Documentation
Index ¶
- type Client
- func (c *Client) BeforeSave(_ *pop.Connection) error
- func (c *Client) GetAudience() fosite.Arguments
- func (c *Client) GetGrantTypes() fosite.Arguments
- func (c *Client) GetHashedSecret() []byte
- func (c *Client) GetID() string
- func (c *Client) GetJSONWebKeys() *jose.JSONWebKeySet
- func (c *Client) GetJSONWebKeysURI() string
- func (c *Client) GetOwner() string
- func (c *Client) GetRedirectURIs() []string
- func (c *Client) GetRequestObjectSigningAlgorithm() string
- func (c *Client) GetRequestURIs() []string
- func (c *Client) GetResponseModes() []fosite.ResponseModeType
- func (c *Client) GetResponseTypes() fosite.Arguments
- func (c *Client) GetScopes() fosite.Arguments
- func (c *Client) GetTokenEndpointAuthMethod() string
- func (c *Client) GetTokenEndpointAuthSigningAlgorithm() string
- func (c *Client) IsPublic() bool
- func (Client) TableName() string
- type ConsentRequest
- type ConsentRequestSessionData
- type CreateRequest
- type FlushInactiveOAuth2TokensRequest
- type HandledConsentRequest
- type HandledLoginRequest
- type Introspection
- type JSONWebKey
- type LoginRequest
- type LoginSession
- type LogoutRequest
- type LogoutResult
- type OpenIDConnectContext
- type PreviousConsentSession
- type RequestDeniedError
- type RequestHandlerResponse
- type RequestWasHandledResponse
- type WellKnown
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct {
	// ID is the internal primary key of the row; it is never serialized to JSON (json:"-").
	ID int64 `json:"-" db:"pk"`

	// OutfacingID is the id for this client as seen by the outside world; it is exposed as `client_id`.
	OutfacingID string `json:"client_id" db:"id"`

	// Name is the human-readable string name of the client to be presented to the
	// end-user during authorization.
	Name string `json:"client_name" db:"client_name"`

	// Secret is the client's secret. The secret will be included in the create request as cleartext, and then
	// never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users
	// that they need to write the secret down as it will not be made available again.
	// The `omitempty` tag drops the field from JSON output whenever it is empty.
	Secret string `json:"client_secret,omitempty" db:"client_secret"`

	// RedirectURIs is an array of allowed redirect urls for the client, for example http://mydomain/oauth/callback .
	RedirectURIs sqlxx.StringSlicePipeDelimiter `json:"redirect_uris" db:"redirect_uris"`

	// GrantTypes is an array of grant types the client is allowed to use.
	//
	// Pattern: client_credentials|authorization_code|implicit|refresh_token
	GrantTypes sqlxx.StringSlicePipeDelimiter `json:"grant_types" db:"grant_types"`

	// ResponseTypes is an array of the OAuth 2.0 response type strings that the client can
	// use at the authorization endpoint.
	//
	// Pattern: id_token|code|token
	ResponseTypes sqlxx.StringSlicePipeDelimiter `json:"response_types" db:"response_types"`

	// Scope is a string containing a space-separated list of scope values (as
	// described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
	// can use when requesting access tokens.
	//
	// Pattern: ([a-zA-Z0-9\.\*]+\s?)+
	Scope string `json:"scope" db:"scope"`

	// Audience is a whitelist defining the audiences this client is allowed to request tokens for. An audience limits
	// the applicability of an OAuth 2.0 Access Token to, for example, certain API endpoints. The value is a list
	// of URLs. URLs MUST NOT contain whitespaces.
	Audience sqlxx.StringSlicePipeDelimiter `json:"audience" db:"audience"`

	// Owner is a string identifying the owner of the OAuth 2.0 Client.
	Owner string `json:"owner" db:"owner"`

	// PolicyURI is a URL string that points to a human-readable privacy policy document
	// that describes how the deployment organization collects, uses,
	// retains, and discloses personal data.
	PolicyURI string `json:"policy_uri" db:"policy_uri"`

	// AllowedCORSOrigins are one or more URLs (scheme://host[:port]) which are allowed to make CORS requests
	// to the /oauth/token endpoint. If this array is empty, the server's CORS origin configuration (`CORS_ALLOWED_ORIGINS`)
	// will be used instead. If this array is set, the allowed origins are appended to the server's CORS origin configuration.
	// Be aware that environment variable `CORS_ENABLED` MUST be set to `true` for this to work.
	AllowedCORSOrigins sqlxx.StringSlicePipeDelimiter `json:"allowed_cors_origins" db:"allowed_cors_origins"`

	// TermsOfServiceURI is a URL string that points to a human-readable terms of service
	// document for the client that describes a contractual relationship
	// between the end-user and the client that the end-user accepts when
	// authorizing the client.
	TermsOfServiceURI string `json:"tos_uri" db:"tos_uri"`

	// ClientURI is a URL string of a web page providing information about the client.
	// If present, the server SHOULD display this URL to the end-user in
	// a clickable fashion.
	ClientURI string `json:"client_uri" db:"client_uri"`

	// LogoURI is a URL string that references a logo for the client.
	LogoURI string `json:"logo_uri" db:"logo_uri"`

	// Contacts is an array of strings representing ways to contact people responsible
	// for this client, typically email addresses.
	Contacts sqlxx.StringSlicePipeDelimiter `json:"contacts" db:"contacts"`

	// SecretExpiresAt is an integer holding the time at which the client
	// secret will expire or 0 if it will not expire. The time is
	// represented as the number of seconds from 1970-01-01T00:00:00Z as
	// measured in UTC until the date/time of expiration.
	//
	// This feature is currently not supported and its value will always
	// be set to 0.
	SecretExpiresAt int `json:"client_secret_expires_at" db:"client_secret_expires_at"`

	// SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a
	// list of the supported subject_type values for this server. Valid types include `pairwise` and `public`.
	SubjectType string `json:"subject_type" db:"subject_type"`

	// SectorIdentifierURI is a URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.
	// The URL references a file with a single JSON array of redirect_uri values.
	SectorIdentifierURI string `json:"sector_identifier_uri,omitempty" db:"sector_identifier_uri"`

	// JSONWebKeysURI is the URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the
	// Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY
	// also contain the Client's encryption key(s), which are used by the Server to encrypt responses to the Client.
	// When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all
	// keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same
	// key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK
	// x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values
	// MUST still be present and MUST match those in the certificate.
	JSONWebKeysURI string `json:"jwks_uri,omitempty" db:"jwks_uri"`

	// JSONWebKeys is the Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks
	// parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than
	// by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use
	// the jwks_uri parameter, for instance, by native applications that might not have a location to host the
	// contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks
	// is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect
	// Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together.
	//
	// NOTE(review): nothing on this type enforces the mutual exclusion with JSONWebKeysURI; presumably a
	// validation step (BeforeSave or the create handler) does — confirm.
	JSONWebKeys *helpers.JoseJSONWebKeySet `json:"jwks,omitempty" db:"jwks"`

	// TokenEndpointAuthMethod is the requested Client Authentication method for the Token Endpoint. The options are
	// client_secret_post, client_secret_basic, private_key_jwt, and none.
	TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty" db:"token_endpoint_auth_method"`

	// TokenEndpointAuthSigningAlgorithm is the requested Client Authentication signing algorithm for the Token Endpoint.
	TokenEndpointAuthSigningAlgorithm string `json:"token_endpoint_auth_signing_alg,omitempty" db:"token_endpoint_auth_signing_alg"`

	// RequestURIs is an array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY
	// cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a
	// request. OPs can require that request_uri values used be pre-registered with the
	// require_request_uri_registration discovery parameter.
	RequestURIs sqlxx.StringSlicePipeDelimiter `json:"request_uris,omitempty" db:"request_uris"`

	// RequestObjectSigningAlgorithm is the JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects
	// sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm.
	RequestObjectSigningAlgorithm string `json:"request_object_signing_alg,omitempty" db:"request_object_signing_alg"`

	// UserinfoSignedResponseAlg is the JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is
	// specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for
	// the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json
	// content-type.
	UserinfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty" db:"userinfo_signed_response_alg"`

	// CreatedAt is the timestamp of the client's creation.
	CreatedAt time.Time `json:"created_at,omitempty" db:"created_at"`

	// UpdatedAt is the timestamp of the last update.
	UpdatedAt time.Time `json:"updated_at,omitempty" db:"updated_at"`

	// FrontChannelLogoutURI is the RP URL that will cause the RP to log itself out when rendered in an iframe by
	// the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to
	// enable the RP to validate the request and to determine which of the potentially multiple sessions is to be
	// logged out; if either is included, both MUST be.
	FrontChannelLogoutURI string `json:"frontchannel_logout_uri,omitempty" db:"frontchannel_logout_uri"`

	// FrontChannelLogoutSessionRequired is a boolean value specifying whether the RP requires that iss (issuer) and
	// sid (session ID) query parameters be included to identify the RP session with the OP when the
	// frontchannel_logout_uri is used. If omitted, the default value is false.
	FrontChannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required,omitempty" db:"frontchannel_logout_session_required"`

	// PostLogoutRedirectURIs is an array of URLs supplied by the RP to which it MAY request that the End-User's
	// User Agent be redirected using the post_logout_redirect_uri parameter after a logout has been performed.
	PostLogoutRedirectURIs sqlxx.StringSlicePipeDelimiter `json:"post_logout_redirect_uris,omitempty" db:"post_logout_redirect_uris"`

	// BackChannelLogoutURI is the RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
	BackChannelLogoutURI string `json:"backchannel_logout_uri,omitempty" db:"backchannel_logout_uri"`

	// BackChannelLogoutSessionRequired is a boolean value specifying whether the RP requires that a sid (session ID)
	// Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri
	// is used. If omitted, the default value is false.
	BackChannelLogoutSessionRequired bool `json:"backchannel_logout_session_required,omitempty" db:"backchannel_logout_session_required"`

	// Metadata is arbitrary data, kept as raw JSON.
	Metadata sqlxx.JSONRawMessage `json:"metadata,omitempty" db:"metadata"`
}
Client represents an OAuth 2.0 Client.
swagger:model oAuth2Client
func (*Client) BeforeSave ¶
func (*Client) GetAudience ¶
func (*Client) GetGrantTypes ¶
func (*Client) GetHashedSecret ¶
func (*Client) GetJSONWebKeys ¶
func (c *Client) GetJSONWebKeys() *jose.JSONWebKeySet
func (*Client) GetJSONWebKeysURI ¶
func (*Client) GetRedirectURIs ¶
func (*Client) GetRequestObjectSigningAlgorithm ¶
func (*Client) GetRequestURIs ¶
func (*Client) GetResponseModes ¶
func (c *Client) GetResponseModes() []fosite.ResponseModeType
func (*Client) GetResponseTypes ¶
func (*Client) GetTokenEndpointAuthMethod ¶
func (*Client) GetTokenEndpointAuthSigningAlgorithm ¶
type ConsentRequest ¶
type ConsentRequest struct {
	// ID is the identifier ("authorization challenge") of the consent authorization request. It is used to
	// identify the session.
	//
	// required: true
	ID string `json:"challenge" db:"challenge"`

