
- 'email'
|
|
- 'email_verified'
|
|
- 'alt_emails'
|
|
- 'groups'
|
|
- 'preferred_username'
|
|
- 'name'
|
|
openid.implementation.Claims.Object:
|
|
description: OpenID Connect 1.0 User Claims.
|
|
type: object
|
|
properties:
|
|
amr:
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum:
|
|
- 'mfa'
|
|
- 'mca'
|
|
- 'user'
|
|
- 'pin'
|
|
- 'pwd'
|
|
- 'otp'
|
|
- 'hwk'
|
|
- 'sms'
|
|
aud:
|
|
type: array
|
|
items:
|
|
type: string
|
|
azp:
|
|
type: string
|
|
client_id:
|
|
type: string
|
|
scope:
|
|
type: string
|
|
scp:
|
|
type: array
|
|
items:
|
|
type: string
|
|
exp:
|
|
type: integer
|
|
iat:
|
|
type: integer
|
|
iss:
|
|
type: string
|
|
jti:
|
|
type: string
|
|
rat:
|
|
type: integer
|
|
sub:
|
|
type: string
|
|
auth_time:
|
|
type: integer
|
|
nonce:
|
|
type: string
|
|
email:
|
|
type: string
|
|
email_verified:
|
|
type: boolean
|
|
alt_emails:
|
|
type: array
|
|
items:
|
|
type: string
|
|
groups:
|
|
type: array
|
|
items:
|
|
type: string
|
|
preferred_username:
|
|
type: string
|
|
name:
|
|
type: string
|
|
openid.implementation.Scopes.Object:
|
|
description: The scope.
|
|
type: string
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.Scopes'
|
|
- type: string
|
|
enum:
|
|
- 'groups'
|
|
openid.spec.Scopes:
|
|
type: string
|
|
enum:
|
|
- 'openid'
|
|
- 'offline_access'
|
|
- 'profile'
|
|
- 'email'
|
|
- 'address'
|
|
- 'phone'
|
|
openid.spec.ErrorResponseGeneric:
|
|
description: >
|
|
An OpenID Connect 1.0 and OAuth 2.0 error response Note this is a generic error response and may describe a
|
|
possible response for a given endpoint that is not entirely accurate or possible. This is only meant to
|
|
represent all of the potential response typesThe enum may also not be exhaustive as the relevant specifications
|
|
are incredibly vast.
|
|
required:
|
|
- 'error'
|
|
properties:
|
|
error:
|
|
description: REQUIRED. A single ASCII [USASCII] error code from the enum.
|
|
type: string
|
|
enum:
|
|
- 'invalid_request'
|
|
- 'invalid_client'
|
|
- 'invalid_grant'
|
|
- 'invalid_scope'
|
|
- 'invalid_request_uri'
|
|
- 'invalid_request_object'
|
|
- 'unauthorized_client'
|
|
- 'unsupported_grant_type'
|
|
- 'unsupported_response_type'
|
|
- 'unsupported_token_type'
|
|
- 'request_not_supported'
|
|
- 'request_uri_not_supported'
|
|
- 'registration_not_supported'
|
|
- 'access_denied'
|
|
- 'server_error'
|
|
- 'temporarily_unavailable'
|
|
- 'unmet_authentication_requirements'
|
|
- 'interaction_required'
|
|
- 'login_required'
|
|
- 'account_selection_required'
|
|
- 'consent_required'
|
|
error_description:
|
|
description: >
|
|
OPTIONAL. Human-readable ASCII [USASCII] text providing additional information, used to assist the client
|
|
developer in understanding the error that occurred. Values for the "error_description" parameter MUST NOT
|
|
include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
|
|
type: string
|
|
error_uri:
|
|
description: >
|
|
OPTIONAL. A URI identifying a human-readable web page with information about the error, used to provide the
|
|
client developer with additional information about the error. Values for the "error_uri" parameter MUST
|
|
conform to the URI-reference syntax and thus MUST NOT include characters outside the set %x21 / %x23-5B /
|
|
%x5D-7E.
|
|
type: string
|
|
error_hint:
|
|
description: An additional hint about the cause of the error.
