openapi: 3.0.1 info: description: Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. title: ORY Hydra version: latest servers: - url: / paths: /.well-known/jwks.json: get: description: "This endpoint returns JSON Web Keys to be used as public keys\ \ for verifying OpenID Connect ID Tokens and,\nif enabled, OAuth 2.0 JWT Access\ \ Tokens. This endpoint can be used with client libraries like\n[node-jwks-rsa](https://github.com/auth0/node-jwks-rsa)\ \ among others." operationId: wellKnown responses: "200": content: application/json: schema: $ref: '#/components/schemas/JSONWebKeySet' description: JSONWebKeySet "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: JSON Web Keys Discovery tags: - public /.well-known/openid-configuration: get: description: "The well known endpoint an be used to retrieve information for\ \ OpenID Connect clients. We encourage you to not roll\nyour own OpenID Connect\ \ client but to use an OpenID Connect client library instead. You can learn\ \ more on this\nflow at https://openid.net/specs/openid-connect-discovery-1_0.html\ \ .\n\nPopular libraries for OpenID Connect clients include oidc-client-js\ \ (JavaScript), go-oidc (Golang), and others.\nFor a full list of clients\ \ go here: https://openid.net/developers/certified/" operationId: discoverOpenIDConfiguration responses: "200": content: application/json: schema: $ref: '#/components/schemas/wellKnown' description: wellKnown "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: OpenID Connect Discovery tags: - public /clients: get: description: "This endpoint lists all clients in the database, and never returns\ \ client secrets. As a default it lists the first 100 clients. The `limit`\ \ parameter can be used to retrieve more clients, but it has an upper bound\ \ at 500 objects. Pagination should be used to retrieve more than 500 objects.\n\ \nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows.\ \ Usually, OAuth 2.0 clients are generated for applications which want to\ \ consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra,\ \ you will need an OAuth 2.0 Client as well. Make sure that this endpoint\ \ is well protected and only callable by first-party components.\nThe \"Link\"\ \ header is also included in successful responses, which contains one or more\ \ links for pagination, formatted like so: ';\ \ rel=\"{page}\"', where page is one of the following applicable pages: 'first',\ \ 'next', 'last', and 'previous'.\nMultiple links can be included in this\ \ header, and will be separated by a comma." operationId: listOAuth2Clients parameters: - description: "The maximum amount of policies returned, upper bound is 500\ \ policies" in: query name: limit schema: format: int64 type: integer - description: The offset from where to start looking. in: query name: offset schema: format: int64 type: integer responses: "200": content: application/json: schema: items: $ref: '#/components/schemas/oAuth2Client' type: array description: A list of clients. "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: List OAuth 2.0 Clients tags: - admin post: description: "Create a new OAuth 2.0 client If you pass `client_secret` the\ \ secret will be used, otherwise a random secret will be generated. The secret\ \ will be returned in the response and you will not be able to retrieve it\ \ later on. Write the secret down and keep it somwhere safe.\n\nOAuth 2.0\ \ clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually,\ \ OAuth 2.0 clients are generated for applications which want to consume your\ \ OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will\ \ need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected\ \ and only callable by first-party components." operationId: createOAuth2Client requestBody: content: application/json: schema: $ref: '#/components/schemas/oAuth2Client' required: true responses: "201": content: application/json: schema: $ref: '#/components/schemas/oAuth2Client' description: oAuth2Client "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "409": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Create an OAuth 2.0 Client tags: - admin x-codegen-request-body-name: Body /clients/{id}: delete: description: "Delete an existing OAuth 2.0 Client by its ID.\n\nOAuth 2.0 clients\ \ are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0\ \ clients are generated for applications which want to consume your OAuth\ \ 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an\ \ OAuth 2.0 Client as well. Make sure that this endpoint is well protected\ \ and only callable by first-party components." operationId: deleteOAuth2Client parameters: - description: The id of the OAuth 2.0 Client. in: path name: id required: true schema: type: string responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Deletes an OAuth 2.0 Client tags: - admin get: description: "Get an OAUth 2.0 client by its ID. This endpoint never returns\ \ passwords.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID\ \ Connect flows. Usually, OAuth 2.0 clients are generated for applications\ \ which want to consume your OAuth 2.0 or OpenID Connect capabilities. To\ \ manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that\ \ this endpoint is well protected and only callable by first-party components." operationId: getOAuth2Client parameters: - description: The id of the OAuth 2.0 Client. in: path name: id required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/oAuth2Client' description: oAuth2Client "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Get an OAuth 2.0 Client. tags: - admin put: description: "Update an existing OAuth 2.0 Client. If you pass `client_secret`\ \ the secret will be updated and returned via the API. This is the only time\ \ you will be able to retrieve the client secret, so write it down and keep\ \ it safe.\n\nOAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect\ \ flows. Usually, OAuth 2.0 clients are generated for applications which want\ \ to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY\ \ Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint\ \ is well protected and only callable by first-party components." operationId: updateOAuth2Client parameters: - in: path name: id required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/oAuth2Client' required: true responses: "200": content: application/json: schema: $ref: '#/components/schemas/oAuth2Client' description: oAuth2Client "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Update an OAuth 2.0 Client tags: - admin x-codegen-request-body-name: Body /health/alive: get: description: "This endpoint returns a 200 status code when the HTTP server is\ \ up running.\nThis status does currently not include checks whether the database\ \ connection is working.\n\nIf the service supports TLS Edge Termination,\ \ this endpoint does not require the\n`X-Forwarded-Proto` header to be set.\n\ \nBe aware that if you are running multiple nodes of this service, the health\ \ status will never\nrefer to the cluster state, only to a single instance." operationId: isInstanceAlive responses: "200": content: application/json: schema: $ref: '#/components/schemas/healthStatus' description: healthStatus "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Check Alive Status tags: - admin /health/ready: get: description: "This endpoint returns a 200 status code when the HTTP server is\ \ up running and the environment dependencies (e.g.\nthe database) are responsive\ \ as well.\n\nIf the service supports TLS Edge Termination, this endpoint\ \ does not require the\n`X-Forwarded-Proto` header to be set.\n\nBe aware\ \ that if you are running multiple nodes of this service, the health status\ \ will never\nrefer to the cluster state, only to a single instance." operationId: isInstanceReady responses: "200": content: application/json: schema: $ref: '#/components/schemas/healthStatus' description: healthStatus "503": content: application/json: schema: $ref: '#/components/schemas/healthNotReadyStatus' description: healthNotReadyStatus summary: Check Readiness Status tags: - public /keys/{set}: delete: description: "Use this endpoint to delete a complete JSON Web Key Set and all\ \ the keys in that set.\n\nA JSON Web Key (JWK) is a JavaScript Object Notation\ \ (JSON) data structure that represents a cryptographic key. A JWK Set is\ \ a JSON data structure that represents a set of JWKs. A JSON Web Key is identified\ \ by its set and key id. ORY Hydra uses this functionality to store cryptographic\ \ keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens),\ \ and allows storing user-defined keys as well." operationId: deleteJsonWebKeySet parameters: - description: The set in: path name: set required: true schema: type: string responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "403": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Delete a JSON Web Key Set tags: - admin get: description: "This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.\n\ \nA JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure\ \ that represents a cryptographic key. A JWK Set is a JSON data structure\ \ that represents a set of JWKs. A JSON Web Key is identified by its set and\ \ key id. ORY Hydra uses this functionality to store cryptographic keys used\ \ for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows\ \ storing user-defined keys as well." operationId: getJsonWebKeySet parameters: - description: The set in: path name: set required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/JSONWebKeySet' description: JSONWebKeySet "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "403": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Retrieve a JSON Web Key Set tags: - admin post: description: "This endpoint is capable of generating JSON Web Key Sets for you.\ \ There a different strategies available, such as symmetric cryptographic\ \ keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If\ \ the specified JSON Web Key Set does not exist, it will be created.\n\nA\ \ JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure\ \ that represents a cryptographic key. A JWK Set is a JSON data structure\ \ that represents a set of JWKs. A JSON Web Key is identified by its set and\ \ key id. ORY Hydra uses this functionality to store cryptographic keys used\ \ for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows\ \ storing user-defined keys as well." operationId: createJsonWebKeySet parameters: - description: The set in: path name: set required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/jsonWebKeySetGeneratorRequest' required: false responses: "201": content: application/json: schema: $ref: '#/components/schemas/JSONWebKeySet' description: JSONWebKeySet "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "403": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Generate a New JSON Web Key tags: - admin x-codegen-request-body-name: Body put: description: "Use this method if you do not want to let Hydra generate the JWKs\ \ for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript\ \ Object Notation (JSON) data structure that represents a cryptographic key.\ \ A JWK Set is a JSON data structure that represents a set of JWKs. A JSON\ \ Web Key is identified by its set and key id. ORY Hydra uses this functionality\ \ to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID\ \ Connect ID tokens), and allows storing user-defined keys as well." operationId: updateJsonWebKeySet parameters: - description: The set in: path name: set required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/JSONWebKeySet' required: false responses: "200": content: application/json: schema: $ref: '#/components/schemas/JSONWebKeySet' description: JSONWebKeySet "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "403": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Update a JSON Web Key Set tags: - admin x-codegen-request-body-name: Body /keys/{set}/{kid}: delete: description: "Use this endpoint to delete a single JSON Web Key.