	// RequestedScope contains the OAuth 2.0 Scope requested by the OAuth 2.0 Client.
	RequestedScope sqlxx.StringSlicePipeDelimiter `json:"requested_scope" db:"requested_scope"`

	// RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
	RequestedAudience sqlxx.StringSlicePipeDelimiter `json:"requested_access_token_audience" db:"requested_at_audience"`

	// Skip, if true, implies that the client has requested the same scopes from the same user previously.
	// If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the
	// consent request using the usual API call.
	Skip bool `json:"skip" db:"skip"`

	// Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
	// requested by the OAuth 2.0 client.
	Subject string `json:"subject" db:"subject"`

	// OpenIDConnectContext provides context for the (potential) OpenID Connect context. Implementation of these
	// values in your app are optional but can be useful if you want to be fully compliant with the OpenID Connect spec.
	OpenIDConnectContext *OpenIDConnectContext `json:"oidc_context" db:"oidc_context"`

	// Client is the OAuth 2.0 Client that initiated the request. It is exposed over JSON but not persisted with
	// this row (db:"-"); the stored reference is ClientID.
	Client *Client `json:"client" db:"-"`

	// ClientID is the persisted reference to Client; it is not part of the JSON representation.
	ClientID string `json:"-" db:"client_id"`

	// RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
	// initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
	// might come in handy if you want to deal with additional request parameters.
	RequestURL string `json:"request_url" db:"request_url"`

	// LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate
	// a login and consent request in the login & consent app.
	LoginChallenge sqlxx.NullString `json:"login_challenge" db:"login_challenge"`

	// LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
	// this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
	// this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
	// channel logout. Its value can generally be used to associate consecutive login requests by a certain user.
	LoginSessionID sqlxx.NullString `json:"login_session_id" db:"login_session_id"`

	// ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
	// to express that, for example, a user authenticated using two factor authentication.
	ACR string `json:"acr" db:"acr"`

	// Context contains arbitrary information set by the login endpoint or is empty if not set.
	Context sqlxx.JSONRawMessage `json:"context,omitempty" db:"context"`

	// WasHandled, if set to true, means that the request was already handled. This
	// can happen on form double-submit or other errors. If this is set
	// we recommend redirecting the user to `request_url` to re-initiate
	// the flow.
	WasHandled bool `json:"-" db:"was_handled,r"`

	// ForceSubjectIdentifier is the value from authentication (if set).
	ForceSubjectIdentifier string `json:"-" db:"forced_subject_identifier"`

	// SubjectIdentifier is neither serialized nor persisted (json:"-" db:"-").
	// NOTE(review): presumably the effective subject identifier computed at runtime — confirm against the consent handler.
	SubjectIdentifier string `json:"-" db:"-"`

	// Verifier is persisted but never exposed over JSON (json:"-").
	// NOTE(review): looks like the one-time value used to complete the consent flow — confirm.
	Verifier string `json:"-" db:"verifier"`

	// CSRF is persisted but never exposed over JSON (json:"-").
	// NOTE(review): presumably the anti-CSRF token bound to this request — confirm.
	CSRF string `json:"-" db:"csrf"`

	// AuthenticatedAt is when the end-user authenticated; nullable, not exposed over JSON.
	AuthenticatedAt sqlxx.NullTime `json:"-" db:"authenticated_at"`

	// RequestedAt is when this consent request was created; not exposed over JSON.
	RequestedAt time.Time `json:"-" db:"requested_at"`
}
Contains information on an ongoing consent request.
swagger:model consentRequest
func (*ConsentRequest) AfterFind ¶
func (r *ConsentRequest) AfterFind(c *pop.Connection) error
func (*ConsentRequest) BeforeSave ¶
func (r *ConsentRequest) BeforeSave(_ *pop.Connection) error
func (*ConsentRequest) FindInDB ¶
func (r *ConsentRequest) FindInDB(c *pop.Connection, id string) error
func (ConsentRequest) TableName ¶
func (_ ConsentRequest) TableName() string
type ConsentRequestSessionData ¶
type ConsentRequestSessionData struct {
	// AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the
	// refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.
	// If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties
	// can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!
	AccessToken map[string]interface{} `json:"access_token"`

	// IDToken sets session data for the OpenID Connect ID token. Keep in mind that the ID Token's payload is readable
	// by anyone that has access to the ID Token. Use with care!
	IDToken map[string]interface{} `json:"id_token"`
}
Used to pass session data to a consent request.
swagger:model consentRequestSession
func NewConsentRequestSessionData ¶
func NewConsentRequestSessionData() *ConsentRequestSessionData
type CreateRequest ¶
type CreateRequest struct {
	// Algorithm is the algorithm to be used for creating the key. Supports "RS256", "ES512", "HS512", and "HS256".
	// required: true
	Algorithm string `json:"alg"`

	// Use is the "use" (public key use) parameter, which identifies the intended use of
	// the public key. The "use" parameter is employed to indicate whether
	// a public key is used for encrypting data or verifying the signature
	// on data. Valid values are "enc" and "sig".
	// required: true
	Use string `json:"use"`

	// KeyID is the kid of the key to be created.
	// required: true
	KeyID string `json:"kid"`
}
swagger:model jsonWebKeySetGeneratorRequest
type FlushInactiveOAuth2TokensRequest ¶
type FlushInactiveOAuth2TokensRequest struct {
	// NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history
	// of recently issued tokens for auditing.
	NotAfter time.Time `json:"notAfter"`
}
swagger:model flushInactiveOAuth2TokensRequest
type HandledConsentRequest ¶
type HandledConsentRequest struct {
	// ID is named ID instead of Challenge because of pop; it is not exposed over JSON.
	ID string `json:"-" db:"challenge"`

