Documentation ¶
Index ¶
- type APIClient
- func (c *APIClient) CallAPI(path string, method string, postBody interface{}, ...) (*resty.Response, error)
- func (c *APIClient) ParameterToString(obj interface{}, collectionFormat string) string
- func (c *APIClient) SelectHeaderAccept(accepts []string) string
- func (c *APIClient) SelectHeaderContentType(contentTypes []string) string
- type APIResponse
- type Configuration
- type ConsentRequest
- type ConsentRequestAcceptance
- type ConsentRequestManager
- type ConsentRequestRejection
- type Context
- type Firewall
- type FlushInactiveOAuth2TokensRequest
- type Group
- type GroupMembers
- type Handler
- type HealthApi
- type InlineResponse200
- type InlineResponse401
- type JoseWebKeySetRequest
- type JsonWebKey
- type JsonWebKeyApi
- func (a JsonWebKeyApi) CreateJsonWebKeySet(set string, body JsonWebKeySetGeneratorRequest) (*JsonWebKeySet, *APIResponse, error)
- func (a JsonWebKeyApi) DeleteJsonWebKey(kid string, set string) (*APIResponse, error)
- func (a JsonWebKeyApi) DeleteJsonWebKeySet(set string) (*APIResponse, error)
- func (a JsonWebKeyApi) GetJsonWebKey(kid string, set string) (*JsonWebKeySet, *APIResponse, error)
- func (a JsonWebKeyApi) GetJsonWebKeySet(set string) (*JsonWebKeySet, *APIResponse, error)
- func (a JsonWebKeyApi) UpdateJsonWebKey(kid string, set string, body JsonWebKey) (*JsonWebKey, *APIResponse, error)
- func (a JsonWebKeyApi) UpdateJsonWebKeySet(set string, body JsonWebKeySet) (*JsonWebKeySet, *APIResponse, error)
- type JsonWebKeySet
- type JsonWebKeySetGeneratorRequest
- type KeyGenerator
- type Manager
- type OAuth2Api
- func (a OAuth2Api) AcceptOAuth2ConsentRequest(id string, body ConsentRequestAcceptance) (*APIResponse, error)
- func (a OAuth2Api) CreateOAuth2Client(body OAuth2Client) (*OAuth2Client, *APIResponse, error)
- func (a OAuth2Api) DeleteOAuth2Client(id string) (*APIResponse, error)
- func (a OAuth2Api) FlushInactiveOAuth2Tokens(body FlushInactiveOAuth2TokensRequest) (*APIResponse, error)
- func (a OAuth2Api) GetOAuth2Client(id string) (*OAuth2Client, *APIResponse, error)
- func (a OAuth2Api) GetOAuth2ConsentRequest(id string) (*OAuth2ConsentRequest, *APIResponse, error)
- func (a OAuth2Api) GetWellKnown() (*WellKnown, *APIResponse, error)
- func (a OAuth2Api) IntrospectOAuth2Token(token string, scope string) (*OAuth2TokenIntrospection, *APIResponse, error)
- func (a OAuth2Api) ListOAuth2Clients(limit int64, offset int64) ([]OAuth2Client, *APIResponse, error)
- func (a OAuth2Api) OauthAuth() (*APIResponse, error)
- func (a OAuth2Api) OauthToken() (*OauthTokenResponse, *APIResponse, error)
- func (a OAuth2Api) RejectOAuth2ConsentRequest(id string, body ConsentRequestRejection) (*APIResponse, error)
- func (a OAuth2Api) RevokeOAuth2Token(token string) (*APIResponse, error)
- func (a OAuth2Api) UpdateOAuth2Client(id string, body OAuth2Client) (*OAuth2Client, *APIResponse, error)
- func (a OAuth2Api) Userinfo() (*UserinfoResponse, *APIResponse, error)
- func (a OAuth2Api) WellKnown() (*JsonWebKeySet, *APIResponse, error)
- type OAuth2Client
- type OAuth2ConsentRequest
- type OAuth2TokenIntrospection
- type OauthTokenResponse
- type Policy
- type PolicyApi
- func (a PolicyApi) CreatePolicy(body Policy) (*Policy, *APIResponse, error)
- func (a PolicyApi) DeletePolicy(id string) (*APIResponse, error)
- func (a PolicyApi) GetPolicy(id string) (*Policy, *APIResponse, error)
- func (a PolicyApi) ListPolicies(offset int64, limit int64) ([]Policy, *APIResponse, error)
- func (a PolicyApi) UpdatePolicy(id string, body Policy) (*Policy, *APIResponse, error)
- type PolicyConditions
- type RawMessage
- type SwaggerAcceptConsentRequest
- type SwaggerCreatePolicyParameters
- type SwaggerDoesWardenAllowAccessRequestParameters
- type SwaggerDoesWardenAllowTokenAccessRequestParameters
- type SwaggerFlushInactiveAccessTokens
- type SwaggerGetPolicyParameters
- type SwaggerJsonWebKeyQuery
- type SwaggerJwkCreateSet
- type SwaggerJwkSetQuery
- type SwaggerJwkUpdateSet
- type SwaggerJwkUpdateSetKey
- type SwaggerListPolicyParameters
- type SwaggerListPolicyResponse
- type SwaggerOAuthConsentRequestPayload
- type SwaggerOAuthIntrospectionRequest
- type SwaggerRejectConsentRequest
- type SwaggerRevokeOAuth2TokenParameters
- type SwaggerUpdatePolicyParameters
- type TokenAllowedRequest
- type UserinfoResponse
- type WardenAccessRequest
- type WardenAccessRequestResponse
- type WardenApi
- func (a WardenApi) AddMembersToGroup(id string, body GroupMembers) (*APIResponse, error)
- func (a WardenApi) CreateGroup(body Group) (*Group, *APIResponse, error)
- func (a WardenApi) DeleteGroup(id string) (*APIResponse, error)
- func (a WardenApi) DoesWardenAllowAccessRequest(body WardenAccessRequest) (*WardenAccessRequestResponse, *APIResponse, error)
- func (a WardenApi) DoesWardenAllowTokenAccessRequest(body WardenTokenAccessRequest) (*WardenTokenAccessRequestResponse, *APIResponse, error)
- func (a WardenApi) GetGroup(id string) (*Group, *APIResponse, error)
- func (a WardenApi) ListGroups(member string, limit int64, offset int64) ([]Group, *APIResponse, error)
- func (a WardenApi) RemoveMembersFromGroup(id string, body GroupMembers) (*APIResponse, error)
- type WardenTokenAccessRequest
- type WardenTokenAccessRequestResponse
- type WellKnown
- type Writer
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type APIClient ¶
type APIClient struct {
