--- openapi: 3.0.3 info: title: Authelia API description: > Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. contact: name: Authelia Support url: https://www.authelia.com/contact/ email: team@authelia.com license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0 version: 1.0.0 servers: - url: "{{ .BaseURL }}" description: Authelia API tags: - name: State description: Configuration, health and state endpoints - name: Authentication description: Authentication endpoints - name: Authorization description: Authorization endpoints {{- if .PasswordReset }} - name: Password Reset description: Password reset endpoints - name: User Information description: User configuration endpoints {{- end }} {{- if (or .TOTP .Webauthn .Duo) }} - name: Second Factor description: TOTP, Webauthn and Duo endpoints externalDocs: url: https://www.authelia.com/configuration/second-factor/introduction/ {{- end }} {{- if .OpenIDConnect }} - name: OpenID Connect 1.0 description: OpenID Connect 1.0 and OAuth 2.0 Endpoints externalDocs: url: https://www.authelia.com/integration/openid-connect/introduction/ {{- end }} paths: /api/configuration: get: tags: - State summary: Application Configuration description: > The configuration endpoint provides detailed information including available second factor methods, if any second factor policies exist and the TOTP period configuration. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.configuration.ConfigurationBody' "403": description: Forbidden security: - authelia_auth: [] /api/configuration/password-policy: get: tags: - State summary: Password Policy Configuration description: > The password policy configuration endpoint provides a password policy for resetting passwords. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody' /api/health: get: tags: - State summary: Application Health description: The health check endpoint provides information about the health of Authelia. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' /api/state: get: tags: - State summary: User Application State description: > The state endpoint provides detailed information including the user, current authenticate level and Authelia's configured default redirection URL. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.StateResponse' {{- range $name, $config := .EndpointsAuthz }} {{- $uri := printf "/api/authz/%s" $name }} {{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }} {{ $uri }}: {{- if (eq $config.Implementation "Legacy") }} {{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }} {{ $method }}: tags: - Authorization summary: Authorization Verification (Legacy) description: > The legacy authorization verification endpoint provides the ability to verify if a user has the necessary permissions to access a specified domain with several proxies. It's generally recommended users use a proxy specific endpoint instead. parameters: - name: X-Original-URL in: header description: Redirection URL required: false style: simple explode: true schema: type: string - $ref: '#/components/parameters/forwardedMethodParam' - name: X-Forwarded-Proto in: header description: Redirection URL (Scheme / Protocol) required: false style: simple explode: true example: "https" schema: type: string - name: X-Forwarded-Host in: header description: Redirection URL (Host) required: false style: simple explode: true example: "example.com" schema: type: string - name: X-Forwarded-Uri in: header description: Redirection URL (URI) required: false style: simple explode: true example: "/path/example" schema: type: string - $ref: '#/components/parameters/forwardedForParam' - $ref: '#/components/parameters/authParam' responses: "200": description: Successful Operation headers: remote-user: description: Username schema: type: string example: john remote-name: description: Name schema: type: string example: John Doe remote-email: description: Email schema: type: string example: john.doe@authelia.com remote-groups: description: Comma separated list of Groups schema: type: string example: admin,devs "401": description: Unauthorized security: - authelia_auth: [] {{- end }} {{- else if (eq $config.Implementation "ExtAuthz") }} {{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }} {{ $method }}: tags: - Authorization summary: Authorization Verification (ExtAuthz) description: > The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary permissions to access a specified resource with the Envoy proxy. parameters: - $ref: '#/components/parameters/forwardedMethodParam' - $ref: '#/components/parameters/forwardedHostParam' - $ref: '#/components/parameters/forwardedURIParam' - $ref: '#/components/parameters/forwardedForParam' - $ref: '#/components/parameters/autheliaURLParam' responses: "200": description: Successful Operation headers: remote-user: description: Username schema: type: string example: john remote-name: description: Name schema: type: string example: John Doe remote-email: description: Email schema: type: string example: john.doe@authelia.com remote-groups: description: Comma separated list of Groups schema: type: string example: admin,devs "401": description: Unauthorized security: - authelia_auth: [] {{- end }} {{- else if (eq $config.Implementation "ForwardAuth") }} {{- range $method := list "get" "head" }} {{ $method }}: tags: - Authorization summary: Authorization Verification (ForwardAuth) description: > The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies. parameters: - $ref: '#/components/parameters/forwardedMethodParam' - $ref: '#/components/parameters/forwardedHostParam' - $ref: '#/components/parameters/forwardedURIParam' - $ref: '#/components/parameters/forwardedForParam' responses: "200": description: Successful Operation headers: remote-user: description: Username schema: type: string example: john remote-name: description: Name schema: type: string example: John Doe remote-email: description: Email schema: type: string example: john.doe@authelia.com remote-groups: description: Comma separated list of Groups schema: type: string example: admin,devs "401": description: Unauthorized security: - authelia_auth: [] {{- end }} {{- else if (eq $config.Implementation "AuthRequest") }} {{- range $method := list "get" "head" }} {{ $method }}: tags: - Authorization summary: Authorization Verification (AuthRequest) description: > The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies. parameters: - $ref: '#/components/parameters/originalMethodParam' - $ref: '#/components/parameters/originalURLParam' responses: "200": description: Successful Operation headers: remote-user: description: Username schema: type: string example: john remote-name: description: Name schema: type: string example: John Doe remote-email: description: Email schema: type: string example: john.doe@authelia.com remote-groups: description: Comma separated list of Groups schema: type: string example: admin,devs "401": description: Unauthorized security: - authelia_auth: [] {{- end }} {{- end }} {{- end }} /api/firstfactor: post: tags: - Authentication summary: Login description: > The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization. requestBody: content: application/json: schema: $ref: '#/components/schemas/handlers.bodyFirstFactorRequest' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.redirectResponse' "401": description: Unauthorized security: - authelia_auth: [] /api/checks/safe-redirection: post: tags: - Authentication summary: Check whether URI is safe to redirect to. description: > End users usually needs to be redirected to a target website after authentication. This endpoint aims to check if target URL is safe to redirect to. This prevents open redirect attacks. requestBody: content: application/json: schema: $ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody' "401": description: Unauthorized security: - authelia_auth: [] /api/logout: post: tags: - Authentication summary: Logout description: The logout endpoint allows a user to logout and destroy a sesssion. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/handlers.logoutRequestBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.logoutResponseBody' security: - authelia_auth: [] {{- if .PasswordReset }} /api/reset-password/identity/start: post: tags: - Password Reset summary: Identity Verification Token Creation description: > This endpoint is step 1 of 3 in the password reset process. It validates the user session and sends the user an email with a token and a link to reset their password. This step also generates a session cookie for the rest of the process. The same session cookie must be used for all steps in this process. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] /api/reset-password/identity/finish: post: tags: - Password Reset summary: Identity Verification Token Validation description: > This endpoint is step 2 of 3 in the password reset process. It validates the user session and reset token. The same session cookie must be used for all steps in this process. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] /api/reset-password: post: tags: - Password Reset summary: Password Reset description: > This endpoint is step 3 of 3 in the password reset process. It validates the user session and changes the password. The same session cookie must be used for all steps in this process. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] {{- end }} /api/user/info: get: tags: - User Information summary: User Configuration description: > The user info endpoint provides detailed information including a users display name, preferred and registered second factor method(s). responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.UserInfo' "403": description: Forbidden security: - authelia_auth: [] post: tags: - User Information summary: User Configuration description: > The user info endpoint provides detailed information including a users display name, preferred and registered second factor method(s). The POST method also ensures the preferred method is configured correctly. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.UserInfo' "403": description: Forbidden security: - authelia_auth: [] /api/user/info/2fa_method: post: tags: - User Information summary: User Configuration description: The user info 2fa_method endpoint sets the users preferred second factor method. requestBody: content: application/json: schema: $ref: '#/components/schemas/handlers.UserInfo.MethodBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' "403": description: Forbidden security: - authelia_auth: [] {{- if .TOTP }} /api/user/info/totp: get: tags: - User Information summary: User TOTP Configuration description: > The user TOTP info endpoint provides information necessary to display the TOTP component to validate their TOTP input such as the period/frequency and number of digits. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.UserInfoTOTP' "403": description: Forbidden security: - authelia_auth: [] /api/secondfactor/totp/identity/start: post: tags: - Second Factor summary: Identity Verification TOTP Token Creation description: > This endpoint performs identity verification to begin the TOTP device registration process. The session generated from this endpoint must be utilised for the subsequent step in the `/api/secondfactor/totp/identity/finish` endpoint. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] /api/secondfactor/totp/identity/finish: post: tags: - Second Factor summary: Identity Verification TOTP Token Validation and Device Creation description: > This endpoint performs identity and token verification, upon success also generates TOTP device secret and registers said device. The session cookie generated from the `/api/secondfactor/totp/identity/start` endpoint must be utilised for the step here. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.TOTPKeyResponse' security: - authelia_auth: [] /api/secondfactor/totp: post: tags: - Second Factor summary: Second Factor Authentication - TOTP description: This endpoint performs second factor authentication with a TOTP key. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/handlers.bodySignTOTPRequest' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.redirectResponse' "401": description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/middlewares.ErrorResponse' security: - authelia_auth: [] {{- end }} {{- if .Webauthn }} /api/secondfactor/webauthn/assertion: get: tags: - Second Factor summary: Second Factor Authentication - Webauthn (Request) description: This endpoint starts the second factor authentication process with the FIDO2 Webauthn credential. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions' "401": description: Unauthorized security: - authelia_auth: [] post: tags: - Second Factor summary: Second Factor Authentication - Webauthn description: This endpoint completes the second factor authentication process with the FIDO2 Webauthn credential. requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/webauthn.CredentialAssertionResponse" responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.redirectResponse' "401": description: Unauthorized security: - authelia_auth: [] /api/secondfactor/webauthn/identity/start: post: tags: - Second Factor summary: Identity Verification Webauthn Credential Creation description: > This endpoint performs identity verification to begin the FIDO2 Webauthn credential attestation process (registration). The session generated from this endpoint must be utilised for the subsequent steps in the `/api/secondfactor/webauthn/identity/finish` and `/api/secondfactor/webauthn/attestation` endpoints. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] /api/secondfactor/webauthn/identity/finish: post: tags: - Second Factor summary: Identity Verification FIDO2 Webauthn Credential Validation description: > This endpoint performs identity and token verification, upon success generates a FIDO2 Webauthn device attestation challenge (registration). The session cookie generated from the `/api/secondfactor/webauthn/identity/start` endpoint must be utilised for the subsequent steps here and in the `/api/secondfactor/webauthn/attestation` endpoint. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions' security: - authelia_auth: [] /api/secondfactor/webauthn/attestation: post: tags: - Second Factor summary: Webauthn Credential Attestation description: This endpoint performs Webauthn credential attestation (registration). requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/webauthn.CredentialAttestationResponse' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] /api/secondfactor/webauthn/devices/{deviceID}: delete: tags: - Second Factor summary: Webauthn Device Deletion description: This endpoint deletes the specified Webauthn credential. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] parameters: - $ref: '#/components/parameters/deviceID' put: tags: - Second Factor summary: Webauthn Device Update description: This endpoint updates the description of the specified Webauthn credential. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/webauthn.DeviceUpdateRequest' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' security: - authelia_auth: [] parameters: - $ref: '#/components/parameters/deviceID' {{- end }} {{- if .Duo }} /api/secondfactor/duo: post: tags: - Second Factor summary: Second Factor Authentication - Duo Mobile Push description: This endpoint performs second factor authentication with a Duo Mobile Push. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/handlers.bodySignDuoRequest' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.redirectResponse' "401": description: Unauthorized security: - authelia_auth: [] /api/secondfactor/duo_devices: get: tags: - Second Factor summary: Second Factor Authentication - Duo Mobile Push description: This endpoint retrieves a users available devices and capabilities from Duo. responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/handlers.DuoDevicesResponse' "401": description: Unauthorized security: - authelia_auth: [] /api/secondfactor/duo_device: post: tags: - Second Factor summary: Second Factor Authentication - Duo Mobile Push description: This endpoint updates the users preferred Duo device and method. requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/handlers.DuoDeviceBody' responses: "200": description: Successful Operation content: application/json: schema: $ref: '#/components/schemas/middlewares.OkResponse' "401": description: Unauthorized security: - authelia_auth: [] {{- end }} {{- if .OpenIDConnect }} /.well-known/openid-configuration: get: tags: - OpenID Connect 1.0 summary: OpenID Connect Discovery 1.0 Document description: > This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html. responses: "200": description: OK content: application/json: schema: $ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration' "400": description: Bad Request "500": description: Internal Server Error /.well-known/oauth-authorization-server: get: tags: - OpenID Connect 1.0 summary: OAuth 2.0 Authorization Server Metadata description: > This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414. responses: "200": description: OK content: application/json: schema: $ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer' "400": description: Bad Request "500": description: Internal Server Error /jwks.json: get: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 JSON Web Key Set Document description: > This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate information from this OpenID Connect 1.0 Provider. responses: "200": description: OK content: application/json: schema: $ref: '#/components/schemas/jose.spec.JWKs' /api/oidc/authorization: get: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 Authorization Endpoint description: > This endpoint performs OpenID Connect 1.0 Authorization. parameters: - in: query name: id required: false description: The OpenID Connect 1.0 consent workflow ID. schema: type: string format: uuid pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4" - in: query name: scope description: The requested scope. required: true schema: type: string example: "openid profile groups" - in: query name: response_type description: The OAuth 2.0 response type. required: true schema: $ref: '#/components/schemas/openid.spec.ResponseType' - in: query name: client_id description: The OAuth 2.0 client identifier. required: true schema: type: string example: "app" - in: query name: redirect_uri description: > Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application. required: true schema: type: string example: "https://app.example.com" - in: query name: state description: > Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. required: false schema: type: string example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f" - in: query name: response_mode description: > Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type. required: false schema: $ref: '#/components/schemas/openid.spec.ResponseMode' - in: query name: nonce description: > String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2. required: false schema: type: string example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf" - in: query name: display description: > Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. required: false schema: $ref: '#/components/schemas/openid.spec.DisplayType' - in: query name: prompt description: > Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. required: false schema: type: string - in: query name: max_age description: > Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value. required: false schema: type: integer example: 3600 - in: query name: ui_locales description: > Not Supported: End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. required: false schema: type: string example: "en-US" - in: query name: claims_locales description: > Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. required: false schema: type: string example: "en-US" - in: query name: id_token_hint required: false description: > Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value. schema: type: string - in: query name: login_hint description: > Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion. required: false schema: type: string - in: query name: acr_values description: > Not Supported: Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. required: false schema: type: string - in: query name: claims description: > Not Supported: The claims parameter value, as specified in Section 5.5. required: false schema: type: string - in: query name: registration description: > Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1. required: false schema: type: string - in: query name: request description: > Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5. required: false schema: type: string - in: query name: code_challenge description: > RFC7636 Code Challenge. required: false schema: type: string - in: query name: code_challenge_method required: false description: > RFC7636 Code Challenge Method. defaults to "plain" if not present in the request. Code verifier transformation method is "S256" or "plain". schema: $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' responses: "200": description: OK content: text/html: schema: type: string description: The Form Post Response Mode content. "303": description: See Other headers: Location: schema: type: string description: > Redirection location for the consent flow, or the authorization response callback location when using the Query or Fragment Response Modes. "400": description: Bad Request "500": description: Internal Server Error post: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 Authorization Endpoint description: > This endpoint performs OpenID Connect 1.0 Authorization. requestBody: description: Authorize Request Parameters. required: true content: application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/openid.spec.AuthorizeRequest' responses: "200": description: OK content: text/html: schema: type: string description: The Form Post Response Mode content. "303": description: See Other headers: Location: schema: type: string description: > Redirection location for the consent flow, or the authorization response callback location when using the Query or Fragment Response Modes. "400": description: Bad Request "500": description: Internal Server Error security: - authelia_auth: [] /api/oidc/token: post: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 Token Endpoint description: > This endpoint performs OpenID Connect 1.0 Token Access Requests. requestBody: description: Access Request Parameters. required: true content: application/x-www-form-urlencoded: schema: oneOf: - $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow' - $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow' - $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow' responses: "200": description: OK content: application/json: schema: oneOf: - $ref: '#/components/schemas/openid.spec.AccessResponse' "401": description: Forbidden "403": description: Unauthorized "500": description: Internal Server Error security: - openid: [] /api/oidc/revocation: post: tags: - OpenID Connect 1.0 summary: OAuth 2.0 Token Revocation Endpoint description: > This endpoint performs OAuth 2.0 Token Revocation Requests. requestBody: description: Required OAuth 2.0 revocation parameters. required: true content: application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/openid.spec.IntrospectionRequest' responses: "200": description: OK "401": description: Forbidden "403": description: Unauthorized "500": description: Internal Server Error security: - openid: [] /api/oidc/introspection: post: tags: - OpenID Connect 1.0 summary: OAuth 2.0 Token Introspection Endpoint description: > This endpoint performs OAuth 2.0 Token Introspection Requests. requestBody: description: Required OAuth 2.0 introspection parameters. required: true content: application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/openid.spec.IntrospectionRequest' responses: "200": description: OK content: application/json: schema: $ref: '#/components/schemas/openid.implementation.Claims.Object' "401": description: Forbidden "403": description: Unauthorized "500": description: Internal Server Error security: - openid: [] /api/oidc/userinfo: get: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 UserInfo Endpoint description: > This endpoint performs OpenID Connect 1.0 UserInfo Access Requests. parameters: - in: query name: access_token description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. schema: type: string example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" responses: "200": description: OK content: application/jwt: {} application/json: schema: $ref: '#/components/schemas/openid.implementation.Claims.Object' "401": description: Forbidden "403": description: Unauthorized "500": description: Internal Server Error security: - openid: [] post: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 UserInfo Endpoint description: > This endpoint performs OpenID Connect 1.0 UserInfo Access Requests. parameters: - in: query name: access_token description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. schema: type: string example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" requestBody: content: application/x-www-form-urlencoded: schema: type: object properties: access_token: description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider. type: string example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" responses: "200": description: OK content: application/jwt: {} application/json: schema: $ref: '#/components/schemas/openid.implementation.Claims.Object' "401": description: Forbidden "403": description: Unauthorized "500": description: Internal Server Error security: - openid: [] /api/oidc/consent: get: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 Consent Information description: > This endpoint retrieves the consent information about a specific consent ID during the consent workflow. parameters: - $ref: '#/components/parameters/idRequiredParam' responses: "200": description: OK content: application/json: schema: $ref: '#/components/schemas/openid.request.consent' "403": description: Forbidden security: - authelia_auth: [] post: tags: - OpenID Connect 1.0 summary: OpenID Connect 1.0 Consent Response description: > This endpoint retrieves the consent response for a specific consent ID during the consent workflow. responses: "200": description: OK content: application/json: schema: $ref: '#/components/schemas/openid.response.consent' "403": description: Forbidden security: - authelia_auth: [] {{- end }} components: parameters: deviceID: in: path name: deviceID schema: type: integer required: true description: Numeric Webauthn Device ID originalMethodParam: name: X-Original-Method in: header description: Request Method required: true style: simple explode: true schema: type: string enum: - "GET" - "HEAD" - "POST" - "PUT" - "PATCH" - "DELETE" - "TRACE" - "CONNECT" - "OPTIONS" - "COPY" - "LOCK" - "MKCOL" - "MOVE" - "PROPFIND" - "PROPPATCH" - "UNLOCK" originalURLParam: name: X-Original-URL in: header description: Redirection URL required: true style: simple explode: true schema: type: string forwardedMethodParam: name: X-Forwarded-Method in: header description: Request Method required: false style: simple explode: true schema: type: string enum: - "GET" - "HEAD" - "POST" - "PUT" - "PATCH" - "DELETE" - "TRACE" - "CONNECT" - "OPTIONS" - "COPY" - "LOCK" - "MKCOL" - "MOVE" - "PROPFIND" - "PROPPATCH" - "UNLOCK" forwardedProtoParam: name: X-Forwarded-Proto in: header description: Redirection URL (Scheme / Protocol) required: true style: simple explode: true example: "https" schema: type: string forwardedHostParam: name: X-Forwarded-Host in: header description: Redirection URL (Host) required: true style: simple explode: true example: "example.com" schema: type: string forwardedURIParam: name: X-Forwarded-Uri in: header description: Redirection URL (URI) required: true style: simple explode: true example: "/path/example" schema: type: string forwardedForParam: name: X-Forwarded-For in: header description: Clients IP address or IP address chain required: false style: simple explode: true example: "192.168.0.55,192.168.0.20" schema: type: string autheliaURLParam: name: X-Authelia-URL in: header description: Authelia Portal URL required: false style: simple explode: true example: "https://auth.example.com" schema: type: string authParam: name: auth in: query description: Switch authorization header and prompt for basic auth required: false schema: type: string enum: ["basic"] idRequiredParam: name: id in: query description: The ID of what is being requested required: true schema: type: string schemas: handlers.checkURIWithinDomainRequestBody: type: object properties: uri: type: string example: https://secure.example.com handlers.checkURIWithinDomainResponseBody: type: object properties: ok: type: boolean example: true description: If redirection URL is safe. handlers.configuration.ConfigurationBody: type: object properties: status: type: string example: OK data: type: object properties: available_methods: type: array description: List of available 2FA methods. If no methods exist 2FA is disabled. items: enum: - "totp" - "webauthn" - "mobile_push" example: [totp, webauthn, mobile_push] handlers.configuration.PasswordPolicyConfigurationBody: type: object properties: status: type: string example: OK data: type: object properties: mode: type: string description: The password policy mode. enum: - "disabled" - "standard" - "zxcvbn" min_length: type: integer description: The minimum password length when using the standard mode. max_length: type: integer description: The maximum password length when using the standard mode. min_score: type: integer description: The minimum password score when using the zxcvbn mode. require_uppercase: type: boolean description: If uppercase characters are required when using the standard mode. require_lowercase: type: boolean description: If uppercase characters are required when using the standard mode. require_number: type: boolean description: If numeric characters are required when using the standard mode. require_special: type: boolean description: If special characters are required when using the standard mode. handlers.DuoDeviceBody: required: - device - method type: object properties: device: type: string example: ABCDE123456789FGHIJK method: type: string example: push handlers.DuoDevicesResponse: type: object properties: status: type: string example: OK data: type: object properties: result: type: string example: auth devices: type: array items: type: object properties: device: type: string example: ABCDE123456789FGHIJK display_name: type: string example: iOS (+XX XXX XXX 123) capabilities: type: array items: type: string example: push handlers.bodyFirstFactorRequest: required: - username - password type: object properties: username: type: string example: john password: type: string example: password targetURL: type: string example: https://home.example.com workflow: type: string example: openid_connect workflowID: type: string format: uuid pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" requestMethod: type: string example: GET keepMeLoggedIn: type: boolean example: true handlers.logoutRequestBody: type: object properties: targetURL: type: string example: https://redirect.example.com handlers.logoutResponseBody: type: object properties: status: type: string example: OK data: type: object properties: safeTargetURL: type: boolean example: true handlers.redirectResponse: type: object properties: status: type: string example: OK data: type: object properties: redirect: type: string example: https://home.example.com {{- if .PasswordReset }} handlers.PasswordResetStep1RequestBody: required: - username type: object properties: username: type: string example: john handlers.PasswordResetStep2RequestBody: required: - password type: object properties: password: type: string example: password {{- end }} {{- if .Duo }} handlers.bodySignDuoRequest: type: object properties: targetURL: type: string example: https://secure.example.com passcode: type: string workflow: type: string example: openid_connect workflowID: type: string format: uuid pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" {{- end }} handlers.StateResponse: type: object properties: status: type: string example: OK data: type: object properties: username: type: string example: john authentication_level: type: integer example: 1 default_redirection_url: type: string example: https://home.example.com middlewares.ErrorResponse: type: object properties: status: type: string example: KO message: type: string example: Authentication failed, please retry later. middlewares.IdentityVerificationFinishBody: required: - token type: object properties: token: type: string example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY middlewares.OkResponse: type: object properties: status: type: string example: OK data: type: object handlers.UserInfo: type: object properties: status: type: string example: OK data: type: object properties: display_name: type: string example: John Doe method: type: string enum: - "totp" - "webauthn" - "mobile_push" example: totp has_webauthn: type: boolean example: false has_totp: type: boolean example: true has_duo: type: boolean example: true handlers.UserInfo.MethodBody: required: - method type: object properties: method: type: string enum: - "totp" - "webauthn" - "mobile_push" example: totp {{- if .TOTP }} handlers.UserInfoTOTP: type: object properties: status: type: string example: OK data: type: object properties: period: default: 30 description: The period defined in the users TOTP configuration type: integer example: 30 digits: default: 6 description: The number of digits defined in the users TOTP configuration type: integer example: 6 handlers.bodySignTOTPRequest: type: object properties: token: type: string example: "123456" targetURL: type: string example: https://secure.example.com workflow: type: string example: openid_connect workflowID: type: string format: uuid pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" handlers.TOTPKeyResponse: type: object properties: status: type: string example: OK data: type: object properties: base32_secret: type: string example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q otpauth_url: type: string example: otpauth://totp/auth.example.com:john?algorithm=SHA1&digits=6&issuer=auth.example.com&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q {{- end }} {{- if .Webauthn }} webauthn.PublicKeyCredential: type: object properties: rawId: type: string format: byte id: type: string type: type: string webauthn.AuthenticatorResponse: type: object properties: clientDataJSON: type: string format: byte webauthn.CredentialAttestationResponse: type: object properties: credential: allOf: - $ref: '#/components/schemas/webauthn.PublicKeyCredential' - type: object properties: clientExtensionResults: type: object properties: appidExclude: type: boolean response: allOf: - $ref: '#/components/schemas/webauthn.AuthenticatorResponse' - type: object properties: attestationObject: type: string format: byte description: type: string webauthn.CredentialAssertionResponse: allOf: - $ref: '#/components/schemas/webauthn.PublicKeyCredential' - type: object properties: response: allOf: - $ref: '#/components/schemas/webauthn.AuthenticatorResponse' - type: object required: [authenticatorData, clientDataJSON, signature] properties: authenticatorData: type: string format: byte clientDataJSON: type: string format: byte clientExtensionResults: type: object properties: appid: type: boolean example: false signature: type: string format: byte userHandle: type: string format: byte workflow: type: string example: openid_connect workflowID: type: string format: uuid pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' example: "3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c" webauthn.DeviceUpdateRequest: type: object properties: description: type: string webauthn.PublicKeyCredentialCreationOptions: type: object properties: status: type: string example: OK data: type: object properties: publicKey: allOf: - $ref: '#/components/schemas/webauthn.AttestationType' - $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria' - $ref: '#/components/schemas/webauthn.CredentialUserEntity' - $ref: '#/components/schemas/webauthn.CredentialRPEntity' - type: object required: - "challenge" - "pubKeyCredParams" properties: challenge: type: string format: byte pubKeyCredParams: type: array items: type: object required: - "alg" - "type" properties: alg: type: integer type: type: string example: public-key enum: - "public-key" timeout: type: integer example: 60000 excludeCredentials: type: array items: allOf: - $ref: '#/components/schemas/webauthn.CredentialDescriptor' extensions: type: object properties: appidExclude: type: string example: https://auth.example.com webauthn.PublicKeyCredentialRequestOptions: type: object properties: status: type: string example: OK data: type: object properties: publicKey: allOf: - $ref: '#/components/schemas/webauthn.UserVerification' - type: object required: - "challenge" properties: challenge: type: string timeout: type: integer example: 60000 rpId: type: string example: auth.example.com allowCredentials: type: array items: allOf: - $ref: '#/components/schemas/webauthn.CredentialDescriptor' extensions: type: object properties: appid: type: string example: https://auth.example.com webauthn.Transports: type: object properties: transports: type: array items: type: string example: - "usb" - "nfc" enum: - "usb" - "nfc" - "ble" - "internal" webauthn.UserVerification: type: object properties: userVerification: type: string example: preferred enum: - "required" - "preferred" - "discouraged" webauthn.AttestationType: type: object properties: attestation: type: string example: direct enum: - "none" - "indirect" - "direct" webauthn.AuthenticatorSelectionCriteria: type: object properties: authenticatorSelection: type: object properties: authenticatorAttachment: type: string example: cross-platform enum: - "platform" - "cross-platform" residentKey: type: string example: discouraged enum: - "discouraged" - "preferred" - "required" requireResidentKey: type: boolean webauthn.CredentialDescriptor: allOf: - $ref: '#/components/schemas/webauthn.Transports' - type: object required: - "id" - "type" properties: id: type: string format: byte type: type: string example: public-key enum: - "public-key" webauthn.CredentialEntity: type: object required: - "id" - "name" properties: id: type: string name: type: string icon: type: string webauthn.CredentialRPEntity: type: object required: - "rp" properties: rp: allOf: - $ref: '#/components/schemas/webauthn.CredentialEntity' webauthn.CredentialUserEntity: type: object required: - "user" properties: user: allOf: - $ref: '#/components/schemas/webauthn.CredentialEntity' - type: object required: - "displayName" properties: displayName: type: string webauthn.AuthenticationExtensionsClientOutputs: type: object properties: clientExtensionResults: type: object properties: appid: type: boolean example: true appidExclude: type: boolean example: false uvm: type: array items: type: string format: byte credProps: type: object properties: rk: type: boolean example: false largeBlob: type: object properties: supported: type: boolean example: false blob: type: string written: type: boolean example: false {{- end }} {{- if .OpenIDConnect }} openid.request.consent: type: object properties: status: type: string example: OK data: type: object properties: client_id: type: string description: The identifier of the client for the user to provide consent for. example: "app" client_description: description: The descriptive name of the client for the user to provide consent for. type: string example: "App Platform" scopes: description: The list of the requested scopes for the user to provide consent for. type: array items: type: string enum: - "openid" - "offline_access" - "groups" - "email" - "profile" audience: description: The list of the requested audiences for the user to provide consent for. type: array items: type: string pre_configuration: description: Indicates if this client supports pre-configuration. type: boolean example: true openid.response.consent: type: object properties: status: type: string example: OK data: type: object properties: id: description: The identifier of the consent session. type: string format: uuid pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$' example: "713ef767-81bc-4a27-9b83-5fe2e101b2b4" client_id: description: The identifier of the client for the user to provide consent for. type: string example: "app" consent: description: Indicates if the user consented to the consent request. type: boolean example: true pre_configure: description: Indicates if the user consented to pre-configuration. type: boolean example: true openid.spec.Metadata.OAuth2AuthorizationServer: type: object required: - issuer - authorization_endpoint - subject_types_supported - response_types_supported - require_pushed_authorization_requests properties: authorization_endpoint: description: > URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: string example: "{{ .BaseURL }}api/oidc/authorization" claims_supported: description: > JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. type: array example: - "amr" - "aud" - "azp" - "client_id" - "exp" - "iat" - "iss" - "jti" - "rat" - "sub" - "auth_time" - "nonce" - "email" - "email_verified" - "alt_emails" - "groups" - "preferred_username" - "name" items: $ref: '#/components/schemas/openid.implementation.Claims.Array' code_challenge_methods_supported: description: > JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml type: array example: ["S256", "none"] items: $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' grant_types_supported: type: array description: > JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"]. example: ["authorization_code", "implicit"] items: $ref: '#/components/schemas/openid.spec.GrantType' introspection_endpoint: description: > URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662 type: string example: "{{ .BaseURL }}api/oidc/introspection" introspection_endpoint_auth_methods_supported: description: > JSON array containing a list of client authentication methods supported by this introspection endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2 type: array example: ["client_secret_post"] items: $ref: '#/components/schemas/openid.spec.ClientAuthMethod' introspection_endpoint_auth_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.jws' issuer: description: URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. type: string example: "{{ .BaseURL }}" jwks_uri: description: > URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. type: string example: "{{ .BaseURL }}jwks.json" op_policy_uri: description: URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given. type: string op_tos_uri: description: > URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process SHOULD display this URL to the person registering the Client if it is given. type: string pushed_authorization_request_endpoint: description: > The URL of the pushed authorization request endpoint at which a client can post an authorization request to exchange for a "request_uri" value usable at the authorization server. type: string example: "{{ .BaseURL }}api/oidc/par" registration_endpoint: description: > URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 type: string example: "{{ .BaseURL }}api/oidc/registration" require_pushed_authorization_requests: description: > Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR. If omitted, the default value is "false". type: boolean example: false response_modes_supported: description: > JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"]. type: array example: ["query", "fragment"] items: $ref: '#/components/schemas/openid.spec.ResponseMode' response_types_supported: description: > JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. type: array example: ["code", "id_token", "token id_token"] items: $ref: '#/components/schemas/openid.spec.ResponseType' revocation_endpoint: description: > URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 type: string example: "{{ .BaseURL }}api/oidc/revocation" revocation_endpoint_auth_methods_supported: description: > JSON array containing a list of client authentication methods supported by this revocation endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 type: array example: ["client_secret_post"] items: $ref: '#/components/schemas/openid.spec.ClientAuthMethod' revocation_endpoint_auth_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.jws' scopes_supported: description: > JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: array example: - "openid" - "offline_access" - "profile" - "email" - "groups" items: $ref: '#/components/schemas/openid.implementation.Scopes.Object' service_documentation: description: > URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation. type: string example: "https://authelia.com" subject_types_supported: description: > JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. type: array example: ["public", "pairwise"] items: $ref: '#/components/schemas/openid.spec.SubjectIdentifier' token_endpoint: description: > URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: string example: "{{ .BaseURL }}api/oidc/token" token_endpoint_auth_methods_supported: description: > JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication type: array example: ["client_secret_post"] items: $ref: '#/components/schemas/openid.spec.ClientAuthMethod' token_endpoint_auth_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519' type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.jws' ui_locales_supported: type: array description: > Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 example: ["en-US"] items: type: string openid.spec.Metadata.OpenIDConfiguration: type: object required: - "issuer" - "authorization_endpoint" - "subject_types_supported" - "response_types_supported" - "require_pushed_authorization_requests" - "request_uri_parameter_supported" - "require_request_uri_registration" - "claims_parameter_supported" - "frontchannel_logout_supported" - "frontchannel_logout_session_supported" - "backchannel_logout_supported" - "backchannel_logout_session_supported" properties: acr_values_supported: description: JSON array containing a list of the Authentication Context Class References that this OP supports. type: array items: type: string authorization_endpoint: description: > URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core]. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: string example: "{{ .BaseURL }}api/oidc/authorization" backchannel_logout_session_supported: description: > Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted, the default value is false. type: boolean example: false backchannel_logout_supported: description: > Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If omitted, the default value is false. type: boolean example: false claim_types_supported: description: > JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also: OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes type: array example: ["normal"] items: $ref: '#/components/schemas/openid.spec.ClaimType' claims_locales_supported: description: > Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 type: array example: ["en-US"] items: type: string claims_parameter_supported: description: > Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false. type: boolean example: false claims_supported: description: > JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. type: array example: - "amr" - "aud" - "azp" - "client_id" - "exp" - "iat" - "iss" - "jti" - "rat" - "sub" - "auth_time" - "nonce" - "email" - "email_verified" - "alt_emails" - "groups" - "preferred_username" - "name" items: $ref: '#/components/schemas/openid.implementation.Claims.Array' code_challenge_methods_supported: description: > JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml type: array example: ["S256", "plain"] items: $ref: '#/components/schemas/openid.spec.CodeChallengeMethod' display_values_supported: description: > JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section 3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest type: array example: ["page"] items: $ref: '#/components/schemas/openid.spec.DisplayType' frontchannel_logout_session_supported: description: > Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted, the default value is false. type: boolean example: false frontchannel_logout_supported: description: > Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If omitted, the default value is false. type: boolean example: false grant_types_supported: description: > JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"]. type: array example: ["authorization_code", "implicit"] items: $ref: '#/components/schemas/openid.spec.GrantType' id_token_encryption_alg_values_supported: description: > JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["A256GCMKW"] items: $ref: '#/components/schemas/jose.spec.JWE.alg' id_token_encryption_enc_values_supported: description: > JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["A256GCM"] items: $ref: '#/components/schemas/jose.spec.JWE.enc' id_token_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow). See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.JWS.None' introspection_endpoint: description: > URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662' type: string example: "{{ .BaseURL }}api/oidc/introspection" introspection_endpoint_auth_methods_supported: description: > JSON array containing a list of client authentication methods supported by this introspection endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2 type: array example: ["client_secret_post"] items: $ref: '#/components/schemas/openid.spec.ClientAuthMethod' introspection_endpoint_auth_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.jws' issuer: description: > URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. type: string example: "{{ .BaseURL }}" jwks_uri: description: > URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. type: string example: "{{ .BaseURL }}jwks.json" op_policy_uri: description: > URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given. type: string op_tos_uri: description: > URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process SHOULD display this URL to the person registering the Client if it is given. type: string pushed_authorization_request_endpoint: description: > The URL of the pushed authorization request endpoint at which a client can post an authorization request to exchange for a "request_uri" value usable at the authorization server. type: string example: "{{ .BaseURL }}api/oidc/par" registration_endpoint: description: > URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also: OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591 type: string example: "{{ .BaseURL }}api/oidc/registration" request_object_encryption_alg_values_supported: description: > JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 type: array example: ["A256GCMKW"] items: $ref: '#/components/schemas/jose.spec.JWE.alg' request_object_encryption_enc_values_supported: description: > JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["A256GCM"] items: $ref: '#/components/schemas/jose.spec.JWE.enc' request_object_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256. type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.JWS.None' request_uri_parameter_supported: description: > Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true. type: boolean example: true require_pushed_authorization_requests: description: > Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR. If omitted, the default value is "false". type: boolean example: false require_request_uri_registration: description: > Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false. type: boolean example: false response_modes_supported: description: > JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"]. type: array example: ["query", "fragment"] items: $ref: '#/components/schemas/openid.spec.ResponseMode' response_types_supported: description: > JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. type: array example: ["code", "id_token", "token id_token"] items: $ref: '#/components/schemas/openid.spec.ResponseType' revocation_endpoint: description: > URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009 type: string example: "{{ .BaseURL }}api/oidc/revocation" revocation_endpoint_auth_methods_supported: description: > JSON array containing a list of client authentication methods supported by this revocation endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 type: array example: ["client_secret_basic"] items: $ref: '#/components/schemas/openid.spec.ClientAuthMethod' revocation_endpoint_auth_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.jws' scopes_supported: description: > JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: array example: - "openid" - "offline_access" - "profile" - "email" - "groups" items: $ref: '#/components/schemas/openid.implementation.Scopes.Object' service_documentation: description: > URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation. type: string example: "https://www.authelia.com" subject_types_supported: description: > JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. type: array example: ["public", "pairwise"] items: $ref: '#/components/schemas/openid.spec.SubjectIdentifier' token_endpoint: description: > URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: string example: "{{ .BaseURL }}api/oidc/token" token_endpoint_auth_methods_supported: description: > JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication type: array example: ["client_secret_post"] items: $ref: '#/components/schemas/openid.spec.ClientAuthMethod' token_endpoint_auth_signing_alg_values_supported: description: > JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["RS256"] items: $ref: '#/components/schemas/jose.spec.jws' ui_locales_supported: description: > Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646 type: array example: ["en-US"] items: type: string userinfo_encryption_alg_values_supported: description: > JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["A256GCMKW"] items: $ref: '#/components/schemas/jose.spec.JWE.alg' userinfo_encryption_enc_values_supported: description: > JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["A256GCM"] items: $ref: '#/components/schemas/jose.spec.JWE.enc' userinfo_endpoint: description: > URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html type: string example: "{{ .BaseURL }}api/oidc/userinfo" userinfo_signing_alg_values_supported: description: > JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also: JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["none", "RS256"] items: $ref: '#/components/schemas/jose.spec.JWS.None' openid.implementation.Claims.Array: type: array items: type: string enum: - "amr" - "aud" - "azp" - "client_id" - "exp" - "iat" - "iss" - "jti" - "rat" - "sub" - "auth_time" - "nonce" - "email" - "email_verified" - "alt_emails" - "groups" - "preferred_username" - "name" openid.implementation.Claims.Object: description: OpenID Connect 1.0 User Claims. type: object properties: amr: type: array items: type: string enum: - "mfa" - "mca" - "user" - "pin" - "pwd" - "otp" - "hwk" - "sms" aud: type: array items: type: string azp: type: string client_id: type: string scope: type: string scp: type: array items: type: string exp: type: integer iat: type: integer iss: type: string jti: type: string rat: type: integer sub: type: string auth_time: type: integer nonce: type: string email: type: string email_verified: type: boolean alt_emails: type: array items: type: string groups: type: array items: type: string preferred_username: type: string name: type: string openid.implementation.Scopes.Object: description: The scope. type: string oneOf: - $ref: '#/components/schemas/openid.spec.Scopes' - type: string enum: - "groups" openid.spec.Scopes: type: string enum: - "openid" - "offline_access" - "profile" - "email" - "address" - "phone" openid.spec.IntrospectionRequest: type: object required: - "token" properties: token: description: > The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, this is the "refresh_token" value returned from the token endpoint as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types are outside the scope of this specification. type: string example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" token_type_hint: description: > A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. Values for this field are defined in the "OAuth Token Type Hints" registry defined in OAuth Token Revocation [RFC7009]. type: string example: "access_token" enum: - "access_token" - "refresh_token" openid.spec.AccessRequest.ClientAuth: type: object properties: client_id: description: > REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749]. type: string example: "authelia_dc_mn123kjn12kj3123njk" client_secret: description: > REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty string. type: string format: password openid.spec.AccessRequest.AuthorizationCodeFlow: allOf: - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' - type: object required: - "code" - "grant_type" properties: grant_type: description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code". type: string enum: - "authorization_code" code: description: The Authorization Code. type: string example: "authelia_ac_1j2kn3knj12n3kj12n" code_verifier: description: The Authorization Code Verifier (PKCE). type: string example: "88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3" redirect_uri: description: The original Redirect URI used in the Authorization Request. type: string example: "https://app.example.com/oidc/callback" openid.spec.AccessRequest.DeviceCodeFlow: allOf: - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' - type: object required: - "grant_type" - "device_code" properties: grant_type: description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code". type: string enum: - "urn:ietf:params:oauth:grant-type:device_code" device_code: description: The Device Authorization Code. type: string example: "authelia_dc_mn123kjn12kj3123njk" openid.spec.AccessRequest.RefreshTokenFlow: allOf: - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth' - type: object required: - "grant_type" - "device_code" properties: grant_type: description: Value MUST be set to "refresh_token". type: string enum: - "refresh_token" refresh_token: description: The Refresh Token. example: "authelia_rt_1n2j3kihn12kj3n12k" scope: description: > The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. openid.spec.AccessResponse: type: object properties: access_token: description: The access token issued by the authorization server. type: string example: "authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn" refresh_token: type: string description: > The refresh token, which can be used to obtain new access tokens using the same authorization grant as described in Section 6. token_type: type: string description: > The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). The client MUST NOT use an access token if it does not understand the token type. enum: - "bearer" expires_in: type: integer description: > The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. state: type: string description: Exactly the state value passed in the authorization request if present. scope: type: string description: > The scope of the access token as described by Section 3.3 if it differs from the requested scope. openid.spec.AuthorizeRequest: type: object required: - "scope" - "response_type" - "client_id" - "redirect_uri" properties: scope: description: The requested scope. type: string example: "openid profile groups" response_type: $ref: '#/components/schemas/openid.spec.ResponseType' client_id: description: The OAuth 2.0 client identifier. type: string example: "app" redirect_uri: description: > Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application. type: string example: "https://app.example.com" state: description: > Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. type: string example: "oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f" response_mode: $ref: '#/components/schemas/openid.spec.ResponseMode' nonce: description: > String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2. type: string example: "TRMLqchoKGQNcooXvBvUy9PtmLdJGf" display: $ref: '#/components/schemas/openid.spec.DisplayType' prompt: description: > Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. type: string max_age: description: > Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value. type: integer ui_locales: description: > Not Supported: End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. type: string claims_locales: description: > Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. type: string id_token_hint: description: > Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value. type: string login_hint: description: > Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion. type: string acr_values: description: > Not Supported: Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. type: string claims: description: > Not Supported: The claims parameter value, as specified in Section 5.5. type: string registration: description: > Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1. type: string request: description: > Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5. type: string openid.spec.SubjectIdentifier: description: > A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client. type: string enum: - "public" - "pairwise" openid.spec.ClientAuthMethod: description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method. type: string enum: - "client_secret_basic" - "client_secret_post" - "client_secret_jwt" - "private_key_jwt" - "none" openid.spec.DisplayType: description: > ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. type: string example: "page" enum: - "page" - "popup" - "touch" - "wap" openid.spec.ResponseType: description: The OAuth 2.0 / OpenID Connect 1.0 Response Type. type: string example: "code" enum: - "code" - "id_token" - "token" - "code token" - "code id_token" - "token id_token" - "code id_token token" - "none" openid.spec.ResponseMode: description: > Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type. type: string example: "query" enum: - "query" - "fragment" - "form_post" openid.spec.GrantType: description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type. type: string example: "authorization_code" enum: - "authorization_code" - "refresh_token" - "implicit" - "password" - "client_credentials" - "urn:ietf:params:oauth:grant-type:device_code" openid.spec.CodeChallengeMethod: description: The RFC7636 Code Challenge Verifier Method. type: string example: "S256" enum: - "plain" - "S256" openid.spec.ClaimType: description: The representation of claims. type: string example: "normal" enum: - "normal" - "aggregated" - "distributed" jose.spec.None: description: The JSON Web Signature Algorithm type: string enum: - "none" jose.spec.JWS.None: description: The JSON Web Signature Algorithm type: string oneOf: - $ref: '#/components/schemas/jose.spec.None' - $ref: '#/components/schemas/jose.spec.jws' jose.spec.jws: description: The JSON Web Signature Algorithm type: string enum: - "HS256" - "HS384" - "HS512" - "RS256" - "RS384" - "RS512" - "ES256" - "ES384" - "ES512" - "PS256" - "PS384" - "PS512" jose.spec.JWE.alg: description: The JSON Web Encryption Algorithm (CEK) type: string enum: - "RSA1_5" - "RSA-OAEP" - "RSA-OAEP-256" - "A128KW" - "A192KW" - "A256KW" - "dir" - "ECDH-ES" - "ECDH-ES+A128KW" - "ECDH-ES+A192KW" - "ECDH-ES+A256KW" - "A128GCMKW" - "A192GCMKW" - "A256GCMKW" - "PBES2-HS256+A128KW" - "PBES2-HS384+A192KW" - "PBES2-HS512+A256KW" jose.spec.JWE.enc: description: The JSON Web Encryption Algorithm (Claims) type: string enum: - "A128CBC-HS256" - "A192CBC-HS384" - "A256CBC-HS512" - "A128CBC" - "A256CBC" - "A128GCM" - "A256GCM" jose.spec.JWK.base: type: object properties: use: description: > The "use" (public key use) parameter identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. type: string example: "sig" enum: - "sig" - "enc" key_ops: description: > The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used. The "key_ops" parameter is intended for use cases in which public, private, or symmetric keys may be present. type: array example: ["sign"] items: type: string enum: - "sign" - "verify" - "encrypt" - "decrypt" - "wrapKey" - "unwrapKey" - "deriveKey" - "deriveBits" kid: description: > The "kid" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the "kid" value is unspecified. When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values. (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.) The "kid" value is a case-sensitive string. Use of this member is OPTIONAL. When used with JWS or JWE, the "kid" value is used to match a JWS or JWE "kid" Header Parameter value. type: string x5u: description: > The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]. The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [RFC5280] in PEM-encoded form, with each certificate delimited as specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first certificate MUST match the public key represented by other members of the JWK. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this member is OPTIONAL. type: string x5c: description: > The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL. type: array items: type: string format: byte x5t: description: > The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL. type: string format: byte x5t#S256: description: > The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL. type: string format: byte jose.spec.JWK.RSA: description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518. allOf: - $ref: '#/components/schemas/jose.spec.JWK.base' - type: object required: - "kty" - "n" - "e" properties: kty: description: > The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key. type: string example: "RSA" enum: - "RSA" alg: description: The JSON Web Signature Algorithm type: string example: "RS256" enum: - "RS256" - "RS384" - "RS512" - "PS256" - "PS384" - "PS512" n: description: > RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is represented as a Base64urlUInt-encoded value. type: string format: byte e: description: > RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key. It is represented as a Base64urlUInt-encoded value. type: string format: byte jose.spec.JWK.RSA.Private: description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518. allOf: - $ref: '#/components/schemas/jose.spec.JWK.base' - $ref: '#/components/schemas/jose.spec.JWK.RSA' - type: object required: - "d" properties: d: description: > RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA private key. It is represented as a Base64urlUInt-encoded value. type: string format: byte p: description: > RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor. It is represented as a Base64urlUInt-encoded value. type: string format: byte q: description: > RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is represented as a Base64urlUInt-encoded value. type: string format: byte dp: description: > RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem (CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value. type: string dq: description: > RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the second factor. It is represented as a Base64urlUInt-encoded value. type: string qi: description: > RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second factor. It is represented as a Base64urlUInt-encoded value. type: string format: byte oth: description: > The "oth" (other primes info) parameter contains an array of information about any third and subsequent primes, should they exist. type: array items: type: object required: - "r" - "d" - "t" properties: r: description: > The "r" (prime factor) parameter within an "oth" array member represents the value of a subsequent prime factor. It is represented as a Base64urlUInt-encoded value. type: string format: byte d: description: > The "d" (factor CRT exponent) parameter within an "oth" array member represents the CRT exponent of the corresponding prime factor. It is represented as a Base64urlUInt-encoded value. type: string format: byte t: description: > The "t" (factor CRT coefficient) parameter within an "oth" array member represents the CRT coefficient of the corresponding prime factor. It is represented as a Base64urlUInt-encoded value. type: string format: byte jose.spec.JWK.EC: description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518. allOf: - $ref: '#/components/schemas/jose.spec.JWK.base' - type: object required: - "kty" - "crv" - "x" properties: kty: description: > The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key. type: string example: "EC" enum: - "EC" alg: description: The JSON Web Signature Algorithm type: string example: "ES256" enum: - "ES256" - "ES384" - "ES512" x: description: > EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point. It is represented as the base64url encoding of the octet string representation of the coordinate, as defined in Section 2.3.5 of SEC1 [SEC1]. type: string format: byte y: description: > EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point. It is represented as the base64url encoding of the octet string representation of the coordinate, as defined in Section 2.3.5 of SEC1 [SEC1]. type: string format: byte crv: description: > The curve parameter identifies the cryptographic curve used with the key. Curve values from [DSS] used by this specification. type: string example: "P-521" enum: - "P-256" - "P-384" - "P-521" - "Ed25519" - "Ed448" - "X25519" - "X448" - "secp256k1" jose.spec.JWK.EC.Private: description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518. allOf: - $ref: '#/components/schemas/jose.spec.JWK.base' - $ref: '#/components/schemas/jose.spec.JWK.EC' - type: object required: - "d" properties: d: description: > ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It is represented as the base64url encoding of the octet string representation of the private key value, as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be ceiling(log-base-2(n)/8) octets (where n is the order of the curve). type: string format: byte jose.spec.JWK.Symmetric: description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518. allOf: - $ref: '#/components/schemas/jose.spec.JWK.base' - type: object required: - "k" properties: kty: description: > The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key. type: string example: "oct" enum: - "oct" k: description: > The "k" (key value) parameter contains the value of the symmetric (or other single-valued) key. It is represented as the base64url encoding of the octet sequence containing the key value. type: string format: byte jose.spec.JWK: type: string anyOf: - $ref: '#/components/schemas/jose.spec.JWK.RSA' - $ref: '#/components/schemas/jose.spec.JWK.RSA.Private' - $ref: '#/components/schemas/jose.spec.JWK.EC' - $ref: '#/components/schemas/jose.spec.JWK.EC.Private' - $ref: '#/components/schemas/jose.spec.JWK.Symmetric' jose.spec.JWKs: type: object description: The JSON Web Key Sets Document as defined by RFC7517. properties: keys: description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517. type: array items: $ref: '#/components/schemas/jose.spec.JWK' {{- end }} securitySchemes: authelia_auth: type: apiKey name: "{{ .Session }}" in: cookie {{- if .OpenIDConnect }} openid: type: openIdConnect openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration" {{- end }} ...