diff --git a/internal/server/public_html/api/index.html b/internal/server/public_html/api/index.html
index 7d41d83af..e69de29bb 100644
--- a/internal/server/public_html/api/index.html
+++ b/internal/server/public_html/api/index.html
@@ -1,60 +0,0 @@
- - - - - - Swagger UI - - - - - - - -
- - - - - -
diff --git a/internal/server/public_html/api/openapi.yml b/internal/server/public_html/api/openapi.yml
index 6bc5cfb79..e69de29bb 100644
--- a/internal/server/public_html/api/openapi.yml
+++ b/internal/server/public_html/api/openapi.yml
@@ -1,3848 +0,0 @@
---- -openapi: 3.0.3 -info: - title: Authelia API - description: > - Authelia is an open-source authentication and authorization server providing 2-factor authentication and single - sign-on (SSO) for your applications via a web portal. - contact: - name: Support - url: https://www.authelia.com/contact/ - email: team@authelia.com - license: - name: Apache 2.0 - url: https://www.apache.org/licenses/LICENSE-2.0 - version: 1.0.0 -servers: - - url: "{{ .BaseURL }}" - description: Authelia API -tags: - - name: State - description: Configuration, health and state endpoints - - name: Authentication - description: Authentication endpoints - - name: Authorization - description: Authorization endpoints - {{- if .PasswordReset }} - - name: Password Reset - description: Password reset endpoints - - name: User Information - description: User configuration endpoints - {{- end }} - {{- if (or .TOTP .Webauthn .Duo) }} - - name: Second Factor - description: TOTP, Webauthn and Duo endpoints - externalDocs: - url: https://www.authelia.com/configuration/second-factor/introduction/ - {{- end }} - {{- if .OpenIDConnect }} - - name: OpenID Connect 1.0 - description: OpenID Connect 1.0 and OAuth 2.0 Endpoints - externalDocs: - url: https://www.authelia.com/integration/openid-connect/introduction/ - {{- end }} -paths: - /api/configuration: - get: - tags: - - State - summary: Application Configuration - description: > - The configuration endpoint provides detailed information including available second factor methods, if any - second factor policies exist and the TOTP period configuration. 
- responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.configuration.ConfigurationBody' - "403": - description: Forbidden - security: - - authelia_auth: [] - /api/configuration/password-policy: - get: - tags: - - State - summary: Password Policy Configuration - description: > - The password policy configuration endpoint provides a password policy for resetting passwords. - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody' - /api/health: - head: - tags: - - State - summary: Application Health - description: The health check endpoint provides information about the health of Authelia. - responses: - "200": - description: Successful Operation - get: - tags: - - State - summary: Application Health - description: The health check endpoint provides information about the health of Authelia. - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - /api/state: - get: - tags: - - State - summary: User Application State - description: > - The state endpoint provides detailed information including the user, current authenticate level and Authelia's - configured default redirection URL. 
- responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.StateResponse' - {{- $app := "" }}{{ if .Domain }}{{ $app = printf "https://%s/" .Domain }}{{ else if .BaseURL }}{{ $app = .BaseURL }}{{ else }}{{ $app = "https://app.example.com" }}{{ end }} - {{- $redir := printf "%s?rd=%s&rm=GET" (.BaseURL | default "https://auth.example.com/") (urlquery $app) }} - {{- range $name, $config := .EndpointsAuthz }} - {{- $uri := printf "/api/authz/%s" $name }} - {{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }} - {{ $uri }}: - {{- if (eq $config.Implementation "Legacy") }} - {{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }} - {{ $method }}: - tags: - - Authorization - summary: Authorization Verification (Legacy) - description: > - The legacy authorization verification endpoint provides the ability to verify if a user has the necessary - permissions to access a specified domain with several proxies. It's generally recommended users use a proxy - specific endpoint instead. 
- parameters: - - name: X-Original-URL - in: header - description: Redirection URL - required: false - style: simple - explode: true - schema: - type: string - - $ref: '#/components/parameters/forwardedMethodParam' - - name: X-Forwarded-Proto - in: header - description: Redirection URL (Scheme / Protocol) - required: false - style: simple - explode: true - example: 'https' - schema: - type: string - - name: X-Forwarded-Host - in: header - description: Redirection URL (Host) - required: false - style: simple - explode: true - example: '{{ $.Domain | default "example.com" }}' - schema: - type: string - - name: X-Forwarded-Uri - in: header - description: Redirection URL (URI) - required: false - style: simple - explode: true - example: '/path/example' - schema: - type: string - - $ref: '#/components/parameters/forwardedForParam' - - $ref: '#/components/parameters/authParam' - responses: - "200": - description: Successful Operation - headers: - remote-user: - description: Username - schema: - type: string - example: john - remote-name: - description: Name - schema: - type: string - example: John Doe - remote-email: - description: Email - schema: - type: string - example: john.doe@authelia.com - remote-groups: - description: Comma separated list of Groups - schema: - type: string - example: admin,devs - set-cookie: - description: Sets a new cookie value - schema: - type: string - "302": - description: Found - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - "303": - description: See Other - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - "401": - description: Unauthorized - headers: - set-cookie: - description: Sets a new cookie value - schema: - type: string - security: - - authelia_auth: [] - {{- end }} 
- {{- else if (eq $config.Implementation "ExtAuthz") }} - {{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }} - {{ $method }}: - tags: - - Authorization - summary: Authorization Verification (ExtAuthz) - description: > - The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary - permissions to access a specified resource with the Envoy proxy. - parameters: - - $ref: '#/components/parameters/forwardedMethodParam' - - $ref: '#/components/parameters/forwardedHostParam' - - $ref: '#/components/parameters/forwardedURIParam' - - $ref: '#/components/parameters/forwardedForParam' - - $ref: '#/components/parameters/autheliaURLParam' - responses: - "200": - description: Successful Operation - headers: - remote-user: - description: Username - schema: - type: string - example: john - remote-name: - description: Name - schema: - type: string - example: John Doe - remote-email: - description: Email - schema: - type: string - example: john.doe@authelia.com - remote-groups: - description: Comma separated list of Groups - schema: - type: string - example: admin,devs - set-cookie: - description: Sets a new cookie value - schema: - type: string - "302": - description: Found - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - "303": - description: See Other - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - "400": - description: Bad Request - "401": - description: Unauthorized - security: - - authelia_auth: [] - {{- end }} - {{- else if (eq $config.Implementation "ForwardAuth") }} - {{- range $method := list "get" "head" }} - {{ $method }}: - tags: - - Authorization - summary: Authorization Verification (ForwardAuth) - description: > - 
The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary - permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies. - parameters: - - $ref: '#/components/parameters/forwardedMethodParam' - - $ref: '#/components/parameters/forwardedHostParam' - - $ref: '#/components/parameters/forwardedURIParam' - - $ref: '#/components/parameters/forwardedForParam' - responses: - "200": - description: Successful Operation - headers: - remote-user: - description: Username - schema: - type: string - example: john - remote-name: - description: Name - schema: - type: string - example: John Doe - remote-email: - description: Email - schema: - type: string - example: john.doe@authelia.com - remote-groups: - description: Comma separated list of Groups - schema: - type: string - example: admin,devs - set-cookie: - description: Sets a new cookie value - schema: - type: string - "302": - description: Found - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - "303": - description: See Other - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - "400": - description: Bad Request - "401": - description: Unauthorized - security: - - authelia_auth: [] - {{- end }} - {{- else if (eq $config.Implementation "AuthRequest") }} - {{- range $method := list "get" "head" }} - {{ $method }}: - tags: - - Authorization - summary: Authorization Verification (AuthRequest) - description: > - The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary - permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies. 
- parameters: - - $ref: '#/components/parameters/originalMethodParam' - - $ref: '#/components/parameters/originalURLParam' - responses: - "200": - description: Successful Operation - headers: - remote-user: - description: Username - schema: - type: string - example: john - remote-name: - description: Name - schema: - type: string - example: John Doe - remote-email: - description: Email - schema: - type: string - example: john.doe@authelia.com - remote-groups: - description: Comma separated list of Groups - schema: - type: string - example: admin,devs - set-cookie: - description: Sets a new cookie value - schema: - type: string - "400": - description: Bad Request - "401": - description: Unauthorized - headers: - location: - description: Redirect Location for user authorization - example: '{{ $redir }}' - set-cookie: - description: Sets a new cookie value - schema: - type: string - security: - - authelia_auth: [] - {{- end }} - {{- end }} - {{- end }} - /api/firstfactor: - post: - tags: - - Authentication - summary: Login - description: > - The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization. - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.bodyFirstFactorRequest' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.redirectResponse' - "401": - description: Unauthorized - security: - - authelia_auth: [] - /api/checks/safe-redirection: - post: - tags: - - Authentication - summary: Check whether URI is safe to redirect to. - description: > - End users usually needs to be redirected to a target website after authentication. This endpoint aims to check - if target URL is safe to redirect to. This prevents open redirect attacks. 
- requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody' - "401": - description: Unauthorized - security: - - authelia_auth: [] - /api/logout: - post: - tags: - - Authentication - summary: Logout - description: The logout endpoint allows a user to logout and destroy a sesssion. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.logoutRequestBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.logoutResponseBody' - security: - - authelia_auth: [] - {{- if .PasswordReset }} - /api/reset-password/identity/start: - post: - tags: - - Password Reset - summary: Identity Verification Token Creation - description: > - This endpoint is step 1 of 3 in the password reset process. - - It validates the user session and sends the user an email with a token and a link to reset their password. This - step also generates a session cookie for the rest of the process. - - The same session cookie must be used for all steps in this process. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - security: - - authelia_auth: [] - /api/reset-password/identity/finish: - post: - tags: - - Password Reset - summary: Identity Verification Token Validation - description: > - This endpoint is step 2 of 3 in the password reset process. - - It validates the user session and reset token. - - The same session cookie must be used for all steps in this process. 
- requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - security: - - authelia_auth: [] - /api/reset-password: - post: - tags: - - Password Reset - summary: Password Reset - description: > - This endpoint is step 3 of 3 in the password reset process. - - It validates the user session and changes the password. - - The same session cookie must be used for all steps in this process. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - security: - - authelia_auth: [] - {{- end }} - /api/user/info: - get: - tags: - - User Information - summary: User Configuration - description: > - The user info endpoint provides detailed information including a users display name, preferred and registered - second factor method(s). - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.UserInfo' - "403": - description: Forbidden - security: - - authelia_auth: [] - post: - tags: - - User Information - summary: User Configuration - description: > - The user info endpoint provides detailed information including a users display name, preferred and registered - second factor method(s). The POST method also ensures the preferred method is configured correctly. 
- responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.UserInfo' - "403": - description: Forbidden - security: - - authelia_auth: [] - /api/user/info/2fa_method: - post: - tags: - - User Information - summary: User Configuration - description: The user info 2fa_method endpoint sets the users preferred second factor method. - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.UserInfo.MethodBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - "403": - description: Forbidden - security: - - authelia_auth: [] - {{- if .TOTP }} - /api/user/info/totp: - get: - tags: - - User Information - summary: User TOTP Configuration - description: > - The user TOTP info endpoint provides information necessary to display the TOTP component to validate their - TOTP input such as the period/frequency and number of digits. - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.UserInfoTOTP' - "403": - description: Forbidden - security: - - authelia_auth: [] - /api/secondfactor/totp/identity/start: - post: - tags: - - Second Factor - summary: Identity Verification TOTP Token Creation - description: > - This endpoint performs identity verification to begin the TOTP device registration process. - - The session generated from this endpoint must be utilised for the subsequent step in the - `/api/secondfactor/totp/identity/finish` endpoint. 
- responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - security: - - authelia_auth: [] - /api/secondfactor/totp/identity/finish: - post: - tags: - - Second Factor - summary: Identity Verification TOTP Token Validation and Device Creation - description: > - This endpoint performs identity and token verification, upon success also generates TOTP device secret and - registers said device. - - The session cookie generated from the `/api/secondfactor/totp/identity/start` endpoint must be utilised for the - step here. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.TOTPKeyResponse' - security: - - authelia_auth: [] - /api/secondfactor/totp: - post: - tags: - - Second Factor - summary: Second Factor Authentication - TOTP - description: This endpoint performs second factor authentication with a TOTP key. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.bodySignTOTPRequest' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.redirectResponse' - "401": - description: Unauthorized - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.ErrorResponse' - security: - - authelia_auth: [] - {{- end }} - {{- if .Webauthn }} - /api/secondfactor/webauthn/assertion: - get: - tags: - - Second Factor - summary: Second Factor Authentication - Webauthn (Request) - description: This endpoint starts the second factor authentication process with the FIDO2 Webauthn credential. 
- responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions' - "401": - description: Unauthorized - security: - - authelia_auth: [] - post: - tags: - - Second Factor - summary: Second Factor Authentication - Webauthn - description: This endpoint completes the second factor authentication process with the FIDO2 Webauthn credential. - requestBody: - required: true - content: - application/json: - schema: - $ref: "#/components/schemas/webauthn.CredentialAssertionResponse" - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.redirectResponse' - "401": - description: Unauthorized - security: - - authelia_auth: [] - /api/secondfactor/webauthn/identity/start: - post: - tags: - - Second Factor - summary: Identity Verification Webauthn Credential Creation - description: > - This endpoint performs identity verification to begin the FIDO2 Webauthn credential attestation process - (registration). - - The session generated from this endpoint must be utilised for the subsequent steps in the - `/api/secondfactor/webauthn/identity/finish` and `/api/secondfactor/webauthn/attestation` endpoints. - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - security: - - authelia_auth: [] - /api/secondfactor/webauthn/identity/finish: - post: - tags: - - Second Factor - summary: Identity Verification FIDO2 Webauthn Credential Validation - description: > - This endpoint performs identity and token verification, upon success generates a FIDO2 Webauthn device - attestation challenge (registration). - - The session cookie generated from the `/api/secondfactor/webauthn/identity/start` endpoint must be utilised - for the subsequent steps here and in the `/api/secondfactor/webauthn/attestation` endpoint. 
- requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions' - security: - - authelia_auth: [] - /api/secondfactor/webauthn/attestation: - post: - tags: - - Second Factor - summary: Webauthn Credential Attestation - description: This endpoint performs Webauthn credential attestation (registration). - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/webauthn.CredentialAttestationResponse' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - security: - - authelia_auth: [] - {{- end }} - {{- if .Duo }} - /api/secondfactor/duo: - post: - tags: - - Second Factor - summary: Second Factor Authentication - Duo Mobile Push - description: This endpoint performs second factor authentication with a Duo Mobile Push. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.bodySignDuoRequest' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.redirectResponse' - "401": - description: Unauthorized - security: - - authelia_auth: [] - /api/secondfactor/duo_devices: - get: - tags: - - Second Factor - summary: Second Factor Authentication - Duo Mobile Push - description: This endpoint retrieves a users available devices and capabilities from Duo. 
- responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.DuoDevicesResponse' - "401": - description: Unauthorized - security: - - authelia_auth: [] - /api/secondfactor/duo_device: - post: - tags: - - Second Factor - summary: Second Factor Authentication - Duo Mobile Push - description: This endpoint updates the users preferred Duo device and method. - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/handlers.DuoDeviceBody' - responses: - "200": - description: Successful Operation - content: - application/json: - schema: - $ref: '#/components/schemas/middlewares.OkResponse' - "401": - description: Unauthorized - security: - - authelia_auth: [] - {{- end }} - {{- if .OpenIDConnect }} - /.well-known/openid-configuration: - get: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect Discovery 1.0 Document - description: > - This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for - an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html. - responses: - "200": - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration' - "400": - description: Bad Request - "500": - description: Internal Server Error - /.well-known/oauth-authorization-server: - get: - tags: - - OpenID Connect 1.0 - summary: OAuth 2.0 Authorization Server Metadata - description: > - This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to - perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414. 
- responses: - "200": - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer' - "400": - description: Bad Request - "500": - description: Internal Server Error - /jwks.json: - get: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 JSON Web Key Set Document - description: > - This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate - information from this OpenID Connect 1.0 Provider. - responses: - "200": - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/jose.spec.JWKs' - /api/oidc/authorization: - get: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 Authorization Endpoint - description: > - This endpoint performs OpenID Connect 1.0 Authorization. - parameters: - - in: query - name: id - required: false - description: The OpenID Connect 1.0 consent workflow ID. - schema: - type: string - format: uuid - pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' - example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4' - - in: query - name: scope - description: The requested scope. - required: true - schema: - type: string - example: 'openid profile groups' - - in: query - name: response_type - description: The OAuth 2.0 response type. - required: true - schema: - $ref: '#/components/schemas/openid.spec.ResponseType' - - in: query - name: client_id - description: The OAuth 2.0 client identifier. - required: true - schema: - type: string - example: 'app' - - in: query - name: redirect_uri - description: > - Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI - values for the Client pre-registered at the OpenID Provider, with the matching performed as described in - Section 6.2.1 of [RFC3986] (Simple String Comparison). 
When using this flow, the Redirection URI SHOULD use - the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as - defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this - case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback - into a native application. - required: true - schema: - type: string - example: 'https://app.{{ .Domain | default "example.com" }}' - - in: query - name: state - description: > - Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request - Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a - browser cookie. - required: false - schema: - type: string - example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f' - - in: query - name: response_mode - description: > - Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization - Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is - the default mode specified for the Response Type. - required: false - schema: - $ref: '#/components/schemas/openid.spec.ResponseMode' - - in: query - name: nonce - description: > - String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value - is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be - present in the nonce values used to prevent attackers from guessing values. For implementation notes, see - Section 15.5.2. - required: false - schema: - type: string - example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf' - - in: query - name: display - description: > - Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication - and consent user interface pages to the End-User. 
- required: false - schema: - $ref: '#/components/schemas/openid.spec.DisplayType' - - in: query - name: prompt - description: > - Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the - Authorization Server prompts the End-User for reauthentication and consent. - required: false - schema: - type: string - - in: query - name: max_age - description: > - Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User - was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to - actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE - [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an - auth_time Claim Value. - required: false - schema: - type: integer - example: 3600 - - in: query - name: ui_locales - description: > - Not Supported: End-User's preferred languages and scripts for the user interface, represented as a - space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value - "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region - designation), followed by English (without a region designation). An error SHOULD NOT result if some or all - of the requested locales are not supported by the OpenID Provider. - required: false - schema: - type: string - example: 'en-US' - - in: query - name: claims_locales - description: > - Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a - space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT - result if some or all of the requested locales are not supported by the OpenID Provider. 
- required: false - schema: - type: string - example: 'en-US' - - in: query - name: id_token_hint - required: false - description: > - Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the - End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token - is logged in or is logged in by the request, then the Authorization Server returns a positive response; - otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be - present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the - server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need - not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token - received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the - signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to - the Authentication Server using a key that enables the server to decrypt the ID Token, and use the - re-encrypted ID token as the id_token_hint value. - schema: - type: string - - in: query - name: login_hint - description: > - Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in - (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address - (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. - It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone - number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's - discretion. 
- required: false - schema: - type: string - - in: query - name: acr_values - description: > - Not Supported: Requested Authentication Context Class Reference values. Space-separated string that - specifies the acr values that the Authorization Server is being requested to use for processing this - Authentication Request, with the values appearing in order of preference. The Authentication Context Class - satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. - The acr Claim is requested as a Voluntary Claim by this parameter. - required: false - schema: - type: string - - in: query - name: claims - description: > - Not Supported: The claims parameter value, as specified in Section 5.5. - required: false - schema: - type: string - - in: query - name: registration - description: > - Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP - that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1. - required: false - schema: - type: string - - in: query - name: request - description: > - Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to - the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this - Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only - supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5. - required: false - schema: - type: string - - in: query - name: code_challenge - description: > - RFC7636 Code Challenge. - required: false - schema: - type: string - - in: query - name: code_challenge_method - required: false - description: > - RFC7636 Code Challenge Method. defaults to "plain" if not present in the request. - Code verifier transformation method is "S256" or "plain". 
- schema: - $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' - responses: - "200": - description: OK - content: - text/html: - schema: - type: string - description: The Form Post Response Mode content. - "303": - description: See Other - headers: - Location: - schema: - type: string - description: > - Redirection location for the consent flow, or the authorization response callback location when using - the Query or Fragment Response Modes. - "400": - description: Bad Request - "500": - description: Internal Server Error - post: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 Authorization Endpoint - description: > - This endpoint performs OpenID Connect 1.0 Authorization. - requestBody: - description: Authorize Request Parameters. - required: true - content: - application/x-www-form-urlencoded: - schema: - $ref: '#/components/schemas/openid.spec.AuthorizeRequest' - responses: - "200": - description: OK - content: - text/html: - schema: - type: string - description: The Form Post Response Mode content. - "303": - description: See Other - headers: - Location: - schema: - type: string - description: > - Redirection location for the consent flow, or the authorization response callback location when using - the Query or Fragment Response Modes. - "400": - description: Bad Request - "500": - description: Internal Server Error - security: - - authelia_auth: [] - /api/oidc/token: - post: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 Token Endpoint - description: > - This endpoint performs OpenID Connect 1.0 Token Access Requests. - requestBody: - description: Access Request Parameters. 
- required: true - content: - application/x-www-form-urlencoded: - schema: - oneOf: - - $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow' - - $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow' - - $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow' - responses: - "200": - description: OK - content: - application/json: - schema: - oneOf: - - $ref: '#/components/schemas/openid.spec.AccessResponse' - "401": - description: Forbidden - "403": - description: Unauthorized - "500": - description: Internal Server Error - security: - - openid: [] - /api/oidc/revocation: - post: - tags: - - OpenID Connect 1.0 - summary: OAuth 2.0 Token Revocation Endpoint - description: > - This endpoint performs OAuth 2.0 Token Revocation Requests. - requestBody: - description: Required OAuth 2.0 revocation parameters. - required: true - content: - application/x-www-form-urlencoded: - schema: - $ref: '#/components/schemas/openid.spec.IntrospectionRequest' - responses: - "200": - description: OK - "401": - description: Forbidden - "403": - description: Unauthorized - "500": - description: Internal Server Error - security: - - openid: [] - /api/oidc/introspection: - post: - tags: - - OpenID Connect 1.0 - summary: OAuth 2.0 Token Introspection Endpoint - description: > - This endpoint performs OAuth 2.0 Token Introspection Requests. - requestBody: - description: Required OAuth 2.0 introspection parameters. 
- required: true - content: - application/x-www-form-urlencoded: - schema: - $ref: '#/components/schemas/openid.spec.IntrospectionRequest' - responses: - "200": - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/openid.implementation.Claims.Object' - "401": - description: Forbidden - "403": - description: Unauthorized - "500": - description: Internal Server Error - security: - - openid: [] - /api/oidc/userinfo: - get: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 UserInfo Endpoint - description: > - This endpoint performs OpenID Connect 1.0 UserInfo Access Requests. - parameters: - - in: query - name: access_token - description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. - schema: - type: string - example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn' - responses: - "200": - description: OK - content: - application/jwt: {} - application/json: - schema: - $ref: '#/components/schemas/openid.implementation.Claims.Object' - "401": - description: Forbidden - "403": - description: Unauthorized - "500": - description: Internal Server Error - security: - - openid: [] - post: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 UserInfo Endpoint - description: > - This endpoint performs OpenID Connect 1.0 UserInfo Access Requests. - parameters: - - in: query - name: access_token - description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. - schema: - type: string - example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn' - requestBody: - content: - application/x-www-form-urlencoded: - schema: - type: object - properties: - access_token: - description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. 
- type: string - example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn' - responses: - "200": - description: OK - content: - application/jwt: {} - application/json: - schema: - $ref: '#/components/schemas/openid.implementation.Claims.Object' - "401": - description: Forbidden - "403": - description: Unauthorized - "500": - description: Internal Server Error - security: - - openid: [] - /api/oidc/consent: - get: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 Consent Information - description: > - This endpoint retrieves the consent information about a specific consent ID during the consent workflow. - parameters: - - $ref: '#/components/parameters/idRequiredParam' - responses: - "200": - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/openid.request.consent' - "403": - description: Forbidden - security: - - authelia_auth: [] - post: - tags: - - OpenID Connect 1.0 - summary: OpenID Connect 1.0 Consent Response - description: > - This endpoint retrieves the consent response for a specific consent ID during the consent workflow. 
- responses: - "200": - description: OK - content: - application/json: - schema: - $ref: '#/components/schemas/openid.response.consent' - "403": - description: Forbidden - security: - - authelia_auth: [] - {{- end }} -components: - parameters: - originalMethodParam: - name: X-Original-Method - in: header - description: Request Method - required: true - style: simple - explode: true - schema: - type: string - enum: - - "GET" - - "HEAD" - - "POST" - - "PUT" - - "PATCH" - - "DELETE" - - "TRACE" - - "CONNECT" - - "OPTIONS" - - "COPY" - - "LOCK" - - "MKCOL" - - "MOVE" - - "PROPFIND" - - "PROPPATCH" - - "UNLOCK" - originalURLParam: - name: X-Original-URL - in: header - description: Redirection URL - required: true - style: simple - explode: true - schema: - type: string - forwardedMethodParam: - name: X-Forwarded-Method - in: header - description: Request Method - required: false - style: simple - explode: true - schema: - type: string - enum: - - "GET" - - "HEAD" - - "POST" - - "PUT" - - "PATCH" - - "DELETE" - - "TRACE" - - "CONNECT" - - "OPTIONS" - - "COPY" - - "LOCK" - - "MKCOL" - - "MOVE" - - "PROPFIND" - - "PROPPATCH" - - "UNLOCK" - forwardedProtoParam: - name: X-Forwarded-Proto - in: header - description: Redirection URL (Scheme / Protocol) - required: true - style: simple - explode: true - example: 'https' - schema: - type: string - forwardedHostParam: - name: X-Forwarded-Host - in: header - description: Redirection URL (Host) - required: true - style: simple - explode: true - example: '{{ .Domain | default "example.com" }}' - schema: - type: string - forwardedURIParam: - name: X-Forwarded-Uri - in: header - description: Redirection URL (URI) - required: true - style: simple - explode: true - example: '/path/example' - schema: - type: string - forwardedForParam: - name: X-Forwarded-For - in: header - description: Clients IP address or IP address chain - required: false - style: simple - explode: true - example: '192.168.0.55,192.168.0.20' - schema: - type: string 
- autheliaURLParam: - name: X-Authelia-URL - in: header - description: Authelia Portal URL - required: false - style: simple - explode: true - example: '{{ .BaseURL | default "https://auth.example.com" }}' - schema: - type: string - authParam: - name: auth - in: query - description: Switch authorization header and prompt for basic auth - required: false - schema: - type: string - enum: ["basic"] - idRequiredParam: - name: id - in: query - description: The ID of what is being requested - required: true - schema: - type: string - schemas: - handlers.checkURIWithinDomainRequestBody: - type: object - properties: - uri: - type: string - example: 'https://secure.{{ .Domain | default "example.com" }}' - handlers.checkURIWithinDomainResponseBody: - type: object - properties: - ok: - type: boolean - example: true - description: If redirection URL is safe. - handlers.configuration.ConfigurationBody: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - available_methods: - type: array - description: List of available 2FA methods. If no methods exist 2FA is disabled. - items: - enum: - - "totp" - - "webauthn" - - "mobile_push" - example: [totp, webauthn, mobile_push] - handlers.configuration.PasswordPolicyConfigurationBody: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - mode: - type: string - description: The password policy mode. - enum: - - "disabled" - - "standard" - - "zxcvbn" - min_length: - type: integer - description: The minimum password length when using the standard mode. - max_length: - type: integer - description: The maximum password length when using the standard mode. - min_score: - type: integer - description: The minimum password score when using the zxcvbn mode. - require_uppercase: - type: boolean - description: If uppercase characters are required when using the standard mode. 
- require_lowercase: - type: boolean - description: If uppercase characters are required when using the standard mode. - require_number: - type: boolean - description: If numeric characters are required when using the standard mode. - require_special: - type: boolean - description: If special characters are required when using the standard mode. - handlers.DuoDeviceBody: - required: - - device - - method - type: object - properties: - device: - type: string - example: ABCDE123456789FGHIJK - method: - type: string - example: push - handlers.DuoDevicesResponse: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - result: - type: string - example: auth - devices: - type: array - items: - type: object - properties: - device: - type: string - example: ABCDE123456789FGHIJK - display_name: - type: string - example: iOS (+XX XXX XXX 123) - capabilities: - type: array - items: - type: string - example: push - handlers.bodyFirstFactorRequest: - required: - - username - - password - type: object - properties: - username: - type: string - example: john - password: - type: string - example: password - targetURL: - type: string - example: 'https://home.{{ .Domain | default "example.com" }}' - workflow: - type: string - example: openid_connect - workflowID: - type: string - format: uuid - pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' - example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c' - requestMethod: - type: string - example: GET - keepMeLoggedIn: - type: boolean - example: true - handlers.logoutRequestBody: - type: object - properties: - targetURL: - type: string - example: 'https://redirect.{{ .Domain | default "example.com" }}' - handlers.logoutResponseBody: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - safeTargetURL: - type: boolean - example: true - handlers.redirectResponse: - type: object - properties: - 
status: - type: string - example: OK - data: - type: object - properties: - redirect: - type: string - example: 'https://home.{{ .Domain | default "example.com" }}' - {{- if .PasswordReset }} - handlers.PasswordResetStep1RequestBody: - required: - - username - type: object - properties: - username: - type: string - example: john - handlers.PasswordResetStep2RequestBody: - required: - - password - type: object - properties: - password: - type: string - example: password - {{- end }} - {{- if .Duo }} - handlers.bodySignDuoRequest: - type: object - properties: - targetURL: - type: string - example: 'https://secure.{{ .Domain | default "example.com" }}' - passcode: - type: string - workflow: - type: string - example: openid_connect - workflowID: - type: string - format: uuid - pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' - example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c' - {{- end }} - handlers.StateResponse: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - username: - type: string - example: john - authentication_level: - type: integer - example: 1 - default_redirection_url: - type: string - example: 'https://home.{{ .Domain | default "example.com" }}' - middlewares.ErrorResponse: - type: object - properties: - status: - type: string - example: KO - message: - type: string - example: Authentication failed, please retry later. 
- middlewares.IdentityVerificationFinishBody: - required: - - token - type: object - properties: - token: - type: string - example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY - middlewares.OkResponse: - type: object - properties: - status: - type: string - example: OK - data: - type: object - handlers.UserInfo: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - display_name: - type: string - example: John Doe - method: - type: string - enum: - - "totp" - - "webauthn" - - "mobile_push" - example: totp - has_webauthn: - type: boolean - example: false - has_totp: - type: boolean - example: true - has_duo: - type: boolean - example: true - handlers.UserInfo.MethodBody: - required: - - method - type: object - properties: - method: - type: string - enum: - - "totp" - - "webauthn" - - "mobile_push" - example: totp - {{- if .TOTP }} - handlers.UserInfoTOTP: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - period: - default: 30 - description: The period defined in the users TOTP configuration - type: integer - example: 30 - digits: - default: 6 - description: The number of digits defined in the users TOTP configuration - type: integer - example: 6 - handlers.bodySignTOTPRequest: - type: object - properties: - token: - type: string - example: '123456' - targetURL: - type: string - example: 'https://secure.{{ .Domain | default "example.com" }}' - workflow: - type: string - example: openid_connect - workflowID: - type: string - format: uuid - pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' - example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c' - handlers.TOTPKeyResponse: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - 
base32_secret: - type: string - example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q - otpauth_url: - type: string - example: 'otpauth://totp/{{ .Domain | default "example.com" }}:john?algorithm=SHA1&digits=6&issuer=auth.{{ .Domain | default "example.com" }}&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q' - {{- end }} - {{- if .Webauthn }} - webauthn.PublicKeyCredential: - type: object - properties: - rawId: - type: string - format: byte - id: - type: string - type: - type: string - webauthn.AuthenticatorResponse: - type: object - properties: - clientDataJSON: - type: string - format: byte - webauthn.CredentialAttestationResponse: - allOf: - - $ref: '#/components/schemas/webauthn.PublicKeyCredential' - - type: object - properties: - clientExtensionResults: - type: object - properties: - appidExclude: - type: boolean - response: - allOf: - - $ref: '#/components/schemas/webauthn.AuthenticatorResponse' - - type: object - properties: - attestationObject: - type: string - format: byte - webauthn.CredentialAssertionResponse: - allOf: - - $ref: '#/components/schemas/webauthn.PublicKeyCredential' - - type: object - properties: - response: - allOf: - - $ref: '#/components/schemas/webauthn.AuthenticatorResponse' - - type: object - required: [authenticatorData, clientDataJSON, signature] - properties: - authenticatorData: - type: string - format: byte - clientDataJSON: - type: string - format: byte - clientExtensionResults: - type: object - properties: - appid: - type: boolean - example: false - signature: - type: string - format: byte - userHandle: - type: string - format: byte - workflow: - type: string - example: openid_connect - workflowID: - type: string - format: uuid - pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' - example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c' - webauthn.PublicKeyCredentialCreationOptions: - type: object - properties: - status: - type: string - example: OK - data: - 
type: object - properties: - publicKey: - allOf: - - $ref: '#/components/schemas/webauthn.AttestationType' - - $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria' - - $ref: '#/components/schemas/webauthn.CredentialUserEntity' - - $ref: '#/components/schemas/webauthn.CredentialRPEntity' - - type: object - required: - - "challenge" - - "pubKeyCredParams" - properties: - challenge: - type: string - format: byte - pubKeyCredParams: - type: array - items: - type: object - required: - - "alg" - - "type" - properties: - alg: - type: integer - type: - type: string - example: public-key - enum: - - "public-key" - timeout: - type: integer - example: 60000 - excludeCredentials: - type: array - items: - allOf: - - $ref: '#/components/schemas/webauthn.CredentialDescriptor' - extensions: - type: object - properties: - appidExclude: - type: string - example: '{{ .BaseURL }}' - webauthn.PublicKeyCredentialRequestOptions: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - publicKey: - allOf: - - $ref: '#/components/schemas/webauthn.UserVerification' - - type: object - required: - - "challenge" - properties: - challenge: - type: string - timeout: - type: integer - example: 60000 - rpId: - type: string - example: 'auth.{{ .Domain | default "example.com" }}' - allowCredentials: - type: array - items: - allOf: - - $ref: '#/components/schemas/webauthn.CredentialDescriptor' - extensions: - type: object - properties: - appid: - type: string - example: '{{ .BaseURL }}' - webauthn.Transports: - type: object - properties: - transports: - type: array - items: - type: string - example: - - "usb" - - "nfc" - enum: - - "usb" - - "nfc" - - "ble" - - "internal" - webauthn.UserVerification: - type: object - properties: - userVerification: - type: string - example: preferred - enum: - - "required" - - "preferred" - - "discouraged" - webauthn.AttestationType: - type: object - properties: - attestation: - type: string - example: 
direct - enum: - - "none" - - "indirect" - - "direct" - webauthn.AuthenticatorSelectionCriteria: - type: object - properties: - authenticatorSelection: - type: object - properties: - authenticatorAttachment: - type: string - example: cross-platform - enum: - - "platform" - - "cross-platform" - residentKey: - type: string - example: discouraged - enum: - - "discouraged" - - "preferred" - - "required" - requireResidentKey: - type: boolean - webauthn.CredentialDescriptor: - allOf: - - $ref: '#/components/schemas/webauthn.Transports' - - type: object - required: - - "id" - - "type" - properties: - id: - type: string - format: byte - type: - type: string - example: public-key - enum: - - "public-key" - webauthn.CredentialEntity: - type: object - required: - - "id" - - "name" - properties: - id: - type: string - name: - type: string - icon: - type: string - webauthn.CredentialRPEntity: - type: object - required: - - "rp" - properties: - rp: - allOf: - - $ref: '#/components/schemas/webauthn.CredentialEntity' - webauthn.CredentialUserEntity: - type: object - required: - - "user" - properties: - user: - allOf: - - $ref: '#/components/schemas/webauthn.CredentialEntity' - - type: object - required: - - "displayName" - properties: - displayName: - type: string - webauthn.AuthenticationExtensionsClientOutputs: - type: object - properties: - clientExtensionResults: - type: object - properties: - appid: - type: boolean - example: true - appidExclude: - type: boolean - example: false - uvm: - type: array - items: - type: string - format: byte - credProps: - type: object - properties: - rk: - type: boolean - example: false - largeBlob: - type: object - properties: - supported: - type: boolean - example: false - blob: - type: string - written: - type: boolean - example: false - {{- end }} - {{- if .OpenIDConnect }} - openid.request.consent: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - client_id: - type: string - 
description: The identifier of the client for the user to provide consent for. - example: 'app' - client_description: - description: The descriptive name of the client for the user to provide consent for. - type: string - example: 'App Platform' - scopes: - description: The list of the requested scopes for the user to provide consent for. - type: array - items: - type: string - enum: - - "openid" - - "offline_access" - - "groups" - - "email" - - "profile" - audience: - description: The list of the requested audiences for the user to provide consent for. - type: array - items: - type: string - pre_configuration: - description: Indicates if this client supports pre-configuration. - type: boolean - example: true - openid.response.consent: - type: object - properties: - status: - type: string - example: OK - data: - type: object - properties: - id: - description: The identifier of the consent session. - type: string - format: uuid - pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' - example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4' - client_id: - description: The identifier of the client for the user to provide consent for. - type: string - example: 'app' - consent: - description: Indicates if the user consented to the consent request. - type: boolean - example: true - pre_configure: - description: Indicates if the user consented to pre-configuration. - type: boolean - example: true - openid.spec.Metadata.OAuth2AuthorizationServer: - type: object - required: - - issuer - - authorization_endpoint - - subject_types_supported - - response_types_supported - - require_pushed_authorization_requests - properties: - authorization_endpoint: - description: > - URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. 
- See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html - type: string - example: '{{ .BaseURL }}api/oidc/authorization' - claims_supported: - description: > - JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply - values for. Note that for privacy or other reasons, this might not be an exhaustive list. - type: array - example: - - "amr" - - "aud" - - "azp" - - "client_id" - - "exp" - - "iat" - - "iss" - - "jti" - - "rat" - - "sub" - - "auth_time" - - "nonce" - - "email" - - "email_verified" - - "alt_emails" - - "groups" - - "preferred_username" - - "name" - items: - $ref: '#/components/schemas/openid.implementation.Claims.Array' - code_challenge_methods_supported: - description: > - JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization - server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section - 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code - Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support - PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml - type: array - example: ["S256", "none"] - items: - $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' - grant_types_supported: - type: array - description: > - JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID - Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant - Types. If omitted, the default value is ["authorization_code", "implicit"]. 
- example: ["authorization_code", "implicit"] - items: - $ref: '#/components/schemas/openid.spec.GrantType' - introspection_endpoint: - description: > - URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token - Introspection: https://datatracker.ietf.org/doc/html/rfc7662 - type: string - example: '{{ .BaseURL }}api/oidc/introspection' - introspection_endpoint_auth_methods_supported: - description: > - JSON array containing a list of client authentication methods supported by this introspection endpoint. The - valid client authentication method values are those registered in the IANA "OAuth Token Endpoint - Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token - Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If - omitted, the set of supported authentication methods MUST be determined by other means. See Also: - IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml - OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2 - type: array - example: ["client_secret_post"] - items: - $ref: '#/components/schemas/openid.spec.ClientAuthMethod' - introspection_endpoint_auth_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection - endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint - for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be - present if either of these authentication methods are specified in the - "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is - omitted. The value "none" MUST NOT be used. 
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.jws' - issuer: - description: - URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. - If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned - by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. - type: string - example: '{{ .BaseURL }}' - jwks_uri: - description: > - URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate - signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs - to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) - parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. - Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT - RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of - keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. - type: string - example: '{{ .BaseURL }}jwks.json' - op_policy_uri: - description: - URL that the OpenID Provider provides to the person registering the Client to read about the OP's - requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD - display this URL to the person registering the Client if it is given. - type: string - op_tos_uri: - description: > - URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's - terms of service. The registration process SHOULD display this URL to the person registering the Client if - it is given. 
- type: string - pushed_authorization_request_endpoint: - description: > - The URL of the pushed authorization request endpoint at which a client can post an authorization request to - exchange for a "request_uri" value usable at the authorization server. - type: string - example: '{{ .BaseURL }}api/oidc/par' - registration_endpoint: - description: > - URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: - OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 - type: string - example: '{{ .BaseURL }}api/oidc/registration' - require_pushed_authorization_requests: - description: > - Boolean parameter indicating whether the authorization server accepts authorization request data only via - PAR. If omitted, the default value is "false". - type: boolean - example: false - response_modes_supported: - description: > - JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in - OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic - OpenID Providers is ["query", "fragment"]. - type: array - example: ["query", "fragment"] - items: - $ref: '#/components/schemas/openid.spec.ResponseMode' - response_types_supported: - description: > - JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. - Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. - type: array - example: ["code", "id_token", "token id_token"] - items: - $ref: '#/components/schemas/openid.spec.ResponseType' - revocation_endpoint: - description: > - URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. 
- See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 - type: string - example: '{{ .BaseURL }}api/oidc/revocation' - revocation_endpoint_auth_methods_supported: - description: > - JSON array containing a list of client authentication methods supported by this revocation endpoint. The - valid client authentication method values are those registered in the IANA "OAuth Token Endpoint - Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" - -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also: - IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml - OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 - type: array - example: ["client_secret_post"] - items: - $ref: '#/components/schemas/openid.spec.ClientAuthMethod' - revocation_endpoint_auth_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation - endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for - the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if - either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" - entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. - See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.jws' - scopes_supported: - description: > - JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server - MUST support the openid scope value. 
Servers MAY choose not to advertise some supported scope values even - when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported. - See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html - type: array - example: - - "openid" - - "offline_access" - - "profile" - - "email" - - "groups" - items: - $ref: '#/components/schemas/openid.implementation.Scopes.Object' - service_documentation: - description: > - URL of a page containing human-readable information that developers might want or need to know when using - the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, - then information on how to register Clients needs to be provided in this documentation. - type: string - example: 'https://authelia.com' - subject_types_supported: - description: > - JSON array containing a list of the Subject Identifier types that this OP supports. - Valid types include pairwise and public. - type: array - example: ["public", "pairwise"] - items: - $ref: '#/components/schemas/openid.spec.SubjectIdentifier' - token_endpoint: - description: > - URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is - used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html - type: string - example: '{{ .BaseURL }}api/oidc/token' - token_endpoint_auth_methods_supported: - description: > - JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options - are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section - 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If - omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section - 2.3.1 of OAuth 2.0 [RFC6749]. 
See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 - OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication - type: array - example: ["client_secret_post"] - items: - $ref: '#/components/schemas/openid.spec.ClientAuthMethod' - token_endpoint_auth_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for - the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt - and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used. - See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519' - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.jws' - ui_locales_supported: - type: array - description: > - Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] - language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 - example: ["en-US"] - items: - type: string - openid.spec.Metadata.OpenIDConfiguration: - type: object - required: - - "issuer" - - "authorization_endpoint" - - "subject_types_supported" - - "response_types_supported" - - "require_pushed_authorization_requests" - - "request_uri_parameter_supported" - - "require_request_uri_registration" - - "claims_parameter_supported" - - "frontchannel_logout_supported" - - "frontchannel_logout_session_supported" - - "backchannel_logout_supported" - - "backchannel_logout_session_supported" - properties: - acr_values_supported: - description: - JSON array containing a list of the Authentication Context Class References that this OP supports. - type: array - items: - type: string - authorization_endpoint: - description: > - URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. 
- See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html - type: string - example: '{{ .BaseURL }}api/oidc/authorization' - backchannel_logout_session_supported: - description: > - Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify - the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP. - If omitted, the default value is false. - type: boolean - example: false - backchannel_logout_supported: - description: > - Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If - omitted, the default value is false. - type: boolean - example: false - claim_types_supported: - description: > - JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are - described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are - normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also: - OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes - type: array - example: ["normal"] - items: - $ref: '#/components/schemas/openid.spec.ClaimType' - claims_locales_supported: - description: > - Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 - [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values. - See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 - type: array - example: ["en-US"] - items: - type: string - claims_parameter_supported: - description: > - Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. - If omitted, the default value is false. 
- type: boolean - example: false - claims_supported: - description: > - JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply - values for. Note that for privacy or other reasons, this might not be an exhaustive list. - type: array - example: - - "amr" - - "aud" - - "azp" - - "client_id" - - "exp" - - "iat" - - "iss" - - "jti" - - "rat" - - "sub" - - "auth_time" - - "nonce" - - "email" - - "email_verified" - - "alt_emails" - - "groups" - - "preferred_username" - - "name" - items: - $ref: '#/components/schemas/openid.implementation.Claims.Array' - code_challenge_methods_supported: - description: > - JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization - server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section - 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code - Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support - PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: - https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml - type: array - example: ["S256", "plain"] - items: - $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' - display_values_supported: - description: > - JSON array containing a list of the display parameter values that the OpenID Provider supports. These values - are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. 
See Also: OpenID.Core Section - 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest - type: array - example: ["page"] - items: - $ref: '#/components/schemas/openid.spec.DisplayType' - frontchannel_logout_session_supported: - description: > - Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to - identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is - also included in ID Tokens issued by the OP. If omitted, the default value is false. - type: boolean - example: false - frontchannel_logout_supported: - description: > - Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If - omitted, the default value is false. - type: boolean - example: false - grant_types_supported: - description: > - JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID - Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant - Types. If omitted, the default value is ["authorization_code", "implicit"]. - type: array - example: ["authorization_code", "implicit"] - items: - $ref: '#/components/schemas/openid.spec.GrantType' - id_token_encryption_alg_values_supported: - description: > - JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID - Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT: - https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["A256GCMKW"] - items: - $ref: '#/components/schemas/jose.spec.JWE.alg' - id_token_encryption_enc_values_supported: - description: > - JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID - Token to encode the Claims in a JWT [JWT]. 
See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 - JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["A256GCM"] - items: - $ref: '#/components/schemas/jose.spec.JWE.enc' - id_token_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token - to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, - but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint - (such as when using the Authorization Code Flow). - See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.JWS.None' - introspection_endpoint: - description: > - URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 - Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662' - type: string - example: '{{ .BaseURL }}api/oidc/introspection' - introspection_endpoint_auth_methods_supported: - description: > - JSON array containing a list of client authentication methods supported by this introspection endpoint. The - valid client authentication method values are those registered in the IANA "OAuth Token Endpoint - Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access - Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section - 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. 
See Also: - IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml - OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2 - type: array - example: ["client_secret_post"] - items: - $ref: '#/components/schemas/openid.spec.ClientAuthMethod' - introspection_endpoint_auth_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection - endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint - for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be - present if either of these authentication methods are specified in the - "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is - omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.jws' - issuer: - description: > - URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. - If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned - by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. - type: string - example: '{{ .BaseURL }}' - jwks_uri: - description: > - URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate - signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs - to encrypt requests to the Server. 
When both signing and encryption keys are made available, a use (Key Use) - parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. - Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT - RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of - keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. - type: string - example: '{{ .BaseURL }}jwks.json' - op_policy_uri: - description: > - URL that the OpenID Provider provides to the person registering the Client to read about the OP's - requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD - display this URL to the person registering the Client if it is given. - type: string - op_tos_uri: - description: > - URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's - terms of service. The registration process SHOULD display this URL to the person registering the Client - if it is given. - type: string - pushed_authorization_request_endpoint: - description: > - The URL of the pushed authorization request endpoint at which a client can post an authorization request to - exchange for a "request_uri" value usable at the authorization server. - type: string - example: '{{ .BaseURL }}api/oidc/par' - registration_endpoint: - description: > - URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: - OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 - type: string - example: '{{ .BaseURL }}api/oidc/registration' - request_object_encryption_alg_values_supported: - description: > - JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request - Objects. 
These algorithms are used both when the Request Object is passed by value and when it is passed by - reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 - type: array - example: ["A256GCMKW"] - items: - $ref: '#/components/schemas/jose.spec.JWE.alg' - request_object_encryption_enc_values_supported: - description: > - JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request - Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by - reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 - JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["A256GCM"] - items: - $ref: '#/components/schemas/jose.spec.JWE.enc' - request_object_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request - Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are - used both when the Request Object is passed by value (using the request parameter) and when it is passed by - reference (using the request_uri parameter). Servers SHOULD support none and RS256. - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.JWS.None' - request_uri_parameter_supported: - description: > - Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating - support. If omitted, the default value is true. - type: boolean - example: true - require_pushed_authorization_requests: - description: > - Boolean parameter indicating whether the authorization server accepts authorization request data only via - PAR. If omitted, the default value is "false". 
- type: boolean - example: false - require_request_uri_registration: - description: > - Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the - request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the - default value is false. - type: boolean - example: false - response_modes_supported: - description: > - JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in - OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic - OpenID Providers is ["query", "fragment"]. - type: array - example: ["query", "fragment"] - items: - $ref: '#/components/schemas/openid.spec.ResponseMode' - response_types_supported: - description: > - JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID - Providers MUST support the code, id_token, and the token id_token Response Type values. - type: array - example: ["code", "id_token", "token id_token"] - items: - $ref: '#/components/schemas/openid.spec.ResponseType' - revocation_endpoint: - description: > - URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also: - OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 - type: string - example: '{{ .BaseURL }}api/oidc/revocation' - revocation_endpoint_auth_methods_supported: - description: > - JSON array containing a list of client authentication methods supported by this revocation endpoint. The - valid client authentication method values are those registered in the IANA "OAuth Token Endpoint - Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" - -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. 
- See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml - OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 - type: array - example: ["client_secret_basic"] - items: - $ref: '#/components/schemas/openid.spec.ClientAuthMethod' - revocation_endpoint_auth_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation - endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for - the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if - either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" - entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. - See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.jws' - scopes_supported: - description: > - JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. - The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope - values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if - supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: - https://openid.net/specs/openid-connect-core-1_0.html - type: array - example: - - "openid" - - "offline_access" - - "profile" - - "email" - - "groups" - items: - $ref: '#/components/schemas/openid.implementation.Scopes.Object' - service_documentation: - description: > - URL of a page containing human-readable information that developers might want or need to know when using - the OpenID Provider. 
In particular, if the OpenID Provider does not support Dynamic Client Registration, - then information on how to register Clients needs to be provided in this documentation. - type: string - example: 'https://www.authelia.com' - subject_types_supported: - description: > - JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include - pairwise and public. - type: array - example: ["public", "pairwise"] - items: - $ref: '#/components/schemas/openid.spec.SubjectIdentifier' - token_endpoint: - description: > - URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is - used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html - type: string - example: '{{ .BaseURL }}api/oidc/token' - token_endpoint_auth_methods_supported: - description: > - JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options - are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section - 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If - omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section - 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 - OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication - type: array - example: ["client_secret_post"] - items: - $ref: '#/components/schemas/openid.spec.ClientAuthMethod' - token_endpoint_auth_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint - for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the - private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. 
- The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["RS256"] - items: - $ref: '#/components/schemas/jose.spec.jws' - ui_locales_supported: - description: > - Languages and scripts supported for the user interface, represented as a JSON array of BCP47 - [RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 - type: array - example: ["en-US"] - items: - type: string - userinfo_encryption_alg_values_supported: - description: > - JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the - UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: - https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518 - JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["A256GCMKW"] - items: - $ref: '#/components/schemas/jose.spec.JWE.alg' - userinfo_encryption_enc_values_supported: - description: > - JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo - Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 - JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["A256GCM"] - items: - $ref: '#/components/schemas/jose.spec.JWE.enc' - userinfo_endpoint: - description: > - URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, - path, and query parameter components. - See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html - type: string - example: '{{ .BaseURL }}api/oidc/userinfo' - userinfo_signing_alg_values_supported: - description: > - JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the - UserInfo Endpoint to encode the Claims in a JWT [JWT]. 
The value none MAY be included. See Also: - JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 - JWT: https://datatracker.ietf.org/doc/html/rfc7519 - type: array - example: ["none", "RS256"] - items: - $ref: '#/components/schemas/jose.spec.JWS.None' - openid.implementation.Claims.Array: - type: array - items: - type: string - enum: - - "amr" - - "aud" - - "azp" - - "client_id" - - "exp" - - "iat" - - "iss" - - "jti" - - "rat" - - "sub" - - "auth_time" - - "nonce" - - "email" - - "email_verified" - - "alt_emails" - - "groups" - - "preferred_username" - - "name" - openid.implementation.Claims.Object: - description: OpenID Connect 1.0 User Claims. - type: object - properties: - amr: - type: array - items: - type: string - enum: - - "mfa" - - "mca" - - "user" - - "pin" - - "pwd" - - "otp" - - "hwk" - - "sms" - aud: - type: array - items: - type: string - azp: - type: string - client_id: - type: string - scope: - type: string - scp: - type: array - items: - type: string - exp: - type: integer - iat: - type: integer - iss: - type: string - jti: - type: string - rat: - type: integer - sub: - type: string - auth_time: - type: integer - nonce: - type: string - email: - type: string - email_verified: - type: boolean - alt_emails: - type: array - items: - type: string - groups: - type: array - items: - type: string - preferred_username: - type: string - name: - type: string - openid.implementation.Scopes.Object: - description: The scope. - type: string - oneOf: - - $ref: '#/components/schemas/openid.spec.Scopes' - - type: string - enum: - - "groups" - openid.spec.Scopes: - type: string - enum: - - "openid" - - "offline_access" - - "profile" - - "email" - - "address" - - "phone" - openid.spec.IntrospectionRequest: - required: - - "token" - type: object - properties: - token: - description: > - The string value of the token. 
For access tokens, this - is the "access_token" value returned from the token endpoint - defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, - this is the "refresh_token" value returned from the token endpoint - as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types - are outside the scope of this specification. - example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn' - type: string - token_type_hint: - description: > - A hint about the type of the token submitted for - introspection. The protected resource MAY pass this parameter to - help the authorization server optimize the token lookup. If the - server is unable to locate the token using the given hint, it MUST - extend its search across all of its supported token types. An - authorization server MAY ignore this parameter, particularly if it - is able to detect the token type automatically. Values for this - field are defined in the "OAuth Token Type Hints" registry defined - in OAuth Token Revocation [RFC7009]. - enum: - - "access_token" - - "refresh_token" - example: 'access_token' - type: string - openid.spec.AccessRequest.ClientAuth: - oneOf: - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base' - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Secret' - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.JWT' - openid.spec.AccessRequest.ClientAuth.Base: - required: - - "client_id" - type: object - properties: - client_id: - description: > - REQUIRED if the client is not authenticating with the authorization server as described in - Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749]. - example: 'my_client' - type: string - openid.spec.AccessRequest.ClientAuth.Secret: - required: - - "client_secret" - type: object - properties: - client_secret: - description: > - REQUIRED. The client secret. The client MAY omit the - parameter if the client secret is an empty string. 
- format: password - type: string - openid.spec.AccessRequest.ClientAuth.JWT: - allOf: - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base' - - type: object - required: - - "client_assertion" - - "client_assertion_type" - properties: - client_assertion: - description: > - The value of the client_assertion_type parameter MUST be - "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" - enum: - - "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" - example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' - type: string - client_assertion_type: - description: > - A JWT signed with HS256 using the client secret value or RS256 using a registered public key. - Theoretically a properly formed JWT signed using HS256 with the client secret as the HMAC key should - work but this has not been tested. - format: password - type: string - openid.spec.AccessRequest.AuthorizationCodeFlow: - allOf: - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' - - type: object - required: - - "code" - - "grant_type" - properties: - grant_type: - description: Value MUST be set to "code". - enum: - - "authorization_code" - type: string - code: - description: The Authorization Code. - example: 'authelia_ac_1j2kn3knj12n3kj12n' - type: string - code_verifier: - description: The Authorization Code Verifier (PKCE). - example: '88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3' - type: string - redirect_uri: - description: The original Redirect URI used in the Authorization Request. - example: 'https://app.{{ .Domain | default "example.com" }}/oidc/callback' - type: string - openid.spec.AccessRequest.DeviceCodeFlow: - allOf: - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' - - type: object - required: - - "grant_type" - - "device_code" - properties: - grant_type: - description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code". 
- enum: - - "urn:ietf:params:oauth:grant-type:device_code" - type: string - device_code: - description: The Device Authorization Code. - example: 'authelia_dc_mn123kjn12kj3123njk' - type: string - openid.spec.AccessRequest.RefreshTokenFlow: - allOf: - - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' - - type: object - required: - - "grant_type" - - "device_code" - properties: - grant_type: - description: Value MUST be set to "refresh_token". - enum: - - "refresh_token" - type: string - refresh_token: - description: The Refresh Token. - example: 'authelia_rt_1n2j3kihn12kj3n12k' - type: string - scope: - description: > - The scope of the access request as described by - Section 3.3. The requested scope MUST NOT include any scope - not originally granted by the resource owner, and if omitted is - treated as equal to the scope originally granted by the - resource owner. - example: 'openid profile groups' - type: string - openid.spec.AccessResponse: - type: object - required: - - "access_token" - - "token_type" - - "expires_in" - properties: - access_token: - description: The access token issued by the authorization server. - example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn' - type: string - id_token: - description: The id token issued by the authorization server. - example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' - type: string - refresh_token: - description: > - The refresh token, which can be used to obtain new access tokens using the - same authorization grant as described in Section 6. - example: 'authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i' - type: string - token_type: - description: > - The access token type provides the client with the information - required to successfully utilize the access token to make a protected - resource request (along with type-specific attributes). 
The client - MUST NOT use an access token if it does not understand the token - type. - enum: - - "bearer" - example: 'bearer' - type: string - expires_in: - description: > - The lifetime in seconds of the access token. For - example, the value "3600" denotes that the access token will - expire in one hour from the time the response was generated. - If omitted, the authorization server SHOULD provide the - expiration time via other means or document the default value. - example: 3600 - type: integer - state: - description: Exactly the state value passed in the authorization request if present. - example: '5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB' - type: string - scope: - description: > - The scope of the access token as described by Section 3.3 if it differs from the requested scope. - example: 'openid profile groups' - type: string - openid.spec.AuthorizeRequest: - type: object - required: - - "scope" - - "response_type" - - "client_id" - - "redirect_uri" - properties: - scope: - description: The requested scope. - example: 'openid profile groups' - type: string - response_type: - $ref: '#/components/schemas/openid.spec.ResponseType' - client_id: - description: The OAuth 2.0 client identifier. - example: 'app' - type: string - redirect_uri: - description: > - Redirection URI to which the response will be sent. This URI MUST exactly match one of the - Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching - performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this - flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided - that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP - allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate - scheme, such as one that is intended to identify a callback into a native application. 
- example: 'https://app.{{ .Domain | default "example.com" }}' - type: string - state: - description: > - Opaque value used to maintain state between the request and the callback. Typically, Cross-Site - Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this - parameter with a browser cookie. - example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f' - type: string - response_mode: - $ref: '#/components/schemas/openid.spec.ResponseMode' - nonce: - description: > - String value used to associate a Client session with an ID Token, and to mitigate replay attacks. - The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient - entropy MUST be present in the nonce values used to prevent attackers from guessing values. For - implementation notes, see Section 15.5.2. - example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf' - type: string - display: - $ref: '#/components/schemas/openid.spec.DisplayType' - prompt: - description: > - Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether - the Authorization Server prompts the End-User for reauthentication and consent. - enum: - - "none" - - "login" - - "consent" - - "select_account" - - "login consent" - - "login select_account" - - "consent select_account" - example: 'consent' - type: string - max_age: - description: > - Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the - End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the - OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds - to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID - Token returned MUST include an auth_time Claim Value. 
- type: integer - ui_locales: - description: > - Not Supported: End-User's preferred languages and scripts for the user interface, represented as a - space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, - the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without - a region designation), followed by English (without a region designation). An error SHOULD NOT - result if some or all of the requested locales are not supported by the OpenID Provider. - type: string - claims_locales: - description: > - Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as - a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error - SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. - type: string - id_token_hint: - description: > - Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about - the End-User's current or past authenticated session with the Client. If the End-User identified by - the ID Token is logged in or is logged in by the request, then the Authorization Server returns a - positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an - id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be - returned if it is not; however, the server SHOULD respond successfully when possible, even if it is - not present. The Authorization Server need not be listed as an audience of the ID Token when it is - used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use - it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted - ID Token. 
The Client MAY re-encrypt the signed ID token to the Authentication Server using a key - that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the - id_token_hint value. - type: string - login_hint: - description: > - Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to - log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail - address (or other identifier) and then wants to pass that value as a hint to the discovered - authorization service. It is RECOMMENDED that the hint value match the value used for discovery. - This value MAY also be a phone number in the format specified for the phone_number Claim. The use - of this parameter is left to the OP's discretion. - type: string - acr_values: - description: > - Not Supported: Requested Authentication Context Class Reference values. Space-separated string that - specifies the acr values that the Authorization Server is being requested to use for processing this - Authentication Request, with the values appearing in order of preference. The Authentication Context - Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in - Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. - type: string - claims: - description: > - Not Supported: The claims parameter value, as specified in Section 5.5. - type: string - registration: - description: > - Not Supported: This parameter is used by the Client to provide information about itself to a - Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as - specified in Section 7.2.1. - type: string - request: - description: > - Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be - encrypted to the Self-Issued OP by the Client. 
In this case, the sub (subject) of a previously - issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to - Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption - algorithm used is RSA1_5. - type: string - openid.spec.SubjectIdentifier: - description: > - A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the - End-User, which is intended to be consumed by the Client. - enum: - - "public" - - "pairwise" - type: string - openid.spec.ClientAuthMethod: - description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method. - enum: - - "client_secret_basic" - - "client_secret_post" - - "client_secret_jwt" - - "private_key_jwt" - - "none" - type: string - openid.spec.DisplayType: - description: > - ASCII string value that specifies how the Authorization Server displays the authentication and consent user - interface pages to the End-User. - enum: - - "page" - - "popup" - - "touch" - - "wap" - example: 'page' - type: string - openid.spec.ResponseType: - description: The OAuth 2.0 / OpenID Connect 1.0 Response Type. - enum: - - "code" - - "id_token" - - "token" - - "code token" - - "code id_token" - - "token id_token" - - "code id_token token" - - "none" - example: 'code' - type: string - openid.spec.ResponseMode: - description: > - Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization - Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is - the default mode specified for the Response Type. - enum: - - "query" - - "fragment" - - "form_post" - example: 'query' - type: string - openid.spec.GrantType: - description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type. 
- enum: - - "authorization_code" - - "refresh_token" - - "implicit" - - "password" - - "client_credentials" - - "urn:ietf:params:oauth:grant-type:device_code" - example: 'authorization_code' - type: string - openid.spec.CodeChallengeMethod: - description: The RFC7636 Code Challenge Verifier Method. - enum: - - "plain" - - "S256" - example: 'S256' - type: string - openid.spec.ClaimType: - description: The representation of claims. - enum: - - "normal" - - "aggregated" - - "distributed" - example: 'normal' - type: string - jose.spec.None: - description: The JSON Web Signature Algorithm - type: string - enum: - - "none" - jose.spec.JWS.None: - description: The JSON Web Signature Algorithm - oneOf: - - $ref: '#/components/schemas/jose.spec.None' - - $ref: '#/components/schemas/jose.spec.jws' - type: string - jose.spec.jws: - description: The JSON Web Signature Algorithm - enum: - - "HS256" - - "HS384" - - "HS512" - - "RS256" - - "RS384" - - "RS512" - - "ES256" - - "ES384" - - "ES512" - - "PS256" - - "PS384" - - "PS512" - type: string - jose.spec.JWE.alg: - description: The JSON Web Encryption Algorithm (CEK) - enum: - - "RSA1_5" - - "RSA-OAEP" - - "RSA-OAEP-256" - - "A128KW" - - "A192KW" - - "A256KW" - - "dir" - - "ECDH-ES" - - "ECDH-ES+A128KW" - - "ECDH-ES+A192KW" - - "ECDH-ES+A256KW" - - "A128GCMKW" - - "A192GCMKW" - - "A256GCMKW" - - "PBES2-HS256+A128KW" - - "PBES2-HS384+A192KW" - - "PBES2-HS512+A256KW" - type: string - jose.spec.JWE.enc: - description: The JSON Web Encryption Algorithm (Claims) - enum: - - "A128CBC-HS256" - - "A192CBC-HS384" - - "A256CBC-HS512" - - "A128CBC" - - "A256CBC" - - "A128GCM" - - "A256GCM" - type: string - jose.spec.JWK.base: - type: object - properties: - use: - description: > - The "use" (public key use) parameter identifies the intended use of - the public key. The "use" parameter is employed to indicate whether - a public key is used for encrypting data or verifying the signature - on data. 
- enum: - - "sig" - - "enc" - example: 'sig' - type: string - key_ops: - description: > - The "key_ops" (key operations) parameter identifies the operation(s) - for which the key is intended to be used. The "key_ops" parameter is - intended for use cases in which public, private, or symmetric keys - may be present. - example: ["sign"] - type: array - items: - enum: - - "sign" - - "verify" - - "encrypt" - - "decrypt" - - "wrapKey" - - "unwrapKey" - - "deriveKey" - - "deriveBits" - type: string - kid: - description: > - The "kid" (key ID) parameter is used to match a specific key. This - is used, for instance, to choose among a set of keys within a JWK Set - during key rollover. The structure of the "kid" value is - unspecified. When "kid" values are used within a JWK Set, different - keys within the JWK Set SHOULD use distinct "kid" values. (One - example in which different keys might use the same "kid" value is if - they have different "kty" (key type) values but are considered to be - equivalent alternatives by the application using them.) The "kid" - value is a case-sensitive string. Use of this member is OPTIONAL. - When used with JWS or JWE, the "kid" value is used to match a JWS or - JWE "kid" Header Parameter value. - type: string - x5u: - description: > - The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a - resource for an X.509 public key certificate or certificate chain - [RFC5280]. The identified resource MUST provide a representation of - the certificate or certificate chain that conforms to RFC 5280 - [RFC5280] in PEM-encoded form, with each certificate delimited as - specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first - certificate MUST match the public key represented by other members of - the JWK. 
The protocol used to acquire the resource MUST provide - integrity protection; an HTTP GET request to retrieve the certificate - MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be - validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this - member is OPTIONAL. - type: string - x5c: - description: > - The "x5c" (X.509 certificate chain) parameter contains a chain of one - or more PKIX certificates [RFC5280]. The certificate chain is - represented as a JSON array of certificate value strings. Each - string in the array is a base64-encoded (Section 4 of [RFC4648] -- - not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. - The PKIX certificate containing the key value MUST be the first - certificate. This MAY be followed by additional certificates, with - each subsequent certificate being the one used to certify the - previous one. The key in the first certificate MUST match the public - key represented by other members of the JWK. Use of this member is - OPTIONAL. - type: array - items: - format: byte - type: string - x5t: - description: > - The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a - base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER - encoding of an X.509 certificate [RFC5280]. Note that certificate - thumbprints are also sometimes known as certificate fingerprints. - The key in the certificate MUST match the public key represented by - other members of the JWK. Use of this member is OPTIONAL. - format: byte - type: string - x5t#S256: - description: > - The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a - base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER - encoding of an X.509 certificate [RFC5280]. Note that certificate - thumbprints are also sometimes known as certificate fingerprints. - The key in the certificate MUST match the public key represented by - other members of the JWK. Use of this member is OPTIONAL. 
- format: byte - type: string - jose.spec.JWK.RSA: - description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518. - allOf: - - $ref: '#/components/schemas/jose.spec.JWK.base' - - required: - - "kty" - - "n" - - "e" - type: object - properties: - kty: - description: > - The "kty" (key type) parameter identifies the cryptographic algorithm - family used with the key. - type: string - example: 'RSA' - enum: - - "RSA" - alg: - description: The JSON Web Signature Algorithm - type: string - example: 'RS256' - enum: - - "RS256" - - "RS384" - - "RS512" - - "PS256" - - "PS384" - - "PS512" - n: - description: > - RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is - represented as a Base64urlUInt-encoded value. - type: string - format: byte - e: - description: > - RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key. - It is represented as a Base64urlUInt-encoded value. - type: string - format: byte - jose.spec.JWK.RSA.Private: - description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518. - allOf: - - $ref: '#/components/schemas/jose.spec.JWK.base' - - $ref: '#/components/schemas/jose.spec.JWK.RSA' - - type: object - required: - - "d" - properties: - d: - description: > - RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA - private key. It is represented as a Base64urlUInt-encoded value. - type: string - format: byte - p: - description: > - RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor. - It is represented as a Base64urlUInt-encoded value. - type: string - format: byte - q: - description: > - RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is - represented as a Base64urlUInt-encoded value. 
- type: string - format: byte - dp: - description: > - RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem - (CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value. - type: string - dq: - description: > - RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the - second factor. It is represented as a Base64urlUInt-encoded value. - type: string - qi: - description: > - RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second - factor. It is represented as a Base64urlUInt-encoded value. - type: string - format: byte - oth: - description: > - The "oth" (other primes info) parameter contains an array of - information about any third and subsequent primes, should they exist. - type: array - items: - type: object - required: - - "r" - - "d" - - "t" - properties: - r: - description: > - The "r" (prime factor) parameter within an "oth" array member - represents the value of a subsequent prime factor. It is represented - as a Base64urlUInt-encoded value. - type: string - format: byte - d: - description: > - The "d" (factor CRT exponent) parameter within an "oth" array member - represents the CRT exponent of the corresponding prime factor. It is - represented as a Base64urlUInt-encoded value. - type: string - format: byte - t: - description: > - The "t" (factor CRT coefficient) parameter within an "oth" array - member represents the CRT coefficient of the corresponding prime - factor. It is represented as a Base64urlUInt-encoded value. - type: string - format: byte - jose.spec.JWK.EC: - description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518. 
- allOf: - - $ref: '#/components/schemas/jose.spec.JWK.base' - - type: object - required: - - "kty" - - "crv" - - "x" - properties: - kty: - description: > - The "kty" (key type) parameter identifies the cryptographic algorithm - family used with the key. - type: string - example: 'EC' - enum: - - "EC" - alg: - description: The JSON Web Signature Algorithm - type: string - example: 'ES256' - enum: - - "ES256" - - "ES384" - - "ES512" - x: - description: > - EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point. - It is represented as the base64url encoding of the octet string representation of the coordinate, as - defined in Section 2.3.5 of SEC1 [SEC1]. - type: string - format: byte - y: - description: > - EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point. - It is represented as the base64url encoding of the octet string representation of the coordinate, as - defined in Section 2.3.5 of SEC1 [SEC1]. - type: string - format: byte - crv: - description: > - The curve parameter identifies the cryptographic curve used with the key. Curve - values from [DSS] used by this specification. - type: string - example: 'P-521' - enum: - - "P-256" - - "P-384" - - "P-521" - - "Ed25519" - - "Ed448" - - "X25519" - - "X448" - - "secp256k1" - jose.spec.JWK.EC.Private: - description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518. - allOf: - - $ref: '#/components/schemas/jose.spec.JWK.base' - - $ref: '#/components/schemas/jose.spec.JWK.EC' - - type: object - required: - - "d" - properties: - d: - description: > - ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It - is represented as the base64url encoding of the octet string representation of the private key value, - as defined in Section 2.3.7 of SEC1 [SEC1]. 
The length of this octet string MUST be - ceiling(log-base-2(n)/8) octets (where n is the order of the curve). - type: string - format: byte - jose.spec.JWK.Symmetric: - description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518. - allOf: - - $ref: '#/components/schemas/jose.spec.JWK.base' - - type: object - required: - - "k" - properties: - kty: - description: > - The "kty" (key type) parameter identifies the cryptographic algorithm - family used with the key. - type: string - example: 'oct' - enum: - - "oct" - k: - description: > - The "k" (key value) parameter contains the value of the symmetric (or - other single-valued) key. It is represented as the base64url - encoding of the octet sequence containing the key value. - type: string - format: byte - jose.spec.JWK: - type: string - anyOf: - - $ref: '#/components/schemas/jose.spec.JWK.RSA' - - $ref: '#/components/schemas/jose.spec.JWK.RSA.Private' - - $ref: '#/components/schemas/jose.spec.JWK.EC' - - $ref: '#/components/schemas/jose.spec.JWK.EC.Private' - - $ref: '#/components/schemas/jose.spec.JWK.Symmetric' - jose.spec.JWKs: - type: object - description: The JSON Web Key Sets Document as defined by RFC7517. - properties: - keys: - description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517. - type: array - items: - $ref: '#/components/schemas/jose.spec.JWK' - {{- end }} - securitySchemes: - authelia_auth: - type: apiKey - name: "{{ .Session }}" - in: cookie - {{- if .OpenIDConnect }} - openid: - type: openIdConnect - openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration" - {{- end }} -... diff --git a/internal/server/public_html/index.html b/internal/server/public_html/index.html index 0659f1872..ca923626d 100644 --- a/internal/server/public_html/index.html +++ b/internal/server/public_html/index.html @@ -1,32 +1,11 @@ - - - - - - - - - - - - Login - Authelia - - - - - - -
- - - +{ + "Base":"{{ .Base }}", + "DuoSelfEnrollment":"{{ .DuoSelfEnrollment }}", + "LogoOverride":"{{ .LogoOverride }}", + "RememberMe":"{{ .RememberMe }}", + "ResetPassword":"{{ .ResetPassword }}", + "ResetPasswordCustomURL":"{{ .ResetPasswordCustomURL }}", + "PrivacyPolicyURL":"{{ .PrivacyPolicyURL }}", + "PrivacyPolicyAccept":"{{ .PrivacyPolicyAccept }}", + "Theme":"{{ .Theme }}" +}
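Review bot: The nine values interpolated on the new side of index.html are placed inside JSON string literals with no escaping visible, so a value containing `"`, `\` or a control character (most plausibly ResetPasswordCustomURL, PrivacyPolicyURL or LogoOverride, which read as operator-supplied URLs or paths) would break the document or alter its structure, and whether the template package doing the rendering escapes for this context cannot be seen from the hunk. I would emit each value through a JSON-aware quoting helper — for example a template function wrapping encoding/json — instead of the raw `"{{ .X }}"` form, or render the whole object from a marshalled struct so the template never builds JSON by hand. The file keeps its index.html name while now holding JSON; if the handler still serves it with an HTML content type, a browser navigating to it would interpret those operator-supplied strings as markup, so the served Content-Type is worth confirming alongside this change. Separately, every value, including ones whose names suggest booleans (RememberMe, ResetPassword, PrivacyPolicyAccept), is emitted as a quoted string, so the consumer must parse `"true"`/`"false"` text; a short comment on the producing handler stating that contract would make the shape deliberate rather than accidental.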