OAuth Server API Endpoints

 The Swagger representation is created from a static JSON file. It does not access the API endpoints of a running Gateway. For further understanding of the OAuth APIs and the responses, access the 
/apidocs
 endpoint on your Gateway. 
otk43
 outputclass="supportedSubmitMethods">none
{ "openapi": "3.0.2", "info": { "title": "OTK Server APIs", "version": "4.3.1", "description": "All API's available in OAuth Toolkit server" }, "paths": { "/auth/oauth/v2/authorize": { "get": { "tags": [ "Authorization Server APIs" ], "description": "Initializes an OAuth 2.0 flow using a response_type. See RFC 6749 (https://tools.ietf.org/html/rfc6749) for more details.", "operationId": "Get_request_authorization", "parameters": [ { "name": "mag-identifier", "in": "header", "required": false, "x-is-map": false, "description": "The mag-identifier is used in conjunction with response_type 'code'. This field is required for Mobile clients. It must represent a valid registered mobile device. A client is identified as a mobile client if its registered SCOPE includes 'msso'.", "schema": { "type": "string" } }, { "name": "client_id", "in": "query", "required": true, "x-is-map": false, "description": "This is the 'client_id' of the requesting client. Maximum 255 characters.", "schema": { "type": "string" } }, { "name": "response_type", "in": "query", "required": true, "x-is-map": false, "description": "MUST be one of the listed available values. Any response_type other than 'code' or 'token' is only supported in conjunction with scope=openid. As per the OAuth specification: 'code' is used for authorization code grant type flow, 'token' is used for implicit grant type flow, 'token id_token' is an extension provided by OpenID Connect, and 'code id_token', 'id_token', and 'none' are extensions provided by OpenID Connect Multiple Response Types", "schema": { "type": "string", "enum": [ "code", "token", "token id_token", "code id_token", "id_token", "code token", "code id_token token", "none" ] } }, { "name": "response_mode", "in": "query", "required": false, "x-is-map": false, "description": "Specify the method of returning the authorization response. As per the OpenID specification, use of this parameter is NOT RECOMMENDED if you are using the same response mode as the default response mode for the given response type. It MUST be one of the listed values in order to be accepted: 'query', 'fragment', 'form_post'.", "schema": { "type": "string", "enum": [ "query", "fragment", "form_post" ] } }, { "name": "redirect_uri", "in": "query", "required": false, "x-is-map": false, "description": "The 'redirect_uri' that was registered for this client. It is required if multiple redirect_uri's have been registered for this client. If the scope contains openid, this field becomes MANDATORY.", "schema": { "type": "string" } }, { "name": "scope", "in": "query", "required": false, "x-is-map": false, "description": "Only SCOPE values that were registered for this client will be granted. If only non-matching SCOPE values are requested, the request will fail.", "schema": { "type": "string" } }, { "name": "nonce", "in": "query", "required": false, "x-is-map": false, "description": "This is required for response_type 'token id_token'. Typically, in an OpenID authorization scheme, the nonce represents a cryptographically strong random string that is used to prevent intercepted responses from being reused.", "schema": { "type": "string" } }, { "name": "display", "in": "query", "required": false, "x-is-map": false, "description": "This is optional and used within the context of OpenID Connect (ie, response_type 'token id_token'). This parameter is not used here but forwarded to the /authorize/login API. Currently only 'page', 'social_login' (MAG only) and 'local' (MAG only) are supported by default. The value 'social_login' will create a JSON message response instead of an HTML page containing a list of social login providers. The value 'local' will prevent the authorization server from displaying the social login buttons. This is the case if a user selected the local enterprise button for logging in.", "schema": { "type": "string", "enum": [ "", "page", "social_login", "local" ], "default": "" } }, { "name": "prompt", "in": "query", "required": false, "x-is-map": false, "description": "This is used within the context of OpenID Connect. Indicates whether the server should prompt for login/consent. It is a space separated list of different values. The server supports the values 'none', 'login' and 'consent'. 'none' is only respected if 'id_token_hint' is not empty. 'consent' is only respected if the current user has an active OAuth session using the same client and the same SCOPE.", "schema": { "type": "string", "default": "login consent" } }, { "name": "id_token_hint", "in": "query", "required": false, "x-is-map": false, "description": "This is used within the context of OpenID Connect. Contains a previously issued id_token. This parameter is only respected for 'prompt=none' or 'prompt=none consent'.", "schema": { "type": "string" } }, { "name": "acr_values", "in": "query", "required": false, "x-is-map": false, "description": "This is used within the context of OpenID Connect. Indicates which acr (additional cryptography) classes are acceptable for the user authentication. It is a space separated list of different values.", "schema": { "type": "string" } }, { "name": "code_challenge", "in": "query", "required": false, "x-is-map": false, "description": "The code_challenge value in the context of PKCE (RFC 7636).", "schema": { "type": "string" } }, { "name": "code_challenge_method", "in": "query", "required": false, "x-is-map": false, "description": "The method that was used to create the code_challenge (plain or S256).", "schema": { "type": "string" } }, { "name": "state", "in": "query", "required": false, "x-is-map": false, "description": "Value opaque to the server, used by the client to track its session. It will be returned as received.", "schema": { "type": "string" } }, { "name": "login_hint", "in": "query", "required": false, "x-is-map": false, "description": "A suggested username. This parameter is described in the OpenID Connect core specification.", "schema": { "type": "string" } } ], "responses": { "200": { "description": "OK", "headers": { "location": { "description": "Location (URL) includes these required parameters: action=(display or login depending on 'prompt' and 'id_token_hint') and sessionID and sessionData (a JWT containing a JSON message holding session data)", "schema": { "type": "string" } } } }, "302": { "$ref": "#/components/responses/auth302" }, "400": { "description": "Invalid parameters | Invalid redirect_uri | invalid client type | invalid response type | invalid code_challenge/method", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3000103 (missing or invalid parameters), 3000112 (code_challenge or code_challenge_method invalid), 3000114 (invalid redirect uri), 3000116 (invalid response type), 3000130 (invalid client type)", "schema": { "type": "string", "default": "3000130" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The client could not be authenticated.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3000201 (client could not be authenticated), 3000306 (The given JWT for client authentication is invalid), 3000307 (Request is a replay attack), 3000308(Replay attack protection could not be applied)", "schema": { "type": "string", "default": "3000201" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3000203 (SSL required)", "schema": { "type": "string", "default": "3000203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "GET,POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "unknown error", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3000000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/openid/connect/v1/userinfo": { "get": { "tags": [ "Resource Server APIs" ], "description": "This API reflects an implementation according to OpenID Connect. This endpoint returns a message with user details. The content depends on the SCOPE associated with the given access_token.\nIMPORTANT: The API will fail if no active id_token is available for the associated user.