\n\nA JSON Web\ \ Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents\ \ a cryptographic key. A JWK Set is a JSON data structure that represents\ \ a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra\ \ uses this functionality to store cryptographic keys used for TLS and JSON\ \ Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined\ \ keys as well." operationId: deleteJsonWebKey parameters: - description: The kid of the desired key in: path name: kid required: true schema: type: string - description: The set in: path name: set required: true schema: type: string responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "403": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Delete a JSON Web Key tags: - admin get: description: "This endpoint returns a singular JSON Web Key, identified by the\ \ set and the specific key ID (kid)." operationId: getJsonWebKey parameters: - description: The kid of the desired key in: path name: kid required: true schema: type: string - description: The set in: path name: set required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/JSONWebKeySet' description: JSONWebKeySet "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Fetch a JSON Web Key tags: - admin put: description: "Use this method if you do not want to let Hydra generate the JWKs\ \ for you, but instead save your own.\n\nA JSON Web Key (JWK) is a JavaScript\ \ Object Notation (JSON) data structure that represents a cryptographic key.\ \ A JWK Set is a JSON data structure that represents a set of JWKs. A JSON\ \ Web Key is identified by its set and key id. ORY Hydra uses this functionality\ \ to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID\ \ Connect ID tokens), and allows storing user-defined keys as well." operationId: updateJsonWebKey parameters: - description: The kid of the desired key in: path name: kid required: true schema: type: string - description: The set in: path name: set required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/JSONWebKey' required: false responses: "200": content: application/json: schema: $ref: '#/components/schemas/JSONWebKey' description: JSONWebKey "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "403": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Update a JSON Web Key tags: - admin x-codegen-request-body-name: Body /metrics/prometheus: get: description: "If you're using k8s, you can then add annotations to your deployment\ \ like so:\n\n```\nmetadata:\nannotations:\nprometheus.io/port: \"4445\"\n\ prometheus.io/path: \"/metrics/prometheus\"\n```\n\nIf the service supports\ \ TLS Edge Termination, this endpoint does not require the\n`X-Forwarded-Proto`\ \ header to be set." operationId: prometheus responses: "200": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." summary: Get Snapshot Metrics from the Hydra Service. tags: - admin /oauth2/auth: get: description: "This endpoint is not documented here because you should never\ \ use your own implementation to perform OAuth2 flows.\nOAuth2 is a very popular\ \ protocol and a library for your programming language will exists.\n\nTo\ \ learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749" operationId: oauthAuth responses: "302": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: The OAuth 2.0 Authorize Endpoint tags: - public /oauth2/auth/requests/consent: get: description: "When an authorization code, hybrid, or implicit OAuth 2.0 Flow\ \ is initiated, ORY Hydra asks the login provider\nto authenticate the subject\ \ and then tell ORY Hydra now about it. If the subject authenticated, he/she\ \ must now be asked if\nthe OAuth 2.0 Client which initiated the flow should\ \ be allowed to access the resources on the subject's behalf.\n\nThe consent\ \ provider which handles this request and is a web app implemented and hosted\ \ by you. It shows a subject interface which asks the subject to\ngrant or\ \ deny the client access to the requested scope (\"Application my-dropbox-app\ \ wants write access to all your private files\").\n\nThe consent challenge\ \ is appended to the consent provider's URL to which the subject's user-agent\ \ (browser) is redirected to. The consent\nprovider uses that challenge to\ \ fetch information on the OAuth2 request and then tells ORY Hydra if the\ \ subject accepted\nor rejected the request." operationId: getConsentRequest parameters: - in: query name: consent_challenge required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/consentRequest' description: consentRequest "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "409": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Get Consent Request Information tags: - admin /oauth2/auth/requests/consent/accept: put: description: "When an authorization code, hybrid, or implicit OAuth 2.0 Flow\ \ is initiated, ORY Hydra asks the login provider\nto authenticate the subject\ \ and then tell ORY Hydra now about it. If the subject authenticated, he/she\ \ must now be asked if\nthe OAuth 2.0 Client which initiated the flow should\ \ be allowed to access the resources on the subject's behalf.\n\nThe consent\ \ provider which handles this request and is a web app implemented and hosted\ \ by you. It shows a subject interface which asks the subject to\ngrant or\ \ deny the client access to the requested scope (\"Application my-dropbox-app\ \ wants write access to all your private files\").\n\nThe consent challenge\ \ is appended to the consent provider's URL to which the subject's user-agent\ \ (browser) is redirected to. The consent\nprovider uses that challenge to\ \ fetch information on the OAuth2 request and then tells ORY Hydra if the\ \ subject accepted\nor rejected the request.\n\nThis endpoint tells ORY Hydra\ \ that the subject has authorized the OAuth 2.0 client to access resources\ \ on his/her behalf.\nThe consent provider includes additional information,\ \ such as session data for access and ID tokens, and if the\nconsent request\ \ should be used as basis for future requests.\n\nThe response contains a\ \ redirect URL which the consent provider should redirect the user-agent to." operationId: acceptConsentRequest parameters: - in: query name: consent_challenge required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/acceptConsentRequest' required: false responses: "200": content: application/json: schema: $ref: '#/components/schemas/completedRequest' description: completedRequest "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Accept a Consent Request tags: - admin x-codegen-request-body-name: Body /oauth2/auth/requests/consent/reject: put: description: "When an authorization code, hybrid, or implicit OAuth 2.0 Flow\ \ is initiated, ORY Hydra asks the login provider\nto authenticate the subject\ \ and then tell ORY Hydra now about it. If the subject authenticated, he/she\ \ must now be asked if\nthe OAuth 2.0 Client which initiated the flow should\ \ be allowed to access the resources on the subject's behalf.\n\nThe consent\ \ provider which handles this request and is a web app implemented and hosted\ \ by you. It shows a subject interface which asks the subject to\ngrant or\ \ deny the client access to the requested scope (\"Application my-dropbox-app\ \ wants write access to all your private files\").\n\nThe consent challenge\ \ is appended to the consent provider's URL to which the subject's user-agent\ \ (browser) is redirected to. The consent\nprovider uses that challenge to\ \ fetch information on the OAuth2 request and then tells ORY Hydra if the\ \ subject accepted\nor rejected the request.\n\nThis endpoint tells ORY Hydra\ \ that the subject has not authorized the OAuth 2.0 client to access resources\ \ on his/her behalf.\nThe consent provider must include a reason why the consent\ \ was not granted.\n\nThe response contains a redirect URL which the consent\ \ provider should redirect the user-agent to." operationId: rejectConsentRequest parameters: - in: query name: consent_challenge required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/rejectRequest' required: false responses: "200": content: application/json: schema: $ref: '#/components/schemas/completedRequest' description: completedRequest "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Reject a Consent Request tags: - admin x-codegen-request-body-name: Body /oauth2/auth/requests/login: get: description: "When an authorization code, hybrid, or implicit OAuth 2.0 Flow\ \ is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity\ \ provider\") to authenticate the subject and then tell ORY Hydra now about\ \ it. The login\nprovider is an web-app you write and host, and it must be\ \ able to authenticate (\"show the subject a login screen\")\na subject (in\ \ OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication\ \ challenge is appended to the login provider URL to which the subject's user-agent\ \ (browser) is redirected to. The login\nprovider uses that challenge to fetch\ \ information on the OAuth2 request and then accept or reject the requested\ \ authentication process." operationId: getLoginRequest parameters: - in: query name: login_challenge required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/loginRequest' description: loginRequest "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "409": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Get a Login Request tags: - admin /oauth2/auth/requests/login/accept: put: description: "When an authorization code, hybrid, or implicit OAuth 2.0 Flow\ \ is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity\ \ provider\") to authenticate the subject and then tell ORY Hydra now about\ \ it. The login\nprovider is an web-app you write and host, and it must be\ \ able to authenticate (\"show the subject a login screen\")\na subject (in\ \ OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication\ \ challenge is appended to the login provider URL to which the subject's user-agent\ \ (browser) is redirected to. The login\nprovider uses that challenge to fetch\ \ information on the OAuth2 request and then accept or reject the requested\ \ authentication process.\n\nThis endpoint tells ORY Hydra that the subject\ \ has successfully authenticated and includes additional information such\ \ as\nthe subject's ID and if ORY Hydra should remember the subject's subject\ \ agent for future authentication attempts by setting\na cookie.\n\nThe response\ \ contains a redirect URL which the login provider should redirect the user-agent\ \ to." operationId: acceptLoginRequest parameters: - in: query name: login_challenge required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/acceptLoginRequest' required: false responses: "200": content: application/json: schema: $ref: '#/components/schemas/completedRequest' description: completedRequest "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Accept a Login Request tags: - admin x-codegen-request-body-name: Body /oauth2/auth/requests/login/reject: put: description: "When an authorization code, hybrid, or implicit OAuth 2.0 Flow\ \ is initiated, ORY Hydra asks the login provider\n(sometimes called \"identity\ \ provider\") to authenticate the subject and then tell ORY Hydra now about\ \ it. The login\nprovider is an web-app you write and host, and it must be\ \ able to authenticate (\"show the subject a login screen\")\na subject (in\ \ OAuth2 the proper name for subject is \"resource owner\").