	// GrantedScope sets the scope the user authorized the client to use. Should be a subset of `requested_scope`.
	// Nothing on this type enforces the subset relation; the accepting side has to check it.
	GrantedScope sqlxx.StringSlicePipeDelimiter `json:"grant_scope" db:"granted_scope"`

	// GrantedAudience sets the audience the user authorized the client to use. Should be a subset of `requested_access_token_audience`.
	// As with GrantedScope, the subset relation is not enforced by this type.
	GrantedAudience sqlxx.StringSlicePipeDelimiter `json:"grant_access_token_audience" db:"granted_at_audience"`

	// Session allows you to set (optional) session data for access and ID tokens. It is not persisted on this row
	// (db:"-"); see SessionIDToken and SessionAccessToken for the stored form.
	Session *ConsentRequestSessionData `json:"session" db:"-"`

	// Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
	// client asks the same user for the same, or a subset of, scope.
	Remember bool `json:"remember" db:"remember"`

	// RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
	// authorization will be remembered indefinitely.
	RememberFor int `json:"remember_for" db:"remember_for"`

	// HandledAt contains the timestamp the consent request was handled.
	HandledAt sqlxx.NullTime `json:"handled_at" db:"handled_at"`

	// WasHandled, if set to true, means that the request was already handled. This
	// can happen on form double-submit or other errors. If this is set
	// we recommend redirecting the user to `request_url` to re-initiate
	// the flow.
	WasHandled bool `json:"-" db:"was_used"`

	// ConsentRequest is the request this answer belongs to; neither serialized nor persisted here.
	ConsentRequest *ConsentRequest `json:"-" db:"-"`

	// Error is set when the request was denied; persisted but not exposed over JSON.
	Error *RequestDeniedError `json:"-" db:"error"`

	// RequestedAt is when the underlying consent request was created.
	RequestedAt time.Time `json:"-" db:"requested_at"`

	// AuthenticatedAt is when the end-user authenticated; nullable.
	AuthenticatedAt sqlxx.NullTime `json:"-" db:"authenticated_at"`

	// SessionIDToken is the persisted form of Session.IDToken; not exposed over JSON.
	// NOTE(review): the copy between Session and these two fields presumably happens in BeforeSave/AfterFind — confirm.
	SessionIDToken sqlxx.MapStringInterface `db:"session_id_token" json:"-"`

	// SessionAccessToken is the persisted form of Session.AccessToken; not exposed over JSON.
	SessionAccessToken sqlxx.MapStringInterface `db:"session_access_token" json:"-"`
}
The request payload used to accept a consent request.
swagger:model acceptConsentRequest
func (*HandledConsentRequest) AfterFind ¶
func (r *HandledConsentRequest) AfterFind(c *pop.Connection) error
func (*HandledConsentRequest) AfterSave ¶
func (r *HandledConsentRequest) AfterSave(c *pop.Connection) error
func (*HandledConsentRequest) BeforeSave ¶
func (r *HandledConsentRequest) BeforeSave(_ *pop.Connection) error
func (*HandledConsentRequest) HasError ¶
func (r *HandledConsentRequest) HasError() bool
func (HandledConsentRequest) TableName ¶
func (_ HandledConsentRequest) TableName() string
type HandledLoginRequest ¶
type HandledLoginRequest struct {
	// ID is named ID instead of challenge for pop; it is not exposed over JSON.
	ID string `json:"-" db:"challenge"`

	// Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store
	// a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she
	// will not be asked to log in again.
	Remember bool `json:"remember" db:"remember"`

	// RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the
	// authorization will be remembered for the duration of the browser session (using a session cookie).
	RememberFor int `json:"remember_for" db:"remember_for"`

	// ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
	// to express that, for example, a user authenticated using two factor authentication.
	ACR string `json:"acr" db:"acr"`

	// Subject is the user ID of the end-user that authenticated.
	//
	// required: true
	Subject string `json:"subject" db:"subject"`

	// ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the
	// (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID
	// Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client.
	//
	// Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the
	// sub claim in the OAuth 2.0 Introspection.
	//
	// Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself
	// you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in
	// ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's
	// configuration).
	//
	// Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies
	// that you have to compute this value on every authentication process (probably depending on the client ID or some
	// other unique value).
	//
	// If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.
	ForceSubjectIdentifier string `json:"force_subject_identifier" db:"forced_subject_identifier"`

	// Context is an optional object which can hold arbitrary data. The data will be made available when fetching the
	// consent request under the "context" field. This is useful in scenarios where login and consent endpoints share
	// data.
	Context sqlxx.JSONRawMessage `json:"context" db:"context"`

	// WasHandled, if set to true, means that the request was already handled. This
	// can happen on form double-submit or other errors. If this is set
	// we recommend redirecting the user to `request_url` to re-initiate
	// the flow.
	WasHandled bool `json:"-" db:"was_used"`

	// LoginRequest is the request this answer belongs to; neither serialized nor persisted here.
	LoginRequest *LoginRequest `json:"-" db:"-"`

	// Error is set when the request was denied; persisted but not exposed over JSON.
	Error *RequestDeniedError `json:"-" db:"error"`

	// RequestedAt is when the underlying login request was created.
	RequestedAt time.Time `json:"-" db:"requested_at"`