\nFor more information refer to this website: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo", "operationId": "Get_userinfo", "parameters": [ { "name": "authorization", "in": "header", "required": true, "description": "A valid access_token (e.g.: authorization: Bearer access-token-value). The access_token must have the 'openid' scope. Other valid scope values are 'email', 'address', 'phone', and 'profile'. In addition to those scope values, 'user_role' is supported. The 'user_role' scope is an extension for OTK/MAG and returns the role of the user.", "schema": { "type": "string" } } ], "responses": { "200": { "description": "A JSON message containing details about the user. The content depends on the scope associated with the access_token.", "content": { "application/json": { "schema": { "properties": { "sub": { "type": "string", "example": "248289761001" }, "name": { "type": "string", "example": "Jane Doe" }, "given_name": { "type": "string", "example": "Jane" }, "family_name": { "type": "string", "example": "Doe" }, "preferred_username": { "type": "string", "example": "j.doe" }, "email": { "type": "string", "example": "[email protected]" }, "picture": { "type": "string", "example": "http://example.com/janedoe/me.jpg" } } } } } }, "400": { "description": "A CORS request failed.", "headers": { "x-ca-err": { "description": "Custom error header. Possible value: 134", "schema": { "type": "string", "default": "134" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } }, "content": { "application/json": { "schema": { "properties": { "error": { "type": "string", "example": "invalid_request" }, "error_description": { "type": "string", "example": "The request did not match CORS requirements" } } } } } }, "401": { "description": "The given token is not valid. The error code may be 990, 991, 992, 993.", "headers": { "x-ca-err": { "description": "Custom error header. Possible value: 990", "schema": { "type": "string", "default": "990" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } }, "content": { "application/json": { "schema": { "properties": { "error": { "type": "string", "example": "invalid_request" }, "error_description": { "type": "string", "example": "Validation error" } } } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error header. Possible value: 203", "schema": { "type": "string", "default": "203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } }, "content": { "application/json": { "schema": { "properties": { "error": { "type": "string", "example": "invalid_request" }, "error_description": { "type": "string", "example": "SSL is required" } } } } } }, "405": { "description": "HTTP method is not valid. The Allow header is required by [RFC 2616](https://tools.ietf.org/html/rfc2616).", "headers": { "Allow": { "description": "Comma-separated list of allowed HTTP methods.", "schema": { "type": "string", "default": "POST,GET" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error. This also occurs if the user does not have an active session, id_token, on the server.", "headers": { "x-ca-err": { "description": "Custom error header. Possible value: 000", "schema": { "type": "string", "default": "000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/auth/oauth/health": { "get": { "tags": [ "Authorization Server APIs" ], "description": "An endpoint that can be used to verify your OAuth authentication flow is working correctly. Is only usable if the Gateway cluster property otk.health.apikey is defined. The Gateway cluster property otk.port.health should also be set if it does not match the default 8443.", "operationId": "Get_request_health_check", "parameters": [ { "name": "apikey", "in": "query", "required": true, "description": "Key that needs to be used to perform health check.", "schema": { "type": "string", "default": "Empty" } } ], "responses": { "200": { "description": "Responds with no content" }, "500": { "description": "Responds with \"error\". This can be due to missing or incorrect API key. Check audit log messages for more information." }, "503": { "description": "Responds with \"error\". Returned on health check failure. This can be returned due to bad database configuration, bad certification configuration, etc. Check the audit log messages for more information." } } } }, "/auth/oauth/v2/authorize/login": { "get": { "tags": [ "Authorization Server APIs" ], "description": "Receives a request as the result of a redirect from the /auth/oauth/v2/authorize endpoint. Creates a login page or forwards a request to the consent screen.", "operationId": "Get_request_authorize_login", "parameters": [ { "name": "action", "in": "query", "required": true, "x-is-map": false, "description": "", "schema": { "type": "string", "default": "display" } }, { "name": "sessionID", "in": "query", "required": true, "x-is-map": false, "description": "The current session which was initiated at the initial authorization request.", "schema": { "type": "string" } }, { "name": "sessionData", "in": "query", "required": true, "x-is-map": false, "description": "A signed JSON Web Token (JWT) which contains a JSON structure holding values initially received and validated at authorize.", "schema": { "type": "string" } } ], "responses": { "200": { "description": "Responds with authentication form" }, "400": { "description": "invalid parameters | The session has expired or already been granted", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3001103 (missing or duplicate parameters), 3001110 (session expired)", "schema": { "type": "string", "default": "3001103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3001203 (SSL required)", "schema": { "type": "string", "default": "3001203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3001000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } }, "post": { "tags": [ "Authorization Server APIs" ], "description": "Authenticates a user during the OAuth 2.0 response_type flow OR Authenticates a user during the OAuth 2.0 response_type using a social platform.", "operationId": "Post_request_authorize_login", "parameters": [ { "name": "action", "in": "query", "required": true, "x-is-map": false, "description": "Display the login screen, Authenticate the user (login), Cancel the login process or Reset", "schema": { "type": "string", "enum": [ "reset", "display", "login", "cancel" ], "default": "login" } }, { "name": "username", "in": "query", "required": false, "x-is-map": false, "description": "The username of the user to authenticate.", "schema": { "type": "string" } }, { "name": "password", "in": "query", "required": false, "x-is-map": false, "description": "The password for user authentication.", "schema": { "type": "string", "format": "password" } }, { "name": "sessionID", "in": "query", "required": true, "x-is-map": false, "description": "The current session which was initiated at the initial authorization request.", "schema": { "type": "string" } }, { "name": "sessionData", "in": "query", "required": true, "x-is-map": false, "description": "A signed JSON Web Token (JWT) which contains a JSON structure holding values initially received and validated at authorize.", "schema": { "type": "string" } }, { "name": "code", "in": "query", "required": false, "x-is-map": false, "description": "An OAuth 2.0 authorization_code issued by a social login provider.", "schema": { "type": "string" } }, { "name": "provider", "in": "query", "required": false, "x-is-map": false, "description": "The social login provider that issued the 'code'. This value is specified as part of the redirect_uri configured with each social login provider.", "schema": { "type": "string" } }, { "name": "response_mode", "in": "query", "required": false, "x-is-map": false, "description": "Specify the method of returning the authorization response. As per the OpenID specification, use of this parameter is NOT RECOMMENDED if you are using the same response mode as the default response mode for the given response type. It MUST be one of the listed values in order to be accepted: 'query', 'fragment', 'form_post'.", "schema": { "type": "string", "enum": [ "query", "fragment", "form_post" ] } }, { "name": "oauth_token", "in": "query", "required": false, "x-is-map": false, "description": "OAuth 1.0 token when the social login provider is used with OAuth 1.0.", "schema": { "type": "string" } }, { "name": "oauth_verifier", "in": "query", "required": false, "x-is-map": false, "description": "OAuth 1.0 verifier when the social login provider is used with OAuth 1.0.", "schema": { "type": "string" } } ], "responses": { "200": { "description": "Authenticates a user during the OAuth 2.0 response_type flow OR if authentication was successful the API auto-form posts to the API that handles the consent screen, /authorize/consent (login via social provider)", "headers": { "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "302": { "description": "Authentication Denied, If the redirect_uri is not available, the server displays an HTML page showing the error and error_description. The HTTP status will be '400'", "headers": { "location": { "description": "Location (URL) has the 'error', 'error_description' and 'state' (if provided) parameters attached.", "schema": { "type": "string" } }, "x-ca-err": { "description": "Custom error extension. Possible values: 3001103 (missing or duplicate parameters), 3001116 (invalid response type)", "schema": { "type": "string", "default": "3001103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "400": { "description": "Invalid parameters | The session has expired or already been granted | invalid response type ", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3001103 (missing or duplicate parameters), 3001116 (invalid response type)", "schema": { "type": "string", "default": "3001103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The resource owner could not be authenticated. An HTML page displaying an authentication error will be returned.