authelia/api/openapi.yml

3808 lines
147 KiB
YAML
Raw Normal View History

---
openapi: 3.0.3
info:
title: Authelia API
description: >
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single
sign-on (SSO) for your applications via a web portal.
contact:
name: Support
url: https://www.authelia.com/contact/
email: team@authelia.com
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0
version: 1.0.0
servers:
- url: "{{ .BaseURL }}"
description: Authelia API
tags:
- name: State
description: Configuration, health and state endpoints
- name: Authentication
description: Authentication endpoints
- name: Authorization
description: Authorization endpoints
{{- if .PasswordReset }}
- name: Password Reset
description: Password reset endpoints
- name: User Information
description: User configuration endpoints
{{- end }}
{{- if (or .TOTP .Webauthn .Duo) }}
- name: Second Factor
description: TOTP, Webauthn and Duo endpoints
externalDocs:
url: https://www.authelia.com/configuration/second-factor/introduction/
{{- end }}
{{- if .OpenIDConnect }}
- name: OpenID Connect 1.0
description: OpenID Connect 1.0 and OAuth 2.0 Endpoints
externalDocs:
url: https://www.authelia.com/integration/openid-connect/introduction/
{{- end }}
paths:
/api/configuration:
get:
tags:
- State
summary: Application Configuration
description: >
The configuration endpoint provides detailed information including available second factor methods, if any
second factor policies exist and the TOTP period configuration.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.configuration.ConfigurationBody'
"403":
description: Forbidden
security:
- authelia_auth: []
/api/configuration/password-policy:
get:
tags:
- State
summary: Password Policy Configuration
description: >
The password policy configuration endpoint provides a password policy for resetting passwords.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody'
/api/health:
head:
tags:
- State
summary: Application Health
description: The health check endpoint provides information about the health of Authelia.
responses:
"200":
description: Successful Operation
get:
tags:
- State
summary: Application Health
description: The health check endpoint provides information about the health of Authelia.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
/api/state:
get:
tags:
- State
summary: User Application State
description: >
The state endpoint provides detailed information including the user, current authenticate level and Authelia's
configured default redirection URL.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.StateResponse'
{{- range $name, $config := .EndpointsAuthz }}
{{- $uri := printf "/api/authz/%s" $name }}
{{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
{{ $uri }}:
{{- if (eq $config.Implementation "Legacy") }}
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (Legacy)
description: >
The legacy authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified domain with several proxies. It's generally recommended users use a proxy
specific endpoint instead.
parameters:
- name: X-Original-URL
in: header
description: Redirection URL
required: false
style: simple
explode: true
schema:
type: string
- $ref: '#/components/parameters/forwardedMethodParam'
- name: X-Forwarded-Proto
in: header
description: Redirection URL (Scheme / Protocol)
required: false
style: simple
explode: true
example: "https"
schema:
type: string
- name: X-Forwarded-Host
in: header
description: Redirection URL (Host)
required: false
style: simple
explode: true
example: "example.com"
schema:
type: string
- name: X-Forwarded-Uri
in: header
description: Redirection URL (URI)
required: false
style: simple
explode: true
example: "/path/example"
schema:
type: string
- $ref: '#/components/parameters/forwardedForParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "ExtAuthz") }}
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (ExtAuthz)
description: >
The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the Envoy proxy.
parameters:
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/forwardedHostParam'
- $ref: '#/components/parameters/forwardedURIParam'
- $ref: '#/components/parameters/forwardedForParam'
- $ref: '#/components/parameters/autheliaURLParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "ForwardAuth") }}
{{- range $method := list "get" "head" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (ForwardAuth)
description: >
The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies.
parameters:
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/forwardedHostParam'
- $ref: '#/components/parameters/forwardedURIParam'
- $ref: '#/components/parameters/forwardedForParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "AuthRequest") }}
{{- range $method := list "get" "head" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (AuthRequest)
description: >
The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies.
parameters:
- $ref: '#/components/parameters/originalMethodParam'
- $ref: '#/components/parameters/originalURLParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- end }}
{{- end }}
/api/firstfactor:
post:
tags:
- Authentication
summary: Login
description: >
The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.bodyFirstFactorRequest'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/checks/safe-redirection:
post:
tags:
- Authentication
summary: Check whether URI is safe to redirect to.
description: >
End users usually needs to be redirected to a target website after authentication. This endpoint aims to check
if target URL is safe to redirect to. This prevents open redirect attacks.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody'
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/logout:
post:
tags:
- Authentication
summary: Logout
description: The logout endpoint allows a user to logout and destroy a sesssion.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.logoutRequestBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.logoutResponseBody'
security:
- authelia_auth: []
{{- if .PasswordReset }}
/api/reset-password/identity/start:
post:
tags:
- Password Reset
summary: Identity Verification Token Creation
description: >
This endpoint is step 1 of 3 in the password reset process.
It validates the user session and sends the user an email with a token and a link to reset their password. This
step also generates a session cookie for the rest of the process.
The same session cookie must be used for all steps in this process.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/reset-password/identity/finish:
post:
tags:
- Password Reset
summary: Identity Verification Token Validation
description: >
This endpoint is step 2 of 3 in the password reset process.
It validates the user session and reset token.
The same session cookie must be used for all steps in this process.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/reset-password:
post:
tags:
- Password Reset
summary: Password Reset
description: >
This endpoint is step 3 of 3 in the password reset process.
It validates the user session and changes the password.
The same session cookie must be used for all steps in this process.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
{{- end }}
/api/user/info:
get:
tags:
- User Information
summary: User Configuration
description: >
The user info endpoint provides detailed information including a users display name, preferred and registered
second factor method(s).
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfo'
"403":
description: Forbidden
security:
- authelia_auth: []
post:
tags:
- User Information
summary: User Configuration
description: >
The user info endpoint provides detailed information including a users display name, preferred and registered
second factor method(s). The POST method also ensures the preferred method is configured correctly.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfo'
"403":
description: Forbidden
security:
- authelia_auth: []
/api/user/info/2fa_method:
post:
tags:
- User Information
summary: User Configuration
description: The user info 2fa_method endpoint sets the users preferred second factor method.
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfo.MethodBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
"403":
description: Forbidden
security:
- authelia_auth: []
{{- if .TOTP }}
/api/user/info/totp:
get:
tags:
- User Information
summary: User TOTP Configuration
description: >
The user TOTP info endpoint provides information necessary to display the TOTP component to validate their
TOTP input such as the period/frequency and number of digits.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.UserInfoTOTP'
"403":
description: Forbidden
security:
- authelia_auth: []
/api/secondfactor/totp/identity/start:
post:
tags:
- Second Factor
summary: Identity Verification TOTP Token Creation
description: >
This endpoint performs identity verification to begin the TOTP device registration process.
The session generated from this endpoint must be utilised for the subsequent step in the
`/api/secondfactor/totp/identity/finish` endpoint.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/secondfactor/totp/identity/finish:
post:
tags:
- Second Factor
summary: Identity Verification TOTP Token Validation and Device Creation
description: >
This endpoint performs identity and token verification, upon success also generates TOTP device secret and
registers said device.