\n\nThe authentication\ \ challenge is appended to the login provider URL to which the subject's user-agent\ \ (browser) is redirected to. The login\nprovider uses that challenge to fetch\ \ information on the OAuth2 request and then accept or reject the requested\ \ authentication process.\n\nThis endpoint tells ORY Hydra that the subject\ \ has not authenticated and includes a reason why the authentication\nwas\ \ be denied.\n\nThe response contains a redirect URL which the login provider\ \ should redirect the user-agent to." operationId: rejectLoginRequest parameters: - in: query name: login_challenge required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/rejectRequest' required: false responses: "200": content: application/json: schema: $ref: '#/components/schemas/completedRequest' description: completedRequest "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Reject a Login Request tags: - admin x-codegen-request-body-name: Body /oauth2/auth/requests/logout: get: description: Use this endpoint to fetch a logout request. operationId: getLogoutRequest parameters: - in: query name: logout_challenge required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/logoutRequest' description: logoutRequest "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Get a Logout Request tags: - admin /oauth2/auth/requests/logout/accept: put: description: "When a user or an application requests ORY Hydra to log out a\ \ user, this endpoint is used to confirm that logout request.\nNo body is\ \ required.\n\nThe response contains a redirect URL which the consent provider\ \ should redirect the user-agent to." operationId: acceptLogoutRequest parameters: - in: query name: logout_challenge required: true schema: type: string responses: "200": content: application/json: schema: $ref: '#/components/schemas/completedRequest' description: completedRequest "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Accept a Logout Request tags: - admin /oauth2/auth/requests/logout/reject: put: description: "When a user or an application requests ORY Hydra to log out a\ \ user, this endpoint is used to deny that logout request.\nNo body is required.\n\ \nThe response is empty as the logout provider has to chose what action to\ \ perform next." operationId: rejectLogoutRequest parameters: - in: query name: logout_challenge required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/rejectRequest' application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/rejectRequest' required: false responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "404": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Reject a Logout Request tags: - admin x-codegen-request-body-name: Body /oauth2/auth/sessions/consent: delete: description: |- This endpoint revokes a subject's granted consent sessions for a specific OAuth 2.0 Client and invalidates all associated OAuth 2.0 Access Tokens. operationId: revokeConsentSessions parameters: - description: The subject (Subject) who's consent sessions should be deleted. in: query name: subject required: true schema: type: string - description: "If set, deletes only those consent sessions by the Subject that\ \ have been granted to the specified OAuth 2.0 Client ID" in: query name: client schema: type: string - description: "If set to `?all=true`, deletes all consent sessions by the Subject\ \ that have been granted." in: query name: all schema: type: boolean responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Revokes Consent Sessions of a Subject for a Specific OAuth 2.0 Client tags: - admin get: description: "This endpoint lists all subject's granted consent sessions, including\ \ client and granted scope.\nIf the subject is unknown or has not granted\ \ any consent sessions yet, the endpoint returns an\nempty JSON array with\ \ status code 200 OK.\n\n\nThe \"Link\" header is also included in successful\ \ responses, which contains one or more links for pagination, formatted like\ \ so: ';\ \ rel=\"{page}\"', where page is one of the following applicable pages: 'first',\ \ 'next', 'last', and 'previous'.\nMultiple links can be included in this\ \ header, and will be separated by a comma." operationId: listSubjectConsentSessions parameters: - in: query name: subject required: true schema: type: string responses: "200": content: application/json: schema: items: $ref: '#/components/schemas/PreviousConsentSession' type: array description: A list of used consent requests. "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Lists All Consent Sessions of a Subject tags: - admin /oauth2/auth/sessions/login: delete: description: "This endpoint invalidates a subject's authentication session.\ \ After revoking the authentication session, the subject\nhas to re-authenticate\ \ at ORY Hydra. This endpoint does not invalidate any tokens and does not\ \ work with OpenID Connect\nFront- or Back-channel logout." operationId: revokeAuthenticationSession parameters: - in: query name: subject required: true schema: type: string responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: |- Invalidates All Login Sessions of a Certain User Invalidates a Subject's Authentication Session tags: - admin /oauth2/flush: post: description: "This endpoint flushes expired OAuth2 access tokens from the database.\ \ You can set a time after which no tokens will be\nnot be touched, in case\ \ you want to keep recent tokens for auditing. Refresh tokens can not be flushed\ \ as they are deleted\nautomatically when performing the refresh flow." operationId: flushInactiveOAuth2Tokens requestBody: content: application/json: schema: $ref: '#/components/schemas/flushInactiveOAuth2TokensRequest' required: false responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Flush Expired OAuth2 Access Tokens tags: - admin x-codegen-request-body-name: Body /oauth2/introspect: post: description: "The introspection endpoint allows to check if a token (both refresh\ \ and access) is active or not. An active token\nis neither expired nor revoked.\ \ If a token is active, additional information on the token will be included.\ \ You can\nset additional data for a token by setting `accessTokenExtra` during\ \ the consent flow.\n\nFor more information [read this blog post](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/)." operationId: introspectOAuth2Token requestBody: content: application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/introspectOAuth2Token_request' required: true responses: "200": content: application/json: schema: $ref: '#/components/schemas/oAuth2TokenIntrospection' description: oAuth2TokenIntrospection "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Introspect OAuth2 Tokens tags: - admin /oauth2/revoke: post: description: "Revoking a token (both access and refresh) means that the tokens\ \ will be invalid. A revoked access token can no\nlonger be used to make access\ \ requests, and a revoked refresh token can no longer be used to refresh an\ \ access token.\nRevoking a refresh token also invalidates the access token\ \ that was created with it. A token may only be revoked by\nthe client the\ \ token was generated for." operationId: revokeOAuth2Token requestBody: content: application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/revokeOAuth2Token_request' required: true responses: "200": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError security: - basic: [] - oauth2: [] summary: Revoke OAuth2 Tokens tags: - public /oauth2/sessions/logout: get: description: |- This endpoint initiates and completes user logout at ORY Hydra and initiates OpenID Connect Front-/Back-channel logout: https://openid.net/specs/openid-connect-frontchannel-1_0.html https://openid.net/specs/openid-connect-backchannel-1_0.html operationId: disconnectUser responses: "302": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." summary: OpenID Connect Front-Backchannel Enabled Logout tags: - public /oauth2/token: post: description: "The client makes a request to the token endpoint by sending the\n\ following parameters using the \"application/x-www-form-urlencoded\" HTTP\n\ request entity-body.\n\n> Do not implement a client for this endpoint yourself.\ \ Use a library. There are many libraries\n> available for any programming\ \ language. You can find a list of libraries here: https://oauth.net/code/\n\ >\n> Do note that Hydra SDK does not implement this endpoint properly. Use\ \ one of the libraries listed above!" operationId: oauth2Token requestBody: content: application/x-www-form-urlencoded: schema: $ref: '#/components/schemas/oauth2Token_request' required: true responses: "200": content: application/json: schema: $ref: '#/components/schemas/oauth2TokenResponse' description: oauth2TokenResponse "400": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError security: - basic: [] - oauth2: [] summary: The OAuth 2.0 Token Endpoint tags: - public /oauth2/tokens: delete: description: This endpoint deletes OAuth2 access tokens issued for a client from the database operationId: deleteOAuth2Token parameters: - in: query name: client_id required: true schema: type: string responses: "204": content: {} description: "Empty responses are sent when, for example, resources are\ \ deleted. The HTTP status code for empty responses is\ntypically 201." "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError summary: Delete OAuth2 Access Tokens from a Client tags: - admin /userinfo: get: description: "This endpoint returns the payload of the ID Token, including the\ \ idTokenExtra values, of\nthe provided OAuth 2.0 Access Token.\n\nFor more\ \ information please [refer to the spec](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)." operationId: userinfo responses: "200": content: application/json: schema: $ref: '#/components/schemas/userinfoResponse' description: userinfoResponse "401": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError "500": content: application/json: schema: $ref: '#/components/schemas/genericError' description: genericError security: - oauth2: [] summary: OpenID Connect Userinfo tags: - public /version: get: description: "This endpoint returns the service version typically notated using\ \ semantic versioning.