Fields

• unAll :: Bool
   

Fields

• unClient :: Text
   

Fields

• unClientId :: Text
   

Fields

• unCode :: Text
   

Fields

• unConsentChallenge :: Text
   

Fields

• unGrantType :: Text
   

Fields

• unId :: Text
   

Fields

• unKid :: Text
   

Fields

• unLimit :: Integer
   

Fields

• unLoginChallenge :: Text
   

Fields

• unLogoutChallenge :: Text
   

Fields

• unOffset :: Integer
   

Fields

• unRedirectUri :: Text
   

Fields

• unRefreshToken :: Text
   

Fields

• unScope :: Text
   

Fields

• unSet :: Text
   

Fields

• unSubject :: Text
   

Fields

• unToken :: Text
   

Fields

• acceptConsentRequestGrantAccessTokenAudience :: Maybe [Text]

  "grant_access_token_audience"

• acceptConsentRequestGrantScope :: Maybe [Text]

  "grant_scope"

• acceptConsentRequestHandledAt :: Maybe DateTime

  "handled_at"

• acceptConsentRequestRemember :: Maybe Bool

  "remember" - Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope.

• acceptConsentRequestRememberFor :: Maybe Integer

  "remember_for" - RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the authorization will be remembered indefinitely.

• acceptConsentRequestSession :: Maybe ConsentRequestSession

  "session"

Fields

• acceptLoginRequestAcr :: Maybe Text

  "acr" - ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication.

• acceptLoginRequestContext :: Maybe Value

  "context"

• acceptLoginRequestForceSubjectIdentifier :: Maybe Text

  "force_subject_identifier" - ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the (Pairwise Identifier Algorithm)[http:/openid.netspecsopenid-connect-core-1_0.html#PairwiseAlg] of the OpenID Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client. Please note that this changes the user ID on endpoint userinfo and sub claim of the ID Token. It does not change the sub claim in the OAuth 2.0 Introspection. Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's configuration). Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies that you have to compute this value on every authentication process (probably depending on the client ID or some other unique value). If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.

• acceptLoginRequestRemember :: Maybe Bool

  "remember" - Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she will not be asked to log in again.

• acceptLoginRequestRememberFor :: Maybe Integer

  "remember_for" - RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the authorization will be remembered for the duration of the browser session (using a session cookie).

• acceptLoginRequestSubject :: Text

  Required "subject" - Subject is the user ID of the end-user that authenticated.

Fields

• completedRequestRedirectTo :: Text

  Required "redirect_to" - RedirectURL is the URL which you should redirect the user to once the authentication process is completed.

Fields

• consentRequestAcr :: Maybe Text

  "acr" - ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication.

• consentRequestChallenge :: Text

  Required "challenge" - ID is the identifier ("authorization challenge") of the consent authorization request. It is used to identify the session.

• consentRequestClient :: Maybe OAuth2Client

  "client"

• consentRequestContext :: Maybe Value

  "context"

• consentRequestLoginChallenge :: Maybe Text

  "login_challenge" - LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app.

• consentRequestLoginSessionId :: Maybe Text

  "login_session_id" - LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user.

• consentRequestOidcContext :: Maybe OpenIDConnectContext

  "oidc_context"

• consentRequestRequestUrl :: Maybe Text

  "request_url" - RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters.

• consentRequestRequestedAccessTokenAudience :: Maybe [Text]

  "requested_access_token_audience"

• consentRequestRequestedScope :: Maybe [Text]

  "requested_scope"

• consentRequestSkip :: Maybe Bool

  "skip" - Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the consent request using the usual API call.

• consentRequestSubject :: Maybe Text

  "subject" - Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client.

Fields

• consentRequestSessionAccessToken :: Maybe Value

  "access_token" - AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!

• consentRequestSessionIdToken :: Maybe Value

  "id_token" - IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care!

Fields

• containerWaitOKBodyErrorMessage :: Maybe Text

  Message - Details of an error

Fields

• flushInactiveOAuth2TokensRequestNotAfter :: Maybe DateTime

  "notAfter" - NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history of recently issued tokens for auditing.

Fields

• genericErrorDebug :: Maybe Text

  "debug" - Debug contains debug information. This is usually not available and has to be enabled.

• genericErrorError :: Text

  Required "error" - Name is the error name.

• genericErrorErrorDescription :: Maybe Text

  "error_description" - Description contains further information on the nature of the error.

• genericErrorStatusCode :: Maybe Integer

  "status_code" - Code represents the error status code (404, 403, 401, ...).

Fields

• healthNotReadyStatusErrors :: Maybe (Map String Text)

  "errors" - Errors contains a list of errors that caused the not ready status.

Fields

• healthStatusStatus :: Maybe Text

  "status" - Status always contains "ok".