The session cookie generated from the `/api/secondfactor/totp/identity/start` endpoint must be utilised for the
step here.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.TOTPKeyResponse'
security:
- authelia_auth: []
/api/secondfactor/totp:
post:
tags:
- Second Factor
summary: Second Factor Authentication - TOTP
description: This endpoint performs second factor authentication with a TOTP key.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.bodySignTOTPRequest'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.ErrorResponse'
security:
- authelia_auth: []
{{- end }}
{{- if .Webauthn }}
/api/secondfactor/webauthn/assertion:
get:
tags:
- Second Factor
summary: Second Factor Authentication - Webauthn (Request)
description: This endpoint starts the second factor authentication process with the FIDO2 Webauthn credential.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions'
"401":
description: Unauthorized
security:
- authelia_auth: []
post:
tags:
- Second Factor
summary: Second Factor Authentication - Webauthn
description: This endpoint completes the second factor authentication process with the FIDO2 Webauthn credential.
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/webauthn.CredentialAssertionResponse"
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/secondfactor/webauthn/identity/start:
post:
tags:
- Second Factor
summary: Identity Verification Webauthn Credential Creation
description: >
This endpoint performs identity verification to begin the FIDO2 Webauthn credential attestation process
(registration).
The session generated from this endpoint must be utilised for the subsequent steps in the
`/api/secondfactor/webauthn/identity/finish` and `/api/secondfactor/webauthn/attestation` endpoints.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/secondfactor/webauthn/identity/finish:
post:
tags:
- Second Factor
summary: Identity Verification FIDO2 Webauthn Credential Validation
description: >
This endpoint performs identity and token verification, upon success generates a FIDO2 Webauthn device
attestation challenge (registration).
The session cookie generated from the `/api/secondfactor/webauthn/identity/start` endpoint must be utilised
for the subsequent steps here and in the `/api/secondfactor/webauthn/attestation` endpoint.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions'
security:
- authelia_auth: []
/api/secondfactor/webauthn/attestation:
post:
tags:
- Second Factor
summary: Webauthn Credential Attestation
description: This endpoint performs Webauthn credential attestation (registration).
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/webauthn.CredentialAttestationResponse'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
/api/secondfactor/webauthn/devices/{deviceID}:
delete:
tags:
- Second Factor
summary: Webauthn Device Deletion
description: This endpoint deletes the specified Webauthn credential.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
parameters:
- $ref: '#/components/parameters/deviceID'
put:
tags:
- Second Factor
summary: Webauthn Device Update
description: This endpoint updates the description of the specified Webauthn credential.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/webauthn.DeviceUpdateRequest'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
security:
- authelia_auth: []
parameters:
- $ref: '#/components/parameters/deviceID'
{{- end }}
{{- if .Duo }}
/api/secondfactor/duo:
post:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
description: This endpoint performs second factor authentication with a Duo Mobile Push.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.bodySignDuoRequest'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.redirectResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/secondfactor/duo_devices:
get:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
description: This endpoint retrieves a users available devices and capabilities from Duo.
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.DuoDevicesResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/secondfactor/duo_device:
post:
tags:
- Second Factor
summary: Second Factor Authentication - Duo Mobile Push
description: This endpoint updates the users preferred Duo device and method.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/handlers.DuoDeviceBody'
responses:
"200":
description: Successful Operation
content:
application/json:
schema:
$ref: '#/components/schemas/middlewares.OkResponse'
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- if .OpenIDConnect }}
/.well-known/openid-configuration:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect Discovery 1.0 Document
description: >
This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for
an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration'
"400":
description: Bad Request
"500":
description: Internal Server Error
/.well-known/oauth-authorization-server:
get:
tags:
- OpenID Connect 1.0
summary: OAuth 2.0 Authorization Server Metadata
description: >
This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer'
"400":
description: Bad Request
"500":
description: Internal Server Error
/jwks.json:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 JSON Web Key Set Document
description: >
This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate
information from this OpenID Connect 1.0 Provider.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/jose.spec.JWKs'
/api/oidc/authorization:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Authorization Endpoint
description: >
This endpoint performs OpenID Connect 1.0 Authorization.
parameters:
- in: query
name: id
required: false
description: The OpenID Connect 1.0 consent workflow ID.
schema:
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4"
- in: query
name: scope
description: The requested scope.
required: true
schema:
type: string
example: "openid profile groups"
- in: query
name: response_type
description: The OAuth 2.0 response type.
required: true
schema:
$ref: '#/components/schemas/openid.spec.ResponseType'
- in: query
name: client_id
description: The OAuth 2.0 client identifier.
required: true
schema:
type: string
example: "app"
- in: query
name: redirect_uri
description: >
Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI
values for the Client pre-registered at the OpenID Provider, with the matching performed as described in
Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use
the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as
defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this
case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback
into a native application.
required: true
schema:
type: string
example: "https://app.example.com"
- in: query
name: state
description: >
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request
Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a
browser cookie.
required: false
schema:
type: string
example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
- in: query
name: response_mode
description: >
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
the default mode specified for the Response Type.
required: false
schema:
$ref: '#/components/schemas/openid.spec.ResponseMode'
- in: query
name: nonce
description: >
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value
is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be
present in the nonce values used to prevent attackers from guessing values. For implementation notes, see
Section 15.5.2.
required: false
schema:
type: string
example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
- in: query
name: display
description: >
Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication
and consent user interface pages to the End-User.
required: false
schema:
$ref: '#/components/schemas/openid.spec.DisplayType'
- in: query
name: prompt
description: >
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
Authorization Server prompts the End-User for reauthentication and consent.
required: false
schema:
type: string
- in: query
name: max_age
description: >
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User
was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to
actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE
[OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an
auth_time Claim Value.
required: false
schema:
type: integer
example: 3600
- in: query
name: ui_locales
description: >
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
"fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region
designation), followed by English (without a region designation). An error SHOULD NOT result if some or all
of the requested locales are not supported by the OpenID Provider.
required: false
schema:
type: string
example: "en-US"
- in: query
name: claims_locales
description: >
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT
result if some or all of the requested locales are not supported by the OpenID Provider.
required: false
schema:
type: string
example: "en-US"
- in: query
name: id_token_hint
required: false
description: >
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the
End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token
is logged in or is logged in by the request, then the Authorization Server returns a positive response;
otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be
present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the
server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need
not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token
received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the
signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to
the Authentication Server using a key that enables the server to decrypt the ID Token, and use the
re-encrypted ID token as the id_token_hint value.
schema:
type: string
- in: query
name: login_hint
description: >
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in
(if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address
(or other identifier) and then wants to pass that value as a hint to the discovered authorization service.
It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone
number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's
discretion.
required: false
schema:
type: string
- in: query
name: acr_values
description: >
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
specifies the acr values that the Authorization Server is being requested to use for processing this
Authentication Request, with the values appearing in order of preference. The Authentication Context Class
satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2.
The acr Claim is requested as a Voluntary Claim by this parameter.
required: false
schema:
type: string
- in: query
name: claims
description: >
Not Supported: The claims parameter value, as specified in Section 5.5.
required: false
schema:
type: string
- in: query
name: registration
description: >
Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP
that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1.
required: false
schema:
type: string
- in: query
name: request
description: >
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to
the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this
Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only
supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
required: false
schema:
type: string
- in: query
name: code_challenge
description: >
RFC7636 Code Challenge.
required: false
schema:
type: string
- in: query
name: code_challenge_method
required: false
description: >
RFC7636 Code Challenge Method. defaults to "plain" if not present in the request.