// contains filtered or unexported fields
}
func (*APIClient) ParameterToString ¶
func (*APIClient) SelectHeaderAccept ¶
func (*APIClient) SelectHeaderContentType ¶
type APIResponse ¶
type APIResponse struct { *http.Response `json:"-"` Message string `json:"message,omitempty"` // Operation is the name of the swagger operation. Operation string `json:"operation,omitempty"` // RequestURL is the request URL. This value is always available, even if the // embedded *http.Response is nil. RequestURL string `json:"url,omitempty"` // Method is the HTTP method used for the request. This value is always // available, even if the embedded *http.Response is nil. Method string `json:"method,omitempty"` // Payload holds the contents of the response body (which may be nil or empty). // This is provided here as the raw response.Body() reader will have already // been drained. Payload []byte `json:"-"` }
func NewAPIResponse ¶
func NewAPIResponse(r *http.Response) *APIResponse
func NewAPIResponseWithError ¶
func NewAPIResponseWithError(errorMessage string) *APIResponse
type Configuration ¶
type Configuration struct { Username string `json:"userName,omitempty"` Password string `json:"password,omitempty"` APIKeyPrefix map[string]string `json:"APIKeyPrefix,omitempty"` APIKey map[string]string `json:"APIKey,omitempty"` Debug bool `json:"debug,omitempty"` DebugFile string `json:"debugFile,omitempty"` OAuthToken string `json:"oAuthToken,omitempty"` BasePath string `json:"basePath,omitempty"` Host string `json:"host,omitempty"` Scheme string `json:"scheme,omitempty"` AccessToken string `json:"accessToken,omitempty"` DefaultHeader map[string]string `json:"defaultHeader,omitempty"` UserAgent string `json:"userAgent,omitempty"` APIClient *APIClient Transport http.RoundTripper Timeout *time.Duration `json:"timeout,omitempty"` }
func NewConfiguration ¶
func NewConfiguration() *Configuration
func (*Configuration) AddDefaultHeader ¶
func (c *Configuration) AddDefaultHeader(key string, value string)
func (*Configuration) GetAPIKeyWithPrefix ¶
func (c *Configuration) GetAPIKeyWithPrefix(APIKeyIdentifier string) string
func (*Configuration) GetBasicAuthEncodedString ¶
func (c *Configuration) GetBasicAuthEncodedString() string
type ConsentRequest ¶
type ConsentRequest struct { // ClientID is the client id that initiated the OAuth2 request. ClientId string `json:"clientId,omitempty"` // ExpiresAt is the time where the access request will expire. ExpiresAt time.Time `json:"expiresAt,omitempty"` // ID is the id of this consent request. Id string `json:"id,omitempty"` // Redirect URL is the URL where the user agent should be redirected to after the consent has been accepted or rejected. RedirectUrl string `json:"redirectUrl,omitempty"` // RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator. RequestedScopes []string `json:"requestedScopes,omitempty"` }
type ConsentRequestAcceptance ¶
type ConsentRequestAcceptance struct { // AccessTokenExtra represents arbitrary data that will be added to the access token and that will be returned on introspection and warden requests. AccessTokenExtra map[string]interface{} `json:"accessTokenExtra,omitempty"` // A list of scopes that the user agreed to grant. It should be a subset of requestedScopes from the consent request. GrantScopes []string `json:"grantScopes,omitempty"` // IDTokenExtra represents arbitrary data that will be added to the ID token. The ID token will only be issued if the user agrees to it and if the client requested an ID token. IdTokenExtra map[string]interface{} `json:"idTokenExtra,omitempty"` // Subject represents a unique identifier of the user (or service, or legal entity, ...) that accepted the OAuth2 request. Subject string `json:"subject,omitempty"` }
type ConsentRequestManager ¶
type ConsentRequestManager struct { }
type ConsentRequestRejection ¶
type ConsentRequestRejection struct { // Reason represents the reason why the user rejected the consent request. Reason string `json:"reason,omitempty"` }
type Context ¶
type Context struct { // Extra represents arbitrary session data. AccessTokenExtra map[string]interface{} `json:"accessTokenExtra,omitempty"` // ClientID is id of the client the token was issued for.. ClientId string `json:"clientId,omitempty"` // ExpiresAt is the expiry timestamp. ExpiresAt time.Time `json:"expiresAt,omitempty"` // GrantedScopes is a list of scopes that the subject authorized when asked for consent. GrantedScopes []string `json:"grantedScopes,omitempty"` // IssuedAt is the token creation time stamp. IssuedAt time.Time `json:"issuedAt,omitempty"` // Issuer is the id of the issuer, typically an hydra instance. Issuer string `json:"issuer,omitempty"` // Subject is the identity that authorized issuing the token, for example a user or an OAuth2 app. This is usually a uuid but you can choose a urn or some other id too. Subject string `json:"subject,omitempty"` }
Context contains an access token's session data
type FlushInactiveOAuth2TokensRequest ¶ added in v0.11.10
type Group ¶
type Group struct { // ID is the groups id. Id string `json:"id,omitempty"` // Members is who belongs to the group. Members []string `json:"members,omitempty"` }
Group represents a warden group
type GroupMembers ¶
type GroupMembers struct {
Members []string `json:"members,omitempty"`
}
type HealthApi ¶
type HealthApi struct {
Configuration *Configuration
}
func NewHealthApi ¶
