RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/api/openapi.yml

3853 lines
149 KiB
YAML
Raw Normal View History

[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
---
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openapi: 3.0.3
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
info:
title: Authelia API
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single
sign-on (SSO) for your applications via a web portal.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
contact:
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
name: Support
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
url: https://www.authelia.com/contact/
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
email: team@authelia.com
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0
version: 1.0.0
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
servers:
- url: "{{ .BaseURL }}"
description: Authelia API
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
tags:
- name: State
description: Configuration, health and state endpoints
- name: Authentication
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
description: Authentication endpoints
- name: Authorization
description: Authorization endpoints
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- if .PasswordReset }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
- name: Password Reset
description: Password reset endpoints
- name: User Information
description: User configuration endpoints
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if (or .TOTP .Webauthn .Duo) }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
- name: Second Factor
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
description: TOTP, Webauthn and Duo endpoints
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
externalDocs:
url: https://www.authelia.com/configuration/second-factor/introduction/
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if .OpenIDConnect }}
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
- name: OpenID Connect 1.0
description: OpenID Connect 1.0 and OAuth 2.0 Endpoints
externalDocs:
url: https://www.authelia.com/integration/openid-connect/introduction/
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
paths:
/api/configuration:
get:
tags:
- State
summary: Application Configuration
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
The configuration endpoint provides detailed information including available second factor methods, if any
second factor policies exist and the TOTP period configuration.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.configuration.ConfigurationBody'
"403":
description: Forbidden
security:
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
- authelia_auth: []
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 11:58:27 +00:00
/api/configuration/password-policy:
get:
tags:
- State
summary: Password Policy Configuration
description: >
The password policy configuration endpoint provides a password policy for resetting passwords.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/health:
feat(server): handle head method (#5003) This implements some HEAD method handlers for various static resources and the /api/health endpoint.
2023-02-28 09:01:09 +00:00
head:
tags:
- State
summary: Application Health
description: The health check endpoint provides information about the health of Authelia.
responses:
"200":
description: Successful Operation
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
get:
tags:
- State
summary: Application Health
description: The health check endpoint provides information about the health of Authelia.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
/api/state:
get:
tags:
- State
summary: User Application State
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
The state endpoint provides detailed information including the user, current authenticate level and Authelia's
configured default redirection URL.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.StateResponse'
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
{{- $redir := "https://auth.example.com/?rd=https%3A%2F%2Fexample.com&rm=GET" }}
{{- if .Domain }}
{{- $redir = printf "%s?rd=%s&rm=GET" .BaseURL (urlquery (printf "https://%s" .Domain)) }}
{{- else if .BaseURL }}
{{- $redir = printf "%s?rd=%s&rm=GET" .BaseURL (urlquery .BaseURL) }}
{{- end }}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
{{- range $name, $config := .EndpointsAuthz }}
{{- $uri := printf "/api/authz/%s" $name }}
{{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
{{ $uri }}:
{{- if (eq $config.Implementation "Legacy") }}
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
{{ $method }}:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
tags:
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
- Authorization
summary: Authorization Verification (Legacy)
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
The legacy authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified domain with several proxies. It's generally recommended users use a proxy
specific endpoint instead.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
parameters:
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
- name: X-Original-URL
in: header
description: Redirection URL
required: false
style: simple
explode: true
schema:
type: string
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
- $ref: '#/components/parameters/forwardedMethodParam'
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
- name: X-Forwarded-Proto
in: header
description: Redirection URL (Scheme / Protocol)
required: false
style: simple
explode: true
example: "https"
schema:
type: string
- name: X-Forwarded-Host
in: header
description: Redirection URL (Host)
required: false
style: simple
explode: true
example: "example.com"
schema:
type: string
- name: X-Forwarded-Uri
in: header
description: Redirection URL (URI)
required: false
style: simple
explode: true
example: "/path/example"
schema:
type: string
- $ref: '#/components/parameters/forwardedForParam'
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
- $ref: '#/components/parameters/authParam'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
set-cookie:
description: Sets a new cookie value
schema:
type: string
"302":
description: Found
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
"303":
description: See Other
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
"401":
description: Unauthorized
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
headers:
set-cookie:
description: Sets a new cookie value
schema:
type: string
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
{{- else if (eq $config.Implementation "ExtAuthz") }}
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (ExtAuthz)
description: >
The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the Envoy proxy.
parameters:
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/forwardedHostParam'
- $ref: '#/components/parameters/forwardedURIParam'
- $ref: '#/components/parameters/forwardedForParam'
- $ref: '#/components/parameters/autheliaURLParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
set-cookie:
description: Sets a new cookie value
schema:
type: string
"302":
description: Found
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
"303":
description: See Other
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
"400":
description: Bad Request
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "ForwardAuth") }}
{{- range $method := list "get" "head" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (ForwardAuth)
description: >
The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies.
parameters:
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/forwardedHostParam'
- $ref: '#/components/parameters/forwardedURIParam'
- $ref: '#/components/parameters/forwardedForParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
set-cookie:
description: Sets a new cookie value
schema:
type: string
"302":
description: Found
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
"303":
description: See Other
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
"400":
description: Bad Request
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "AuthRequest") }}
{{- range $method := list "get" "head" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (AuthRequest)
description: >
The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies.
parameters:
- $ref: '#/components/parameters/originalMethodParam'
- $ref: '#/components/parameters/originalURLParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
set-cookie:
description: Sets a new cookie value
schema:
type: string
"400":
description: Bad Request
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
"401":
description: Unauthorized
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
headers:
location:
description: Redirect Location for user authorization
example: {{ $redir }}
set-cookie:
description: Sets a new cookie value
schema:
type: string
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
security:
- authelia_auth: []
{{- end }}
{{- end }}
{{- end }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/firstfactor:
post:
tags:
- Authentication
summary: Login
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
content:
application/json:
schema:
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
$ref: '#/components/schemas/handlers.bodyFirstFactorRequest'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
fix: user is now redirected when authenticated (#2082) * fix(handlers,web): user is now redirected when authenticated Fix: #1788 * remove dead code and fix ci issues * fix infinite loop in frontend * fix issue with integration tests * handle bot recommendation * fix integration test & add dot to comment * fix last integration test * Update api/openapi.yml Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> * Update web/src/services/SafeRedirection.ts Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * Update web/src/services/SafeRedirection.ts Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * Update api/openapi.yml * Update openapi.yml * refactor: valid -> safe * refactor: adjust merge conflicts * Apply suggestions from code review Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> * fix: adjust test return messaging Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-02 06:15:38 +00:00
/api/checks/safe-redirection:
post:
tags:
- Authentication
summary: Check whether URI is safe to redirect to.
description: >
End users usually needs to be redirected to a target website after authentication. This endpoint aims to check
if target URL is safe to redirect to. This prevents open redirect attacks.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody'
"401":
description: Unauthorized
security:
- authelia_auth: []
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/logout:
post:
tags:
- Authentication
summary: Logout
description: The logout endpoint allows a user to logout and destroy a sesssion.
fix(handlers): logout redirection validation (#1908)
2021-04-13 08:38:12 +00:00
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.logoutRequestBody'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
fix(handlers): logout redirection validation (#1908)
2021-04-13 08:38:12 +00:00
$ref: '#/components/schemas/handlers.logoutResponseBody'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
security:
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- if .PasswordReset }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/reset-password/identity/start:
post:
tags:
- Password Reset
summary: Identity Verification Token Creation
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
This endpoint is step 1 of 3 in the password reset process.
It validates the user session and sends the user an email with a token and a link to reset their password. This
step also generates a session cookie for the rest of the process.