|
|
type: string
|
|
error_debug:
|
|
description: Additional debug information about the cause of the error.
|
|
type: string
|
|
state:
|
|
description: >
|
|
OAuth 2.0 state value. REQUIRED if the Authorization Request included the state parameter. Set to the value
|
|
received from the Client.
|
|
type: string
|
|
openid.spec.AccessServerTokenAssertionRequest:
|
|
required:
|
|
- 'token'
|
|
type: object
|
|
properties:
|
|
token:
|
|
description: >
|
|
The string value of the token. For access tokens, this
|
|
is the 'access_token" value returned from the token endpoint
|
|
defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens,
|
|
this is the "refresh_token" value returned from the token endpoint
|
|
as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
|
|
are outside the scope of this specification.
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
type: string
|
|
token_type_hint:
|
|
description: >
|
|
A hint about the type of the token submitted for
|
|
introspection. The protected resource MAY pass this parameter to
|
|
help the authorization server optimize the token lookup. If the
|
|
server is unable to locate the token using the given hint, it MUST
|
|
extend its search across all of its supported token types. An
|
|
authorization server MAY ignore this parameter, particularly if it
|
|
is able to detect the token type automatically. Values for this
|
|
field are defined in the "OAuth Token Type Hints" registry defined
|
|
in OAuth Token Revocation [RFC7009].
|
|
enum:
|
|
- 'access_token'
|
|
- 'refresh_token'
|
|
example: 'access_token'
|
|
type: string
|
|
openid.spec.AccessRequest.ClientAuth:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Secret'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.JWT'
|
|
openid.spec.AccessRequest.ClientAuth.Secret:
|
|
required:
|
|
- 'client_id'
|
|
- 'client_secret'
|
|
type: object
|
|
properties:
|
|
client_id:
|
|
description: >
|
|
REQUIRED if the client is not authenticating with the authorization server as described in
|
|
Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
|
|
example: 'my_client'
|
|
type: string
|
|
client_secret:
|
|
description: >
|
|
REQUIRED. The client secret. The client MAY omit the
|
|
parameter if the client secret is an empty string.
|
|
format: password
|
|
type: string
|
|
openid.spec.AccessRequest.ClientAuth.JWT:
|
|
required:
|
|
- 'client_assertion'
|
|
- 'client_assertion_type'
|
|
properties:
|
|
client_id:
|
|
description: >
|
|
REQUIRED if the client is not authenticating with the authorization server as described in
|
|
Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
|
|
example: 'my_client'
|
|
type: string
|
|
client_assertion:
|
|
description: >
|
|
The value of the client_assertion_type parameter MUST be
|
|
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
|
|
enum:
|
|
- 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
|
|
example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
|
|
type: string
|
|
client_assertion_type:
|
|
description: >
|
|
A JWT signed with HS256 using the client secret value or RS256 using a registered public key.
|
|
Theoretically a properly formed JWT signed using HS256 with the client secret as the HMAC key should
|
|
work but this has not been tested.
|
|
format: password
|
|
type: string
|
|
openid.spec.AccessRequest.AuthorizationCodeFlow:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
- type: object
|
|
required:
|
|
- 'code'
|
|
- 'grant_type'
|
|
properties:
|
|
grant_type:
|
|
description: Value MUST be set to "code".
|
|
enum:
|
|
- 'authorization_code'
|
|
type: string
|
|
code:
|
|
description: The Authorization Code.
|
|
example: 'authelia_ac_1j2kn3knj12n3kj12n'
|
|
type: string
|
|
code_verifier:
|
|
description: The Authorization Code Verifier (PKCE).
|
|
example: '88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3'
|
|
type: string
|
|
redirect_uri:
|
|
description: The original Redirect URI used in the Authorization Request.
|
|
example: 'https://app.{{ .Domain | default "example.com" }}/oidc/callback'
|
|
type: string
|
|
openid.spec.AccessRequest.DeviceCodeFlow:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
- type: object
|
|
required:
|
|
- 'grant_type'
|
|
- 'device_code'
|
|
properties:
|
|
grant_type:
|
|
description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
|
|
enum:
|
|
- 'urn:ietf:params:oauth:grant-type:device_code'
|
|
type: string
|
|
device_code:
|
|
description: The Device Authorization Code.