Code verifier transformation method is "S256" or "plain".
schema:
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
responses:
"200":
description: OK
content:
text/html:
schema:
type: string
description: The Form Post Response Mode content.
"303":
description: See Other
headers:
Location:
schema:
type: string
description: >
Redirection location for the consent flow, or the authorization response callback location when using
the Query or Fragment Response Modes.
"400":
description: Bad Request
"500":
description: Internal Server Error
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Authorization Endpoint
description: >
This endpoint performs OpenID Connect 1.0 Authorization.
requestBody:
description: Authorize Request Parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/openid.spec.AuthorizeRequest'
responses:
"200":
description: OK
content:
text/html:
schema:
type: string
description: The Form Post Response Mode content.
"303":
description: See Other
headers:
Location:
schema:
type: string
description: >
Redirection location for the consent flow, or the authorization response callback location when using
the Query or Fragment Response Modes.
"400":
description: Bad Request
"500":
description: Internal Server Error
security:
- authelia_auth: []
/api/oidc/token:
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Token Endpoint
description: >
This endpoint performs OpenID Connect 1.0 Token Access Requests.
requestBody:
description: Access Request Parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
oneOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow'
- $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow'
- $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow'
responses:
"200":
description: OK
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/openid.spec.AccessResponse'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/revocation:
post:
tags:
- OpenID Connect 1.0
summary: OAuth 2.0 Token Revocation Endpoint
description: >
This endpoint performs OAuth 2.0 Token Revocation Requests.
requestBody:
description: Required OAuth 2.0 revocation parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/openid.spec.IntrospectionRequest'
responses:
"200":
description: OK
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/introspection:
post:
tags:
- OpenID Connect 1.0
summary: OAuth 2.0 Token Introspection Endpoint
description: >
This endpoint performs OAuth 2.0 Token Introspection Requests.
requestBody:
description: Required OAuth 2.0 introspection parameters.
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/openid.spec.IntrospectionRequest'
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.implementation.Claims.Object'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/userinfo:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 UserInfo Endpoint
description: >
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
parameters:
- in: query
name: access_token
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
schema:
type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
responses:
"200":
description: OK
content:
application/jwt: {}
application/json:
schema:
$ref: '#/components/schemas/openid.implementation.Claims.Object'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 UserInfo Endpoint
description: >
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
parameters:
- in: query
name: access_token
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
schema:
type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
requestBody:
content:
application/x-www-form-urlencoded:
schema:
type: object
properties:
access_token:
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
responses:
"200":
description: OK
content:
application/jwt: {}
application/json:
schema:
$ref: '#/components/schemas/openid.implementation.Claims.Object'
"401":
description: Forbidden
"403":
description: Unauthorized
"500":
description: Internal Server Error
security:
- openid: []
/api/oidc/consent:
get:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Consent Information
description: >
This endpoint retrieves the consent information about a specific consent ID during the consent workflow.
parameters:
- $ref: '#/components/parameters/idRequiredParam'
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.request.consent'
"403":
description: Forbidden
security:
- authelia_auth: []
post:
tags:
- OpenID Connect 1.0
summary: OpenID Connect 1.0 Consent Response
description: >
This endpoint retrieves the consent response for a specific consent ID during the consent workflow.
responses:
"200":
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/openid.response.consent'
"403":
description: Forbidden
security:
- authelia_auth: []
{{- end }}
components:
parameters:
deviceID:
in: path
name: deviceID
schema:
type: integer
required: true
description: Numeric Webauthn Device ID
originalMethodParam:
name: X-Original-Method
in: header
description: Request Method
required: true
style: simple
explode: true
schema:
type: string
enum:
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "PATCH"
- "DELETE"
- "TRACE"
- "CONNECT"
- "OPTIONS"
- "COPY"
- "LOCK"
- "MKCOL"
- "MOVE"
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
originalURLParam:
name: X-Original-URL
in: header
description: Redirection URL
required: true
style: simple
explode: true
schema:
type: string
forwardedMethodParam:
name: X-Forwarded-Method
in: header
description: Request Method
required: false
style: simple
explode: true
schema:
type: string
enum:
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "PATCH"
- "DELETE"
- "TRACE"
- "CONNECT"
- "OPTIONS"
- "COPY"
- "LOCK"
- "MKCOL"
- "MOVE"
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
forwardedProtoParam:
name: X-Forwarded-Proto
in: header
description: Redirection URL (Scheme / Protocol)
required: true
style: simple
explode: true
example: "https"
schema:
type: string
forwardedHostParam:
name: X-Forwarded-Host
in: header
description: Redirection URL (Host)
required: true
style: simple
explode: true
example: "example.com"
schema:
type: string
forwardedURIParam:
name: X-Forwarded-Uri
in: header
description: Redirection URL (URI)
required: true
style: simple
explode: true
example: "/path/example"
schema:
type: string
forwardedForParam:
name: X-Forwarded-For
in: header
description: Clients IP address or IP address chain
required: false
style: simple
explode: true
example: "192.168.0.55,192.168.0.20"
schema:
type: string
autheliaURLParam:
name: X-Authelia-URL
in: header
description: Authelia Portal URL
required: false
style: simple
explode: true
example: "https://auth.example.com"
schema:
type: string
authParam:
name: auth
in: query
description: Switch authorization header and prompt for basic auth
required: false
schema:
type: string
enum: ["basic"]
idRequiredParam:
name: id
in: query
description: The ID of what is being requested
required: true
schema:
type: string
schemas:
handlers.checkURIWithinDomainRequestBody:
type: object
properties:
uri:
type: string
example: https://secure.example.com
handlers.checkURIWithinDomainResponseBody:
type: object
properties:
ok:
type: boolean
example: true
description: If redirection URL is safe.
handlers.configuration.ConfigurationBody:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
available_methods:
type: array
description: List of available 2FA methods. If no methods exist 2FA is disabled.
items:
enum:
- "totp"
- "webauthn"
- "mobile_push"
example: [totp, webauthn, mobile_push]
handlers.configuration.PasswordPolicyConfigurationBody:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
mode:
type: string
description: The password policy mode.
enum:
- "disabled"
- "standard"
- "zxcvbn"
min_length:
type: integer
description: The minimum password length when using the standard mode.
max_length:
type: integer
description: The maximum password length when using the standard mode.
min_score:
type: integer
description: The minimum password score when using the zxcvbn mode.
require_uppercase:
type: boolean
description: If uppercase characters are required when using the standard mode.
require_lowercase:
type: boolean
description: If uppercase characters are required when using the standard mode.
require_number:
type: boolean
description: If numeric characters are required when using the standard mode.
require_special:
type: boolean
description: If special characters are required when using the standard mode.