The same session cookie must be used for all steps in this process.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
$ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/reset-password/identity/finish:
post:
tags:
- Password Reset
summary: Identity Verification Token Validation
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
This endpoint is step 2 of 3 in the password reset process.
It validates the user session and reset token.
The same session cookie must be used for all steps in this process.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/reset-password:
post:
tags:
- Password Reset
summary: Password Reset
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
This endpoint is step 3 of 3 in the password reset process.
It validates the user session and changes the password.
The same session cookie must be used for all steps in this process.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
$ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/user/info:
get:
tags:
- User Information
summary: User Configuration
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
The user info endpoint provides detailed information including a users display name, preferred and registered
second factor method(s).
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfo'
"403":
description: Forbidden
security:
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
- authelia_auth: []
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
post:
tags:
- User Information
summary: User Configuration
description: >
The user info endpoint provides detailed information including a users display name, preferred and registered
second factor method(s). The POST method also ensures the preferred method is configured correctly.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfo'
"403":
description: Forbidden
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
/api/user/info/2fa_method:
post:
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
tags:
fix(api): fix grouping for user info endpoints (#2710)
2021-12-13 00:11:03 +00:00
- User Information
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
summary: User Configuration
description: The user info 2fa_method endpoint sets the users preferred second factor method.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfo.MethodBody'
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
$ref: '#/components/schemas/middlewares.OkResponse'
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
"403":
description: Forbidden
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- if .TOTP }}
/api/user/info/totp:
get:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
tags:
- User Information
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
summary: User TOTP Configuration
description: >
The user TOTP info endpoint provides information necessary to display the TOTP component to validate their
TOTP input such as the period/frequency and number of digits.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
$ref: '#/components/schemas/handlers.UserInfoTOTP'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
"403":
description: Forbidden
security:
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
- authelia_auth: []
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/secondfactor/totp/identity/start:
post:
tags:
- Second Factor
summary: Identity Verification TOTP Token Creation
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
This endpoint performs identity verification to begin the TOTP device registration process.
The session generated from this endpoint must be utilised for the subsequent step in the
`/api/secondfactor/totp/identity/finish` endpoint.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/secondfactor/totp/identity/finish:
post:
tags:
- Second Factor
summary: Identity Verification TOTP Token Validation and Device Creation
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
This endpoint performs identity and token verification, upon success also generates TOTP device secret and
registers said device.
The session cookie generated from the `/api/secondfactor/totp/identity/start` endpoint must be utilised for the
step here.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.TOTPKeyResponse'
security:
- authelia_auth: []
/api/secondfactor/totp:
post:
tags:
- Second Factor
summary: Second Factor Authentication - TOTP
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: This endpoint performs second factor authentication with a TOTP key.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
$ref: '#/components/schemas/handlers.bodySignTOTPRequest'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.ErrorResponse'
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if .Webauthn }}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
/api/secondfactor/webauthn/assertion:
get:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
tags:
- Second Factor
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
summary: Second Factor Authentication - Webauthn (Request)
description: This endpoint starts the second factor authentication process with the FIDO2 Webauthn credential.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
$ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
"401":
description: Unauthorized
security:
- authelia_auth: []
post:
tags:
- Second Factor
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
summary: Second Factor Authentication - Webauthn
description: This endpoint completes the second factor authentication process with the FIDO2 Webauthn credential.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
$ref: "#/components/schemas/webauthn.CredentialAssertionResponse"
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
/api/secondfactor/webauthn/identity/start:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
post:
tags:
- Second Factor
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
summary: Identity Verification Webauthn Credential Creation
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
This endpoint performs identity verification to begin the FIDO2 Webauthn credential attestation process
(registration).
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
The session generated from this endpoint must be utilised for the subsequent steps in the
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
`/api/secondfactor/webauthn/identity/finish` and `/api/secondfactor/webauthn/attestation` endpoints.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
/api/secondfactor/webauthn/identity/finish:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
post:
tags:
- Second Factor
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
summary: Identity Verification FIDO2 Webauthn Credential Validation
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: >
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
This endpoint performs identity and token verification, upon success generates a FIDO2 Webauthn device
attestation challenge (registration).
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
The session cookie generated from the `/api/secondfactor/webauthn/identity/start` endpoint must be utilised
for the subsequent steps here and in the `/api/secondfactor/webauthn/attestation` endpoint.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
$ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
security:
- authelia_auth: []
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
/api/secondfactor/webauthn/attestation:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
post:
tags:
- Second Factor
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
summary: Webauthn Credential Attestation
description: This endpoint performs Webauthn credential attestation (registration).
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
$ref: '#/components/schemas/webauthn.CredentialAttestationResponse'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if .Duo }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
/api/secondfactor/duo:
post:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
description: This endpoint performs second factor authentication with a Duo Mobile Push.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
requestBody:
required: true
content:
application/json:
schema:
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
$ref: '#/components/schemas/handlers.bodySignDuoRequest'
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
/api/secondfactor/duo_devices:
get:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
description: This endpoint retrieves a users available devices and capabilities from Duo.
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.DuoDevicesResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/secondfactor/duo_device:
post:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
description: This endpoint updates the users preferred Duo device and method.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.DuoDeviceBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if .OpenIDConnect }}
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
/.well-known/openid-configuration:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect Discovery 1.0 Document
description: >
This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for
an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration'
"400":
description: Bad Request
"500":
description: Internal Server Error
/.well-known/oauth-authorization-server:
get:
tags:
- OpenID Connect 1.0
summary: OAuth 2.0 Authorization Server Metadata
description: >
This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
docs: fix rfc references and fix misc issues (#4879)
2023-02-05 07:11:30 +00:00
perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer'
"400":
description: Bad Request
"500":
description: Internal Server Error
/jwks.json:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 JSON Web Key Set Document
description: >
This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate
information from this OpenID Connect 1.0 Provider.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/jose.spec.JWKs'
/api/oidc/authorization:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Authorization Endpoint
description: >
This endpoint performs OpenID Connect 1.0 Authorization.
parameters:
- in: query
name: id
required: false
description: The OpenID Connect 1.0 consent workflow ID.
schema:
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4"
- in: query
name: scope
description: The requested scope.
required: true
schema:
type: string
example: "openid profile groups"
- in: query
name: response_type
description: The OAuth 2.0 response type.
required: true
schema:
$ref: '#/components/schemas/openid.spec.ResponseType'
- in: query
name: client_id
description: The OAuth 2.0 client identifier.
required: true
schema:
type: string
example: "app"
- in: query
name: redirect_uri
description: >
Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI
values for the Client pre-registered at the OpenID Provider, with the matching performed as described in
Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use
the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as
defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this
case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback
into a native application.
required: true
schema:
type: string
example: "https://app.example.com"
- in: query
name: state
description: >
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request
Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a
browser cookie.
required: false
schema:
type: string
example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
- in: query
name: response_mode
description: >
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
the default mode specified for the Response Type.
required: false
schema:
$ref: '#/components/schemas/openid.spec.ResponseMode'
- in: query
name: nonce
description: >
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value
is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be
present in the nonce values used to prevent attackers from guessing values. For implementation notes, see
Section 15.5.2.
required: false
schema:
type: string
example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
- in: query
name: display
description: >
Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication
and consent user interface pages to the End-User.
required: false
schema:
$ref: '#/components/schemas/openid.spec.DisplayType'
- in: query
name: prompt
description: >
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
Authorization Server prompts the End-User for reauthentication and consent.
required: false
schema:
type: string
- in: query
name: max_age
description: >
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User
was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to
actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE
[OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an
auth_time Claim Value.
required: false
schema:
type: integer
example: 3600
- in: query
name: ui_locales
description: >
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
"fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region
designation), followed by English (without a region designation). An error SHOULD NOT result if some or all
of the requested locales are not supported by the OpenID Provider.
required: false
schema:
type: string
example: "en-US"
- in: query
name: claims_locales
description: >
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT
result if some or all of the requested locales are not supported by the OpenID Provider.
required: false
schema:
type: string
example: "en-US"
- in: query
name: id_token_hint
required: false
description: >
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the
End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token
is logged in or is logged in by the request, then the Authorization Server returns a positive response;
otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be
present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the
server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need
not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token
received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the
signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to
the Authentication Server using a key that enables the server to decrypt the ID Token, and use the
re-encrypted ID token as the id_token_hint value.
schema:
type: string
- in: query
name: login_hint
description: >
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in
(if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address
(or other identifier) and then wants to pass that value as a hint to the discovered authorization service.