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3001202" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3001203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3001000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/auth/oauth/v2/authorize/consent": { "post": { "tags": [ "Authorization Server APIs" ], "description": "Handles the 'deny' and 'grant' result of a resource owner's decision at the consent page when 'action' is: 'consent', the API returns an HTML page for the user to grant or deny the request. 'grant', the API handles the 'grant' result of the owner's decision at the consent page. 'deny', the API handles the 'deny' result of the owner's decision at the consent page.", "operationId": "Post_request_authorize_consent", "parameters": [ { "name": "response_mode", "in": "query", "required": false, "x-is-map": false, "description": "Specify the method of returning the authorization response. As per the OpenID specification, use of this parameter is NOT RECOMMENDED if you are using the same response mode as the default response mode for the given response type. It MUST be one of the listed values in order to be accepted: 'query', 'fragment', 'form_post'.", "schema": { "type": "string", "enum": [ "query", "fragment", "form_post" ] } } ], "responses": { "200": { "description": "Success, redirect to client redirect url", "headers": { "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "302": { "description": "Access was denied, redirect to client redirect with error", "headers": { "location": { "description": "If 'action' is 'grant': the redirect location will include the query parameters: state(if provided) and code. In the 'implicit' response flow, the query parameters include: redirect_uri, access_token, expires_in, token_type, scope, id_token, id_token_type and state. \r\nIf 'action' is 'deny': the redirect will location include the 'x-ca-err', 'error', 'error_description' and 'state' (if provided) parameters. In such a case the 'error' is 'access_denied'", "schema": { "type": "string" } }, "x-ca-err": { "description": "Custom error extension. Possible values: 3002116 (invalid response type)", "schema": { "type": "string", "default": "3002116" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "400": { "description": "Invalid parameters", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3002103 (missing or duplicate parameters), 3002110 (session expired), 3002116 (invalid response type), 3002135 (token limit reached)", "schema": { "type": "string", "default": "3002103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The resource owner could not be authenticated. An HTML page displaying an authentication error will be returned.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3002202 (resource owner could not be authenticated)", "schema": { "type": "string", "default": "3002202" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3002203 (SSL required)", "schema": { "type": "string", "default": "3002203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3002203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "requestBody": { "content": { "application/x-www-form-urlencoded": { "schema": { "type": "object", "properties": { "action": { "description": "Deny or Grant the resource with scope requested.", "type": "string", "enum": [ "deny", "grant" ], "default": "grant" }, "sessionID": { "type": "string" }, "sessionData": { "description": "A signed JSON Web Token (JWT) which contains a JSON structure holding values initially received and validated at authorize.", "type": "string" } }, "required": [ "action", "sessionID", "sessionData" ] } } } } } }, "/auth/oauth/v2/token": { "post": { "tags": [ "Token Server APIs" ], "description": "Request access_token or refresh_token using OAuth 2.0 grant_type: password authorization_code refresh_token client_credentials urn:ietf:params:oauth:grant-type:jwt-bearer urn:ietf:params:oauth:grant-type:saml2-bearer. See RFC 6749 for more details.", "operationId": "Create_request_token", "parameters": [ { "name": "mag-identifier", "in": "header", "required": false, "x-is-map": false, "description": "[MAG]\r\n[MAG]: mobile clients MUST use this header. It must represent a valid registered device. This grant_type, however, is not supported by MAG", "schema": { "type": "string" } }, { "name": "authorization", "in": "header", "required": false, "x-is-map": false, "description": "The HTTP basic authorization header containing the client credentials as base64 encoded string (authorization: Basic base64(client_id:client_secret)). This can only be used INSTEAD of the parameters 'client_id', 'client_secret'.", "schema": { "type": "string" } }, { "name": "client_id", "in": "query", "required": false, "x-is-map": false, "description": "The client_id. This can only be used INSTEAD of using the authorization header. Maximum 255 characters.", "schema": { "type": "string" } }, { "name": "client_secret", "in": "query", "required": false, "x-is-map": false, "description": "The client_secret. This can only be used INSTEAD of using the authorization header.", "schema": { "type": "string" } }, { "name": "grant_type", "in": "query", "required": true, "x-is-map": false, "description": "For grant_type=password either authorization or client_id AND client_secret, username and password must be provided. For grant_type=client_credentials, either authorization or client_id AND client_secret must be provided. For grant_type=authorization_code: client_id, client_secret, code, and redirect_uri are required. For grant_type=refresh_token: client_id and refresh_token are required. For grant_type=jwt or saml2-bearer: client_id and assertion are required", "schema": { "type": "string", "enum": [ "password", "refresh_token", "authorization_code", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:saml2-bearer" ], "default": "password" } }, { "name": "code", "in": "query", "required": false, "x-is-map": false, "description": "Required if grant_type is authorization_code", "schema": { "type": "string" } }, { "name": "redirect_uri", "in": "query", "required": false, "x-is-map": false, "description": "Required if grant_type is authorization_code. Must contain a valid auth code", "schema": { "type": "string" } }, { "name": "scope", "in": "query", "required": false, "x-is-map": false, "description": "Only SCOPE values that were registered for this client will be granted. If only non-matching SCOPE values are requested, the request will fail.", "schema": { "type": "string" } }, { "name": "username", "in": "query", "required": false, "x-is-map": false, "description": "If grant_type is password or client_credentials, this parameter must contain a valid username ", "schema": { "type": "string" } }, { "name": "password", "in": "query", "required": false, "x-is-map": false, "description": "If grant_type is password or client_credentials, this parameter must contain a valid password", "schema": { "type": "string", "format": "password" } }, { "name": "assertion", "in": "query", "required": false, "x-is-map": false, "description": "If grant_type is saml2-bearer or jwt, this parameter must contain a base64 encoded SAML or JWT token that represents an authenticated resource owner.", "schema": { "type": "string" } }, { "name": "refresh_token", "in": "query", "required": false, "x-is-map": false, "description": "If grant_type is refresh_token, this parameter must contain a valid refresh_token.", "schema": { "type": "string" } }, { "name": "code_verifier", "in": "query", "required": false, "x-is-map": false, "description": "A