	// AuthenticatedAt is when the end-user authenticated; nullable.
	AuthenticatedAt sqlxx.NullTime `json:"-" db:"authenticated_at"`
}
HandledLoginRequest is the request payload used to accept a login request.
swagger:model acceptLoginRequest
func (*HandledLoginRequest) AfterUpdate ¶
func (r *HandledLoginRequest) AfterUpdate(c *pop.Connection) error
func (*HandledLoginRequest) BeforeSave ¶
func (r *HandledLoginRequest) BeforeSave(_ *pop.Connection) error
func (*HandledLoginRequest) HasError ¶
func (r *HandledLoginRequest) HasError() bool
func (HandledLoginRequest) TableName ¶
func (_ HandledLoginRequest) TableName() string
type Introspection ¶
type Introspection struct {
	// Active is a boolean indicator of whether or not the presented token
	// is currently active. The specifics of a token's "active" state
	// will vary depending on the implementation of the authorization
	// server and the information it keeps about its tokens, but a "true"
	// value return for the "active" property will generally indicate
	// that a given token has been issued by this authorization server,
	// has not been revoked by the resource owner, and is within its
	// given time window of validity (e.g., after its issuance time and
	// before its expiration time). Consumers should check this field
	// before relying on any of the other claims.
	//
	// required: true
	Active bool `json:"active"`

	// Scope is a JSON string containing a space-separated list of
	// scopes associated with this token.
	Scope string `json:"scope,omitempty"`

	// ClientID is the client identifier for the OAuth 2.0 client that
	// requested this token.
	ClientID string `json:"client_id"`

	// Subject of the token, as defined in JWT [RFC7519].
	// Usually a machine-readable identifier of the resource owner who
	// authorized this token.
	Subject string `json:"sub"`

	// ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
	// It is the `sub` value of the ID Token that was issued.
	ObfuscatedSubject string `json:"obfuscated_subject,omitempty"`

	// ExpiresAt is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token will expire.
	ExpiresAt int64 `json:"exp"`

	// IssuedAt is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token was
	// originally issued.
	IssuedAt int64 `json:"iat"`

	// NotBefore is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token is not to be
	// used before.
	NotBefore int64 `json:"nbf"`

	// Username is a human-readable identifier for the resource owner who
	// authorized this token.
	Username string `json:"username,omitempty"`

	// Audience contains a list of the token's intended audiences.
	Audience []string `json:"aud"`

	// Issuer is a string representing the issuer of this token.
	Issuer string `json:"iss"`

	// TokenType is the introspected token's type, typically `Bearer`.
	TokenType string `json:"token_type"`

	// TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.
	TokenUse string `json:"token_use"`

	// Extra is arbitrary data set by the session.
	Extra map[string]interface{} `json:"ext,omitempty"`
}
Introspection contains an access token's session data as specified by IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662
swagger:model oAuth2TokenIntrospection
type JSONWebKey ¶
type JSONWebKey struct {
	// Use ("public key use") identifies the intended use of
	// the public key. The "use" parameter is employed to indicate whether
	// a public key is used for encrypting data or verifying the signature
	// on data. Values are commonly "sig" (signature) or "enc" (encryption).
	//
	// required: true
	// example: sig
	Use string `json:"use,omitempty"`

	// Kty is the "kty" (key type) parameter, which identifies the cryptographic algorithm
	// family used with the key, such as "RSA" or "EC". "kty" values should
	// either be registered in the IANA "JSON Web Key Types" registry
	// established by [JWA] or be a value that contains a Collision-
	// Resistant Name. The "kty" value is a case-sensitive string.
	//
	// required: true
	// example: RSA
	Kty string `json:"kty,omitempty"`

	// Kid is the "kid" (key ID) parameter, which is used to match a specific key. This
	// is used, for instance, to choose among a set of keys within a JWK Set
	// during key rollover. The structure of the "kid" value is
	// unspecified. When "kid" values are used within a JWK Set, different
	// keys within the JWK Set SHOULD use distinct "kid" values. (One
	// example in which different keys might use the same "kid" value is if
	// they have different "kty" (key type) values but are considered to be
	// equivalent alternatives by the application using them.) The "kid"
	// value is a case-sensitive string.
	//
	// required: true
	// example: 1603dfe0af8f4596
	Kid string `json:"kid,omitempty"`

	// Alg is the "alg" (algorithm) parameter, which identifies the algorithm intended for
	// use with the key. The values used should either be registered in the
	// IANA "JSON Web Signature and Encryption Algorithms" registry
	// established by [JWA] or be a value that contains a Collision-
	// Resistant Name.
	//
	// required: true
	// example: RS256
	Alg string `json:"alg,omitempty"`

	// X5c is the "x5c" (X.509 certificate chain) parameter, which contains a chain of one
	// or more PKIX certificates [RFC5280]. The certificate chain is
	// represented as a JSON array of certificate value strings. Each
	// string in the array is a base64-encoded (Section 4 of [RFC4648] --
	// not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
	// The PKIX certificate containing the key value MUST be the first
	// certificate.
	X5c []string `json:"x5c,omitempty"`

	// N is the RSA modulus (public key material).
	// example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
	N string `json:"n,omitempty"`

	// E is the RSA public exponent (public key material).
	// example: AQAB
	E string `json:"e,omitempty"`

	// D is the RSA private exponent. This is private key material and is only present on a private key;
	// it must never be published in a public JWK Set.
	// example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
	D string `json:"d,omitempty"`

	// P is the first RSA prime factor (private key material).
	// example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
	P string `json:"p,omitempty"`

	// Q is the second RSA prime factor (private key material).
	// example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
	Q string `json:"q,omitempty"`

	// Crv is the elliptic curve name for EC keys.
	// example: P-256
	Crv string `json:"crv,omitempty"`

	// Dp is the first RSA CRT exponent (private key material).
	// example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
	Dp string `json:"dp,omitempty"`

	// Dq is the second RSA CRT exponent (private key material).
	// example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
	Dq string `json:"dq,omitempty"`

	// Qi is the RSA CRT coefficient (private key material).
	// example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
	Qi string `json:"qi,omitempty"`

	// K is the symmetric key value for "oct" keys. It is secret material and must never be published.
	// example: GawgguFyGrWKav7AX4VKUg
	K string `json:"k,omitempty"`