It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone
number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's
discretion.
required: false
schema:
type: string
- in: query
name: acr_values
description: >
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
specifies the acr values that the Authorization Server is being requested to use for processing this
Authentication Request, with the values appearing in order of preference. The Authentication Context Class
satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2.
The acr Claim is requested as a Voluntary Claim by this parameter.
required: false
schema:
type: string
- in: query
name: claims
description: >
Not Supported: The claims parameter value, as specified in Section 5.5.
required: false
schema:
type: string
- in: query
name: registration
description: >
Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP
that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1.
required: false
schema:
type: string
- in: query
name: request
description: >
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to
the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this
Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only
supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
required: false
schema:
type: string
- in: query
name: code_challenge
description: >
RFC7636 Code Challenge.
required: false
schema:
type: string
- in: query
name: code_challenge_method
required: false
description: >
RFC7636 Code Challenge Method. defaults to "plain" if not present in the request.
Code verifier transformation method is "S256" or "plain".
schema:
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
responses:
"200":
description: OK
content:
text/html:
schema:
type: string
description: The Form Post Response Mode content.
"303":
description: See Other
headers:
Location:
schema:
type: string
description: >
Redirection location for the consent flow, or the authorization response callback location when using
the Query or Fragment Response Modes.
"400":
description: Bad Request
"500":
description: Internal Server Error
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Authorization Endpoint
description: >
This endpoint performs OpenID Connect 1.0 Authorization.
requestBody:
description: Authorize Request Parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/openid.spec.AuthorizeRequest'
responses:
"200":
description: OK
content:
text/html:
schema:
type: string
description: The Form Post Response Mode content.
"303":
description: See Other
headers:
Location:
schema:
type: string
description: >
Redirection location for the consent flow, or the authorization response callback location when using
the Query or Fragment Response Modes.
"400":
description: Bad Request
"500":
description: Internal Server Error
security:
- authelia_auth: []
/api/oidc/token:
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Token Endpoint
description: >
This endpoint performs OpenID Connect 1.0 Token Access Requests.
requestBody:
description: Access Request Parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
oneOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow'
- $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow'
- $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow'
responses:
"200":
description: OK
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/openid.spec.AccessResponse'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/revocation:
post:
tags:
- OpenID Connect 1.0
summary: OAuth 2.0 Token Revocation Endpoint
description: >
This endpoint performs OAuth 2.0 Token Revocation Requests.
requestBody:
description: Required OAuth 2.0 revocation parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/openid.spec.IntrospectionRequest'
responses:
"200":
description: OK
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/introspection:
post:
tags:
- OpenID Connect 1.0
summary: OAuth 2.0 Token Introspection Endpoint
description: >
This endpoint performs OAuth 2.0 Token Introspection Requests.
requestBody:
description: Required OAuth 2.0 introspection parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/openid.spec.IntrospectionRequest'
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.implementation.Claims.Object'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/userinfo:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 UserInfo Endpoint
description: >
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
parameters:
- in: query
name: access_token
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
schema:
type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
responses:
"200":
description: OK
content:
application/jwt: {}
application/json:
schema:
$ref: '#/components/schemas/openid.implementation.Claims.Object'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 UserInfo Endpoint
description: >
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
parameters:
- in: query
name: access_token
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
schema:
type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
requestBody:
content:
application/x-www-form-urlencoded:
schema:
type: object
properties:
access_token:
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
responses:
"200":
description: OK
content:
application/jwt: {}
application/json:
schema:
$ref: '#/components/schemas/openid.implementation.Claims.Object'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/consent:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Consent Information
description: >
This endpoint retrieves the consent information about a specific consent ID during the consent workflow.
parameters:
- $ref: '#/components/parameters/idRequiredParam'
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.request.consent'
"403":
description: Forbidden
security:
- authelia_auth: []
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Consent Response
description: >
This endpoint retrieves the consent response for a specific consent ID during the consent workflow.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.response.consent'
"403":
description: Forbidden
security:
- authelia_auth: []
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
components:
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
parameters:
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
originalMethodParam:
name: X-Original-Method
in: header
description: Request Method
required: true
style: simple
explode: true
schema:
type: string
enum:
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "PATCH"
- "DELETE"
- "TRACE"
- "CONNECT"
- "OPTIONS"
- "COPY"
- "LOCK"
- "MKCOL"
- "MOVE"
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
originalURLParam:
name: X-Original-URL
in: header
description: Redirection URL
required: true
style: simple
explode: true
schema:
type: string
forwardedMethodParam:
name: X-Forwarded-Method
in: header
description: Request Method
required: false
style: simple
explode: true
schema:
type: string
feat(configuration): allow rfc4918 http verbs in acl (#2988) This allows the HTTP Method verbs from RFC4918 to be used. See https://datatracker.ietf.org/doc/html/rfc4918 for more information.
2022-04-01 10:53:10 +00:00
enum:
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "PATCH"
- "DELETE"
- "TRACE"
- "CONNECT"
- "OPTIONS"
- "COPY"
- "LOCK"
- "MKCOL"
- "MOVE"
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
forwardedProtoParam:
name: X-Forwarded-Proto
in: header
description: Redirection URL (Scheme / Protocol)
required: true
style: simple
explode: true
example: "https"
schema:
type: string
forwardedHostParam:
name: X-Forwarded-Host
in: header
description: Redirection URL (Host)
required: true
style: simple
explode: true
example: "example.com"
schema:
type: string
forwardedURIParam:
name: X-Forwarded-Uri
in: header
description: Redirection URL (URI)
required: true
style: simple
explode: true
example: "/path/example"
schema:
type: string
forwardedForParam:
name: X-Forwarded-For
in: header
description: Clients IP address or IP address chain
required: false
style: simple
explode: true
example: "192.168.0.55,192.168.0.20"
schema:
type: string
autheliaURLParam:
name: X-Authelia-URL
in: header
description: Authelia Portal URL
required: false
style: simple
explode: true
example: "https://auth.example.com"
schema:
type: string
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
authParam:
name: auth
in: query
description: Switch authorization header and prompt for basic auth
required: false
schema:
type: string
enum: ["basic"]
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
idRequiredParam:
name: id
in: query
description: The ID of what is being requested
required: true
schema:
type: string
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
schemas:
fix(api): /api/checks/safe-redirection missing schemas (#2340) The following schemas for /api/checks/safe-redirection were missed in #2082: * handlers.checkURIWithinDomainRequestBody * handlers.checkURIWithinDomainResponseBody
2021-09-04 11:48:49 +00:00
handlers.checkURIWithinDomainRequestBody:
type: object
properties:
uri:
type: string
example: https://secure.example.com
handlers.checkURIWithinDomainResponseBody:
type: object
properties:
ok:
type: boolean
example: true
description: If redirection URL is safe.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
handlers.configuration.ConfigurationBody:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
available_methods:
type: array
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
description: List of available 2FA methods. If no methods exist 2FA is disabled.