handlers.DuoDeviceBody:
required:
- device
- method
type: object
properties:
device:
type: string
example: ABCDE123456789FGHIJK
method:
type: string
example: push
handlers.DuoDevicesResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
result:
type: string
example: auth
devices:
type: array
items:
type: object
properties:
device:
type: string
example: ABCDE123456789FGHIJK
display_name:
type: string
example: iOS (+XX XXX XXX 123)
capabilities:
type: array
items:
type: string
example: push
handlers.bodyFirstFactorRequest:
required:
- username
- password
type: object
properties:
username:
type: string
example: john
password:
type: string
example: password
targetURL:
type: string
example: https://home.example.com
workflow:
type: string
example: openid_connect
workflowID:
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
requestMethod:
type: string
example: GET
keepMeLoggedIn:
type: boolean
example: true
handlers.logoutRequestBody:
type: object
properties:
targetURL:
type: string
example: https://redirect.example.com
handlers.logoutResponseBody:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
safeTargetURL:
type: boolean
example: true
handlers.redirectResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
redirect:
type: string
example: https://home.example.com
{{- if .PasswordReset }}
handlers.PasswordResetStep1RequestBody:
required:
- username
type: object
properties:
username:
type: string
example: john
handlers.PasswordResetStep2RequestBody:
required:
- password
type: object
properties:
password:
type: string
example: password
{{- end }}
{{- if .Duo }}
handlers.bodySignDuoRequest:
type: object
properties:
targetURL:
type: string
example: https://secure.example.com
passcode:
type: string
workflow:
type: string
example: openid_connect
workflowID:
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
{{- end }}
handlers.StateResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
username:
type: string
example: john
authentication_level:
type: integer
example: 1
default_redirection_url:
type: string
example: https://home.example.com
middlewares.ErrorResponse:
type: object
properties:
status:
type: string
example: KO
message:
type: string
example: Authentication failed, please retry later.
middlewares.IdentityVerificationFinishBody:
required:
- token
type: object
properties:
token:
type: string
example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY
middlewares.OkResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
handlers.UserInfo:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
display_name:
type: string
example: John Doe
method:
type: string
enum:
- "totp"
- "webauthn"
- "mobile_push"
example: totp
has_webauthn:
type: boolean
example: false
has_totp:
type: boolean
example: true
has_duo:
type: boolean
example: true
handlers.UserInfo.MethodBody:
required:
- method
type: object
properties:
method:
type: string
enum:
- "totp"
- "webauthn"
- "mobile_push"
example: totp
{{- if .TOTP }}
handlers.UserInfoTOTP:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
period:
default: 30
description: The period defined in the users TOTP configuration
type: integer
example: 30
digits:
default: 6
description: The number of digits defined in the users TOTP configuration
type: integer
example: 6
handlers.bodySignTOTPRequest:
type: object
properties:
token:
type: string
example: "123456"
targetURL:
type: string
example: https://secure.example.com
workflow:
type: string
example: openid_connect
workflowID:
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
handlers.TOTPKeyResponse:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
base32_secret:
type: string
example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
otpauth_url:
type: string
example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
{{- end }}
{{- if .Webauthn }}
webauthn.PublicKeyCredential:
type: object
properties:
rawId:
type: string
format: byte
id:
type: string
type:
type: string
webauthn.AuthenticatorResponse:
type: object
properties:
clientDataJSON:
type: string
format: byte
webauthn.CredentialAttestationResponse:
type: object
properties:
credential:
allOf:
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
- type: object
properties:
clientExtensionResults:
type: object
properties:
appidExclude:
type: boolean
response:
allOf:
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
- type: object
properties:
attestationObject:
type: string
format: byte
description:
type: string
webauthn.CredentialAssertionResponse:
allOf:
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
- type: object
properties:
response:
allOf:
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
- type: object
required: [authenticatorData, clientDataJSON, signature]
properties:
authenticatorData:
type: string
format: byte
clientDataJSON:
type: string
format: byte
clientExtensionResults:
type: object
properties:
appid:
type: boolean
example: false
signature:
type: string
format: byte
userHandle:
type: string
format: byte
workflow:
type: string
example: openid_connect
workflowID:
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c"
webauthn.DeviceUpdateRequest:
type: object
properties:
description:
type: string
webauthn.PublicKeyCredentialCreationOptions:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
publicKey:
allOf:
- $ref: '#/components/schemas/webauthn.AttestationType'
- $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria'
- $ref: '#/components/schemas/webauthn.CredentialUserEntity'
- $ref: '#/components/schemas/webauthn.CredentialRPEntity'
- type: object
required:
- "challenge"
- "pubKeyCredParams"
properties:
challenge:
type: string
format: byte
pubKeyCredParams:
type: array
items:
type: object
required:
- "alg"
- "type"
properties:
alg:
type: integer
type:
type: string
example: public-key
enum:
- "public-key"
timeout:
type: integer
example: 60000
excludeCredentials:
type: array
items:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
extensions:
type: object
properties:
appidExclude:
type: string
example: https://auth.example.com
webauthn.PublicKeyCredentialRequestOptions:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
publicKey:
allOf:
- $ref: '#/components/schemas/webauthn.UserVerification'
- type: object
required:
- "challenge"
properties:
challenge:
type: string
timeout:
type: integer
example: 60000
rpId:
type: string
example: auth.example.com
allowCredentials:
type: array
items:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
extensions:
type: object
properties:
appid:
type: string
example: https://auth.example.com
webauthn.Transports:
type: object
properties:
transports:
type: array
items:
type: string
example:
- "usb"
- "nfc"
enum:
- "usb"
- "nfc"
- "ble"
- "internal"
webauthn.UserVerification:
type: object
properties:
userVerification:
type: string
example: preferred
enum:
- "required"
- "preferred"
- "discouraged"
webauthn.AttestationType:
type: object
properties:
attestation:
type: string
example: direct
enum:
- "none"
- "indirect"
- "direct"
webauthn.AuthenticatorSelectionCriteria:
type: object
properties:
authenticatorSelection:
type: object
properties:
authenticatorAttachment:
type: string
example: cross-platform
enum:
- "platform"
- "cross-platform"
residentKey:
type: string
example: discouraged
enum:
- "discouraged"
- "preferred"
- "required"
requireResidentKey:
type: boolean
webauthn.CredentialDescriptor:
allOf:
- $ref: '#/components/schemas/webauthn.Transports'
- type: object
required:
- "id"
- "type"
properties:
id:
type: string
format: byte
type:
type: string
example: public-key
enum:
- "public-key"
webauthn.CredentialEntity:
type: object
required:
- "id"
- "name"
properties:
id:
type: string
name:
type: string
icon:
type: string
webauthn.CredentialRPEntity:
type: object
required:
- "rp"
properties:
rp:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialEntity'
webauthn.CredentialUserEntity:
type: object
required:
- "user"
properties:
user:
allOf:
- $ref: '#/components/schemas/webauthn.CredentialEntity'
- type: object
required:
- "displayName"
properties:
displayName:
type: string
webauthn.AuthenticationExtensionsClientOutputs:
type: object
properties:
clientExtensionResults:
type: object
properties:
appid:
type: boolean
example: true
appidExclude:
type: boolean
example: false
uvm:
type: array
items:
type: string
format: byte
credProps:
type: object
properties:
rk:
type: boolean
example: false
largeBlob:
type: object
properties:
supported:
type: boolean
example: false
blob:
type: string
written:
type: boolean
example: false
{{- end }}
{{- if .OpenIDConnect }}
openid.request.consent:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
client_id:
type: string
description: The identifier of the client for the user to provide consent for.
