diff --git a/api/openapi.yml b/api/openapi.yml index 15443a24e..f0f991d1d 100644 --- a/api/openapi.yml +++ b/api/openapi.yml @@ -1,5 +1,6 @@ +# yamllint disable rule:line-length --- -openapi: 3.0.0 +openapi: 3.0.3 info: title: Authelia API description: > @@ -7,12 +8,15 @@ info: sign-on (SSO) for your applications via a web portal. contact: name: Authelia Support - url: https://github.com/authelia/authelia#contact-options + url: https://www.authelia.com/contact/ email: team@authelia.com license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0 version: 1.0.0 +servers: + - url: "{{ .BaseURL }}" + description: Authelia API tags: - name: State description: Configuration, health and state endpoints @@ -24,6 +28,12 @@ tags: description: User configuration endpoints - name: Second Factor description: TOTP, Webauthn and Duo endpoints + externalDocs: + url: https://www.authelia.com/configuration/second-factor/introduction/ + - name: OpenID Connect 1.0 + description: OpenID Connect 1.0 and OAuth 2.0 Endpoints + externalDocs: + url: https://www.authelia.com/integration/openid-connect/introduction/ paths: /api/configuration: get: @@ -596,7 +606,7 @@ paths: tags: - Second Factor summary: Second Factor Authentication - Duo Mobile Push - description: This endpoint retreives a users available devices and capabilities from Duo. + description: This endpoint retrieves a users available devices and capabilities from Duo. responses: "200": description: Successful Operation 
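Review bot: The file-wide `# yamllint disable rule:line-length` added in the first hunk replaces the two targeted `# yamllint disable-line rule:line-length` markers that later hunks in this diff remove (the `otpauth_url` and `token` examples), so every future overlong line in this file is now unchecked rather than only those two unbreakable example values. If the intent is just to allow the long spec-quoted descriptions, keeping the per-line markers, or raising `max` for this file in the yamllint configuration, keeps the lint signal for everything else.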
@@ -631,6 +641,520 @@ paths: description: Unauthorized security: - authelia_auth: [] + /.well-known/openid-configuration: + get: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect Discovery 1.0 Document + description: > + This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for + an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html. + responses: + "200": + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration' + "400": + description: Bad Request + "500": + description: Internal Server Error + /.well-known/oauth-authorization-server: + get: + tags: + - OpenID Connect 1.0 + summary: OAuth 2.0 Authorization Server Metadata + description: > + This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to + perform discovery for an OAuth 2.0 Authorization Server. See https://www.rfc-editor.org/rfc/rfc8414. + responses: + "200": + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer' + "400": + description: Bad Request + "500": + description: Internal Server Error + /jwks.json: + get: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 JSON Web Key Set Document + description: > + This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate + information from this OpenID Connect 1.0 Provider. + responses: + "200": + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/jose.spec.JWKs' + /api/oidc/authorization: + get: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 Authorization Endpoint + description: > + This endpoint performs OpenID Connect 1.0 Authorization. + parameters: + - in: query + name: id + required: false + description: The OpenID Connect 1.0 consent workflow ID. 
+ schema: + type: string + format: uuid + pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' + example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4" + - in: query + name: scope + description: The requested scope. + required: true + schema: + type: string + example: "openid profile groups" + - in: query + name: response_type + description: The OAuth 2.0 response type. + required: true + schema: + $ref: '#/components/schemas/openid.spec.ResponseType' + - in: query + name: client_id + description: The OAuth 2.0 client identifier. + required: true + schema: + type: string + example: "app" + - in: query + name: redirect_uri + description: > + Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI + values for the Client pre-registered at the OpenID Provider, with the matching performed as described in + Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use + the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as + defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this + case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback + into a native application. + required: true + schema: + type: string + example: "https://app.example.com" + - in: query + name: state + description: > + Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request + Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a + browser cookie. + required: false + schema: + type: string + example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f" + - in: query + name: response_mode + description: > + Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization + Endpoint. 
This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is + the default mode specified for the Response Type. + required: false + schema: + $ref: '#/components/schemas/openid.spec.ResponseMode' + - in: query + name: nonce + description: > + String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value + is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be + present in the nonce values used to prevent attackers from guessing values. For implementation notes, see + Section 15.5.2. + required: false + schema: + type: string + example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf" + - in: query + name: display + description: > + Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication + and consent user interface pages to the End-User. + required: false + schema: + $ref: '#/components/schemas/openid.spec.DisplayType' + - in: query + name: prompt + description: > + Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the + Authorization Server prompts the End-User for reauthentication and consent. + required: false + schema: + type: string + - in: query + name: max_age + description: > + Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User + was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to + actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE + [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an + auth_time Claim Value. 
+ required: false + schema: + type: integer + example: 3600 + - in: query + name: ui_locales + description: > + Not Supported: End-User's preferred languages and scripts for the user interface, represented as a + space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value + "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region + designation), followed by English (without a region designation). An error SHOULD NOT result if some or all + of the requested locales are not supported by the OpenID Provider. + required: false + schema: + type: string + example: "en-US" + - in: query + name: claims_locales + description: > + Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a + space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT + result if some or all of the requested locales are not supported by the OpenID Provider. + required: false + schema: + type: string + example: "en-US" + - in: query + name: id_token_hint + required: false + description: > + Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the + End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token + is logged in or is logged in by the request, then the Authorization Server returns a positive response; + otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be + present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the + server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need + not be listed as an audience of the ID Token when it is used as an id_token_hint value. 
If the ID Token + received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the + signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to + the Authentication Server using a key that enables the server to decrypt the ID Token, and use the + re-encrypted ID token as the id_token_hint value. + schema: + type: string + - in: query + name: login_hint + description: > + Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in + (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address + (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. + It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone + number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's + discretion. + required: false + schema: + type: string + - in: query + name: acr_values + description: > + Not Supported: Requested Authentication Context Class Reference values. Space-separated string that + specifies the acr values that the Authorization Server is being requested to use for processing this + Authentication Request, with the values appearing in order of preference. The Authentication Context Class + satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. + The acr Claim is requested as a Voluntary Claim by this parameter. + required: false + schema: + type: string + - in: query + name: claims + description: > + Not Supported: The claims parameter value, as specified in Section 5.5. 
+ required: false + schema: + type: string + - in: query + name: registration + description: > + Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP + that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1. + required: false + schema: + type: string + - in: query + name: request + description: > + Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to + the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this + Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only + supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5. + required: false + schema: + type: string + - in: query + name: code_challenge + description: > + RFC7636 Code Challenge. + required: false + schema: + type: string + - in: query + name: code_challenge_method + required: false + description: > + RFC7636 Code Challenge Method. defaults to "plain" if not present in the request. + Code verifier transformation method is "S256" or "plain". + schema: + $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' + responses: + "200": + description: OK + content: + text/html: + schema: + type: string + description: The Form Post Response Mode content. + "303": + description: See Other + headers: + Location: + schema: + type: string + description: > + Redirection location for the consent flow, or the authorization response callback location when using + the Query or Fragment Response Modes. + "400": + description: Bad Request + "500": + description: Internal Server Error + post: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 Authorization Endpoint + description: > + This endpoint performs OpenID Connect 1.0 Authorization. + requestBody: + description: Authorize Request Parameters. 
+ required: true + content: + application/x-www-form-urlencoded: + schema: + $ref: '#/components/schemas/openid.spec.AuthorizeRequest' + responses: + "200": + description: OK + content: + text/html: + schema: + type: string + description: The Form Post Response Mode content. + "303": + description: See Other + headers: + Location: + schema: + type: string + description: > + Redirection location for the consent flow, or the authorization response callback location when using + the Query or Fragment Response Modes. + "400": + description: Bad Request + "500": + description: Internal Server Error + security: + - authelia_auth: [] + /api/oidc/token: + post: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 Token Endpoint + description: > + This endpoint performs OpenID Connect 1.0 Token Access Requests. + requestBody: + description: Access Request Parameters. + required: true + content: + application/x-www-form-urlencoded: + schema: + oneOf: + - $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow' + - $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow' + - $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow' + responses: + "200": + description: OK + content: + application/json: + schema: + oneOf: + - $ref: '#/components/schemas/openid.spec.AccessResponse' + "401": + description: Forbidden + "403": + description: Unauthorized + "500": + description: Internal Server Error + security: + - openid: [] + /api/oidc/revocation: + post: + tags: + - OpenID Connect 1.0 + summary: OAuth 2.0 Token Revocation Endpoint + description: > + This endpoint performs OAuth 2.0 Token Revocation Requests. + requestBody: + description: Required OAuth 2.0 revocation parameters. 
+ required: true + content: + application/x-www-form-urlencoded: + schema: + $ref: '#/components/schemas/openid.spec.IntrospectionRequest' + responses: + "200": + description: OK + "401": + description: Forbidden + "403": + description: Unauthorized + "500": + description: Internal Server Error + security: + - openid: [] + /api/oidc/introspection: + post: + tags: + - OpenID Connect 1.0 + summary: OAuth 2.0 Token Introspection Endpoint + description: > + This endpoint performs OAuth 2.0 Token Introspection Requests. + requestBody: + description: Required OAuth 2.0 introspection parameters. + required: true + content: + application/x-www-form-urlencoded: + schema: + $ref: '#/components/schemas/openid.spec.IntrospectionRequest' + responses: + "200": + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/openid.implementation.Claims.Object' + "401": + description: Forbidden + "403": + description: Unauthorized + "500": + description: Internal Server Error + security: + - openid: [] + /api/oidc/userinfo: + get: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 UserInfo Endpoint + description: > + This endpoint performs OpenID Connect 1.0 UserInfo Access Requests. + parameters: + - in: query + name: access_token + description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. + schema: + type: string + example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" + responses: + "200": + description: OK + content: + application/jwt: {} + application/json: + schema: + $ref: '#/components/schemas/openid.implementation.Claims.Object' + "401": + description: Forbidden + "403": + description: Unauthorized + "500": + description: Internal Server Error + security: + - openid: [] + post: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 UserInfo Endpoint + description: > + This endpoint performs OpenID Connect 1.0 UserInfo Access Requests. 
+ parameters: + - in: query + name: access_token + description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. + schema: + type: string + example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + access_token: + description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. + type: string + example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" + responses: + "200": + description: OK + content: + application/jwt: {} + application/json: + schema: + $ref: '#/components/schemas/openid.implementation.Claims.Object' + "401": + description: Forbidden + "403": + description: Unauthorized + "500": + description: Internal Server Error + security: + - openid: [] + /api/oidc/consent: + get: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 Consent Information + description: > + This endpoint retrieves the consent information about a specific consent ID during the consent workflow. + parameters: + - $ref: '#/components/parameters/idRequiredParam' + responses: + "200": + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/openid.request.consent' + "403": + description: Forbidden + security: + - authelia_auth: [] + post: + tags: + - OpenID Connect 1.0 + summary: OpenID Connect 1.0 Consent Response + description: > + This endpoint retrieves the consent response for a specific consent ID during the consent workflow. + responses: + "200": + description: OK + content: + application/json: + schema: + $ref: '#/components/schemas/openid.response.consent' + "403": + description: Forbidden + security: + - authelia_auth: [] components: parameters: originalURLParam: 
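Review bot: The 401 and 403 response descriptions are swapped under `/api/oidc/token` (`"401": description: Forbidden`, `"403": description: Unauthorized`); 401 is Unauthorized and 403 is Forbidden, and the same swapped pair repeats verbatim in the `/api/oidc/revocation`, `/api/oidc/introspection` and both `/api/oidc/userinfo` operations, so each needs `"401": description: Unauthorized` and `"403": description: Forbidden`. Separately, `/api/oidc/userinfo` documents `access_token` only as a query parameter (and as a form field on POST); RFC 6750 §2.3 discourages the query form because the token then lands in server logs and referrers, so the parameter description should state that the `Authorization: Bearer` header (presumably what the `openid` security requirement denotes, its scheme definition is outside this hunk) is the preferred transport. Finally, the `/api/oidc/consent` POST declares no `requestBody` although its description says it handles the consent response; if the body is the `openid.response.consent` shape, it should be declared so clients know what to send.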
@@ -676,6 +1200,13 @@ components: schema: type: string enum: ["basic"] + idRequiredParam: + name: id + in: query + description: The ID of what is being requested + required: true + schema: + type: string schemas: handlers.checkURIWithinDomainRequestBody: type: object @@ -805,7 +1336,9 @@ components: example: openid_connect workflowID: type: string - example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c + format: uuid + pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' + example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" requestMethod: type: string example: GET @@ -871,7 +1404,9 @@ components: example: openid_connect workflowID: type: string - example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c + format: uuid + pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' + example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" handlers.bodySignTOTPRequest: type: object properties: @@ -886,7 +1421,9 @@ components: example: openid_connect workflowID: type: string - example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c + format: uuid + pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' + example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" handlers.StateResponse: type: object properties: @@ -919,7 +1456,7 @@ components: example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q otpauth_url: type: string - example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q # yamllint disable-line rule:line-length + example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q handlers.UserInfo: type: object properties: 
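Review bot: `idRequiredParam` is the consent-ID query parameter used by `/api/oidc/consent`, yet it is typed as a plain string with the vague description `The ID of what is being requested`, while the same commit adds `format: uuid` and a UUID `pattern` to every `workflowID` and to the inline `id` parameter of `/api/oidc/authorization`. For consistency give it the same constraints: `description: The OpenID Connect 1.0 consent session ID.`, `format: uuid`, and the same `pattern` string. As a point of style, that pattern is now copied verbatim into several schemas and parameters across this diff (including the three `workflowID` hunks here and the one in the following region); a single reusable schema under `components/schemas` referenced with `$ref` would keep the copies from drifting.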
@@ -995,7 +1532,7 @@ components: properties: token: type: string - example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY # yamllint disable-line rule:line-length + example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY middlewares.OkResponse: type: object properties: @@ -1072,7 +1609,9 @@ components: example: openid_connect workflowID: type: string - example: 3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c + format: uuid + pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' + example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" webauthn.PublicKeyCredentialCreationOptions: type: object properties: 
@@ -1300,9 +1839,1608 @@ components: written: type: boolean example: false + openid.request.consent: + type: object + properties: + status: + type: string + example: OK + data: + type: object + properties: + client_id: + type: string + description: The identifier of the client for the user to provide consent for. + example: "app" + client_description: + description: The descriptive name of the client for the user to provide consent for. + type: string + example: "App Platform" + scopes: + description: The list of the requested scopes for the user to provide consent for. + type: array + items: + type: string + enum: + - "openid" + - "offline_access" + - "groups" + - "email" + - "profile" + audience: + description: The list of the requested audiences for the user to provide consent for. + type: array + items: + type: string + pre_configuration: + description: Indicates if this client supports pre-configuration. + type: boolean + example: true + openid.response.consent: + type: object + properties: + status: + type: string + example: OK + data: + type: object + properties: + id: + description: The identifier of the consent session. + type: string + format: uuid + pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' + example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4" + client_id: + description: The identifier of the client for the user to provide consent for. + type: string + example: "app" + consent: + description: Indicates if the user consented to the consent request. + type: boolean + example: true + pre_configure: + description: Indicates if the user consented to pre-configuration. 
+ type: boolean + example: true + openid.spec.Metadata.OAuth2AuthorizationServer: + type: object + required: + - issuer + - authorization_endpoint + - subject_types_supported + - response_types_supported + - require_pushed_authorization_requests + properties: + authorization_endpoint: + description: > + URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. + See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html + type: string + example: "{{ .BaseURL }}api/oidc/authorization" + claims_supported: + description: > + JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply + values for. Note that for privacy or other reasons, this might not be an exhaustive list. + type: array + example: + - "amr" + - "aud" + - "azp" + - "client_id" + - "exp" + - "iat" + - "iss" + - "jti" + - "rat" + - "sub" + - "auth_time" + - "nonce" + - "email" + - "email_verified" + - "alt_emails" + - "groups" + - "preferred_username" + - "name" + items: + $ref: '#/components/schemas/openid.implementation.Claims.Array' + code_challenge_methods_supported: + description: > + JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization + server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section + 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code + Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support + PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml + type: array + example: ["S256", "none"] + items: + $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' + grant_types_supported: + type: array + description: > + JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. 
Dynamic OpenID + Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant + Types. If omitted, the default value is ["authorization_code", "implicit"]. + example: ["authorization_code", "implicit"] + items: + $ref: '#/components/schemas/openid.spec.GrantType' + introspection_endpoint: + description: > + URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token + Introspection: https://datatracker.ietf.org/doc/html/rfc7662 + type: string + example: "{{ .BaseURL }}api/oidc/introspection" + introspection_endpoint_auth_methods_supported: + description: > + JSON array containing a list of client authentication methods supported by this introspection endpoint. The + valid client authentication method values are those registered in the IANA "OAuth Token Endpoint + Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token + Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If + omitted, the set of supported authentication methods MUST be determined by other means. See Also: + IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml + OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: + https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2 + type: array + example: ["client_secret_post"] + items: + $ref: '#/components/schemas/openid.spec.ClientAuthMethod' + introspection_endpoint_auth_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection + endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint + for the "private_key_jwt" and "client_secret_jwt" authentication methods. 
This metadata entry MUST be + present if either of these authentication methods are specified in the + "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is + omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.jws' + issuer: + description: + URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. + If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned + by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. + type: string + example: "{{ .BaseURL }}" + jwks_uri: + description: > + URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate + signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs + to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) + parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. + Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT + RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of + keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. + type: string + example: "{{ .BaseURL }}jwks.json" + op_policy_uri: + description: + URL that the OpenID Provider provides to the person registering the Client to read about the OP's + requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD + display this URL to the person registering the Client if it is given. 
+ type: string + op_tos_uri: + description: > + URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's + terms of service. The registration process SHOULD display this URL to the person registering the Client if + it is given. + type: string + pushed_authorization_request_endpoint: + description: > + The URL of the pushed authorization request endpoint at which a client can post an authorization request to + exchange for a "request_uri" value usable at the authorization server. + type: string + example: "{{ .BaseURL }}api/oidc/par" + registration_endpoint: + description: > + URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: + OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 + type: string + example: "{{ .BaseURL }}api/oidc/registration" + require_pushed_authorization_requests: + description: > + Boolean parameter indicating whether the authorization server accepts authorization request data only via + PAR. If omitted, the default value is "false". + type: boolean + example: false + response_modes_supported: + description: > + JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in + OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic + OpenID Providers is ["query", "fragment"]. + type: array + example: ["query", "fragment"] + items: + $ref: '#/components/schemas/openid.spec.ResponseMode' + response_types_supported: + description: > + JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. + Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. 
+ type: array + example: ["code", "id_token", "token id_token"] + items: + $ref: '#/components/schemas/openid.spec.ResponseType' + revocation_endpoint: + description: > + URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. + See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 + type: string + example: "{{ .BaseURL }}api/oidc/revocation" + revocation_endpoint_auth_methods_supported: + description: > + JSON array containing a list of client authentication methods supported by this revocation endpoint. The + valid client authentication method values are those registered in the IANA "OAuth Token Endpoint + Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" + -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also: + IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml + OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 + type: array + example: ["client_secret_post"] + items: + $ref: '#/components/schemas/openid.spec.ClientAuthMethod' + revocation_endpoint_auth_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation + endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for + the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if + either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" + entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. 
+ See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.jws' + scopes_supported: + description: > + JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server + MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even + when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported. + See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html + type: array + example: + - "openid" + - "offline_access" + - "profile" + - "email" + - "groups" + items: + $ref: '#/components/schemas/openid.implementation.Scopes.Object' + service_documentation: + description: > + URL of a page containing human-readable information that developers might want or need to know when using + the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, + then information on how to register Clients needs to be provided in this documentation. + type: string + example: "https://authelia.com" + subject_types_supported: + description: > + JSON array containing a list of the Subject Identifier types that this OP supports. + Valid types include pairwise and public. + type: array + example: ["public", "pairwise"] + items: + $ref: '#/components/schemas/openid.spec.SubjectIdentifier' + token_endpoint: + description: > + URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is + used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html + type: string + example: "{{ .BaseURL }}api/oidc/token" + token_endpoint_auth_methods_supported: + description: > + JSON array containing a list of Client Authentication methods supported by this Token Endpoint. 
The options + are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section + 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If + omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section + 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 + OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication + type: array + example: ["client_secret_post"] + items: + $ref: '#/components/schemas/openid.spec.ClientAuthMethod' + token_endpoint_auth_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for + the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt + and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used. + See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519' + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.jws' + ui_locales_supported: + type: array + description: > + Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] + language tag values. 
See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 + example: ["en-US"] + items: + type: string + openid.spec.Metadata.OpenIDConfiguration: + type: object + required: + - "issuer" + - "authorization_endpoint" + - "subject_types_supported" + - "response_types_supported" + - "require_pushed_authorization_requests" + - "request_uri_parameter_supported" + - "require_request_uri_registration" + - "claims_parameter_supported" + - "frontchannel_logout_supported" + - "frontchannel_logout_session_supported" + - "backchannel_logout_supported" + - "backchannel_logout_session_supported" + properties: + acr_values_supported: + description: + JSON array containing a list of the Authentication Context Class References that this OP supports. + type: array + items: + type: string + authorization_endpoint: + description: > + URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. + See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html + type: string + example: "{{ .BaseURL }}api/oidc/authorization" + backchannel_logout_session_supported: + description: > + Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify + the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP. + If omitted, the default value is false. + type: boolean + example: false + backchannel_logout_supported: + description: > + Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If + omitted, the default value is false. + type: boolean + example: false + claim_types_supported: + description: > + JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are + described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are + normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. 
See Also: + OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes + type: array + example: ["normal"] + items: + $ref: '#/components/schemas/openid.spec.ClaimType' + claims_locales_supported: + description: > + Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 + [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values. + See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 + type: array + example: ["en-US"] + items: + type: string + claims_parameter_supported: + description: > + Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. + If omitted, the default value is false. + type: boolean + example: false + claims_supported: + description: > + JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply + values for. Note that for privacy or other reasons, this might not be an exhaustive list. + type: array + example: + - "amr" + - "aud" + - "azp" + - "client_id" + - "exp" + - "iat" + - "iss" + - "jti" + - "rat" + - "sub" + - "auth_time" + - "nonce" + - "email" + - "email_verified" + - "alt_emails" + - "groups" + - "preferred_username" + - "name" + items: + $ref: '#/components/schemas/openid.implementation.Claims.Array' + code_challenge_methods_supported: + description: > + JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization + server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section + 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code + Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support + PKCE. 
See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: + https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml + type: array + example: ["S256", "plain"] + items: + $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' + display_values_supported: + description: > + JSON array containing a list of the display parameter values that the OpenID Provider supports. These values + are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section + 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest + type: array + example: ["page"] + items: + $ref: '#/components/schemas/openid.spec.DisplayType' + frontchannel_logout_session_supported: + description: > + Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to + identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is + also included in ID Tokens issued by the OP. If omitted, the default value is false. + type: boolean + example: false + frontchannel_logout_supported: + description: > + Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If + omitted, the default value is false. + type: boolean + example: false + grant_types_supported: + description: > + JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID + Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant + Types. If omitted, the default value is ["authorization_code", "implicit"]. + type: array + example: ["authorization_code", "implicit"] + items: + $ref: '#/components/schemas/openid.spec.GrantType' + id_token_encryption_alg_values_supported: + description: > + JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID + Token to encode the Claims in a JWT [JWT]. 
See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT: + https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["A256GCMKW"] + items: + $ref: '#/components/schemas/jose.spec.JWE.alg' + id_token_encryption_enc_values_supported: + description: > + JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID + Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 + JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["A256GCM"] + items: + $ref: '#/components/schemas/jose.spec.JWE.enc' + id_token_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token + to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, + but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint + (such as when using the Authorization Code Flow). + See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.JWS.None' + introspection_endpoint: + description: > + URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 + Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662' + type: string + example: "{{ .BaseURL }}api/oidc/introspection" + introspection_endpoint_auth_methods_supported: + description: > + JSON array containing a list of client authentication methods supported by this introspection endpoint. The + valid client authentication method values are those registered in the IANA "OAuth Token Endpoint + Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access + Token Types" registry [IANA.OAuth.Parameters]. 
(These values are and will remain distinct, due to Section + 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also: + IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml + OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: + https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2 + type: array + example: ["client_secret_post"] + items: + $ref: '#/components/schemas/openid.spec.ClientAuthMethod' + introspection_endpoint_auth_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection + endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint + for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be + present if either of these authentication methods are specified in the + "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is + omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.jws' + issuer: + description: > + URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. + If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned + by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. + type: string + example: "{{ .BaseURL }}" + jwks_uri: + description: > + URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate + signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs + to encrypt requests to the Server. 
When both signing and encryption keys are made available, a use (Key Use) + parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. + Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT + RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of + keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. + type: string + example: "{{ .BaseURL }}jwks.json" + op_policy_uri: + description: > + URL that the OpenID Provider provides to the person registering the Client to read about the OP's + requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD + display this URL to the person registering the Client if it is given. + type: string + op_tos_uri: + description: > + URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's + terms of service. The registration process SHOULD display this URL to the person registering the Client + if it is given. + type: string + pushed_authorization_request_endpoint: + description: > + The URL of the pushed authorization request endpoint at which a client can post an authorization request to + exchange for a "request_uri" value usable at the authorization server. + type: string + example: "{{ .BaseURL }}api/oidc/par" + registration_endpoint: + description: > + URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: + OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 + type: string + example: "{{ .BaseURL }}api/oidc/registration" + request_object_encryption_alg_values_supported: + description: > + JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request + Objects. 
These algorithms are used both when the Request Object is passed by value and when it is passed by + reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 + type: array + example: ["A256GCMKW"] + items: + $ref: '#/components/schemas/jose.spec.JWE.alg' + request_object_encryption_enc_values_supported: + description: > + JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request + Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by + reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 + JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["A256GCM"] + items: + $ref: '#/components/schemas/jose.spec.JWE.enc' + request_object_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request + Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are + used both when the Request Object is passed by value (using the request parameter) and when it is passed by + reference (using the request_uri parameter). Servers SHOULD support none and RS256. + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.JWS.None' + request_uri_parameter_supported: + description: > + Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating + support. If omitted, the default value is true. + type: boolean + example: true + require_pushed_authorization_requests: + description: > + Boolean parameter indicating whether the authorization server accepts authorization request data only via + PAR. If omitted, the default value is "false". 
+ type: boolean + example: false + require_request_uri_registration: + description: > + Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the + request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the + default value is false. + type: boolean + example: false + response_modes_supported: + description: > + JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in + OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic + OpenID Providers is ["query", "fragment"]. + type: array + example: ["query", "fragment"] + items: + $ref: '#/components/schemas/openid.spec.ResponseMode' + response_types_supported: + description: > + JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID + Providers MUST support the code, id_token, and the token id_token Response Type values. + type: array + example: ["code", "id_token", "token id_token"] + items: + $ref: '#/components/schemas/openid.spec.ResponseType' + revocation_endpoint: + description: > + URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also: + OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 + type: string + example: "{{ .BaseURL }}api/oidc/revocation" + revocation_endpoint_auth_methods_supported: + description: > + JSON array containing a list of client authentication methods supported by this revocation endpoint. The + valid client authentication method values are those registered in the IANA "OAuth Token Endpoint + Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" + -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. 
+ See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml + OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 + type: array + example: ["client_secret_basic"] + items: + $ref: '#/components/schemas/openid.spec.ClientAuthMethod' + revocation_endpoint_auth_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation + endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for + the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if + either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" + entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. + See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.jws' + scopes_supported: + description: > + JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. + The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope + values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if + supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: + https://openid.net/specs/openid-connect-core-1_0.html + type: array + example: + - "openid" + - "offline_access" + - "profile" + - "email" + - "groups" + items: + $ref: '#/components/schemas/openid.implementation.Scopes.Object' + service_documentation: + description: > + URL of a page containing human-readable information that developers might want or need to know when using + the OpenID Provider. 
In particular, if the OpenID Provider does not support Dynamic Client Registration, + then information on how to register Clients needs to be provided in this documentation. + type: string + example: "https://www.authelia.com" + subject_types_supported: + description: > + JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include + pairwise and public. + type: array + example: ["public", "pairwise"] + items: + $ref: '#/components/schemas/openid.spec.SubjectIdentifier' + token_endpoint: + description: > + URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is + used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html + type: string + example: "{{ .BaseURL }}api/oidc/token" + token_endpoint_auth_methods_supported: + description: > + JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options + are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section + 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If + omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section + 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 + OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication + type: array + example: ["client_secret_post"] + items: + $ref: '#/components/schemas/openid.spec.ClientAuthMethod' + token_endpoint_auth_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint + for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the + private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. 
+ The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["RS256"] + items: + $ref: '#/components/schemas/jose.spec.jws' + ui_locales_supported: + description: > + Languages and scripts supported for the user interface, represented as a JSON array of BCP47 + [RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 + type: array + example: ["en-US"] + items: + type: string + userinfo_encryption_alg_values_supported: + description: > + JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the + UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: + https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518 + JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["A256GCMKW"] + items: + $ref: '#/components/schemas/jose.spec.JWE.alg' + userinfo_encryption_enc_values_supported: + description: > + JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo + Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 + JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["A256GCM"] + items: + $ref: '#/components/schemas/jose.spec.JWE.enc' + userinfo_endpoint: + description: > + URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, + path, and query parameter components. + See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html + type: string + example: "{{ .BaseURL }}api/oidc/userinfo" + userinfo_signing_alg_values_supported: + description: > + JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the + UserInfo Endpoint to encode the Claims in a JWT [JWT]. 
The value none MAY be included. See Also: + JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: + https://datatracker.ietf.org/doc/html/rfc7519 + type: array + example: ["none", "RS256"] + items: + $ref: '#/components/schemas/jose.spec.JWS.None' + openid.implementation.Claims.Array: + type: array + items: + type: string + enum: + - "amr" + - "aud" + - "azp" + - "client_id" + - "exp" + - "iat" + - "iss" + - "jti" + - "rat" + - "sub" + - "auth_time" + - "nonce" + - "email" + - "email_verified" + - "alt_emails" + - "groups" + - "preferred_username" + - "name" + openid.implementation.Claims.Object: + description: OpenID Connect 1.0 User Claims. + type: object + properties: + amr: + type: array + items: + type: string + enum: + - "mfa" + - "mca" + - "user" + - "pin" + - "pwd" + - "otp" + - "hwk" + - "sms" + aud: + type: array + items: + type: string + azp: + type: string + client_id: + type: string + scope: + type: string + scp: + type: array + items: + type: string + exp: + type: integer + iat: + type: integer + iss: + type: string + jti: + type: string + rat: + type: integer + sub: + type: string + auth_time: + type: integer + nonce: + type: string + email: + type: string + email_verified: + type: boolean + alt_emails: + type: array + items: + type: string + groups: + type: array + items: + type: string + preferred_username: + type: string + name: + type: string + openid.implementation.Scopes.Object: + description: The scope. + type: string + oneOf: + - $ref: '#/components/schemas/openid.spec.Scopes' + - type: string + enum: + - "groups" + openid.spec.Scopes: + type: string + enum: + - "openid" + - "offline_access" + - "profile" + - "email" + - "address" + - "phone" + openid.spec.IntrospectionRequest: + type: object + required: + - "token" + properties: + token: + description: > + The string value of the token. 
For access tokens, this + is the "access_token" value returned from the token endpoint + defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, + this is the "refresh_token" value returned from the token endpoint + as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types + are outside the scope of this specification. + type: string + example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" + token_type_hint: + description: > + A hint about the type of the token submitted for + introspection. The protected resource MAY pass this parameter to + help the authorization server optimize the token lookup. If the + server is unable to locate the token using the given hint, it MUST + extend its search across all of its supported token types. An + authorization server MAY ignore this parameter, particularly if it + is able to detect the token type automatically. Values for this + field are defined in the "OAuth Token Type Hints" registry defined + in OAuth Token Revocation [RFC7009]. + type: string + example: "access_token" + enum: + - "access_token" + - "refresh_token" + openid.spec.AccessRequest.ClientAuth: + type: object + properties: + client_id: + description: > + REQUIRED if the client is not authenticating with the + authorization server as described in Section 3.2.1. of [RFC6749]. + The client identifier as described in Section 2.2 of [RFC6749]. + type: string + example: "authelia_dc_mn123kjn12kj3123njk" + client_secret: + description: > + REQUIRED. The client secret. The client MAY omit the + parameter if the client secret is an empty string. + type: string + format: password + openid.spec.AccessRequest.AuthorizationCodeFlow: + allOf: + - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' + - type: object + required: + - "code" + - "grant_type" + properties: + grant_type: + description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code". 
+ type: string
+ enum:
+ - "authorization_code"
+ code:
+ description: The Authorization Code.
+ type: string
+ example: "authelia_ac_1j2kn3knj12n3kj12n"
+ code_verifier:
+ description: The Authorization Code Verifier (PKCE).
+ type: string
+ example: "88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3"
+ redirect_uri:
+ description: The original Redirect URI used in the Authorization Request.
+ type: string
+ example: "https://app.example.com/oidc/callback"
+ openid.spec.AccessRequest.DeviceCodeFlow:
+ allOf:
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
+ - type: object
+ required:
+ - "grant_type"
+ - "device_code"
+ properties:
+ grant_type:
+ description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
+ type: string
+ enum:
+ - "urn:ietf:params:oauth:grant-type:device_code"
+ device_code:
+ description: The Device Authorization Code.
+ type: string
+ example: "authelia_dc_mn123kjn12kj3123njk"
+ openid.spec.AccessRequest.RefreshTokenFlow:
+ allOf:
+ - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
+ - type: object
+ required:
+ - "grant_type"
+ - "device_code"
+ properties:
+ grant_type:
+ description: Value MUST be set to "refresh_token".
+ type: string
+ enum:
+ - "refresh_token"
+ refresh_token:
+ description: The Refresh Token.
+ example: "authelia_rt_1n2j3kihn12kj3n12k"
+ scope:
+ description: >
+ The scope of the access request as described by
+ Section 3.3. The requested scope MUST NOT include any scope
+ not originally granted by the resource owner, and if omitted is
+ treated as equal to the scope originally granted by the
+ resource owner.
+ openid.spec.AccessResponse:
+ type: object
+ properties:
+ access_token:
+ description: The access token issued by the authorization server.
+ type: string
+ example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn"
+ refresh_token:
+ type: string
+ description: >
+ The refresh token, which can be used to obtain new access tokens using the
+ same authorization grant as described in Section 6.
+ token_type:
+ type: string
+ description: >
+ The access token type provides the client with the information
+ required to successfully utilize the access token to make a protected
+ resource request (along with type-specific attributes). The client
+ MUST NOT use an access token if it does not understand the token
+ type.
+ enum:
+ - "bearer"
+ expires_in:
+ type: integer
+ description: >
+ The lifetime in seconds of the access token. For
+ example, the value "3600" denotes that the access token will
+ expire in one hour from the time the response was generated.
+ If omitted, the authorization server SHOULD provide the
+ expiration time via other means or document the default value.
+ state:
+ type: string
+ description: Exactly the state value passed in the authorization request if present.
+ scope:
+ type: string
+ description: >
+ The scope of the access token as described by Section 3.3 if it differs from the requested scope.
+ openid.spec.AuthorizeRequest:
+ type: object
+ required:
+ - "scope"
+ - "response_type"
+ - "client_id"
+ - "redirect_uri"
+ properties:
+ scope:
+ description: The requested scope.
+ type: string
+ example: "openid profile groups"
+ response_type:
+ $ref: '#/components/schemas/openid.spec.ResponseType'
+ client_id:
+ description: The OAuth 2.0 client identifier.
+ type: string
+ example: "app"
+ redirect_uri:
+ description: >
+ Redirection URI to which the response will be sent. This URI MUST exactly match one of the
+ Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
+ performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
+ flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
+ that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
+ allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
+ scheme, such as one that is intended to identify a callback into a native application.
+ type: string
+ example: "https://app.example.com"
+ state:
+ description: >
+ Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
+ Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
+ parameter with a browser cookie.
+ type: string
+ example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f"
+ response_mode:
+ $ref: '#/components/schemas/openid.spec.ResponseMode'
+ nonce:
+ description: >
+ String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
+ The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
+ entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
+ implementation notes, see Section 15.5.2.
+ type: string
+ example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf"
+ display:
+ $ref: '#/components/schemas/openid.spec.DisplayType'
+ prompt:
+ description: >
+ Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether
+ the Authorization Server prompts the End-User for reauthentication and consent.
+ type: string
+ max_age:
+ description: >
+ Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
+ End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
+ OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
+ to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
+ Token returned MUST include an auth_time Claim Value.
+ type: integer
+ ui_locales:
+ description: >
+ Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
+ space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
+ the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
+ a region designation), followed by English (without a region designation). An error SHOULD NOT
+ result if some or all of the requested locales are not supported by the OpenID Provider.
+ type: string
+ claims_locales:
+ description: >
+ Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
+ a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
+ SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
+ type: string
+ id_token_hint:
+ description: >
+ Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
+ the End-User's current or past authenticated session with the Client. If the End-User identified by
+ the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
+ positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
+ id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
+ returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
+ not present. The Authorization Server need not be listed as an audience of the ID Token when it is
+ used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
+ it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
+ ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
+ that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
+ id_token_hint value.
+ type: string
+ login_hint:
+ description: >
+ Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
+ log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
+ address (or other identifier) and then wants to pass that value as a hint to the discovered
+ authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
+ This value MAY also be a phone number in the format specified for the phone_number Claim. The use
+ of this parameter is left to the OP's discretion.
+ type: string
+ acr_values:
+ description: >
+ Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
+ specifies the acr values that the Authorization Server is being requested to use for processing this
+ Authentication Request, with the values appearing in order of preference. The Authentication Context
+ Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
+ Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
+ type: string
+ claims:
+ description: >
+ Not Supported: The claims parameter value, as specified in Section 5.5.
+ type: string
+ registration:
+ description: >
+ Not Supported: This parameter is used by the Client to provide information about itself to a
+ Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
+ specified in Section 7.2.1.
+ type: string
+ request:
+ description: >
+ Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be
+ encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
+ issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
+ Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
+ algorithm used is RSA1_5.
+ type: string
+ openid.spec.SubjectIdentifier:
+ description: >
+ A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
+ End-User, which is intended to be consumed by the Client.
+ type: string
+ enum:
+ - "public"
+ - "pairwise"
+ openid.spec.ClientAuthMethod:
+ description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
+ type: string
+ enum:
+ - "client_secret_basic"
+ - "client_secret_post"
+ - "client_secret_jwt"
+ - "private_key_jwt"
+ - "none"
+ openid.spec.DisplayType:
+ description: >
+ ASCII string value that specifies how the Authorization Server displays the authentication and consent user
+ interface pages to the End-User.
+ type: string
+ example: "page"
+ enum:
+ - "page"
+ - "popup"
+ - "touch"
+ - "wap"
+ openid.spec.ResponseType:
+ description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
+ type: string
+ example: "code"
+ enum:
+ - "code"
+ - "id_token"
+ - "token"
+ - "code token"
+ - "code id_token"
+ - "token id_token"
+ - "code id_token token"
+ - "none"
+ openid.spec.ResponseMode:
+ description: >
+ Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
+ Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
+ the default mode specified for the Response Type.
+ type: string
+ example: "query"
+ enum:
+ - "query"
+ - "fragment"
+ - "form_post"
+ openid.spec.GrantType:
+ description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
+ type: string
+ example: "authorization_code"
+ enum:
+ - "authorization_code"
+ - "refresh_token"
+ - "implicit"
+ - "password"
+ - "client_credentials"
+ - "urn:ietf:params:oauth:grant-type:device_code"
+ openid.spec.CodeChallengeMethod:
+ description: The RFC7636 Code Challenge Verifier Method.
+ type: string
+ example: "S256"
+ enum:
+ - "plain"
+ - "S256"
+ openid.spec.ClaimType:
+ description: The representation of claims.
+ type: string
+ example: "normal"
+ enum:
+ - "normal"
+ - "aggregated"
+ - "distributed"
+ jose.spec.None:
+ description: The JSON Web Signature Algorithm
+ type: string
+ enum:
+ - "none"
+ jose.spec.JWS.None:
+ description: The JSON Web Signature Algorithm
+ type: string
+ oneOf:
+ - $ref: '#/components/schemas/jose.spec.None'
+ - $ref: '#/components/schemas/jose.spec.jws'
+ jose.spec.jws:
+ description: The JSON Web Signature Algorithm
+ type: string
+ enum:
+ - "HS256"
+ - "HS384"
+ - "HS512"
+ - "RS256"
+ - "RS384"
+ - "RS512"
+ - "ES256"
+ - "ES384"
+ - "ES512"
+ - "PS256"
+ - "PS384"
+ - "PS512"
+ jose.spec.JWE.alg:
+ description: The JSON Web Encryption Algorithm (CEK)
+ type: string
+ enum:
+ - "RSA1_5"
+ - "RSA-OAEP"
+ - "RSA-OAEP-256"
+ - "A128KW"
+ - "A192KW"
+ - "A256KW"
+ - "dir"
+ - "ECDH-ES"
+ - "ECDH-ES+A128KW"
+ - "ECDH-ES+A192KW"
+ - "ECDH-ES+A256KW"
+ - "A128GCMKW"
+ - "A192GCMKW"
+ - "A256GCMKW"
+ - "PBES2-HS256+A128KW"
+ - "PBES2-HS384+A192KW"
+ - "PBES2-HS512+A256KW"
+ jose.spec.JWE.enc:
+ description: The JSON Web Encryption Algorithm (Claims)
+ type: string
+ enum:
+ - "A128CBC-HS256"
+ - "A192CBC-HS384"
+ - "A256CBC-HS512"
+ - "A128CBC"
+ - "A256CBC"
+ - "A128GCM"
+ - "A256GCM"
+ jose.spec.JWK.base:
+ type: object
+ properties:
+ use:
+ description: >
+ The "use" (public key use) parameter identifies the intended use of
+ the public key. The "use" parameter is employed to indicate whether
+ a public key is used for encrypting data or verifying the signature
+ on data.
+ type: string
+ example: "sig"
+ enum:
+ - "sig"
+ - "enc"
+ key_ops:
+ description: >
+ The "key_ops" (key operations) parameter identifies the operation(s)
+ for which the key is intended to be used. The "key_ops" parameter is
+ intended for use cases in which public, private, or symmetric keys
+ may be present.
+ type: array
+ example: ["sign"]
+ items:
+ type: string
+ enum:
+ - "sign"
+ - "verify"
+ - "encrypt"
+ - "decrypt"
+ - "wrapKey"
+ - "unwrapKey"
+ - "deriveKey"
+ - "deriveBits"
+ kid:
+ description: >
+ The "kid" (key ID) parameter is used to match a specific key. This
+ is used, for instance, to choose among a set of keys within a JWK Set
+ during key rollover. The structure of the "kid" value is
+ unspecified. When "kid" values are used within a JWK Set, different
+ keys within the JWK Set SHOULD use distinct "kid" values. (One
+ example in which different keys might use the same "kid" value is if
+ they have different "kty" (key type) values but are considered to be
+ equivalent alternatives by the application using them.) The "kid"
+ value is a case-sensitive string. Use of this member is OPTIONAL.
+ When used with JWS or JWE, the "kid" value is used to match a JWS or
+ JWE "kid" Header Parameter value.
+ type: string
+ x5u:
+ description: >
+ The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
+ resource for an X.509 public key certificate or certificate chain
+ [RFC5280]. The identified resource MUST provide a representation of
+ the certificate or certificate chain that conforms to RFC 5280
+ [RFC5280] in PEM-encoded form, with each certificate delimited as
+ specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
+ certificate MUST match the public key represented by other members of
+ the JWK. The protocol used to acquire the resource MUST provide
+ integrity protection; an HTTP GET request to retrieve the certificate
+ MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
+ validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
+ member is OPTIONAL.
+ type: string
+ x5c:
+ description: >
+ The "x5c" (X.509 certificate chain) parameter contains a chain of one
+ or more PKIX certificates [RFC5280]. The certificate chain is
+ represented as a JSON array of certificate value strings. Each
+ string in the array is a base64-encoded (Section 4 of [RFC4648] --
+ not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
+ The PKIX certificate containing the key value MUST be the first
+ certificate. This MAY be followed by additional certificates, with
+ each subsequent certificate being the one used to certify the
+ previous one. The key in the first certificate MUST match the public
+ key represented by other members of the JWK. Use of this member is
+ OPTIONAL.
+ type: array
+ items:
+ type: string
+ format: byte
+ x5t:
+ description: >
+ The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
+ base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
+ encoding of an X.509 certificate [RFC5280]. Note that certificate
+ thumbprints are also sometimes known as certificate fingerprints.
+ The key in the certificate MUST match the public key represented by
+ other members of the JWK. Use of this member is OPTIONAL.
+ type: string
+ format: byte
+ x5t#S256:
+ description: >
+ The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
+ base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
+ encoding of an X.509 certificate [RFC5280]. Note that certificate
+ thumbprints are also sometimes known as certificate fingerprints.
+ The key in the certificate MUST match the public key represented by
+ other members of the JWK. Use of this member is OPTIONAL.
+ type: string
+ format: byte
+ jose.spec.JWK.RSA:
+ description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - type: object
+ required:
+ - "kty"
+ - "n"
+ - "e"
+ properties:
+ kty:
+ description: >
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key.
+ type: string
+ example: "RSA"
+ enum:
+ - "RSA"
+ alg:
+ description: The JSON Web Signature Algorithm
+ type: string
+ example: "RS256"
+ enum:
+ - "RS256"
+ - "RS384"
+ - "RS512"
+ - "PS256"
+ - "PS384"
+ - "PS512"
+ n:
+ description: >
+ RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
+ represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ e:
+ description: >
+ RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
+ It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ jose.spec.JWK.RSA.Private:
+ description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - $ref: '#/components/schemas/jose.spec.JWK.RSA'
+ - type: object
+ required:
+ - "d"
+ properties:
+ d:
+ description: >
+ RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
+ private key. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ p:
+ description: >
+ RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
+ It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ q:
+ description: >
+ RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
+ represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ dp:
+ description: >
+ RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
+ (CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ dq:
+ description: >
+ RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
+ second factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ qi:
+ description: >
+ RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
+ factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ oth:
+ description: >
+ The "oth" (other primes info) parameter contains an array of
+ information about any third and subsequent primes, should they exist.
+ type: array
+ items:
+ type: object
+ required:
+ - "r"
+ - "d"
+ - "t"
+ properties:
+ r:
+ description: >
+ The "r" (prime factor) parameter within an "oth" array member
+ represents the value of a subsequent prime factor. It is represented
+ as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ d:
+ description: >
+ The "d" (factor CRT exponent) parameter within an "oth" array member
+ represents the CRT exponent of the corresponding prime factor. It is
+ represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ t:
+ description: >
+ The "t" (factor CRT coefficient) parameter within an "oth" array
+ member represents the CRT coefficient of the corresponding prime
+ factor. It is represented as a Base64urlUInt-encoded value.
+ type: string
+ format: byte
+ jose.spec.JWK.EC:
+ description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - type: object
+ required:
+ - "kty"
+ - "crv"
+ - "x"
+ properties:
+ kty:
+ description: >
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key.
+ type: string
+ example: "EC"
+ enum:
+ - "EC"
+ alg:
+ description: The JSON Web Signature Algorithm
+ type: string
+ example: "ES256"
+ enum:
+ - "ES256"
+ - "ES384"
+ - "ES512"
+ x:
+ description: >
+ EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
+ It is represented as the base64url encoding of the octet string representation of the coordinate, as
+ defined in Section 2.3.5 of SEC1 [SEC1].
+ type: string
+ format: byte
+ y:
+ description: >
+ EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
+ It is represented as the base64url encoding of the octet string representation of the coordinate, as
+ defined in Section 2.3.5 of SEC1 [SEC1].
+ type: string
+ format: byte
+ crv:
+ description: >
+ The curve parameter identifies the cryptographic curve used with the key. Curve
+ values from [DSS] used by this specification.
+ type: string
+ example: "P-521"
+ enum:
+ - "P-256"
+ - "P-384"
+ - "P-521"
+ - "Ed25519"
+ - "Ed448"
+ - "X25519"
+ - "X448"
+ - "secp256k1"
+ jose.spec.JWK.EC.Private:
+ description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - $ref: '#/components/schemas/jose.spec.JWK.EC'
+ - type: object
+ required:
+ - "d"
+ properties:
+ d:
+ description: >
+ ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
+ is represented as the base64url encoding of the octet string representation of the private key value,
+ as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
+ ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
+ type: string
+ format: byte
+ jose.spec.JWK.Symmetric:
+ description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
+ allOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.base'
+ - type: object
+ required:
+ - "k"
+ properties:
+ kty:
+ description: >
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key.
+ type: string
+ example: "oct"
+ enum:
+ - "oct"
+ k:
+ description: >
+ The "k" (key value) parameter contains the value of the symmetric (or
+ other single-valued) key. It is represented as the base64url
+ encoding of the octet sequence containing the key value.
+ type: string
+ format: byte
+ jose.spec.JWK:
+ type: string
+ anyOf:
+ - $ref: '#/components/schemas/jose.spec.JWK.RSA'
+ - $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
+ - $ref: '#/components/schemas/jose.spec.JWK.EC'
+ - $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
+ - $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
+ jose.spec.JWKs:
+ type: object
+ description: The JSON Web Key Sets Document as defined by RFC7517.
+ properties:
+ keys:
+ description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
+ type: array
+ items:
+ $ref: '#/components/schemas/jose.spec.JWK'
 securitySchemes:
 authelia_auth:
 type: apiKey
- name: "{{.Session}}"
+ name: "{{ .Session }}"
 in: cookie
+ openid:
+ type: openIdConnect
+ openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration"
 ...