	// X is the EC public key x coordinate.
	// example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
	X string `json:"x,omitempty"`

	// Y is the EC public key y coordinate.
	// example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
	Y string `json:"y,omitempty"`
}
It is important that this model object is named JSONWebKey so that "swagger generate spec" generates only one definition of a JSONWebKey.
swagger:model JSONWebKey
type LoginRequest
// LoginRequest contains information on an ongoing login request ("login challenge")
// that the login provider has to accept or reject.
type LoginRequest struct {
	// ID is the identifier ("login challenge") of the login request. It is used to
	// identify the session.
	//
	// required: true
	ID string `json:"challenge" db:"challenge"`

	// RequestedScope contains the OAuth 2.0 Scope requested by the OAuth 2.0 Client.
	//
	// required: true
	RequestedScope sqlxx.StringSlicePipeDelimiter `json:"requested_scope" db:"requested_scope"`

	// RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
	//
	// required: true
	RequestedAudience sqlxx.StringSlicePipeDelimiter `json:"requested_access_token_audience" db:"requested_at_audience"`

	// Skip, if true, implies that the client has requested the same scopes from the same user previously.
	// If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.
	//
	// This feature allows you to update / set session information.
	//
	// required: true
	Skip bool `json:"skip" db:"skip"`

	// Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
	// requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type
	// when accepting the login request, or the request will fail.
	//
	// required: true
	Subject string `json:"subject" db:"subject"`

	// OpenIDConnectContext provides context for the (potential) OpenID Connect context. Implementation of these
	// values in your app are optional but can be useful if you want to be fully compliant with the OpenID Connect spec.
	OpenIDConnectContext *OpenIDConnectContext `json:"oidc_context" db:"oidc_context"`

	// Client is the OAuth 2.0 Client that initiated the request. The client object itself is not persisted
	// (`db:"-"`); ClientID is the persisted reference and is never serialized to JSON.
	//
	// required: true
	Client   *Client `json:"client" db:"-"`
	ClientID string  `json:"-" db:"client_id"`

	// RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
	// initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
	// might come in handy if you want to deal with additional request parameters.
	//
	// required: true
	RequestURL string `json:"request_url" db:"request_url"`

	// SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
	// this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
	// this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
	// channel logout. Its value can generally be used to associate consecutive login requests by a certain user.
	SessionID sqlxx.NullString `json:"session_id" db:"login_session_id"`

	// WasHandled, if set to true, means that the request was already handled. This
	// can happen on form double-submit or other errors. If this is set
	// we recommend redirecting the user to `request_url` to re-initiate
	// the flow. Not serialized to JSON; the `,r` option on the db tag presumably
	// marks it read-only for the SQL helper — confirm against sqlxx.
	WasHandled bool `json:"-" db:"was_handled,r"`

	// ForceSubjectIdentifier is neither serialized nor persisted; it is here only so that sql_helper works properly.
	ForceSubjectIdentifier string `json:"-" db:"-"`

	// Verifier and CSRF are internal values of the challenge round trip. Both are persisted but excluded from
	// JSON (`json:"-"`), so they never appear in the API representation of the request. NOTE(review): presumably
	// they are what the accept/reject handlers validate — confirm against the consent handler.
	Verifier string `json:"-" db:"verifier"`
	CSRF     string `json:"-" db:"csrf"`

	// AuthenticatedAt and RequestedAt are internal timestamps, persisted but not serialized to JSON.
	AuthenticatedAt sqlxx.NullTime `json:"-" db:"authenticated_at"`
	RequestedAt     time.Time      `json:"-" db:"requested_at"`
}
Contains information on an ongoing login request.
swagger:model loginRequest
func (*LoginRequest) AfterFind
func (r *LoginRequest) AfterFind(c *pop.Connection) error
func (*LoginRequest) BeforeSave
func (r *LoginRequest) BeforeSave(_ *pop.Connection) error
func (*LoginRequest) FindInDB
func (r *LoginRequest) FindInDB(c *pop.Connection, id string) error
func (LoginRequest) TableName
func (_ LoginRequest) TableName() string
type LoginSession
// LoginSession is the persisted authentication session of a user-agent. It carries only
// db tags and no json tags, so it is a storage model and not part of the JSON API.
// NOTE(review): presumably this is what LoginRequest.SessionID (`db:"login_session_id"`)
// refers to — confirm against the storage layer.
type LoginSession struct {
	// ID is the session identifier.
	ID string `db:"id"`
	// AuthenticatedAt records when the user authenticated within this session (NULL if never).
	AuthenticatedAt sqlxx.NullTime `db:"authenticated_at"`
	// Subject is the identifier of the authenticated user.
	Subject string `db:"subject"`
	// Remember indicates whether the session is to be remembered across login requests.
	Remember bool `db:"remember"`
}
swagger:ignore
func (LoginSession) TableName
func (_ LoginSession) TableName() string
type LogoutRequest
// LogoutRequest contains information about an ongoing logout request ("logout challenge").
type LogoutRequest struct {
	// ID is the identifier ("logout challenge") of the logout authentication request. It is used to
	// identify the session.
	ID string `json:"challenge" db:"challenge"`

	// Subject is the user for whom the logout was requested.
	Subject string `json:"subject" db:"subject"`

	// SessionID is the login session ID that was requested to log out.
	SessionID string `json:"sid,omitempty" db:"sid"`

	// RequestURL is the original Logout URL requested.
	RequestURL string `json:"request_url" db:"request_url"`

	// RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.
	RPInitiated bool `json:"rp_initiated" db:"rp_initiated"`

	// WasHandled, if set to true, means that the request was already handled. This
	// can happen on form double-submit or other errors. If this is set
	// we recommend redirecting the user to `request_url` to re-initiate
	// the flow. Not serialized to JSON.
	WasHandled bool `json:"-" db:"was_used"`