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
items:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
enum:
- "totp"
- "webauthn"
- "mobile_push"
example: [totp, webauthn, mobile_push]
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 11:58:27 +00:00
handlers.configuration.PasswordPolicyConfigurationBody:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
mode:
type: string
description: The password policy mode.
enum:
- "disabled"
- "standard"
- "zxcvbn"
min_length:
type: integer
description: The minimum password length when using the standard mode.
max_length:
type: integer
description: The maximum password length when using the standard mode.
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server.
2022-04-15 09:30:51 +00:00
min_score:
type: integer
description: The minimum password score when using the zxcvbn mode.
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 11:58:27 +00:00
require_uppercase:
type: boolean
description: If uppercase characters are required when using the standard mode.
require_lowercase:
type: boolean
description: If uppercase characters are required when using the standard mode.
require_number:
type: boolean
description: If numeric characters are required when using the standard mode.
require_special:
type: boolean
description: If special characters are required when using the standard mode.
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
handlers.DuoDeviceBody:
required:
- device
- method
fix(handlers): logout redirection validation (#1908)
2021-04-13 08:38:12 +00:00
type: object
properties:
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
device:
fix(handlers): logout redirection validation (#1908)
2021-04-13 08:38:12 +00:00
type: string
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
example: ABCDE123456789FGHIJK
method:
type: string
example: push
handlers.DuoDevicesResponse:
fix(handlers): logout redirection validation (#1908)
2021-04-13 08:38:12 +00:00
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
result:
type: string
example: auth
devices:
type: array
items:
type: object
properties:
device:
type: string
example: ABCDE123456789FGHIJK
display_name:
type: string
example: iOS (+XX XXX XXX 123)
capabilities:
type: array
items:
type: string
example: push
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
handlers.bodyFirstFactorRequest:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
required:
- username
- password
type: object
properties:
username:
type: string
example: john
password:
type: string
example: password
targetURL:
type: string
example: https://home.example.com
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
workflow:
type: string
example: openid_connect
workflowID:
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
requestMethod:
type: string
example: GET
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
keepMeLoggedIn:
type: boolean
example: true
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
handlers.logoutRequestBody:
type: object
properties:
targetURL:
type: string
example: https://redirect.example.com
handlers.logoutResponseBody:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
safeTargetURL:
type: boolean
example: true
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
handlers.redirectResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
redirect:
type: string
example: https://home.example.com
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- if .PasswordReset }}
handlers.PasswordResetStep1RequestBody:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
required:
- username
type: object
properties:
username:
type: string
example: john
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
handlers.PasswordResetStep2RequestBody:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
required:
- password
type: object
properties:
password:
type: string
example: password
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if .Duo }}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
handlers.bodySignDuoRequest:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
targetURL:
type: string
example: https://secure.example.com
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
passcode:
type: string
workflow:
type: string
example: openid_connect
workflowID:
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
handlers.StateResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
username:
type: string
example: john
authentication_level:
type: integer
example: 1
default_redirection_url:
type: string
example: https://home.example.com
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
middlewares.ErrorResponse:
type: object
properties:
status:
type: string
example: KO
message:
type: string
example: Authentication failed, please retry later.
middlewares.IdentityVerificationFinishBody:
required:
- token
type: object
properties:
token:
type: string
example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY
middlewares.OkResponse:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
status:
type: string
example: OK
data:
type: object
handlers.UserInfo:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
display_name:
type: string
example: John Doe
method:
type: string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
enum:
- "totp"
- "webauthn"
- "mobile_push"
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
example: totp
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
has_webauthn:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: boolean
example: false
has_totp:
type: boolean
example: true
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
has_duo:
type: boolean
example: true
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
handlers.UserInfo.MethodBody:
required:
- method
type: object
properties:
method:
type: string
enum:
- "totp"
- "webauthn"
- "mobile_push"
example: totp
{{- if .TOTP }}
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
handlers.UserInfoTOTP:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
period:
default: 30
description: The period defined in the users TOTP configuration
type: integer
example: 30
digits:
default: 6
description: The number of digits defined in the users TOTP configuration
type: integer
example: 6
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
handlers.bodySignTOTPRequest:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
token:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
example: "123456"
targetURL:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
example: https://secure.example.com
workflow:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
example: openid_connect
workflowID:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
handlers.TOTPKeyResponse:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
status:
type: string
example: OK
data:
type: object
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
properties:
base32_secret:
type: string
example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
otpauth_url:
type: string
example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
{{- end }}
{{- if .Webauthn }}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
webauthn.PublicKeyCredential:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
rawId:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
format: byte
id:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
type:
type: string
webauthn.AuthenticatorResponse:
type: object
properties:
clientDataJSON:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
format: byte
webauthn.CredentialAttestationResponse:
allOf:
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
- type: object
properties:
clientExtensionResults:
type: object
properties:
appidExclude:
type: boolean
response:
allOf:
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
- type: object
properties:
attestationObject:
type: string
format: byte
webauthn.CredentialAssertionResponse:
allOf:
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
- type: object
properties:
response:
allOf:
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
- type: object
required: [authenticatorData, clientDataJSON, signature]
properties:
authenticatorData:
type: string
format: byte
clientDataJSON:
type: string
format: byte
clientExtensionResults:
type: object
properties:
appid:
type: boolean
example: false
signature:
type: string
format: byte
userHandle:
type: string
format: byte
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
workflow:
type: string
example: openid_connect
workflowID:
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
webauthn.PublicKeyCredentialCreationOptions:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
publicKey:
allOf:
- $ref: '#/components/schemas/webauthn.AttestationType'
- $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria'
- $ref: '#/components/schemas/webauthn.CredentialUserEntity'
- $ref: '#/components/schemas/webauthn.CredentialRPEntity'
- type: object
required:
- "challenge"
- "pubKeyCredParams"
properties:
challenge:
type: string
format: byte
pubKeyCredParams:
type: array
items:
type: object
required:
- "alg"
- "type"
properties:
alg:
type: integer
type:
type: string
example: public-key
enum:
- "public-key"
timeout:
type: integer
example: 60000
excludeCredentials:
type: array
items:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
extensions:
type: object
properties:
appidExclude:
type: string
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
example: {{ .BaseURL }}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
webauthn.PublicKeyCredentialRequestOptions:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
publicKey:
allOf:
- $ref: '#/components/schemas/webauthn.UserVerification'
- type: object
required:
- "challenge"
properties:
challenge:
type: string
timeout:
type: integer
example: 60000
rpId:
type: string
example: auth.example.com
allowCredentials:
type: array
items:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
extensions:
type: object
properties:
appid:
type: string
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 04:48:55 +00:00
example: {{ .BaseURL }}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
webauthn.Transports:
type: object
properties:
transports:
type: array
items:
type: string
example:
- "usb"
- "nfc"
enum:
- "usb"
- "nfc"
- "ble"
- "internal"
webauthn.UserVerification:
type: object
properties:
userVerification:
type: string
example: preferred
enum:
- "required"
- "preferred"
- "discouraged"
webauthn.AttestationType:
type: object
properties:
attestation:
type: string
example: direct
enum:
- "none"
- "indirect"
- "direct"
webauthn.AuthenticatorSelectionCriteria:
type: object
properties:
authenticatorSelection:
type: object
properties:
authenticatorAttachment:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
example: cross-platform
enum:
- "platform"
- "cross-platform"
residentKey:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
example: discouraged
enum:
- "discouraged"
- "preferred"
- "required"
requireResidentKey:
type: boolean
webauthn.CredentialDescriptor:
allOf:
- $ref: '#/components/schemas/webauthn.Transports'
- type: object
required:
- "id"
- "type"
properties:
id:
type: string
format: byte
type:
type: string
example: public-key
enum:
- "public-key"
webauthn.CredentialEntity:
type: object
required:
- "id"
- "name"
properties:
id:
type: string
name:
type: string
icon:
type: string
webauthn.CredentialRPEntity:
type: object
required:
- "rp"
properties:
rp:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialEntity'
webauthn.CredentialUserEntity:
type: object
required:
- "user"
properties:
user:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialEntity'
- type: object
required:
- "displayName"
properties:
displayName:
type: string
webauthn.AuthenticationExtensionsClientOutputs:
type: object
properties:
clientExtensionResults:
type: object
properties:
appid:
type: boolean
example: true
appidExclude:
type: boolean
example: false
uvm:
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
type: array
items:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
type: string
format: byte
credProps:
type: object
properties:
rk:
type: boolean
example: false
largeBlob:
type: object
properties:
supported:
type: boolean
example: false
blob:
type: string
written:
type: boolean
example: false
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
{{- if .OpenIDConnect }}
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.request.consent:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
client_id:
type: string
description: The identifier of the client for the user to provide consent for.