Fields

• jSONWebKeyAlg :: Text

  Required "alg" - The "alg" (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA "JSON Web Signature and Encryption Algorithms" registry established by [JWA] or be a value that contains a Collision- Resistant Name.

• jSONWebKeyCrv :: Maybe Text

  "crv"

• jSONWebKeyD :: Maybe Text

  "d"

• jSONWebKeyDp :: Maybe Text

  "dp"

• jSONWebKeyDq :: Maybe Text

  "dq"

• jSONWebKeyE :: Maybe Text

  "e"

• jSONWebKeyK :: Maybe Text

  "k"

• jSONWebKeyKid :: Text

  Required "kid" - The "kid" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the "kid" value is unspecified. When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values. (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.) The "kid" value is a case-sensitive string.

• jSONWebKeyKty :: Text

  Required "kty" - The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC". "kty" values should either be registered in the IANA "JSON Web Key Types" registry established by [JWA] or be a value that contains a Collision- Resistant Name. The "kty" value is a case-sensitive string.

• jSONWebKeyN :: Maybe Text

  "n"

• jSONWebKeyP :: Maybe Text

  "p"

• jSONWebKeyQ :: Maybe Text

  "q"

• jSONWebKeyQi :: Maybe Text

  "qi"

• jSONWebKeyUse :: Text

  Required "use" - Use ("public key use") identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values are commonly "sig" (signature) or "enc" (encryption).

• jSONWebKeyX :: Maybe Text

  "x"

• jSONWebKeyX5c :: Maybe [Text]

  "x5c" - The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate.

• jSONWebKeyY :: Maybe Text

  "y"

Fields

• jSONWebKeySetKeys :: Maybe [JSONWebKey]

  "keys" - The value of the "keys" parameter is an array of JWK values. By default, the order of the JWK values within the array does not imply an order of preference among them, although applications of JWK Sets can choose to assign a meaning to the order for their purposes, if desired.

Fields

• jsonWebKeySetGeneratorRequestAlg :: Text

  Required "alg" - The algorithm to be used for creating the key. Supports "RS256", "ES512", "HS512", and "HS256"

• jsonWebKeySetGeneratorRequestKid :: Text

  Required "kid" - The kid of the key to be created

• jsonWebKeySetGeneratorRequestUse :: Text

  Required "use" - The "use" (public key use) parameter identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Valid values are "enc" and "sig".

Fields

• loginRequestChallenge :: Text

  Required "challenge" - ID is the identifier ("login challenge") of the login request. It is used to identify the session.

• loginRequestClient :: OAuth2Client

  Required "client"

• loginRequestOidcContext :: Maybe OpenIDConnectContext

  "oidc_context"

• loginRequestRequestUrl :: Text

  Required "request_url" - RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters.

• loginRequestRequestedAccessTokenAudience :: [Text]

  Required "requested_access_token_audience"

• loginRequestRequestedScope :: [Text]

  Required "requested_scope"

• loginRequestSessionId :: Maybe Text

  "session_id" - SessionID is the login session ID. If the user-agent reuses a login session (via cookie remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user.

• loginRequestSkip :: Bool

  Required "skip" - Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information.

• loginRequestSubject :: Text

  Required "subject" - Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail.

Fields

• logoutRequestRequestUrl :: Maybe Text

  "request_url" - RequestURL is the original Logout URL requested.

• logoutRequestRpInitiated :: Maybe Bool

  "rp_initiated" - RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.

• logoutRequestSid :: Maybe Text

  "sid" - SessionID is the login session ID that was requested to log out.

• logoutRequestSubject :: Maybe Text

  "subject" - Subject is the user for whom the logout was request.

Fields

• oAuth2ClientAllowedCorsOrigins :: Maybe [Text]

  "allowed_cors_origins"

• oAuth2ClientAudience :: Maybe [Text]

  "audience"

• oAuth2ClientBackchannelLogoutSessionRequired :: Maybe Bool

  "backchannel_logout_session_required" - Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.

• oAuth2ClientBackchannelLogoutUri :: Maybe Text

  "backchannel_logout_uri" - RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.

• oAuth2ClientClientId :: Maybe Text

  "client_id" - ID is the id for this client.

• oAuth2ClientClientName :: Maybe Text

  "client_name" - Name is the human-readable string name of the client to be presented to the end-user during authorization.

• oAuth2ClientClientSecret :: Maybe Text

  "client_secret" - Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again.

• oAuth2ClientClientSecretExpiresAt :: Maybe Integer

  "client_secret_expires_at" - SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0.

• oAuth2ClientClientUri :: Maybe Text

  "client_uri" - ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion.