|
|
example: 'authelia_dc_mn123kjn12kj3123njk'
|
|
type: string
|
|
openid.spec.AccessRequest.RefreshTokenFlow:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
- type: object
|
|
required:
|
|
- 'grant_type'
|
|
- 'refresh_token'
|
|
properties:
|
|
grant_type:
|
|
description: Value MUST be set to "refresh_token".
|
|
enum:
|
|
- 'refresh_token'
|
|
type: string
|
|
refresh_token:
|
|
description: The Refresh Token.
|
|
example: 'authelia_rt_1n2j3kihn12kj3n12k'
|
|
type: string
|
|
scope:
|
|
description: >
|
|
The scope of the access request as described by
|
|
Section 3.3. The requested scope MUST NOT include any scope
|
|
not originally granted by the resource owner, and if omitted is
|
|
treated as equal to the scope originally granted by the
|
|
resource owner.
|
|
example: 'openid profile groups'
|
|
type: string
|
|
openid.spec.AccessResponse:
|
|
type: object
|
|
required:
|
|
- 'access_token'
|
|
- 'token_type'
|
|
- 'expires_in'
|
|
properties:
|
|
access_token:
|
|
description: The access token issued by the authorization server.
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
type: string
|
|
id_token:
|
|
description: The id token issued by the authorization server.
|
|
example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
|
|
type: string
|
|
refresh_token:
|
|
description: >
|
|
The refresh token, which can be used to obtain new access tokens using the
|
|
same authorization grant as described in Section 6.
|
|
example: 'authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i'
|
|
type: string
|
|
token_type:
|
|
description: >
|
|
The access token type provides the client with the information
|
|
required to successfully utilize the access token to make a protected
|
|
resource request (along with type-specific attributes). The client
|
|
MUST NOT use an access token if it does not understand the token
|
|
type.
|
|
enum:
|
|
- 'bearer'
|
|
example: 'bearer'
|
|
type: string
|
|
expires_in:
|
|
description: >
|
|
The lifetime in seconds of the access token. For
|
|
example, the value "3600" denotes that the access token will
|
|
expire in one hour from the time the response was generated.
|
|
If omitted, the authorization server SHOULD provide the
|
|
expiration time via other means or document the default value.
|
|
example: 3600
|
|
type: integer
|
|
state:
|
|
description: Exactly the state value passed in the authorization request if present.
|
|
example: '5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB'
|
|
type: string
|
|
scope:
|
|
description: >
|
|
The scope of the access token as described by Section 3.3 if it differs from the requested scope.
|
|
example: 'openid profile groups'
|
|
type: string
|
|
openid.spec.AuthorizeRequest:
|
|
type: object
|
|
required:
|
|
- 'scope'
|
|
- 'response_type'
|
|
- 'client_id'
|
|
- 'redirect_uri'
|
|
properties:
|
|
scope:
|
|
description: The requested scope.
|
|
example: 'openid profile groups'
|
|
type: string
|
|
response_type:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
client_id:
|
|
description: The OAuth 2.0 client identifier.
|
|
example: 'app'
|
|
type: string
|
|
redirect_uri:
|
|
description: >
|
|
Redirection URI to which the response will be sent. This URI MUST exactly match one of the
|
|
Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
|
|
performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
|
|
flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
|
|
that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
|
|
allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
|
|
scheme, such as one that is intended to identify a callback into a native application.
|
|
example: 'https://app.{{ .Domain | default "example.com" }}'
|
|
type: string
|
|
state:
|
|
description: >
|
|
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
|
|
Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
|
|
parameter with a browser cookie.
|
|
example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
|
|
type: string
|
|
response_mode:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
nonce:
|
|
description: >
|
|
String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
|
|
The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
|
|
entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
|
|
implementation notes, see Section 15.5.2.
|
|
example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
|
|
type: string
|
|
display:
|
|
$ref: '#/components/schemas/openid.spec.DisplayType'
|
|
prompt:
|
|
$ref: '#/components/schemas/openid.spec.Prompt'
|
|
max_age:
|
|
description: >
|
|
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
|
|
End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
|
|
OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
|
|
to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
|
|
Token returned MUST include an auth_time Claim Value.