\n\nIf the service supports TLS Edge Termination, this\ \ endpoint does not require the\n`X-Forwarded-Proto` header to be set." operationId: getVersion responses: "200": content: application/json: schema: $ref: '#/components/schemas/version' description: version summary: Get Service Version tags: - admin components: schemas: ContainerWaitOKBodyError: description: "ContainerWaitOKBodyError container waiting error, if any" properties: Message: description: Details of an error type: string type: object JSONRawMessage: title: "JSONRawMessage represents a json.RawMessage that works well with JSON,\ \ SQL, and Swagger." type: object JSONWebKey: description: |- It is important that this model object is named JSONWebKey for "swagger generate spec" to generate only on definition of a JSONWebKey. example: d: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE e: AQAB crv: P-256 use: sig kid: 1603dfe0af8f4596 x5c: - x5c - x5c k: GawgguFyGrWKav7AX4VKUg dp: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0 dq: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk "n": vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0 p: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ kty: RSA q: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ qi: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU x: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU "y": x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0 alg: RS256 properties: alg: description: "The \"alg\" (algorithm) parameter identifies the algorithm\ \ intended for\nuse with the key. The values used should either be registered\ \ in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\n\ established by [JWA] or be a value that contains a Collision-\nResistant\ \ Name." example: RS256 type: string crv: example: P-256 type: string d: example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE type: string dp: example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0 type: string dq: example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk type: string e: example: AQAB type: string k: example: GawgguFyGrWKav7AX4VKUg type: string kid: description: "The \"kid\" (key ID) parameter is used to match a specific\ \ key. This\nis used, for instance, to choose among a set of keys within\ \ a JWK Set\nduring key rollover. The structure of the \"kid\" value\ \ is\nunspecified. When \"kid\" values are used within a JWK Set, different\n\ keys within the JWK Set SHOULD use distinct \"kid\" values. (One\nexample\ \ in which different keys might use the same \"kid\" value is if\nthey\ \ have different \"kty\" (key type) values but are considered to be\n\ equivalent alternatives by the application using them.) The \"kid\"\n\ value is a case-sensitive string." example: 1603dfe0af8f4596 type: string kty: description: "The \"kty\" (key type) parameter identifies the cryptographic\ \ algorithm\nfamily used with the key, such as \"RSA\" or \"EC\". \"kty\"\ \ values should\neither be registered in the IANA \"JSON Web Key Types\"\ \ registry\nestablished by [JWA] or be a value that contains a Collision-\n\ Resistant Name. The \"kty\" value is a case-sensitive string." example: RSA type: string "n": example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0 type: string p: example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ type: string q: example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ type: string qi: example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU type: string use: description: |- Use ("public key use") identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values are commonly "sig" (signature) or "enc" (encryption). example: sig type: string x: example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU type: string x5c: description: "The \"x5c\" (X.509 certificate chain) parameter contains a\ \ chain of one\nor more PKIX certificates [RFC5280]. The certificate\ \ chain is\nrepresented as a JSON array of certificate value strings.\ \ Each\nstring in the array is a base64-encoded (Section 4 of [RFC4648]\ \ --\nnot base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.\n\ The PKIX certificate containing the key value MUST be the first\ncertificate." items: type: string type: array "y": example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0 type: string required: - alg - kid - kty - use type: object JSONWebKeySet: description: "It is important that this model object is named JSONWebKeySet\ \ for\n\"swagger generate spec\" to generate only on definition of a\nJSONWebKeySet.\ \ Since one with the same name is previously defined as\nclient.Client.JSONWebKeys\ \ and this one is last, this one will be\neffectively written in the swagger\ \ spec." example: keys: - d: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE e: AQAB crv: P-256 use: sig kid: 1603dfe0af8f4596 x5c: - x5c - x5c k: GawgguFyGrWKav7AX4VKUg dp: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0 dq: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk "n": vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0 p: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ kty: RSA q: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ qi: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU x: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU "y": x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0 alg: RS256 - d: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE e: AQAB crv: P-256 use: sig kid: 1603dfe0af8f4596 x5c: - x5c - x5c k: GawgguFyGrWKav7AX4VKUg dp: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0 dq: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk "n": vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0 p: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ kty: RSA q: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ qi: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU x: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU "y": x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0 alg: RS256 properties: keys: description: "The value of the \"keys\" parameter is an array of JWK values.\ \ By\ndefault, the order of the JWK values within the array does not\ \ imply\nan order of preference among them, although applications of JWK\ \ Sets\ncan choose to assign a meaning to the order for their purposes,\ \ if\ndesired." items: $ref: '#/components/schemas/JSONWebKey' type: array type: object JoseJSONWebKeySet: type: object NullTime: format: date-time title: NullTime implements sql.NullTime functionality. type: string PluginConfig: properties: Args: $ref: '#/components/schemas/PluginConfigArgs' Description: description: description type: string DockerVersion: description: Docker Version used to create the plugin type: string Documentation: description: documentation type: string Entrypoint: description: entrypoint items: type: string type: array Env: description: env items: $ref: '#/components/schemas/PluginEnv' type: array Interface: $ref: '#/components/schemas/PluginConfigInterface' IpcHost: description: ipc host type: boolean Linux: $ref: '#/components/schemas/PluginConfigLinux' Mounts: description: mounts items: $ref: '#/components/schemas/PluginMount' type: array Network: $ref: '#/components/schemas/PluginConfigNetwork' PidHost: description: pid host type: boolean PropagatedMount: description: propagated mount type: string User: $ref: '#/components/schemas/PluginConfigUser' WorkDir: description: work dir type: string rootfs: $ref: '#/components/schemas/PluginConfigRootfs' required: - Args - Description - Documentation - Entrypoint - Env - Interface - IpcHost - Linux - Mounts - Network - PidHost - PropagatedMount - WorkDir title: PluginConfig The config of a plugin. type: object PluginConfigArgs: description: PluginConfigArgs plugin config args properties: Description: description: description type: string Name: description: name type: string Settable: description: settable items: type: string type: array Value: description: value items: type: string type: array required: - Description - Name - Settable - Value type: object PluginConfigInterface: description: PluginConfigInterface The interface between Docker and the plugin properties: ProtocolScheme: description: Protocol to use for clients connecting to the plugin. type: string Socket: description: socket type: string Types: description: types items: $ref: '#/components/schemas/PluginInterfaceType' type: array required: - Socket - Types type: object PluginConfigLinux: description: PluginConfigLinux plugin config linux properties: AllowAllDevices: description: allow all devices type: boolean Capabilities: description: capabilities items: type: string type: array Devices: description: devices items: $ref: '#/components/schemas/PluginDevice' type: array required: - AllowAllDevices - Capabilities - Devices type: object PluginConfigNetwork: description: PluginConfigNetwork plugin config network properties: Type: description: type type: string required: - Type type: object PluginConfigRootfs: description: PluginConfigRootfs plugin config rootfs properties: diff_ids: description: diff ids items: type: string type: array type: description: type type: string type: object PluginConfigUser: description: PluginConfigUser plugin config user properties: GID: description: g ID format: uint32 type: integer UID: description: UID format: uint32 type: integer type: object PluginDevice: description: PluginDevice plugin device properties: Description: description: description type: string Name: description: name type: string Path: description: path type: string Settable: description: settable items: type: string type: array required: - Description - Name - Path - Settable type: object PluginEnv: description: PluginEnv plugin env properties: Description: description: description type: string Name: description: name type: string Settable: description: settable items: type: string type: array Value: description: value type: string required: - Description - Name - Settable - Value type: object PluginInterfaceType: description: PluginInterfaceType plugin interface type properties: Capability: description: capability type: string Prefix: description: prefix type: string Version: description: version type: string required: - Capability - Prefix - Version type: object PluginMount: description: PluginMount plugin mount properties: Description: description: description type: string Destination: description: destination type: string Name: description: name type: string Options: description: options items: type: string type: array Settable: description: settable items: type: string type: array Source: description: source type: string Type: description: type type: string required: - Description - Destination - Name - Options - Settable - Source - Type type: object PluginSettings: properties: Args: description: args items: type: string type: array Devices: description: devices items: $ref: '#/components/schemas/PluginDevice' type: array Env: description: env items: type: string type: array Mounts: description: mounts items: $ref: '#/components/schemas/PluginMount' type: array required: - Args - Devices - Env - Mounts title: PluginSettings Settings that can be modified by users. type: object PreviousConsentSession: description: "The response used to return used consent requests\nsame as HandledLoginRequest,\ \ just with consent_request exposed as json" example: remember: true consent_request: requested_access_token_audience: - requested_access_token_audience - requested_access_token_audience acr: acr login_challenge: login_challenge subject: subject context: "{}" oidc_context: login_hint: login_hint ui_locales: - ui_locales - ui_locales id_token_hint_claims: "{}" acr_values: - acr_values - acr_values display: display challenge: challenge client: metadata: "{}" token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg client_uri: client_uri jwks: "{}" logo_uri: logo_uri created_at: 2000-01-23T04:56:07.000+00:00 allowed_cors_origins: - allowed_cors_origins - allowed_cors_origins client_id: client_id token_endpoint_auth_method: token_endpoint_auth_method userinfo_signed_response_alg: userinfo_signed_response_alg updated_at: 2000-01-23T04:56:07.000+00:00 scope: scope request_uris: - request_uris - request_uris client_secret: client_secret backchannel_logout_session_required: true backchannel_logout_uri: backchannel_logout_uri client_name: client_name policy_uri: policy_uri owner: owner audience: - audience - audience post_logout_redirect_uris: - post_logout_redirect_uris - post_logout_redirect_uris grant_types: - grant_types - grant_types subject_type: subject_type redirect_uris: - redirect_uris - redirect_uris sector_identifier_uri: sector_identifier_uri frontchannel_logout_session_required: true frontchannel_logout_uri: frontchannel_logout_uri client_secret_expires_at: 