example: "app"
client_description:
description: The descriptive name of the client for the user to provide consent for.
type: string
example: "App Platform"
scopes:
description: The list of the requested scopes for the user to provide consent for.
type: array
items:
type: string
enum:
- "openid"
- "offline_access"
- "groups"
- "email"
- "profile"
audience:
description: The list of the requested audiences for the user to provide consent for.
type: array
items:
type: string
pre_configuration:
description: Indicates if this client supports pre-configuration.
type: boolean
example: true
openid.response.consent:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
id:
description: The identifier of the consent session.
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4"
client_id:
description: The identifier of the client for the user to provide consent for.
type: string
example: "app"
consent:
description: Indicates if the user consented to the consent request.
type: boolean
example: true
pre_configure:
description: Indicates if the user consented to pre-configuration.
type: boolean
example: true
openid.spec.Metadata.OAuth2AuthorizationServer:
type: object
required:
- issuer
- authorization_endpoint
- subject_types_supported
- response_types_supported
- require_pushed_authorization_requests
properties:
authorization_endpoint:
description: >
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/authorization"
claims_supported:
description: >
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
type: array
example:
- "amr"
- "aud"
- "azp"
- "client_id"
- "exp"
- "iat"
- "iss"
- "jti"
- "rat"
- "sub"
- "auth_time"
- "nonce"
- "email"
- "email_verified"
- "alt_emails"
- "groups"
- "preferred_username"
- "name"
items:
$ref: '#/components/schemas/openid.implementation.Claims.Array'
code_challenge_methods_supported:
description: >
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
type: array
example: ["S256", "none"]
items:
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
grant_types_supported:
type: array
description: >
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
Types. If omitted, the default value is ["authorization_code", "implicit"].
example: ["authorization_code", "implicit"]
items:
$ref: '#/components/schemas/openid.spec.GrantType'
introspection_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
Introspection: https://datatracker.ietf.org/doc/html/rfc7662
type: string
example: "{{ .BaseURL }}api/oidc/introspection"
introspection_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token
Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If
omitted, the set of supported authentication methods MUST be determined by other means. See Also:
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
introspection_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
present if either of these authentication methods are specified in the
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
issuer:
description:
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
type: string
example: "{{ .BaseURL }}"
jwks_uri:
description: >
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
type: string
example: "{{ .BaseURL }}jwks.json"
op_policy_uri:
description:
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
display this URL to the person registering the Client if it is given.
type: string
op_tos_uri:
description: >
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
terms of service. The registration process SHOULD display this URL to the person registering the Client if
it is given.
type: string
pushed_authorization_request_endpoint:
description: >
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
exchange for a "request_uri" value usable at the authorization server.
type: string
example: "{{ .BaseURL }}api/oidc/par"
registration_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
type: string
example: "{{ .BaseURL }}api/oidc/registration"
require_pushed_authorization_requests:
description: >
Boolean parameter indicating whether the authorization server accepts authorization request data only via
PAR. If omitted, the default value is "false".
type: boolean
example: false
response_modes_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
OpenID Providers is ["query", "fragment"].
type: array
example: ["query", "fragment"]
items:
$ref: '#/components/schemas/openid.spec.ResponseMode'
response_types_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
type: array
example: ["code", "id_token", "token id_token"]
items:
$ref: '#/components/schemas/openid.spec.ResponseType'
revocation_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
type: string
example: "{{ .BaseURL }}api/oidc/revocation"
revocation_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also:
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
revocation_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
scopes_supported:
description: >
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server
MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even
when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: array
example:
- "openid"
- "offline_access"
- "profile"
- "email"
- "groups"
items:
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
service_documentation:
description: >
URL of a page containing human-readable information that developers might want or need to know when using
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
then information on how to register Clients needs to be provided in this documentation.
type: string
example: "https://authelia.com"
subject_types_supported:
description: >
JSON array containing a list of the Subject Identifier types that this OP supports.
Valid types include pairwise and public.
type: array
example: ["public", "pairwise"]
items:
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
token_endpoint:
description: >
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/token"
token_endpoint_auth_methods_supported:
description: >
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
token_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519'
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
ui_locales_supported:
type: array
description: >
Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
example: ["en-US"]
items:
type: string
openid.spec.Metadata.OpenIDConfiguration:
type: object
required:
- "issuer"
- "authorization_endpoint"
- "subject_types_supported"
- "response_types_supported"
- "require_pushed_authorization_requests"
- "request_uri_parameter_supported"
- "require_request_uri_registration"
- "claims_parameter_supported"
- "frontchannel_logout_supported"
- "frontchannel_logout_session_supported"
- "backchannel_logout_supported"
- "backchannel_logout_session_supported"
properties:
acr_values_supported:
description:
JSON array containing a list of the Authentication Context Class References that this OP supports.
type: array
items:
type: string
authorization_endpoint:
description: >
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/authorization"
backchannel_logout_session_supported:
description: >
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
If omitted, the default value is false.
type: boolean
example: false
backchannel_logout_supported:
description: >
Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If
omitted, the default value is false.
type: boolean
example: false
claim_types_supported:
description: >
JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are
described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also:
OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
type: array
example: ["normal"]
items:
$ref: '#/components/schemas/openid.spec.ClaimType'
claims_locales_supported:
description: >
Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47
[RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
type: array
example: ["en-US"]
items:
type: string
claims_parameter_supported:
description: >
Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
If omitted, the default value is false.
type: boolean
example: false
claims_supported:
description: >
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
type: array
example:
- "amr"
- "aud"
- "azp"
- "client_id"
- "exp"
- "iat"
- "iss"
- "jti"
- "rat"
- "sub"
- "auth_time"
- "nonce"
- "email"
- "email_verified"
- "alt_emails"
- "groups"
- "preferred_username"
- "name"
items:
$ref: '#/components/schemas/openid.implementation.Claims.Array'
code_challenge_methods_supported:
description: >
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters:
https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
type: array
example: ["S256", "plain"]
items:
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
display_values_supported:
description: >
JSON array containing a list of the display parameter values that the OpenID Provider supports. These values
are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section
3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type: array
example: ["page"]
items:
$ref: '#/components/schemas/openid.spec.DisplayType'
frontchannel_logout_session_supported:
description: >
Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is
also included in ID Tokens issued by the OP. If omitted, the default value is false.
type: boolean
example: false
frontchannel_logout_supported:
description: >
Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
omitted, the default value is false.
type: boolean
example: false
grant_types_supported:
description: >
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
Types. If omitted, the default value is ["authorization_code", "implicit"].
type: array
example: ["authorization_code", "implicit"]
items:
$ref: '#/components/schemas/openid.spec.GrantType'
id_token_encryption_alg_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT:
https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCMKW"]
items:
$ref: '#/components/schemas/jose.spec.JWE.alg'
id_token_encryption_enc_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCM"]
items:
$ref: '#/components/schemas/jose.spec.JWE.enc'
id_token_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
(such as when using the Authorization Code Flow).
