@wolfeidau
Last active July 2, 2020 01:56
openid JSON openapi specification
openapi: 3.0.2
info:
  title: OTK Server APIs
  version: 4.3.1
  description: "All APIs available in the OAuth Toolkit server"
paths:
  /auth/oauth/v2/authorize:
    get:
      tags:
        - Authorization Server APIs
      description: 'Initializes an OAuth 2.0 flow using a response_type. See RFC 6749 (https://tools.ietf.org/html/rfc6749) for more details.'
      operationId: Get_request_authorization
      parameters:
        -
          name: mag-identifier
          in: header
          required: false
          x-is-map: false
          description: "The mag-identifier is used in conjunction with response_type 'code'. This field is required for mobile clients. It must represent a valid registered mobile device. A client is identified as a mobile client if its registered SCOPE includes 'msso'."
          schema:
            type: string
        -
          name: client_id
          in: query
          required: true
          x-is-map: false
          description: "This is the 'client_id' of the requesting client. Maximum 255 characters."
          schema:
            type: string
        -
          name: response_type
          in: query
          required: true
          x-is-map: false
          description: "MUST be one of the listed available values. Any response_type other than 'code' or 'token' is only supported in conjunction with scope=openid. As per the OAuth specification: 'code' is used for the authorization code grant type flow, 'token' is used for the implicit grant type flow, 'token id_token' is an extension provided by OpenID Connect, and 'code id_token', 'id_token', and 'none' are extensions provided by OpenID Connect Multiple Response Types."
          schema:
            type: string
            enum:
              - code
              - token
              - token id_token
              - code id_token
              - id_token
              - code token
              - code id_token token
              - none
        -
          name: response_mode
          in: query
          required: false
          x-is-map: false
          description: "Specify the method of returning the authorization response. As per the OpenID specification, use of this parameter is NOT RECOMMENDED if you are using the same response mode as the default response mode for the given response type. It MUST be one of the listed values in order to be accepted: 'query', 'fragment', 'form_post'."
          schema:
            type: string
            enum:
              - query
              - fragment
              - form_post
        -
          name: redirect_uri
          in: query
          required: false
          x-is-map: false
          description: "The 'redirect_uri' that was registered for this client. It is required if multiple redirect_uris have been registered for this client. If the scope contains openid, this field becomes MANDATORY."
          schema:
            type: string
        -
          name: scope
          in: query
          required: false
          x-is-map: false
          description: 'Only SCOPE values that were registered for this client will be granted. If only non-matching SCOPE values are requested, the request will fail.'
          schema:
            type: string
        -
          name: nonce
          in: query
          required: false
          x-is-map: false
          description: "This is required for response_type 'token id_token'. Typically, in an OpenID authorization scheme, the nonce represents a cryptographically strong random string that is used to prevent intercepted responses from being reused."
          schema:
            type: string
        -
          name: display
          in: query
          required: false
          x-is-map: false
          description: "This is optional and used within the context of OpenID Connect (i.e., response_type 'token id_token'). This parameter is not used here but forwarded to the /authorize/login API. Currently only 'page', 'social_login' (MAG only) and 'local' (MAG only) are supported by default. The value 'social_login' will create a JSON message response instead of an HTML page containing a list of social login providers. The value 'local' will prevent the authorization server from displaying the social login buttons. This is the case if a user selected the local enterprise button for logging in."
          schema:
            type: string
            enum:
              - ''
              - page
              - social_login
              - local
            default: ''
        -
          name: prompt
          in: query
          required: false
          x-is-map: false
          description: "This is used within the context of OpenID Connect. Indicates whether the server should prompt for login/consent. It is a space separated list of different values. The server supports the values 'none', 'login' and 'consent'. 'none' is only respected if 'id_token_hint' is not empty. 'consent' is only respected if the current user has an active OAuth session using the same client and the same SCOPE."
          schema:
            type: string
            default: login consent
        -
          name: id_token_hint
          in: query
          required: false
          x-is-map: false
          description: "This is used within the context of OpenID Connect. Contains a previously issued id_token. This parameter is only respected for 'prompt=none' or 'prompt=none consent'."
          schema:
            type: string
        -
          name: acr_values
          in: query
          required: false
          x-is-map: false
          description: This is used within the context of OpenID Connect. Indicates which acr (additional cryptography) classes are acceptable for the user authentication. It is a space separated list of different values.
          schema:
            type: string
        -
          name: code_challenge
          in: query
          required: false
          x-is-map: false
          description: The code_challenge value in the context of PKCE (RFC 7636).
          schema:
            type: string
        -
          name: code_challenge_method
          in: query
          required: false
          x-is-map: false
          description: The method that was used to create the code_challenge (plain or S256).
          schema:
            type: string
        -
          name: state
          in: query
          required: false
          x-is-map: false
          description: 'Value opaque to the server, used by the client to track its session. It will be returned as received.'
          schema:
            type: string
        -
          name: login_hint
          in: query
          required: false
          x-is-map: false
          description: A suggested username. This parameter is described in the OpenID Connect core specification.
          schema:
            type: string
      responses:
        '200':
          description: OK
          headers:
            location:
              description: "Location (URL) includes these required parameters: action=(display or login depending on 'prompt' and 'id_token_hint') and sessionID and sessionData (a JWT containing a JSON message holding session data)"
              schema:
                type: string
        '302':
          $ref: '#/components/responses/auth302'
        '400':
          description: 'Invalid parameters | Invalid redirect_uri | invalid client type | invalid response type | invalid code_challenge/method'
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3000103 (missing or invalid parameters), 3000112 (code_challenge or code_challenge_method invalid), 3000114 (invalid redirect uri), 3000116 (invalid response type), 3000130 (invalid client type)'
              schema:
                type: string
                default: '3000130'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '401':
          description: The client could not be authenticated.
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3000201 (client could not be authenticated), 3000306 (The given JWT for client authentication is invalid), 3000307 (Request is a replay attack), 3000308 (Replay attack protection could not be applied)'
              schema:
                type: string
                default: '3000201'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '403':
          description: Forbidden.
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3000203 (SSL required)'
              schema:
                type: string
                default: '3000203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '405':
          description: The HTTP method is not valid
          headers:
            Allow:
              description: This header is required by RFC 2616 and contains a comma-separated list of valid HTTP methods.
              schema:
                type: string
                default: 'GET,POST'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '500':
          description: unknown error
          headers:
            x-ca-err:
              description: Custom error extension
              schema:
                type: string
                default: '3000000'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
  /openid/connect/v1/userinfo:
    get:
      tags:
        - Resource Server APIs
      description: >-
        This API reflects an implementation according to OpenID Connect.
        This endpoint returns a message with user details. The content
        depends on the SCOPE associated with the given access_token.
        IMPORTANT: The API will fail if no active id_token is available
        for the associated user.
        For more information refer to this website:
        http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
      operationId: Get_userinfo
      parameters:
        -
          name: authorization
          in: header
          required: true
          description: "A valid access_token (e.g.: authorization: Bearer access-token-value). The access_token must have the 'openid' scope. Other valid scope values are 'email', 'address', 'phone', and 'profile'. In addition to those scope values, 'user_role' is supported. The 'user_role' scope is an extension for OTK/MAG and returns the role of the user."
          schema:
            type: string
      responses:
        '200':
          description: A JSON message containing details about the user. The content depends on the scope associated with the access_token.
          content:
            application/json:
              schema:
                properties:
                  sub:
                    type: string
                    example: '248289761001'
                  name:
                    type: string
                    example: Jane Doe
                  given_name:
                    type: string
                    example: Jane
                  family_name:
                    type: string
                    example: Doe
                  preferred_username:
                    type: string
                    example: j.doe
                  email:
                    type: string
                    example: janedoe@example.com
                  picture:
                    type: string
                    example: 'http://example.com/janedoe/me.jpg'
        '400':
          description: A CORS request failed.
          headers:
            x-ca-err:
              description: 'Custom error header. Possible value: 134'
              schema:
                type: string
                default: '134'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
          content:
            application/json:
              schema:
                properties:
                  error:
                    type: string
                    example: invalid_request
                  error_description:
                    type: string
                    example: The request did not match CORS requirements
        '401':
          description: 'The given token is not valid. The error code may be 990, 991, 992, 993.'
          headers:
            x-ca-err:
              description: 'Custom error header. Possible value: 990'
              schema:
                type: string
                default: '990'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
          content:
            application/json:
              schema:
                properties:
                  error:
                    type: string
                    example: invalid_request
                  error_description:
                    type: string
                    example: Validation error
        '403':
          description: Forbidden.
          headers:
            x-ca-err:
              description: 'Custom error header. Possible value: 203'
              schema:
                type: string
                default: '203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
          content:
            application/json:
              schema:
                properties:
                  error:
                    type: string
                    example: invalid_request
                  error_description:
                    type: string
                    example: SSL is required
        '405':
          description: 'HTTP method is not valid. The Allow header is required by [RFC 2616](https://tools.ietf.org/html/rfc2616).'
          headers:
            Allow:
              description: Comma-separated list of allowed HTTP methods.
              schema:
                type: string
                default: 'POST,GET'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '500':
          description: 'Unknown error. This also occurs if the user does not have an active session, id_token, on the server.'
          headers:
            x-ca-err:
              description: 'Custom error header. Possible value: 000'
              schema:
                type: string
                default: '000'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
  /auth/oauth/health:
    get:
      tags:
        - Authorization Server APIs
      description: An endpoint that can be used to verify your OAuth authentication flow is working correctly. It is only usable if the Gateway cluster property otk.health.apikey is defined. The Gateway cluster property otk.port.health should also be set if it does not match the default 8443.
      operationId: Get_request_health_check
      parameters:
        -
          name: apikey
          in: query
          required: true
          description: Key that needs to be used to perform the health check.
          schema:
            type: string
            default: Empty
      responses:
        '200':
          description: Responds with no content
        '500':
          description: 'Responds with "error". This can be due to a missing or incorrect API key. Check audit log messages for more information.'
        '503':
          description: 'Responds with "error". Returned on health check failure. This can be returned due to bad database configuration, bad certificate configuration, etc. Check the audit log messages for more information.'
  /auth/oauth/v2/authorize/login:
    get:
      tags:
        - Authorization Server APIs
      description: Receives a request as the result of a redirect from the /auth/oauth/v2/authorize endpoint. Creates a login page or forwards a request to the consent screen.
      operationId: Get_request_authorize_login
      parameters:
        -
          name: action
          in: query
          required: true
          x-is-map: false
          description: ''
          schema:
            type: string
            default: display
        -
          name: sessionID
          in: query
          required: true
          x-is-map: false
          description: The current session which was initiated at the initial authorization request.
          schema:
            type: string
        -
          name: sessionData
          in: query
          required: true
          x-is-map: false
          description: A signed JSON Web Token (JWT) which contains a JSON structure holding values initially received and validated at authorize.
          schema:
            type: string
      responses:
        '200':
          description: Responds with authentication form
        '400':
          description: 'invalid parameters | The session has expired or already been granted'
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3001103 (missing or duplicate parameters), 3001110 (session expired)'
              schema:
                type: string
                default: '3001103'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '403':
          description: Forbidden.
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3001203 (SSL required)'
              schema:
                type: string
                default: '3001203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '405':
          description: The HTTP method is not valid
          headers:
            Allow:
              description: This header is required by RFC 2616 and contains a comma-separated list of valid HTTP methods.
              schema:
                type: string
                default: POST
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '500':
          description: Unknown error.
          headers:
            x-ca-err:
              description: Custom error extension
              schema:
                type: string
                default: '3001000'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
    post:
      tags:
        - Authorization Server APIs
      description: Authenticates a user during the OAuth 2.0 response_type flow, or authenticates a user during that flow using a social platform.
      operationId: Post_request_authorize_login
      parameters:
        -
          name: action
          in: query
          required: true
          x-is-map: false
          description: 'Display the login screen, authenticate the user (login), cancel the login process, or reset'
          schema:
            type: string
            enum:
              - reset
              - display
              - login
              - cancel
            default: login
        -
          name: username
          in: query
          required: false
          x-is-map: false
          description: The username of the user to authenticate.
          schema:
            type: string
        -
          name: password
          in: query
          required: false
          x-is-map: false
          description: The password for user authentication.
          schema:
            type: string
            format: password
        -
          name: sessionID
          in: query
          required: true
          x-is-map: false
          description: The current session which was initiated at the initial authorization request.
          schema:
            type: string
        -
          name: sessionData
          in: query
          required: true
          x-is-map: false
          description: A signed JSON Web Token (JWT) which contains a JSON structure holding values initially received and validated at authorize.
          schema:
            type: string
        -
          name: code
          in: query
          required: false
          x-is-map: false
          description: An OAuth 2.0 authorization_code issued by a social login provider.
          schema:
            type: string
        -
          name: provider
          in: query
          required: false
          x-is-map: false
          description: "The social login provider that issued the 'code'. This value is specified as part of the redirect_uri configured with each social login provider."
          schema:
            type: string
        -
          name: response_mode
          in: query
          required: false
          x-is-map: false
          description: "Specify the method of returning the authorization response. As per the OpenID specification, use of this parameter is NOT RECOMMENDED if you are using the same response mode as the default response mode for the given response type. It MUST be one of the listed values in order to be accepted: 'query', 'fragment', 'form_post'."
          schema:
            type: string
            enum:
              - query
              - fragment
              - form_post
        -
          name: oauth_token
          in: query
          required: false
          x-is-map: false
          description: OAuth 1.0 token when the social login provider is used with OAuth 1.0.
          schema:
            type: string
        -
          name: oauth_verifier
          in: query
          required: false
          x-is-map: false
          description: OAuth 1.0 verifier when the social login provider is used with OAuth 1.0.
          schema:
            type: string
      responses:
        '200':
          description: 'Authenticates a user during the OAuth 2.0 response_type flow; or, if authentication via a social provider was successful, the API auto-form-posts to the API that handles the consent screen, /authorize/consent'
          headers:
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '302':
          description: "Authentication denied. If the redirect_uri is not available, the server displays an HTML page showing the error and error_description. The HTTP status will be '400'."
          headers:
            location:
              description: "Location (URL) has the 'error', 'error_description' and 'state' (if provided) parameters attached."
              schema:
                type: string
            x-ca-err:
              description: 'Custom error extension. Possible values: 3001103 (missing or duplicate parameters), 3001116 (invalid response type)'
              schema:
                type: string
                default: '3001103'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '400':
          description: 'Invalid parameters | The session has expired or already been granted | invalid response type'
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3001103 (missing or duplicate parameters), 3001116 (invalid response type)'
              schema:
                type: string
                default: '3001103'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '401':
          description: The resource owner could not be authenticated. An HTML page displaying an authentication error will be returned.
          headers:
            x-ca-err:
              description: Custom error extension
              schema:
                type: string
                default: '3001202'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '403':
          description: Forbidden.
          headers:
            x-ca-err:
              description: Custom error extension
              schema:
                type: string
                default: '3001203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '405':
          description: The HTTP method is not valid
          headers:
            Allow:
              description: This header is required by RFC 2616 and contains a comma-separated list of valid HTTP methods.
              schema:
                type: string
                default: POST
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '500':
          description: Unknown error.
          headers:
            x-ca-err:
              description: Custom error extension
              schema:
                type: string
                default: '3001000'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
  /auth/oauth/v2/authorize/consent:
    post:
      tags:
        - Authorization Server APIs
      description: "Handles the resource owner's decision at the consent page, depending on 'action': 'consent', the API returns an HTML page for the user to grant or deny the request; 'grant', the API handles the 'grant' result of the owner's decision at the consent page; 'deny', the API handles the 'deny' result of the owner's decision at the consent page."
      operationId: Post_request_authorize_consent
      parameters:
        -
          name: response_mode
          in: query
          required: false
          x-is-map: false
          description: "Specify the method of returning the authorization response. As per the OpenID specification, use of this parameter is NOT RECOMMENDED if you are using the same response mode as the default response mode for the given response type. It MUST be one of the listed values in order to be accepted: 'query', 'fragment', 'form_post'."
          schema:
            type: string
            enum:
              - query
              - fragment
              - form_post
      responses:
        '200':
          description: 'Success, redirect to client redirect url'
          headers:
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '302':
          description: 'Access was denied, redirect to client redirect with error'
          headers:
            location:
              description: "If 'action' is 'grant': the redirect location will include the query parameters: state (if provided) and code. In the 'implicit' response flow, the query parameters include: redirect_uri, access_token, expires_in, token_type, scope, id_token, id_token_type and state. \r\nIf 'action' is 'deny': the redirect location will include the 'x-ca-err', 'error', 'error_description' and 'state' (if provided) parameters. In such a case the 'error' is 'access_denied'"
              schema:
                type: string
            x-ca-err:
              description: 'Custom error extension. Possible values: 3002116 (invalid response type)'
              schema:
                type: string
                default: '3002116'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '400':
          description: Invalid parameters
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3002103 (missing or duplicate parameters), 3002110 (session expired), 3002116 (invalid response type), 3002135 (token limit reached)'
              schema:
                type: string
                default: '3002103'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '401':
          description: The resource owner could not be authenticated. An HTML page displaying an authentication error will be returned.
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3002202 (resource owner could not be authenticated)'
              schema:
                type: string
                default: '3002202'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '403':
          description: Forbidden.
          headers:
            x-ca-err:
              description: 'Custom error extension. Possible values: 3002203 (SSL required)'
              schema:
                type: string
                default: '3002203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '405':
          description: The HTTP method is not valid
          headers:
            Allow:
              description: This header is required by RFC 2616 and contains a comma-separated list of valid HTTP methods.
              schema:
                type: string
                default: POST
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '500':
          description: Unknown error.
          headers:
            x-ca-err:
              description: Custom error extension
              schema:
                type: string
                default: '3002203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                action:
                  description: Deny or grant the resource with the scope requested.
                  type: string
                  enum:
                    - deny
                    - grant
                  default: grant
                sessionID:
                  type: string
                sessionData:
                  description: A signed JSON Web Token (JWT) which contains a JSON structure holding values initially received and validated at authorize.
                  type: string
              required:
                - action
                - sessionID
                - sessionData
  /auth/oauth/v2/token:
    post:
      tags:
        - Token Server APIs
      description: 'Request an access_token or refresh_token using one of the OAuth 2.0 grant_type values: password, authorization_code, refresh_token, client_credentials, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:saml2-bearer. See RFC 6749 for more details.'
      operationId: Create_request_token
      parameters:
        -
          name: mag-identifier
          in: header
          required: false
          x-is-map: false
          description: "[MAG]\r\n[MAG]: mobile clients MUST use this header. It must represent a valid registered device. This grant_type, however, is not supported by MAG"
          schema:
            type: string
        -
          name: authorization
          in: header
          required: false
          x-is-map: false
          description: "The HTTP basic authorization header containing the client credentials as a base64 encoded string (authorization: Basic base64(client_id:client_secret)). This can only be used INSTEAD of the parameters 'client_id', 'client_secret'."
          schema:
            type: string
        -
          name: client_id
          in: query
          required: false
          x-is-map: false
          description: The client_id. This can only be used INSTEAD of using the authorization header. Maximum 255 characters.
          schema:
            type: string
        -
          name: client_secret
          in: query
          required: false
          x-is-map: false
          description: The client_secret. This can only be used INSTEAD of using the authorization header.
          schema:
            type: string
        -
          name: grant_type
          in: query
          required: true
          x-is-map: false
          description: 'For grant_type=password, either authorization or client_id AND client_secret, plus username and password, must be provided. For grant_type=client_credentials, either authorization or client_id AND client_secret must be provided. For grant_type=authorization_code: client_id, client_secret, code, and redirect_uri are required. For grant_type=refresh_token: client_id and refresh_token are required. For grant_type=jwt-bearer or saml2-bearer: client_id and assertion are required.'
          schema:
            type: string
            enum:
              - password
              - refresh_token
              - authorization_code
              - client_credentials
              - 'urn:ietf:params:oauth:grant-type:jwt-bearer'
              - 'urn:ietf:params:oauth:grant-type:saml2-bearer'
            default: password
        -
          name: code
          in: query
          required: false
          x-is-map: false
          description: Required if grant_type is authorization_code.
          schema:
            type: string
        -
          name: redirect_uri
          in: query
          required: false
          x-is-map: false
          description: Required if grant_type is authorization_code. Must contain a valid auth code
          schema:
            type: string
        -
          name: scope
          in: query
          required: false
          x-is-map: false
          description: 'Only SCOPE values that were registered for this client will be granted. If only non-matching SCOPE values are requested, the request will fail.'
          schema:
            type: string
        -
          name: username
          in: query
          required: false
          x-is-map: false
          description: 'If grant_type is password or client_credentials, this parameter must contain a valid username'
          schema:
            type: string
        -
          name: password
          in: query
          required: false
          x-is-map: false
          description: 'If grant_type is password or client_credentials, this parameter must contain a valid password'
          schema:
            type: string
            format: password
        -
          name: assertion
          in: query
          required: false
          x-is-map: false
          description: 'If grant_type is saml2-bearer or jwt-bearer, this parameter must contain a base64 encoded SAML or JWT token that represents an authenticated resource owner.'
          schema:
            type: string
        -
          name: refresh_token
          in: query
          required: false
          x-is-map: false
          description: 'If grant_type is refresh_token, this parameter must contain a valid refresh_token.'
          schema:
            type: string
        -
          name: code_verifier
          in: query
          required: false
          x-is-map: false
          description: 'A random value of 43-256 characters. See https://tools.ietf.org/html/rfc7636#section-4 for details. This parameter is required only when a code_challenge is provided with the authorization request for this session.'
          schema:
            type: string
      responses:
        '200':
          $ref: '#/components/responses/authToken200'
        '204':
          description: 'No Content, applicable to OPTIONS request with preflight configuration'
          headers:
            Access-Control-Allow-Methods:
              description: 'Allowable Methods, POST'
              schema:
                type: string
                default: POST
        '400':
          description: 'Bad Request, see x-ca-err for possible error codes'
          headers:
            x-ca-err:
              description: 'Custom error extension, possible values: 3003103 (missing or duplicate parameters), 3003107 (invalid mag-identifier), 3003113 (invalid grant), 3003115 (no registered scope value for client), 3003119 (grant type not supported), 3003134 (request did not match CORS requirements), 3003135 (token limit reached), 3003201 (client credentials not valid)'
              schema:
                type: string
                default: '3003107'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '401':
          description: The client could not be authenticated.
          headers:
            x-ca-err:
              description: 'Custom error extension, possible values: 3003201 (Invalid or Missing credentials), 3003202 (Resource owner could not be authenticated)'
              schema:
                type: string
                default: '3003202'
            WWW-Authenticate:
              description: This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.
              schema:
                type: string
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '403':
          description: Forbidden.
          headers:
            x-ca-err:
              description: 'Custom error extension, possible values: 3003203 (SSL is required)'
              schema:
                type: string
                default: '3003203'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '405':
          description: The HTTP method is not valid
          headers:
            Allow:
              description: This header is required by RFC 2616 and contains a comma-separated list of valid HTTP methods.
              schema:
                type: string
                default: POST
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
        '500':
          description: Unknown error.
          headers:
            x-ca-err:
              description: 'Custom error extension, possible values: 3003000 (Request failed due to unknown reason)'
              schema:
                type: string
                default: '3003000'
            Pragma:
              description: Pragma browser directive
              schema:
                type: string
                default: no-cache
            Cache-Control:
              description: Cache-Control browser directive
              schema:
                type: string
                default: no-store
/auth/oauth/v2/token/revoke:
post:
tags:
- Token Server APIs
description: Revoke an access_token or refresh_token. See RFC 7009 for more details. Section 2.3 of that RFC is not supported.
operationId: revoke_token
parameters:
-
name: authorization
in: header
required: false
x-is-map: false
description: "The HTTP basic authorization header containing the client credentials as base64 encoded string (authorization: Basic base64(client_id:client_secret)). For public clients the 'client_id' parameter can be used. This header is required if no client parameters are used."
schema:
type: string
-
name: client_id
in: query
required: false
x-is-map: false
description: "This parameter can be used with 'client_secret' instead of the authorization header. Maximum 255 characters."
schema:
type: string
-
name: client_secret
in: query
required: false
x-is-map: false
description: "This parameter is required when 'client_id' is used. Optional for public clients."
schema:
type: string
-
name: token
in: query
required: true
x-is-map: false
description: The token as it was issued.
schema:
type: string
-
name: token_type_hint
in: query
required: true
x-is-map: false
description: "Valid values are 'access_token' and 'refresh_token'."
schema:
type: string
responses:
'200':
description: OK
content:
application/json:
schema:
type: object
properties:
result:
type: string
example: revoked
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, POST, DELETE'
schema:
type: string
default: POST
'400':
description: Bad request
headers:
x-ca-err:
description: 'Custom error extension, possible values: 3004103 (Missing or duplicate parameters), 3004117 (Client lacks authorization for request), 3003134 (request did not match CORS requirements)'
schema:
type: string
default: '3004103'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'401':
description: The client could not be authenticated.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3004201 (Invalid or missing credentials)'
schema:
type: string
default: '3004201'
WWW-Authenticate:
description: This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.
schema:
type: string
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'403':
description: Forbidden
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3004203 (SSL is required)'
schema:
type: string
default: '3004203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: POST
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'503':
description: Unsupported token type
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3002203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
/auth/oauth/v2/client/export:
get:
tags:
- Token Server APIs
description: 'The endpoint returns details about a registered OAuth client. This endpoint is disabled by default. If requests fail due to an unknown endpoint, contact the system administrator.'
operationId: Get_client_details_export_
parameters:
-
name: authorization
in: header
required: true
description: 'The HTTP basic authorization header containing resource_owner credentials as base64 encoded string (authorization: Basic base64(username:password)). Depending on the server configuration this header may not be required.'
schema:
type: string
-
name: client_id
in: query
required: true
x-is-map: false
description: The client_id for which details are requested.
schema:
type: string
responses:
'200':
$ref: '#/components/responses/export200'
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, POST, GET'
schema:
type: string
default: POST
'400':
description: Bad Request
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3005103 (missing or invalid parameters), 3005132 (invalid server configuration), 3005134 (request does not match CORS requirements)'
schema:
type: string
default: '3005103'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'401':
description: 'The client is invalid | The resource owner could not be authenticated'
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3005201 (client is unknown or invalid), 3005202 (resource owner could not be authenticated)'
schema:
type: string
default: '3005201'
WWW-Authenticate:
description: This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.
schema:
type: string
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3005203 (SSL required)'
schema:
type: string
default: '3005203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: 'GET, POST'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: Unknown error.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3005000 (unknown error)'
schema:
type: string
default: '3005000'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
/connect/session/status:
get:
tags:
- Resource Server APIs
description: The client requests the session status by passing in the id_token of the authenticated user. This informs the client whether the resource owner is logged in and has a valid session. The session is either active or does not exist.
operationId: Get_resource_owner_session_status_
parameters:
-
name: authorization
in: header
required: true
description: 'A valid access_token (e.g.: authorization: Bearer access-token-value)'
schema:
type: string
-
name: id_token
in: query
required: true
description: The id_token of the resource owner
schema:
type: string
-
name: id_token_type
in: query
required: false
description: The id_token_type to be invalidated. Required if not default type.
schema:
type: string
default: 'urn:ietf:params:oauth:grant-type:jwt-bearer'
responses:
'200':
description: OK
content:
application/json:
schema:
type: object
properties:
session:
type: string
description: Session is active
example: active
session_status:
type: string
description: Session does not exist
example: none
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, POST or GET'
schema:
type: string
default: GET
'400':
description: Bad Request
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3007103 (missing or duplicate parameters), 3007134 (request did not match CORS requirements)'
schema:
type: string
default: '3007103'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'401':
description: 'The given token is not valid. The error code may be 1003990, 1003991, 1003992, 1003993'
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3007990 (validation error)'
schema:
type: string
default: '3007990'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3007203 (SSL required)'
schema:
type: string
default: '3007203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: POST
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: Unknown error.
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3002203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
/connect/session/logout:
post:
tags:
- Authorization Server APIs
description: The resource owner deletes their active session on the OAuth server.
operationId: Create_resource_owner_logout_
parameters:
-
name: mag-identifier
in: header
required: false
description: '[MAG]: mobile clients MUST use this header. It must represent a valid registered device.'
schema:
type: string
-
name: logout_apps
in: query
required: false
description: '[MAG]: mobile clients MAY use this parameter to invalidate all related OAuth tokens.'
schema:
type: string
default: 'true'
-
name: authorization
in: header
required: true
description: 'The HTTP basic authorization header containing the client credentials as base64 encoded string (authorization: Basic base64(client_id:client_secret)).'
schema:
type: string
-
name: id_token
in: query
required: true
description: "The id_token that represents the authenticated user.\r\n[MAG]: Mobile clients may omit this parameter; mag-identifier will be used instead."
schema:
type: string
-
name: id_token_type
in: query
required: false
description: The id_token_type to be invalidated. Currently ignored.
schema:
type: string
default: 'urn:ietf:params:oauth:grant-type:jwt-bearer'
responses:
'200':
description: Resource owner successfully logged out
content:
application/json:
schema:
type: object
properties:
session_status:
type: string
example: logged out
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, POST'
schema:
type: string
default: POST
'400':
description: Bad Request
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3006103 (missing or duplicate parameters), 3006107 (mag-identifier invalid), 3006134 (request did not match CORS requirements)'
schema:
type: string
default: '3006103'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'401':
description: The client could not be authenticated.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3006201 (client credentials invalid)'
schema:
type: string
default: '3006201'
WWW-Authenticate:
description: This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.
schema:
type: string
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3006203 (SSL required)'
schema:
type: string
default: '3006203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: POST
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: Unknown error.
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3006000'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
/.well-known/openid-configuration:
options:
tags:
- Authorization Server APIs
operationId: Options_getOpenIDDiscovery
description: CORS preflight request
parameters:
-
name: Access-Control-Request-Headers
in: header
required: true
description: The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.
schema:
type: string
-
name: Access-Control-Request-Method
in: header
required: true
description: The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.
schema:
type: string
-
name: Origin
in: header
required: true
description: The Origin request header indicates where a fetch originates from.
schema:
type: string
responses:
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, GET'
schema:
type: string
default: GET
'400':
description: Bad request
headers:
x-ca-err:
description: 'Custom error extension, possible values: 3008134 (request did not match CORS requirements)'
schema:
type: string
default: '3008134'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect Discovery endpoint
get:
tags:
- Authorization Server APIs
operationId: Get_OpenIDDiscovery
responses:
'200':
description: OpenID Discovery Configuration
content:
application/json:
schema:
$ref: '#/components/schemas/OpenIDDiscovery'
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3008203 (SSL required)'
schema:
type: string
default: '3008203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: GET
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: unknown error
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3008000'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect Discovery endpoint
description: "This endpoint follows the specification defined at http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. It provides a mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations."
/openid/connect/register:
options:
tags:
- Authorization Server APIs
operationId: Options_oidc_register
description: CORS preflight request
parameters:
-
name: Access-Control-Request-Headers
in: header
required: true
description: The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.
schema:
type: string
-
name: Access-Control-Request-Method
in: header
required: true
description: The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.
schema:
type: string
-
name: Origin
in: header
required: true
description: The Origin request header indicates where a fetch originates from.
schema:
type: string
responses:
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, POST'
schema:
type: string
default: POST
'400':
description: Bad request
headers:
x-ca-err:
description: 'Custom error extension, possible values: 3009134 (request did not match CORS requirements), 3009305 (jwks and jwks_uri must not be used together)'
schema:
type: string
default: '3009134'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect Dynamic Registration Configuration endpoint
post:
tags:
- Authorization Server APIs
description: 'This endpoint follows the specification defined at http://openid.net/specs/openid-connect-registration-1_0.html. It enables a client to dynamically register itself as an OAuth 2.0 client.'
operationId: Post_oidc_register
responses:
'201':
description: Successful registration including details about the registered values.
content:
application/json:
schema:
type: object
properties:
client_id:
type: string
example: 47231c87-74f3-4990-99ad-31e8a801e3b5
description: The registered client_id
client_secret_expires_at:
type: integer
example: 0
description: The timestamp in seconds indicating the time of expiration for this value. 0 indicates no expiration
client_secret:
type: string
example: e4cccd81-1d19-41e7-b4b0-488aa28af77b
description: The registered client_secret
registration_access_token:
type: string
example: db4b7554-e359-43ed-bbf6-1a50909ceeef
description: 'An access_token to be used at {registration_client_uri} to retrieve the registered information'
registration_client_uri:
type: string
example: 'https://mas.ca.com:8443/openid/connect/register/47231c87-74f3-4990-99ad-31e8a801e3b5'
description: The URI used to retrieve the registered values
client_id_issued_at:
type: integer
example: 1497455914
description: The timestamp in seconds indicating the time of registration
token_endpoint_auth_method:
type: string
example: client_secret_basic
description: 'The requested client authentication method for the token endpoint. Supports: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, none'
application_type:
type: string
example: web
description: The kind of application
redirect_uris:
type: array
items:
type: string
example:
- 'https://client.example.org/callback'
- 'https://client.example.org/callback2'
description: The array of redirection URI values used by this client
client_name:
type: string
example: 'https://whatever.com'
description: The name of the client to be presented to the end-user
subject_type:
type: string
example: pairwise
description: The subject type requested for responses to this client
contacts:
type: array
items:
type: string
example:
- user1@ca.com
- user2@ca.com
description: The array of e-mail addresses of people responsible for this client
response_types:
type: array
items:
type: string
example:
- code
- token_id_token
description: The array containing a list of the OAuth 2.0 response_type values that this client is declaring that it will restrict itself to using
grant_types:
type: array
items:
type: string
example:
- authorization_code
- implicit
description: The array containing a list of the OAuth 2.0 grant types that this client is declaring that it will restrict itself to using
id_token_signed_response_alg:
type: string
example: RS256
description: The algorithm required for signing the ID token issued to this client
environment:
type: string
example: ALL
description: 'The development environment of the client (e.g. IOS)'
organization:
type: string
example: 'https://organization.com'
description: The organization of the requestor
master:
type: boolean
example: false
description: The value identifies the client as being used as a master-key
description:
type: string
example: Registered via OpenID Connect Dynamic Registration
description: A description for this client
scope:
type: string
example: openid email profile openid_client_registration
description: A custom scope
'400':
description: Missing or invalid parameters.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3009114 (invalid or missing redirect_uri(s)), 3009133 (invalid json)'
schema:
type: string
default: '3009114'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3009203 (SSL required)'
schema:
type: string
default: '3009203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: POST
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'429':
description: Too many requests
headers:
x-ca-err:
description: 3009111 (too many requests)
schema:
type: string
default: '3009111'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: unknown error
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3009000'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect Dynamic Registration endpoint
requestBody:
content:
application/json:
schema:
type: object
properties:
redirect_uris:
type: array
items:
type: string
example:
- 'https://client.example.org/callback'
- 'https://client.example.org/callback2'
response_types:
type: array
items:
type: string
example:
- code
- token_id_token
grant_types:
type: array
items:
type: string
example:
- authorization_code
- implicit
application_type:
type: string
example: web
contacts:
type: array
items:
type: string
example:
- user1@ca.com
- user2@ca.com
client_name:
type: string
example: 'https://whatever.com'
subject_type:
type: string
example: pairwise
id_token_signed_response_alg:
type: string
example: RS256
token_endpoint_auth_method:
type: string
example: client_secret_basic
scope:
type: string
example: openid email profile openid_client_registration
organization:
type: string
example: 'https://organization.com'
description:
type: string
example: Registered via OpenID Connect Dynamic Registration
environment:
type: string
example: ALL
master:
type: boolean
example: false
description: Request body
required: true
'/openid/connect/register/{client_id}':
options:
tags:
- Authorization Server APIs
operationId: Options_oidc_register_config
description: CORS preflight request
parameters:
-
name: Access-Control-Request-Headers
in: header
required: true
description: The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.
schema:
type: string
-
name: Access-Control-Request-Method
in: header
required: true
description: The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.
schema:
type: string
-
name: Origin
in: header
required: true
description: The Origin request header indicates where a fetch originates from.
schema:
type: string
-
in: path
name: client_id
description: client_id that was returned in the client registration response
required: true
schema:
type: string
responses:
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, GET'
schema:
type: string
default: GET
'400':
description: Bad request
headers:
x-ca-err:
description: 'Custom error extension, possible values: 3009134 (request did not match CORS requirements)'
schema:
type: string
default: '3009134'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect Dynamic Registration Configuration endpoint
get:
tags:
- Authorization Server APIs
description: "This endpoint follows the specification defined at http://openid.net/specs/openid-connect-registration-1_0.html. It implements the 'registration_client_uri'."
operationId: Get_oidc_register_config
parameters:
-
in: header
name: authorization
description: "MUST be 'Bearer the-access_token'. The access_token was issued as part of the client registration and is SCOPE'd to 'openid_client_registration'"
required: true
schema:
type: string
-
in: path
name: client_id
description: client_id that was returned in the client registration response
required: true
schema:
type: string
responses:
'200':
description: Successful response including details about the client registration. Additional details may also be included.
content:
application/json:
schema:
type: object
properties:
client_id:
type: string
example: 47231c87-74f3-4990-99ad-31e8a801e3b5
description: The registered client_id
client_secret_expires_at:
type: integer
example: 0
description: The timestamp in seconds indicating the time of expiration for this value. 0 indicates no expiration
client_secret:
type: string
example: e4cccd81-1d19-41e7-b4b0-488aa28af77b
description: The registered client_secret
registration_client_uri:
type: string
example: 'https://mas.ca.com:8443/openid/connect/register/47231c87-74f3-4990-99ad-31e8a801e3b5'
description: The URI used to retrieve the registered values
client_id_issued_at:
type: integer
example: 1497455914
description: The timestamp in seconds indicating the time of registration
token_endpoint_auth_method:
type: string
example: client_secret_basic
description: 'The requested client authentication method for the token endpoint. Supports: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, none'
application_type:
type: string
example: web
description: The kind of application
redirect_uris:
type: array
items:
type: string
example:
- 'https://client.example.org/callback'
- 'https://client.example.org/callback2'
description: The array of redirection URI values used by this client
client_name:
type: string
example: 'https://whatever.com'
description: The name of the client to be presented to the end-user
subject_type:
type: string
example: pairwise
description: The subject type requested for responses to this client
contacts:
type: array
items:
type: string
example:
- user1@ca.com
- user2@ca.com
description: The array of e-mail addresses of people responsible for this client
response_types:
type: array
items:
type: string
example:
- code
- token_id_token
description: The array containing a list of the OAuth 2.0 response_type values that this client is declaring that it will restrict itself to using
grant_types:
type: array
items:
type: string
example:
- authorization_code
- implicit
description: The array containing a list of the OAuth 2.0 grant types that this client is declaring that it will restrict itself to using
id_token_signed_response_alg:
type: string
example: RS256
description: The algorithm required for signing the ID token issued to this client
environment:
type: string
example: ALL
description: 'The development environment of the client (e.g. IOS)'
organization:
type: string
example: 'https://organization.com'
description: The organization of the requestor
master:
type: boolean
example: false
description: The value identifies the client as being used as a master-key
description:
type: string
example: Registered via OpenID Connect Dynamic Registration
description: A description for this client
scope:
type: string
example: openid email profile openid_client_registration
description: A custom scope
'400':
description: Missing or invalid parameters.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3009117 (unauthorized client)'
schema:
type: string
default: '3009117'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'401':
description: Authentication or authorization failure.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3009201 (unknown client), 3009990 - 3009993 (invalid access_token)'
schema:
type: string
default: '3009201'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3009203 (SSL required)'
schema:
type: string
default: '3009203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
description: This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: GET
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: unknown error
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3009000'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect Dynamic Registration Configuration endpoint
/openid/connect/jwks.json:
options:
tags:
- Authorization Server APIs
operationId: Options_jwk_set_
description: CORS preflight request
parameters:
-
name: Access-Control-Request-Headers
in: header
required: true
description: The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.
schema:
type: string
-
name: Access-Control-Request-Method
in: header
required: true
description: The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.
schema:
type: string
-
name: Origin
in: header
required: true
description: The Origin request header indicates where a fetch originates from.
schema:
type: string
responses:
'204':
description: 'No Content, applicable to OPTIONS request with preflight configuration'
headers:
Access-Control-Allow-Methods:
description: 'Allowable Methods, GET'
schema:
type: string
default: GET
'400':
description: Bad request
headers:
x-ca-err:
description: 'Custom error extension, possible values: 3010134 (request did not match CORS requirements)'
schema:
type: string
default: '3010134'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect jwks endpoint
get:
tags:
- Authorization Server APIs
operationId: Get_jwk_set_
description: 'This endpoint implements the JWKS_URI as specified at http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata'
responses:
'200':
description: JWK set containing public keys that enable clients to validate a JSON Web Token (JWT) issued by this OpenID Connect Provider
content:
application/json:
schema:
type: object
properties:
                  keys:
                    type: array
                    description: JSON array of JWK objects (RFC 7517); the example below shows one RSA signing key
                    items:
                      type: object
                      properties:
                        kty:
                          type: string
                          description: Key type, RSA for the keys served by this endpoint
                        kid:
                          type: string
                          description: Key identifier; a client selects the verification key by matching it against the kid in the JWT header
                        use:
                          type: string
                          description: Intended use, sig for signature verification keys
                        'n':
                          type: string
                          description: RSA public modulus, base64url-encoded big-endian integer
                        e:
                          type: string
                          description: RSA public exponent, base64url-encoded big-endian integer
example:
-
kty: RSA
kid: default_ssl_key
use: sig
'n': 58BezRBeYOM3rOo1vcllcLc8QAwz6AmQj4EvGUqATMUz4bfYJ9Lf2wb9xCQhSLSkndfFAF5V754G0mRelBGK7yIja-M-EBXoJeT3nvwA46g7MkZGf11uP2dz2k4CkLdFHnlGzvuLQVBQpqbz-O_hFfEDxBk9zV4shR8O_iGv4fDi0dNHZfXzxkr_iH8Oj2qQeZFvv61I4RffeNmx04lYea2KFsF_8rWDlENWAr8RbqpY_y5lbxgC_xyBunTkoIEommqz55ZFIcklYerJUVSeIA90KMyM60wZh0JF_T5kuXEs-3AWh8Bkx-sVE2hu5S5x4_lADsPojLwWTT7or_sw9Q
e: AQAB
          description: JWK Set document (RFC 7517) whose keys member is a JSON array of JWK objects
'403':
description: Forbidden.
headers:
x-ca-err:
description: 'Custom error extension. Possible values: 3010203 (SSL required)'
schema:
type: string
default: '3010203'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'405':
description: The HTTP method is not valid
headers:
Allow:
              description: This header is required on a 405 response by RFC 7231 section 6.5.5 (which obsoletes RFC 2616) and contains a comma separated list of valid HTTP methods.
schema:
type: string
default: GET
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
'500':
description: unknown error
headers:
x-ca-err:
description: Custom error extension
schema:
type: string
default: '3010000'
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
summary: OpenID Connect jwks endpoint
servers:
-
url: 'https://${request.url.host}:${request.url.port}/'
variables:
request.url.host:
default: unknown
request.url.port:
default: unknown
components:
responses:
export200:
description: A JSON message including details about a client in order to configure it. The client_secret may or may not be included depending on the OAuth server configuration.
content:
application/json:
schema:
$ref: '#/components/schemas/ExportData'
auth302:
      description: >-
        On success, a redirect whose Location header points to the server that handles
        the authentication; the redirect parameter sessionData is a JWT whose payload has
        the structure of the SessionData schema shown below. On failure ('invalid
        mag-identifier', 'invalid scope', 'unsupported response type' or 'unauthorized
        client') the redirect may instead carry these query parameters: 'error' (string,
        default value invalid_request), 'error_description' (string describing the error),
        'state' (string with no default value; it is opaque to the server and returned
        exactly as received) and 'x-ca-err' (string, default 3000108).
headers:
location:
description: "Location (URL) includes these required parameters: action=(display or login depending on 'prompt' and 'id_token_hint') and sessionID and sessionData (a JWT containing a JSON message holding session data)"
schema:
type: string
Pragma:
description: Pragma directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache control directive
schema:
type: string
default: no-store
content:
application/json:
schema:
$ref: '#/components/schemas/SessionData'
authToken200:
description: 'A success response that includes the issued token, expire and other details from the OAuth Server'
headers:
Pragma:
description: Pragma browser directive
schema:
type: string
default: no-cache
Cache-Control:
description: Cache-Control browser directive
schema:
type: string
default: no-store
content:
application/json:
schema:
$ref: '#/components/schemas/TokenData'
securitySchemes:
OAuth2:
type: oauth2
flows:
implicit:
authorizationUrl: '${host_oauth2_auth_server}${oauth2_auth_path}'
scopes:
openid: For access to OpenId endpoints
email: Example data access
profile: Example data access
phone: Example data access
address: Example data access
schemas:
TokenData:
type: object
properties:
access_token:
type: string
description: The Access Token for the given token request
token_type:
type: string
description: The Token Type issued
example: Bearer
expires_in:
type: string
          description: 'Lifetime of the issued access token, in seconds from the time of issue'
example: '3600'
refresh_token:
type: string
description: 'The refresh token, if applicable'
scope:
type: string
description: The issued scope
example: oob
id_token:
type: string
description: "If the requested SCOPE included 'msso' or 'openid', response includes an id_token"
id_token_type:
type: string
description: "If the requested SCOPE included 'msso' or 'openid', response includes an id_token_type"
title: TokenData
SessionData:
required:
- session
- request_consent
- request_parameters
type: object
properties:
session:
$ref: '#/components/schemas/SessionObject'
request_consent:
$ref: '#/components/schemas/RequestConsentObject'
request_parameters:
$ref: '#/components/schemas/RequestParametersObject'
      title: SessionData
ExportData:
type: object
properties:
server:
$ref: '#/components/schemas/ServerObject'
oauth:
$ref: '#/components/schemas/OAuthObject'
custom:
$ref: '#/components/schemas/CustomObject'
title: ExportData
CustomObject:
type: object
properties:
mag_demo_products_endpoint_path:
type: string
description: MAG API demo endpoint
example: /protected/resource/products
oauth_demo_protected_api_endpoint_path:
type: string
description: OAuth API demo endpoint
example: /oauth/v2/protectedapi/foo
title: CustomObject
ServerObject:
type: object
properties:
hostname:
type: string
description: The hostname of the server
port:
type: string
description: The port of the server
prefix:
type: string
description: URL prefix
example: /urlprefix
server_certs:
type: string
description: The server certificate(s)
title: ServerObject
OAuthObject:
type: object
properties:
client:
$ref: '#/components/schemas/ClientObject'
system_endpoints:
$ref: '#/components/schemas/SystemEndpointsObject'
oauth_protected_endpoints:
$ref: '#/components/schemas/OAuthProtectedEndpointsObject'
title: OAuthObject
SystemEndpointsObject:
type: object
properties:
authorization_endpoint_path:
type: string
description: Authorization endpoint
example: /auth/oauth/v2/authorize
token_endpoint_path:
type: string
description: Token endpoint
example: /auth/oauth/v2/token
token_revocation_endpoint_path:
type: string
description: Token revocation endpoint
example: /auth/oauth/v2/token/revoke
usersession_logout_endpoint_path:
type: string
description: User logout endpoint
example: /connect/session/logout
title: SystemEndpointsObject
OAuthProtectedEndpointsObject:
type: object
properties:
userinfo_endpoint_path:
type: string
description: UserInfo endpoint
example: /openid/connect/v1/userinfo
usersession_status_endpoint_path:
type: string
description: User Session status endpoint
example: /connect/session/status
title: OAuthProtectedEndpointsObject
ClientObject:
type: object
properties:
        organization:
          type: string
          description: The organization of the client
        description:
          type: string
          description: A description for this client
        client_name:
          type: string
          description: The name of the client
        client_type:
          type: string
          description: The type of the client
        registered_by:
          type: string
          description: The id of the entity that registered the client
client_ids:
type: array
items:
$ref: '#/components/schemas/ClientIdObject'
title: ClientObject
ClientIdObject:
type: object
properties:
client_id:
type: string
description: A client id
example: 84695 ... b39770c3d
client_secret:
type: string
description: A client secret
example: abcde ... ldjjakkC
scope:
type: string
description: The scopes available for the client
example: openid email profile
redirect_uri:
type: string
description: The registered redirect_uri for the client
example: 'https://example.com/client/consent?state=23n23n...13k1j4'
        environment:
          type: string
          description: The environment in which this client_id is valid
          example: ALL
        status:
          type: string
          description: Whether this client_id is currently enabled
          example: ENABLED
registered_by:
type: string
description: The id of the entity that registered the client
title: ClientIdObject
SessionObject:
type: object
properties:
        sessionID:
          type: string
          description: The session ID; matches the sessionID parameter carried in the authorization redirect Location
        exp:
          type: string
          description: Expiry time of the session data
        current_username:
          type: string
          description: Username of the currently authenticated user
        current_user_consent:
          type: string
          description: Consent state of the current user
        current_user_role:
          type: string
          description: Role of the current user
        current_user_acr:
          type: string
          description: Authentication Context Class Reference (acr) under which the current user authenticated
        current_user_authTime:
          type: string
          description: Time at which the current user authenticated
        salt:
          type: string
          description: Salt value
        third_party_sso_token:
          type: string
          description: Single sign-on token obtained from a third party, if any
        third_party_sso_token_type:
          type: string
          description: Type of the third-party single sign-on token
title: SessionObject
RequestConsentObject:
type: object
properties:
client_name:
type: string
description: Client Name
scope_verified:
type: string
description: Valid scope for this client
title: RequestConsentObject
RequestParametersObject:
type: object
properties:
display:
type: string
description: Display Value
prompt:
type: string
description: Prompt Value
id_token_hint:
type: string
description: Id Token For Authenticated User
acr_values:
type: string
description: A List of ACR Values
client_id:
type: string
description: A Client ID
nonce:
type: string
description: A nonce
scope:
type: string
description: Requested Scope
title: RequestParametersObject
OpenIDDiscovery:
required:
- authorization_endpoint
- id_token_signing_alg_values_supported
- issuer
- jwks_uri
- response_types_supported
- subject_types_supported
- token_endpoint
type: object
properties:
userinfo_endpoint:
type: string
example: 'https://example.com:8443/openid/connect/v1/userinfo'
description: URL of the user info endpoint
jwks_uri:
type: string
example: 'https://example.com/openid/connect/jwks.json'
description: URL of JSON Web Key Set document
scopes_supported:
items:
type: string
type: array
example:
- openid
description: list of the OAuth 2.0 scope values that this server supports
subject_types_supported:
items:
type: string
type: array
example:
- pairwise
description: list of the Subject Identifier types that this OP supports
token_endpoint:
type: string
example: 'https://example.com:8443/auth/oauth/v2/token'
description: URL of the OAuth 2.0 token endpoint
id_token_signing_alg_values_supported:
items:
type: string
type: array
example:
- RS256
- HS256
description: list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT
response_types_supported:
items:
type: string
type: array
example:
- code
            - token id_token
          description: list of the OAuth 2.0 response_type values that this OP supports (multi-value types are space separated, as in the authorize endpoint's response_type enum)
claims_supported:
items:
type: string
type: array
example:
- sub
- iss
- auth_time
- acr
description: list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for
authorization_endpoint:
type: string
example: 'https://example.com:8443/auth/oauth/v2/authorize'
description: URL of the OAuth 2.0 authorization endpoint
issuer:
type: string
example: 'https://example.com'
description: "the identifier of the token's issuer. This is identical to the 'iss' Claim value in ID Tokens"
grant_types_supported:
items:
type: string
type: array
example:
- authorization_code
- implicit
description: list of the OAuth 2.0 Grant Type values that this OP supports
acr_values_supported:
items:
type: string
type: array
example:
- 'urn:mace:incommon:iap:silver'
description: list of the Authentication Context Class References that this OP supports
token_endpoint_auth_methods_supported:
items:
type: string
type: array
example:
- client_secret_basic
description: list of Client Authentication methods supported by this Token Endpoint
token_endpoint_auth_signing_alg_values_supported:
items:
type: string
type: array
example:
- RS256
description: list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
display_values_supported:
items:
type: string
type: array
example:
- page
- popup
description: list of the display parameter values that the OpenID Provider supports
claim_types_supported:
items:
type: string
type: array
example:
- normal
description: list of the Claim Types that the OpenID Provider supports
service_documentation:
type: string
example: 'http://masdemo12.dev.ca.com:8443/openid/connect/v1/service_documentation.html'
description: URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider
ui_locales_supported:
items:
type: string
type: array
example:
- en-US
- en-GB
description: Languages and scripts supported for the user interface
description: 'The OpenID configuration document as defined by the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata'
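The OpenIDDiscovery schema above lists the required provider metadata fields, notes that `none` must not appear among the token endpoint signing algorithms, and gives `RS256` and `HS256` as ID token signing algorithms. What follows is an added example, not code from the OTK spec or from its vendor: a small Python validator a relying party can run over a fetched discovery document before trusting any URL in it. It checks the required fields, that the issuer and endpoint URLs are https, that the issuer matches the location the document came from (OpenID Connect Discovery 1.0 section 4.3), that `response_types_supported` uses the space-separated values the authorize endpoint accepts, that `none` is absent, and it warns about `HS256`, whose ID tokens are keyed with the shared client_secret. `SAMPLE_DISCOVERY` is constructed from the example values in the schema, with one deliberately malformed response_type (`token_id_token` instead of `token id_token`) to show what the check catches; the `WELL_KNOWN` suffix is the standard discovery path and is an assumption about where the document is served.

```python
# Added example, not code from the OTK spec: sanity checks a relying party should run on the
# OpenID provider metadata (the OpenIDDiscovery schema above) before trusting any of its URLs.
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("authorization_endpoint", "id_token_signing_alg_values_supported", "issuer",
                   "jwks_uri", "response_types_supported", "subject_types_supported", "token_endpoint")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")
# response_type values accepted by /auth/oauth/v2/authorize; multi-value types are space separated
KNOWN_RESPONSE_TYPES = {"code", "token", "token id_token", "code id_token", "id_token",
                        "code token", "code id_token token", "none"}
WELL_KNOWN = "/.well-known/openid-configuration"  # assumed discovery path


def issuer_from_config_url(config_url):
    """Discovery 4.3: the issuer must equal the URL the document was fetched from, minus the well-known path."""
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError("not an openid-configuration URL")
    return config_url[: -len(WELL_KNOWN)]


def check_discovery(doc, expected_issuer=None):
    """Return a list of problems; an empty list means the document passed every check."""
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in doc]
    for f in URL_FIELDS:
        if f in doc and urlsplit(doc[f]).scheme != "https":
            problems.append(f"{f} must be an https URL")
    iss = doc.get("issuer")
    if isinstance(iss, str):
        u = urlsplit(iss)
        if u.query or u.fragment:
            problems.append("issuer must not carry a query or fragment")
        if expected_issuer is not None and iss != expected_issuer:
            problems.append(f"issuer {iss!r} does not match the location the document was fetched from")
    for rt in doc.get("response_types_supported", []):
        if rt not in KNOWN_RESPONSE_TYPES:
            problems.append(f"unknown response_type {rt!r}; multi-value types are space separated, e.g. 'token id_token'")
    for f in ("id_token_signing_alg_values_supported", "token_endpoint_auth_signing_alg_values_supported"):
        if "none" in doc.get(f, []):
            problems.append(f"'none' must not appear in {f}")
    if "HS256" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("warning: HS256 id_tokens are keyed with the client_secret; pin RS256 in the relying party")
    return problems


# Constructed from the OpenIDDiscovery example values, with one deliberately malformed
# response_type ('token_id_token' instead of 'token id_token') so the check has something to catch.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com:8443/auth/oauth/v2/authorize",
    "token_endpoint": "https://example.com:8443/auth/oauth/v2/token",
    "userinfo_endpoint": "https://example.com:8443/openid/connect/v1/userinfo",
    "jwks_uri": "https://example.com/openid/connect/jwks.json",
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
    "response_types_supported": ["code", "token_id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    expected = issuer_from_config_url("https://example.com" + WELL_KNOWN)
    for problem in check_discovery(SAMPLE_DISCOVERY, expected):
        print("-", problem)
```

Run against the sample, the validator reports exactly two findings: the malformed response_type and the HS256 warning. The issuer comparison is the check most often skipped in practice; without it a document fetched from one host can point the client at a token endpoint and JWKS on another.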
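The JWKS endpoint (GET /openid/connect/jwks.json) publishes the RSA public keys that let a client validate an id_token issued by this provider, and the discovery metadata lists both RS256 and HS256 as ID token signing algorithms. The following is an added example, not code from the OTK spec or from its vendor: a standard-library-only Python relying-party verifier that pins the algorithm to RS256 (so a token presenting alg none, or HS256 keyed with the public modulus, is refused before any key is looked up), selects the key by kid from a JWK Set shaped like the example above, verifies the RS256 signature, and then checks iss, aud and exp. RS256 (RFC 8017 PKCS#1 v1.5 over SHA-256) is implemented directly so the example runs offline. The kid default_ssl_key and issuer https://example.com are taken from the spec's examples; the key pair, the client_id demo-client and the claims are constructed for the demo, and the key generator exists only to make the demo self-contained, not to produce production keys.

```python
# Added example, not code from the OTK spec: relying-party verification of an id_token against the
# JWK Set served by GET /openid/connect/jwks.json. Standard library only; key material is demo-only.
import base64, hashlib, hmac, json, secrets, time

ALLOWED_ALGS = {"RS256"}  # pinned by the RP: discovery also lists HS256, never honour it for id_tokens
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 s9.2

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def int_to_bytes(x): return x.to_bytes((x.bit_length() + 7) // 8, "big")

def is_probable_prime(n, rounds=32):  # Miller-Rabin, adequate for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def gen_prime(bits):  # random odd candidates of exactly `bits` bits until one passes
    return next(c for c in iter(lambda: secrets.randbits(bits) | (1 << (bits - 1)) | 1, None) if is_probable_prime(c))

def gen_rsa_key(bits=1024):  # returns (n, e, d); 1024 bits keeps the demo quick, real keys are >= 2048
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)

def emsa_pkcs1_v15(msg, k):  # EM = 0x00 0x01 PS 0x00 DigestInfo||H(msg), PS = 0xff bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))  # compare the whole EM; no padding parser

def mint_id_token(claims, n, d, kid, alg="RS256"):  # issuer side; 'none' / 'HS256' model downgrade attempts
    h64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    si = f"{h64}.{p64}".encode()
    if alg == "RS256":
        sig = rs256_sign(si, n, d)
    elif alg == "HS256":
        sig = hmac.new(int_to_bytes(n), si, hashlib.sha256).digest()  # key confusion: HMAC keyed with the public modulus
    else:
        sig = b""
    return f"{h64}.{p64}.{b64url_encode(sig)}"

def verify_id_token(token, jwks, issuer, client_id, now=None):  # RP side: alg pin, kid lookup, signature, claims
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("use", "sig") == "sig" and k.get("kid") == header.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique RSA signing key for kid")
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def run_scenarios():  # constructed demo: one good token and six that a correct verifier must reject
    n, e, d = gen_rsa_key()
    kid, issuer, client_id = "default_ssl_key", "https://example.com", "demo-client"
    # same shape as the JWKS example in the spec
    jwks = {"keys": [{"kty": "RSA", "kid": kid, "use": "sig", "n": b64url_encode(int_to_bytes(n)), "e": b64url_encode(int_to_bytes(e))}]}
    now = int(time.time())
    claims = {"iss": issuer, "sub": "alice", "aud": client_id, "iat": now, "exp": now + 300}
    good = mint_id_token(claims, n, d, kid)
    h64, _, s64 = good.split(".")
    forged = b64url_encode(json.dumps({**claims, "sub": "mallory"}, separators=(",", ":")).encode())
    cases = {
        "valid": good,
        "payload_tampered": f"{h64}.{forged}.{s64}",  # genuine RS256 signature over different claims
        "alg_none": mint_id_token(claims, n, d, kid, alg="none"),
        "alg_hs256_key_confusion": mint_id_token(claims, n, d, kid, alg="HS256"),
        "unknown_kid": mint_id_token(claims, n, d, "rotated_key"),
        "wrong_audience": mint_id_token({**claims, "aud": "other-client"}, n, d, kid),
        "expired": mint_id_token({**claims, "exp": now - 1}, n, d, kid),
    }
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = "accepted sub=" + verify_id_token(tok, jwks, issuer, client_id)["sub"]
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

`run_scenarios()` returns the verifier's verdict for each token; only `valid` is accepted. The order of checks matters: the algorithm is pinned before the header's kid is used to pick a key, so an attacker cannot steer the verifier to an HMAC path with a key it already holds, and the signature is checked before any claim is trusted, so the forged subject never reaches the claim checks. The verifier compares the entire encoded message rather than parsing the PKCS#1 padding, which avoids the lenient-padding class of RSA verification bugs.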