0 jwks_uri: jwks_uri request_object_signing_alg: request_object_signing_alg tos_uri: tos_uri contacts: - contacts - contacts response_types: - response_types - response_types skip: true login_session_id: login_session_id request_url: request_url requested_scope: - requested_scope - requested_scope session: access_token: "{}" id_token: "{}" grant_access_token_audience: - grant_access_token_audience - grant_access_token_audience handled_at: 2000-01-23T04:56:07.000+00:00 grant_scope: - grant_scope - grant_scope remember_for: 0 properties: consent_request: $ref: '#/components/schemas/consentRequest' grant_access_token_audience: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array grant_scope: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array handled_at: format: date-time title: NullTime implements sql.NullTime functionality. type: string remember: description: "Remember, if set to true, tells ORY Hydra to remember this\ \ consent authorization and reuse it if the same\nclient asks the same\ \ user for the same, or a subset of, scope." type: boolean remember_for: description: "RememberFor sets how long the consent authorization should\ \ be remembered for in seconds. If set to `0`, the\nauthorization will\ \ be remembered indefinitely." format: int64 type: integer session: $ref: '#/components/schemas/consentRequestSession' type: object StringSlicePipeDelimiter: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array Volume: description: Volume volume properties: CreatedAt: description: Date/Time the volume was created. type: string Driver: description: Name of the volume driver used by the volume. type: string Labels: additionalProperties: type: string description: User-defined key/value metadata. type: object Mountpoint: description: Mount path of the volume on the host. type: string Name: description: Name of the volume. type: string Options: additionalProperties: type: string description: The driver specific options used when creating the volume. type: object Scope: description: "The level at which the volume exists. Either `global` for\ \ cluster-wide, or `local` for machine level." type: string Status: description: "Low-level details about the volume, provided by the volume\ \ driver.\nDetails are returned as a map with key/value pairs:\n`{\"key\"\ :\"value\",\"key2\":\"value2\"}`.\n\nThe `Status` field is optional, and\ \ is omitted if the volume driver\ndoes not support this feature." properties: {} type: object UsageData: $ref: '#/components/schemas/VolumeUsageData' required: - Driver - Labels - Mountpoint - Name - Options - Scope type: object VolumeUsageData: description: "VolumeUsageData Usage details about the volume. This information\ \ is used by the\n`GET /system/df` endpoint, and omitted in other endpoints." properties: RefCount: description: |- The number of containers referencing this volume. This field is set to `-1` if the reference-count is not available. format: int64 type: integer Size: description: "Amount of disk space used by the volume (in bytes). This information\n\ is only available for volumes created with the `\"local\"` volume\ndriver.\ \ For volumes created with other volume drivers, this field\nis set to\ \ `-1` (\"not available\")" format: int64 type: integer required: - RefCount - Size type: object acceptConsentRequest: properties: grant_access_token_audience: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array grant_scope: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array handled_at: format: date-time title: NullTime implements sql.NullTime functionality. type: string remember: description: "Remember, if set to true, tells ORY Hydra to remember this\ \ consent authorization and reuse it if the same\nclient asks the same\ \ user for the same, or a subset of, scope." type: boolean remember_for: description: "RememberFor sets how long the consent authorization should\ \ be remembered for in seconds. If set to `0`, the\nauthorization will\ \ be remembered indefinitely." format: int64 type: integer session: $ref: '#/components/schemas/consentRequestSession' title: The request payload used to accept a consent request. type: object acceptLoginRequest: properties: acr: description: "ACR sets the Authentication AuthorizationContext Class Reference\ \ value for this authentication session. You can use it\nto express that,\ \ for example, a user authenticated using two factor authentication." type: string context: title: "JSONRawMessage represents a json.RawMessage that works well with\ \ JSON, SQL, and Swagger." type: object force_subject_identifier: description: "ForceSubjectIdentifier forces the \"pairwise\" user ID of\ \ the end-user that authenticated. The \"pairwise\" user ID refers to\ \ the\n(Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg]\ \ of the OpenID\nConnect specification. It allows you to set an obfuscated\ \ subject (\"user\") identifier that is unique to the client.\n\nPlease\ \ note that this changes the user ID on endpoint /userinfo and sub claim\ \ of the ID Token. It does not change the\nsub claim in the OAuth 2.0\ \ Introspection.\n\nPer default, ORY Hydra handles this value with its\ \ own algorithm. In case you want to set this yourself\nyou can use this\ \ field. Please note that setting this field has no effect if `pairwise`\ \ is not configured in\nORY Hydra or the OAuth 2.0 Client does not expect\ \ a pairwise identifier (set via `subject_type` key in the client's\n\ configuration).\n\nPlease also be aware that ORY Hydra is unable to properly\ \ compute this value during authentication. This implies\nthat you have\ \ to compute this value on every authentication process (probably depending\ \ on the client ID or some\nother unique value).\n\nIf you fail to compute\ \ the proper value, then authentication processes which have id_token_hint\ \ set might fail." type: string remember: description: "Remember, if set to true, tells ORY Hydra to remember this\ \ user by telling the user agent (browser) to store\na cookie with authentication\ \ data. If the same user performs another OAuth 2.0 Authorization Request,\ \ he/she\nwill not be asked to log in again." type: boolean remember_for: description: "RememberFor sets how long the authentication should be remembered\ \ for in seconds. If set to `0`, the\nauthorization will be remembered\ \ for the duration of the browser session (using a session cookie)." format: int64 type: integer subject: description: Subject is the user ID of the end-user that authenticated. type: string required: - subject title: HandledLoginRequest is the request payload used to accept a login request. type: object completedRequest: example: redirect_to: redirect_to properties: redirect_to: description: RedirectURL is the URL which you should redirect the user to once the authentication process is completed. type: string required: - redirect_to title: The response payload sent when accepting or rejecting a login or consent request. type: object consentRequest: example: requested_access_token_audience: - requested_access_token_audience - requested_access_token_audience acr: acr login_challenge: login_challenge subject: subject context: "{}" oidc_context: login_hint: login_hint ui_locales: - ui_locales - ui_locales id_token_hint_claims: "{}" acr_values: - acr_values - acr_values display: display challenge: challenge client: metadata: "{}" token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg client_uri: client_uri jwks: "{}" logo_uri: logo_uri created_at: 2000-01-23T04:56:07.000+00:00 allowed_cors_origins: - allowed_cors_origins - allowed_cors_origins client_id: client_id token_endpoint_auth_method: token_endpoint_auth_method userinfo_signed_response_alg: userinfo_signed_response_alg updated_at: 2000-01-23T04:56:07.000+00:00 scope: scope request_uris: - request_uris - request_uris client_secret: client_secret backchannel_logout_session_required: true backchannel_logout_uri: backchannel_logout_uri client_name: client_name policy_uri: policy_uri owner: owner audience: - audience - audience post_logout_redirect_uris: - post_logout_redirect_uris - post_logout_redirect_uris grant_types: - grant_types - grant_types subject_type: subject_type redirect_uris: - redirect_uris - redirect_uris sector_identifier_uri: sector_identifier_uri frontchannel_logout_session_required: true frontchannel_logout_uri: frontchannel_logout_uri client_secret_expires_at: 0 jwks_uri: jwks_uri request_object_signing_alg: request_object_signing_alg tos_uri: tos_uri contacts: - contacts - contacts response_types: - response_types - response_types skip: true login_session_id: login_session_id request_url: request_url requested_scope: - requested_scope - requested_scope properties: acr: description: "ACR represents the Authentication AuthorizationContext Class\ \ Reference value for this authentication session. You can use it\nto\ \ express that, for example, a user authenticated using two factor authentication." type: string challenge: description: |- ID is the identifier ("authorization challenge") of the consent authorization request. It is used to identify the session. type: string client: $ref: '#/components/schemas/oAuth2Client' context: title: "JSONRawMessage represents a json.RawMessage that works well with\ \ JSON, SQL, and Swagger." type: object login_challenge: description: |- LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. type: string login_session_id: description: |- LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. type: string oidc_context: $ref: '#/components/schemas/openIDConnectContext' request_url: description: "RequestURL is the original OAuth 2.0 Authorization URL requested\ \ by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0\ \ Authorization Code or OAuth 2.0 Implicit flow. This URL is typically\ \ not needed, but\nmight come in handy if you want to deal with additional\ \ request parameters." type: string requested_access_token_audience: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array requested_scope: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array skip: description: "Skip, if true, implies that the client has requested the same\ \ scopes from the same user previously.\nIf true, you must not ask the\ \ user to grant the requested scopes. You must however either allow or\ \ deny the\nconsent request using the usual API call." type: boolean subject: description: "Subject is the user ID of the end-user that authenticated.\ \ Now, that end user needs to grant or deny the scope\nrequested by the\ \ OAuth 2.0 client." type: string required: - challenge title: Contains information on an ongoing consent request. type: object consentRequestSession: example: access_token: "{}" id_token: "{}" properties: access_token: description: "AccessToken sets session data for the access and refresh token,\ \ as well as any future tokens issued by the\nrefresh grant. Keep in mind\ \ that this data will be available to anyone performing OAuth 2.0 Challenge\ \ Introspection.