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.JWS.None'
introspection_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
type: string
example: "{{ .BaseURL }}api/oidc/introspection"
introspection_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access
Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section
7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also:
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
introspection_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
present if either of these authentication methods are specified in the
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
issuer:
description: >
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
type: string
example: "{{ .BaseURL }}"
jwks_uri:
description: >
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
type: string
example: "{{ .BaseURL }}jwks.json"
op_policy_uri:
description: >
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
display this URL to the person registering the Client if it is given.
type: string
op_tos_uri:
description: >
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
terms of service. The registration process SHOULD display this URL to the person registering the Client
if it is given.
type: string
pushed_authorization_request_endpoint:
description: >
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
exchange for a "request_uri" value usable at the authorization server.
type: string
example: "{{ .BaseURL }}api/oidc/par"
registration_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
type: string
example: "{{ .BaseURL }}api/oidc/registration"
request_object_encryption_alg_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
type: array
example: ["A256GCMKW"]
items:
$ref: '#/components/schemas/jose.spec.JWE.alg'
request_object_encryption_enc_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCM"]
items:
$ref: '#/components/schemas/jose.spec.JWE.enc'
request_object_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are
used both when the Request Object is passed by value (using the request parameter) and when it is passed by
reference (using the request_uri parameter). Servers SHOULD support none and RS256.
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.JWS.None'
request_uri_parameter_supported:
description: >
Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
support. If omitted, the default value is true.
type: boolean
example: true
require_pushed_authorization_requests:
description: >
Boolean parameter indicating whether the authorization server accepts authorization request data only via
PAR. If omitted, the default value is "false".
type: boolean
example: false
require_request_uri_registration:
description: >
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the
request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
default value is false.
type: boolean
example: false
response_modes_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
OpenID Providers is ["query", "fragment"].
type: array
example: ["query", "fragment"]
items:
$ref: '#/components/schemas/openid.spec.ResponseMode'
response_types_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
Providers MUST support the code, id_token, and the token id_token Response Type values.
type: array
example: ["code", "id_token", "token id_token"]
items:
$ref: '#/components/schemas/openid.spec.ResponseType'
revocation_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
type: string
example: "{{ .BaseURL }}api/oidc/revocation"
revocation_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
type: array
example: ["client_secret_basic"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
revocation_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
scopes_supported:
description: >
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope
values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core:
https://openid.net/specs/openid-connect-core-1_0.html
type: array
example:
- "openid"
- "offline_access"
- "profile"
- "email"
- "groups"
items:
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
service_documentation:
description: >
URL of a page containing human-readable information that developers might want or need to know when using
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
then information on how to register Clients needs to be provided in this documentation.
type: string
example: "https://www.authelia.com"
subject_types_supported:
description: >
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
pairwise and public.
type: array
example: ["public", "pairwise"]
items:
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
token_endpoint:
description: >
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/token"
token_endpoint_auth_methods_supported:
description: >
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
token_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the
private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256.
The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
ui_locales_supported:
description: >
Languages and scripts supported for the user interface, represented as a JSON array of BCP47
[RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
type: array
example: ["en-US"]
items:
type: string
userinfo_encryption_alg_values_supported:
description: >
JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the
UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE:
https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCMKW"]
items:
$ref: '#/components/schemas/jose.spec.JWE.alg'
userinfo_encryption_enc_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo
Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCM"]
items:
$ref: '#/components/schemas/jose.spec.JWE.enc'
userinfo_endpoint:
description: >
URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port,
path, and query parameter components.
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/userinfo"
userinfo_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
docs: fix rfc references and fix misc issues (#4879)
2023-02-05 07:11:30 +00:00
JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
JWT: https://datatracker.ietf.org/doc/html/rfc7519
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
type: array
example: ["none", "RS256"]
items:
$ref: '#/components/schemas/jose.spec.JWS.None'
openid.implementation.Claims.Array:
type: array
items:
type: string
enum:
- "amr"
- "aud"
- "azp"
- "client_id"
- "exp"
- "iat"
- "iss"
- "jti"
- "rat"
- "sub"
- "auth_time"
- "nonce"
- "email"
- "email_verified"
- "alt_emails"
- "groups"
- "preferred_username"
- "name"
openid.implementation.Claims.Object:
description: OpenID Connect 1.0 User Claims.
type: object
properties:
amr:
type: array
items:
type: string
enum:
- "mfa"
- "mca"
- "user"
- "pin"
- "pwd"
- "otp"
- "hwk"
- "sms"
aud:
type: array
items:
type: string
azp:
type: string
client_id:
type: string
scope:
type: string
scp:
type: array
items:
type: string
exp:
type: integer
iat:
type: integer
iss:
type: string
jti:
type: string
rat:
type: integer
sub:
type: string
auth_time:
type: integer
nonce:
type: string
email:
type: string
email_verified:
type: boolean
alt_emails:
type: array
items:
type: string
groups:
type: array
items:
type: string
preferred_username:
type: string
name:
type: string
openid.implementation.Scopes.Object:
description: The scope.
type: string
oneOf:
- $ref: '#/components/schemas/openid.spec.Scopes'
- type: string
enum:
- "groups"
openid.spec.Scopes:
type: string
enum:
- "openid"
- "offline_access"
- "profile"
- "email"
- "address"
- "phone"
openid.spec.IntrospectionRequest:
required:
- "token"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: object
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
properties:
token:
description: >
The string value of the token. For access tokens, this
is the "access_token" value returned from the token endpoint
defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens,
this is the "refresh_token" value returned from the token endpoint
as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
are outside the scope of this specification.
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
token_type_hint:
description: >
A hint about the type of the token submitted for
introspection. The protected resource MAY pass this parameter to
help the authorization server optimize the token lookup. If the
server is unable to locate the token using the given hint, it MUST
extend its search across all of its supported token types. An
authorization server MAY ignore this parameter, particularly if it
is able to detect the token type automatically. Values for this
field are defined in the "OAuth Token Type Hints" registry defined
in OAuth Token Revocation [RFC7009].
enum:
- "access_token"
- "refresh_token"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "access_token"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.AccessRequest.ClientAuth:
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
oneOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base'
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Secret'
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.JWT'
openid.spec.AccessRequest.ClientAuth.Base:
required:
- "client_id"
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
type: object
properties:
client_id:
description: >
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
REQUIRED if the client is not authenticating with the authorization server as described in
Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
example: "my_client"
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
type: string
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
openid.spec.AccessRequest.ClientAuth.Secret:
required:
- "client_secret"
type: object
properties:
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
client_secret:
description: >
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.
format: password
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
openid.spec.AccessRequest.ClientAuth.JWT:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base'
- type: object
required:
- "client_assertion"
- "client_assertion_type"
properties:
client_assertion:
description: >
The value of the client_assertion_type parameter MUST be
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
enum:
- "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
example: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
type: string
client_assertion_type:
description: >
A JWT signed with HS256 using the client secret value or RS256 using a registered public key.