func NewHealthApi() *HealthApi
func (HealthApi) GetInstanceStatus ¶
func (a HealthApi) GetInstanceStatus() (*InlineResponse200, *APIResponse, error)
*
- Check the Health Status
- This endpoint returns a 200 status code when the HTTP server is up running. `{ \"status\": \"ok\" }`. This status does currently not include checks whether the database connection is working. This endpoint does not require the `X-Forwarded-Proto` header when TLS termination is set. Be aware that if you are running multiple nodes of ORY Hydra, the health status will never refer to the cluster state, only to a single instance. *
- @return *InlineResponse200
type InlineResponse200 ¶
type InlineResponse200 struct { // Status always contains \"ok\" Status string `json:"status,omitempty"` }
type InlineResponse401 ¶
type JoseWebKeySetRequest ¶
type JoseWebKeySetRequest struct {
Keys []RawMessage `json:"keys,omitempty"`
}
type JsonWebKey ¶
type JsonWebKey struct { // The \"alg\" (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA \"JSON Web Signature and Encryption Algorithms\" registry established by [JWA] or be a value that contains a Collision- Resistant Name. Alg string `json:"alg,omitempty"` Crv string `json:"crv,omitempty"` D string `json:"d,omitempty"` Dp string `json:"dp,omitempty"` Dq string `json:"dq,omitempty"` E string `json:"e,omitempty"` K string `json:"k,omitempty"` // The \"kid\" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the \"kid\" value is unspecified. When \"kid\" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct \"kid\" values. (One example in which different keys might use the same \"kid\" value is if they have different \"kty\" (key type) values but are considered to be equivalent alternatives by the application using them.) The \"kid\" value is a case-sensitive string. Kid string `json:"kid,omitempty"` // The \"kty\" (key type) parameter identifies the cryptographic algorithm family used with the key, such as \"RSA\" or \"EC\". \"kty\" values should either be registered in the IANA \"JSON Web Key Types\" registry established by [JWA] or be a value that contains a Collision- Resistant Name. The \"kty\" value is a case-sensitive string. Kty string `json:"kty,omitempty"` N string `json:"n,omitempty"` P string `json:"p,omitempty"` Q string `json:"q,omitempty"` Qi string `json:"qi,omitempty"` // The \"use\" (public key use) parameter identifies the intended use of the public key. The \"use\" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values are commonly \"sig\" (signature) or \"enc\" (encryption). Use string `json:"use,omitempty"` X string `json:"x,omitempty"` // The \"x5c\" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. X5c []string `json:"x5c,omitempty"` Y string `json:"y,omitempty"` }
type JsonWebKeyApi ¶
type JsonWebKeyApi struct {
Configuration *Configuration
}
func NewJsonWebKeyApi ¶
func NewJsonWebKeyApi() *JsonWebKeyApi
func NewJsonWebKeyApiWithBasePath ¶
func NewJsonWebKeyApiWithBasePath(basePath string) *JsonWebKeyApi
func (JsonWebKeyApi) CreateJsonWebKeySet ¶
func (a JsonWebKeyApi) CreateJsonWebKeySet(set string, body JsonWebKeySetGeneratorRequest) (*JsonWebKeySet, *APIResponse, error)
*
- Generate a new JSON Web Key
- This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>:<kid>\"], \"actions\": [\"create\"], \"effect\": \"allow\" } ``` *
- @param set The set
- @param body
- @return *JsonWebKeySet
func (JsonWebKeyApi) DeleteJsonWebKey ¶
func (a JsonWebKeyApi) DeleteJsonWebKey(kid string, set string) (*APIResponse, error)
*
- Delete a JSON Web Key
- Use this endpoint to delete a single JSON Web Key. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>:<kid>\"], \"actions\": [\"delete\"], \"effect\": \"allow\" } ``` *
- @param kid The kid of the desired key
- @param set The set
- @return void
func (JsonWebKeyApi) DeleteJsonWebKeySet ¶
func (a JsonWebKeyApi) DeleteJsonWebKeySet(set string) (*APIResponse, error)
*
- Delete a JSON Web Key Set
- Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>\"], \"actions\": [\"delete\"], \"effect\": \"allow\" } ``` *
- @param set The set
- @return void
func (JsonWebKeyApi) GetJsonWebKey ¶
func (a JsonWebKeyApi) GetJsonWebKey(kid string, set string) (*JsonWebKeySet, *APIResponse, error)
*
- Retrieve a JSON Web Key
- This endpoint can be used to retrieve JWKs stored in ORY Hydra. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>:<kid>\"], \"actions\": [\"get\"], \"effect\": \"allow\" } ``` *
- @param kid The kid of the desired key
- @param set The set
- @return *JsonWebKeySet
func (JsonWebKeyApi) GetJsonWebKeySet ¶
func (a JsonWebKeyApi) GetJsonWebKeySet(set string) (*JsonWebKeySet, *APIResponse, error)
*
- Retrieve a JSON Web Key Set
- This endpoint can be used to retrieve JWK Sets stored in ORY Hydra. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>:<kid>\"], \"actions\": [\"get\"], \"effect\": \"allow\" } ``` *
- @param set The set
- @return *JsonWebKeySet
func (JsonWebKeyApi) UpdateJsonWebKey ¶
func (a JsonWebKeyApi) UpdateJsonWebKey(kid string, set string, body JsonWebKey) (*JsonWebKey, *APIResponse, error)
*
- Update a JSON Web Key
- Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>:<kid>\"], \"actions\": [\"update\"], \"effect\": \"allow\" } ``` *
- @param kid The kid of the desired key
- @param set The set
- @param body
- @return *JsonWebKey
func (JsonWebKeyApi) UpdateJsonWebKeySet ¶