\nIf only your services can perform OAuth 2.0 Challenge\ \ Introspection, this is usually fine. But if third parties\ncan access\ \ that endpoint as well, sensitive data from the session might be exposed\ \ to them. Use with care!" properties: {} type: object id_token: description: |- IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care! properties: {} type: object title: Used to pass session data to a consent request. type: object flushInactiveOAuth2TokensRequest: properties: notAfter: description: |- NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history of recently issued tokens for auditing. format: date-time type: string type: object genericError: description: "Error responses are sent when an error (e.g. unauthorized, bad\ \ request, ...) occurred." properties: debug: description: Debug contains debug information. This is usually not available and has to be enabled. example: The database adapter was unable to find the element type: string error: description: Name is the error name. example: The requested resource could not be found type: string error_description: description: Description contains further information on the nature of the error. example: Object with ID 12345 does not exist type: string status_code: description: "Code represents the error status code (404, 403, 401, ...)." example: 404 format: int64 type: integer required: - error title: Error response type: object healthNotReadyStatus: properties: errors: additionalProperties: type: string description: Errors contains a list of errors that caused the not ready status. type: object type: object healthStatus: example: status: status properties: status: description: Status always contains "ok". type: string type: object jsonWebKeySetGeneratorRequest: properties: alg: description: "The algorithm to be used for creating the key. Supports \"\ RS256\", \"ES512\", \"HS512\", and \"HS256\"" type: string kid: description: The kid of the key to be created type: string use: description: |- The "use" (public key use) parameter identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Valid values are "enc" and "sig". type: string required: - alg - kid - use type: object loginRequest: example: requested_access_token_audience: - requested_access_token_audience - requested_access_token_audience subject: subject oidc_context: login_hint: login_hint ui_locales: - ui_locales - ui_locales id_token_hint_claims: "{}" acr_values: - acr_values - acr_values display: display challenge: challenge client: metadata: "{}" token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg client_uri: client_uri jwks: "{}" logo_uri: logo_uri created_at: 2000-01-23T04:56:07.000+00:00 allowed_cors_origins: - allowed_cors_origins - allowed_cors_origins client_id: client_id token_endpoint_auth_method: token_endpoint_auth_method userinfo_signed_response_alg: userinfo_signed_response_alg updated_at: 2000-01-23T04:56:07.000+00:00 scope: scope request_uris: - request_uris - request_uris client_secret: client_secret backchannel_logout_session_required: true backchannel_logout_uri: backchannel_logout_uri client_name: client_name policy_uri: policy_uri owner: owner audience: - audience - audience post_logout_redirect_uris: - post_logout_redirect_uris - post_logout_redirect_uris grant_types: - grant_types - grant_types subject_type: subject_type redirect_uris: - redirect_uris - redirect_uris sector_identifier_uri: sector_identifier_uri frontchannel_logout_session_required: true frontchannel_logout_uri: frontchannel_logout_uri client_secret_expires_at: 0 jwks_uri: jwks_uri request_object_signing_alg: request_object_signing_alg tos_uri: tos_uri contacts: - contacts - contacts response_types: - response_types - response_types session_id: session_id skip: true request_url: request_url requested_scope: - requested_scope - requested_scope properties: challenge: description: |- ID is the identifier ("login challenge") of the login request. It is used to identify the session. type: string client: $ref: '#/components/schemas/oAuth2Client' oidc_context: $ref: '#/components/schemas/openIDConnectContext' request_url: description: "RequestURL is the original OAuth 2.0 Authorization URL requested\ \ by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0\ \ Authorization Code or OAuth 2.0 Implicit flow. This URL is typically\ \ not needed, but\nmight come in handy if you want to deal with additional\ \ request parameters." type: string requested_access_token_audience: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array requested_scope: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array session_id: description: |- SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. type: string skip: description: "Skip, if true, implies that the client has requested the same\ \ scopes from the same user previously.\nIf true, you can skip asking\ \ the user to grant the requested scopes, and simply forward the user\ \ to the redirect URL.\n\nThis feature allows you to update / set session\ \ information." type: boolean subject: description: "Subject is the user ID of the end-user that authenticated.\ \ Now, that end user needs to grant or deny the scope\nrequested by the\ \ OAuth 2.0 client. If this value is set and `skip` is true, you MUST\ \ include this subject type\nwhen accepting the login request, or the\ \ request will fail." type: string required: - challenge - client - request_url - requested_access_token_audience - requested_scope - skip - subject title: Contains information on an ongoing login request. type: object logoutRequest: example: subject: subject rp_initiated: true request_url: request_url sid: sid properties: request_url: description: RequestURL is the original Logout URL requested. type: string rp_initiated: description: "RPInitiated is set to true if the request was initiated by\ \ a Relying Party (RP), also known as an OAuth 2.0 Client." type: boolean sid: description: SessionID is the login session ID that was requested to log out. type: string subject: description: Subject is the user for whom the logout was request. type: string title: Contains information about an ongoing logout request. type: object oAuth2Client: example: metadata: "{}" token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg client_uri: client_uri jwks: "{}" logo_uri: logo_uri created_at: 2000-01-23T04:56:07.000+00:00 allowed_cors_origins: - allowed_cors_origins - allowed_cors_origins client_id: client_id token_endpoint_auth_method: token_endpoint_auth_method userinfo_signed_response_alg: userinfo_signed_response_alg updated_at: 2000-01-23T04:56:07.000+00:00 scope: scope request_uris: - request_uris - request_uris client_secret: client_secret backchannel_logout_session_required: true backchannel_logout_uri: backchannel_logout_uri client_name: client_name policy_uri: policy_uri owner: owner audience: - audience - audience post_logout_redirect_uris: - post_logout_redirect_uris - post_logout_redirect_uris grant_types: - grant_types - grant_types subject_type: subject_type redirect_uris: - redirect_uris - redirect_uris sector_identifier_uri: sector_identifier_uri frontchannel_logout_session_required: true frontchannel_logout_uri: frontchannel_logout_uri client_secret_expires_at: 0 jwks_uri: jwks_uri request_object_signing_alg: request_object_signing_alg tos_uri: tos_uri contacts: - contacts - contacts response_types: - response_types - response_types properties: allowed_cors_origins: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array audience: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array backchannel_logout_session_required: description: "Boolean value specifying whether the RP requires that a sid\ \ (session ID) Claim be included in the Logout\nToken to identify the\ \ RP session with the OP when the backchannel_logout_uri is used.\nIf\ \ omitted, the default value is false." type: boolean backchannel_logout_uri: description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. type: string client_id: description: ID is the id for this client. type: string client_name: description: |- Name is the human-readable string name of the client to be presented to the end-user during authorization. type: string client_secret: description: "Secret is the client's secret. The secret will be included\ \ in the create request as cleartext, and then\nnever again. The secret\ \ is stored using BCrypt so it is impossible to recover it. Tell your\ \ users\nthat they need to write the secret down as it will not be made\ \ available again." type: string client_secret_expires_at: description: |- SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0. format: int64 type: integer client_uri: description: "ClientURI is an URL string of a web page providing information\ \ about the client.\nIf present, the server SHOULD display this URL to\ \ the end-user in\na clickable fashion." type: string contacts: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array created_at: description: CreatedAt returns the timestamp of the client's creation. format: date-time type: string frontchannel_logout_session_required: description: "Boolean value specifying whether the RP requires that iss\ \ (issuer) and sid (session ID) query parameters be\nincluded to identify\ \ the RP session with the OP when the frontchannel_logout_uri is used.\n\ If omitted, the default value is false." type: boolean frontchannel_logout_uri: description: "RP URL that will cause the RP to log itself out when rendered\ \ in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session\ \ ID) query parameter MAY be included by the OP to enable the RP to validate\ \ the\nrequest and to determine which of the potentially multiple sessions\ \ is to be logged out; if either is\nincluded, both MUST be." type: string grant_types: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array jwks: type: object jwks_uri: description: "URL for the Client's JSON Web Key Set [JWK] document. If the\ \ Client signs requests to the Server, it contains\nthe signing key(s)\ \ the Server uses to validate signatures from the Client. The JWK Set\ \ MAY also contain the\nClient's encryption keys(s), which are used by\ \ the Server to encrypt responses to the Client. When both signing\nand\ \ encryption keys are made available, a use (Key Use) parameter value\ \ is REQUIRED for all keys in the referenced\nJWK Set to indicate each\ \ key's intended usage. Although some algorithms allow the same key to\ \ be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED,\ \ as it is less secure. The JWK x5c parameter MAY be used\nto provide\ \ X.509 representations of keys provided. When used, the bare key values\ \ MUST still be present and MUST\nmatch those in the certificate." type: string logo_uri: description: LogoURI is an URL string that references a logo for the client. type: string metadata: title: "JSONRawMessage represents a json.RawMessage that works well with\ \ JSON, SQL, and Swagger." type: object owner: description: Owner is a string identifying the owner of the OAuth 2.0 Client. type: string policy_uri: description: "PolicyURI is a URL string that points to a human-readable\ \ privacy policy document\nthat describes how the deployment organization\ \ collects, uses,\nretains, and discloses personal data." type: string post_logout_redirect_uris: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array redirect_uris: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array request_object_signing_alg: description: "JWS [JWS] alg algorithm [JWA] that MUST be used for signing\ \ Request Objects sent to the OP. All Request Objects\nfrom this Client\ \ MUST be rejected, if not signed with this algorithm." type: string request_uris: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array response_types: items: type: string title: StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. type: array scope: description: "Scope is a string containing a space-separated list of scope\ \ values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the\ \ client\ncan use when requesting access tokens." pattern: "([a-zA-Z0-9\\.\\*]+\\s?)