random value of 43-256 characters. See https://tools.ietf.org/html/rfc7636#section-4 for details. This parameter is required only when a code_challenge is provided with the authorization request for this session.", "schema": { "type": "string" } } ], "responses": { "200": { "$ref": "#/components/responses/authToken200" }, "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, POST", "schema": { "type": "string", "default": "POST" } } } }, "400": { "description": "Bad Request, see x-ca-err for possible error codes", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3003103 (missing or duplicate parameters), 3003107 (invalid mag-identifier), 3003113 (invalid grant), 3003115 (no registered scope value for client), 3003119 (grant type not supported), 3003134 (request did not match CORS requirements), 3003135 (token limit reached), 3003201 (client credentials not valid),", "schema": { "type": "string", "default": "3003107" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The client could not be authenticated.", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3003201 (Invalid or Missing credentials), 3003202 (Resource owner could not be authenticated)", "schema": { "type": "string", "default": "3003202" } }, "WWW-Authenticate": { "description": "This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.", "schema": { "type": "string" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3003203 (SSL is required)", "schema": { "type": "string", "default": "3003203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3003000 (Request failed due to unknown reason)", "schema": { "type": "string", "default": "3003000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/auth/oauth/v2/token/revoke": { "post": { "tags": [ "Token Server APIs" ], "description": "Revoke an access_token or refresh_token. See RFC 7009 for more details. Section 2.3 of that RFC is not supported.", "operationId": "revoke_token", "parameters": [ { "name": "authorization", "in": "header", "required": false, "x-is-map": false, "description": "The HTTP basic authorization header containing the client credentials as base64 encoded string (authorization: Basic base64(client_id:client_secret)). For public clients the 'client_id' parameter can be used. This header is required if no client parameters are used.", "schema": { "type": "string" } }, { "name": "client_id", "in": "query", "required": false, "x-is-map": false, "description": "This parameter can be used with 'client_secret' instead of the authorization header. Maximum 255 characters.", "schema": { "type": "string" } }, { "name": "client_secret", "in": "query", "required": false, "x-is-map": false, "description": "This parameter is required when 'client_id' is used. Optional for public clients.", "schema": { "type": "string" } }, { "name": "token", "in": "query", "required": true, "x-is-map": false, "description": "The token as it was issued.", "schema": { "type": "string" } }, { "name": "token_type_hint", "in": "query", "required": true, "x-is-map": false, "description": "Valid values are 'access_token' and 'refresh_token'.", "schema": { "type": "string" } } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "type": "object", "properties": { "result": { "type": "string", "example": "revoked" } } } } } }, "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, POST, DELETE", "schema": { "type": "string", "default": "POST" } } } }, "400": { "description": "Bad request", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3004103 (Missing or duplicate parameters), 3004117 (Client lacks authorization for request), 3003134 (request did not match CORS requirements)", "schema": { "type": "string", "default": "3004103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The client could not be authenticated.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3004201 (Invalid or missing credentials)", "schema": { "type": "string", "default": "3004103" } }, "WWW-Authenticate": { "description": "This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.", "schema": { "type": "string" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3004203 (SSL is required)", "schema": { "type": "string", "default": "3004203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "503": { "description": "unsupported token type", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3002203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/auth/oauth/v2/client/export": { "get": { "tags": [ "Token Server APIs" ], "description": "The endpoint returns details about a registered OAuth client. This endpoint is disabled by default. If requests fail due to an unknown endpoint, contact the system administrator.", "operationId": "Get_client_details_export_", "parameters": [ { "name": "authorization", "in": "header", "required": true, "description": "The HTTP basic authorization header containing resource_owner credentials as base64 encoded string (authorization: Basic base64(username:password)). Depending on the server configuration this header may not be required.", "schema": { "type": "string" } }, { "name": "client_id", "in": "query", "required": true, "x-is-map": false, "description": "The client_id for which details are requested.", "schema": { "type": "string" } } ], "responses": { "200": { "$ref": "#/components/responses/export200" }, "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, POST, GET", "schema": { "type": "string", "default": "POST" } } } }, "400": { "description": "Bad Request", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3005103 (missing or invalid parameters), 3005132 (invalid server configuration), 3005134 (request does not match CORS requirements), ", "schema": { "type": "string", "default": "3005103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The client is invalid | The resource owner could not be authenticated", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3005201 (client is unknown or invalid), 3005202 (resource owner could not be authenticated)", "schema": { "type": "string", "default": "3005201" } }, "WWW-Authenticate": { "description": "This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.", "schema": { "type": "string" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3005203 (SSL required)", "schema": { "type": "string", "default": "3005203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "GET | POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3005000 (unknown error)", "schema": { "type": "string", "default": "3002203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/connect/session/status": { "get": { "tags": [ "Resource Server APIs" ], "description": "The client requests the session status by passing in the id_token of the authenticated user. This informs the client if the resource owner is logged in and has a valid session. The session may be active or not existing.", "operationId": "Get_resource_owner_session_status_", "parameters": [ { "name": "authorization", "in": "header", "required": true, "description": "A valid access_token (e.g.: authorization: Bearer access-token-value)", "schema": { "type": "string" } }, { "name": "id_token", "in": "query", "required": true, "description": "The id_token of the resource owner", "schema": { "type": "string" } }, { "name": "id_token_type", "in": "query", "required": false, "description": "The id_token_type to be invalidated. Required if not default type.", "schema": { "type": "string", "default": "urn:ietf:params:oauth:grant-type:jwt-bearer" } } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "type": "object", "properties": { "session": { "type": "string", "description": "Session is active", "example": "active" }, "session_status": { "type": "string", "description": "Session does not exist", "example": "none" } } } } } }, "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, POST or GET", "schema": { "type": "string", "default": "GET" } } } }, "400": { "description": "Bad Request", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3007103 (missing or duplicate parameters), 3007134 (request did not match CORS requirements)", "schema": { "type": "string", "default": "3007103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The given token is not valid. The error code may be 1003990, 1003991, 1003992, 1003993", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3007990 (validation error), ", "schema": { "type": "string", "default": "3007990" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3007203 (SSL required)", "schema": { "type": "string", "default": "3007203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3002203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/connect/session/logout": { "post": { "tags": [ "Authorization Server APIs" ], "description": "The resource owner deletes his active session on the OAuth server.", "operationId": "Create_resource_owner_logout_", "parameters": [ { "name": "mag-identifier", "in": "header", "required": false, "description": "[MAG]: mobile clients MUST use this header. It must represent a valid registered device.", "schema": { "type": "string" } }, { "name": "logout_apps", "in": "query", "required": false, "description": "[MAG]: mobile clients MAY use this parameter to invalidate all related oauth token.", "schema": { "type": "string", "default": "true" } }, { "name": "authorization", "in": "header", "required": true, "description": "The HTTP basic authorization header containing the client credentials as base64 encoded string (authorization: Basic base64(client_id:client_secret)).", "schema": { "type": "string" } }, { "name": "id_token", "in": "query", "required": true, "description": "The id_token that represents the authenticated user.