func (a JsonWebKeyApi) UpdateJsonWebKeySet(set string, body JsonWebKeySet) (*JsonWebKeySet, *APIResponse, error)
*
- Update a JSON Web Key Set
- Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:<set>\"], \"actions\": [\"update\"], \"effect\": \"allow\" } ``` *
- @param set The set
- @param body
- @return *JsonWebKeySet
type JsonWebKeySet ¶
type JsonWebKeySet struct { // The value of the \"keys\" parameter is an array of JWK values. By default, the order of the JWK values within the array does not imply an order of preference among them, although applications of JWK Sets can choose to assign a meaning to the order for their purposes, if desired. Keys []JsonWebKey `json:"keys,omitempty"` }
type KeyGenerator ¶
type KeyGenerator struct { }
type OAuth2Api ¶
type OAuth2Api struct {
Configuration *Configuration
}
func NewOAuth2Api ¶
func NewOAuth2Api() *OAuth2Api
func (OAuth2Api) AcceptOAuth2ConsentRequest ¶
func (a OAuth2Api) AcceptOAuth2ConsentRequest(id string, body ConsentRequestAcceptance) (*APIResponse, error)
*
- Accept a consent request
- Call this endpoint to accept a consent request. This usually happens when a user agrees to give access rights to an application. The consent request id is usually transmitted via the URL query `consent`. For example: `http://consent-app.mydomain.com/?consent=1234abcd` The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:oauth2:consent:requests:<request-id>\"], \"actions\": [\"accept\"], \"effect\": \"allow\" } ``` *
- @param id
- @param body
- @return void
func (OAuth2Api) CreateOAuth2Client ¶
func (a OAuth2Api) CreateOAuth2Client(body OAuth2Client) (*OAuth2Client, *APIResponse, error)
*
- Create an OAuth 2.0 client
- Create a new OAuth 2.0 client If you pass `client_secret` the secret will be used, otherwise a random secret will be generated. The secret will be returned in the response and you will not be able to retrieve it later on. Write the secret down and keep it somwhere safe. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"create\"], \"effect\": \"allow\" } ``` Additionally, the context key \"owner\" is set to the owner of the client, allowing policies such as: ``` { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"create\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } } ``` *
- @param body
- @return *OAuth2Client
func (OAuth2Api) DeleteOAuth2Client ¶
func (a OAuth2Api) DeleteOAuth2Client(id string) (*APIResponse, error)
*
- Deletes an OAuth 2.0 Client
- Delete an existing OAuth 2.0 Client by its ID. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"delete\"], \"effect\": \"allow\" } ``` Additionally, the context key \"owner\" is set to the owner of the client, allowing policies such as: ``` { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"delete\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } } ``` *
- @param id The id of the OAuth 2.0 Client.
- @return void
func (OAuth2Api) FlushInactiveOAuth2Tokens ¶ added in v0.11.10
func (a OAuth2Api) FlushInactiveOAuth2Tokens(body FlushInactiveOAuth2TokensRequest) (*APIResponse, error)
*
- Flush Expired OAuth2 Access Tokens
- This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted automatically when performing the refresh flow. ``` { \"resources\": [\"rn:hydra:oauth2:tokens\"], \"actions\": [\"flush\"], \"effect\": \"allow\" } ``` *
- @param body
- @return void
func (OAuth2Api) GetOAuth2Client ¶
func (a OAuth2Api) GetOAuth2Client(id string) (*OAuth2Client, *APIResponse, error)
*
- Get an OAuth 2.0 Client.
- Get an OAUth 2.0 client by its ID. This endpoint never returns passwords. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"get\"], \"effect\": \"allow\" } ``` Additionally, the context key \"owner\" is set to the owner of the client, allowing policies such as: ``` { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"get\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } } ``` *
- @param id The id of the OAuth 2.0 Client.
- @return *OAuth2Client
func (OAuth2Api) GetOAuth2ConsentRequest ¶
func (a OAuth2Api) GetOAuth2ConsentRequest(id string) (*OAuth2ConsentRequest, *APIResponse, error)
*
- Receive consent request information
- Call this endpoint to receive information on consent requests. The consent request id is usually transmitted via the URL query `consent`. For example: `http://consent-app.mydomain.com/?consent=1234abcd` The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:oauth2:consent:requests:<request-id>\"], \"actions\": [\"get\"], \"effect\": \"allow\" } ``` *
- @param id The id of the OAuth 2.0 Consent Request.
- @return *OAuth2ConsentRequest
func (OAuth2Api) GetWellKnown ¶
func (a OAuth2Api) GetWellKnown() (*WellKnown, *APIResponse, error)
*
- Server well known configuration
- The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html *
- @return *WellKnown
func (OAuth2Api) IntrospectOAuth2Token ¶
func (a OAuth2Api) IntrospectOAuth2Token(token string, scope string) (*OAuth2TokenIntrospection, *APIResponse, error)
*
- Introspect OAuth2 tokens
- The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting `accessTokenExtra` during the consent flow. ``` { \"resources\": [\"rn:hydra:oauth2:tokens\"], \"actions\": [\"introspect\"], \"effect\": \"allow\" } ``` *
- @param token The string value of the token. For access tokens, this is the \"access_token\" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. This endpoint DOES NOT accept refresh tokens for validation.