|
|
type: integer
|
|
ui_locales:
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
|
|
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
|
|
the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
|
|
a region designation), followed by English (without a region designation). An error SHOULD NOT
|
|
result if some or all of the requested locales are not supported by the OpenID Provider.
|
|
type: string
|
|
claims_locales:
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
|
|
a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
|
|
SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
|
|
type: string
|
|
id_token_hint:
|
|
description: >
|
|
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
|
|
the End-User's current or past authenticated session with the Client. If the End-User identified by
|
|
the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
|
|
positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
|
|
id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
|
|
returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
|
|
not present. The Authorization Server need not be listed as an audience of the ID Token when it is
|
|
used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
|
|
it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
|
|
ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
|
|
that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
|
|
id_token_hint value.
|
|
type: string
|
|
login_hint:
|
|
description: >
|
|
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
|
|
log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
|
|
address (or other identifier) and then wants to pass that value as a hint to the discovered
|
|
authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
|
|
This value MAY also be a phone number in the format specified for the phone_number Claim. The use
|
|
of this parameter is left to the OP's discretion.
|
|
type: string
|
|
acr_values:
|
|
description: >
|
|
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
|
|
specifies the acr values that the Authorization Server is being requested to use for processing this
|
|
Authentication Request, with the values appearing in order of preference. The Authentication Context
|
|
Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
|
|
Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
|
|
type: string
|
|
claims:
|
|
description: >
|
|
Not Supported: The claims parameter value, as specified in Section 5.5.
|
|
type: string
|
|
registration:
|
|
description: >
|
|
Not Supported: This parameter is used by the Client to provide information about itself to a
|
|
Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
|
|
specified in Section 7.2.1.
|
|
type: string
|
|
request:
|
|
description: >
|
|
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be
|
|
encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
|
|
issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
|
|
Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
|
|
algorithm used is RSA1_5.
|
|
type: string
|
|
openid.spec.SubjectIdentifier:
|
|
description: >
|
|
A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
|
|
End-User, which is intended to be consumed by the Client.
|
|
enum:
|
|
- 'public'
|
|
- 'pairwise'
|
|
type: string
|
|
openid.spec.ClientAuthMethod:
|
|
description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
|
|
enum:
|
|
- 'client_secret_basic'
|
|
- 'client_secret_post'
|
|
- 'client_secret_jwt'
|
|
- 'private_key_jwt'
|
|
- 'none'
|
|
type: string
|
|
openid.spec.DisplayType:
|
|
description: >
|
|
ASCII string value that specifies how the Authorization Server displays the authentication and consent user
|
|
interface pages to the End-User.
|
|
enum:
|
|
- 'page'
|
|
- 'popup'
|
|
- 'touch'
|
|
- 'wap'
|
|
example: 'page'
|
|
type: string
|
|
openid.spec.Prompt:
|
|
description: >
|
|
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
|
|
Authorization Server prompts the End-User for reauthentication and consent.
|
|
enum:
|
|
- 'none'
|
|
- 'login'
|
|
- 'consent'
|
|
- 'select_account'
|
|
- 'login consent'
|
|
- 'login select_account'
|
|
- 'consent select_account'
|
|
example: 'none'
|
|
type: string
|
|
openid.spec.ResponseType:
|
|
description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
|
|
enum:
|
|
- 'code'
|
|
- 'id_token'
|
|
- 'token'
|
|
- "code token"
|
|
- "code id_token"
|
|
- "token id_token"
|
|
- "code id_token token"
|
|
- 'none'
|
|
example: 'code'
|
|
type: string
|
|
openid.spec.ResponseMode:
|
|
description: >
|
|
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
|
|
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
|
|
the default mode specified for the Response Type.
|
|
enum:
|
|
- 'form_post'
|
|
- 'query'
|
|
- 'fragment'
|
|
- 'jwt'
|
|
- 'form_post.jwt'
|
|
- 'query.jwt'
|
|
- 'fragment.jwt'
|
|
example: 'query'
|
|
type: string
|
|
openid.spec.GrantType:
|
|
description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
|
|
enum:
|
|
- 'authorization_code'
|
|
- 'refresh_token'
|
|
- 'implicit'
|
|
- 'password'
|
|
- 'client_credentials'
|
|
- "urn:ietf:params:oauth:grant-type:device_code"
|
|
example: 'authorization_code'
|
|
type: string
|
|
openid.spec.CodeChallengeMethod:
|
|
description: The RFC7636 Code Challenge Verifier Method.