example: "app"
client_description:
description: The descriptive name of the client for the user to provide consent for.
type: string
example: "App Platform"
scopes:
description: The list of the requested scopes for the user to provide consent for.
type: array
items:
type: string
enum:
- "openid"
- "offline_access"
- "groups"
- "email"
- "profile"
audience:
description: The list of the requested audiences for the user to provide consent for.
type: array
items:
type: string
pre_configuration:
description: Indicates if this client supports pre-configuration.
type: boolean
example: true
openid.response.consent:
type: object
properties:
status:
type: string
example: OK
data:
type: object
properties:
id:
description: The identifier of the consent session.
type: string
format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4"
client_id:
description: The identifier of the client for the user to provide consent for.
type: string
example: "app"
consent:
description: Indicates if the user consented to the consent request.
type: boolean
example: true
pre_configure:
description: Indicates if the user consented to pre-configuration.
type: boolean
example: true
openid.spec.Metadata.OAuth2AuthorizationServer:
type: object
required:
- issuer
- authorization_endpoint
- subject_types_supported
- response_types_supported
- require_pushed_authorization_requests
properties:
authorization_endpoint:
description: >
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/authorization"
claims_supported:
description: >
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
type: array
example:
- "amr"
- "aud"
- "azp"
- "client_id"
- "exp"
- "iat"
- "iss"
- "jti"
- "rat"
- "sub"
- "auth_time"
- "nonce"
- "email"
- "email_verified"
- "alt_emails"
- "groups"
- "preferred_username"
- "name"
items:
$ref: '#/components/schemas/openid.implementation.Claims.Array'
code_challenge_methods_supported:
description: >
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
type: array
example: ["S256", "none"]
items:
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
grant_types_supported:
type: array
description: >
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
Types. If omitted, the default value is ["authorization_code", "implicit"].
example: ["authorization_code", "implicit"]
items:
$ref: '#/components/schemas/openid.spec.GrantType'
introspection_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
Introspection: https://datatracker.ietf.org/doc/html/rfc7662
type: string
example: "{{ .BaseURL }}api/oidc/introspection"
introspection_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token
Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If
omitted, the set of supported authentication methods MUST be determined by other means. See Also:
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
introspection_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
present if either of these authentication methods are specified in the
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
issuer:
description:
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
type: string
example: "{{ .BaseURL }}"
jwks_uri:
description: >
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
type: string
example: "{{ .BaseURL }}jwks.json"
op_policy_uri:
description:
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
display this URL to the person registering the Client if it is given.
type: string
op_tos_uri:
description: >
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
terms of service. The registration process SHOULD display this URL to the person registering the Client if
it is given.
type: string
pushed_authorization_request_endpoint:
description: >
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
exchange for a "request_uri" value usable at the authorization server.
type: string
example: "{{ .BaseURL }}api/oidc/par"
registration_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
type: string
example: "{{ .BaseURL }}api/oidc/registration"
require_pushed_authorization_requests:
description: >
Boolean parameter indicating whether the authorization server accepts authorization request data only via
PAR. If omitted, the default value is "false".
type: boolean
example: false
response_modes_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
OpenID Providers is ["query", "fragment"].
type: array
example: ["query", "fragment"]
items:
$ref: '#/components/schemas/openid.spec.ResponseMode'
response_types_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
type: array
example: ["code", "id_token", "token id_token"]
items:
$ref: '#/components/schemas/openid.spec.ResponseType'
revocation_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
type: string
example: "{{ .BaseURL }}api/oidc/revocation"
revocation_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also:
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
revocation_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
scopes_supported:
description: >
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server
MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even
when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: array
example:
- "openid"
- "offline_access"
- "profile"
- "email"
- "groups"
items:
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
service_documentation:
description: >
URL of a page containing human-readable information that developers might want or need to know when using
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
then information on how to register Clients needs to be provided in this documentation.
type: string
example: "https://authelia.com"
subject_types_supported:
description: >
JSON array containing a list of the Subject Identifier types that this OP supports.
Valid types include pairwise and public.
type: array
example: ["public", "pairwise"]
items:
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
token_endpoint:
description: >
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/token"
token_endpoint_auth_methods_supported:
description: >
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
token_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519'
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
ui_locales_supported:
type: array
description: >
Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
example: ["en-US"]
items:
type: string
openid.spec.Metadata.OpenIDConfiguration:
type: object
required:
- "issuer"
- "authorization_endpoint"
- "subject_types_supported"
- "response_types_supported"
- "require_pushed_authorization_requests"
- "request_uri_parameter_supported"
- "require_request_uri_registration"
- "claims_parameter_supported"
- "frontchannel_logout_supported"
- "frontchannel_logout_session_supported"
- "backchannel_logout_supported"
- "backchannel_logout_session_supported"
properties:
acr_values_supported:
description:
JSON array containing a list of the Authentication Context Class References that this OP supports.
type: array
items:
type: string
authorization_endpoint:
description: >
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/authorization"
backchannel_logout_session_supported:
description: >
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
If omitted, the default value is false.
type: boolean
example: false
backchannel_logout_supported:
description: >
Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If
omitted, the default value is false.
type: boolean
example: false
claim_types_supported:
description: >
JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are
described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also:
OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
type: array
example: ["normal"]
items:
$ref: '#/components/schemas/openid.spec.ClaimType'
claims_locales_supported:
description: >
Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47
[RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
type: array
example: ["en-US"]
items:
type: string
claims_parameter_supported:
description: >
Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
If omitted, the default value is false.
type: boolean
example: false
claims_supported:
description: >
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
type: array
example:
- "amr"
- "aud"
- "azp"
- "client_id"
- "exp"
- "iat"
- "iss"
- "jti"
- "rat"
- "sub"
- "auth_time"
- "nonce"
- "email"
- "email_verified"
- "alt_emails"
- "groups"
- "preferred_username"
- "name"
items:
$ref: '#/components/schemas/openid.implementation.Claims.Array'
code_challenge_methods_supported:
description: >
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters:
https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
type: array
example: ["S256", "plain"]
items:
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
display_values_supported:
description: >
JSON array containing a list of the display parameter values that the OpenID Provider supports. These values
are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section
3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type: array
example: ["page"]
items:
$ref: '#/components/schemas/openid.spec.DisplayType'
frontchannel_logout_session_supported:
description: >
Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is
also included in ID Tokens issued by the OP. If omitted, the default value is false.
type: boolean
example: false
frontchannel_logout_supported:
description: >
Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
omitted, the default value is false.
type: boolean
example: false
grant_types_supported:
description: >
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
Types. If omitted, the default value is ["authorization_code", "implicit"].
type: array
example: ["authorization_code", "implicit"]
items:
$ref: '#/components/schemas/openid.spec.GrantType'
id_token_encryption_alg_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT:
https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCMKW"]
items:
$ref: '#/components/schemas/jose.spec.JWE.alg'
id_token_encryption_enc_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCM"]
items:
$ref: '#/components/schemas/jose.spec.JWE.enc'
id_token_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
(such as when using the Authorization Code Flow).