+" type: string sector_identifier_uri: description: |- URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. type: string subject_type: description: |- SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. type: string token_endpoint_auth_method: description: "Requested Client Authentication method for the Token Endpoint.\ \ The options are client_secret_post,\nclient_secret_basic, private_key_jwt,\ \ and none." type: string token_endpoint_auth_signing_alg: description: Requested Client Authentication signing algorithm for the Token Endpoint. type: string tos_uri: description: |- TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. type: string updated_at: description: UpdatedAt returns the timestamp of the last update. format: date-time type: string userinfo_signed_response_alg: description: "JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses.\ \ If this is specified, the response will be JWT\n[JWT] serialized, and\ \ signed using JWS. The default, if omitted, is for the UserInfo Response\ \ to return the Claims\nas a UTF-8 encoded JSON object using the application/json\ \ content-type." type: string title: Client represents an OAuth 2.0 Client. type: object oAuth2TokenIntrospection: description: https://tools.ietf.org/html/rfc7662 example: ext: "{}" sub: sub iss: iss active: true obfuscated_subject: obfuscated_subject token_type: token_type client_id: client_id aud: - aud - aud nbf: 1 token_use: token_use scope: scope exp: 0 iat: 6 username: username properties: active: description: "Active is a boolean indicator of whether or not the presented\ \ token\nis currently active. The specifics of a token's \"active\" state\n\ will vary depending on the implementation of the authorization\nserver\ \ and the information it keeps about its tokens, but a \"true\"\nvalue\ \ return for the \"active\" property will generally indicate\nthat a given\ \ token has been issued by this authorization server,\nhas not been revoked\ \ by the resource owner, and is within its\ngiven time window of validity\ \ (e.g., after its issuance time and\nbefore its expiration time)." type: boolean aud: description: Audience contains a list of the token's intended audiences. items: type: string type: array client_id: description: |- ID is aclient identifier for the OAuth 2.0 client that requested this token. type: string exp: description: "Expires at is an integer timestamp, measured in the number\ \ of seconds\nsince January 1 1970 UTC, indicating when this token will\ \ expire." format: int64 type: integer ext: description: Extra is arbitrary data set by the session. properties: {} type: object iat: description: "Issued at is an integer timestamp, measured in the number\ \ of seconds\nsince January 1 1970 UTC, indicating when this token was\n\ originally issued." format: int64 type: integer iss: description: IssuerURL is a string representing the issuer of this token type: string nbf: description: "NotBefore is an integer timestamp, measured in the number\ \ of seconds\nsince January 1 1970 UTC, indicating when this token is\ \ not to be\nused before." format: int64 type: integer obfuscated_subject: description: |- ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization. It is the `sub` value of the ID Token that was issued. type: string scope: description: |- Scope is a JSON string containing a space-separated list of scopes associated with this token. type: string sub: description: "Subject of the token, as defined in JWT [RFC7519].\nUsually\ \ a machine-readable identifier of the resource owner who\nauthorized\ \ this token." type: string token_type: description: "TokenType is the introspected token's type, typically `Bearer`." type: string token_use: description: "TokenUse is the introspected token's use, for example `access_token`\ \ or `refresh_token`." type: string username: description: |- Username is a human-readable identifier for the resource owner who authorized this token. type: string required: - active title: "Introspection contains an access token's session data as specified by\ \ IETF RFC 7662, see:" type: object oauth2TokenResponse: description: The Access Token Response example: access_token: access_token refresh_token: refresh_token scope: scope id_token: id_token token_type: token_type expires_in: 0 properties: access_token: type: string expires_in: format: int64 type: integer id_token: type: string refresh_token: type: string scope: type: string token_type: type: string type: object openIDConnectContext: example: login_hint: login_hint ui_locales: - ui_locales - ui_locales id_token_hint_claims: "{}" acr_values: - acr_values - acr_values display: display properties: acr_values: description: "ACRValues is the Authentication AuthorizationContext Class\ \ Reference requested in the OAuth 2.0 Authorization request.\nIt is a\ \ parameter defined by OpenID Connect and expresses which level of authentication\ \ (e.g. 2FA) is required.\n\nOpenID Connect defines it as follows:\n>\ \ Requested Authentication AuthorizationContext Class Reference values.\ \ Space-separated string that specifies the acr values\nthat the Authorization\ \ Server is being requested to use for processing this Authentication\ \ Request, with the\nvalues appearing in order of preference. The Authentication\ \ AuthorizationContext Class satisfied by the authentication\nperformed\ \ is returned as the acr Claim Value, as specified in Section 2. The acr\ \ Claim is requested as a\nVoluntary Claim by this parameter." items: type: string type: array display: description: "Display is a string value that specifies how the Authorization\ \ Server displays the authentication and consent user interface pages\ \ to the End-User.\nThe defined values are:\npage: The Authorization Server\ \ SHOULD display the authentication and consent UI consistent with a full\ \ User Agent page view. If the display parameter is not specified, this\ \ is the default display mode.\npopup: The Authorization Server SHOULD\ \ display the authentication and consent UI consistent with a popup User\ \ Agent window. The popup User Agent window should be of an appropriate\ \ size for a login-focused dialog and should not obscure the entire window\ \ that it is popping up over.\ntouch: The Authorization Server SHOULD\ \ display the authentication and consent UI consistent with a device that\ \ leverages a touch interface.\nwap: The Authorization Server SHOULD display\ \ the authentication and consent UI consistent with a \"feature phone\"\ \ type display.\n\nThe Authorization Server MAY also attempt to detect\ \ the capabilities of the User Agent and present an appropriate display." type: string id_token_hint_claims: description: |- IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. properties: {} type: object login_hint: description: |- LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional. type: string ui_locales: description: "UILocales is the End-User'id preferred languages and scripts\ \ for the user interface, represented as a\nspace-separated list of BCP47\ \ [RFC5646] language tag values, ordered by preference. For instance,\ \ the value\n\"fr-CA fr en\" represents a preference for French as spoken\ \ in Canada, then French (without a region designation),\nfollowed by\ \ English (without a region designation). An error SHOULD NOT result if\ \ some or all of the requested\nlocales are not supported by the OpenID\ \ Provider." items: type: string type: array title: Contains optional information about the OpenID Connect request. type: object rejectRequest: properties: error: description: "The error should follow the OAuth2 error format (e.g. `invalid_request`,\ \ `login_required`).\n\nDefaults to `request_denied`." type: string error_debug: description: |- Debug contains information to help resolve the problem as a developer. Usually not exposed to the public but only in the server logs. type: string error_description: description: Description of the error in a human readable format. type: string error_hint: description: Hint to help resolve the error. type: string status_code: description: |- Represents the HTTP status code of the error (e.g. 401 or 403) Defaults to 400 format: int64 type: integer title: The request payload used to accept a login or consent request. type: object userinfoResponse: description: The userinfo response example: sub: sub website: website zoneinfo: zoneinfo birthdate: birthdate email_verified: true gender: gender profile: profile phone_number_verified: true preferred_username: preferred_username given_name: given_name locale: locale middle_name: middle_name picture: picture updated_at: 0 name: name nickname: nickname phone_number: phone_number family_name: family_name email: email properties: birthdate: description: "End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑\ 2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted.\ \ To represent only the year, YYYY format is allowed. Note that depending\ \ on the underlying platform's date related function, providing just year\ \ can result in varying month and day, so the implementers need to take\ \ this factor into account to correctly process the dates." type: string email: description: "End-User's preferred e-mail address. Its value MUST conform\ \ to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon\ \ this value being unique, as discussed in Section 5.7." type: string email_verified: description: "True if the End-User's e-mail address has been verified; otherwise\ \ false. When this Claim Value is true, this means that the OP took affirmative\ \ steps to ensure that this e-mail address was controlled by the End-User\ \ at the time the verification was performed. The means by which an e-mail\ \ address is verified is context-specific, and dependent upon the trust\ \ framework or contractual agreements within which the parties are operating." type: boolean family_name: description: "Surname(s) or last name(s) of the End-User. Note that in some\ \ cultures, people can have multiple family names or no family name; all\ \ can be present, with the names being separated by space characters." type: string gender: description: End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. type: string given_name: description: "Given name(s) or first name(s) of the End-User. Note that\ \ in some cultures, people can have multiple given names; all can be present,\ \ with the names being separated by space characters." type: string locale: description: "End-User's locale, represented as a BCP47 [RFC5646] language\ \ tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code\ \ in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase,\ \ separated by a dash. For example, en-US or fr-CA. As a compatibility\ \ note, some implementations have used an underscore as the separator\ \ rather than a dash, for example, en_US; Relying Parties MAY choose to\ \ accept this locale syntax as well." type: string middle_name: description: "Middle name(s) of the End-User. Note that in some cultures,\ \ people can have multiple middle names; all can be present, with the\ \ names being separated by space characters. Also note that in some cultures,\ \ middle names are not used." type: string name: description: "End-User's full name in displayable form including all name\ \ parts, possibly including titles and suffixes, ordered according to\ \ the End-User's locale and preferences." type: string nickname: description: "Casual name of the End-User that may or may not be the same\ \ as the given_name. For instance, a nickname value of Mike might be returned\ \ alongside a given_name value of Michael." type: string phone_number: description: "End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED\ \ as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2)\ \ 687 2400. If the phone number contains an extension, it is RECOMMENDED\ \ that the extension be represented using the RFC 3966 [RFC3966] extension\ \ syntax, for example, +1 (604) 555-1234;ext=5678." type: string phone_number_verified: description: "True if the End-User's phone number has been verified; otherwise\ \ false. When this Claim Value is true, this means that the OP took affirmative\ \ steps to ensure that this phone number was controlled by the End-User\ \ at the time the verification was performed. The means by which a phone\ \ number is verified is context-specific, and dependent upon the trust\ \ framework or contractual agreements within which the parties are operating.