|
|
enum:
|
|
- 'plain'
|
|
- 'S256'
|
|
example: 'S256'
|
|
type: string
|
|
openid.spec.ClaimType:
|
|
description: The representation of claims.
|
|
enum:
|
|
- 'normal'
|
|
- 'aggregated'
|
|
- 'distributed'
|
|
example: 'normal'
|
|
type: string
|
|
jose.spec.None:
|
|
description: The JSON Web Signature Algorithm
|
|
type: string
|
|
enum:
|
|
- 'none'
|
|
jose.spec.JWS.None:
|
|
description: The JSON Web Signature Algorithm
|
|
oneOf:
|
|
- $ref: '#/components/schemas/jose.spec.None'
|
|
- $ref: '#/components/schemas/jose.spec.JWS'
|
|
type: string
|
|
jose.spec.JWS:
|
|
description: The JSON Web Signature Algorithm
|
|
enum:
|
|
- 'HS256'
|
|
- 'HS384'
|
|
- 'HS512'
|
|
- 'RS256'
|
|
- 'RS384'
|
|
- 'RS512'
|
|
- 'ES256'
|
|
- 'ES384'
|
|
- 'ES512'
|
|
- 'PS256'
|
|
- 'PS384'
|
|
- 'PS512'
|
|
type: string
|
|
jose.spec.JWE.alg:
|
|
description: The JSON Web Encryption Algorithm (CEK)
|
|
enum:
|
|
- 'RSA1_5'
|
|
- 'RSA-OAEP'
|
|
- 'RSA-OAEP-256'
|
|
- 'A128KW'
|
|
- 'A192KW'
|
|
- 'A256KW'
|
|
- 'dir'
|
|
- 'ECDH-ES'
|
|
- 'ECDH-ES+A128KW'
|
|
- 'ECDH-ES+A192KW'
|
|
- 'ECDH-ES+A256KW'
|
|
- 'A128GCMKW'
|
|
- 'A192GCMKW'
|
|
- 'A256GCMKW'
|
|
- 'PBES2-HS256+A128KW'
|
|
- 'PBES2-HS384+A192KW'
|
|
- 'PBES2-HS512+A256KW'
|
|
type: string
|
|
jose.spec.JWE.enc:
|
|
description: The JSON Web Encryption Algorithm (Claims)
|
|
enum:
|
|
- 'A128CBC-HS256'
|
|
- 'A192CBC-HS384'
|
|
- 'A256CBC-HS512'
|
|
- 'A128CBC'
|
|
- 'A256CBC'
|
|
- 'A128GCM'
|
|
- 'A256GCM'
|
|
type: string
|
|
jose.spec.JWK.base:
|
|
type: object
|
|
properties:
|
|
use:
|
|
description: >
|
|
The "use" (public key use) parameter identifies the intended use of
|
|
the public key. The "use" parameter is employed to indicate whether
|
|
a public key is used for encrypting data or verifying the signature
|
|
on data.
|
|
enum:
|
|
- 'sig'
|
|
- 'enc'
|
|
example: 'sig'
|
|
type: string
|
|
key_ops:
|
|
description: >
|
|
The "key_ops" (key operations) parameter identifies the operation(s)
|
|
for which the key is intended to be used. The "key_ops" parameter is
|
|
intended for use cases in which public, private, or symmetric keys
|
|
may be present.