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.JWS.None'
introspection_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
type: string
example: "{{ .BaseURL }}api/oidc/introspection"
introspection_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access
Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section
7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also:
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
introspection_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
present if either of these authentication methods are specified in the
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
issuer:
description: >
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
type: string
example: "{{ .BaseURL }}"
jwks_uri:
description: >
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
type: string
example: "{{ .BaseURL }}jwks.json"
op_policy_uri:
description: >
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
display this URL to the person registering the Client if it is given.
type: string
op_tos_uri:
description: >
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
terms of service. The registration process SHOULD display this URL to the person registering the Client
if it is given.
type: string
pushed_authorization_request_endpoint:
description: >
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
exchange for a "request_uri" value usable at the authorization server.
type: string
example: "{{ .BaseURL }}api/oidc/par"
registration_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
type: string
example: "{{ .BaseURL }}api/oidc/registration"
request_object_encryption_alg_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
type: array
example: ["A256GCMKW"]
items:
$ref: '#/components/schemas/jose.spec.JWE.alg'
request_object_encryption_enc_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCM"]
items:
$ref: '#/components/schemas/jose.spec.JWE.enc'
request_object_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are
used both when the Request Object is passed by value (using the request parameter) and when it is passed by
reference (using the request_uri parameter). Servers SHOULD support none and RS256.
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.JWS.None'
request_uri_parameter_supported:
description: >
Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
support. If omitted, the default value is true.
type: boolean
example: true
require_pushed_authorization_requests:
description: >
Boolean parameter indicating whether the authorization server accepts authorization request data only via
PAR. If omitted, the default value is "false".
type: boolean
example: false
require_request_uri_registration:
description: >
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the
request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
default value is false.
type: boolean
example: false
response_modes_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
OpenID Providers is ["query", "fragment"].
type: array
example: ["query", "fragment"]
items:
$ref: '#/components/schemas/openid.spec.ResponseMode'
response_types_supported:
description: >
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
Providers MUST support the code, id_token, and the token id_token Response Type values.
type: array
example: ["code", "id_token", "token id_token"]
items:
$ref: '#/components/schemas/openid.spec.ResponseType'
revocation_endpoint:
description: >
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
type: string
example: "{{ .BaseURL }}api/oidc/revocation"
revocation_endpoint_auth_methods_supported:
description: >
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
type: array
example: ["client_secret_basic"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
revocation_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
scopes_supported:
description: >
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope
values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core:
https://openid.net/specs/openid-connect-core-1_0.html
type: array
example:
- "openid"
- "offline_access"
- "profile"
- "email"
- "groups"
items:
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
service_documentation:
description: >
URL of a page containing human-readable information that developers might want or need to know when using
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
then information on how to register Clients needs to be provided in this documentation.
type: string
example: "https://www.authelia.com"
subject_types_supported:
description: >
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
pairwise and public.
type: array
example: ["public", "pairwise"]
items:
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
token_endpoint:
description: >
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/token"
token_endpoint_auth_methods_supported:
description: >
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
type: array
example: ["client_secret_post"]
items:
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
token_endpoint_auth_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the
private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256.
The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["RS256"]
items:
$ref: '#/components/schemas/jose.spec.jws'
ui_locales_supported:
description: >
Languages and scripts supported for the user interface, represented as a JSON array of BCP47
[RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
type: array
example: ["en-US"]
items:
type: string
userinfo_encryption_alg_values_supported:
description: >
JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the
UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE:
https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCMKW"]
items:
$ref: '#/components/schemas/jose.spec.JWE.alg'
userinfo_encryption_enc_values_supported:
description: >
JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo
Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["A256GCM"]
items:
$ref: '#/components/schemas/jose.spec.JWE.enc'
userinfo_endpoint:
description: >
URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port,
path, and query parameter components.
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string
example: "{{ .BaseURL }}api/oidc/userinfo"
userinfo_signing_alg_values_supported:
description: >
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["none", "RS256"]
items:
$ref: '#/components/schemas/jose.spec.JWS.None'
openid.implementation.Claims.Array:
type: array
items:
type: string
enum:
- "amr"
- "aud"
- "azp"
- "client_id"
- "exp"
- "iat"
- "iss"
- "jti"
- "rat"
- "sub"
- "auth_time"
- "nonce"
- "email"
- "email_verified"
- "alt_emails"
- "groups"
- "preferred_username"
- "name"
openid.implementation.Claims.Object:
description: OpenID Connect 1.0 User Claims.
type: object
properties:
amr:
type: array
items:
type: string
enum:
- "mfa"
- "mca"
- "user"
- "pin"
- "pwd"
- "otp"
- "hwk"
- "sms"
aud:
type: array
items:
type: string
azp:
type: string
client_id:
type: string
scope:
type: string
scp:
type: array
items:
type: string
exp:
type: integer
iat:
type: integer
iss:
type: string
jti:
type: string
rat:
type: integer
sub:
type: string
auth_time:
type: integer
nonce:
type: string
email:
type: string
email_verified:
type: boolean
alt_emails:
type: array
items:
type: string
groups:
type: array
items:
type: string
preferred_username:
type: string
name:
type: string
openid.implementation.Scopes.Object:
description: The scope.
type: string
oneOf:
- $ref: '#/components/schemas/openid.spec.Scopes'
- type: string
enum:
- "groups"
openid.spec.Scopes:
type: string
enum:
- "openid"
- "offline_access"
- "profile"
- "email"
- "address"
- "phone"
openid.spec.IntrospectionRequest:
required:
- "token"
type: object
properties:
token:
description: >
The string value of the token. For access tokens, this
is the "access_token" value returned from the token endpoint
defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens,
this is the "refresh_token" value returned from the token endpoint
as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
are outside the scope of this specification.
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
type: string
token_type_hint:
description: >
A hint about the type of the token submitted for
introspection. The protected resource MAY pass this parameter to
help the authorization server optimize the token lookup. If the
server is unable to locate the token using the given hint, it MUST
extend its search across all of its supported token types. An
authorization server MAY ignore this parameter, particularly if it
is able to detect the token type automatically. Values for this
field are defined in the "OAuth Token Type Hints" registry defined
in OAuth Token Revocation [RFC7009].
enum:
- "access_token"
- "refresh_token"
example: "access_token"
type: string
openid.spec.AccessRequest.ClientAuth:
oneOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base'
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Secret'
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.JWT'
openid.spec.AccessRequest.ClientAuth.Base:
required:
- "client_id"
type: object
properties:
client_id:
description: >
REQUIRED if the client is not authenticating with the authorization server as described in
Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
example: "my_client"
type: string
openid.spec.AccessRequest.ClientAuth.Secret:
required:
- "client_secret"
type: object
properties:
client_secret:
description: >
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.
format: password
type: string
openid.spec.AccessRequest.ClientAuth.JWT:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base'
- type: object
required:
- "client_assertion"
- "client_assertion_type"
properties:
client_assertion:
description: >
The value of the client_assertion_type parameter MUST be
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
enum:
- "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
example: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
type: string
client_assertion_type:
description: >
A JWT signed with HS256 using the client secret value or RS256 using a registered public key.