\r\n[MAG]: Mobile clients may omit this parameter; mag-identifier will be used instead.", "schema": { "type": "string" } }, { "name": "id_token_type", "in": "query", "required": false, "description": "The id_token_type to be invalidated. Currently ignored.", "schema": { "type": "string", "default": "urn:ietf:params:oauth:grant-type:jwt-bearer" } } ], "responses": { "200": { "description": "Resource owner successfully logged out", "content": { "application/json": { "schema": { "type": "object", "properties": { "session_status": { "type": "string", "example": "logged out" } } } } } }, "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, POST", "schema": { "type": "string", "default": "POST" } } } }, "400": { "description": "Bad Request", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3006103 (missing or duplicate parameters), 3006107 (mag-identifier invalid), 3006134 (request did not match CORS requirements) ", "schema": { "type": "string", "default": "3006103" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "The client could not be authenticated.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3006201 (client credentials invalid)", "schema": { "type": "string", "default": "3006201" } }, "WWW-Authenticate": { "description": "This header is required by RFC 7235 if an authentication scheme has been used. It contains the used authentication scheme and an error message.", "schema": { "type": "string" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3006203 (SSL required)", "schema": { "type": "string", "default": "3004203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "Unknown error.", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3006000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } } } }, "/.well-known/openid-configuration": { "options": { "tags": [ "Authorization Server APIs" ], "operationId": "Options_getOpenIDDiscovery", "description": "CORS preflight request", "parameters": [ { "name": "Access-Control-Request-Headers", "in": "header", "required": true, "description": "The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Access-Control-Request-Method", "in": "header", "required": true, "description": "The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Origin", "in": "header", "required": true, "description": "The Origin request header indicates where a fetch originates from.", "schema": { "type": "string" } } ], "responses": { "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, GET", "schema": { "type": "string", "default": "GET" } } } }, "400": { "description": "Bad request", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3008134 (request did not match CORS requirements)", "schema": { "type": "string", "default": "3008134" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect Discovery endpoint" }, "get": { "tags": [ "Authorization Server APIs" ], "operationId": "Get_OpenIDDiscovery", "responses": { "200": { "description": "OpenID Discovery Configuration", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/OpenIDDiscovery" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3008203 (SSL required)", "schema": { "type": "string", "default": "3008203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "GET" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "unknown error", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3008000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect Discovery endpoint", "description": "This endpoint follows the specification defined at http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. It provides a mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations." } }, "/openid/connect/register": { "options": { "tags": [ "Authorization Server APIs" ], "operationId": "Options_oidc_register", "description": "CORS preflight request", "parameters": [ { "name": "Access-Control-Request-Headers", "in": "header", "required": true, "description": "The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Access-Control-Request-Method", "in": "header", "required": true, "description": "The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Origin", "in": "header", "required": true, "description": "The Origin request header indicates where a fetch originates from.", "schema": { "type": "string" } } ], "responses": { "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, POST", "schema": { "type": "string", "default": "POST" } } } }, "400": { "description": "Bad request", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3009134 (request did not match CORS requirements), 3009305 (jwks and jwks_uri must not be used together)", "schema": { "type": "string", "default": "3009134" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect Dynamic Registration Configuration endpoint" }, "post": { "tags": [ "Authorization Server APIs" ], "description": "This endpoint follows the specification defined at http://openid.net/specs/openid-connect-registration-1_0.html. It enables a client to dynamically register itself as an OAuth 2.0 client.", "operationId": "Post_oidc_register", "responses": { "201": { "description": "Successful registration including details about the registered values.", "content": { "application/json": { "schema": { "type": "object", "properties": { "client_id": { "type": "string", "example": "47231c87-74f3-4990-99ad-31e8a801e3b5", "description": "The registered client_id" }, "client_secret_expires_at": { "type": "integer", "example": 0, "description": "The timestamp in seconds indicating the time of expiration for this value. 0 indicates no expiration" }, "client_secret": { "type": "string", "example": "e4cccd81-1d19-41e7-b4b0-488aa28af77b", "description": "The registered client_secret" }, "registration_access_token": { "type": "string", "example": "db4b7554-e359-43ed-bbf6-1a50909ceeef", "description": "An access_token to be used at {registration_client_uri} to retrieve the registered information" }, "registration_client_uri": { "type": "string", "example": "https://mas.ca.com:8443/openid/connect/register/47231c87-74f3-4990-99ad-31e8a801e3b5", "description": "The URI to retrieved the registered values" }, "client_id_issued_at": { "type": "integer", "example": 1497455914, "description": "The timestamp in seconds indicating the time of registration" }, "token_endpoint_auth_method": { "type": "string", "example": "client_secret_basic", "description": "The requested client authentication method for the token endpoint. Supports: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, none" }, "application_type": { "type": "string", "example": "web", "description": "The kind of application" }, "redirect_uris": { "type": "array", "items": { "type": "string" }, "example": [ "https://client.example.org/callback", "https://client.example.org/callback2" ], "description": "The array of redirection URI values used by this client" }, "client_name": { "type": "string", "example": "https://whatever.com", "description": "The name of the client to be presented to the end-user" }, "subject_type": { "type": "string", "example": "pairwise", "description": "The subject type requested for responses to this client" }, "contacts": { "type": "array", "items": { "type": "string" }, "example": [ "[email protected]", "[email protected]" ], "description": "The array of e-mail addresses of people responsible for this client" }, "response_types": { "type": "array", "items": { "type": "string" }, "example": [ "code", "token_id_token" ], "description": "The