- @param scope An optional, space separated list of required scopes. If the access token was not granted one of the scopes, the result of active will be false.
- @return *OAuth2TokenIntrospection
func (OAuth2Api) ListOAuth2Clients ¶
func (a OAuth2Api) ListOAuth2Clients(limit int64, offset int64) ([]OAuth2Client, *APIResponse, error)
*
- List OAuth 2.0 Clients
- This endpoint lists all clients in the database, and never returns client secrets. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"get\"], \"effect\": \"allow\" } ``` *
- @param limit The maximum amount of policies returned.
- @param offset The offset from where to start looking.
- @return []OAuth2Client
func (OAuth2Api) OauthAuth ¶
func (a OAuth2Api) OauthAuth() (*APIResponse, error)
*
- The OAuth 2.0 authorize endpoint
- This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists. To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749 *
- @return void
func (OAuth2Api) OauthToken ¶
func (a OAuth2Api) OauthToken() (*OauthTokenResponse, *APIResponse, error)
*
- The OAuth 2.0 token endpoint
- This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists. To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749 *
- @return *OauthTokenResponse
func (OAuth2Api) RejectOAuth2ConsentRequest ¶
func (a OAuth2Api) RejectOAuth2ConsentRequest(id string, body ConsentRequestRejection) (*APIResponse, error)
*
- Reject a consent request
- Call this endpoint to reject a consent request. This usually happens when a user denies access rights to an application. The consent request id is usually transmitted via the URL query `consent`. For example: `http://consent-app.mydomain.com/?consent=1234abcd` The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:oauth2:consent:requests:<request-id>\"], \"actions\": [\"reject\"], \"effect\": \"allow\" } ``` *
- @param id
- @param body
- @return void
func (OAuth2Api) RevokeOAuth2Token ¶
func (a OAuth2Api) RevokeOAuth2Token(token string) (*APIResponse, error)
*
- Revoke OAuth2 tokens
- Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it. *
- @param token
- @return void
func (OAuth2Api) UpdateOAuth2Client ¶
func (a OAuth2Api) UpdateOAuth2Client(id string, body OAuth2Client) (*OAuth2Client, *APIResponse, error)
*
- Update an OAuth 2.0 Client
- Update an existing OAuth 2.0 Client. If you pass `client_secret` the secret will be updated and returned via the API. This is the only time you will be able to retrieve the client secret, so write it down and keep it safe. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"update\"], \"effect\": \"allow\" } ``` Additionally, the context key \"owner\" is set to the owner of the client, allowing policies such as: ``` { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"update\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } } ``` *
- @param id
- @param body
- @return *OAuth2Client
func (OAuth2Api) Userinfo ¶ added in v0.10.4
func (a OAuth2Api) Userinfo() (*UserinfoResponse, *APIResponse, error)
*
- OpenID Connect Userinfo
- This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 access token. The endpoint implements http://openid.net/specs/openid-connect-core-1_0.html#UserInfo . *
- @return *UserinfoResponse
func (OAuth2Api) WellKnown ¶
func (a OAuth2Api) WellKnown() (*JsonWebKeySet, *APIResponse, error)
*
- Get Well-Known JSON Web Keys
- Returns metadata for discovering important JSON Web Keys. Currently, this endpoint returns the public key for verifying OpenID Connect ID Tokens. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:keys:hydra.openid.id-token:public\"], \"actions\": [\"GET\"], \"effect\": \"allow\" } ``` *
- @return *JsonWebKeySet
type OAuth2Client ¶
type OAuth2Client struct { // Name is the human-readable string name of the client to be presented to the end-user during authorization. ClientName string `json:"client_name,omitempty"` // Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. ClientSecret string `json:"client_secret,omitempty"` // ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. ClientUri string `json:"client_uri,omitempty"` // Contacts is a array of strings representing ways to contact people responsible for this client, typically email addresses. Contacts []string `json:"contacts,omitempty"` // GrantTypes is an array of grant types the client is allowed to use. GrantTypes []string `json:"grant_types,omitempty"` // ID is the id for this client. Id string `json:"id,omitempty"` // LogoURI is an URL string that references a logo for the client. LogoUri string `json:"logo_uri,omitempty"` // Owner is a string identifying the owner of the OAuth 2.0 Client. Owner string `json:"owner,omitempty"` // PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. PolicyUri string `json:"policy_uri,omitempty"` // Public is a boolean that identifies this client as public, meaning that it does not have a secret. It will disable the client_credentials grant type for this client if set. Public bool `json:"public,omitempty"` // RedirectURIs is an array of allowed redirect urls for the client, for example http://mydomain/oauth/callback . RedirectUris []string `json:"redirect_uris,omitempty"` // ResponseTypes is an array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint. ResponseTypes []string `json:"response_types,omitempty"` // Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. Scope string `json:"scope,omitempty"` // TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. TosUri string `json:"tos_uri,omitempty"` }
type OAuth2ConsentRequest ¶
type OAuth2ConsentRequest struct { // ClientID is the client id that initiated the OAuth2 request. ClientId string `json:"clientId,omitempty"` // ExpiresAt is the time where the access request will expire. ExpiresAt string `json:"expiresAt,omitempty"` // ID is the id of this consent request. Id string `json:"id,omitempty"` // Redirect URL is the URL where the user agent should be redirected to after the consent has been accepted or rejected. RedirectUrl string `json:"redirectUrl,omitempty"` // RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator. RequestedScopes []string `json:"requestedScopes,omitempty"` }
type OAuth2TokenIntrospection ¶