Theoretically a properly formed JWT signed using HS256 with the client secret as the HMAC key should
work but this has not been tested.
format: password
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.AccessRequest.AuthorizationCodeFlow:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
- type: object
required:
- "code"
- "grant_type"
properties:
grant_type:
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
description: Value MUST be set to "code".
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
enum:
- "authorization_code"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
code:
description: The Authorization Code.
example: "authelia_ac_1j2kn3knj12n3kj12n"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
code_verifier:
description: The Authorization Code Verifier (PKCE).
example: "88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
redirect_uri:
description: The original Redirect URI used in the Authorization Request.
example: "https://app.example.com/oidc/callback"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.AccessRequest.DeviceCodeFlow:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
- type: object
required:
- "grant_type"
- "device_code"
properties:
grant_type:
description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
enum:
- "urn:ietf:params:oauth:grant-type:device_code"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
device_code:
description: The Device Authorization Code.
example: "authelia_dc_mn123kjn12kj3123njk"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.AccessRequest.RefreshTokenFlow:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
- type: object
required:
- "grant_type"
- "device_code"
properties:
grant_type:
description: Value MUST be set to "refresh_token".
enum:
- "refresh_token"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
refresh_token:
description: The Refresh Token.
example: "authelia_rt_1n2j3kihn12kj3n12k"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
scope:
description: >
The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "openid profile groups"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.AccessResponse:
type: object
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
required:
- "access_token"
- "token_type"
- "expires_in"
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
properties:
access_token:
description: The access token issued by the authorization server.
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
type: string
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
id_token:
description: The id token issued by the authorization server.
example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
type: string
refresh_token:
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
description: >
The refresh token, which can be used to obtain new access tokens using the
same authorization grant as described in Section 6.
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i"
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
type: string
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
token_type:
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
description: >
The access token type provides the client with the information
required to successfully utilize the access token to make a protected
resource request (along with type-specific attributes). The client
MUST NOT use an access token if it does not understand the token
type.
enum:
- "bearer"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "bearer"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
expires_in:
description: >
The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value.
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: 3600
type: integer
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
state:
description: Exactly the state value passed in the authorization request if present.
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB"
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
type: string
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
scope:
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
description: >
The scope of the access token as described by Section 3.3 if it differs from the requested scope.
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "openid profile groups"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.AuthorizeRequest:
type: object
required:
- "scope"
- "response_type"
- "client_id"
- "redirect_uri"
properties:
scope:
description: The requested scope.
example: "openid profile groups"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
response_type:
$ref: '#/components/schemas/openid.spec.ResponseType'
client_id:
description: The OAuth 2.0 client identifier.
example: "app"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
redirect_uri:
description: >
Redirection URI to which the response will be sent. This URI MUST exactly match one of the
Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
scheme, such as one that is intended to identify a callback into a native application.
example: "https://app.example.com"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
state:
description: >
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
parameter with a browser cookie.
example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
response_mode:
$ref: '#/components/schemas/openid.spec.ResponseMode'
nonce:
description: >
String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
implementation notes, see Section 15.5.2.
example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
display:
$ref: '#/components/schemas/openid.spec.DisplayType'
prompt:
description: >
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether
the Authorization Server prompts the End-User for reauthentication and consent.
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
enum:
- "none"
- "login"
- "consent"
- "select_account"
- "login consent"
- "login select_account"
- "consent select_account"
example: "consent"
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
type: string
max_age:
description: >
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
Token returned MUST include an auth_time Claim Value.
type: integer
ui_locales:
description: >
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
a region designation), followed by English (without a region designation). An error SHOULD NOT
result if some or all of the requested locales are not supported by the OpenID Provider.
type: string
claims_locales:
description: >
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
type: string
id_token_hint:
description: >
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
the End-User's current or past authenticated session with the Client. If the End-User identified by
the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
not present. The Authorization Server need not be listed as an audience of the ID Token when it is
used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
id_token_hint value.
type: string
login_hint:
description: >
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
address (or other identifier) and then wants to pass that value as a hint to the discovered
authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
This value MAY also be a phone number in the format specified for the phone_number Claim. The use
of this parameter is left to the OP's discretion.
type: string
acr_values:
description: >
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
specifies the acr values that the Authorization Server is being requested to use for processing this
Authentication Request, with the values appearing in order of preference. The Authentication Context
Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
type: string
claims:
description: >
Not Supported: The claims parameter value, as specified in Section 5.5.
type: string
registration:
description: >
Not Supported: This parameter is used by the Client to provide information about itself to a
Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
specified in Section 7.2.1.
type: string
request:
description: >
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be
encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
algorithm used is RSA1_5.
type: string
openid.spec.SubjectIdentifier:
description: >
A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
End-User, which is intended to be consumed by the Client.
enum:
- "public"
- "pairwise"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.ClientAuthMethod:
description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
enum:
- "client_secret_basic"
- "client_secret_post"
- "client_secret_jwt"
- "private_key_jwt"
- "none"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.DisplayType:
description: >
ASCII string value that specifies how the Authorization Server displays the authentication and consent user
interface pages to the End-User.
enum:
- "page"
- "popup"
- "touch"
- "wap"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "page"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.ResponseType:
description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
enum:
- "code"
- "id_token"
- "token"
- "code token"
- "code id_token"
- "token id_token"
- "code id_token token"
- "none"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "code"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.ResponseMode:
description: >
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
the default mode specified for the Response Type.
enum:
- "query"
- "fragment"
- "form_post"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "query"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.GrantType:
description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
enum:
- "authorization_code"
- "refresh_token"
- "implicit"
- "password"
- "client_credentials"
- "urn:ietf:params:oauth:grant-type:device_code"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "authorization_code"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.CodeChallengeMethod:
description: The RFC7636 Code Challenge Verifier Method.
enum:
- "plain"
- "S256"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "S256"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid.spec.ClaimType:
description: The representation of claims.
enum:
- "normal"
- "aggregated"
- "distributed"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "normal"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
jose.spec.None:
description: The JSON Web Signature Algorithm
type: string
enum:
- "none"
jose.spec.JWS.None:
description: The JSON Web Signature Algorithm
oneOf:
- $ref: '#/components/schemas/jose.spec.None'
- $ref: '#/components/schemas/jose.spec.jws'
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
jose.spec.jws:
description: The JSON Web Signature Algorithm
enum:
- "HS256"
- "HS384"
- "HS512"
- "RS256"
- "RS384"
- "RS512"
- "ES256"
- "ES384"
- "ES512"
- "PS256"
- "PS384"
- "PS512"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
jose.spec.JWE.alg:
description: The JSON Web Encryption Algorithm (CEK)
enum:
- "RSA1_5"
- "RSA-OAEP"
- "RSA-OAEP-256"
- "A128KW"
- "A192KW"
- "A256KW"
- "dir"
- "ECDH-ES"
- "ECDH-ES+A128KW"
- "ECDH-ES+A192KW"
- "ECDH-ES+A256KW"
- "A128GCMKW"
- "A192GCMKW"
- "A256GCMKW"
- "PBES2-HS256+A128KW"
- "PBES2-HS384+A192KW"
- "PBES2-HS512+A256KW"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
jose.spec.JWE.enc:
description: The JSON Web Encryption Algorithm (Claims)
enum:
- "A128CBC-HS256"
- "A192CBC-HS384"
- "A256CBC-HS512"
- "A128CBC"
- "A256CBC"
- "A128GCM"
- "A256GCM"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
jose.spec.JWK.base:
type: object
properties:
use:
description: >
The "use" (public key use) parameter identifies the intended use of
the public key. The "use" parameter is employed to indicate whether
a public key is used for encrypting data or verifying the signature
on data.
enum:
- "sig"
- "enc"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
example: "sig"
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
key_ops:
description: >
The "key_ops" (key operations) parameter identifies the operation(s)
for which the key is intended to be used. The "key_ops" parameter is
intended for use cases in which public, private, or symmetric keys
may be present.
example: ["sign"]
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: array
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
items:
enum:
- "sign"
- "verify"
- "encrypt"
- "decrypt"
- "wrapKey"
- "unwrapKey"
- "deriveKey"
- "deriveBits"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
kid:
description: >
The "kid" (key ID) parameter is used to match a specific key. This
is used, for instance, to choose among a set of keys within a JWK Set
during key rollover. The structure of the "kid" value is
unspecified. When "kid" values are used within a JWK Set, different
keys within the JWK Set SHOULD use distinct "kid" values. (One
example in which different keys might use the same "kid" value is if
they have different "kty" (key type) values but are considered to be
equivalent alternatives by the application using them.) The "kid"
value is a case-sensitive string. Use of this member is OPTIONAL.