Theoretically a properly formed JWT signed using HS256 with the client secret as the HMAC key should
work but this has not been tested.
format: password
type: string
openid.spec.AccessRequest.AuthorizationCodeFlow:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
- type: object
required:
- "code"
- "grant_type"
properties:
grant_type:
description: Value MUST be set to "code".
enum:
- "authorization_code"
type: string
code:
description: The Authorization Code.
example: "authelia_ac_1j2kn3knj12n3kj12n"
type: string
code_verifier:
description: The Authorization Code Verifier (PKCE).
example: "88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3"
type: string
redirect_uri:
description: The original Redirect URI used in the Authorization Request.
example: "https://app.example.com/oidc/callback"
type: string
openid.spec.AccessRequest.DeviceCodeFlow:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
- type: object
required:
- "grant_type"
- "device_code"
properties:
grant_type:
description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
enum:
- "urn:ietf:params:oauth:grant-type:device_code"
type: string
device_code:
description: The Device Authorization Code.
example: "authelia_dc_mn123kjn12kj3123njk"
type: string
openid.spec.AccessRequest.RefreshTokenFlow:
allOf:
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
- type: object
required:
- "grant_type"
- "device_code"
properties:
grant_type:
description: Value MUST be set to "refresh_token".
enum:
- "refresh_token"
type: string
refresh_token:
description: The Refresh Token.
example: "authelia_rt_1n2j3kihn12kj3n12k"
type: string
scope:
description: >
The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.
example: "openid profile groups"
type: string
openid.spec.AccessResponse:
type: object
required:
- "access_token"
- "token_type"
- "expires_in"
properties:
access_token:
description: The access token issued by the authorization server.
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
type: string
id_token:
description: The id token issued by the authorization server.
example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
type: string
refresh_token:
description: >
The refresh token, which can be used to obtain new access tokens using the
same authorization grant as described in Section 6.
example: "authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i"
type: string
token_type:
description: >
The access token type provides the client with the information
required to successfully utilize the access token to make a protected
resource request (along with type-specific attributes). The client
MUST NOT use an access token if it does not understand the token
type.
enum:
- "bearer"
example: "bearer"
type: string
expires_in:
description: >
The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value.
example: 3600
type: integer
state:
description: Exactly the state value passed in the authorization request if present.
example: "5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB"
type: string
scope:
description: >
The scope of the access token as described by Section 3.3 if it differs from the requested scope.
example: "openid profile groups"
type: string
openid.spec.AuthorizeRequest:
type: object
required:
- "scope"
- "response_type"
- "client_id"
- "redirect_uri"
properties:
scope:
description: The requested scope.
example: "openid profile groups"
type: string
response_type:
$ref: '#/components/schemas/openid.spec.ResponseType'
client_id:
description: The OAuth 2.0 client identifier.
example: "app"
type: string
redirect_uri:
description: >
Redirection URI to which the response will be sent. This URI MUST exactly match one of the
Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
scheme, such as one that is intended to identify a callback into a native application.
example: "https://app.example.com"
type: string
state:
description: >
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
parameter with a browser cookie.
example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
type: string
response_mode:
$ref: '#/components/schemas/openid.spec.ResponseMode'
nonce:
description: >
String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
implementation notes, see Section 15.5.2.
example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
type: string
display:
$ref: '#/components/schemas/openid.spec.DisplayType'
prompt:
description: >
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether
the Authorization Server prompts the End-User for reauthentication and consent.
enum:
- "none"
- "login"
- "consent"
- "select_account"
- "login consent"
- "login select_account"
- "consent select_account"
example: "consent"
type: string
max_age:
description: >
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
Token returned MUST include an auth_time Claim Value.
type: integer
ui_locales:
description: >
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
a region designation), followed by English (without a region designation). An error SHOULD NOT
result if some or all of the requested locales are not supported by the OpenID Provider.
type: string
claims_locales:
description: >
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
type: string
id_token_hint:
description: >
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
the End-User's current or past authenticated session with the Client. If the End-User identified by
the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
not present. The Authorization Server need not be listed as an audience of the ID Token when it is
used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
id_token_hint value.
type: string
login_hint:
description: >
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
address (or other identifier) and then wants to pass that value as a hint to the discovered
authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
This value MAY also be a phone number in the format specified for the phone_number Claim. The use
of this parameter is left to the OP's discretion.
type: string
acr_values:
description: >
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
specifies the acr values that the Authorization Server is being requested to use for processing this
Authentication Request, with the values appearing in order of preference. The Authentication Context
Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
type: string
claims:
description: >
Not Supported: The claims parameter value, as specified in Section 5.5.
type: string
registration:
description: >
Not Supported: This parameter is used by the Client to provide information about itself to a
Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
specified in Section 7.2.1.
type: string
request:
description: >
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be
encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
algorithm used is RSA1_5.
type: string
openid.spec.SubjectIdentifier:
description: >
A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
End-User, which is intended to be consumed by the Client.
enum:
- "public"
- "pairwise"
type: string
openid.spec.ClientAuthMethod:
description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
enum:
- "client_secret_basic"
- "client_secret_post"
- "client_secret_jwt"
- "private_key_jwt"
- "none"
type: string
openid.spec.DisplayType:
description: >
ASCII string value that specifies how the Authorization Server displays the authentication and consent user
interface pages to the End-User.
enum:
- "page"
- "popup"
- "touch"
- "wap"
example: "page"
type: string
openid.spec.ResponseType:
description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
enum:
- "code"
- "id_token"
- "token"
- "code token"
- "code id_token"
- "token id_token"
- "code id_token token"
- "none"
example: "code"
type: string
openid.spec.ResponseMode:
description: >
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
the default mode specified for the Response Type.
enum:
- "query"
- "fragment"
- "form_post"
example: "query"
type: string
openid.spec.GrantType:
description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
enum:
- "authorization_code"
- "refresh_token"
- "implicit"
- "password"
- "client_credentials"
- "urn:ietf:params:oauth:grant-type:device_code"
example: "authorization_code"
type: string
openid.spec.CodeChallengeMethod:
description: The RFC7636 Code Challenge Verifier Method.
enum:
- "plain"
- "S256"
example: "S256"
type: string
openid.spec.ClaimType:
description: The representation of claims.
enum:
- "normal"
- "aggregated"
- "distributed"
example: "normal"
type: string
jose.spec.None:
description: The JSON Web Signature Algorithm
type: string
enum:
- "none"
jose.spec.JWS.None:
description: The JSON Web Signature Algorithm
oneOf:
- $ref: '#/components/schemas/jose.spec.None'
- $ref: '#/components/schemas/jose.spec.jws'
type: string
jose.spec.jws:
description: The JSON Web Signature Algorithm
enum:
- "HS256"
- "HS384"
- "HS512"
- "RS256"
- "RS384"
- "RS512"
- "ES256"
- "ES384"
- "ES512"
- "PS256"
- "PS384"
- "PS512"
type: string
jose.spec.JWE.alg:
description: The JSON Web Encryption Algorithm (CEK)
enum:
- "RSA1_5"
- "RSA-OAEP"
- "RSA-OAEP-256"
- "A128KW"
- "A192KW"
- "A256KW"
- "dir"
- "ECDH-ES"
- "ECDH-ES+A128KW"
- "ECDH-ES+A192KW"
- "ECDH-ES+A256KW"
- "A128GCMKW"
- "A192GCMKW"
- "A256GCMKW"
- "PBES2-HS256+A128KW"
- "PBES2-HS384+A192KW"
- "PBES2-HS512+A256KW"
type: string
jose.spec.JWE.enc:
description: The JSON Web Encryption Algorithm (Claims)
enum:
- "A128CBC-HS256"
- "A192CBC-HS384"
- "A256CBC-HS512"
- "A128CBC"
- "A256CBC"
- "A128GCM"
- "A256GCM"
type: string
jose.spec.JWK.base:
type: object
properties:
use:
description: >
The "use" (public key use) parameter identifies the intended use of
the public key. The "use" parameter is employed to indicate whether
a public key is used for encrypting data or verifying the signature
on data.