array containing a list of the OAuth 2.0 response_type values that this client is declaring that it will restrict itself to using" }, "grant_types": { "type": "array", "items": { "type": "string" }, "example": [ "authorization_code", "implicit" ], "description": "The array containing a list of the OAuth 2.0 grant types that this client is declaring that it will restrict itself to using" }, "id_token_signed_response_alg": { "type": "string", "example": "RS256", "description": "The algorithm requried for signing the ID token issued to this client" }, "environment": { "type": "string", "example": "ALL", "description": "The development environment of the client e.g., IOS" }, "organization": { "type": "string", "example": "https://organization.com", "description": "The organization of the requestor" }, "master": { "type": "boolean", "example": false, "description": "The value identifies the client as being used as a master-key" }, "description": { "type": "string", "example": "Registered via OpenID Connect Dynamic Registration", "description": "A description for this client" }, "scope": { "type": "string", "example": "openid email profile openid_client_registration", "description": "A custom scope" } } } } } }, "400": { "description": "Missing or invalid parameters.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3009114 (invalid or missing redirect_uri(s)), 3009133 (invalid json)", "schema": { "type": "string", "default": "3009114" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3009203 (SSL required)", "schema": { "type": "string", "default": "3009203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "POST" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "429": { "description": "Too many requests", "headers": { "x-ca-err": { "description": "3009111 (too many requests)", "schema": { "type": "string", "default": "3009111" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "unknown error", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3009000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect Dynamic Registration endpoint", "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "redirect_uris": { "type": "array", "items": { "type": "string" }, "example": [ "https://client.example.org/callback", "https://client.example.org/callback2" ] }, "response_types": { "type": "array", "items": { "type": "string" }, "example": [ "code", "token_id_token" ] }, "grant_types": { "type": "array", "items": { "type": "string" }, "example": [ "authorization_code", "implicit" ] }, "application_type": { "type": "string", "example": "web" }, "contacts": { "type": "array", "items": { "type": "string" }, "example": [ "[email protected]", "[email protected]" ] }, "client_name": { "type": "string", "example": "https://whatever.com" }, "subject_type": { "type": "string", "example": "pairwise" }, "id_token_signed_response_alg": { "type": "string", "example": "RS256" }, "token_endpoint_auth_method": { "type": "string", "example": "client_secret_basic" }, "scope": { "type": "string", "example": "openid email profile openid_client_registration" }, "organization": { "type": "string", "example": "https://organization.com" }, "description": { "type": "string", "example": "Registered via OpenID Connect Dynamic Registration" }, "environment": { "type": "string", "example": "ALL" }, "master": { "type": "boolean", "example": false } } } } }, "description": "Request body", "required": true } } }, "/openid/connect/register/{client_id}": { "options": { "tags": [ "Authorization Server APIs" ], "operationId": "Options_oidc_register_config", "description": "CORS preflight request", "parameters": [ { "name": "Access-Control-Request-Headers", "in": "header", "required": true, "description": "The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Access-Control-Request-Method", "in": "header", "required": true, "description": "The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Origin", "in": "header", "required": true, "description": "The Origin request header indicates where a fetch originates from.", "schema": { "type": "string" } }, { "in": "path", "name": "client_id", "description": "client_id that was returned in the client registration response", "required": true, "schema": { "type": "string" } } ], "responses": { "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, GET", "schema": { "type": "string", "default": "GET" } } } }, "400": { "description": "Bad request", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3009134 (request did not match CORS requirements)", "schema": { "type": "string", "default": "3009134" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect Dynamic Registration Configuration endpoint" }, "get": { "tags": [ "Authorization Server APIs" ], "description": "This endpoint follows the specification defined at http://openid.net/specs/openid-connect-registration-1_0.html. It implements the 'registration_client_uri'.", "operationId": "Get_oidc_register_config", "parameters": [ { "in": "header", "name": "authorization", "description": "MUST be 'Bearer the-access_token'. The access_token was issued as part of the client registration and is SCOPE'd to 'openid_client_registration'", "required": true, "schema": { "type": "string" } }, { "in": "path", "name": "client_id", "description": "client_id that was returned in the client registration response", "required": true, "schema": { "type": "string" } } ], "responses": { "200": { "description": "Successful response including details about the client registration. Additional details may also be included", "content": { "application/json": { "schema": { "type": "object", "properties": { "client_id": { "type": "string", "example": "47231c87-74f3-4990-99ad-31e8a801e3b5", "description": "The registered client_id" }, "client_secret_expires_at": { "type": "integer", "example": 0, "description": "The timestamp in seconds indicating the time of expiration for this value. 0 indicates no expiration" }, "client_secret": { "type": "string", "example": "e4cccd81-1d19-41e7-b4b0-488aa28af77b", "description": "The registered client_secret" }, "registration_client_uri": { "type": "string", "example": "https://mas.ca.com:8443/openid/connect/register/47231c87-74f3-4990-99ad-31e8a801e3b5", "description": "The URI to retrieved the registered values" }, "client_id_issued_at": { "type": "integer", "example": 1497455914, "description": "The timestamp in seconds indicating the time of registration" }, "token_endpoint_auth_method": { "type": "string", "example": "client_secret_basic", "description": "The requested client authentication method for the token endpoint. Supports: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, none" }, "application_type": { "type": "string", "example": "web", "description": "The kind of application" }, "redirect_uris": { "type": "array", "items": { "type": "string" }, "example": [ "https://client.example.org/callback", "https://client.example.org/callback2" ], "description": "The array of redirection URI values used by this client" }, "client_name": { "type": "string", "example": "https://whatever.com", "description": "The name of the client to be presented to the end-user" }, "subject_type": { "type": "string", "example": "pairwise", "description": "The subject type requested for responses to this client" }, "contacts": { "type": "array", "items": { "type": "string" }, "example": [ "[email protected]", "[email protected]" ], "description": "The array of e-mail addresses of people responsible for this client" }, "response_types": { "type": "array", "items": { "type": "string" }, "example": [ "code", "token_id_token" ], "description": "The array containing a list of the OAuth 2.0 response_type values that this client is declaring that it will restrict itself to using" }, "grant_types": { "type": "array", "items": { "type": "string" }, "example": [ "authorization_code", "implicit" ], "description": "The array containing a list of the OAuth 2.0 grant types that this client is declaring that it will restrict itself to using" }, "id_token_signed_response_alg": { "type": "string", "example": "RS256", "description": "The algorithm requried for signing the ID token issued to this client" }, "environment": { "type": "string", "example": "ALL", "description": "The development environment of the client e.g., IOS" }, "organization": { "type": "string", "example": "https://organization.com", "description": "The organization of the requestor" }, "master": { "type": "boolean", "example": false, "description": "The value identifies the client as being used as a master-key" }, "description": { "type": "string", "example": "Registered via OpenID Connect Dynamic Registration", "description": "A description for this client" }, "scope": { "type": "string", "example": "openid email profile openid_client_registration", "description": "A custom scope" } } } } } }, "400": { "description": "Missing or invalid parameters.