refactor: adjust openapi (#5192)

Miscellaneous fixes to the OpenAPI Specification that were missed.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
James Elliott 2023-04-08 15:25:19 +10:00 committed by GitHub
parent 2dcfc0b04c
commit 0424652940
3 changed files with 106 additions and 115 deletions


@ -111,12 +111,8 @@ paths:
application/json: application/json:
schema: schema:
$ref: '#/components/schemas/handlers.StateResponse' $ref: '#/components/schemas/handlers.StateResponse'
{{- $redir := "https://auth.example.com/?rd=https%3A%2F%2Fexample.com&rm=GET" }} {{- $app := "" }}{{ if .Domain }}{{ $app = printf "https://%s/" .Domain }}{{ else if .BaseURL }}{{ $app = .BaseURL }}{{ else }}{{ $app = "https://app.example.com" }}{{ end }}
{{- if .Domain }} {{- $redir := printf "%s?rd=%s&rm=GET" (.BaseURL | default "https://auth.example.com/") (urlquery $app) }}
{{- $redir = printf "%s?rd=%s&rm=GET" .BaseURL (urlquery (printf "https://%s" .Domain)) }}
{{- else if .BaseURL }}
{{- $redir = printf "%s?rd=%s&rm=GET" .BaseURL (urlquery .BaseURL) }}
{{- end }}
{{- range $name, $config := .EndpointsAuthz }} {{- range $name, $config := .EndpointsAuthz }}
{{- $uri := printf "/api/authz/%s" $name }} {{- $uri := printf "/api/authz/%s" $name }}
{{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }} {{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
@ -147,7 +143,7 @@ paths:
required: false required: false
style: simple style: simple
explode: true explode: true
example: "https" example: 'https'
schema: schema:
type: string type: string
- name: X-Forwarded-Host - name: X-Forwarded-Host
@ -156,7 +152,7 @@ paths:
required: false required: false
style: simple style: simple
explode: true explode: true
example: "example.com" example: '{{ $.Domain | default "example.com" }}'
schema: schema:
type: string type: string
- name: X-Forwarded-Uri - name: X-Forwarded-Uri
@ -165,7 +161,7 @@ paths:
required: false required: false
style: simple style: simple
explode: true explode: true
example: "/path/example" example: '/path/example'
schema: schema:
type: string type: string
- $ref: '#/components/parameters/forwardedForParam' - $ref: '#/components/parameters/forwardedForParam'
@ -203,7 +199,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -213,7 +209,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -276,7 +272,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -286,7 +282,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -345,7 +341,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -355,7 +351,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -414,7 +410,7 @@ paths:
headers: headers:
location: location:
description: Redirect Location for user authorization description: Redirect Location for user authorization
example: {{ $redir }} example: '{{ $redir }}'
set-cookie: set-cookie:
description: Sets a new cookie value description: Sets a new cookie value
schema: schema:
@ -968,14 +964,14 @@ paths:
type: string type: string
format: uuid format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4" example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
- in: query - in: query
name: scope name: scope
description: The requested scope. description: The requested scope.
required: true required: true
schema: schema:
type: string type: string
example: "openid profile groups" example: 'openid profile groups'
- in: query - in: query
name: response_type name: response_type
description: The OAuth 2.0 response type. description: The OAuth 2.0 response type.
@ -988,7 +984,7 @@ paths:
required: true required: true
schema: schema:
type: string type: string
example: "app" example: 'app'
- in: query - in: query
name: redirect_uri name: redirect_uri
description: > description: >
@ -1002,7 +998,7 @@ paths:
required: true required: true
schema: schema:
type: string type: string
example: "https://app.example.com" example: 'https://app.{{ .Domain | default "example.com" }}'
- in: query - in: query
name: state name: state
description: > description: >
@ -1012,7 +1008,7 @@ paths:
required: false required: false
schema: schema:
type: string type: string
example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f" example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
- in: query - in: query
name: response_mode name: response_mode
description: > description: >
@ -1032,7 +1028,7 @@ paths:
required: false required: false
schema: schema:
type: string type: string
example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf" example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
- in: query - in: query
name: display name: display
description: > description: >
@ -1072,7 +1068,7 @@ paths:
required: false required: false
schema: schema:
type: string type: string
example: "en-US" example: 'en-US'
- in: query - in: query
name: claims_locales name: claims_locales
description: > description: >
@ -1082,7 +1078,7 @@ paths:
required: false required: false
schema: schema:
type: string type: string
example: "en-US" example: 'en-US'
- in: query - in: query
name: id_token_hint name: id_token_hint
required: false required: false
@ -1320,7 +1316,7 @@ paths:
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
schema: schema:
type: string type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
responses: responses:
"200": "200":
description: OK description: OK
@ -1349,7 +1345,7 @@ paths:
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
schema: schema:
type: string type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
requestBody: requestBody:
content: content:
application/x-www-form-urlencoded: application/x-www-form-urlencoded:
@ -1359,7 +1355,7 @@ paths:
access_token: access_token:
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
type: string type: string
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
responses: responses:
"200": "200":
description: OK description: OK
@ -1484,7 +1480,7 @@ components:
required: true required: true
style: simple style: simple
explode: true explode: true
example: "https" example: 'https'
schema: schema:
type: string type: string
forwardedHostParam: forwardedHostParam:
@ -1494,7 +1490,7 @@ components:
required: true required: true
style: simple style: simple
explode: true explode: true
example: "example.com" example: '{{ .Domain | default "example.com" }}'
schema: schema:
type: string type: string
forwardedURIParam: forwardedURIParam:
@ -1504,7 +1500,7 @@ components:
required: true required: true
style: simple style: simple
explode: true explode: true
example: "/path/example" example: '/path/example'
schema: schema:
type: string type: string
forwardedForParam: forwardedForParam:
@ -1514,7 +1510,7 @@ components:
required: false required: false
style: simple style: simple
explode: true explode: true
example: "192.168.0.55,192.168.0.20" example: '192.168.0.55,192.168.0.20'
schema: schema:
type: string type: string
autheliaURLParam: autheliaURLParam:
@ -1524,7 +1520,7 @@ components:
required: false required: false
style: simple style: simple
explode: true explode: true
example: "https://auth.example.com" example: '{{ .BaseURL | default "https://auth.example.com" }}'
schema: schema:
type: string type: string
authParam: authParam:
@ -1548,7 +1544,7 @@ components:
properties: properties:
uri: uri:
type: string type: string
example: https://secure.example.com example: 'https://secure.{{ .Domain | default "example.com" }}'
handlers.checkURIWithinDomainResponseBody: handlers.checkURIWithinDomainResponseBody:
type: object type: object
properties: properties:
@ -1665,7 +1661,7 @@ components:
example: password example: password
targetURL: targetURL:
type: string type: string
example: https://home.example.com example: 'https://home.{{ .Domain | default "example.com" }}'
workflow: workflow:
type: string type: string
example: openid_connect example: openid_connect
@ -1673,7 +1669,7 @@ components:
type: string type: string
format: uuid format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
requestMethod: requestMethod:
type: string type: string
example: GET example: GET
@ -1685,7 +1681,7 @@ components:
properties: properties:
targetURL: targetURL:
type: string type: string
example: https://redirect.example.com example: 'https://redirect.{{ .Domain | default "example.com" }}'
handlers.logoutResponseBody: handlers.logoutResponseBody:
type: object type: object
properties: properties:
@ -1709,7 +1705,7 @@ components:
properties: properties:
redirect: redirect:
type: string type: string
example: https://home.example.com example: 'https://home.{{ .Domain | default "example.com" }}'
{{- if .PasswordReset }} {{- if .PasswordReset }}
handlers.PasswordResetStep1RequestBody: handlers.PasswordResetStep1RequestBody:
required: required:
@ -1734,7 +1730,7 @@ components:
properties: properties:
targetURL: targetURL:
type: string type: string
example: https://secure.example.com example: 'https://secure.{{ .Domain | default "example.com" }}'
passcode: passcode:
type: string type: string
workflow: workflow:
@ -1744,7 +1740,7 @@ components:
type: string type: string
format: uuid format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
{{- end }} {{- end }}
handlers.StateResponse: handlers.StateResponse:
type: object type: object
@ -1763,7 +1759,7 @@ components:
example: 1 example: 1
default_redirection_url: default_redirection_url:
type: string type: string
example: https://home.example.com example: 'https://home.{{ .Domain | default "example.com" }}'
middlewares.ErrorResponse: middlewares.ErrorResponse:
type: object type: object
properties: properties:
@ -1854,10 +1850,10 @@ components:
properties: properties:
token: token:
type: string type: string
example: "123456" example: '123456'
targetURL: targetURL:
type: string type: string
example: https://secure.example.com example: 'https://secure.{{ .Domain | default "example.com" }}'
workflow: workflow:
type: string type: string
example: openid_connect example: openid_connect
@ -1865,7 +1861,7 @@ components:
type: string type: string
format: uuid format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
handlers.TOTPKeyResponse: handlers.TOTPKeyResponse:
type: object type: object
properties: properties:
@ -1880,7 +1876,7 @@ components:
example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
otpauth_url: otpauth_url:
type: string type: string
example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q example: 'otpauth://totp/{{ .Domain | default "example.com" }}:john?algorithm=SHA1&digits=6&issuer=auth.{{ .Domain | default "example.com" }}&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q'
{{- end }} {{- end }}
{{- if .Webauthn }} {{- if .Webauthn }}
webauthn.PublicKeyCredential: webauthn.PublicKeyCredential:
@ -1953,7 +1949,7 @@ components:
type: string type: string
format: uuid format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
webauthn.PublicKeyCredentialCreationOptions: webauthn.PublicKeyCredentialCreationOptions:
type: object type: object
properties: properties:
@ -2005,7 +2001,7 @@ components:
properties: properties:
appidExclude: appidExclude:
type: string type: string
example: {{ .BaseURL }} example: '{{ .BaseURL }}'
webauthn.PublicKeyCredentialRequestOptions: webauthn.PublicKeyCredentialRequestOptions:
type: object type: object
properties: properties:
@ -2029,7 +2025,7 @@ components:
example: 60000 example: 60000
rpId: rpId:
type: string type: string
example: auth.example.com example: 'auth.{{ .Domain | default "example.com" }}'
allowCredentials: allowCredentials:
type: array type: array
items: items:
@ -2040,7 +2036,7 @@ components:
properties: properties:
appid: appid:
type: string type: string
example: {{ .BaseURL }} example: '{{ .BaseURL }}'
webauthn.Transports: webauthn.Transports:
type: object type: object
properties: properties:
@ -2195,11 +2191,11 @@ components:
client_id: client_id:
type: string type: string
description: The identifier of the client for the user to provide consent for. description: The identifier of the client for the user to provide consent for.
example: "app" example: 'app'
client_description: client_description:
description: The descriptive name of the client for the user to provide consent for. description: The descriptive name of the client for the user to provide consent for.
type: string type: string
example: "App Platform" example: 'App Platform'
scopes: scopes:
description: The list of the requested scopes for the user to provide consent for. description: The list of the requested scopes for the user to provide consent for.
type: array type: array
@ -2234,11 +2230,11 @@ components:
type: string type: string
format: uuid format: uuid
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4" example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
client_id: client_id:
description: The identifier of the client for the user to provide consent for. description: The identifier of the client for the user to provide consent for.
type: string type: string
example: "app" example: 'app'
consent: consent:
description: Indicates if the user consented to the consent request. description: Indicates if the user consented to the consent request.
type: boolean type: boolean
@ -2261,7 +2257,7 @@ components:
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string type: string
example: "{{ .BaseURL }}api/oidc/authorization" example: '{{ .BaseURL }}api/oidc/authorization'
claims_supported: claims_supported:
description: > description: >
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
@ -2313,7 +2309,7 @@ components:
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
Introspection: https://datatracker.ietf.org/doc/html/rfc7662 Introspection: https://datatracker.ietf.org/doc/html/rfc7662
type: string type: string
example: "{{ .BaseURL }}api/oidc/introspection" example: '{{ .BaseURL }}api/oidc/introspection'
introspection_endpoint_auth_methods_supported: introspection_endpoint_auth_methods_supported:
description: > description: >
JSON array containing a list of client authentication methods supported by this introspection endpoint. The JSON array containing a list of client authentication methods supported by this introspection endpoint. The
@ -2346,7 +2342,7 @@ components:
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
type: string type: string
example: "{{ .BaseURL }}" example: '{{ .BaseURL }}'
jwks_uri: jwks_uri:
description: > description: >
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
@ -2357,7 +2353,7 @@ components:
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
type: string type: string
example: "{{ .BaseURL }}jwks.json" example: '{{ .BaseURL }}jwks.json'
op_policy_uri: op_policy_uri:
description: description:
URL that the OpenID Provider provides to the person registering the Client to read about the OP's URL that the OpenID Provider provides to the person registering the Client to read about the OP's
@ -2375,13 +2371,13 @@ components:
The URL of the pushed authorization request endpoint at which a client can post an authorization request to The URL of the pushed authorization request endpoint at which a client can post an authorization request to
exchange for a "request_uri" value usable at the authorization server. exchange for a "request_uri" value usable at the authorization server.
type: string type: string
example: "{{ .BaseURL }}api/oidc/par" example: '{{ .BaseURL }}api/oidc/par'
registration_endpoint: registration_endpoint:
description: > description: >
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
type: string type: string
example: "{{ .BaseURL }}api/oidc/registration" example: '{{ .BaseURL }}api/oidc/registration'
require_pushed_authorization_requests: require_pushed_authorization_requests:
description: > description: >
Boolean parameter indicating whether the authorization server accepts authorization request data only via Boolean parameter indicating whether the authorization server accepts authorization request data only via
@ -2410,7 +2406,7 @@ components:
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
type: string type: string
example: "{{ .BaseURL }}api/oidc/revocation" example: '{{ .BaseURL }}api/oidc/revocation'
revocation_endpoint_auth_methods_supported: revocation_endpoint_auth_methods_supported:
description: > description: >
JSON array containing a list of client authentication methods supported by this revocation endpoint. The JSON array containing a list of client authentication methods supported by this revocation endpoint. The
@ -2456,7 +2452,7 @@ components:
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
then information on how to register Clients needs to be provided in this documentation. then information on how to register Clients needs to be provided in this documentation.
type: string type: string
example: "https://authelia.com" example: 'https://authelia.com'
subject_types_supported: subject_types_supported:
description: > description: >
JSON array containing a list of the Subject Identifier types that this OP supports. JSON array containing a list of the Subject Identifier types that this OP supports.
@ -2470,7 +2466,7 @@ components:
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string type: string
example: "{{ .BaseURL }}api/oidc/token" example: '{{ .BaseURL }}api/oidc/token'
token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported:
description: > description: >
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
@ -2528,7 +2524,7 @@ components:
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string type: string
example: "{{ .BaseURL }}api/oidc/authorization" example: '{{ .BaseURL }}api/oidc/authorization'
backchannel_logout_session_supported: backchannel_logout_session_supported:
description: > description: >
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
@ -2670,7 +2666,7 @@ components:
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662' Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
type: string type: string
example: "{{ .BaseURL }}api/oidc/introspection" example: '{{ .BaseURL }}api/oidc/introspection'
introspection_endpoint_auth_methods_supported: introspection_endpoint_auth_methods_supported:
description: > description: >
JSON array containing a list of client authentication methods supported by this introspection endpoint. The JSON array containing a list of client authentication methods supported by this introspection endpoint. The
@ -2703,7 +2699,7 @@ components:
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
type: string type: string
example: "{{ .BaseURL }}" example: '{{ .BaseURL }}'
jwks_uri: jwks_uri:
description: > description: >
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
@ -2714,7 +2710,7 @@ components:
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
type: string type: string
example: "{{ .BaseURL }}jwks.json" example: '{{ .BaseURL }}jwks.json'
op_policy_uri: op_policy_uri:
description: > description: >
URL that the OpenID Provider provides to the person registering the Client to read about the OP's URL that the OpenID Provider provides to the person registering the Client to read about the OP's
@ -2732,13 +2728,13 @@ components:
The URL of the pushed authorization request endpoint at which a client can post an authorization request to The URL of the pushed authorization request endpoint at which a client can post an authorization request to
exchange for a "request_uri" value usable at the authorization server. exchange for a "request_uri" value usable at the authorization server.
type: string type: string
example: "{{ .BaseURL }}api/oidc/par" example: '{{ .BaseURL }}api/oidc/par'
registration_endpoint: registration_endpoint:
description: > description: >
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
type: string type: string
example: "{{ .BaseURL }}api/oidc/registration" example: '{{ .BaseURL }}api/oidc/registration'
request_object_encryption_alg_values_supported: request_object_encryption_alg_values_supported:
description: > description: >
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
@ -2809,7 +2805,7 @@ components:
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also: URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
type: string type: string
example: "{{ .BaseURL }}api/oidc/revocation" example: '{{ .BaseURL }}api/oidc/revocation'
revocation_endpoint_auth_methods_supported: revocation_endpoint_auth_methods_supported:
description: > description: >
JSON array containing a list of client authentication methods supported by this revocation endpoint. The JSON array containing a list of client authentication methods supported by this revocation endpoint. The
@ -2856,7 +2852,7 @@ components:
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
then information on how to register Clients needs to be provided in this documentation. then information on how to register Clients needs to be provided in this documentation.
type: string type: string
example: "https://www.authelia.com" example: 'https://www.authelia.com'
subject_types_supported: subject_types_supported:
description: > description: >
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
@ -2870,7 +2866,7 @@ components:
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string type: string
example: "{{ .BaseURL }}api/oidc/token" example: '{{ .BaseURL }}api/oidc/token'
token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported:
description: > description: >
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
@ -2926,7 +2922,7 @@ components:
path, and query parameter components. path, and query parameter components.
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
type: string type: string
example: "{{ .BaseURL }}api/oidc/userinfo" example: '{{ .BaseURL }}api/oidc/userinfo'
userinfo_signing_alg_values_supported: userinfo_signing_alg_values_supported:
description: > description: >
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
@ -3053,7 +3049,7 @@ components:
this is the "refresh_token" value returned from the token endpoint this is the "refresh_token" value returned from the token endpoint
as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
are outside the scope of this specification. are outside the scope of this specification.
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
type: string type: string
token_type_hint: token_type_hint:
description: > description: >
@ -3069,7 +3065,7 @@ components:
enum: enum:
- "access_token" - "access_token"
- "refresh_token" - "refresh_token"
example: "access_token" example: 'access_token'
type: string type: string
openid.spec.AccessRequest.ClientAuth: openid.spec.AccessRequest.ClientAuth:
oneOf: oneOf:
@ -3085,7 +3081,7 @@ components:
description: > description: >
REQUIRED if the client is not authenticating with the authorization server as described in REQUIRED if the client is not authenticating with the authorization server as described in
Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749]. Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
example: "my_client" example: 'my_client'
type: string type: string
openid.spec.AccessRequest.ClientAuth.Secret: openid.spec.AccessRequest.ClientAuth.Secret:
required: required:
@ -3112,7 +3108,7 @@ components:
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer" "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
enum: enum:
- "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" - "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
example: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
type: string type: string
client_assertion_type: client_assertion_type:
description: > description: >
@ -3136,15 +3132,15 @@ components:
type: string type: string
code: code:
description: The Authorization Code. description: The Authorization Code.
example: "authelia_ac_1j2kn3knj12n3kj12n" example: 'authelia_ac_1j2kn3knj12n3kj12n'
type: string type: string
code_verifier: code_verifier:
description: The Authorization Code Verifier (PKCE). description: The Authorization Code Verifier (PKCE).
example: "88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3" example: '88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3'
type: string type: string
redirect_uri: redirect_uri:
description: The original Redirect URI used in the Authorization Request. description: The original Redirect URI used in the Authorization Request.
example: "https://app.example.com/oidc/callback" example: 'https://app.{{ .Domain | default "example.com" }}/oidc/callback'
type: string type: string
openid.spec.AccessRequest.DeviceCodeFlow: openid.spec.AccessRequest.DeviceCodeFlow:
allOf: allOf:
@ -3161,7 +3157,7 @@ components:
type: string type: string
device_code: device_code:
description: The Device Authorization Code. description: The Device Authorization Code.
example: "authelia_dc_mn123kjn12kj3123njk" example: 'authelia_dc_mn123kjn12kj3123njk'
type: string type: string
openid.spec.AccessRequest.RefreshTokenFlow: openid.spec.AccessRequest.RefreshTokenFlow:
allOf: allOf:
@ -3178,7 +3174,7 @@ components:
type: string type: string
refresh_token: refresh_token:
description: The Refresh Token. description: The Refresh Token.
example: "authelia_rt_1n2j3kihn12kj3n12k" example: 'authelia_rt_1n2j3kihn12kj3n12k'
type: string type: string
scope: scope:
description: > description: >
@ -3187,7 +3183,7 @@ components:
not originally granted by the resource owner, and if omitted is not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the treated as equal to the scope originally granted by the
resource owner. resource owner.
example: "openid profile groups" example: 'openid profile groups'
type: string type: string
openid.spec.AccessResponse: openid.spec.AccessResponse:
type: object type: object
@ -3198,17 +3194,17 @@ components:
properties: properties:
access_token: access_token:
description: The access token issued by the authorization server. description: The access token issued by the authorization server.
example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
type: string type: string
id_token: id_token:
description: The id token issued by the authorization server. description: The id token issued by the authorization server.
example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
type: string type: string
refresh_token: refresh_token:
description: > description: >
The refresh token, which can be used to obtain new access tokens using the The refresh token, which can be used to obtain new access tokens using the
same authorization grant as described in Section 6. same authorization grant as described in Section 6.
example: "authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i" example: 'authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i'
type: string type: string
token_type: token_type:
description: > description: >
@ -3219,7 +3215,7 @@ components:
type. type.
enum: enum:
- "bearer" - "bearer"
example: "bearer" example: 'bearer'
type: string type: string
expires_in: expires_in:
description: > description: >
@ -3232,12 +3228,12 @@ components:
type: integer type: integer
state: state:
description: Exactly the state value passed in the authorization request if present. description: Exactly the state value passed in the authorization request if present.
example: "5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB" example: '5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB'
type: string type: string
scope: scope:
description: > description: >
The scope of the access token as described by Section 3.3 if it differs from the requested scope. The scope of the access token as described by Section 3.3 if it differs from the requested scope.
example: "openid profile groups" example: 'openid profile groups'
type: string type: string
openid.spec.AuthorizeRequest: openid.spec.AuthorizeRequest:
type: object type: object
@ -3249,13 +3245,13 @@ components:
properties: properties:
scope: scope:
description: The requested scope. description: The requested scope.
example: "openid profile groups" example: 'openid profile groups'
type: string type: string
response_type: response_type:
$ref: '#/components/schemas/openid.spec.ResponseType' $ref: '#/components/schemas/openid.spec.ResponseType'
client_id: client_id:
description: The OAuth 2.0 client identifier. description: The OAuth 2.0 client identifier.
example: "app" example: 'app'
type: string type: string
redirect_uri: redirect_uri:
description: > description: >
@ -3266,14 +3262,14 @@ components:
that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
scheme, such as one that is intended to identify a callback into a native application. scheme, such as one that is intended to identify a callback into a native application.
example: "https://app.example.com" example: 'https://app.{{ .Domain | default "example.com" }}'
type: string type: string
state: state:
description: > description: >
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
parameter with a browser cookie. parameter with a browser cookie.
example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f" example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
type: string type: string
response_mode: response_mode:
$ref: '#/components/schemas/openid.spec.ResponseMode' $ref: '#/components/schemas/openid.spec.ResponseMode'
@ -3283,7 +3279,7 @@ components:
The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
entropy MUST be present in the nonce values used to prevent attackers from guessing values. For entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
implementation notes, see Section 15.5.2. implementation notes, see Section 15.5.2.
example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf" example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
type: string type: string
display: display:
$ref: '#/components/schemas/openid.spec.DisplayType' $ref: '#/components/schemas/openid.spec.DisplayType'
@ -3299,7 +3295,7 @@ components:
- "login consent" - "login consent"
- "login select_account" - "login select_account"
- "consent select_account" - "consent select_account"
example: "consent" example: 'consent'
type: string type: string
max_age: max_age:
description: > description: >
@ -3399,7 +3395,7 @@ components:
- "popup" - "popup"
- "touch" - "touch"
- "wap" - "wap"
example: "page" example: 'page'
type: string type: string
openid.spec.ResponseType: openid.spec.ResponseType:
description: The OAuth 2.0 / OpenID Connect 1.0 Response Type. description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
@ -3412,7 +3408,7 @@ components:
- "token id_token" - "token id_token"
- "code id_token token" - "code id_token token"
- "none" - "none"
example: "code" example: 'code'
type: string type: string
openid.spec.ResponseMode: openid.spec.ResponseMode:
description: > description: >
@ -3423,7 +3419,7 @@ components:
- "query" - "query"
- "fragment" - "fragment"
- "form_post" - "form_post"
example: "query" example: 'query'
type: string type: string
openid.spec.GrantType: openid.spec.GrantType:
description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type. description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
@ -3434,14 +3430,14 @@ components:
- "password" - "password"
- "client_credentials" - "client_credentials"
- "urn:ietf:params:oauth:grant-type:device_code" - "urn:ietf:params:oauth:grant-type:device_code"
example: "authorization_code" example: 'authorization_code'
type: string type: string
openid.spec.CodeChallengeMethod: openid.spec.CodeChallengeMethod:
description: The RFC7636 Code Challenge Verifier Method. description: The RFC7636 Code Challenge Verifier Method.
enum: enum:
- "plain" - "plain"
- "S256" - "S256"
example: "S256" example: 'S256'
type: string type: string
openid.spec.ClaimType: openid.spec.ClaimType:
description: The representation of claims. description: The representation of claims.
@ -3449,7 +3445,7 @@ components:
- "normal" - "normal"
- "aggregated" - "aggregated"
- "distributed" - "distributed"
example: "normal" example: 'normal'
type: string type: string
jose.spec.None: jose.spec.None:
description: The JSON Web Signature Algorithm description: The JSON Web Signature Algorithm
@ -3522,7 +3518,7 @@ components:
enum: enum:
- "sig" - "sig"
- "enc" - "enc"
example: "sig" example: 'sig'
type: string type: string
key_ops: key_ops:
description: > description: >
@ -3624,13 +3620,13 @@ components:
The "kty" (key type) parameter identifies the cryptographic algorithm The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key. family used with the key.
type: string type: string
example: "RSA" example: 'RSA'
enum: enum:
- "RSA" - "RSA"
alg: alg:
description: The JSON Web Signature Algorithm description: The JSON Web Signature Algorithm
type: string type: string
example: "RS256" example: 'RS256'
enum: enum:
- "RS256" - "RS256"
- "RS384" - "RS384"
@ -3741,13 +3737,13 @@ components:
The "kty" (key type) parameter identifies the cryptographic algorithm The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key. family used with the key.
type: string type: string
example: "EC" example: 'EC'
enum: enum:
- "EC" - "EC"
alg: alg:
description: The JSON Web Signature Algorithm description: The JSON Web Signature Algorithm
type: string type: string
example: "ES256" example: 'ES256'
enum: enum:
- "ES256" - "ES256"
- "ES384" - "ES384"
@ -3771,7 +3767,7 @@ components:
The curve parameter identifies the cryptographic curve used with the key. Curve The curve parameter identifies the cryptographic curve used with the key. Curve
values from [DSS] used by this specification. values from [DSS] used by this specification.
type: string type: string
example: "P-521" example: 'P-521'
enum: enum:
- "P-256" - "P-256"
- "P-384" - "P-384"
@ -3811,7 +3807,7 @@ components:
The "kty" (key type) parameter identifies the cryptographic algorithm The "kty" (key type) parameter identifies the cryptographic algorithm
family used with the key. family used with the key.
type: string type: string
example: "oct" example: 'oct'
enum: enum:
- "oct" - "oct"
k: k:


@ -9,7 +9,6 @@ import (
"io" "io"
"net/http" "net/http"
"os" "os"
"path"
"strconv" "strconv"
"strings" "strings"
"testing" "testing"
@ -26,12 +25,6 @@ import (
"github.com/authelia/authelia/v4/internal/utils" "github.com/authelia/authelia/v4/internal/utils"
) )
func Test(t *testing.T) {
fmt.Println(path.Join("/api/authz/", "abc"))
fmt.Println(path.Join("/api/authz/", "abc/123/", "{path:*}"))
fmt.Println(path.Join("/api/authz/", "abc/123/"))
}
// TemporaryCertificate contains the FD of 2 temporary files containing the PEM format of the certificate and private key. // TemporaryCertificate contains the FD of 2 temporary files containing the PEM format of the certificate and private key.
type TemporaryCertificate struct { type TemporaryCertificate struct {
CertFile *os.File CertFile *os.File


@ -76,7 +76,9 @@ func TestShouldTemplateOpenAPI(t *testing.T) {
handler(mock.Ctx) handler(mock.Ctx)
assert.Equal(t, fasthttp.StatusOK, mock.Ctx.Response.StatusCode()) assert.Equal(t, fasthttp.StatusOK, mock.Ctx.Response.StatusCode())
assert.NotEqual(t, "", string(mock.Ctx.Response.Body()))
assert.Contains(t, string(mock.Ctx.Response.Body()), "example: https://auth.example.com/?rd=https%3A%2F%2Fexample.com&rm=GET") body := string(mock.Ctx.Response.Body())
assert.NotEqual(t, "", body)
assert.Contains(t, body, "example: 'https://auth.example.com/?rd=https%3A%2F%2Fexample.com%2F&rm=GET'")
} }
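Review bot: The tightened assertion at the end of TestShouldTemplateOpenAPI still only proves the rendered body contains one substring, so the template's switch from double- to single-quoted YAML scalars and the newly interpolated `{{ .Domain }}` / `{{ .BaseURL }}` example values are never checked for producing a document that actually parses. A cheap guard is to decode the body before the substring check, e.g. `var spec map[string]any` followed by `require.NoError(t, yaml.Unmarshal(mock.Ctx.Response.Body(), &spec))`, using whichever YAML package the module already depends on. The interpolated values come from operator configuration rather than request input, so the exposure is low, but a single quote in `BaseURL` would silently yield a spec that every consuming client rejects. The function's signature lies outside the hunk; only its closing brace is visible here.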