|
|
example: ['sign']
|
|
type: array
|
|
items:
|
|
enum:
|
|
- 'sign'
|
|
- 'verify'
|
|
- 'encrypt'
|
|
- 'decrypt'
|
|
- 'wrapKey'
|
|
- 'unwrapKey'
|
|
- 'deriveKey'
|
|
- 'deriveBits'
|
|
type: string
|
|
kid:
|
|
description: >
|
|
The "kid" (key ID) parameter is used to match a specific key. This
|
|
is used, for instance, to choose among a set of keys within a JWK Set
|
|
during key rollover. The structure of the "kid" value is
|
|
unspecified. When "kid" values are used within a JWK Set, different
|
|
keys within the JWK Set SHOULD use distinct "kid" values. (One
|
|
example in which different keys might use the same "kid" value is if
|
|
they have different "kty" (key type) values but are considered to be
|
|
equivalent alternatives by the application using them.) The "kid"
|
|
value is a case-sensitive string. Use of this member is OPTIONAL.
|
|
When used with JWS or JWE, the "kid" value is used to match a JWS or
|
|
JWE "kid" Header Parameter value.
|
|
type: string
|
|
x5u:
|
|
description: >
|
|
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
|
|
resource for an X.509 public key certificate or certificate chain
|
|
[RFC5280]. The identified resource MUST provide a representation of
|
|
the certificate or certificate chain that conforms to RFC 5280
|
|
[RFC5280] in PEM-encoded form, with each certificate delimited as
|
|
specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
|
|
certificate MUST match the public key represented by other members of
|
|
the JWK. The protocol used to acquire the resource MUST provide
|
|
integrity protection; an HTTP GET request to retrieve the certificate
|
|
MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
|
|
validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
|
|
member is OPTIONAL.
|
|
type: string
|
|
x5c:
|
|
description: >
|
|
The "x5c" (X.509 certificate chain) parameter contains a chain of one
|
|
or more PKIX certificates [RFC5280]. The certificate chain is
|
|
represented as a JSON array of certificate value strings. Each
|
|
string in the array is a base64-encoded (Section 4 of [RFC4648] --
|
|
not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
|
|
The PKIX certificate containing the key value MUST be the first
|
|
certificate. This MAY be followed by additional certificates, with
|
|
each subsequent certificate being the one used to certify the
|
|
previous one. The key in the first certificate MUST match the public
|
|
key represented by other members of the JWK. Use of this member is
|
|
OPTIONAL.
|
|
type: array
|
|
items:
|
|
format: byte
|
|
type: string
|
|
x5t:
|
|
description: >
|
|
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
|
|
base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
|
|
encoding of an X.509 certificate [RFC5280]. Note that certificate
|
|
thumbprints are also sometimes known as certificate fingerprints.
|
|
The key in the certificate MUST match the public key represented by
|
|
other members of the JWK. Use of this member is OPTIONAL.
|
|
format: byte
|
|
type: string
|
|
x5t#S256:
|
|
description: >
|
|
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
|
|
base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
|
|
encoding of an X.509 certificate [RFC5280]. Note that certificate
|
|
thumbprints are also sometimes known as certificate fingerprints.
|
|
The key in the certificate MUST match the public key represented by
|
|
other members of the JWK. Use of this member is OPTIONAL.
|
|
format: byte
|
|
type: string
|
|
jose.spec.JWK.RSA:
|
|
description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- required:
|
|
- 'kty'
|
|
- 'n'
|
|
- 'e'
|
|
type: object
|
|
properties:
|
|
kty:
|
|
description: >
|
|
The "kty" (key type) parameter identifies the cryptographic algorithm
|
|
family used with the key.
|
|
type: string
|
|
example: 'RSA'
|
|
enum:
|
|
- 'RSA'
|
|
alg:
|
|
description: The JSON Web Signature Algorithm
|
|
type: string
|
|
example: 'RS256'
|
|
enum:
|
|
- 'RS256'
|
|
- 'RS384'
|
|
- 'RS512'
|
|
- 'PS256'
|
|
- 'PS384'
|
|
- 'PS512'
|
|
n:
|
|
description: >
|
|
RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
|
|
represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
e:
|
|
description: >
|
|
RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
|
|
It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK.RSA.Private:
|
|
description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
|
|
- type: object
|
|
required:
|
|
- 'd'
|
|
properties:
|
|
d:
|
|
description: >
|
|
RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
|
|
private key. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
p:
|
|
description: >
|
|
RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
|
|
It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
q:
|
|
description: >
|
|
RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
|
|
represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
dp:
|
|
description: >
|
|
RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
|
|
(CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
dq:
|
|
description: >
|
|
RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
|
|
second factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
qi:
|
|
description: >
|
|
RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
|
|
factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
oth:
|
|
description: >
|
|
The "oth" (other primes info) parameter contains an array of
|
|
information about any third and subsequent primes, should they exist.