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3009117 (unauthorized client)", "schema": { "type": "string", "default": "3009117" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "401": { "description": "Authentication - Authorization.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3009201 (unknown client), 3009990 - 3009993 (invalid access_token)", "schema": { "type": "string", "default": "3009201" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3009203 (SSL required)", "schema": { "type": "string", "default": "3009203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "GET" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "unknown error", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3009000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect Dynamic Registration Configuration endpoint" } }, "/openid/connect/jwks.json": { "options": { "tags": [ "Authorization Server APIs" ], "operationId": "Options_jwk_set_", "description": "CORS preflight request", "parameters": [ { "name": "Access-Control-Request-Headers", "in": "header", "required": true, "description": "The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Access-Control-Request-Method", "in": "header", "required": true, "description": "The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.", "schema": { "type": "string" } }, { "name": "Origin", "in": "header", "required": true, "description": "The Origin request header indicates where a fetch originates from.", "schema": { "type": "string" } } ], "responses": { "204": { "description": "No Content, applicable to OPTIONS request with preflight configuration", "headers": { "Access-Control-Allow-Methods": { "description": "Allowable Methods, GET", "schema": { "type": "string", "default": "GET" } } } }, "400": { "description": "Bad request", "headers": { "x-ca-err": { "description": "Custom error extension, possible values: 3010134 (request did not match CORS requirements)", "schema": { "type": "string", "default": "3010134" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect jwks endpoint" }, "get": { "tags": [ "Authorization Server APIs" ], "operationId": "Get_jwk_set_", "description": "This endpoint implements the JWKS_URI as specified at http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata", "responses": { "200": { "description": "JWK set containing public keys that enable clients to validate a JSON Web Token (JWT) issued by this OpenID Connect Provider", "content": { "application/json": { "schema": { "type": "object", "properties": { "keys": { "type": "array", "items": { "type": "string" }, "example": [ { "kty": "RSA", "kid": "default_ssl_key", "use": "sig", "n": "58BezRBeYOM3rOo1vcllcLc8QAwz6AmQj4EvGUqATMUz4bfYJ9Lf2wb9xCQhSLSkndfFAF5V754G0mRelBGK7yIja-M-EBXoJeT3nvwA46g7MkZGf11uP2dz2k4CkLdFHnlGzvuLQVBQpqbz-O_hFfEDxBk9zV4shR8O_iGv4fDi0dNHZfXzxkr_iH8Oj2qQeZFvv61I4RffeNmx04lYea2KFsF_8rWDlENWAr8RbqpY_y5lbxgC_xyBunTkoIEommqz55ZFIcklYerJUVSeIA90KMyM60wZh0JF_T5kuXEs-3AWh8Bkx-sVE2hu5S5x4_lADsPojLwWTT7or_sw9Q", "e": "AQAB" } ], "description": "JWK set in JSON array format" } } } } } }, "403": { "description": "Forbidden.", "headers": { "x-ca-err": { "description": "Custom error extension. Possible values: 3010203 (SSL required)", "schema": { "type": "string", "default": "3010203" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "405": { "description": "The HTTP method is not valid", "headers": { "Allow": { "description": "This header is required by RFC 2616 and contains a comma separated list of valid HTTP methods.", "schema": { "type": "string", "default": "GET" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } }, "500": { "description": "unknown error", "headers": { "x-ca-err": { "description": "Custom error extension", "schema": { "type": "string", "default": "3010000" } }, "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } } } }, "summary": "OpenID Connect jwks endpoint" } } }, "servers": [ { "url": "https://${request.url.host}:${request.url.port}/", "variables": { "request.url.host": { "default": "unknown" }, "request.url.port": { "default": "unknown" } } } ], "components": { "responses": { "export200": { "description": "A JSON message including details about a client in order to configure it. The client_secret may or may not be included depending on the OAuth server configuration.", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ExportData" } } } }, "auth302": { "description": "Will contain either: A success response including the redirect location header to the server that handles the authentication. The redirect parameter 'sessionData's structure looks like the model schema shown OR 'invalid mag-identifier' OR 'invalid scope' OR 'unsupported response type' OR 'unauthorized client'. The non-successful conditions may include redirect query params as follows: 'error', string with default value: invalid_request 'error_description', string with description of error 'state', string with no default value. It is opaque to the server and returned as received. 'x-ca-err', string with default 3000108", "headers": { "location": { "description": "Location (URL) includes these required parameters: action=(display or login depending on 'prompt' and 'id_token_hint') and sessionID and sessionData (a JWT containing a JSON message holding session data)", "schema": { "type": "string" } }, "Pragma": { "description": "Pragma directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache control directive", "schema": { "type": "string", "default": "no-store" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SessionData" } } } }, "authToken200": { "description": "A success response that includes the issued token, expire and other details from the OAuth Server", "headers": { "Pragma": { "description": "Pragma browser directive", "schema": { "type": "string", "default": "no-cache" } }, "Cache-Control": { "description": "Cache-Control browser directive", "schema": { "type": "string", "default": "no-store" } } }, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TokenData" } } } } }, "securitySchemes": { "OAuth2": { "type": "oauth2", "flows": { "implicit": { "authorizationUrl": "${host_oauth2_auth_server}${oauth2_auth_path}", "scopes": { "openid": "For access to OpenId endpoints", "email": "Example data access", "profile": "Example data access", "phone": "Example data access", "address": "Example data access" } } } } }, "schemas": { "TokenData": { "type": "object", "properties": { "access_token": { "type": "string", "description": "The Access Token for the given token request" }, "token_type": { "type": "string", "description": "The Token Type issued", "example": "Bearer" }, "expires_in": { "type": "string", "description": "The expiry time, in seconds", "example": "3600" }, "refresh_token": { "type": "string", "description": "The refresh token, if applicable" }, "scope": { "type": "string", "description": "The issued scope", "example": "oob" }, "id_token": { "type": "string", "description": "If the requested SCOPE included 'msso' or 'openid', response includes an id_token" }, "id_token_type": { "type": "string", "description": "If the requested SCOPE included 'msso' or 'openid', response includes an id_token_type" } }, "title": "TokenData" }, "SessionData": { "required": [ "session", "request_consent", "request_parameters" ], "type": "object", "properties": { "session": { "$ref": "#/components/schemas/SessionObject" }, "request_consent": { "$ref": "#/components/schemas/RequestConsentObject" }, "request_parameters": { "$ref": "#/components/schemas/RequestParametersObject" } }, "title": "ServiceProviderConfigurationData" }, "ExportData": { "type": "object", "properties": { "server": { "$ref": "#/components/schemas/ServerObject" }, "oauth": { "$ref": "#/components/schemas/OAuthObject" }, "custom": { "$ref": "#/components/schemas/CustomObject" } }, "title": "ExportData" }, "CustomObject": { "type": "object", "properties": { "mag_demo_products_endpoint_path": { "type": "string", "description": "MAG API demo endpoint", "example": "/protected/resource/products" }, "oauth_demo_protected_api_endpoint_path": { "type": "string", "description": "OAuth API demo