\ \ When true, the phone_number Claim MUST be in E.164 format and any extensions\ \ MUST be represented in RFC 3966 format." type: boolean picture: description: "URL of the End-User's profile picture. This URL MUST refer\ \ to an image file (for example, a PNG, JPEG, or GIF image file), rather\ \ than to a Web page containing an image. Note that this URL SHOULD specifically\ \ reference a profile photo of the End-User suitable for displaying when\ \ describing the End-User, rather than an arbitrary photo taken by the\ \ End-User." type: string preferred_username: description: "Non-unique shorthand name by which the End-User wishes to\ \ be referred to at the RP, such as janedoe or j.doe. This value MAY be\ \ any valid JSON string including special characters such as @, /, or\ \ whitespace." type: string profile: description: URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. type: string sub: description: Subject - Identifier for the End-User at the IssuerURL. type: string updated_at: description: Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. format: int64 type: integer website: description: URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with. type: string zoneinfo: description: "String from zoneinfo [zoneinfo] time zone database representing\ \ the End-User's time zone. For example, Europe/Paris or America/Los_Angeles." type: string type: object version: example: version: version properties: version: description: Version is the service's version. type: string type: object wellKnown: description: |- It includes links to several endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms among others. example: request_parameter_supported: true claims_parameter_supported: true backchannel_logout_supported: true scopes_supported: - scopes_supported - scopes_supported issuer: https://playground.ory.sh/ory-hydra/public/ authorization_endpoint: https://playground.ory.sh/ory-hydra/public/oauth2/auth claims_supported: - claims_supported - claims_supported userinfo_signing_alg_values_supported: - userinfo_signing_alg_values_supported - userinfo_signing_alg_values_supported token_endpoint_auth_methods_supported: - token_endpoint_auth_methods_supported - token_endpoint_auth_methods_supported backchannel_logout_session_supported: true response_modes_supported: - response_modes_supported - response_modes_supported token_endpoint: https://playground.ory.sh/ory-hydra/public/oauth2/token response_types_supported: - response_types_supported - response_types_supported request_uri_parameter_supported: true grant_types_supported: - grant_types_supported - grant_types_supported end_session_endpoint: end_session_endpoint revocation_endpoint: revocation_endpoint userinfo_endpoint: userinfo_endpoint frontchannel_logout_supported: true require_request_uri_registration: true frontchannel_logout_session_supported: true jwks_uri: https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json subject_types_supported: - subject_types_supported - subject_types_supported id_token_signing_alg_values_supported: - id_token_signing_alg_values_supported - id_token_signing_alg_values_supported registration_endpoint: https://playground.ory.sh/ory-hydra/admin/client request_object_signing_alg_values_supported: - request_object_signing_alg_values_supported - request_object_signing_alg_values_supported properties: authorization_endpoint: description: URL of the OP's OAuth 2.0 Authorization Endpoint. example: https://playground.ory.sh/ory-hydra/public/oauth2/auth type: string backchannel_logout_session_supported: description: "Boolean value specifying whether the OP can pass a sid (session\ \ ID) Claim in the Logout Token to identify the RP\nsession with the OP.\ \ If supported, the sid Claim is also included in ID Tokens issued by\ \ the OP" type: boolean backchannel_logout_supported: description: "Boolean value specifying whether the OP supports back-channel\ \ logout, with true indicating support." type: boolean claims_parameter_supported: description: "Boolean value specifying whether the OP supports use of the\ \ claims parameter, with true indicating support." type: boolean claims_supported: description: "JSON array containing a list of the Claim Names of the Claims\ \ that the OpenID Provider MAY be able to supply\nvalues for. Note that\ \ for privacy or other reasons, this might not be an exhaustive list." items: type: string type: array end_session_endpoint: description: URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. type: string frontchannel_logout_session_supported: description: "Boolean value specifying whether the OP can pass iss (issuer)\ \ and sid (session ID) query parameters to identify\nthe RP session with\ \ the OP when the frontchannel_logout_uri is used. If supported, the sid\ \ Claim is also\nincluded in ID Tokens issued by the OP." type: boolean frontchannel_logout_supported: description: "Boolean value specifying whether the OP supports HTTP-based\ \ logout, with true indicating support." type: boolean grant_types_supported: description: JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. items: type: string type: array id_token_signing_alg_values_supported: description: |- JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. items: type: string type: array issuer: description: "URL using the https scheme with no query or fragment component\ \ that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery\ \ is supported , this value MUST be identical to the issuer value returned\n\ by WebFinger. This also MUST be identical to the iss Claim value in ID\ \ Tokens issued from this IssuerURL." example: https://playground.ory.sh/ory-hydra/public/ type: string jwks_uri: description: "URL of the OP's JSON Web Key Set [JWK] document. This contains\ \ the signing key(s) the RP uses to validate\nsignatures from the OP.\ \ The JWK Set MAY also contain the Server's encryption key(s), which are\ \ used by RPs\nto encrypt requests to the Server. When both signing and\ \ encryption keys are made available, a use (Key Use)\nparameter value\ \ is REQUIRED for all keys in the referenced JWK Set to indicate each\ \ key's intended usage.\nAlthough some algorithms allow the same key to\ \ be used for both signatures and encryption, doing so is\nNOT RECOMMENDED,\ \ as it is less secure. The JWK x5c parameter MAY be used to provide X.509\ \ representations of\nkeys provided. When used, the bare key values MUST\ \ still be present and MUST match those in the certificate." example: https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json type: string registration_endpoint: description: URL of the OP's Dynamic Client Registration Endpoint. example: https://playground.ory.sh/ory-hydra/admin/client type: string request_object_signing_alg_values_supported: description: "JSON array containing a list of the JWS signing algorithms\ \ (alg values) supported by the OP for Request Objects,\nwhich are described\ \ in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms\ \ are used both when\nthe Request Object is passed by value (using the\ \ request parameter) and when it is passed by reference\n(using the request_uri\ \ parameter)." items: type: string type: array request_parameter_supported: description: "Boolean value specifying whether the OP supports use of the\ \ request parameter, with true indicating support." type: boolean request_uri_parameter_supported: description: "Boolean value specifying whether the OP supports use of the\ \ request_uri parameter, with true indicating support." type: boolean require_request_uri_registration: description: |- Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. type: boolean response_modes_supported: description: JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports. items: type: string type: array response_types_supported: description: "JSON array containing a list of the OAuth 2.0 response_type\ \ values that this OP supports. Dynamic OpenID\nProviders MUST support\ \ the code, id_token, and the token id_token Response Type values." items: type: string type: array revocation_endpoint: description: URL of the authorization server's OAuth 2.0 revocation endpoint. type: string scopes_supported: description: "SON array containing a list of the OAuth 2.0 [RFC6749] scope\ \ values that this server supports. The server MUST\nsupport the openid\ \ scope value. Servers MAY choose not to advertise some supported scope\ \ values even when this parameter is used" items: type: string type: array subject_types_supported: description: |- JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. items: type: string type: array token_endpoint: description: URL of the OP's OAuth 2.0 Token Endpoint example: https://playground.ory.sh/ory-hydra/public/oauth2/token type: string token_endpoint_auth_methods_supported: description: "JSON array containing a list of Client Authentication methods\ \ supported by this Token Endpoint. The options are\nclient_secret_post,\ \ client_secret_basic, client_secret_jwt, and private_key_jwt, as described\ \ in Section 9 of OpenID Connect Core 1.0" items: type: string type: array userinfo_endpoint: description: URL of the OP's UserInfo Endpoint. type: string userinfo_signing_alg_values_supported: description: "JSON array containing a list of the JWS [JWS] signing algorithms\ \ (alg values) [JWA] supported by the UserInfo Endpoint to encode the\ \ Claims in a JWT [JWT]." items: type: string type: array required: - authorization_endpoint - id_token_signing_alg_values_supported - issuer - jwks_uri - response_types_supported - subject_types_supported - token_endpoint title: WellKnown represents important OpenID Connect discovery metadata type: object introspectOAuth2Token_request: properties: token: description: "The string value of the token. For access tokens, this\nis\ \ the \"access_token\" value returned from the token endpoint\ndefined\ \ in OAuth 2.0. For refresh tokens, this is the \"refresh_token\"\nvalue\ \ returned." type: string scope: description: "An optional, space separated list of required scopes. If the\ \ access token was not granted one of the\nscopes, the result of active\ \ will be false." type: string required: - token revokeOAuth2Token_request: properties: token: type: string required: - token oauth2Token_request: properties: grant_type: type: string code: type: string refresh_token: type: string redirect_uri: type: string client_id: type: string required: - grant_type securitySchemes: basic: scheme: basic type: http oauth2: flows: authorizationCode: authorizationUrl: https://hydra.demo.ory.sh/oauth2/auth scopes: offline: A scope required when requesting refresh tokens (alias for `offline_access`) offline_access: A scope required when requesting refresh tokens openid: Request an OpenID Connect ID Token tokenUrl: https://hydra.demo.ory.sh/oauth2/token type: oauth2 x-forwarded-proto: string x-request-id: string x-original-swagger-version: "2.0"