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- 'r'
|
|
- 'd'
|
|
- 't'
|
|
properties:
|
|
r:
|
|
description: >
|
|
The "r" (prime factor) parameter within an "oth" array member
|
|
represents the value of a subsequent prime factor. It is represented
|
|
as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
d:
|
|
description: >
|
|
The "d" (factor CRT exponent) parameter within an "oth" array member
|
|
represents the CRT exponent of the corresponding prime factor. It is
|
|
represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
t:
|
|
description: >
|
|
The "t" (factor CRT coefficient) parameter within an "oth" array
|
|
member represents the CRT coefficient of the corresponding prime
|
|
factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK.EC:
|
|
description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- type: object
|
|
required:
|
|
- 'kty'
|
|
- 'crv'
|
|
- 'x'
|
|
properties:
|
|
kty:
|
|
description: >
|
|
The "kty" (key type) parameter identifies the cryptographic algorithm
|
|
family used with the key.
|
|
type: string
|
|
example: 'EC'
|
|
enum:
|
|
- 'EC'
|
|
alg:
|
|
description: The JSON Web Signature Algorithm
|
|
type: string
|
|
example: 'ES256'
|
|
enum:
|
|
- 'ES256'
|
|
- 'ES384'
|
|
- 'ES512'
|
|
x:
|
|
description: >
|
|
EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
|
|
It is represented as the base64url encoding of the octet string representation of the coordinate, as
|
|
defined in Section 2.3.5 of SEC1 [SEC1].
|
|
type: string
|
|
format: byte
|
|
y:
|
|
description: >
|
|
EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
|
|
It is represented as the base64url encoding of the octet string representation of the coordinate, as
|
|
defined in Section 2.3.5 of SEC1 [SEC1].
|
|
type: string
|
|
format: byte
|
|
crv:
|
|
description: >
|
|
The curve parameter identifies the cryptographic curve used with the key. Curve
|
|
values from [DSS] used by this specification.
|
|
type: string
|
|
example: 'P-521'
|
|
enum:
|
|
- 'P-256'
|
|
- 'P-384'
|
|
- 'P-521'
|
|
- 'Ed25519'
|
|
- 'Ed448'
|
|
- 'X25519'
|
|
- 'X448'
|
|
- 'secp256k1'
|
|
jose.spec.JWK.EC.Private:
|
|
description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.EC'
|
|
- type: object
|
|
required:
|
|
- 'd'
|
|
properties:
|
|
d:
|
|
description: >
|
|
ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
|
|
is represented as the base64url encoding of the octet string representation of the private key value,
|
|
as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
|
|
ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK.Symmetric:
|
|
description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- type: object
|
|
required:
|
|
- 'k'
|
|
properties:
|
|
kty:
|
|
description: >
|
|
The "kty" (key type) parameter identifies the cryptographic algorithm
|
|
family used with the key.
|
|
type: string
|
|
example: 'oct'
|
|
enum:
|
|
- 'oct'
|
|
k:
|
|
description: >
|
|
The "k" (key value) parameter contains the value of the symmetric (or
|
|
other single-valued) key. It is represented as the base64url
|
|
encoding of the octet sequence containing the key value.
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK:
|
|
type: string
|
|
anyOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.EC'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
|
|
jose.spec.JWKs:
|
|
type: object
|
|
description: The JSON Web Key Sets Document as defined by RFC7517.
|
|
properties:
|
|
keys:
|
|
description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
|
|
type: array
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWK'
|
|
{{- end }}
|
|
securitySchemes:
|
|
authelia_auth:
|
|
type: apiKey
|
|
name: '{{ .Session }}'
|
|
in: cookie
|
|
{{- if .OpenIDConnect }}
|
|
openid:
|
|
type: openIdConnect
|
|
openIdConnectUrl: '{{ .BaseURL }}.well-known/openid-configuration'
|
|
{{- end }}
|
|
...
|