endpoint", "example": "/oauth/v2/protectedapi/foo" } }, "title": "CustomObject" }, "ServerObject": { "type": "object", "properties": { "hostname": { "type": "string", "description": "The hostname of the server" }, "port": { "type": "string", "description": "The port of the server" }, "prefix": { "type": "string", "description": "URL prefix", "example": "/urlprefix" }, "server_certs": { "type": "string", "description": "The server certificate(s)" } }, "title": "ServerObject" }, "OAuthObject": { "type": "object", "properties": { "client": { "$ref": "#/components/schemas/ClientObject" }, "system_endpoints": { "$ref": "#/components/schemas/SystemEndpointsObject" }, "oauth_protected_endpoints": { "$ref": "#/components/schemas/OAuthProtectedEndpointsObject" } }, "title": "OAuthObject" }, "SystemEndpointsObject": { "type": "object", "properties": { "authorization_endpoint_path": { "type": "string", "description": "Authorization endpoint", "example": "/auth/oauth/v2/authorize" }, "token_endpoint_path": { "type": "string", "description": "Token endpoint", "example": "/auth/oauth/v2/token" }, "token_revocation_endpoint_path": { "type": "string", "description": "Token revocation endpoint", "example": "/auth/oauth/v2/token/revoke" }, "usersession_logout_endpoint_path": { "type": "string", "description": "User logout endpoint", "example": "/connect/session/logout" } }, "title": "SystemEndpointsObject" }, "OAuthProtectedEndpointsObject": { "type": "object", "properties": { "userinfo_endpoint_path": { "type": "string", "description": "UserInfo endpoint", "example": "/openid/connect/v1/userinfo" }, "usersession_status_endpoint_path": { "type": "string", "description": "User Session status endpoint", "example": "/connect/session/status" } }, "title": "OAuthProtectedEndpointsObject" }, "ClientObject": { "type": "object", "properties": { "organization": { "type": "string", "description": "A session ID, matching the sessionID" }, "description": { "type": "string", "description": "expiry" }, "client_name": { "type": "string", "description": "current_username" }, "client_type": { "type": "string", "description": "current_user_consent" }, "registered_by": { "type": "string", "description": "current_user_role" }, "client_ids": { "type": "array", "items": { "$ref": "#/components/schemas/ClientIdObject" } } }, "title": "ClientObject" }, "ClientIdObject": { "type": "object", "properties": { "client_id": { "type": "string", "description": "A client id", "example": "84695 ... b39770c3d" }, "client_secret": { "type": "string", "description": "A client secret", "example": "abcde ... ldjjakkC" }, "scope": { "type": "string", "description": "The scopes available for the client", "example": "openid email profile" }, "redirect_uri": { "type": "string", "description": "The registered redirect_uri for the client", "example": "https://example.com/client/consent?state=23n23n...13k1j4" }, "environment": { "type": "string", "description": "", "example": "ALL" }, "status": { "type": "string", "description": "", "example": "ENABLED" }, "registered_by": { "type": "string", "description": "The id of the entity that registered the client" } }, "title": "ClientIdObject" }, "SessionObject": { "type": "object", "properties": { "sessionID": { "type": "string", "description": "A session ID, matching the sessionID" }, "exp": { "type": "string", "description": "expiry" }, "current_username": { "type": "string", "description": "current_username" }, "current_user_consent": { "type": "string", "description": "current_user_consent" }, "current_user_role": { "type": "string", "description": "current_user_role" }, "current_user_acr": { "type": "string", "description": "current_user_acr" }, "current_user_authTime": { "type": "string", "description": "current_user_authTime" }, "salt": { "type": "string", "description": "salt" }, "third_party_sso_token": { "type": "string", "description": "third_party_sso_token" }, "third_party_sso_token_type": { "type": "string", "description": "third_party_sso_token_type" } }, "title": "SessionObject" }, "RequestConsentObject": { "type": "object", "properties": { "client_name": { "type": "string", "description": "Client Name" }, "scope_verified": { "type": "string", "description": "Valid scope for this client" } }, "title": "RequestConsentObject" }, "RequestParametersObject": { "type": "object", "properties": { "display": { "type": "string", "description": "Display Value" }, "prompt": { "type": "string", "description": "Prompt Value" }, "id_token_hint": { "type": "string", "description": "Id Token For Authenticated User" }, "acr_values": { "type": "string", "description": "A List of ACR Values" }, "client_id": { "type": "string", "description": "A Client ID" }, "nonce": { "type": "string", "description": "A nonce" }, "scope": { "type": "string", "description": "Requested Scope" } }, "title": "RequestParametersObject" }, "OpenIDDiscovery": { "required": [ "authorization_endpoint", "id_token_signing_alg_values_supported", "issuer", "jwks_uri", "response_types_supported", "subject_types_supported", "token_endpoint" ], "type": "object", "properties": { "userinfo_endpoint": { "type": "string", "example": "https://example.com:8443/openid/connect/v1/userinfo", "description": "URL of the user info endpoint" }, "jwks_uri": { "type": "string", "example": "https://example.com/openid/connect/jwks.json", "description": "URL of JSON Web Key Set document" }, "scopes_supported": { "items": { "type": "string" }, "type": "array", "example": [ "openid" ], "description": "list of the OAuth 2.0 scope values that this server supports" }, "subject_types_supported": { "items": { "type": "string" }, "type": "array", "example": [ "pairwise" ], "description": "list of the Subject Identifier types that this OP supports" }, "token_endpoint": { "type": "string", "example": "https://example.com:8443/auth/oauth/v2/token", "description": "URL of the OAuth 2.0 token endpoint" }, "id_token_signing_alg_values_supported": { "items": { "type": "string" }, "type": "array", "example": [ "RS256", "HS256" ], "description": "list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT" }, "response_types_supported": { "items": { "type": "string" }, "type": "array", "example": [ "code", "token_id_token" ], "description": "ist of the OAuth 2.0 response_type values that this OP supports" }, "claims_supported": { "items": { "type": "string" }, "type": "array", "example": [ "sub", "iss", "auth_time", "acr" ], "description": "list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for" }, "authorization_endpoint": { "type": "string", "example": "https://example.com:8443/auth/oauth/v2/authorize", "description": "URL of the OAuth 2.0 authorization endpoint" }, "issuer": { "type": "string", "example": "https://example.com", "description": "the identifier of the token's issuer. This is identical to the 'iss' Claim value in ID Tokens" }, "grant_types_supported": { "items": { "type": "string" }, "type": "array", "example": [ "authorization_code", "implicit" ], "description": "list of the OAuth 2.0 Grant Type values that this OP supports" }, "acr_values_supported": { "items": { "type": "string" }, "type": "array", "example": [ "urn:mace:incommon:iap:silver" ], "description": "list of the Authentication Context Class References that this OP supports" }, "token_endpoint_auth_methods_supported": { "items": { "type": "string" }, "type": "array", "example": [ "client_secret_basic" ], "description": "list of Client Authentication methods supported by this Token Endpoint" }, "token_endpoint_auth_signing_alg_values_supported": { "items": { "type": "string" }, "type": "array", "example": [ "RS256" ], "description": "list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used." }, "display_values_supported": { "items": { "type": "string" }, "type": "array", "example": [ "page", "popup" ], "description": "list of the display parameter values that the OpenID Provider supports" }, "claim_types_supported": { "items": { "type": "string" }, "type": "array", "example": [ "normal" ], "description": "list of the Claim Types that the OpenID Provider supports" }, "service_documentation": { "type": "string", "example": "http://masdemo12.dev.ca.com:8443/openid/connect/v1/service_documentation.html", "description": "URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider" }, "ui_locales_supported": { "items": { "type": "string" }, "type": "array", "example": [ "en-US", "en-GB" ], "description": "Languages and scripts supported for the user interface" } }, "description": "The OpenID configuration document as defined by the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata" } } } }