type OAuth2TokenIntrospection struct { // Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's \"active\" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a \"true\" value return for the \"active\" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). Active bool `json:"active,omitempty"` // ClientID is a service-specific string identifier or list of string identifiers representing the intended audience for this token. Aud string `json:"aud,omitempty"` // ClientID is aclient identifier for the OAuth 2.0 client that requested this token. ClientId string `json:"client_id,omitempty"` // Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire. Exp int64 `json:"exp,omitempty"` // Extra is arbitrary data set by the session. Ext map[string]interface{} `json:"ext,omitempty"` // Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued. Iat int64 `json:"iat,omitempty"` // Issuer is a string representing the issuer of this token Iss string `json:"iss,omitempty"` // NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before. Nbf int64 `json:"nbf,omitempty"` // Scope is a JSON string containing a space-separated list of scopes associated with this token. Scope string `json:"scope,omitempty"` // Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token. Sub string `json:"sub,omitempty"` // Username is a human-readable identifier for the resource owner who authorized this token. Username string `json:"username,omitempty"` }
type OauthTokenResponse ¶ added in v0.11.10
type OauthTokenResponse struct { // The access token issued by the authorization server. AccessToken string `json:"access_token,omitempty"` // The lifetime in seconds of the access token. For example, the value \"3600\" denotes that the access token will expire in one hour from the time the response was generated. ExpiresIn int64 `json:"expires_in,omitempty"` // To retrieve a refresh token request the id_token scope. IdToken int64 `json:"id_token,omitempty"` // The refresh token, which can be used to obtain new access tokens. To retrieve it add the scope \"offline\" to your access token request. RefreshToken string `json:"refresh_token,omitempty"` // The scope of the access token Scope int64 `json:"scope,omitempty"` // The type of the token issued TokenType string `json:"token_type,omitempty"` }
The token response
type Policy ¶
type Policy struct { // Actions impacted by the policy. Actions []string `json:"actions,omitempty"` // Conditions under which the policy is active. Conditions map[string]PolicyConditions `json:"conditions,omitempty"` // Description of the policy. Description string `json:"description,omitempty"` // Effect of the policy Effect string `json:"effect,omitempty"` // ID of the policy. Id string `json:"id,omitempty"` // Resources impacted by the policy. Resources []string `json:"resources,omitempty"` // Subjects impacted by the policy. Subjects []string `json:"subjects,omitempty"` }
type PolicyApi ¶
type PolicyApi struct {
Configuration *Configuration
}
func NewPolicyApi ¶
func NewPolicyApi() *PolicyApi
func (PolicyApi) CreatePolicy ¶
func (a PolicyApi) CreatePolicy(body Policy) (*Policy, *APIResponse, error)
*
- Create an Access Control Policy
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:policies\"], \"actions\": [\"create\"], \"effect\": \"allow\" } ``` *
- @param body
- @return *Policy
func (PolicyApi) DeletePolicy ¶
func (a PolicyApi) DeletePolicy(id string) (*APIResponse, error)
*
- Delete an Access Control Policy
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:policies:<id>\"], \"actions\": [\"delete\"], \"effect\": \"allow\" } ``` *
- @param id The id of the policy.
- @return void
func (PolicyApi) GetPolicy ¶
func (a PolicyApi) GetPolicy(id string) (*Policy, *APIResponse, error)
*
- Get an Access Control Policy
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:policies:<id>\"], \"actions\": [\"get\"], \"effect\": \"allow\" } ``` *
- @param id The id of the policy.
- @return *Policy
func (PolicyApi) ListPolicies ¶
*
- List Access Control Policies
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:policies\"], \"actions\": [\"list\"], \"effect\": \"allow\" } ``` *
- @param offset The offset from where to start looking.
- @param limit The maximum amount of policies returned.
- @return []Policy
func (PolicyApi) UpdatePolicy ¶
*
- Update an Access Control Polic
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:policies\"], \"actions\": [\"update\"], \"effect\": \"allow\" } ``` *
- @param id The id of the policy.
- @param body
- @return *Policy
type PolicyConditions ¶
type RawMessage ¶
type RawMessage struct { }
It implements Marshaler and Unmarshaler and can be used to delay JSON decoding or precompute a JSON encoding.
type SwaggerAcceptConsentRequest ¶
type SwaggerAcceptConsentRequest struct { Body ConsentRequestAcceptance `json:"Body"` // in: path Id string `json:"id"` }
type SwaggerCreatePolicyParameters ¶
type SwaggerCreatePolicyParameters struct {
Body Policy `json:"Body,omitempty"`
}
type SwaggerDoesWardenAllowAccessRequestParameters ¶
type SwaggerDoesWardenAllowAccessRequestParameters struct {
Body WardenAccessRequest `json:"Body,omitempty"`
}
type SwaggerDoesWardenAllowTokenAccessRequestParameters ¶
type SwaggerDoesWardenAllowTokenAccessRequestParameters struct {
Body WardenTokenAccessRequest `json:"Body,omitempty"`
}
type SwaggerFlushInactiveAccessTokens ¶ added in v0.11.10
type SwaggerFlushInactiveAccessTokens struct {
Body FlushInactiveOAuth2TokensRequest `json:"Body,omitempty"`
}
type SwaggerGetPolicyParameters ¶
type SwaggerGetPolicyParameters struct { // The id of the policy. in: path Id string `json:"id,omitempty"` }
type SwaggerJsonWebKeyQuery ¶
type SwaggerJwkCreateSet ¶
type SwaggerJwkCreateSet struct { Body JsonWebKeySetGeneratorRequest `json:"Body,omitempty"` // The set in: path Set string `json:"set"` }
type SwaggerJwkSetQuery ¶
type SwaggerJwkSetQuery struct { // The set in: path Set string `json:"set"` }
type SwaggerJwkUpdateSet ¶
type SwaggerJwkUpdateSet struct { Body JsonWebKeySet `json:"Body,omitempty"` // The set in: path Set string `json:"set"` }
type SwaggerJwkUpdateSetKey ¶
type SwaggerJwkUpdateSetKey struct { Body JsonWebKey `json:"Body,omitempty"` // The kid of the desired key in: path Kid string `json:"kid"` // The set in: path Set string `json:"set"` }
type SwaggerListPolicyResponse ¶
type SwaggerListPolicyResponse struct { // in: body type: array Body []Policy `json:"Body,omitempty"` }
A policy
type SwaggerOAuthConsentRequestPayload ¶
type SwaggerOAuthConsentRequestPayload struct { // The id of the OAuth 2.0 Consent Request. Id string `json:"id"` }
type SwaggerOAuthIntrospectionRequest ¶
type SwaggerOAuthIntrospectionRequest struct { // An optional, space separated list of required scopes. If the access token was not granted one of the scopes, the result of active will be false. in: formData Scope string `json:"scope,omitempty"` // The string value of the token. For access tokens, this is the \"access_token\" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. This endpoint DOES NOT accept refresh tokens for validation. Token string `json:"token"` }