enum:
- "sig"
- "enc"
example: "sig"
type: string
key_ops:
description: >
The "key_ops" (key operations) parameter identifies the operation(s)
for which the key is intended to be used. The "key_ops" parameter is
intended for use cases in which public, private, or symmetric keys
may be present.
example: ["sign"]
type: array
items:
enum:
- "sign"
- "verify"
- "encrypt"
- "decrypt"
- "wrapKey"
- "unwrapKey"
- "deriveKey"
- "deriveBits"
type: string
kid:
description: >
The "kid" (key ID) parameter is used to match a specific key. This
is used, for instance, to choose among a set of keys within a JWK Set
during key rollover. The structure of the "kid" value is
unspecified. When "kid" values are used within a JWK Set, different
keys within the JWK Set SHOULD use distinct "kid" values. (One
example in which different keys might use the same "kid" value is if
they have different "kty" (key type) values but are considered to be
equivalent alternatives by the application using them.) The "kid"
value is a case-sensitive string. Use of this member is OPTIONAL.
When used with JWS or JWE, the "kid" value is used to match a JWS or
JWE "kid" Header Parameter value.
type: string
x5u:
description: >
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
resource for an X.509 public key certificate or certificate chain
[RFC5280]. The identified resource MUST provide a representation of
the certificate or certificate chain that conforms to RFC 5280
[RFC5280] in PEM-encoded form, with each certificate delimited as
specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
certificate MUST match the public key represented by other members of
the JWK. The protocol used to acquire the resource MUST provide
integrity protection; an HTTP GET request to retrieve the certificate
MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
member is OPTIONAL.
type: string
x5c:
description: >
The "x5c" (X.509 certificate chain) parameter contains a chain of one
or more PKIX certificates [RFC5280]. The certificate chain is
represented as a JSON array of certificate value strings. Each
string in the array is a base64-encoded (Section 4 of [RFC4648] --
not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
The PKIX certificate containing the key value MUST be the first
certificate. This MAY be followed by additional certificates, with
each subsequent certificate being the one used to certify the
previous one. The key in the first certificate MUST match the public
key represented by other members of the JWK. Use of this member is
OPTIONAL.
type: array
items:
format: byte
type: string
x5t:
description: >
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
encoding of an X.509 certificate [RFC5280]. Note that certificate
thumbprints are also sometimes known as certificate fingerprints.
The key in the certificate MUST match the public key represented by
other members of the JWK. Use of this member is OPTIONAL.
format: byte
type: string
x5t#S256:
description: >
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
encoding of an X.509 certificate [RFC5280]. Note that certificate
thumbprints are also sometimes known as certificate fingerprints.
The key in the certificate MUST match the public key represented by
other members of the JWK. Use of this member is OPTIONAL.
format: byte
type: string
jose.spec.JWK.RSA:
description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- required:
- "kty"
- "n"
- "e"
type: object
properties:
kty:
description: >
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key.
type: string
example: "RSA"
enum:
- "RSA"
alg:
description: The JSON Web Signature Algorithm
type: string
example: "RS256"
enum:
- "RS256"
- "RS384"
- "RS512"
- "PS256"
- "PS384"
- "PS512"
n:
description: >
RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
represented as a Base64urlUInt-encoded value.
type: string
format: byte
e:
description: >
RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
jose.spec.JWK.RSA.Private:
description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
- type: object
required:
- "d"
properties:
d:
description: >
RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
private key. It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
p:
description: >
RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
q:
description: >
RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
represented as a Base64urlUInt-encoded value.
type: string
format: byte
dp:
description: >
RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
(CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
type: string
dq:
description: >
RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
second factor. It is represented as a Base64urlUInt-encoded value.
type: string
qi:
description: >
RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
factor. It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
oth:
description: >
The "oth" (other primes info) parameter contains an array of
information about any third and subsequent primes, should they exist.
type: array
items:
type: object
required:
- "r"
- "d"
- "t"
properties:
r:
description: >
The "r" (prime factor) parameter within an "oth" array member
represents the value of a subsequent prime factor. It is represented
as a Base64urlUInt-encoded value.
type: string
format: byte
d:
description: >
The "d" (factor CRT exponent) parameter within an "oth" array member
represents the CRT exponent of the corresponding prime factor. It is
represented as a Base64urlUInt-encoded value.
type: string
format: byte
t:
description: >
The "t" (factor CRT coefficient) parameter within an "oth" array
member represents the CRT coefficient of the corresponding prime
factor. It is represented as a Base64urlUInt-encoded value.
type: string
format: byte
jose.spec.JWK.EC:
description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- type: object
required:
- "kty"
- "crv"
- "x"
properties:
kty:
description: >
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key.
type: string
example: "EC"
enum:
- "EC"
alg:
description: The JSON Web Signature Algorithm
type: string
example: "ES256"
enum:
- "ES256"
- "ES384"
- "ES512"
x:
description: >
EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
It is represented as the base64url encoding of the octet string representation of the coordinate, as
defined in Section 2.3.5 of SEC1 [SEC1].
type: string
format: byte
y:
description: >
EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
It is represented as the base64url encoding of the octet string representation of the coordinate, as
defined in Section 2.3.5 of SEC1 [SEC1].
type: string
format: byte
crv:
description: >
The curve parameter identifies the cryptographic curve used with the key. Curve
values from [DSS] used by this specification.
type: string
example: "P-521"
enum:
- "P-256"
- "P-384"
- "P-521"
- "Ed25519"
- "Ed448"
- "X25519"
- "X448"
- "secp256k1"
jose.spec.JWK.EC.Private:
description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- $ref: '#/components/schemas/jose.spec.JWK.EC'
- type: object
required:
- "d"
properties:
d:
description: >
ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
is represented as the base64url encoding of the octet string representation of the private key value,
as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
type: string
format: byte
jose.spec.JWK.Symmetric:
description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
allOf:
- $ref: '#/components/schemas/jose.spec.JWK.base'
- type: object
required:
- "k"
properties:
kty:
description: >
The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key.
type: string
example: "oct"
enum:
- "oct"
k:
description: >
The "k" (key value) parameter contains the value of the symmetric (or
other single-valued) key. It is represented as the base64url
encoding of the octet sequence containing the key value.
type: string
format: byte
jose.spec.JWK:
type: string
anyOf:
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
- $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
- $ref: '#/components/schemas/jose.spec.JWK.EC'
- $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
- $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
jose.spec.JWKs:
type: object
description: The JSON Web Key Sets Document as defined by RFC7517.
properties:
keys:
description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
type: array
items:
$ref: '#/components/schemas/jose.spec.JWK'
{{- end }}
securitySchemes:
authelia_auth:
type: apiKey
name: "{{ .Session }}"
in: cookie
{{- if .OpenIDConnect }}
openid:
type: openIdConnect
openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration"
{{- end }}
...