	// Verifier, PostLogoutRedirectURI, Accepted and Rejected are internal state of the challenge
	// round trip: persisted, but excluded from JSON (`json:"-"`) so they are never returned by the API.
	Verifier              string `json:"-" db:"verifier"`
	PostLogoutRedirectURI string `json:"-" db:"redir_url"`
	Accepted              bool   `json:"-" db:"accepted"`
	Rejected              bool   `db:"rejected" json:"-"`

	// ClientID is the persisted reference to the initiating client (NULL when none); Client is the
	// resolved object, exposed in JSON but not persisted (`db:"-"`).
	ClientID sql.NullString `json:"-" db:"client_id"`
	Client   *Client        `json:"client" db:"-"`
}
Contains information about an ongoing logout request.
swagger:model logoutRequest
func (*LogoutRequest) AfterFind
func (r *LogoutRequest) AfterFind(c *pop.Connection) error
func (*LogoutRequest) BeforeSave
func (r *LogoutRequest) BeforeSave(_ *pop.Connection) error
func (LogoutRequest) TableName
func (_ LogoutRequest) TableName() string
type OpenIDConnectContext
// OpenIDConnectContext contains optional information about the OpenID Connect request,
// as passed through to the login and consent providers.
type OpenIDConnectContext struct {
	// ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.
	// It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.
	//
	// OpenID Connect defines it as follows:
	// > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values
	// that the Authorization Server is being requested to use for processing this Authentication Request, with the
	// values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication
	// performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a
	// Voluntary Claim by this parameter.
	ACRValues []string `json:"acr_values,omitempty"`

	// UILocales is the End-User's preferred languages and scripts for the user interface, represented as a
	// space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
	// "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation),
	// followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested
	// locales are not supported by the OpenID Provider.
	UILocales []string `json:"ui_locales,omitempty"`

	// Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
	// The defined values are:
	// - page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
	// - popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
	// - touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
	// - wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
	//
	// The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.
	Display string `json:"display,omitempty"`

	// IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the
	// End-User's current or past authenticated session with the Client.
	// NOTE(review): nothing in this type shows whether the hint's signature is verified before its claims are
	// copied here — consumers should confirm that at the producer before treating these claims as trustworthy.
	IDTokenHintClaims map[string]interface{} `json:"id_token_hint_claims,omitempty"`

	// LoginHint hints about the login identifier the End-User might use to log in (if necessary).
	// This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)
	// and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a
	// phone number in the format specified for the phone_number Claim. The use of this parameter is optional.
	LoginHint string `json:"login_hint,omitempty"`
}
Contains optional information about the OpenID Connect request.
swagger:model openIDConnectContext
func (*OpenIDConnectContext) Scan
func (n *OpenIDConnectContext) Scan(value interface{}) error
type PreviousConsentSession
// PreviousConsentSession is the response used to return previously used consent requests. It mirrors
// HandledLoginRequest, but exposes consent_request as JSON.
type PreviousConsentSession struct {
	// ID is the consent challenge; named ID (rather than Challenge) because of pop. Not serialized to JSON.
	ID string `json:"-" db:"challenge"`

	// GrantedScope sets the scope the user authorized the client to use. Should be a subset of `requested_scope`.
	GrantedScope sqlxx.StringSlicePipeDelimiter `json:"grant_scope" db:"granted_scope"`

	// GrantedAudience sets the audience the user authorized the client to use. Should be a subset of `requested_access_token_audience`.
	GrantedAudience sqlxx.StringSlicePipeDelimiter `json:"grant_access_token_audience" db:"granted_at_audience"`

	// Session allows you to set (optional) session data for access and ID tokens. Not persisted directly;
	// SessionIDToken and SessionAccessToken below are the persisted columns.
	Session *ConsentRequestSessionData `json:"session" db:"-"`

	// Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
	// client asks the same user for the same, or a subset of, scope.
	Remember bool `json:"remember" db:"remember"`

	// RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
	// authorization will be remembered indefinitely.
	RememberFor int `json:"remember_for" db:"remember_for"`

	// HandledAt contains the timestamp the consent request was handled.
	HandledAt sqlxx.NullTime `json:"handled_at" db:"handled_at"`

	// WasHandled, if set to true, means that the request was already handled. This
	// can happen on form double-submit or other errors. If this is set
	// we recommend redirecting the user to `request_url` to re-initiate
	// the flow. Not serialized to JSON.
	WasHandled bool `json:"-" db:"was_used"`

	// ConsentRequest is the originating consent request, exposed in JSON but not persisted here.
	ConsentRequest *ConsentRequest `json:"consent_request" db:"-"`

	// Error holds the denial, if the request was rejected. Persisted, not serialized to JSON.
	Error *RequestDeniedError `json:"-" db:"error"`

	// RequestedAt and AuthenticatedAt are internal timestamps, persisted but not serialized to JSON.
	RequestedAt     time.Time      `json:"-" db:"requested_at"`
	AuthenticatedAt sqlxx.NullTime `json:"-" db:"authenticated_at"`

	// SessionIDToken and SessionAccessToken are the persisted forms of the session data; excluded from JSON
	// (`json:"-"`) so the raw stored claims are not returned through this model.
	SessionIDToken     sqlxx.MapStringInterface `db:"session_id_token" json:"-"`
	SessionAccessToken sqlxx.MapStringInterface `db:"session_access_token" json:"-"`
}
The response used to return previously used consent requests. It is the same as HandledLoginRequest, just with consent_request exposed as JSON.
type RequestDeniedError
// RequestDeniedError is the payload used to reject a login or consent request (swagger model rejectRequest).
// NOTE(review): SetDefaults (declared on this type) presumably fills Name and Code when they are empty — confirm.
type RequestDeniedError struct {
	// Name is the error code. It should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).
	//
	// Defaults to `request_denied`.
	Name string `json:"error"`