• oAuth2ClientContacts :: Maybe [Text]

  "contacts"

• oAuth2ClientCreatedAt :: Maybe DateTime

  "created_at" - CreatedAt returns the timestamp of the client's creation.

• oAuth2ClientFrontchannelLogoutSessionRequired :: Maybe Bool

  "frontchannel_logout_session_required" - Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false.

• oAuth2ClientFrontchannelLogoutUri :: Maybe Text

  "frontchannel_logout_uri" - RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.

• oAuth2ClientGrantTypes :: Maybe [Text]

  "grant_types"

• oAuth2ClientJwks :: Maybe Value

  "jwks"

• oAuth2ClientJwksUri :: Maybe Text

  "jwks_uri" - URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.

• oAuth2ClientLogoUri :: Maybe Text

  "logo_uri" - LogoURI is an URL string that references a logo for the client.

• oAuth2ClientMetadata :: Maybe Value

  "metadata"

• oAuth2ClientOwner :: Maybe Text

  "owner" - Owner is a string identifying the owner of the OAuth 2.0 Client.

• oAuth2ClientPolicyUri :: Maybe Text

  "policy_uri" - PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data.

• oAuth2ClientPostLogoutRedirectUris :: Maybe [Text]

  "post_logout_redirect_uris"

• oAuth2ClientRedirectUris :: Maybe [Text]

  "redirect_uris"

• oAuth2ClientRequestObjectSigningAlg :: Maybe Text

  "request_object_signing_alg" - JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.

• oAuth2ClientRequestUris :: Maybe [Text]

  "request_uris"

• oAuth2ClientResponseTypes :: Maybe [Text]

  "response_types"

• oAuth2ClientScope :: Maybe Text

  "scope" - Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.

• oAuth2ClientSectorIdentifierUri :: Maybe Text

  "sector_identifier_uri" - URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.

• oAuth2ClientSubjectType :: Maybe Text

  "subject_type" - SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`.

• oAuth2ClientTokenEndpointAuthMethod :: Maybe Text

  "token_endpoint_auth_method" - Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none.

• oAuth2ClientTokenEndpointAuthSigningAlg :: Maybe Text

  "token_endpoint_auth_signing_alg" - Requested Client Authentication signing algorithm for the Token Endpoint.

• oAuth2ClientTosUri :: Maybe Text

  "tos_uri" - TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client.

• oAuth2ClientUpdatedAt :: Maybe DateTime

  "updated_at" - UpdatedAt returns the timestamp of the last update.

• oAuth2ClientUserinfoSignedResponseAlg :: Maybe Text

  "userinfo_signed_response_alg" - JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type.

Fields

• oAuth2TokenIntrospectionActive :: Bool

  Required "active" - Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).

• oAuth2TokenIntrospectionAud :: Maybe [Text]

  "aud" - Audience contains a list of the token's intended audiences.

• oAuth2TokenIntrospectionClientId :: Maybe Text

  "client_id" - ID is aclient identifier for the OAuth 2.0 client that requested this token.

• oAuth2TokenIntrospectionExp :: Maybe Integer

  "exp" - Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire.

• oAuth2TokenIntrospectionExt :: Maybe Value

  "ext" - Extra is arbitrary data set by the session.

• oAuth2TokenIntrospectionIat :: Maybe Integer

  "iat" - Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued.

• oAuth2TokenIntrospectionIss :: Maybe Text

  "iss" - IssuerURL is a string representing the issuer of this token

• oAuth2TokenIntrospectionNbf :: Maybe Integer

  "nbf" - NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before.

• oAuth2TokenIntrospectionObfuscatedSubject :: Maybe Text

  "obfuscated_subject" - ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization. It is the `sub` value of the ID Token that was issued.

• oAuth2TokenIntrospectionScope :: Maybe Text

  "scope" - Scope is a JSON string containing a space-separated list of scopes associated with this token.

• oAuth2TokenIntrospectionSub :: Maybe Text

  "sub" - Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token.

• oAuth2TokenIntrospectionTokenType :: Maybe Text

  "token_type" - TokenType is the introspected token's type, typically `Bearer`.

• oAuth2TokenIntrospectionTokenUse :: Maybe Text

  "token_use" - TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.

• oAuth2TokenIntrospectionUsername :: Maybe Text

  "username" - Username is a human-readable identifier for the resource owner who authorized this token.

Fields

• oauth2TokenResponseAccessToken :: Maybe Text

  "access_token"

• oauth2TokenResponseExpiresIn :: Maybe Integer

  "expires_in"

• oauth2TokenResponseIdToken :: Maybe Text

  "id_token"

• oauth2TokenResponseRefreshToken :: Maybe Text

  "refresh_token"

• oauth2TokenResponseScope :: Maybe Text

  "scope"

• oauth2TokenResponseTokenType :: Maybe Text

  "token_type"