When used with JWS or JWE, the "kid" value is used to match a JWS or
JWE "kid" Header Parameter value.
type: string
x5u:
description: >
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
resource for an X.509 public key certificate or certificate chain
[RFC5280]. The identified resource MUST provide a representation of
the certificate or certificate chain that conforms to RFC 5280
[RFC5280] in PEM-encoded form, with each certificate delimited as
specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
certificate MUST match the public key represented by other members of
the JWK. The protocol used to acquire the resource MUST provide
integrity protection; an HTTP GET request to retrieve the certificate
MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
member is OPTIONAL.
type: string
x5c:
description: >
The "x5c" (X.509 certificate chain) parameter contains a chain of one
or more PKIX certificates [RFC5280]. The certificate chain is
represented as a JSON array of certificate value strings. Each
string in the array is a base64-encoded (Section 4 of [RFC4648] --
not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
The PKIX certificate containing the key value MUST be the first
certificate. This MAY be followed by additional certificates, with
each subsequent certificate being the one used to certify the
previous one. The key in the first certificate MUST match the public
key represented by other members of the JWK. Use of this member is
OPTIONAL.
type: array
items:
format: byte
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
x5t:
description: >
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
encoding of an X.509 certificate [RFC5280]. Note that certificate
thumbprints are also sometimes known as certificate fingerprints.
The key in the certificate MUST match the public key represented by
other members of the JWK. Use of this member is OPTIONAL.
format: byte
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
x5t#S256:
description: >
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
encoding of an X.509 certificate [RFC5280]. Note that certificate
thumbprints are also sometimes known as certificate fingerprints.
The key in the certificate MUST match the public key represented by
other members of the JWK. Use of this member is OPTIONAL.
format: byte
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: string
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
jose.spec.JWK.RSA:
description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
- required:
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
- "kty"
- "n"
- "e"
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt.
2023-03-06 02:35:58 +00:00
type: object
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
properties:
kty:
description: >
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key.
type: string
example: "RSA"
enum:
- "RSA"
alg:
description: The JSON Web Signature Algorithm
type: string
example: "RS256"
enum:
- "RS256"
- "RS384"
- "RS512"
- "PS256"
- "PS384"
- "PS512"
n:
description: >
RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
represented as a Base64urlUInt-encoded value.
type: string
format: byte
e:
description: >
RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
jose.spec.JWK.RSA.Private:
description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
- type: object
required:
- "d"
properties:
d:
description: >
RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
private key. It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
p:
description: >
RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
q:
description: >
RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
represented as a Base64urlUInt-encoded value.
type: string
format: byte
dp:
description: >
RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
(CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
type: string
dq:
description: >
RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
second factor. It is represented as a Base64urlUInt-encoded value.
type: string
qi:
description: >
RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
factor. It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
oth:
description: >
The "oth" (other primes info) parameter contains an array of
information about any third and subsequent primes, should they exist.
type: array
items:
type: object
required:
- "r"
- "d"
- "t"
properties:
r:
description: >
The "r" (prime factor) parameter within an "oth" array member
represents the value of a subsequent prime factor. It is represented
as a Base64urlUInt-encoded value.
type: string
format: byte
d:
description: >
The "d" (factor CRT exponent) parameter within an "oth" array member
represents the CRT exponent of the corresponding prime factor. It is
represented as a Base64urlUInt-encoded value.
type: string
format: byte
t:
description: >
The "t" (factor CRT coefficient) parameter within an "oth" array
member represents the CRT coefficient of the corresponding prime
factor. It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
jose.spec.JWK.EC:
description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- type: object
required:
- "kty"
- "crv"
- "x"
properties:
kty:
description: >
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key.
type: string
example: "EC"
enum:
- "EC"
alg:
description: The JSON Web Signature Algorithm
type: string
example: "ES256"
enum:
- "ES256"
- "ES384"
- "ES512"
x:
description: >
EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
It is represented as the base64url encoding of the octet string representation of the coordinate, as
defined in Section 2.3.5 of SEC1 [SEC1].
type: string
format: byte
y:
description: >
EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
It is represented as the base64url encoding of the octet string representation of the coordinate, as
defined in Section 2.3.5 of SEC1 [SEC1].
type: string
format: byte
crv:
description: >
The curve parameter identifies the cryptographic curve used with the key. Curve
values from [DSS] used by this specification.
type: string
example: "P-521"
enum:
- "P-256"
- "P-384"
- "P-521"
- "Ed25519"
- "Ed448"
- "X25519"
- "X448"
- "secp256k1"
jose.spec.JWK.EC.Private:
description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- $ref: '#/components/schemas/jose.spec.JWK.EC'
- type: object
required:
- "d"
properties:
d:
description: >
ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
is represented as the base64url encoding of the octet string representation of the private key value,
as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
type: string
format: byte
jose.spec.JWK.Symmetric:
description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- type: object
required:
- "k"
properties:
kty:
description: >
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key.
type: string
example: "oct"
enum:
- "oct"
k:
description: >
The "k" (key value) parameter contains the value of the symmetric (or
other single-valued) key. It is represented as the base64url
encoding of the octet sequence containing the key value.
type: string
format: byte
jose.spec.JWK:
type: string
anyOf:
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
- $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
- $ref: '#/components/schemas/jose.spec.JWK.EC'
- $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
- $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
jose.spec.JWKs:
type: object
description: The JSON Web Key Sets Document as defined by RFC7517.
properties:
keys:
description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
type: array
items:
$ref: '#/components/schemas/jose.spec.JWK'
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
[FEATURE] Add API docs and swagger-ui (#1544) * [FEATURE] Add API docs and swagger-ui This change will serve out swagger-ui at the `/api/` root path. * Update descriptions and summaries in API spec * Utilise frontend assets from unit testing for Docker build steps * Fix tag for /api/user/* endpoints * Fix response schema for /api/user/info/2fa_method * Template and inject the session name during runtime into swagger-ui This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file. * Fix integration tests * Add U2F endpoints * Change swagger directory to api This change is to more closely conform to the golang-standards project layout. * Add authentication for u2f endpoints * Modify u2f endpoint descriptions * Rename and fix u2f 2fa sign endpoints * Fix request body for /api/secondfactor/u2f/sign endpoint Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 04:28:46 +00:00
securitySchemes:
authelia_auth:
type: apiKey
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
name: "{{ .Session }}"
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
in: cookie
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- if .OpenIDConnect }}
docs(api): update openapi.yml with oidc endpoints (#4572)
2022-12-14 05:18:34 +00:00
openid:
type: openIdConnect
openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration"
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required.
2023-01-03 03:49:02 +00:00
{{- end }}
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-10 20:51:00 +00:00
...