	// Description of the error in a human readable format.
	Description string `json:"error_description"`

	// Hint to help resolve the error.
	Hint string `json:"error_hint"`

	// Code represents the HTTP status code of the error (e.g. 401 or 403)
	//
	// Defaults to 400
	Code int `json:"status_code"`

	// Debug contains information to help resolve the problem as a developer. Usually not exposed
	// to the public but only in the server logs.
	// NOTE(review): the json tag serializes this field whenever the struct is marshaled, so whatever
	// builds the public error response must strip it explicitly — confirm at the response writer.
	Debug string `json:"error_debug"`

	// contains filtered or unexported fields
}
The request payload used to accept a login or consent request.
swagger:model rejectRequest
func (*RequestDeniedError) IsError
func (e *RequestDeniedError) IsError() bool
func (*RequestDeniedError) Scan
func (e *RequestDeniedError) Scan(value interface{}) error
func (*RequestDeniedError) SetDefaults
func (e *RequestDeniedError) SetDefaults(name string)
type RequestHandlerResponse
// RequestHandlerResponse is the response payload sent when accepting or rejecting a login or consent request.
type RequestHandlerResponse struct {
	// RedirectTo is the URL which you should redirect the user to once the authentication process is completed.
	//
	// required: true
	RedirectTo string `json:"redirect_to"`
}
The response payload sent when accepting or rejecting a login or consent request.
swagger:model completedRequest
type RequestWasHandledResponse
// RequestWasHandledResponse is the response payload sent when there is an attempt to access an already handled request.
type RequestWasHandledResponse struct {
	// RedirectTo is the original request URL to which you should redirect the user if the request was already handled.
	//
	// required: true
	RedirectTo string `json:"redirect_to"`
}
The response payload sent when there is an attempt to access already handled request.
swagger:model requestWasHandledResponse
type WellKnown
// WellKnown represents important OpenID Connect discovery metadata. It includes links to several
// endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms among others.
type WellKnown struct {
	// Issuer is the URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.
	// If IssuerURL discovery is supported, this value MUST be identical to the issuer value returned
	// by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/
	Issuer string `json:"issuer"`

	// AuthURL is the URL of the OP's OAuth 2.0 Authorization Endpoint.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/oauth2/auth
	AuthURL string `json:"authorization_endpoint"`

	// RegistrationEndpoint is the URL of the OP's Dynamic Client Registration Endpoint. Omitted when empty.
	// example: https://playground.ory.sh/ory-hydra/admin/client
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// TokenURL is the URL of the OP's OAuth 2.0 Token Endpoint.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/oauth2/token
	TokenURL string `json:"token_endpoint"`

	// JWKsURI is the URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
	// signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
	// to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
	// parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
	// Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
	// NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
	// keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	//
	// required: true
	// example: https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json
	JWKsURI string `json:"jwks_uri"`

	// SubjectTypes is a JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
	// pairwise and public.
	//
	// required: true
	// example:
	//   - public
	//   - pairwise
	SubjectTypes []string `json:"subject_types_supported"`

	// ResponseTypes is a JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
	// Providers MUST support the code, id_token, and the token id_token Response Type values.
	//
	// required: true
	ResponseTypes []string `json:"response_types_supported"`

	// ClaimsSupported is a JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
	// values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	ClaimsSupported []string `json:"claims_supported"`

	// GrantTypesSupported is a JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
	GrantTypesSupported []string `json:"grant_types_supported"`

	// ResponseModesSupported is a JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
	ResponseModesSupported []string `json:"response_modes_supported"`

	// UserinfoEndpoint is the URL of the OP's UserInfo Endpoint.
	UserinfoEndpoint string `json:"userinfo_endpoint"`

	// ScopesSupported is a JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
	// support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used.
	ScopesSupported []string `json:"scopes_supported"`

	// TokenEndpointAuthMethodsSupported is a JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
	// client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0.
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`

	// UserinfoSigningAlgValuesSupported is a JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"`

	// IDTokenSigningAlgValuesSupported is a JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
	// to encode the Claims in a JWT.
	//
	// required: true
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`

	// RequestParameterSupported is a boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
	RequestParameterSupported bool `json:"request_parameter_supported"`

	// RequestURIParameterSupported is a boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// RequireRequestURIRegistration is a boolean value specifying whether the OP requires any request_uri values used to be pre-registered
	// using the request_uris registration parameter.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	// ClaimsParameterSupported is a boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`

	// RevocationEndpoint is the URL of the authorization server's OAuth 2.0 revocation endpoint.
	RevocationEndpoint string `json:"revocation_endpoint"`

	// BackChannelLogoutSupported is a boolean value specifying whether the OP supports back-channel logout, with true indicating support.
	BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`

	// BackChannelLogoutSessionSupported is a boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP
	// session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`

	// FrontChannelLogoutSupported is a boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.
	FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`

	// FrontChannelLogoutSessionSupported is a boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify
	// the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
	// included in ID Tokens issued by the OP.
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`

	// EndSessionEndpoint is the URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
	EndSessionEndpoint string `json:"end_session_endpoint"`

	// RequestObjectSigningAlgValuesSupported is a JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,
	// which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when
	// the Request Object is passed by value (using the request parameter) and when it is passed by reference
	// (using the request_uri parameter).
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`

	// CodeChallengeMethodsSupported is a JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported
	// by this authorization server.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}
WellKnown represents important OpenID Connect discovery metadata
It includes links to several endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms among others.
swagger:model wellKnown