type SwaggerRejectConsentRequest ¶
type SwaggerRejectConsentRequest struct { Body ConsentRequestRejection `json:"Body"` // in: path Id string `json:"id"` }
type SwaggerRevokeOAuth2TokenParameters ¶
type SwaggerRevokeOAuth2TokenParameters struct { // in: formData Token string `json:"token"` }
type TokenAllowedRequest ¶
type TokenAllowedRequest struct { // Action is the action that is requested on the resource. Action string `json:"action,omitempty"` // Context is the request's environmental context. Context map[string]interface{} `json:"context,omitempty"` // Resource is the resource that access is requested to. Resource string `json:"resource,omitempty"` }
type UserinfoResponse ¶ added in v0.11.10
type UserinfoResponse struct { // End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates. Birthdate string `json:"birthdate,omitempty"` // End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7. Email string `json:"email,omitempty"` // True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. EmailVerified bool `json:"email_verified,omitempty"` // Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. FamilyName string `json:"family_name,omitempty"` // End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. Gender string `json:"gender,omitempty"` // Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. GivenName string `json:"given_name,omitempty"` // End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well. Locale string `json:"locale,omitempty"` // Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. MiddleName string `json:"middle_name,omitempty"` // End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. Name string `json:"name,omitempty"` // Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. Nickname string `json:"nickname,omitempty"` // End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678. PhoneNumber string `json:"phone_number,omitempty"` // True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format. PhoneNumberVerified bool `json:"phone_number_verified,omitempty"` // URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User. Picture string `json:"picture,omitempty"` // Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. PreferredUsername string `json:"preferred_username,omitempty"` // URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. Profile string `json:"profile,omitempty"` // Subject - Identifier for the End-User at the Issuer. Sub string `json:"sub,omitempty"` // Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. UpdatedAt int64 `json:"updated_at,omitempty"` // URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with. Website string `json:"website,omitempty"` // String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. Zoneinfo string `json:"zoneinfo,omitempty"` }
The userinfo response
type WardenAccessRequest ¶
type WardenAccessRequest struct { // Action is the action that is requested on the resource. Action string `json:"action,omitempty"` // Context is the request's environmental context. Context map[string]interface{} `json:"context,omitempty"` // Resource is the resource that access is requested to. Resource string `json:"resource,omitempty"` // Subejct is the subject that is requesting access. Subject string `json:"subject,omitempty"` }
type WardenAccessRequestResponse ¶
type WardenAccessRequestResponse struct { // Allowed is true if the request is allowed and false otherwise. Allowed bool `json:"allowed,omitempty"` }
The warden access request response
type WardenApi ¶
type WardenApi struct {
Configuration *Configuration
}
func NewWardenApi ¶
func NewWardenApi() *WardenApi
func (WardenApi) AddMembersToGroup ¶
func (a WardenApi) AddMembersToGroup(id string, body GroupMembers) (*APIResponse, error)
*
- Add members to a group
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:groups:<id>\"], \"actions\": [\"members.add\"], \"effect\": \"allow\" } ``` *
- @param id The id of the group to modify.
- @param body
- @return void
func (WardenApi) CreateGroup ¶
func (a WardenApi) CreateGroup(body Group) (*Group, *APIResponse, error)
*
- Create a group
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:groups\"], \"actions\": [\"create\"], \"effect\": \"allow\" } ``` *
- @param body
- @return *Group
func (WardenApi) DeleteGroup ¶
func (a WardenApi) DeleteGroup(id string) (*APIResponse, error)
*
- Delete a group by id
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:groups:<id>\"], \"actions\": [\"delete\"], \"effect\": \"allow\" } ``` *
- @param id The id of the group to look up.
- @return void
func (WardenApi) DoesWardenAllowAccessRequest ¶
func (a WardenApi) DoesWardenAllowAccessRequest(body WardenAccessRequest) (*WardenAccessRequestResponse, *APIResponse, error)
*
- Check if an access request is valid (without providing an access token)
- Checks if a subject (typically a user or a service) is allowed to perform an action on a resource. This endpoint requires a subject, a resource name, an action name and a context. If the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ \"allowed\": false}`, otherwise `{ \"allowed\": true }` is returned. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:allowed\"], \"actions\": [\"decide\"], \"effect\": \"allow\" } ``` *
- @param body
- @return *WardenAccessRequestResponse
func (WardenApi) DoesWardenAllowTokenAccessRequest ¶
func (a WardenApi) DoesWardenAllowTokenAccessRequest(body WardenTokenAccessRequest) (*WardenTokenAccessRequestResponse, *APIResponse, error)
*
- Check if an access request is valid (providing an access token)
- Checks if a token is valid and if the token subject is allowed to perform an action on a resource. This endpoint requires a token, a scope, a resource name, an action name and a context. If a token is expired/invalid, has not been granted the requested scope or the subject is not allowed to perform the action on the resource, this endpoint returns a 200 response with `{ \"allowed\": false}`. Extra data set through the `accessTokenExtra` field in the consent flow will be included in the response. The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:token:allowed\"], \"actions\": [\"decide\"], \"effect\": \"allow\" } ``` *
- @param body
- @return *WardenTokenAccessRequestResponse
func (WardenApi) GetGroup ¶
func (a WardenApi) GetGroup(id string) (*Group, *APIResponse, error)
*
- Get a group by id
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:groups:<id>\"], \"actions\": [\"create\"], \"effect\": \"allow\" } ``` *
- @param id The id of the group to look up.
