authorJames Elliott <james-d-elliott@users.noreply.github.com>2022-12-14 16:18:34 +1100
committerGitHub <noreply@github.com>2022-12-14 16:18:34 +1100
commit241b9b19501c077ce43e0615042851e7b8b7ce87 (patch)
tree0170fc70930ad8823d0efcc4b1dda612bbf36099 /api
parent28cd927f8890e6c13c67bfc393795f9348b76aa4 (diff)
docs(api): update openapi.yml with oidc endpoints (#4572)
Diffstat (limited to 'api')
-rw-r--r--api/openapi.yml2158
1 files changed, 2148 insertions, 10 deletions
diff --git a/api/openapi.yml b/api/openapi.yml
index 15443a24e..f0f991d1d 100644
--- a/api/openapi.yml
+++ b/api/openapi.yml
@@ -1,5 +1,6 @@
+# yamllint disable rule:line-length
---
-openapi: 3.0.0
+openapi: 3.0.3
info:
title: Authelia API
description: >
@@ -7,12 +8,15 @@ info:
sign-on (SSO) for your applications via a web portal.
contact:
name: Authelia Support
- url: https://github.com/authelia/authelia#contact-options
+ url: https://www.authelia.com/contact/
email: team@authelia.com
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0
version: 1.0.0
+servers:
+ - url: "{{ .BaseURL }}"
+ description: Authelia API
tags:
- name: State
description: Configuration, health and state endpoints
@@ -24,6 +28,12 @@ tags:
description: User configuration endpoints
- name: Second Factor
description: TOTP, Webauthn and Duo endpoints
+ externalDocs:
+ url: https://www.authelia.com/configuration/second-factor/introduction/
+ - name: OpenID Connect 1.0
+ description: OpenID Connect 1.0 and OAuth 2.0 Endpoints
+ externalDocs:
+ url: https://www.authelia.com/integration/openid-connect/introduction/
paths:
/api/configuration:
get:
@@ -596,7 +606,7 @@ paths:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
- description: This endpoint retreives a users available devices and capabilities from Duo.
+ description: This endpoint retrieves a users available devices and capabilities from Duo.
responses:
"200":
description: Successful Operation
@@ -631,6 +641,520 @@ paths:
description: Unauthorized
security:
- authelia_auth: []
+ /.well-known/openid-configuration:
+ get:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect Discovery 1.0 Document
+ description: >
+ This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for
+ an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html.
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration'
+ "400":
+ description: Bad Request
+ "500":
+ description: Internal Server Error
+ /.well-known/oauth-authorization-server:
+ get:
+ tags:
+ - OpenID Connect 1.0
+ summary: OAuth 2.0 Authorization Server Metadata
+ description: >
+ This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
+ perform discovery for an OAuth 2.0 Authorization Server. See https://www.rfc-editor.org/rfc/rfc8414.
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer'
+ "400":
+ description: Bad Request
+ "500":
+ description: Internal Server Error
+ /jwks.json:
+ get:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 JSON Web Key Set Document
+ description: >
+ This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate
+ information from this OpenID Connect 1.0 Provider.
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jose.spec.JWKs'
+ /api/oidc/authorization:
+ get:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 Authorization Endpoint
+ description: >
+ This endpoint performs OpenID Connect 1.0 Authorization.
+ parameters:
+ - in: query
+ name: id
+ required: false
+ description: The OpenID Connect 1.0 consent workflow ID.
+ schema:
+ type: string
+ format: uuid
+ pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
+ example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4"
+ - in: query
+ name: scope
+ description: The requested scope.
+ required: true
+ schema:
+ type: string
+ example: "openid profile groups"
+ - in: query
+ name: response_type
+ description: The OAuth 2.0 response type.
+ required: true
+ schema:
+ $ref: '#/components/schemas/openid.spec.ResponseType'
+ - in: query
+ name: client_id
+ description: The OAuth 2.0 client identifier.
+ required: true
+ schema:
+ type: string
+ example: "app"
+ - in: query
+ name: redirect_uri
+ description: >
+ Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI
+ values for the Client pre-registered at the OpenID Provider, with the matching performed as described in
+ Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use
+ the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as
+ defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this
+ case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback
+ into a native application.
+ required: true
+ schema:
+ type: string
+ example: "https://app.example.com"
+ - in: query
+ name: state
+ description: >
+ Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request
+ Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a
+ browser cookie.
+ required: false
+ schema:
+ type: string
+ example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
+ - in: query
+ name: response_mode
+ description: >
+ Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
+ Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
+ the default mode specified for the Response Type.
+ required: false
+ schema:
+ $ref: '#/components/schemas/openid.spec.ResponseMode'
+ - in: query
+ name: nonce
+ description: >
+ String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value
+ is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be
+ present in the nonce values used to prevent attackers from guessing values. For implementation notes, see
+ Section 15.5.2.
+ required: false
+ schema:
+ type: string
+ example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
+ - in: query
+ name: display
+ description: >
+ Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication
+ and consent user interface pages to the End-User.
+ required: false
+ schema:
+ $ref: '#/components/schemas/openid.spec.DisplayType'
+ - in: query
+ name: prompt
+ description: >
+ Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
+ Authorization Server prompts the End-User for reauthentication and consent.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: max_age
+ description: >
+ Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User
+ was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to
+ actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE
+ [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an
+ auth_time Claim Value.
+ required: false
+ schema:
+ type: integer
+ example: 3600
+ - in: query
+ name: ui_locales
+ description: >
+ Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
+ space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
+ "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region
+ designation), followed by English (without a region designation). An error SHOULD NOT result if some or all
+ of the requested locales are not supported by the OpenID Provider.
+ required: false
+ schema:
+ type: string
+ example: "en-US"
+ - in: query
+ name: claims_locales
+ description: >
+ Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a
+ space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT
+ result if some or all of the requested locales are not supported by the OpenID Provider.
+ required: false
+ schema:
+ type: string
+ example: "en-US"
+ - in: query
+ name: id_token_hint
+ required: false
+ description: >
+ Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the
+ End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token
+ is logged in or is logged in by the request, then the Authorization Server returns a positive response;
+ otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be
+ present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the
+ server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need
+ not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token
+ received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the
+ signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to
+ the Authentication Server using a key that enables the server to decrypt the ID Token, and use the
+ re-encrypted ID token as the id_token_hint value.
+ schema:
+ type: string
+ - in: query
+ name: login_hint
+ description: >
+ Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in
+ (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address
+ (or other identifier) and then wants to pass that value as a hint to the discovered authorization service.
+ It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone
+ number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's
+ discretion.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: acr_values
+ description: >
+ Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
+ specifies the acr values that the Authorization Server is being requested to use for processing this
+ Authentication Request, with the values appearing in order of preference. The Authentication Context Class
+ satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2.
+ The acr Claim is requested as a Voluntary Claim by this parameter.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: claims
+ description: >
+ Not Supported: The claims parameter value, as specified in Section 5.5.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: registration
+ description: >
+ Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP
+ that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: request
+ description: >
+ Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to
+ the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this
+ Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only
+ supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: code_challenge
+ description: >
+ RFC7636 Code Challenge.
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: code_challenge_method
+ required: false
+ description: >
+ RFC7636 Code Challenge Method. defaults to "plain" if not present in the request.
+ Code verifier transformation method is "S256" or "plain".
+ schema:
+ $ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
+ responses:
+ "200":
+ description: OK
+ content:
+ text/html:
+ schema:
+ type: string
+ description: The Form Post Response Mode content.
+ "303":
+ description: See Other
+ headers:
+ Location:
+ schema:
+ type: string
+ description: >
+ Redirection location for the consent flow, or the authorization response callback location when using
+ the Query or Fragment Response Modes.
+ "400":
+ description: Bad Request
+ "500":
+ description: Internal Server Error
+ post:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 Authorization Endpoint
+ description: >
+ This endpoint performs OpenID Connect 1.0 Authorization.
+ requestBody:
+ description: Authorize Request Parameters.
+ required: true
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/openid.spec.AuthorizeRequest'
+ responses:
+ "200":
+ description: OK
+ content:
+ text/html:
+ schema:
+ type: string
+ description: The Form Post Response Mode content.
+ "303":
+ description: See Other
+ headers:
+ Location:
+ schema:
+ type: string
+ description: >
+ Redirection location for the consent flow, or the authorization response callback location when using
+ the Query or Fragment Response Modes.
+ "400":
+ description: Bad Request
+ "500":
+ description: Internal Server Error
+ security:
+ - authelia_auth: []
+ /api/oidc/token:
+ post:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 Token Endpoint
+ description: >
+ This endpoint performs OpenID Connect 1.0 Token Access Requests.
+ requestBody:
+ description: Access Request Parameters.
+ required: true
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow'
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow'
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow'
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/openid.spec.AccessResponse'
+ "401":
+ description: Forbidden
+ "403":
+ description: Unauthorized
+ "500":
+ description: Internal Server Error
+ security:
+ - openid: []
+ /api/oidc/revocation:
+ post:
+ tags:
+ - OpenID Connect 1.0
+ summary: OAuth 2.0 Token Revocation Endpoint
+ description: >
+ This endpoint performs OAuth 2.0 Token Revocation Requests.
+ requestBody:
+ description: Required OAuth 2.0 revocation parameters.
+ required: true
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/openid.spec.IntrospectionRequest'
+ responses:
+ "200":
+ description: OK
+ "401":
+ description: Forbidden
+ "403":
+ description: Unauthorized
+ "500":
+ description: Internal Server Error
+ security:
+ - openid: []
+ /api/oidc/introspection:
+ post:
+ tags:
+ - OpenID Connect 1.0
+ summary: OAuth 2.0 Token Introspection Endpoint
+ description: >
+ This endpoint performs OAuth 2.0 Token Introspection Requests.
+ requestBody:
+ description: Required OAuth 2.0 introspection parameters.
+ required: true
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/openid.spec.IntrospectionRequest'
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.implementation.Claims.Object'
+ "401":
+ description: Forbidden
+ "403":
+ description: Unauthorized
+ "500":
+ description: Internal Server Error
+ security:
+ - openid: []
+ /api/oidc/userinfo:
+ get:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 UserInfo Endpoint
+ description: >
+ This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
+ parameters:
+ - in: query
+ name: access_token
+ description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
+ schema:
+ type: string
+ example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
+ responses:
+ "200":
+ description: OK
+ content:
+ application/jwt: {}
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.implementation.Claims.Object'
+ "401":
+ description: Forbidden
+ "403":
+ description: Unauthorized
+ "500":
+ description: Internal Server Error
+ security:
+ - openid: []
+ post:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 UserInfo Endpoint
+ description: >
+ This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
+ parameters:
+ - in: query
+ name: access_token
+ description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
+ schema:
+ type: string
+ example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
+ requestBody:
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ type: object
+ properties:
+ access_token:
+ description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
+ type: string
+ example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
+ responses:
+ "200":
+ description: OK
+ content:
+ application/jwt: {}
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.implementation.Claims.Object'
+ "401":
+ description: Forbidden
+ "403":
+ description: Unauthorized
+ "500":
+ description: Internal Server Error
+ security:
+ - openid: []
+ /api/oidc/consent:
+ get:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 Consent Information
+ description: >
+ This endpoint retrieves the consent information about a specific consent ID during the consent workflow.
+ parameters:
+ - $ref: '#/components/parameters/idRequiredParam'
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.request.consent'
+ "403":
+ description: Forbidden
+ security:
+ - authelia_auth: []
+ post:
+ tags:
+ - OpenID Connect 1.0
+ summary: OpenID Connect 1.0 Consent Response
+ description: >
+ This endpoint retrieves the consent response for a specific consent ID during the consent workflow.
+ responses:
+ "200":
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/openid.response.consent'
+ "403":
+ description: Forbidden
+ security:
+ - authelia_auth: []
components:
parameters:
originalURLParam:
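Review bot: The status-code descriptions on the token operation are inverted — `"401": description: Forbidden` and `"403": description: Unauthorized` — whereas HTTP 401 is Unauthorized and 403 is Forbidden, and the same inversion is repeated on the revocation, introspection and both userinfo operations in this hunk. The userinfo GET and POST document `access_token` only as a query parameter (and, for POST, a form field); RFC 6750 §2.3 marks URI-query transmission as NOT RECOMMENDED because the token then lands in server, proxy and browser-history logs, so the bearer `Authorization` header form should be described as the primary mechanism (presumably what the `openid` security scheme covers — it is defined outside this hunk) with the query form noted as a fallback. The revocation operation's request body points at `openid.spec.IntrospectionRequest`; unless that schema is deliberately shared, a dedicated revocation request schema (RFC 7009 `token` / `token_type_hint`) would be clearer to readers. The consent POST carries no `requestBody` and its description says it "retrieves" the consent response, which reads like a copy of the GET; if the body is the user's consent decision, document it. The enclosing `paths` mapping starts in an earlier hunk.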
@@ -676,6 +1200,13 @@ components:
schema:
type: string
enum: ["basic"]
+ idRequiredParam:
+ name: id
+ in: query
+ description: The ID of what is being requested
+ required: true
+ schema:
+ type: string
schemas:
handlers.checkURIWithinDomainRequestBody:
type: object
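Review bot: `idRequiredParam` is described only as "The ID of what is being requested" with a bare `type: string`, while its only consumer in this commit, the consent GET, uses it as the consent workflow ID that the authorization operation's `id` parameter and the `workflowID` properties constrain with `format: uuid` and the UUID `pattern`. Adding the same two lines, `format: uuid` and the shared pattern, plus a description such as `description: The OpenID Connect 1.0 consent workflow ID.` would make the parameter validate and read consistently with the rest of the spec. The `components` block continues outside the hunk.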
@@ -805,7 +1336,9 @@ components:
example: openid_connect
workflowID:
type: string
- example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c
+ format: uuid
+ pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
+ example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
requestMethod:
type: string
example: GET
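Review bot: The UUID `pattern` literal added to `workflowID` here is copied verbatim into the hunks at -871, -886 and -1072, as well as onto the authorization `id` query parameter and the consent `id` property; a single reusable string schema (a constructed name such as `openid.implementation.UUID` holding `type: string`, `format: uuid` and the pattern) referenced by `$ref` would keep the copies from drifting. The `\b` assertions between each hex group and its hyphen are also redundant, since a word boundary always exists between a hex digit and `-`, so the pattern can be written as `'^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'` without changing what it accepts. Quoting the `example` as a string is a good change, since an unquoted value of this shape can be mis-typed by some YAML loaders.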
@@ -871,7 +1404,9 @@ components:
example: openid_connect
workflowID:
type: string
- example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c
+ format: uuid
+ pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
+ example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
handlers.bodySignTOTPRequest:
type: object
properties:
@@ -886,7 +1421,9 @@ components:
example: openid_connect
workflowID:
type: string
- example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c
+ format: uuid
+ pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
+ example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
handlers.StateResponse:
type: object
properties:
@@ -919,7 +1456,7 @@ components:
example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
otpauth_url:
type: string
- example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q # yamllint disable-line rule:line-length
+ example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
handlers.UserInfo:
type: object
properties:
@@ -995,7 +1532,7 @@ components:
properties:
token:
type: string
- example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY # yamllint disable-line rule:line-length
+ example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY
middlewares.OkResponse:
type: object
properties:
@@ -1072,7 +1609,9 @@ components:
example: openid_connect
workflowID:
type: string
- example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c
+ format: uuid
+ pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
+ example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
webauthn.PublicKeyCredentialCreationOptions:
type: object
properties:
@@ -1300,9 +1839,1608 @@ components:
written:
type: boolean
example: false
+ openid.request.consent:
+ type: object
+ properties:
+ status:
+ type: string
+ example: OK
+ data:
+ type: object
+ properties:
+ client_id:
+ type: string
+ description: The identifier of the client for the user to provide consent for.
+ example: "app"
+ client_description:
+ description: The descriptive name of the client for the user to provide consent for.
+ type: string
+ example: "App Platform"
+ scopes:
+ description: The list of the requested scopes for the user to provide consent for.
+ type: array
+ items:
+ type: string
+ enum:
+ - "openid"
+ - "offline_access"
+ - "groups"
+ - "email"
+ - "profile"
+ audience:
+ description: The list of the requested audiences for the user to provide consent for.
+ type: array
+ items:
+ type: string
+ pre_configuration:
+ description: Indicates if this client supports pre-configuration.
+ type: boolean
+ example: true
+ openid.response.consent:
+ type: object
+ properties:
+ status:
+ type: string
+ example: OK
+ data:
+ type: object
+ properties:
+ id:
+ description: The identifier of the consent session.
+ type: string
+ format: uuid
+ pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
+ example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4"
+ client_id:
+ description: The identifier of the client for the user to provide consent for.
+ type: string
+ example: "app"
+ consent:
+ description: Indicates if the user consented to the consent request.
+ type: boolean
+ example: true
+ pre_configure:
+ description: Indicates if the user consented to pre-configuration.
+ type: boolean
+ example: true
+ openid.spec.Metadata.OAuth2AuthorizationServer:
+ type: object
+ required:
+ - issuer
+ - authorization_endpoint
+ - subject_types_supported
+ - response_types_supported
+ - require_pushed_authorization_requests
+ properties:
+ authorization_endpoint:
+ description: >
+ URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
+ See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
+ type: string
+ example: "{{ .BaseURL }}api/oidc/authorization"
+ claims_supported:
+ description: >
+ JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
+ values for. Note that for privacy or other reasons, this might not be an exhaustive list.
+ type: array
+ example:
+ - "amr"
+ - "aud"
+ - "azp"
+ - "client_id"
+ - "exp"
+ - "iat"
+ - "iss"
+ - "jti"
+ - "rat"
+ - "sub"
+ - "auth_time"
+ - "nonce"
+ - "email"
+ - "email_verified"
+ - "alt_emails"
+ - "groups"
+ - "preferred_username"
+ - "name"
+ items:
+ $ref: '#/components/schemas/openid.implementation.Claims.Array'
+ code_challenge_methods_supported:
+ description: >
+ JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
+ server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
+ 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
+ Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
+ PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
+ type: array
+ example: ["S256", "none"]
+ items:
+ $ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
+ grant_types_supported:
+ type: array
+ description: >
+ JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
+ Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
+ Types. If omitted, the default value is ["authorization_code", "implicit"].
+ example: ["authorization_code", "implicit"]
+ items:
+ $ref: '#/components/schemas/openid.spec.GrantType'
+ introspection_endpoint:
+ description: >
+ URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
+ Introspection: https://datatracker.ietf.org/doc/html/rfc7662
+ type: string
+ example: "{{ .BaseURL }}api/oidc/introspection"
+ introspection_endpoint_auth_methods_supported:
+ description: >
+ JSON array containing a list of client authentication methods supported by this introspection endpoint. The
+ valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
+ Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token
+ Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If
+ omitted, the set of supported authentication methods MUST be determined by other means. See Also:
+ IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
+ OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
+ https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
+ type: array
+ example: ["client_secret_post"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
+ introspection_endpoint_auth_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
+ endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
+ for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
+ present if either of these authentication methods are specified in the
+ "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
+ omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.jws'
+ issuer:
+ description:
+ URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
+ If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
+ by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
+ type: string
+ example: "{{ .BaseURL }}"
+ jwks_uri:
+ description: >
+ URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
+ signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
+ to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
+ parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
+ Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
+ RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
+ keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
+ type: string
+ example: "{{ .BaseURL }}jwks.json"
+ op_policy_uri:
+ description:
+ URL that the OpenID Provider provides to the person registering the Client to read about the OP's
+ requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
+ display this URL to the person registering the Client if it is given.
+ type: string
+ op_tos_uri:
+ description: >
+ URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
+ terms of service. The registration process SHOULD display this URL to the person registering the Client if
+ it is given.
+ type: string
+ pushed_authorization_request_endpoint:
+ description: >
+ The URL of the pushed authorization request endpoint at which a client can post an authorization request to
+ exchange for a "request_uri" value usable at the authorization server.
+ type: string
+ example: "{{ .BaseURL }}api/oidc/par"
+ registration_endpoint:
+ description: >
+ URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
+ OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
+ type: string
+ example: "{{ .BaseURL }}api/oidc/registration"
+ require_pushed_authorization_requests:
+ description: >
+ Boolean parameter indicating whether the authorization server accepts authorization request data only via
+ PAR. If omitted, the default value is "false".
+ type: boolean
+ example: false
+ response_modes_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
+ OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
+ OpenID Providers is ["query", "fragment"].
+ type: array
+ example: ["query", "fragment"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ResponseMode'
+ response_types_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
+ Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
+ type: array
+ example: ["code", "id_token", "token id_token"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ResponseType'
+ revocation_endpoint:
+ description: >
+ URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
+ See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
+ type: string
+ example: "{{ .BaseURL }}api/oidc/revocation"
+ revocation_endpoint_auth_methods_supported:
+ description: >
+ JSON array containing a list of client authentication methods supported by this revocation endpoint. The
+ valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
+ Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
+ -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also:
+ IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
+ OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+ type: array
+ example: ["client_secret_post"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
+ revocation_endpoint_auth_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
+ endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
+ the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
+ either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
+ entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
+ See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.jws'
+ scopes_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server
+ MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even
+ when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
+ See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
+ type: array
+ example:
+ - "openid"
+ - "offline_access"
+ - "profile"
+ - "email"
+ - "groups"
+ items:
+ $ref: '#/components/schemas/openid.implementation.Scopes.Object'
+ service_documentation:
+ description: >
+ URL of a page containing human-readable information that developers might want or need to know when using
+ the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
+ then information on how to register Clients needs to be provided in this documentation.
+ type: string
+ example: "https://authelia.com"
+ subject_types_supported:
+ description: >
+ JSON array containing a list of the Subject Identifier types that this OP supports.
+ Valid types include pairwise and public.
+ type: array
+ example: ["public", "pairwise"]
+ items:
+ $ref: '#/components/schemas/openid.spec.SubjectIdentifier'
+ token_endpoint:
+ description: >
+ URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
+ used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
+ type: string
+ example: "{{ .BaseURL }}api/oidc/token"
+ token_endpoint_auth_methods_supported:
+ description: >
+ JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
+ are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
+ 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
+ omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
+ 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
+ OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+ type: array
+ example: ["client_secret_post"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
+ token_endpoint_auth_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
+ the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
+ and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
+ See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519'
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.jws'
+ ui_locales_supported:
+ type: array
+ description: >
+ Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
+ language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
+ example: ["en-US"]
+ items:
+ type: string
+ openid.spec.Metadata.OpenIDConfiguration:
+ type: object
+ required:
+ - "issuer"
+ - "authorization_endpoint"
+ - "subject_types_supported"
+ - "response_types_supported"
+ - "require_pushed_authorization_requests"
+ - "request_uri_parameter_supported"
+ - "require_request_uri_registration"
+ - "claims_parameter_supported"
+ - "frontchannel_logout_supported"
+ - "frontchannel_logout_session_supported"
+ - "backchannel_logout_supported"
+ - "backchannel_logout_session_supported"
+ properties:
+ acr_values_supported:
+ description:
+ JSON array containing a list of the Authentication Context Class References that this OP supports.
+ type: array
+ items:
+ type: string
+ authorization_endpoint:
+ description: >
+ URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
+ See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
+ type: string
+ example: "{{ .BaseURL }}api/oidc/authorization"
+ backchannel_logout_session_supported:
+ description: >
+ Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
+ the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
+ If omitted, the default value is false.
+ type: boolean
+ example: false
+ backchannel_logout_supported:
+ description: >
+ Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If
+ omitted, the default value is false.
+ type: boolean
+ example: false
+ claim_types_supported:
+ description: >
+ JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are
+ described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
+ normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also:
+ OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
+ type: array
+ example: ["normal"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClaimType'
+ claims_locales_supported:
+ description: >
+ Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47
+ [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
+ See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
+ type: array
+ example: ["en-US"]
+ items:
+ type: string
+ claims_parameter_supported:
+ description: >
+ Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
+ If omitted, the default value is false.
+ type: boolean
+ example: false
+ claims_supported:
+ description: >
+ JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
+ values for. Note that for privacy or other reasons, this might not be an exhaustive list.
+ type: array
+ example:
+ - "amr"
+ - "aud"
+ - "azp"
+ - "client_id"
+ - "exp"
+ - "iat"
+ - "iss"
+ - "jti"
+ - "rat"
+ - "sub"
+ - "auth_time"
+ - "nonce"
+ - "email"
+ - "email_verified"
+ - "alt_emails"
+ - "groups"
+ - "preferred_username"
+ - "name"
+ items:
+ $ref: '#/components/schemas/openid.implementation.Claims.Array'
+ code_challenge_methods_supported:
+ description: >
+ JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
+ server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
+ 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
+ Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
+ PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters:
+ https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
+ type: array
+ example: ["S256", "plain"]
+ items:
+ $ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
+ display_values_supported:
+ description: >
+ JSON array containing a list of the display parameter values that the OpenID Provider supports. These values
+ are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section
+ 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+ type: array
+ example: ["page"]
+ items:
+ $ref: '#/components/schemas/openid.spec.DisplayType'
+ frontchannel_logout_session_supported:
+ description: >
+ Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
+ identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is
+ also included in ID Tokens issued by the OP. If omitted, the default value is false.
+ type: boolean
+ example: false
+ frontchannel_logout_supported:
+ description: >
+ Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
+ omitted, the default value is false.
+ type: boolean
+ example: false
+ grant_types_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
+ Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
+ Types. If omitted, the default value is ["authorization_code", "implicit"].
+ type: array
+ example: ["authorization_code", "implicit"]
+ items:
+ $ref: '#/components/schemas/openid.spec.GrantType'
+ id_token_encryption_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID
+ Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT:
+ https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["A256GCMKW"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWE.alg'
+ id_token_encryption_enc_values_supported:
+ description: >
+ JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID
+ Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
+ JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["A256GCM"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWE.enc'
+ id_token_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
+ to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
+ but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
+ (such as when using the Authorization Code Flow).
+ See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWS.None'
+ introspection_endpoint:
+ description: >
+ URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
+ Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
+ type: string
+ example: "{{ .BaseURL }}api/oidc/introspection"
+ introspection_endpoint_auth_methods_supported:
+ description: >
+ JSON array containing a list of client authentication methods supported by this introspection endpoint. The
+ valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
+ Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access
+ Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section
+ 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also:
+ IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
+ OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
+ https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
+ type: array
+ example: ["client_secret_post"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
+ introspection_endpoint_auth_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
+ endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
+ for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
+ present if either of these authentication methods are specified in the
+ "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
+ omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.jws'
+ issuer:
+ description: >
+ URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
+ If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
+ by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
+ type: string
+ example: "{{ .BaseURL }}"
+ jwks_uri:
+ description: >
+ URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
+ signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
+ to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
+ parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
+ Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
+ RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
+ keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
+ type: string
+ example: "{{ .BaseURL }}jwks.json"
+ op_policy_uri:
+ description: >
+ URL that the OpenID Provider provides to the person registering the Client to read about the OP's
+ requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
+ display this URL to the person registering the Client if it is given.
+ type: string
+ op_tos_uri:
+ description: >
+ URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
+ terms of service. The registration process SHOULD display this URL to the person registering the Client
+ if it is given.
+ type: string
+ pushed_authorization_request_endpoint:
+ description: >
+ The URL of the pushed authorization request endpoint at which a client can post an authorization request to
+ exchange for a "request_uri" value usable at the authorization server.
+ type: string
+ example: "{{ .BaseURL }}api/oidc/par"
+ registration_endpoint:
+ description: >
+ URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
+ OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
+ type: string
+ example: "{{ .BaseURL }}api/oidc/registration"
+ request_object_encryption_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
+ Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
+ reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
+ type: array
+ example: ["A256GCMKW"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWE.alg'
+ request_object_encryption_enc_values_supported:
+ description: >
+ JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request
+ Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
+ reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
+ JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["A256GCM"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWE.enc'
+ request_object_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
+ Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are
+ used both when the Request Object is passed by value (using the request parameter) and when it is passed by
+ reference (using the request_uri parameter). Servers SHOULD support none and RS256.
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWS.None'
+ request_uri_parameter_supported:
+ description: >
+ Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
+ support. If omitted, the default value is true.
+ type: boolean
+ example: true
+ require_pushed_authorization_requests:
+ description: >
+ Boolean parameter indicating whether the authorization server accepts authorization request data only via
+ PAR. If omitted, the default value is "false".
+ type: boolean
+ example: false
+ require_request_uri_registration:
+ description: >
+ Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the
+ request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
+ default value is false.
+ type: boolean
+ example: false
+ response_modes_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
+ OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
+ OpenID Providers is ["query", "fragment"].
+ type: array
+ example: ["query", "fragment"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ResponseMode'
+ response_types_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
+ Providers MUST support the code, id_token, and the token id_token Response Type values.
+ type: array
+ example: ["code", "id_token", "token id_token"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ResponseType'
+ revocation_endpoint:
+ description: >
+ URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
+ OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
+ type: string
+ example: "{{ .BaseURL }}api/oidc/revocation"
+ revocation_endpoint_auth_methods_supported:
+ description: >
+ JSON array containing a list of client authentication methods supported by this revocation endpoint. The
+ valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
+ Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
+ -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
+ See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
+ OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+ type: array
+ example: ["client_secret_basic"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
+ revocation_endpoint_auth_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
+ endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
+ the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
+ either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
+ entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
+ See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.jws'
+ scopes_supported:
+ description: >
+ JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
+ The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope
+ values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
+ supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core:
+ https://openid.net/specs/openid-connect-core-1_0.html
+ type: array
+ example:
+ - "openid"
+ - "offline_access"
+ - "profile"
+ - "email"
+ - "groups"
+ items:
+ $ref: '#/components/schemas/openid.implementation.Scopes.Object'
+ service_documentation:
+ description: >
+ URL of a page containing human-readable information that developers might want or need to know when using
+ the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
+ then information on how to register Clients needs to be provided in this documentation.
+ type: string
+ example: "https://www.authelia.com"
+ subject_types_supported:
+ description: >
+ JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
+ pairwise and public.
+ type: array
+ example: ["public", "pairwise"]
+ items:
+ $ref: '#/components/schemas/openid.spec.SubjectIdentifier'
+ token_endpoint:
+ description: >
+ URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
+ used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
+ type: string
+ example: "{{ .BaseURL }}api/oidc/token"
+ token_endpoint_auth_methods_supported:
+ description: >
+ JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
+ are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
+ 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
+ omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
+ 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
+ OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+ type: array
+ example: ["client_secret_post"]
+ items:
+ $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
+ token_endpoint_auth_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
+ for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the
+ private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256.
+ The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.jws'
+ ui_locales_supported:
+ description: >
+ Languages and scripts supported for the user interface, represented as a JSON array of BCP47
+ [RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
+ type: array
+ example: ["en-US"]
+ items:
+ type: string
+ userinfo_encryption_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the
+ UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE:
+ https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518
+ JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["A256GCMKW"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWE.alg'
+ userinfo_encryption_enc_values_supported:
+ description: >
+ JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo
+ Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
+ JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["A256GCM"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWE.enc'
+ userinfo_endpoint:
+ description: >
+ URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port,
+ path, and query parameter components.
+ See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
+ type: string
+ example: "{{ .BaseURL }}api/oidc/userinfo"
+ userinfo_signing_alg_values_supported:
+ description: >
+ JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
+ UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
+ JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT:
+ https://datatracker.ietf.org/doc/html/rfc7519
+ type: array
+ example: ["none", "RS256"]
+ items:
+ $ref: '#/components/schemas/jose.spec.JWS.None'
+ openid.implementation.Claims.Array:
+ type: array
+ items:
+ type: string
+ enum:
+ - "amr"
+ - "aud"
+ - "azp"
+ - "client_id"
+ - "exp"
+ - "iat"
+ - "iss"
+ - "jti"
+ - "rat"
+ - "sub"
+ - "auth_time"
+ - "nonce"
+ - "email"
+ - "email_verified"
+ - "alt_emails"
+ - "groups"
+ - "preferred_username"
+ - "name"
+ openid.implementation.Claims.Object:
+ description: OpenID Connect 1.0 User Claims.
+ type: object
+ properties:
+ amr:
+ type: array
+ items:
+ type: string
+ enum:
+ - "mfa"
+ - "mca"
+ - "user"
+ - "pin"
+ - "pwd"
+ - "otp"
+ - "hwk"
+ - "sms"
+ aud:
+ type: array
+ items:
+ type: string
+ azp:
+ type: string
+ client_id:
+ type: string
+ scope:
+ type: string
+ scp:
+ type: array
+ items:
+ type: string
+ exp:
+ type: integer
+ iat:
+ type: integer
+ iss:
+ type: string
+ jti:
+ type: string
+ rat:
+ type: integer
+ sub:
+ type: string
+ auth_time:
+ type: integer
+ nonce:
+ type: string
+ email:
+ type: string
+ email_verified:
+ type: boolean
+ alt_emails:
+ type: array
+ items:
+ type: string
+ groups:
+ type: array
+ items:
+ type: string
+ preferred_username:
+ type: string
+ name:
+ type: string
+ openid.implementation.Scopes.Object:
+ description: The scope.
+ type: string
+ oneOf:
+ - $ref: '#/components/schemas/openid.spec.Scopes'
+ - type: string
+ enum:
+ - "groups"
+ openid.spec.Scopes:
+ type: string
+ enum:
+ - "openid"
+ - "offline_access"
+ - "profile"
+ - "email"
+ - "address"
+ - "phone"
+ openid.spec.IntrospectionRequest:
+ type: object
+ required:
+ - "token"
+ properties:
+ token:
+ description: >
+ The string value of the token. For access tokens, this
+ is the "access_token" value returned from the token endpoint
+ defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens,
+ this is the "refresh_token" value returned from the token endpoint
+ as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
+ are outside the scope of this specification.
+ type: string
+ example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
+ token_type_hint:
+ description: >
+ A hint about the type of the token submitted for
+ introspection. The protected resource MAY pass this parameter to
+ help the authorization server optimize the token lookup. If the
+ server is unable to locate the token using the given hint, it MUST
+ extend its search across all of its supported token types. An
+ authorization server MAY ignore this parameter, particularly if it
+ is able to detect the token type automatically. Values for this
+ field are defined in the "OAuth Token Type Hints" registry defined
+ in OAuth Token Revocation [RFC7009].
+ type: string
+ example: "access_token"
+ enum:
+ - "access_token"
+ - "refresh_token"
+ openid.spec.AccessRequest.ClientAuth:
+ type: object
+ properties:
+ client_id:
+ description: >
+ REQUIRED if the client is not authenticating with the
+ authorization server as described in Section 3.2.1. of [RFC6749].
+ The client identifier as described in Section 2.2 of [RFC6749].
+ type: string
+ example: "authelia_dc_mn123kjn12kj3123njk"
+ client_secret:
+ description: >
+ REQUIRED. The client secret. The client MAY omit the
+ parameter if the client secret is an empty string.
+ type: string
+ format: password
+ openid.spec.AccessRequest.AuthorizationCodeFlow:
+ allOf:
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
+ - type: object
+ required:
+ - "code"
+ - "grant_type"
+ properties:
+ grant_type:
+ description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
+ type: string
+ enum:
+ - "authorization_code"
+ code:
+ description: The Authorization Code.
+ type: string
+ example: "authelia_ac_1j2kn3knj12n3kj12n"
+ code_verifier:
+ description: The Authorization Code Verifier (PKCE).
+ type: string
+ example: "88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3"
+ redirect_uri:
+ description: The original Redirect URI used in the Authorization Request.
+ type: string
+ example: "https://app.example.com/oidc/callback"
+ openid.spec.AccessRequest.DeviceCodeFlow:
+ allOf:
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
+ - type: object
+ required:
+ - "grant_type"
+ - "device_code"
+ properties:
+ grant_type:
+ description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
+ type: string
+ enum:
+ - "urn:ietf:params:oauth:grant-type:device_code"
+ device_code:
+ description: The Device Authorization Code.
+ type: string
+ example: "authelia_dc_mn123kjn12kj3123njk"
+ openid.spec.AccessRequest.RefreshTokenFlow:
+ allOf:
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
+ - type: object
+ required:
+ - "grant_type"
+ - "device_code"
+ properties:
+ grant_type:
+ description: Value MUST be set to "refresh_token".
+ type: string
+ enum:
+ - "refresh_token"
+ refresh_token:
+ description: The Refresh Token.
+ example: "authelia_rt_1n2j3kihn12kj3n12k"
+ scope:
+ description: >
+ The scope of the access request as described by
+ Section 3.3. The requested scope MUST NOT include any scope
+ not originally granted by the resource owner, and if omitted is
+ treated as equal to the scope originally granted by the
+ resource owner.
+ openid.spec.AccessResponse:
+ type: object
+ properties:
+ access_token:
+ description: The access token issued by the authorization server.
+ type: string
+ example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
+ refresh_token:
+ type: string
+ description: >
+ The refresh token, which can be used to obtain new access tokens using the
+ same authorization grant as described in Section 6.
+ token_type:
+ type: string
+ description: >
+ The access token type provides the client with the information
+ required to successfully utilize the access token to make a protected
+ resource request (along with type-specific attributes). The client
+ MUST NOT use an access token if it does not understand the token
+ type.
+ enum:
+ - "bearer"
+ expires_in:
+ type: integer
+ description: >
+ The lifetime in seconds of the access token. For
+ example, the value "3600" denotes that the access token will
+ expire in one hour from the time the response was generated.
+ If omitted, the authorization server SHOULD provide the
+ expiration time via other means or document the default value.
+ state:
+ type: string
+ description: Exactly the state value passed in the authorization request if present.
+ scope:
+ type: string
+ description: >
+ The scope of the access token as described by Section 3.3 if it differs from the requested scope.
+ openid.spec.AuthorizeRequest:
+ type: object
+ required:
+ - "scope"
+ - "response_type"
+ - "client_id"
+ - "redirect_uri"
+ properties:
+ scope:
+ description: The requested scope.
+ type: string
+ example: "openid profile groups"
+ response_type:
+ $ref: '#/components/schemas/openid.spec.ResponseType'
+ client_id:
+ description: The OAuth 2.0 client identifier.
+ type: string
+ example: "app"
+ redirect_uri:
+ description: >
+ Redirection URI to which the response will be sent. This URI MUST exactly match one of the
+ Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
+ performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
+ flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
+ that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
+ allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
+ scheme, such as one that is intended to identify a callback into a native application.
+ type: string
+ example: "https://app.example.com"
+ state:
+ description: >
+ Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
+ Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
+ parameter with a browser cookie.
+ type: string
+ example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
+ response_mode:
+ $ref: '#/components/schemas/openid.spec.ResponseMode'
+ nonce:
+ description: >
+ String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
+ The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
+ entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
+ implementation notes, see Section 15.5.2.
+ type: string
+ example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
+ display:
+ $ref: '#/components/schemas/openid.spec.DisplayType'
+ prompt:
+ description: >
+ Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether
+ the Authorization Server prompts the End-User for reauthentication and consent.
+ type: string
+ max_age:
+ description: >
+ Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
+ End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
+ OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
+ to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
+ Token returned MUST include an auth_time Claim Value.
+ type: integer
+ ui_locales:
+ description: >
+ Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
+ space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
+ the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
+ a region designation), followed by English (without a region designation). An error SHOULD NOT
+ result if some or all of the requested locales are not supported by the OpenID Provider.
+ type: string
+ claims_locales:
+ description: >
+ Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
+ a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
+ SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
+ type: string
+ id_token_hint:
+ description: >
+ Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
+ the End-User's current or past authenticated session with the Client. If the End-User identified by
+ the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
+ positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
+ id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
+ returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
+ not present. The Authorization Server need not be listed as an audience of the ID Token when it is
+ used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
+ it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
+ ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
+ that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
+ id_token_hint value.
+ type: string
+ login_hint:
+ description: >
+ Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
+ log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
+ address (or other identifier) and then wants to pass that value as a hint to the discovered
+ authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
+ This value MAY also be a phone number in the format specified for the phone_number Claim. The use
+ of this parameter is left to the OP's discretion.
+ type: string
+ acr_values:
+ description: >
+ Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
+ specifies the acr values that the Authorization Server is being requested to use for processing this
+ Authentication Request, with the values appearing in order of preference. The Authentication Context
+ Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
+ Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
+ type: string
+ claims:
+ description: >
+ Not Supported: The claims parameter value, as specified in Section 5.5.
+ type: string
+ registration:
+ description: >
+ Not Supported: This parameter is used by the Client to provide information about itself to a
+ Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
+ specified in Section 7.2.1.
+ type: string
+ request:
+ description: >
+ Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be
+ encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
+ issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
+ Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
+ algorithm used is RSA1_5.
+ type: string
+ openid.spec.SubjectIdentifier:
+ description: >
+ A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
+ End-User, which is intended to be consumed by the Client.
+ type: string
+ enum:
+ - "public"
+ - "pairwise"
+ openid.spec.ClientAuthMethod:
+ description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
+ type: string
+ enum:
+ - "client_secret_basic"
+ - "client_secret_post"
+ - "client_secret_jwt"
+ - "private_key_jwt"
+ - "none"
+ openid.spec.DisplayType:
+ description: >
+ ASCII string value that specifies how the Authorization Server displays the authentication and consent user
+ interface pages to the End-User.
+ type: string
+ example: "page"
+ enum:
+ - "page"
+ - "popup"
+ - "touch"
+ - "wap"
+ openid.spec.ResponseType:
+ description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
+ type: string
+ example: "code"
+ enum:
+ - "code"
+ - "id_token"
+ - "token"
+ - "code token"
+ - "code id_token"
+ - "token id_token"
+ - "code id_token token"
+ - "none"
+ openid.spec.ResponseMode:
+ description: >
+ Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
+ Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
+ the default mode specified for the Response Type.
+ type: string
+ example: "query"
+ enum:
+ - "query"
+ - "fragment"
+ - "form_post"
+ openid.spec.GrantType:
+ description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
+ type: string
+ example: "authorization_code"
+ enum:
+ - "authorization_code"
+ - "refresh_token"
+ - "implicit"
+ - "password"
+ - "client_credentials"
+ - "urn:ietf:params:oauth:grant-type:device_code"
+ openid.spec.CodeChallengeMethod:
+ description: The RFC7636 Code Challenge Verifier Method.
+ type: string
+ example: "S256"
+ enum:
+ - "plain"
+ - "S256"
+ openid.spec.ClaimType:
+ description: The representation of claims.
+ type: string
+ example: "normal"
+ enum:
+ - "normal"
+ - "aggregated"
+ - "distributed"
+ jose.spec.None:
+ description: The JSON Web Signature Algorithm
+ type: string
+ enum:
+ - "none"
+ jose.spec.JWS.None:
+ description: The JSON Web Signature Algorithm
+ type: string
+ oneOf:
+ - $ref: '#/components/schemas/jose.spec.None'
+ - $ref: '#/components/schemas/jose.spec.jws'
+ jose.spec.jws:
+ description: The JSON Web Signature Algorithm
+ type: string
+ enum:
+ - "HS256"
+ - "HS384"
+ - "HS512"
+ - "RS256"
+ - "RS384"
+ - "RS512"
+ - "ES256"
+ - "ES384"
+ - "ES512"
+ - "PS256"
+ - "PS384"
+ - "PS512"
+ jose.spec.JWE.alg:
+ description: The JSON Web Encryption Algorithm (CEK)
+ type: string
+ enum:
+ - "RSA1_5"
+ - "RSA-OAEP"
+ - "RSA-OAEP-256"
+ - "A128KW"
+ - "A192KW"
+ - "A256KW"
+ - "dir"
+ - "ECDH-ES"
+ - "ECDH-ES+A128KW"
+ - "ECDH-ES+A192KW"
+ - "ECDH-ES+A256KW"
+ - "A128GCMKW"
+ - "A192GCMKW"
+ - "A256GCMKW"
+ - "PBES2-HS256+A128KW"
+ - "PBES2-HS384+A192KW"
+ - "PBES2-HS512+A256KW"
+ jose.spec.JWE.enc:
+ description: The JSON Web Encryption Algorithm (Claims)
+ type: string
+ enum:
+ - "A128CBC-HS256"
+ - "A192CBC-HS384"
+ - "A256CBC-HS512"
+ - "A128CBC"
+ - "A256CBC"
+ - "A128GCM"
+ - "A256GCM"
+ jose.spec.JWK.base:
+ type: object
+ properties:
+ use:
+ description: >
+ The "use" (public key use) parameter identifies the intended use of
+ the public key. The "use" parameter is employed to indicate whether
+ a public key is used for encrypting data or verifying the signature
+ on data.
+ type: string
+ example: "sig"
+ enum:
+ - "sig"
+ - "enc"
+ key_ops:
+ description: >
+ The "key_ops" (key operations) parameter identifies the operation(s)
+ for which the key is intended to be used. The "key_ops" parameter is
+ intended for use cases in which public, private, or symmetric keys
+ may be present.
+ type: array
+ example: ["sign"]
+ items:
+ type: string
+ enum:
+ - "sign"
+ - "verify"
+ - "encrypt"
+ - "decrypt"
+ - "wrapKey"
+ - "unwrapKey"
+ - "deriveKey"
+ - "deriveBits"
+ kid:
+ description: >
+ The "kid" (key ID) parameter is used to match a specific key. This
+ is used, for instance, to choose among a set of keys within a JWK Set
+ during key rollover. The structure of the "kid" value is
+ unspecified. When "kid" values are used within a JWK Set, different
+ keys within the JWK Set SHOULD use distinct "kid" values. (One
+ example in which different keys might use the same "kid" value is if
+ they have different "kty" (key type) values but are considered to be
+ equivalent alternatives by the application using them.) The "kid"
+ value is a case-sensitive string. Use of this member is OPTIONAL.
+ When used with JWS or JWE, the "kid" value is used to match a JWS or
+ JWE "kid" Header Parameter value.
+ type: string
+ x5u:
+ description: >
+ The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
+ resource for an X.509 public key certificate or certificate chain
+ [RFC5280]. The identified resource MUST provide a representation of
+ the certificate or certificate chain that conforms to RFC 5280
+ [RFC5280] in PEM-encoded form, with each certificate delimited as
+ specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
+ certificate MUST match the public key represented by other members of
+ the JWK. The protocol used to acquire the resource MUST provide
+ integrity protection; an HTTP GET request to retrieve the certificate
+ MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
+ validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
+ member is OPTIONAL.
+ type: string
+ x5c:
+ description: >
+ The "x5c" (X.509 certificate chain) parameter contains a chain of one
+ or more PKIX certificates [RFC5280]. The certificate chain is
+ represented as a JSON array of certificate value strings. Each
+ string in the array is a base64-encoded (Section 4 of [RFC4648] --
+ not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
+ The PKIX certificate containing the key value MUST be the first
+ certificate. This MAY be followed by additional certificates, with
+ each subsequent certificate being the one used to certify the
+ previous one. The key in the first certificate MUST match the public
+ key represented by other members of the JWK. Use of this member is
+ OPTIONAL.
+ type: array
+ items:
+ type: string
+ format: byte
+ x5t:
+ description: >
+ The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
+ base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
+ encoding of an X.509 certificate [RFC5280]. Note that certificate
+ thumbprints are also sometimes known as certificate fingerprints.
+ The key in the certificate MUST match the public key represented by
+ other members of the JWK. Use of this member is OPTIONAL.
+ type: string
+ format: byte
+ x5t#S256:
+ description: >
+ The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
+ base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
+ encoding of an X.509 certificate [RFC5280]. Note that certificate
+ thumbprints are also sometimes known as certificate fingerprints.
+ The key in the certificate MUST match the public key represented by
+ other members of the JWK. Use of this member is OPTIONAL.
+ type: string
+ format: byte
+ jose.spec.JWK.RSA:
+ description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - type: object
+ required:
+ - "kty"
+ - "n"
+ - "e"
+ properties:
+ kty:
+ description: >
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key.
+ type: string
+ example: "RSA"
+ enum:
+ - "RSA"
+ alg:
+ description: The JSON Web Signature Algorithm
+ type: string
+ example: "RS256"
+ enum:
+ - "RS256"
+ - "RS384"
+ - "RS512"
+ - "PS256"
+ - "PS384"
+ - "PS512"
+ n:
+ description: >
+ RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
+ represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ e:
+ description: >
+ RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
+ It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ jose.spec.JWK.RSA.Private:
+ description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - $ref: '#/components/schemas/jose.spec.JWK.RSA'
+ - type: object
+ required:
+ - "d"
+ properties:
+ d:
+ description: >
+ RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
+ private key. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ p:
+ description: >
+ RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
+ It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ q:
+ description: >
+ RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
+ represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ dp:
+ description: >
+ RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
+ (CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ dq:
+ description: >
+ RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
+ second factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ qi:
+ description: >
+ RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
+ factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ oth:
+ description: >
+ The "oth" (other primes info) parameter contains an array of
+ information about any third and subsequent primes, should they exist.
+ type: array
+ items:
+ type: object
+ required:
+ - "r"
+ - "d"
+ - "t"
+ properties:
+ r:
+ description: >
+ The "r" (prime factor) parameter within an "oth" array member
+ represents the value of a subsequent prime factor. It is represented
+ as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ d:
+ description: >
+ The "d" (factor CRT exponent) parameter within an "oth" array member
+ represents the CRT exponent of the corresponding prime factor. It is
+ represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ t:
+ description: >
+ The "t" (factor CRT coefficient) parameter within an "oth" array
+ member represents the CRT coefficient of the corresponding prime
+ factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ jose.spec.JWK.EC:
+ description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - type: object
+ required:
+ - "kty"
+ - "crv"
+ - "x"
+ properties:
+ kty:
+ description: >
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key.
+ type: string
+ example: "EC"
+ enum:
+ - "EC"
+ alg:
+ description: The JSON Web Signature Algorithm
+ type: string
+ example: "ES256"
+ enum:
+ - "ES256"
+ - "ES384"
+ - "ES512"
+ x:
+ description: >
+ EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
+ It is represented as the base64url encoding of the octet string representation of the coordinate, as
+ defined in Section 2.3.5 of SEC1 [SEC1].
+ type: string
+ format: byte
+ y:
+ description: >
+ EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
+ It is represented as the base64url encoding of the octet string representation of the coordinate, as
+ defined in Section 2.3.5 of SEC1 [SEC1].
+ type: string
+ format: byte
+ crv:
+ description: >
+ The curve parameter identifies the cryptographic curve used with the key. Curve
+ values from [DSS] used by this specification.
+ type: string
+ example: "P-521"
+ enum:
+ - "P-256"
+ - "P-384"
+ - "P-521"
+ - "Ed25519"
+ - "Ed448"
+ - "X25519"
+ - "X448"
+ - "secp256k1"
+ jose.spec.JWK.EC.Private:
+ description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - $ref: '#/components/schemas/jose.spec.JWK.EC'
+ - type: object
+ required:
+ - "d"
+ properties:
+ d:
+ description: >
+ ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
+ is represented as the base64url encoding of the octet string representation of the private key value,
+ as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
+ ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
+ type: string
+ format: byte
+ jose.spec.JWK.Symmetric:
+ description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - type: object
+ required:
+ - "k"
+ properties:
+ kty:
+ description: >
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key.
+ type: string
+ example: "oct"
+ enum:
+ - "oct"
+ k:
+ description: >
+ The "k" (key value) parameter contains the value of the symmetric (or
+ other single-valued) key. It is represented as the base64url
+ encoding of the octet sequence containing the key value.
+ type: string
+ format: byte
+ jose.spec.JWK:
+ type: string
+ anyOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.RSA'
+ - $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
+ - $ref: '#/components/schemas/jose.spec.JWK.EC'
+ - $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
+ - $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
+ jose.spec.JWKs:
+ type: object
+ description: The JSON Web Key Sets Document as defined by RFC7517.
+ properties:
+ keys:
+ description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
+ type: array
+ items:
+ $ref: '#/components/schemas/jose.spec.JWK'
securitySchemes:
authelia_auth:
type: apiKey
- name: "{{.Session}}"
+ name: "{{ .Session }}"
in: cookie
+ openid:
+ type: openIdConnect
+ openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration"
...