- @return *Group
func (WardenApi) ListGroups ¶ added in v0.11.0
func (a WardenApi) ListGroups(member string, limit int64, offset int64) ([]Group, *APIResponse, error)
*
- List groups
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:groups\"], \"actions\": [\"list\"], \"effect\": \"allow\" } ``` *
- @param member The id of the member to look up.
- @param limit The maximum amount of policies returned.
- @param offset The offset from where to start looking.
- @return []Group
func (WardenApi) RemoveMembersFromGroup ¶
func (a WardenApi) RemoveMembersFromGroup(id string, body GroupMembers) (*APIResponse, error)
*
- Remove members from a group
- The subject making the request needs to be assigned to a policy containing: ``` { \"resources\": [\"rn:hydra:warden:groups:<id>\"], \"actions\": [\"members.remove\"], \"effect\": \"allow\" } ``` *
- @param id The id of the group to modify.
- @param body
- @return void
type WardenTokenAccessRequest ¶
type WardenTokenAccessRequest struct { // Action is the action that is requested on the resource. Action string `json:"action,omitempty"` // Context is the request's environmental context. Context map[string]interface{} `json:"context,omitempty"` // Resource is the resource that access is requested to. Resource string `json:"resource,omitempty"` // Scopes is an array of scopes that are requried. Scopes []string `json:"scopes,omitempty"` // Token is the token to introspect. Token string `json:"token,omitempty"` }
type WardenTokenAccessRequestResponse ¶
type WardenTokenAccessRequestResponse struct { // Extra represents arbitrary session data. AccessTokenExtra map[string]interface{} `json:"accessTokenExtra,omitempty"` // Allowed is true if the request is allowed and false otherwise. Allowed bool `json:"allowed,omitempty"` // ClientID is the id of the OAuth2 client that requested the token. ClientId string `json:"clientId,omitempty"` // ExpiresAt is the expiry timestamp. ExpiresAt string `json:"expiresAt,omitempty"` // GrantedScopes is a list of scopes that the subject authorized when asked for consent. GrantedScopes []string `json:"grantedScopes,omitempty"` // IssuedAt is the token creation time stamp. IssuedAt string `json:"issuedAt,omitempty"` // Issuer is the id of the issuer, typically an hydra instance. Issuer string `json:"issuer,omitempty"` // Subject is the identity that authorized issuing the token, for example a user or an OAuth2 app. This is usually a uuid but you can choose a urn or some other id too. Subject string `json:"subject,omitempty"` }
The warden access request (with token) response
type WellKnown ¶
type WellKnown struct { // URL of the OP's OAuth 2.0 Authorization Endpoint AuthorizationEndpoint string `json:"authorization_endpoint"` // JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. ClaimsSupported []string `json:"claims_supported,omitempty"` // JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. IdTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"` // URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported , this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. Issuer string `json:"issuer"` // URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. JwksUri string `json:"jwks_uri"` // JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. ResponseTypesSupported []string `json:"response_types_supported"` // SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used ScopesSupported []string `json:"scopes_supported,omitempty"` // JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. SubjectTypesSupported []string `json:"subject_types_supported"` // URL of the OP's OAuth 2.0 Token Endpoint TokenEndpoint string `json:"token_endpoint"` // JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"` // URL of the OP's UserInfo Endpoint. UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"` }
Source Files ¶
- api_client.go
- api_response.go
- configuration.go
- consent_request.go
- consent_request_acceptance.go
- consent_request_manager.go
- consent_request_rejection.go
- context.go
- firewall.go
- flush_inactive_o_auth2_tokens_request.go
- group.go
- group_members.go
- handler.go
- health_api.go
- inline_response_200.go
- inline_response_401.go
- jose_web_key_set_request.go
- json_web_key.go
- json_web_key_api.go
- json_web_key_set.go
- json_web_key_set_generator_request.go
- key_generator.go
- manager.go
- o_auth2_api.go
- o_auth2_client.go
- o_auth2_consent_request.go
- o_auth2_token_introspection.go
- oauth_token_response.go
- policy.go
- policy_api.go
- policy_conditions.go
- raw_message.go
- swagger_accept_consent_request.go
- swagger_create_policy_parameters.go
- swagger_does_warden_allow_access_request_parameters.go
- swagger_does_warden_allow_token_access_request_parameters.go
- swagger_flush_inactive_access_tokens.go
- swagger_get_policy_parameters.go
- swagger_json_web_key_query.go
- swagger_jwk_create_set.go
- swagger_jwk_set_query.go
- swagger_jwk_update_set.go
- swagger_jwk_update_set_key.go
- swagger_list_policy_parameters.go
- swagger_list_policy_response.go
- swagger_o_auth_consent_request_payload.go
- swagger_o_auth_introspection_request.go
- swagger_reject_consent_request.go
- swagger_revoke_o_auth2_token_parameters.go
- swagger_update_policy_parameters.go
- token_allowed_request.go
- userinfo_response.go
- warden_access_request.go
- warden_access_request_response.go
- warden_api.go
- warden_token_access_request.go
- warden_token_access_request_response.go
- well_known.go
- writer.go
Click to show internal directories.
Click to hide internal directories.