diff --git a/Makefile b/Makefile index 82fa29b..1acaa6b 100644 --- a/Makefile +++ b/Makefile @@ -1,15 +1,15 @@ NDC_REST_VERSION ?= v0.2.0 -ORY_HYDRA_VERSION ?= v1.11.10 +ORY_HYDRA_VERSION ?= v2.2.0 UID ?= $(shell id -u) GID ?= $(shell id -g) .PHONY: build-schema build-schema: - go install github.com/hasura/ndc-rest-schema@$(NDC_REST_VERSION) + go install github.com/hasura/ndc-rest-schema@v0.2.0 ndc-rest-schema convert \ -c schema/public/config.yaml \ -o config/schema-public.json - ndc-rest-schema convert \ + /ndc-rest-schema convert \ -c schema/admin/config.yaml \ -o config/schema-admin.json diff --git a/README.md b/README.md index 2c3014a..f508080 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,10 @@ Ory Hydra connector provides instant queries and mutations to request Ory Hydra API resources. -This connector is built upon the [NDC Rest](https://github.com/hasura/ndc-rest) with [Ory Hydra's REST API Specification](https://raw.githubusercontent.com/ory/hydra/v1.11.10/spec/swagger.json). +This connector is built upon the [NDC Rest](https://github.com/hasura/ndc-rest) with [Ory Hydra's REST API Specification](https://raw.githubusercontent.com/ory/hydra/master/internal/httpclient/api/openapi.yaml). > [!NOTE] -> THe connector `v0.x` supports Hydra v1 API spec. Use `v1.x` or above if you want to use Hydra v2. +> THe connector `v1.x` supports Hydra v2 API spec. Use `v0.x` if you want to use Hydra v1. ## Environment Variables 
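Review bot: The new `go install` line hard-codes `ndc-rest-schema@v0.2.0` while `NDC_REST_VERSION ?= v0.2.0` is still defined at the top of the hunk, so the variable is now dead and a `make NDC_REST_VERSION=...` override is silently ignored; restore `go install github.com/hasura/ndc-rest-schema@$(NDC_REST_VERSION)`. The second convert invocation became `/ndc-rest-schema convert \`, an absolute path at the filesystem root, while the first still runs `ndc-rest-schema convert \` from `PATH`; the leading slash looks like a typo and should be dropped so both recipe lines invoke the same binary. `ORY_HYDRA_VERSION` is bumped to v2.2.0 but nothing in this hunk consumes it, and the README hunk in this diff now links the Hydra spec at `master`; if `schema/*/config.yaml` fetch the spec from `master` rather than the pinned tag, regenerating `config/schema-*.json` is not reproducible and can drift without a version change — worth confirming. Because each recipe line runs in its own shell, the installed binary is only found on the following lines if the Go bin directory is on `PATH`; a one-line comment on the target stating that assumption would help.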
@@ -13,7 +13,6 @@ This connector is built upon the [NDC Rest](https://github.com/hasura/ndc-rest) | ------------------------------ | ------------------------------------------------------------- | --------------------- | | HYDRA_PUBLIC_SERVER_URL | Public Hydra server URL | http://localhost:4444 | | HYDRA_ADMIN_SERVER_URL | Admin Hydra server URL | http://localhost:4445 | -| HYDRA_PUBLIC_BASIC_TOKEN | Basic token for public Hydra server | | | HYDRA_PUBLIC_TIMEOUT | Default request timeout for public APIs in seconds | 30 | | HYDRA_PUBLIC_RETRY_TIMES | Number of retry times for public APIs | 0 | | HYDRA_PUBLIC_RETRY_DELAY | Delay time between each retry in milliseconds for public APIs | 1000 | diff --git a/config/schema-admin.json b/config/schema-admin.json index 5321e1e..342f677 100644 --- a/config/schema-admin.json +++ b/config/schema-admin.json @@ -10,46 +10,56 @@ "times": "{{HYDRA_ADMIN_RETRY_TIMES}}", "delay": "{{HYDRA_ADMIN_RETRY_DELAY}}", "httpStatus": "{{HYDRA_ADMIN_RETRY_HTTP_STATUS}}" - }, - "version": "latest" + } }, "collections": [], "functions": [ { "request": { - "url": "/clients", + "url": "/admin/clients", "method": "get", "parameters": [ { - "name": "limit", + "style": "form", + "explode": true, + "name": "client_name", "in": "query", "schema": { - "type": "Int64", + "type": "String", "nullable": true } }, { - "name": "offset", + "style": "form", + "explode": true, + "name": "owner", "in": "query", "schema": { - "type": "Int64", + "type": "String", "nullable": true } }, { - "name": "client_name", + "style": "form", + "explode": true, + "name": "page_size", "in": "query", "schema": { - "type": "String", - "nullable": true + "type": "Int64", + "nullable": true, + "maximum": 500, + "minimum": 1 } }, { - "name": "owner", + "style": "form", + "explode": true, + "name": "page_token", "in": "query", "schema": { "type": "String", - "nullable": true + "nullable": true, + "minimum": 1 } } ] 
@@ -65,18 +75,18 @@ } } }, - "limit": { - "description": "The maximum amount of clients to returned, upper bound is 500 clients.", + "owner": { + "description": "The owner of the clients to filter by.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } }, - "offset": { - "description": "The offset from where to start looking.", + "page_size": { + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "type": { "type": "nullable", "underlying_type": { @@ -85,8 +95,8 @@ } } }, - "owner": { - "description": "The owner of the clients to filter by.", + "page_token": { + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "type": { "type": "nullable", "underlying_type": { @@ -108,10 +118,12 @@ }, { "request": { - "url": "/clients/{id}", + "url": "/admin/clients/{id}", "method": "get", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -138,23 +150,12 @@ }, { "request": { - "url": "/health/alive", - "method": "get" - }, - "arguments": {}, - "description": "Check Alive Status", - "name": "isInstanceAlive", - "result_type": { - "name": "HealthStatus", - "type": "named" - } - }, - { - "request": { - "url": "/keys/{set}", + "url": "/admin/keys/{set}", "method": "get", "parameters": [ { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { @@ -165,7 +166,7 @@ }, "arguments": { "set": { - "description": "The set", + "description": "JSON Web Key Set ID", "type": { "name": "String", "type": "named" 
@@ -175,16 +176,18 @@ "description": "Retrieve a JSON Web Key Set", "name": "getJsonWebKeySet", "result_type": { - "name": "JSONWebKeySet", + "name": "JsonWebKeySet", "type": "named" } }, { "request": { - "url": "/keys/{set}/{kid}", + "url": "/admin/keys/{set}/{kid}", "method": "get", "parameters": [ { + "style": "simple", + "explode": false, "name": "kid", "in": "path", "schema": { @@ -192,6 +195,8 @@ } }, { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { @@ -202,33 +207,35 @@ }, "arguments": { "kid": { - "description": "The kid of the desired key", + "description": "JSON Web Key ID", "type": { "name": "String", "type": "named" } }, "set": { - "description": "The set", + "description": "JSON Web Key Set ID", "type": { "name": "String", "type": "named" } } }, - "description": "Fetch a JSON Web Key", + "description": "Get JSON Web Key", "name": "getJsonWebKey", "result_type": { - "name": "JSONWebKeySet", + "name": "JsonWebKeySet", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/consent", + "url": "/admin/oauth2/auth/requests/consent", "method": "get", "parameters": [ { + "style": "form", + "explode": true, "name": "consent_challenge", "in": "query", "schema": { @@ -239,25 +246,28 @@ }, "arguments": { "consent_challenge": { + "description": "OAuth 2.0 Consent Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Get Consent Request Information", - "name": "getConsentRequest", + "description": "Get OAuth 2.0 Consent Request", + "name": "getOAuth2ConsentRequest", "result_type": { - "name": "ConsentRequest", + "name": "OAuth2ConsentRequest", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/login", + "url": "/admin/oauth2/auth/requests/login", "method": "get", "parameters": [ { + "style": "form", + "explode": true, "name": "login_challenge", "in": "query", "schema": { 
@@ -268,25 +278,28 @@ }, "arguments": { "login_challenge": { + "description": "OAuth 2.0 Login Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Get a Login Request", - "name": "getLoginRequest", + "description": "Get OAuth 2.0 Login Request", + "name": "getOAuth2LoginRequest", "result_type": { - "name": "LoginRequest", + "name": "OAuth2LoginRequest", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/logout", + "url": "/admin/oauth2/auth/requests/logout", "method": "get", "parameters": [ { + "style": "form", + "explode": true, "name": "logout_challenge", "in": "query", "schema": { 
@@ -303,56 +316,75 @@ } } }, - "description": "Get a Logout Request", - "name": "getLogoutRequest", + "description": "Get OAuth 2.0 Session Logout Request", + "name": "getOAuth2LogoutRequest", "result_type": { - "name": "LogoutRequest", + "name": "OAuth2LogoutRequest", "type": "named" } }, { "request": { - "url": "/oauth2/auth/sessions/consent", + "url": "/admin/oauth2/auth/sessions/consent", "method": "get", "parameters": [ { - "name": "subject", + "style": "form", + "explode": true, + "name": "login_session_id", "in": "query", "schema": { - "type": "String" + "type": "String", + "nullable": true } }, { - "name": "limit", + "style": "form", + "explode": true, + "name": "page_size", "in": "query", "schema": { "type": "Int64", - "nullable": true + "nullable": true, + "maximum": 500, + "minimum": 1 } }, { - "name": "offset", + "style": "form", + "explode": true, + "name": "page_token", "in": "query", "schema": { - "type": "Int64", - "nullable": true + "type": "String", + "nullable": true, + "minimum": 1 + } + }, + { + "style": "form", + "explode": true, + "name": "subject", + "in": "query", + "schema": { + "type": "String" } } ] }, "arguments": { - "limit": { - "description": "The maximum amount of consent sessions to be returned, upper bound is 500 sessions.", + "login_session_id": { + "description": "The login session id to list the consent sessions for.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } }, - "offset": { - "description": "The offset from where to start looking.", + "page_size": { + "description": "Items per Page\n\nThis is the number of items per page to return.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", "type": { "type": "nullable", "underlying_type": { 
@@ -361,18 +393,29 @@ } } }, + "page_token": { + "description": "Next Page Token\n\nThe next page token.\nFor details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, "subject": { + "description": "The subject to list the consent sessions for.", "type": { "name": "String", "type": "named" } } }, - "description": "Lists All Consent Sessions of a Subject", - "name": "listSubjectConsentSessions", + "description": "List OAuth 2.0 Consent Sessions of a Subject", + "name": "listOAuth2ConsentSessions", "result_type": { "element_type": { - "name": "PreviousConsentSession", + "name": "OAuth2ConsentSession", "type": "named" }, "type": "array" @@ -380,19 +423,23 @@ }, { "request": { - "url": "/trust/grants/jwt-bearer/issuers", + "url": "/admin/trust/grants/jwt-bearer/issuers", "method": "get", "parameters": [ { - "name": "issuer", + "style": "form", + "explode": true, + "name": "DefaultItems", "in": "query", "schema": { - "type": "String", + "type": "Int64", "nullable": true } }, { - "name": "limit", + "style": "form", + "explode": true, + "name": "MaxItems", "in": "query", "schema": { "type": "Int64", @@ -400,28 +447,28 @@ } }, { - "name": "offset", + "style": "form", + "explode": true, + "name": "issuer", "in": "query", "schema": { - "type": "Int64", + "type": "String", "nullable": true } } ] }, "arguments": { - "issuer": { - "description": "If optional \"issuer\" is supplied, only jwt-bearer grants with this issuer will be returned.", + "DefaultItems": { "type": { "type": "nullable", "underlying_type": { - "name": "String", + "name": "Int64", "type": "named" } } }, - "limit": { - "description": "The maximum amount of policies returned, upper bound is 500 policies", + "MaxItems": { "type": { "type": "nullable", "underlying_type": { 
@@ -430,22 +477,22 @@ } } }, - "offset": { - "description": "The offset from where to start looking.", + "issuer": { + "description": "If optional \"issuer\" is supplied, only jwt-bearer grants with this issuer will be returned.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } } }, "description": "List Trusted OAuth2 JWT Bearer Grant Type Issuers", - "name": "listTrustedJwtGrantIssuers", + "name": "listTrustedOAuth2JwtGrantIssuers", "result_type": { "element_type": { - "name": "TrustedJwtGrantIssuer", + "name": "TrustedOAuth2JwtGrantIssuer", "type": "named" }, "type": "array" @@ -453,10 +500,12 @@ }, { "request": { - "url": "/trust/grants/jwt-bearer/issuers/{id}", + "url": "/admin/trust/grants/jwt-bearer/issuers/{id}", "method": "get", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -474,10 +523,23 @@ } } }, - "description": "Get a Trusted OAuth2 JWT Bearer Grant Type Issuer", - "name": "getTrustedJwtGrantIssuer", + "description": "Get Trusted OAuth2 JWT Bearer Grant Type Issuer", + "name": "getTrustedOAuth2JwtGrantIssuer", + "result_type": { + "name": "TrustedOAuth2JwtGrantIssuer", + "type": "named" + } + }, + { + "request": { + "url": "/health/alive", + "method": "get" + }, + "arguments": {}, + "description": "Check HTTP Server Status", + "name": "isAlive", "result_type": { - "name": "TrustedJwtGrantIssuer", + "name": "HealthStatus", "type": "named" } }, 
@@ -487,17 +549,26 @@ "method": "get" }, "arguments": {}, - "description": "Get Service Version", + "description": "Return Running Software Version.", "name": "getVersion", "result_type": { - "name": "Version", + "name": "GetVersion200Response", "type": "named" } } ], "object_types": { - "AcceptConsentRequest": { + "AcceptOAuth2ConsentRequest": { "fields": { + "context": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "JSON", + "type": "named" + } + } + }, "grant_access_token_audience": { "type": { "type": "nullable", 
@@ -555,14 +626,38 @@ "type": { "type": "nullable", "underlying_type": { - "name": "ConsentRequestSession", + "name": "AcceptOAuth2ConsentRequestSession", + "type": "named" + } + } + } + } + }, + "AcceptOAuth2ConsentRequestSession": { + "fields": { + "access_token": { + "description": "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the\nrefresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.\nIf only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties\ncan access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!", + "type": { + "type": "nullable", + "underlying_type": { + "name": "JSON", + "type": "named" + } + } + }, + "id_token": { + "description": "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable\nby anyone that has access to the ID Challenge. Use with care!", + "type": { + "type": "nullable", + "underlying_type": { + "name": "JSON", "type": "named" } } } } }, - "AcceptLoginRequest": { + "AcceptOAuth2LoginRequest": { "fields": { "acr": { "description": "ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", 
@@ -590,7 +685,17 @@ "type": { "type": "nullable", "underlying_type": { - "name": "JSONRawMessage", + "name": "JSON", + "type": "named" + } + } + }, + "extend_session_lifespan": { + "description": "Extend OAuth2 authentication session lifespan\n\nIf set to `true`, the OAuth2 authentication cookie lifespan is extended. This is for example useful if you want the user to be able to use `prompt=none` continuously.\n\nThis value can only be set to `true` if the user has an authentication, which is the case if the `skip` value is `true`.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", "type": "named" } } @@ -605,6 +710,16 @@ } } }, + "identity_provider_session_id": { + "description": "IdentityProviderSessionID is the session ID of the end-user that authenticated.\nIf specified, we will use this value to propagate the logout.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, "remember": { "description": "Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store\na cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she\nwill not be asked to log in again.", "type": { 
@@ -634,10 +749,25 @@ } } }, - "CompletedRequest": { + "CreateJsonWebKeySet": { + "description": "Create JSON Web Key Set Request Body", "fields": { - "redirect_to": { - "description": "RedirectURL is the URL which you should redirect the user to once the authentication process is completed.", + "alg": { + "description": "JSON Web Key Algorithm\n\nThe algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`.", + "type": { + "name": "JsonWebKeyAlgorithm", + "type": "named" + } + }, + "kid": { + "description": "JSON Web Key ID\n\nThe Key ID of the key to be created.", + "type": { + "name": "String", + "type": "named" + } + }, + "use": { + "description": "JSON Web Key Use\n\nThe \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Valid values are \"enc\" and \"sig\".", "type": { "name": "String", "type": "named" @@ -645,10 +775,10 @@ } } }, - "ConsentRequest": { + "GetVersion200Response": { "fields": { - "acr": { - "description": "ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", + "version": { + "description": "The version of Ory Hydra.", "type": { "type": "nullable", "underlying_type": { 
@@ -656,75 +786,109 @@ "type": "named" } } - }, - "amr": { + } + } + }, + "HealthStatus": { + "fields": { + "status": { + "description": "Status always contains \"ok\".", "type": { "type": "nullable", "underlying_type": { - "element_type": { - "name": "String", - "type": "named" - }, - "type": "array" + "name": "String", + "type": "named" + } + } + } + } + }, + "IntrospectOAuth2TokenRequest": { + "fields": { + "scope": { + "description": "An optional, space separated list of required scopes. If the access token was not granted one of the\nscopes, the result of active will be false.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" } } }, - "challenge": { - "description": "ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to\nidentify the session.", + "token": { + "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0. For refresh tokens, this is the \"refresh_token\"\nvalue returned.", "type": { "name": "String", "type": "named" } + } + } + }, + "IntrospectedOAuth2Token": { + "description": "Introspection contains an access token's session data as specified by\n[IETF RFC 7662](https://tools.ietf.org/html/rfc7662)", + "fields": { + "active": { + "description": "Active is a boolean indicator of whether or not the presented token\nis currently active. 
The specifics of a token's \"active\" state\nwill vary depending on the implementation of the authorization\nserver and the information it keeps about its tokens, but a \"true\"\nvalue return for the \"active\" property will generally indicate\nthat a given token has been issued by this authorization server,\nhas not been revoked by the resource owner, and is within its\ngiven time window of validity (e.g., after its issuance time and\nbefore its expiration time).", + "type": { + "name": "Boolean", + "type": "named" + } }, - "client": { + "aud": { + "description": "Audience contains a list of the token's intended audiences.", "type": { "type": "nullable", "underlying_type": { - "name": "OAuth2Client", - "type": "named" + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" } } }, - "context": { + "client_id": { + "description": "ID is aclient identifier for the OAuth 2.0 client that\nrequested this token.", "type": { "type": "nullable", "underlying_type": { - "name": "JSONRawMessage", + "name": "String", "type": "named" } } }, - "login_challenge": { - "description": "LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate\na login and consent request in the login \u0026 consent app.", + "exp": { + "description": "Expires at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token will expire.", "type": { "type": "nullable", "underlying_type": { - "name": "String", + "name": "Int64", "type": "named" } } }, - "login_session_id": { - "description": "LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. 
It's value can generally be used to associate consecutive login requests by a certain user.", + "ext": { + "description": "Extra is arbitrary data set by the session.", "type": { "type": "nullable", "underlying_type": { - "name": "String", + "name": "JSON", "type": "named" } } }, - "oidc_context": { + "iat": { + "description": "Issued at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token was\noriginally issued.", "type": { "type": "nullable", "underlying_type": { - "name": "OpenIDConnectContext", + "name": "Int64", "type": "named" } } }, - "request_url": { - "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", + "iss": { + "description": "IssuerURL is a string representing the issuer of this token", "type": { "type": "nullable", "underlying_type": { 
@@ -733,42 +897,38 @@ } } }, - "requested_access_token_audience": { + "nbf": { + "description": "NotBefore is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token is not to be\nused before.", "type": { "type": "nullable", "underlying_type": { - "element_type": { - "name": "String", - "type": "named" - }, - "type": "array" + "name": "Int64", + "type": "named" } } }, - "requested_scope": { + "obfuscated_subject": { + "description": "ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization.\nIt is the `sub` value of the ID Token that was issued.", "type": { "type": "nullable", "underlying_type": { - "element_type": { - "name": "String", - "type": "named" - }, - "type": "array" + "name": "String", + "type": "named" } } }, - "skip": { - "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you must not ask the user to grant the requested scopes. You must however either allow or deny the\nconsent request using the usual API call.", + "scope": { + "description": "Scope is a JSON string containing a space-separated list of\nscopes associated with this token.", "type": { "type": "nullable", "underlying_type": { - "name": "Boolean", + "name": "String", "type": "named" } } }, - "subject": { - "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.", + "sub": { + "description": "Subject of the token, as defined in JWT [RFC7519].\nUsually a machine-readable identifier of the resource owner who\nauthorized this token.", "type": { "type": "nullable", "underlying_type": { 
@@ -776,51 +936,44 @@ "type": "named" } } - } - } - }, - "ConsentRequestSession": { - "fields": { - "access_token": { - "description": "AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the\nrefresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.\nIf only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties\ncan access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!", + }, + "token_type": { + "description": "TokenType is the introspected token's type, typically `Bearer`.", "type": { "type": "nullable", "underlying_type": { - "name": "JSON", + "name": "String", "type": "named" } } }, - "id_token": { - "description": "IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable\nby anyone that has access to the ID Challenge. Use with care!", + "token_use": { + "description": "TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.", "type": { "type": "nullable", "underlying_type": { - "name": "JSON", + "name": "String", "type": "named" } } - } - } - }, - "FlushInactiveOAuth2TokensRequest": { - "fields": { - "notAfter": { - "description": "NotAfter sets after which point tokens should not be flushed. 
This is useful when you want to keep a history\nof recently issued tokens for auditing.", + }, + "username": { + "description": "Username is a human-readable identifier for the resource owner who\nauthorized this token.", "type": { "type": "nullable", "underlying_type": { - "name": "TimestampTZ", + "name": "String", "type": "named" } } } } }, - "HealthStatus": { + "JsonPatch": { + "description": "A JSONPatch document as defined by RFC 6902", "fields": { - "status": { - "description": "Status always contains \"ok\".", + "from": { + "description": "This field is used together with operation \"move\" and uses JSON Pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", "type": { "type": "nullable", "underlying_type": { 
@@ -828,32 +981,34 @@ "type": "named" } } - } - } - }, - "IntrospectOAuth2TokenBody": { - "fields": { - "scope": { - "description": "An optional, space separated list of required scopes. If the access token was not granted one of the\nscopes, the result of active will be false.", + }, + "op": { + "description": "The operation to be performed. One of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\".", "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } + "name": "String", + "type": "named" } }, - "token": { - "description": "The string value of the token. For access tokens, this\nis the \"access_token\" value returned from the token endpoint\ndefined in OAuth 2.0. For refresh tokens, this is the \"refresh_token\"\nvalue returned.", + "path": { + "description": "The path to the target path. Uses JSON pointer notation.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", "type": { "name": "String", "type": "named" } + }, + "value": { + "description": "The value to be used within the operations.\n\nLearn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).", + "type": { + "type": "nullable", + "underlying_type": { + "name": "JSON", + "type": "named" + } + } } } }, - "JSONWebKey": { - "description": "It is important that this model object is named JSONWebKey for\n\"swagger generate spec\" to generate only on definition of a\nJSONWebKey.", + "JsonWebKey": { "fields": { "alg": { "description": "The \"alg\" (algorithm) parameter identifies the algorithm intended for\nuse with the key. The values used should either be registered in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.", 
@@ -1006,16 +1161,16 @@ } } }, - "JSONWebKeySet": { - "description": "It is important that this model object is named JSONWebKeySet for\n\"swagger generate spec\" to generate only on definition of a\nJSONWebKeySet. Since one with the same name is previously defined as\nclient.Client.JSONWebKeys and this one is last, this one will be\neffectively written in the swagger spec.", + "JsonWebKeySet": { + "description": "JSON Web Key Set", "fields": { "keys": { - "description": "The value of the \"keys\" parameter is an array of JWK values. By\ndefault, the order of the JWK values within the array does not imply\nan order of preference among them, although applications of JWK Sets\ncan choose to assign a meaning to the order for their purposes, if\ndesired.", + "description": "List of JSON Web Keys\n\nThe value of the \"keys\" parameter is an array of JSON Web Key (JWK)\nvalues. By default, the order of the JWK values within the array does\nnot imply an order of preference among them, although applications\nof JWK Sets can choose to assign a meaning to the order for their\npurposes, if desired.", "type": { "type": "nullable", "underlying_type": { "element_type": { - "name": "JSONWebKey", + "name": "JsonWebKey", "type": "named" }, "type": "array" 
@@ -1024,149 +1179,11 @@ } } }, - "JsonWebKeySetGeneratorRequest": { - "fields": { - "alg": { - "description": "The algorithm to be used for creating the key. Supports \"RS256\", \"ES256\", \"ES512\", \"HS512\", and \"HS256\"", - "type": { - "name": "JsonWebKeyAlgorithm", - "type": "named" - } - }, - "kid": { - "description": "The kid of the key to be created", - "type": { - "name": "String", - "type": "named" - } - }, - "use": { - "description": "The \"use\" (public key use) parameter identifies the intended use of\nthe public key. The \"use\" parameter is employed to indicate whether\na public key is used for encrypting data or verifying the signature\non data. Valid values are \"enc\" and \"sig\".", - "type": { - "name": "String", - "type": "named" - } - } - } - }, - "LoginRequest": { - "fields": { - "challenge": { - "description": "ID is the identifier (\"login challenge\") of the login request. It is used to\nidentify the session.", - "type": { - "name": "String", - "type": "named" - } - }, - "client": { - "type": { - "name": "OAuth2Client", - "type": "named" - } - }, - "oidc_context": { - "type": { - "type": "nullable", - "underlying_type": { - "name": "OpenIDConnectContext", - "type": "named" - } - } - }, - "request_url": { - "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", - "type": { - "name": "String", - "type": "named" - } - }, - "requested_access_token_audience": { - "type": { - "element_type": { - "name": "String", - "type": "named" - }, - "type": "array" - } - }, - "requested_scope": { - "type": { - "element_type": { - "name": "String", - "type": "named" - }, - "type": "array" - } - }, - "session_id": { - "description": "SessionID is the login session ID. 
If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "skip": { - "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.", - "type": { - "name": "Boolean", - "type": "named" - } - }, - "subject": { - "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type\nwhen accepting the login request, or the request will fail.", - "type": { - "name": "String", - "type": "named" - } - } - } - }, - "LogoutRequest": { + "OAuth2Client": { + "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "fields": { - "challenge": { - "description": "Challenge is the identifier (\"logout challenge\") of the logout authentication request. 
It is used to\nidentify the session.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "client": { - "type": { - "type": "nullable", - "underlying_type": { - "name": "OAuth2Client", - "type": "named" - } - } - }, - "request_url": { - "description": "RequestURL is the original Logout URL requested.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "rp_initiated": { - "description": "RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "Boolean", - "type": "named" - } - } - }, - "sid": { - "description": "SessionID is the login session ID that was requested to log out.", + "access_token_strategy": { + "description": "OAuth 2.0 Access Token Strategy\n\nAccessTokenStrategy is the strategy used to generate access tokens.\nValid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens\nSetting the stragegy here overrides the global setting in `strategies.access_token`.", "type": { "type": "nullable", "underlying_type": { @@ -1175,20 +1192,6 @@ } } }, - "subject": { - "description": "Subject is the user for whom the logout was request.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - } - } - }, - "OAuth2Client": { - "fields": { "allowed_cors_origins": { "type": { "type": "nullable", @@ -1214,7 +1217,7 @@ } }, "authorization_code_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -1224,7 +1227,7 @@ } }, "authorization_code_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1234,7 +1237,7 @@ } }, "authorization_code_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1244,7 +1247,7 @@ } }, "backchannel_logout_session_required": { - "description": "Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", + "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", "type": { "type": "nullable", "underlying_type": { @@ -1254,7 +1257,7 @@ } }, "backchannel_logout_uri": { - "description": "RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", + "description": "OpenID Connect Back-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", "type": { "type": "nullable", "underlying_type": { 
@@ -1264,7 +1267,7 @@ } }, "client_credentials_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1274,7 +1277,7 @@ } }, "client_id": { - "description": "ID is the id for this client.", + "description": "OAuth 2.0 Client ID\n\nThe ID is immutable. If no ID is provided, a UUID4 will be generated.", "type": { "type": "nullable", "underlying_type": { @@ -1284,7 +1287,7 @@ } }, "client_name": { - "description": "Name is the human-readable string name of the client to be presented to the\nend-user during authorization.", + "description": "OAuth 2.0 Client Name\n\nThe human-readable name of the client to be presented to the\nend-user during authorization.", "type": { "type": "nullable", "underlying_type": { @@ -1294,7 +1297,7 @@ } }, "client_secret": { - "description": "Secret is the client's secret. The secret will be included in the create request as cleartext, and then\nnever again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users\nthat they need to write the secret down as it will not be made available again.", + "description": "OAuth 2.0 Client Secret\n\nThe secret will be included in the create request as cleartext, and then\nnever again. The secret is kept in hashed format and is not recoverable once lost.", "type": { "type": "nullable", "underlying_type": { 
@@ -1304,7 +1307,7 @@ } }, "client_secret_expires_at": { - "description": "SecretExpiresAt is an integer holding the time at which the client\nsecret will expire or 0 if it will not expire. The time is\nrepresented as the number of seconds from 1970-01-01T00:00:00Z as\nmeasured in UTC until the date/time of expiration.\n\nThis feature is currently not supported and it's value will always\nbe set to 0.", + "description": "OAuth 2.0 Client Secret Expires At\n\nThe field is currently not supported and its value is always 0.", "type": { "type": "nullable", "underlying_type": { @@ -1314,7 +1317,7 @@ } }, "client_uri": { - "description": "ClientURI is an URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", + "description": "OAuth 2.0 Client URI\n\nClientURI is a URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", "type": { "type": "nullable", "underlying_type": { @@ -1336,7 +1339,7 @@ } }, "created_at": { - "description": "CreatedAt returns the timestamp of the client's creation.", + "description": "OAuth 2.0 Client Creation Date\n\nCreatedAt returns the timestamp of the client's creation.", "type": { "type": "nullable", "underlying_type": { 
@@ -1346,7 +1349,7 @@ } }, "frontchannel_logout_session_required": { - "description": "Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", + "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", "type": { "type": "nullable", "underlying_type": { @@ -1356,7 +1359,7 @@ } }, "frontchannel_logout_uri": { - "description": "RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", + "description": "OpenID Connect Front-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", "type": { "type": "nullable", "underlying_type": { @@ -1378,7 +1381,7 @@ } }, "implicit_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -1388,7 +1391,7 @@ } }, "implicit_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -1398,16 +1401,17 @@ } }, "jwks": { + "description": "OAuth 2.0 Client JSON Web Key Set\n\nClient's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as\nthe jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter\nis intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for\ninstance, by native applications that might not have a location to host the contents of the JWK Set. If a Client\ncan use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation\n(which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks\nparameters MUST NOT be used together.", "type": { "type": "nullable", "underlying_type": { - "name": "JoseJSONWebKeySet", + "name": "JSON", "type": "named" } } }, "jwks_uri": { - "description": "URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", + "description": "OAuth 2.0 Client JSON Web Key Set URL\n\nURL for the Client's JSON Web Key Set [JWK] document. 
If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", "type": { "type": "nullable", "underlying_type": { @@ -1417,7 +1421,7 @@ } }, "jwt_bearer_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1427,7 +1431,7 @@ } }, "logo_uri": { - "description": "LogoURI is an URL string that references a logo for the client.", + "description": "OAuth 2.0 Client Logo URI\n\nA URL string referencing the client's logo.", "type": { "type": "nullable", "underlying_type": { 
@@ -1440,33 +1444,13 @@ "type": { "type": "nullable", "underlying_type": { - "name": "JSONRawMessage", + "name": "JSON", "type": "named" } } }, "owner": { - "description": "Owner is a string identifying the owner of the OAuth 2.0 Client.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "password_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "password_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "OAuth 2.0 Client Owner\n\nOwner is a string identifying the owner of the OAuth 2.0 Client.", "type": { "type": "nullable", "underlying_type": { @@ -1476,7 +1460,7 @@ } }, "policy_uri": { - "description": "PolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", + "description": "OAuth 2.0 Client Policy URI\n\nPolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", "type": { "type": "nullable", "underlying_type": { @@ -1510,7 +1494,7 @@ } }, "refresh_token_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -1520,7 +1504,7 @@ } }, "refresh_token_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1530,7 +1514,7 @@ } }, "refresh_token_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1540,7 +1524,7 @@ } }, "registration_access_token": { - "description": "RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client.", + "description": "OpenID Connect Dynamic Client Registration Access Token\n\nRegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client\nusing Dynamic Client Registration.", "type": { "type": "nullable", "underlying_type": { @@ -1550,7 +1534,7 @@ } }, "registration_client_uri": { - "description": "RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", + "description": "OpenID Connect Dynamic Client Registration URL\n\nRegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", "type": { "type": "nullable", "underlying_type": { 
@@ -1560,7 +1544,7 @@ } }, "request_object_signing_alg": { - "description": "JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", + "description": "OpenID Connect Request Object Signing Algorithm\n\nJWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", "type": { "type": "nullable", "underlying_type": { @@ -1594,7 +1578,7 @@ } }, "scope": { - "description": "Scope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", + "description": "OAuth 2.0 Client Scope\n\nScope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", "type": { "type": "nullable", "underlying_type": { @@ -1604,7 +1588,7 @@ } }, "sector_identifier_uri": { - "description": "URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", + "description": "OpenID Connect Sector Identifier URI\n\nURL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", "type": { "type": "nullable", "underlying_type": { 
@@ -1613,8 +1597,28 @@ } } }, + "skip_consent": { + "description": "SkipConsent skips the consent screen for this client. This field can only\nbe set from the admin API.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", + "type": "named" + } + } + }, + "skip_logout_consent": { + "description": "SkipLogoutConsent skips the logout consent screen for this client. This field can only\nbe set from the admin API.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", + "type": "named" + } + } + }, "subject_type": { - "description": "SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", + "description": "OpenID Connect Subject Type\n\nThe `subject_types_supported` Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", "type": { "type": "nullable", "underlying_type": { @@ -1624,7 +1628,7 @@ } }, "token_endpoint_auth_method": { - "description": "Requested Client Authentication method for the Token Endpoint. The options are client_secret_post,\nclient_secret_basic, private_key_jwt, and none.", + "description": "OAuth 2.0 Token Endpoint Authentication Method\n\nRequested Client Authentication method for the Token Endpoint. The options are:\n\n`client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header.\n`client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body.\n`private_key_jwt`: Use JSON Web Tokens to authenticate the client.\n`none`: Used for public clients (native apps, mobile apps) which can not have secrets.", "type": { "type": "nullable", "underlying_type": { 
@@ -1634,7 +1638,7 @@ } }, "token_endpoint_auth_signing_alg": { - "description": "Requested Client Authentication signing algorithm for the Token Endpoint.", + "description": "OAuth 2.0 Token Endpoint Signing Algorithm\n\nRequested Client Authentication signing algorithm for the Token Endpoint.", "type": { "type": "nullable", "underlying_type": { @@ -1644,7 +1648,7 @@ } }, "tos_uri": { - "description": "TermsOfServiceURI is a URL string that points to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", + "description": "OAuth 2.0 Client Terms of Service URI\n\nA URL string pointing to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", "type": { "type": "nullable", "underlying_type": { @@ -1654,7 +1658,7 @@ } }, "updated_at": { - "description": "UpdatedAt returns the timestamp of the last update.", + "description": "OAuth 2.0 Client Last Update Date\n\nUpdatedAt returns the timestamp of the last update.", "type": { "type": "nullable", "underlying_type": { 
@@ -1664,7 +1668,7 @@ } }, "userinfo_signed_response_alg": { - "description": "JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", + "description": "OpenID Connect Request Userinfo Signed Response Algorithm\n\nJWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", "type": { "type": "nullable", "underlying_type": { 
@@ -1675,31 +1679,31 @@ } } }, - "OAuth2TokenIntrospection": { - "description": "https://tools.ietf.org/html/rfc7662", + "OAuth2ClientTokenLifespans": { + "description": "Lifespans of different token types issued for this OAuth 2.0 Client.", "fields": { - "active": { - "description": "Active is a boolean indicator of whether or not the presented token\nis currently active. The specifics of a token's \"active\" state\nwill vary depending on the implementation of the authorization\nserver and the information it keeps about its tokens, but a \"true\"\nvalue return for the \"active\" property will generally indicate\nthat a given token has been issued by this authorization server,\nhas not been revoked by the resource owner, and is within its\ngiven time window of validity (e.g., after its issuance time and\nbefore its expiration time).", + "authorization_code_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { - "name": "Boolean", - "type": "named" + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } } }, - "aud": { - "description": "Audience contains a list of the token's intended audiences.", + "authorization_code_grant_id_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { - "element_type": { - "name": "String", - "type": "named" - }, - "type": "array" + "name": "String", + "type": "named" } } }, - "client_id": { - "description": "ID is aclient identifier for the OAuth 2.0 client that\nrequested this token.", + "authorization_code_grant_refresh_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -1708,38 +1712,38 @@ } } }, - "exp": { - "description": "Expires at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token will expire.", + "client_credentials_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } }, - "ext": { - "description": "Extra is arbitrary data set by the session.", + "implicit_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { - "name": "JSON", + "name": "String", "type": "named" } } }, - "iat": { - "description": "Issued at is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token was\noriginally issued.", + "implicit_grant_id_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } }, - "iss": { - "description": "IssuerURL is a string representing the issuer of this token", + "jwt_bearer_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -1748,18 +1752,18 @@ } } }, - "nbf": { - "description": "NotBefore is an integer timestamp, measured in the number of seconds\nsince January 1 1970 UTC, indicating when this token is not to be\nused before.", + "refresh_token_grant_access_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } }, - "obfuscated_subject": { - "description": "ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization.\nIt is the `sub` value of the ID Token that was issued.", + "refresh_token_grant_id_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -1768,8 +1772,22 @@ } } }, - "scope": { - "description": "Scope is a JSON string containing a space-separated list of\nscopes associated with this token.", + "refresh_token_grant_refresh_token_lifespan": { + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + } + } + }, + "OAuth2ConsentRequest": { + "fields": { + "acr": { + "description": "ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it\nto express that, for example, a user authenticated using two factor authentication.", "type": { "type": "nullable", "underlying_type": { 
@@ -1778,8 +1796,46 @@ } } }, - "sub": { - "description": "Subject of the token, as defined in JWT [RFC7519].\nUsually a machine-readable identifier of the resource owner who\nauthorized this token.", + "amr": { + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "challenge": { + "description": "ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to\nidentify the session.", + "type": { + "name": "String", + "type": "named" + } + }, + "client": { + "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "OAuth2Client", + "type": "named" + } + } + }, + "context": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "JSON", + "type": "named" + } + } + }, + "login_challenge": { + "description": "LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate\na login and consent request in the login \u0026 consent app.", "type": { "type": "nullable", "underlying_type": { @@ -1788,8 +1844,8 @@ } } }, - "token_type": { - "description": "TokenType is the introspected token's type, typically `Bearer`.", + "login_session_id": { + "description": "LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", "type": { "type": "nullable", "underlying_type": { 
@@ -1798,8 +1854,17 @@ } } }, - "token_use": { - "description": "TokenUse is the introspected token's use, for example `access_token` or `refresh_token`.", + "oidc_context": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "OAuth2ConsentRequestOpenIDConnectContext", + "type": "named" + } + } + }, + "request_url": { + "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", "type": { "type": "nullable", "underlying_type": { @@ -1808,8 +1873,42 @@ } } }, - "username": { - "description": "Username is a human-readable identifier for the resource owner who\nauthorized this token.", + "requested_access_token_audience": { + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "requested_scope": { + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "skip": { + "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you must not ask the user to grant the requested scopes. You must however either allow or deny the\nconsent request using the usual API call.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", + "type": "named" + } + } + }, + "subject": { + "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client.", "type": { "type": "nullable", "underlying_type": { 
@@ -1820,7 +1919,7 @@ } } }, - "OpenIDConnectContext": { + "OAuth2ConsentRequestOpenIDConnectContext": { "fields": { "acr_values": { "description": "ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.\nIt is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.\n\nOpenID Connect defines it as follows:\n\u003e Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values\nthat the Authorization Server is being requested to use for processing this Authentication Request, with the\nvalues appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication\nperformed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a\nVoluntary Claim by this parameter.", 
@@ -1880,58 +1979,182 @@ } } }, - "PatchDocument": { - "description": "A JSONPatch document as defined by RFC 6902", + "OAuth2ConsentSession": { + "description": "A completed OAuth 2.0 Consent Session.", "fields": { - "from": { - "description": "A JSON-pointer", + "consent_request": { "type": { "type": "nullable", "underlying_type": { - "name": "String", + "name": "OAuth2ConsentRequest", "type": "named" } } }, - "op": { - "description": "The operation to be performed", + "context": { "type": { - "name": "String", - "type": "named" + "type": "nullable", + "underlying_type": { + "name": "JSON", + "type": "named" + } } }, - "path": { - "description": "A JSON-pointer", + "expires_at": { "type": { - "name": "String", - "type": "named" + "type": "nullable", + "underlying_type": { + "name": "OAuth2ConsentSessionExpiresAt", + "type": "named" + } } }, - "value": { - "description": "The value to be used within the operations", + "grant_access_token_audience": { + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "grant_scope": { + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "handled_at": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "TimestampTZ", + "type": "named" + } + } + }, + "remember": { + "description": "Remember Consent\n\nRemember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", + "type": "named" + } + } + }, + "remember_for": { + "description": "Remember Consent For\n\nRememberFor sets how long the consent authorization should be remembered for in seconds. 
If set to `0`, the\nauthorization will be remembered indefinitely.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Int64", + "type": "named" + } + } + }, + "session": { "type": { "type": "nullable", "underlying_type": { - "name": "PatchDocumentValue", + "name": "AcceptOAuth2ConsentRequestSession", "type": "named" } } } } }, - "PreviousConsentSession": { - "description": "The response used to return used consent requests\nsame as HandledLoginRequest, just with consent_request exposed as json", + "OAuth2ConsentSessionExpiresAt": { "fields": { - "consent_request": { + "access_token": { "type": { "type": "nullable", "underlying_type": { - "name": "ConsentRequest", + "name": "TimestampTZ", "type": "named" } } }, - "grant_access_token_audience": { + "authorize_code": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "TimestampTZ", + "type": "named" + } + } + }, + "id_token": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "TimestampTZ", + "type": "named" + } + } + }, + "par_context": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "TimestampTZ", + "type": "named" + } + } + }, + "refresh_token": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "TimestampTZ", + "type": "named" + } + } + } + } + }, + "OAuth2LoginRequest": { + "fields": { + "challenge": { + "description": "ID is the identifier (\"login challenge\") of the login request. It is used to\nidentify the session.", + "type": { + "name": "String", + "type": "named" + } + }, + "client": { + "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. 
Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "type": { + "name": "OAuth2Client", + "type": "named" + } + }, + "oidc_context": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "OAuth2ConsentRequestOpenIDConnectContext", + "type": "named" + } + } + }, + "request_url": { + "description": "RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which\ninitiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but\nmight come in handy if you want to deal with additional request parameters.", + "type": { + "name": "String", + "type": "named" + } + }, + "requested_access_token_audience": { "type": { "type": "nullable", "underlying_type": { @@ -1943,7 +2166,7 @@ } } }, - "grant_scope": { + "requested_scope": { "type": { "type": "nullable", "underlying_type": { 
@@ -1955,17 +2178,66 @@ } } }, - "handled_at": { + "session_id": { + "description": "SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)\nthis ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)\nthis will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back-\nchannel logout. It's value can generally be used to associate consecutive login requests by a certain user.", "type": { "type": "nullable", "underlying_type": { - "name": "TimestampTZ", + "name": "String", "type": "named" } } }, - "remember": { - "description": "Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same\nclient asks the same user for the same, or a subset of, scope.", + "skip": { + "description": "Skip, if true, implies that the client has requested the same scopes from the same user previously.\nIf true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.\n\nThis feature allows you to update / set session information.", + "type": { + "name": "Boolean", + "type": "named" + } + }, + "subject": { + "description": "Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope\nrequested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type\nwhen accepting the login request, or the request will fail.", + "type": { + "name": "String", + "type": "named" + } + } + } + }, + "OAuth2LogoutRequest": { + "fields": { + "challenge": { + "description": "Challenge is the identifier (\"logout challenge\") of the logout authentication request. 
It is used to\nidentify the session.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "client": { + "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "OAuth2Client", + "type": "named" + } + } + }, + "request_url": { + "description": "RequestURL is the original Logout URL requested.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "rp_initiated": { + "description": "RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.", "type": { "type": "nullable", "underlying_type": { 
@@ -1974,28 +2246,41 @@ } } }, - "remember_for": { - "description": "RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the\nauthorization will be remembered indefinitely.", + "sid": { + "description": "SessionID is the login session ID that was requested to log out.", "type": { "type": "nullable", "underlying_type": { - "name": "Int64", + "name": "String", "type": "named" } } }, - "session": { + "subject": { + "description": "Subject is the user for whom the logout was request.", "type": { "type": "nullable", "underlying_type": { - "name": "ConsentRequestSession", + "name": "String", "type": "named" } } } } }, - "RejectRequest": { + "OAuth2RedirectTo": { + "description": "Contains a redirect URL used to complete a login, consent, or logout request.", + "fields": { + "redirect_to": { + "description": "RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed.", + "type": { + "name": "String", + "type": "named" + } + } + } + }, + "RejectOAuth2Request": { "fields": { "error": { "description": "The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).\n\nDefaults to `request_denied`.", @@ -2049,7 +2334,8 @@ } } }, - "TrustJwtGrantIssuerBody": { + "TrustOAuth2JwtGrantIssuer": { + "description": "Trust OAuth2 JWT Bearer Grant Type Issuer Request Body", "fields": { "allow_any_subject": { "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", @@ -2077,7 +2363,7 @@ }, "jwk": { "type": { - "name": "JSONWebKey", + "name": "JsonWebKey", "type": "named" } }, 
@@ -2103,31 +2389,8 @@ } } }, - "TrustedJsonWebKey": { - "fields": { - "kid": { - "description": "The \"key_id\" is key unique identifier (same as kid header in jws/jwt).", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "set": { - "description": "The \"set\" is basically a name for a group(set) of keys. Will be the same as \"issuer\" in grant.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - } - } - }, - "TrustedJwtGrantIssuer": { + "TrustedOAuth2JwtGrantIssuer": { + "description": "OAuth2 JWT Bearer Grant Type Issuer Trust Relationship", "fields": { "allow_any_subject": { "description": "The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT.", @@ -2179,10 +2442,11 @@ } }, "public_key": { + "description": "OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key", "type": { "type": "nullable", "underlying_type": { - "name": "TrustedJsonWebKey", + "name": "TrustedOAuth2JwtGrantJsonWebKey", "type": "named" } } 
@@ -2212,111 +2476,11 @@ } } }, - "UpdateOAuth2ClientLifespans": { - "description": "The OIDC Hybrid grant type inherits token lifespan configuration from the implicit grant.", + "TrustedOAuth2JwtGrantJsonWebKey": { + "description": "OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key", "fields": { - "authorization_code_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "authorization_code_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "authorization_code_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "client_credentials_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "implicit_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "implicit_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client 
token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "jwt_bearer_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "password_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "password_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "refresh_token_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "refresh_token_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "kid": { + "description": "The \"key_id\" is key unique identifier (same as kid header in jws/jwt).", "type": { "type": "nullable", "underlying_type": { 
@@ -2325,22 +2489,8 @@ } } }, - "refresh_token_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - } - } - }, - "Version": { - "fields": { - "version": { - "description": "Version is the service's version.", + "set": { + "description": "The \"set\" is basically a name for a group(set) of keys. Will be the same as \"issuer\" in grant.", "type": { "type": "nullable", "underlying_type": { @@ -2355,7 +2505,7 @@ "procedures": [ { "request": { - "url": "/clients", + "url": "/admin/clients", "method": "post", "requestBody": { "contentType": "application/json", @@ -2366,13 +2516,14 @@ }, "arguments": { "body": { + "description": "Request body of POST /admin/clients", "type": { "name": "OAuth2Client", "type": "named" } } }, - "description": "Create an OAuth 2.0 Client", + "description": "Create OAuth 2.0 Client", "name": "createOAuth2Client", "result_type": { "name": "OAuth2Client", @@ -2381,10 +2532,12 @@ }, { "request": { - "url": "/clients/{id}", + "url": "/admin/clients/{id}", "method": "put", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -2401,21 +2554,22 @@ }, "arguments": { "body": { + "description": "Request body of PUT /admin/clients/{id}", "type": { "name": "OAuth2Client", "type": "named" } }, "id": { - "description": "The id of the OAuth 2.0 Client.", + "description": "OAuth 2.0 Client ID", "type": { "name": "String", "type": "named" } } }, - "description": "Update an OAuth 2.0 Client", - "name": "updateOAuth2Client", + "description": "Set OAuth 2.0 Client", + "name": "setOAuth2Client", "result_type": { "name": "OAuth2Client", "type": "named" 
@@ -2423,10 +2577,12 @@ }, { "request": { - "url": "/clients/{id}", + "url": "/admin/clients/{id}", "method": "patch", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -2443,9 +2599,10 @@ }, "arguments": { "body": { + "description": "Request body of PATCH /admin/clients/{id}", "type": { "element_type": { - "name": "PatchDocument", + "name": "JsonPatch", "type": "named" }, "type": "array" @@ -2459,7 +2616,7 @@ } } }, - "description": "Patch an OAuth 2.0 Client", + "description": "Patch OAuth 2.0 Client", "name": "patchOAuth2Client", "result_type": { "name": "OAuth2Client", @@ -2468,10 +2625,12 @@ }, { "request": { - "url": "/clients/{id}", + "url": "/admin/clients/{id}", "method": "delete", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -2489,7 +2648,7 @@ } } }, - "description": "Deletes an OAuth 2.0 Client", + "description": "Delete OAuth 2.0 Client", "name": "deleteOAuth2Client", "result_type": { "type": "nullable", @@ -2501,10 +2660,12 @@ }, { "request": { - "url": "/clients/{id}/lifespans", + "url": "/admin/clients/{id}/lifespans", "method": "put", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { 
@@ -2515,30 +2676,32 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "UpdateOAuth2ClientLifespans", + "type": "OAuth2ClientTokenLifespans", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/clients/{id}/lifespans", "type": { "type": "nullable", "underlying_type": { - "name": "UpdateOAuth2ClientLifespans", + "name": "OAuth2ClientTokenLifespans", "type": "named" } } }, "id": { - "description": "The id of the OAuth 2.0 Client.", + "description": "OAuth 2.0 Client ID", "type": { "name": "String", "type": "named" } } }, - "name": "UpdateOAuth2ClientLifespans", + "description": "Set OAuth2 Client Token Lifespans", + "name": "setOAuth2ClientLifespans", "result_type": { "name": "OAuth2Client", "type": "named" @@ -2546,10 +2709,12 @@ }, { "request": { - "url": "/keys/{set}", + "url": "/admin/keys/{set}", "method": "post", "parameters": [ { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { @@ -2560,42 +2725,41 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "JsonWebKeySetGeneratorRequest", - "nullable": true + "type": "CreateJsonWebKeySet" } } }, "arguments": { "body": { + "description": "Request body of POST /admin/keys/{set}", "type": { - "type": "nullable", - "underlying_type": { - "name": "JsonWebKeySetGeneratorRequest", - "type": "named" - } + "name": "CreateJsonWebKeySet", + "type": "named" } }, "set": { - "description": "The set", + "description": "The JSON Web Key Set ID", "type": { "name": "String", "type": "named" } } }, - "description": "Generate a New JSON Web Key", + "description": "Create JSON Web Key", "name": "createJsonWebKeySet", "result_type": { - "name": "JSONWebKeySet", + "name": "JsonWebKeySet", "type": "named" } }, { "request": { - "url": "/keys/{set}", + "url": "/admin/keys/{set}", "method": "put", "parameters": [ { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { 
@@ -2606,23 +2770,24 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "JSONWebKeySet", + "type": "JsonWebKeySet", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/keys/{set}", "type": { "type": "nullable", "underlying_type": { - "name": "JSONWebKeySet", + "name": "JsonWebKeySet", "type": "named" } } }, "set": { - "description": "The set", + "description": "The JSON Web Key Set ID", "type": { "name": "String", "type": "named" @@ -2630,18 +2795,20 @@ } }, "description": "Update a JSON Web Key Set", - "name": "updateJsonWebKeySet", + "name": "setJsonWebKeySet", "result_type": { - "name": "JSONWebKeySet", + "name": "JsonWebKeySet", "type": "named" } }, { "request": { - "url": "/keys/{set}", + "url": "/admin/keys/{set}", "method": "delete", "parameters": [ { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { @@ -2652,14 +2819,14 @@ }, "arguments": { "set": { - "description": "The set", + "description": "The JSON Web Key Set", "type": { "name": "String", "type": "named" } } }, - "description": "Delete a JSON Web Key Set", + "description": "Delete JSON Web Key Set", "name": "deleteJsonWebKeySet", "result_type": { "type": "nullable", @@ -2671,10 +2838,12 @@ }, { "request": { - "url": "/keys/{set}/{kid}", + "url": "/admin/keys/{set}/{kid}", "method": "put", "parameters": [ { + "style": "simple", + "explode": false, "name": "kid", "in": "path", "schema": { @@ -2682,6 +2851,8 @@ } }, { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { 
@@ -2692,49 +2863,52 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "JSONWebKey", + "type": "JsonWebKey", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/keys/{set}/{kid}", "type": { "type": "nullable", "underlying_type": { - "name": "JSONWebKey", + "name": "JsonWebKey", "type": "named" } } }, "kid": { - "description": "The kid of the desired key", + "description": "JSON Web Key ID", "type": { "name": "String", "type": "named" } }, "set": { - "description": "The set", + "description": "The JSON Web Key Set ID", "type": { "name": "String", "type": "named" } } }, - "description": "Update a JSON Web Key", - "name": "updateJsonWebKey", + "description": "Set JSON Web Key", + "name": "setJsonWebKey", "result_type": { - "name": "JSONWebKey", + "name": "JsonWebKey", "type": "named" } }, { "request": { - "url": "/keys/{set}/{kid}", + "url": "/admin/keys/{set}/{kid}", "method": "delete", "parameters": [ { + "style": "simple", + "explode": false, "name": "kid", "in": "path", "schema": { @@ -2742,6 +2916,8 @@ } }, { + "style": "simple", + "explode": false, "name": "set", "in": "path", "schema": { @@ -2752,21 +2928,21 @@ }, "arguments": { "kid": { - "description": "The kid of the desired key", + "description": "The JSON Web Key ID (kid)", "type": { "name": "String", "type": "named" } }, "set": { - "description": "The set", + "description": "The JSON Web Key Set", "type": { "name": "String", "type": "named" } } }, - "description": "Delete a JSON Web Key", + "description": "Delete JSON Web Key", "name": "deleteJsonWebKey", "result_type": { "type": "nullable", @@ -2778,10 +2954,12 @@ }, { "request": { - "url": "/oauth2/auth/requests/consent/accept", + "url": "/admin/oauth2/auth/requests/consent/accept", "method": "put", "parameters": [ { + "style": "form", + "explode": true, "name": "consent_challenge", "in": "query", "schema": { 
@@ -2792,41 +2970,45 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "AcceptConsentRequest", + "type": "AcceptOAuth2ConsentRequest", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/oauth2/auth/requests/consent/accept", "type": { "type": "nullable", "underlying_type": { - "name": "AcceptConsentRequest", + "name": "AcceptOAuth2ConsentRequest", "type": "named" } } }, "consent_challenge": { + "description": "OAuth 2.0 Consent Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Accept a Consent Request", - "name": "acceptConsentRequest", + "description": "Accept OAuth 2.0 Consent Request", + "name": "acceptOAuth2ConsentRequest", "result_type": { - "name": "CompletedRequest", + "name": "OAuth2RedirectTo", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/consent/reject", + "url": "/admin/oauth2/auth/requests/consent/reject", "method": "put", "parameters": [ { + "style": "form", + "explode": true, "name": "consent_challenge", "in": "query", "schema": { 
@@ -2837,41 +3019,45 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "RejectRequest", + "type": "RejectOAuth2Request", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/oauth2/auth/requests/consent/reject", "type": { "type": "nullable", "underlying_type": { - "name": "RejectRequest", + "name": "RejectOAuth2Request", "type": "named" } } }, "consent_challenge": { + "description": "OAuth 2.0 Consent Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Reject a Consent Request", - "name": "rejectConsentRequest", + "description": "Reject OAuth 2.0 Consent Request", + "name": "rejectOAuth2ConsentRequest", "result_type": { - "name": "CompletedRequest", + "name": "OAuth2RedirectTo", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/login/accept", + "url": "/admin/oauth2/auth/requests/login/accept", "method": "put", "parameters": [ { + "style": "form", + "explode": true, "name": "login_challenge", "in": "query", "schema": { 
@@ -2882,41 +3068,45 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "AcceptLoginRequest", + "type": "AcceptOAuth2LoginRequest", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/oauth2/auth/requests/login/accept", "type": { "type": "nullable", "underlying_type": { - "name": "AcceptLoginRequest", + "name": "AcceptOAuth2LoginRequest", "type": "named" } } }, "login_challenge": { + "description": "OAuth 2.0 Login Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Accept a Login Request", - "name": "acceptLoginRequest", + "description": "Accept OAuth 2.0 Login Request", + "name": "acceptOAuth2LoginRequest", "result_type": { - "name": "CompletedRequest", + "name": "OAuth2RedirectTo", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/login/reject", + "url": "/admin/oauth2/auth/requests/login/reject", "method": "put", "parameters": [ { + "style": "form", + "explode": true, "name": "login_challenge", "in": "query", "schema": { 
@@ -2927,41 +3117,45 @@ "requestBody": { "contentType": "application/json", "schema": { - "type": "RejectRequest", + "type": "RejectOAuth2Request", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of PUT /admin/oauth2/auth/requests/login/reject", "type": { "type": "nullable", "underlying_type": { - "name": "RejectRequest", + "name": "RejectOAuth2Request", "type": "named" } } }, "login_challenge": { + "description": "OAuth 2.0 Login Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Reject a Login Request", - "name": "rejectLoginRequest", + "description": "Reject OAuth 2.0 Login Request", + "name": "rejectOAuth2LoginRequest", "result_type": { - "name": "CompletedRequest", + "name": "OAuth2RedirectTo", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/logout/accept", + "url": "/admin/oauth2/auth/requests/logout/accept", "method": "put", "parameters": [ { + "style": "form", + "explode": true, "name": "logout_challenge", "in": "query", "schema": { 
@@ -2972,50 +3166,37 @@ }, "arguments": { "logout_challenge": { + "description": "OAuth 2.0 Logout Request Challenge", "type": { "name": "String", "type": "named" } } }, - "description": "Accept a Logout Request", - "name": "acceptLogoutRequest", + "description": "Accept OAuth 2.0 Session Logout Request", + "name": "acceptOAuth2LogoutRequest", "result_type": { - "name": "CompletedRequest", + "name": "OAuth2RedirectTo", "type": "named" } }, { "request": { - "url": "/oauth2/auth/requests/logout/reject", + "url": "/admin/oauth2/auth/requests/logout/reject", "method": "put", "parameters": [ { + "style": "form", + "explode": true, "name": "logout_challenge", "in": "query", "schema": { "type": "String" } } - ], - "requestBody": { - "contentType": "application/json", - "schema": { - "type": "RejectRequest", - "nullable": true - } - } + ] }, "arguments": { - "body": { - "type": { - "type": "nullable", - "underlying_type": { - "name": "RejectRequest", - "type": "named" - } - } - }, "logout_challenge": { "type": { "name": "String", @@ -3023,8 +3204,8 @@ } } }, - "description": "Reject a Logout Request", - "name": "rejectLogoutRequest", + "description": "Reject OAuth 2.0 Session Logout Request", + "name": "rejectOAuth2LogoutRequest", "result_type": { "type": "nullable", "underlying_type": { @@ -3035,17 +3216,22 @@ }, { "request": { - "url": "/oauth2/auth/sessions/consent", + "url": "/admin/oauth2/auth/sessions/consent", "method": "delete", "parameters": [ { - "name": "subject", + "style": "form", + "explode": true, + "name": "all", "in": "query", "schema": { - "type": "String" + "type": "Boolean", + "nullable": true } }, { + "style": "form", + "explode": true, "name": "client", "in": "query", "schema": { 
@@ -3054,18 +3240,19 @@ } }, { - "name": "all", + "style": "form", + "explode": true, + "name": "subject", "in": "query", "schema": { - "type": "Boolean", - "nullable": true + "type": "String" } } ] }, "arguments": { "all": { - "description": "If set to `?all=true`, deletes all consent sessions by the Subject that have been granted.", + "description": "Revoke All Consent Sessions\n\nIf set to `true` deletes all consent sessions by the Subject that have been granted.", "type": { "type": "nullable", "underlying_type": { @@ -3075,7 +3262,7 @@ } }, "client": { - "description": "If set, deletes only those consent sessions by the Subject that have been granted to the specified OAuth 2.0 Client ID", + "description": "OAuth 2.0 Client ID\n\nIf set, deletes only those consent sessions that have been granted to the specified OAuth 2.0 Client ID.", "type": { "type": "nullable", "underlying_type": { @@ -3085,15 +3272,15 @@ } }, "subject": { - "description": "The subject (Subject) who's consent sessions should be deleted.", + "description": "OAuth 2.0 Consent Subject\n\nThe subject whose consent sessions should be deleted.", "type": { "name": "String", "type": "named" } } }, - "description": "Revokes Consent Sessions of a Subject for a Specific OAuth 2.0 Client", - "name": "revokeConsentSessions", + "description": "Revoke OAuth 2.0 Consent Sessions of a Subject", + "name": "revokeOAuth2ConsentSessions", "result_type": { "type": "nullable", "underlying_type": { 
@@ -3104,61 +3291,55 @@ }, { "request": { - "url": "/oauth2/auth/sessions/login", + "url": "/admin/oauth2/auth/sessions/login", "method": "delete", "parameters": [ { + "style": "form", + "explode": true, + "name": "sid", + "in": "query", + "schema": { + "type": "String", + "nullable": true + } + }, + { + "style": "form", + "explode": true, "name": "subject", "in": "query", "schema": { - "type": "String" + "type": "String", + "nullable": true } } ] }, "arguments": { - "subject": { + "sid": { + "description": "OAuth 2.0 Subject\n\nThe subject to revoke authentication sessions for.", "type": { - "name": "String", - "type": "named" - } - } - }, - "description": "Invalidates All Login Sessions of a Certain User\nInvalidates a Subject's Authentication Session", - "name": "revokeAuthenticationSession", - "result_type": { - "type": "nullable", - "underlying_type": { - "name": "Boolean", - "type": "named" - } - } - }, - { - "request": { - "url": "/oauth2/flush", - "method": "post", - "requestBody": { - "contentType": "application/json", - "schema": { - "type": "FlushInactiveOAuth2TokensRequest", - "nullable": true + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } } - } - }, - "arguments": { - "body": { + }, + "subject": { + "description": "OAuth 2.0 Subject\n\nThe subject to revoke authentication sessions for.", "type": { "type": "nullable", "underlying_type": { - "name": "FlushInactiveOAuth2TokensRequest", + "name": "String", "type": "named" } } } }, - "description": "Flush Expired OAuth2 Access Tokens", - "name": "flushInactiveOAuth2Tokens", + "description": "Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID", + "name": "revokeOAuth2LoginSessions", "result_type": { "type": "nullable", "underlying_type": { 
@@ -3169,46 +3350,43 @@ }, { "request": { - "url": "/oauth2/introspect", + "url": "/admin/oauth2/introspect", "method": "post", "requestBody": { "contentType": "application/x-www-form-urlencoded", "schema": { - "type": "object", - "properties": { - "scope": { - "type": "String", - "nullable": true - }, - "token": { - "type": "String" - } - } + "type": "IntrospectOAuth2TokenRequest", + "nullable": true } } }, "arguments": { "body": { - "description": "Form data of /oauth2/introspect", + "description": "Request body of POST /admin/oauth2/introspect", "type": { - "name": "IntrospectOAuth2TokenBody", - "type": "named" + "type": "nullable", + "underlying_type": { + "name": "IntrospectOAuth2TokenRequest", + "type": "named" + } } } }, - "description": "Introspect OAuth2 Tokens", + "description": "Introspect OAuth2 Access and Refresh Tokens", "name": "introspectOAuth2Token", "result_type": { - "name": "OAuth2TokenIntrospection", + "name": "IntrospectedOAuth2Token", "type": "named" } }, { "request": { - "url": "/oauth2/tokens", + "url": "/admin/oauth2/tokens", "method": "delete", "parameters": [ { + "style": "form", + "explode": true, "name": "client_id", "in": "query", "schema": { @@ -3219,13 +3397,14 @@ }, "arguments": { "client_id": { + "description": "OAuth 2.0 Client ID", "type": { "name": "String", "type": "named" } } }, - "description": "Delete OAuth2 Access Tokens from a Client", + "description": "Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client", "name": "deleteOAuth2Token", "result_type": { "type": "nullable", 
@@ -3237,40 +3416,43 @@ }, { "request": { - "url": "/trust/grants/jwt-bearer/issuers", + "url": "/admin/trust/grants/jwt-bearer/issuers", "method": "post", "requestBody": { "contentType": "application/json", "schema": { - "type": "TrustJwtGrantIssuerBody", + "type": "TrustOAuth2JwtGrantIssuer", "nullable": true } } }, "arguments": { "body": { + "description": "Request body of POST /admin/trust/grants/jwt-bearer/issuers", "type": { "type": "nullable", "underlying_type": { - "name": "TrustJwtGrantIssuerBody", + "name": "TrustOAuth2JwtGrantIssuer", "type": "named" } } } }, - "description": "Trust an OAuth2 JWT Bearer Grant Type Issuer", - "name": "trustJwtGrantIssuer", + "description": "Trust OAuth2 JWT Bearer Grant Type Issuer", + "name": "trustOAuth2JwtGrantIssuer", "result_type": { - "name": "TrustedJwtGrantIssuer", + "name": "TrustedOAuth2JwtGrantIssuer", "type": "named" } }, { "request": { - "url": "/trust/grants/jwt-bearer/issuers/{id}", + "url": "/admin/trust/grants/jwt-bearer/issuers/{id}", "method": "delete", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -3288,8 +3470,8 @@ } } }, - "description": "Delete a Trusted OAuth2 JWT Bearer Grant Type Issuer", - "name": "deleteTrustedJwtGrantIssuer", + "description": "Delete Trusted OAuth2 JWT Bearer Grant Type Issuer", + "name": "deleteTrustedOAuth2JwtGrantIssuer", "result_type": { "type": "nullable", "underlying_type": { @@ -3321,20 +3503,6 @@ "type": "json" } }, - "JSONRawMessage": { - "aggregate_functions": {}, - "comparison_operators": {}, - "representation": { - "type": "json" - } - }, - "JoseJSONWebKeySet": { - "aggregate_functions": {}, - "comparison_operators": {}, - "representation": { - "type": "json" - } - }, "JsonWebKeyAlgorithm": { "aggregate_functions": {}, "comparison_operators": {}, @@ -3392,7 +3560,8 @@ "representation": { "one_of": [ "none", - "RS256" + "RS256", + "ES256" ], "type": "enum" } 
@@ -3408,13 +3577,6 @@ "type": "enum" } }, - "PatchDocumentValue": { - "aggregate_functions": {}, - "comparison_operators": {}, - "representation": { - "type": "json" - } - }, "String": { "aggregate_functions": {}, "comparison_operators": {}, diff --git a/config/schema-public.json b/config/schema-public.json index 831c7ce..5a3f134 100644 --- a/config/schema-public.json +++ b/config/schema-public.json @@ -10,8 +10,7 @@ "times": "{{HYDRA_PUBLIC_RETRY_TIMES}}", "delay": "{{HYDRA_PUBLIC_RETRY_DELAY}}", "httpStatus": "{{HYDRA_PUBLIC_RETRY_HTTP_STATUS}}" - }, - "version": "latest" + } }, "collections": [], "functions": [ @@ -21,10 +20,10 @@ "method": "get" }, "arguments": {}, - "description": "JSON Web Keys Discovery", - "name": "wellKnown", + "description": "Discover Well-Known JSON Web Keys", + "name": "discoverJsonWebKeys", "result_type": { - "name": "JSONWebKeySet", + "name": "JsonWebKeySet", "type": "named" } }, @@ -35,9 +34,9 @@ }, "arguments": {}, "description": "OpenID Connect Discovery", - "name": "discoverOpenIDConfiguration", + "name": "discoverOidcConfiguration", "result_type": { - "name": "WellKnown", + "name": "OidcConfiguration", "type": "named" } }, @@ -47,10 +46,10 @@ "method": "get" }, "arguments": {}, - "description": "Check Readiness Status", - "name": "isInstanceReady", + "description": "Check HTTP Server and Database Status", + "name": "isReady", "result_type": { - "name": "HealthStatus", + "name": "IsReady200Response", "type": "named" } }, @@ -60,8 +59,8 @@ "method": "get" }, "arguments": {}, - "description": "The OAuth 2.0 Authorize Endpoint", - "name": "oauthAuth", + "description": "OAuth 2.0 Authorize Endpoint", + "name": "oAuth2Authorize", "result_type": { "type": "nullable", "underlying_type": { @@ -76,12 +75,19 @@ "method": "get", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { "type": "String" } } + ], + "security": [ + { + "bearer": [] + } ] }, "arguments": { 
@@ -93,8 +99,8 @@ } } }, - "description": "Get an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", - "name": "dynamicClientRegistrationGetOAuth2Client", + "description": "Get OAuth2 Client using OpenID Dynamic Client Registration", + "name": "getOidcDynamicClient", "result_type": { "name": "OAuth2Client", "type": "named" @@ -106,8 +112,8 @@ "method": "get" }, "arguments": {}, - "description": "OpenID Connect Front-Backchannel Enabled Logout", - "name": "disconnectUser", + "description": "OpenID Connect Front- and Back-channel Enabled Logout", + "name": "revokeOidcSession", "result_type": { "type": "nullable", "underlying_type": { 
@@ -118,10 +124,98 @@ } ], "object_types": { - "HealthStatus": { + "CreateVerifiableCredentialRequestBody": { + "fields": { + "format": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "proof": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "VerifiableCredentialProof", + "type": "named" + } + } + }, + "types": { + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + } + } + }, + "CredentialSupportedDraft00": { + "description": "Includes information about the supported verifiable credentials.", + "fields": { + "cryptographic_binding_methods_supported": { + "description": "OpenID Connect Verifiable Credentials Cryptographic Binding Methods Supported\n\nContains a list of cryptographic binding methods supported for signing the proof.", + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "cryptographic_suites_supported": { + "description": "OpenID Connect Verifiable Credentials Cryptographic Suites Supported\n\nContains a list of cryptographic suites methods supported for signing the proof.", + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + }, + "format": { + "description": "OpenID Connect Verifiable Credentials Format\n\nContains the format that is supported by this authorization server.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "types": { + "description": "OpenID Connect Verifiable Credentials Types\n\nContains the types of verifiable credentials supported.", + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + } + } + } + }, + 
"IsReady200Response": { "fields": { "status": { - "description": "Status always contains \"ok\".", + "description": "Always \"ok\".", "type": { "type": "nullable", "underlying_type": { @@ -132,8 +226,7 @@ } } }, - "JSONWebKey": { - "description": "It is important that this model object is named JSONWebKey for\n\"swagger generate spec\" to generate only on definition of a\nJSONWebKey.", + "JsonWebKey": { "fields": { "alg": { "description": "The \"alg\" (algorithm) parameter identifies the algorithm intended for\nuse with the key. The values used should either be registered in the\nIANA \"JSON Web Signature and Encryption Algorithms\" registry\nestablished by [JWA] or be a value that contains a Collision-\nResistant Name.", @@ -286,16 +379,16 @@ } } }, - "JSONWebKeySet": { - "description": "It is important that this model object is named JSONWebKeySet for\n\"swagger generate spec\" to generate only on definition of a\nJSONWebKeySet. Since one with the same name is previously defined as\nclient.Client.JSONWebKeys and this one is last, this one will be\neffectively written in the swagger spec.", + "JsonWebKeySet": { + "description": "JSON Web Key Set", "fields": { "keys": { - "description": "The value of the \"keys\" parameter is an array of JWK values. By\ndefault, the order of the JWK values within the array does not imply\nan order of preference among them, although applications of JWK Sets\ncan choose to assign a meaning to the order for their purposes, if\ndesired.", + "description": "List of JSON Web Keys\n\nThe value of the \"keys\" parameter is an array of JSON Web Key (JWK)\nvalues. By default, the order of the JWK values within the array does\nnot imply an order of preference among them, although applications\nof JWK Sets can choose to assign a meaning to the order for their\npurposes, if desired.", "type": { "type": "nullable", "underlying_type": { "element_type": { - "name": "JSONWebKey", + "name": "JsonWebKey", "type": "named" }, "type": "array" 
@@ -305,7 +398,18 @@ } }, "OAuth2Client": { + "description": "OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are\ngenerated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.", "fields": { + "access_token_strategy": { + "description": "OAuth 2.0 Access Token Strategy\n\nAccessTokenStrategy is the strategy used to generate access tokens.\nValid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens\nSetting the stragegy here overrides the global setting in `strategies.access_token`.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, "allowed_cors_origins": { "type": { "type": "nullable", @@ -331,7 +435,7 @@ } }, "authorization_code_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -341,7 +445,7 @@ } }, "authorization_code_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -351,7 +455,7 @@ } }, "authorization_code_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -361,7 +465,7 @@ } }, "backchannel_logout_session_required": { - "description": "Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", + "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout\nToken to identify the RP session with the OP when the backchannel_logout_uri is used.\nIf omitted, the default value is false.", "type": { "type": "nullable", "underlying_type": { @@ -371,7 +475,7 @@ } }, "backchannel_logout_uri": { - "description": "RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", + "description": "OpenID Connect Back-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when sent a Logout Token by the OP.", "type": { "type": "nullable", "underlying_type": { @@ -381,7 +485,7 @@ } }, "client_credentials_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -391,7 +495,7 @@ } }, "client_id": { - "description": "ID is the id for this client.", + "description": "OAuth 2.0 Client ID\n\nThe ID is immutable. If no ID is provided, a UUID4 will be generated.", "type": { "type": "nullable", "underlying_type": { 
@@ -401,7 +505,7 @@ } }, "client_name": { - "description": "Name is the human-readable string name of the client to be presented to the\nend-user during authorization.", + "description": "OAuth 2.0 Client Name\n\nThe human-readable name of the client to be presented to the\nend-user during authorization.", "type": { "type": "nullable", "underlying_type": { @@ -411,7 +515,7 @@ } }, "client_secret": { - "description": "Secret is the client's secret. The secret will be included in the create request as cleartext, and then\nnever again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users\nthat they need to write the secret down as it will not be made available again.", + "description": "OAuth 2.0 Client Secret\n\nThe secret will be included in the create request as cleartext, and then\nnever again. The secret is kept in hashed format and is not recoverable once lost.", "type": { "type": "nullable", "underlying_type": { @@ -421,7 +525,7 @@ } }, "client_secret_expires_at": { - "description": "SecretExpiresAt is an integer holding the time at which the client\nsecret will expire or 0 if it will not expire. The time is\nrepresented as the number of seconds from 1970-01-01T00:00:00Z as\nmeasured in UTC until the date/time of expiration.\n\nThis feature is currently not supported and it's value will always\nbe set to 0.", + "description": "OAuth 2.0 Client Secret Expires At\n\nThe field is currently not supported and its value is always 0.", "type": { "type": "nullable", "underlying_type": { 
@@ -431,7 +535,7 @@ } }, "client_uri": { - "description": "ClientURI is an URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", + "description": "OAuth 2.0 Client URI\n\nClientURI is a URL string of a web page providing information about the client.\nIf present, the server SHOULD display this URL to the end-user in\na clickable fashion.", "type": { "type": "nullable", "underlying_type": { @@ -453,7 +557,7 @@ } }, "created_at": { - "description": "CreatedAt returns the timestamp of the client's creation.", + "description": "OAuth 2.0 Client Creation Date\n\nCreatedAt returns the timestamp of the client's creation.", "type": { "type": "nullable", "underlying_type": { @@ -463,7 +567,7 @@ } }, "frontchannel_logout_session_required": { - "description": "Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", + "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be\nincluded to identify the RP session with the OP when the frontchannel_logout_uri is used.\nIf omitted, the default value is false.", "type": { "type": "nullable", "underlying_type": { 
@@ -473,7 +577,7 @@ } }, "frontchannel_logout_uri": { - "description": "RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", + "description": "OpenID Connect Front-Channel Logout URI\n\nRP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query\nparameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the\nrequest and to determine which of the potentially multiple sessions is to be logged out; if either is\nincluded, both MUST be.", "type": { "type": "nullable", "underlying_type": { @@ -495,7 +599,7 @@ } }, "implicit_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -505,7 +609,7 @@ } }, "implicit_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -515,16 +619,17 @@ } }, "jwks": { + "description": "OAuth 2.0 Client JSON Web Key Set\n\nClient's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as\nthe jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter\nis intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for\ninstance, by native applications that might not have a location to host the contents of the JWK Set. If a Client\ncan use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation\n(which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks\nparameters MUST NOT be used together.", "type": { "type": "nullable", "underlying_type": { - "name": "JoseJSONWebKeySet", + "name": "JSON", "type": "named" } } }, "jwks_uri": { - "description": "URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", + "description": "OAuth 2.0 Client JSON Web Key Set URL\n\nURL for the Client's JSON Web Key Set [JWK] document. 
If the Client signs requests to the Server, it contains\nthe signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the\nClient's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing\nand encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced\nJWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both\nsignatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used\nto provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST\nmatch those in the certificate.", "type": { "type": "nullable", "underlying_type": { @@ -534,7 +639,7 @@ } }, "jwt_bearer_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -544,7 +649,7 @@ } }, "logo_uri": { - "description": "LogoURI is an URL string that references a logo for the client.", + "description": "OAuth 2.0 Client Logo URI\n\nA URL string referencing the client's logo.", "type": { "type": "nullable", "underlying_type": { 
@@ -557,33 +662,13 @@ "type": { "type": "nullable", "underlying_type": { - "name": "JSONRawMessage", + "name": "JSON", "type": "named" } } }, "owner": { - "description": "Owner is a string identifying the owner of the OAuth 2.0 Client.", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "password_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", - "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } - } - }, - "password_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "OAuth 2.0 Client Owner\n\nOwner is a string identifying the owner of the OAuth 2.0 Client.", "type": { "type": "nullable", "underlying_type": { @@ -593,7 +678,7 @@ } }, "policy_uri": { - "description": "PolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", + "description": "OAuth 2.0 Client Policy URI\n\nPolicyURI is a URL string that points to a human-readable privacy policy document\nthat describes how the deployment organization collects, uses,\nretains, and discloses personal data.", "type": { "type": "nullable", "underlying_type": { @@ -627,7 +712,7 @@ } }, "refresh_token_grant_access_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { 
@@ -637,7 +722,7 @@ } }, "refresh_token_grant_id_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -647,7 +732,7 @@ } }, "refresh_token_grant_refresh_token_lifespan": { - "description": "TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x", + "description": "Specify a time duration in milliseconds, seconds, minutes, hours.", "type": { "type": "nullable", "underlying_type": { @@ -657,7 +742,7 @@ } }, "registration_access_token": { - "description": "RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client.", + "description": "OpenID Connect Dynamic Client Registration Access Token\n\nRegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client\nusing Dynamic Client Registration.", "type": { "type": "nullable", "underlying_type": { @@ -667,7 +752,7 @@ } }, "registration_client_uri": { - "description": "RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", + "description": "OpenID Connect Dynamic Client Registration URL\n\nRegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.", "type": { "type": "nullable", "underlying_type": { 
@@ -677,7 +762,7 @@ } }, "request_object_signing_alg": { - "description": "JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", + "description": "OpenID Connect Request Object Signing Algorithm\n\nJWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects\nfrom this Client MUST be rejected, if not signed with this algorithm.", "type": { "type": "nullable", "underlying_type": { @@ -711,7 +796,7 @@ } }, "scope": { - "description": "Scope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", + "description": "OAuth 2.0 Client Scope\n\nScope is a string containing a space-separated list of scope values (as\ndescribed in Section 3.3 of OAuth 2.0 [RFC6749]) that the client\ncan use when requesting access tokens.", "type": { "type": "nullable", "underlying_type": { @@ -721,7 +806,7 @@ } }, "sector_identifier_uri": { - "description": "URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", + "description": "OpenID Connect Sector Identifier URI\n\nURL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a\nfile with a single JSON array of redirect_uri values.", "type": { "type": "nullable", "underlying_type": { 
@@ -730,8 +815,28 @@ } } }, + "skip_consent": { + "description": "SkipConsent skips the consent screen for this client. This field can only\nbe set from the admin API.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", + "type": "named" + } + } + }, + "skip_logout_consent": { + "description": "SkipLogoutConsent skips the logout consent screen for this client. This field can only\nbe set from the admin API.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "Boolean", + "type": "named" + } + } + }, "subject_type": { - "description": "SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", + "description": "OpenID Connect Subject Type\n\nThe `subject_types_supported` Discovery parameter contains a\nlist of the supported subject_type values for this server. Valid types include `pairwise` and `public`.", "type": { "type": "nullable", "underlying_type": { @@ -741,7 +846,7 @@ } }, "token_endpoint_auth_method": { - "description": "Requested Client Authentication method for the Token Endpoint. The options are client_secret_post,\nclient_secret_basic, private_key_jwt, and none.", + "description": "OAuth 2.0 Token Endpoint Authentication Method\n\nRequested Client Authentication method for the Token Endpoint. The options are:\n\n`client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header.\n`client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body.\n`private_key_jwt`: Use JSON Web Tokens to authenticate the client.\n`none`: Used for public clients (native apps, mobile apps) which can not have secrets.", "type": { "type": "nullable", "underlying_type": { 
@@ -751,7 +856,7 @@ } }, "token_endpoint_auth_signing_alg": { - "description": "Requested Client Authentication signing algorithm for the Token Endpoint.", + "description": "OAuth 2.0 Token Endpoint Signing Algorithm\n\nRequested Client Authentication signing algorithm for the Token Endpoint.", "type": { "type": "nullable", "underlying_type": { @@ -761,7 +866,7 @@ } }, "tos_uri": { - "description": "TermsOfServiceURI is a URL string that points to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", + "description": "OAuth 2.0 Client Terms of Service URI\n\nA URL string pointing to a human-readable terms of service\ndocument for the client that describes a contractual relationship\nbetween the end-user and the client that the end-user accepts when\nauthorizing the client.", "type": { "type": "nullable", "underlying_type": { @@ -771,7 +876,7 @@ } }, "updated_at": { - "description": "UpdatedAt returns the timestamp of the last update.", + "description": "OAuth 2.0 Client Last Update Date\n\nUpdatedAt returns the timestamp of the last update.", "type": { "type": "nullable", "underlying_type": { 
@@ -781,7 +886,7 @@ } }, "userinfo_signed_response_alg": { - "description": "JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", + "description": "OpenID Connect Request Userinfo Signed Response Algorithm\n\nJWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT\n[JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims\nas a UTF-8 encoded JSON object using the application/json content-type.", "type": { "type": "nullable", "underlying_type": { @@ -792,9 +897,11 @@ } } }, - "Oauth2TokenBody": { + "OAuth2TokenExchange": { + "description": "OAuth2 Token Exchange Result", "fields": { - "client_id": { + "access_token": { + "description": "The access token issued by the authorization server.", "type": { "type": "nullable", "underlying_type": { @@ -803,16 +910,18 @@ } } }, - "client_secret": { + "expires_in": { + "description": "The lifetime in seconds of the access token. For\nexample, the value \"3600\" denotes that the access token will\nexpire in one hour from the time the response was generated.", "type": { "type": "nullable", "underlying_type": { - "name": "String", + "name": "Int64", "type": "named" } } }, - "code": { + "id_token": { + "description": "To retrieve a refresh token request the id_token scope.", "type": { "type": "nullable", "underlying_type": { @@ -821,13 +930,8 @@ } } }, - "grant_type": { - "type": { - "name": "String", - "type": "named" - } - }, - "redirect_uri": { + "refresh_token": { + "description": "The refresh token, which can be used to obtain new\naccess tokens. To retrieve it add the scope \"offline\" to your access token request.", "type": { "type": "nullable", "underlying_type": { 
@@ -836,7 +940,8 @@ } } }, - "refresh_token": { + "scope": { + "description": "The scope of the access token", "type": { "type": "nullable", "underlying_type": { @@ -845,7 +950,8 @@ } } }, - "scope": { + "token_type": { + "description": "The type of the token issued", "type": { "type": "nullable", "underlying_type": { @@ -856,10 +962,9 @@ } } }, - "Oauth2TokenResponse": { - "description": "The Access Token Response", + "Oauth2TokenExchangeRequest": { "fields": { - "access_token": { + "client_id": { "type": { "type": "nullable", "underlying_type": { @@ -868,16 +973,7 @@ } } }, - "expires_in": { - "type": { - "type": "nullable", - "underlying_type": { - "name": "Int64", - "type": "named" - } - } - }, - "id_token": { + "client_secret": { "type": { "type": "nullable", "underlying_type": { @@ -886,7 +982,7 @@ } } }, - "refresh_token": { + "code": { "type": { "type": "nullable", "underlying_type": { @@ -895,16 +991,13 @@ } } }, - "scope": { + "grant_type": { "type": { - "type": "nullable", - "underlying_type": { - "name": "String", - "type": "named" - } + "name": "String", + "type": "named" } }, - "token_type": { + "redirect_uri": { "type": { "type": "nullable", "underlying_type": { @@ -912,12 +1005,8 @@ "type": "named" } } - } - } - }, - "RevokeOAuth2TokenBody": { - "fields": { - "client_id": { + }, + "refresh_token": { "type": { "type": "nullable", "underlying_type": { @@ -926,7 +1015,7 @@ } } }, - "client_secret": { + "scope": { "type": { "type": "nullable", "underlying_type": { 
@@ -934,27 +1023,21 @@ "type": "named" } } - }, - "token": { - "type": { - "name": "String", - "type": "named" - } } } }, - "WellKnown": { - "description": "It includes links to several endpoints (e.g. /oauth2/token) and exposes information on supported signature algorithms\namong others.", + "OidcConfiguration": { + "description": "Includes links to several endpoints (for example `/oauth2/token`) and exposes information on supported signature algorithms\namong others.", "fields": { "authorization_endpoint": { - "description": "URL of the OP's OAuth 2.0 Authorization Endpoint.", + "description": "OAuth 2.0 Authorization Endpoint URL", "type": { "name": "String", "type": "named" } }, "backchannel_logout_session_supported": { - "description": "Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP\nsession with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP", + "description": "OpenID Connect Back-Channel Logout Session Required\n\nBoolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP\nsession with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP", "type": { "type": "nullable", "underlying_type": { @@ -964,7 +1047,7 @@ } }, "backchannel_logout_supported": { - "description": "Boolean value specifying whether the OP supports back-channel logout, with true indicating support.", + "description": "OpenID Connect Back-Channel Logout Supported\n\nBoolean value specifying whether the OP supports back-channel logout, with true indicating support.", "type": { "type": "nullable", "underlying_type": { 
@@ -974,7 +1057,7 @@ } }, "claims_parameter_supported": { - "description": "Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.", + "description": "OpenID Connect Claims Parameter Parameter Supported\n\nBoolean value specifying whether the OP supports use of the claims parameter, with true indicating support.", "type": { "type": "nullable", "underlying_type": { @@ -984,7 +1067,7 @@ } }, "claims_supported": { - "description": "JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply\nvalues for. Note that for privacy or other reasons, this might not be an exhaustive list.", + "description": "OpenID Connect Supported Claims\n\nJSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply\nvalues for. Note that for privacy or other reasons, this might not be an exhaustive list.", "type": { "type": "nullable", "underlying_type": { @@ -997,7 +1080,7 @@ } }, "code_challenge_methods_supported": { - "description": "JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported\nby this authorization server.", + "description": "OAuth 2.0 PKCE Supported Code Challenge Methods\n\nJSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported\nby this authorization server.", "type": { "type": "nullable", "underlying_type": { 
@@ -1009,8 +1092,31 @@ } } }, + "credentials_endpoint_draft_00": { + "description": "OpenID Connect Verifiable Credentials Endpoint\n\nContains the URL of the Verifiable Credentials Endpoint.", + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "credentials_supported_draft_00": { + "description": "OpenID Connect Verifiable Credentials Supported\n\nJSON array containing a list of the Verifiable Credentials supported by this authorization server.", + "type": { + "type": "nullable", + "underlying_type": { + "element_type": { + "name": "CredentialSupportedDraft00", + "type": "named" + }, + "type": "array" + } + } + }, "end_session_endpoint": { - "description": "URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.", + "description": "OpenID Connect End-Session Endpoint\n\nURL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.", "type": { "type": "nullable", "underlying_type": { @@ -1020,7 +1126,7 @@ } }, "frontchannel_logout_session_supported": { - "description": "Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify\nthe RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also\nincluded in ID Tokens issued by the OP.", + "description": "OpenID Connect Front-Channel Logout Session Required\n\nBoolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify\nthe RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also\nincluded in ID Tokens issued by the OP.", "type": { "type": "nullable", "underlying_type": { 
@@ -1030,7 +1136,7 @@ } }, "frontchannel_logout_supported": { - "description": "Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.", + "description": "OpenID Connect Front-Channel Logout Supported\n\nBoolean value specifying whether the OP supports HTTP-based logout, with true indicating support.", "type": { "type": "nullable", "underlying_type": { @@ -1040,7 +1146,7 @@ } }, "grant_types_supported": { - "description": "JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.", + "description": "OAuth 2.0 Supported Grant Types\n\nJSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.", "type": { "type": "nullable", "underlying_type": { @@ -1052,8 +1158,18 @@ } } }, + "id_token_signed_response_alg": { + "description": "OpenID Connect Default ID Token Signing Algorithms\n\nAlgorithm used to sign OpenID Connect ID Tokens.", + "type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + }, "id_token_signing_alg_values_supported": { - "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.", + "description": "OpenID Connect Supported ID Token Signing Algorithms\n\nJSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.", "type": { "element_type": { "name": "OAuth2SigningAlgorithm", 
@@ -1063,21 +1179,21 @@ } }, "issuer": { - "description": "URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.", + "description": "OpenID Connect Issuer URL\n\nAn URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.\nIf IssuerURL discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.", "type": { "name": "String", "type": "named" } }, "jwks_uri": { - "description": "URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate\nsignatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs\nto encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)\nparameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.\nAlthough some algorithms allow the same key to be used for both signatures and encryption, doing so is\nNOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of\nkeys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.", + "description": "OpenID Connect Well-Known JSON Web Keys URL\n\nURL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate\nsignatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs\nto encrypt requests to the Server. 
When both signing and encryption keys are made available, a use (Key Use)\nparameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.\nAlthough some algorithms allow the same key to be used for both signatures and encryption, doing so is\nNOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of\nkeys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.", "type": { "name": "String", "type": "named" } }, "registration_endpoint": { - "description": "URL of the OP's Dynamic Client Registration Endpoint.", + "description": "OpenID Connect Dynamic Client Registration Endpoint URL", "type": { "type": "nullable", "underlying_type": { @@ -1087,7 +1203,7 @@ } }, "request_object_signing_alg_values_supported": { - "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,\nwhich are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when\nthe Request Object is passed by value (using the request parameter) and when it is passed by reference\n(using the request_uri parameter).", + "description": "OpenID Connect Supported Request Object Signing Algorithms\n\nJSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,\nwhich are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when\nthe Request Object is passed by value (using the request parameter) and when it is passed by reference\n(using the request_uri parameter).", "type": { "type": "nullable", "underlying_type": { 
@@ -1100,7 +1216,7 @@ } }, "request_parameter_supported": { - "description": "Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.", + "description": "OpenID Connect Request Parameter Supported\n\nBoolean value specifying whether the OP supports use of the request parameter, with true indicating support.", "type": { "type": "nullable", "underlying_type": { @@ -1110,7 +1226,7 @@ } }, "request_uri_parameter_supported": { - "description": "Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.", + "description": "OpenID Connect Request URI Parameter Supported\n\nBoolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.", "type": { "type": "nullable", "underlying_type": { @@ -1120,7 +1236,7 @@ } }, "require_request_uri_registration": { - "description": "Boolean value specifying whether the OP requires any request_uri values used to be pre-registered\nusing the request_uris registration parameter.", + "description": "OpenID Connect Requires Request URI Registration\n\nBoolean value specifying whether the OP requires any request_uri values used to be pre-registered\nusing the request_uris registration parameter.", "type": { "type": "nullable", "underlying_type": { @@ -1130,7 +1246,7 @@ } }, "response_modes_supported": { - "description": "JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.", + "description": "OAuth 2.0 Supported Response Modes\n\nJSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.", "type": { "type": "nullable", "underlying_type": { 
@@ -1143,7 +1259,7 @@ } }, "response_types_supported": { - "description": "JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID\nProviders MUST support the code, id_token, and the token id_token Response Type values.", + "description": "OAuth 2.0 Supported Response Types\n\nJSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID\nProviders MUST support the code, id_token, and the token id_token Response Type values.", "type": { "element_type": { "name": "String", @@ -1153,7 +1269,7 @@ } }, "revocation_endpoint": { - "description": "URL of the authorization server's OAuth 2.0 revocation endpoint.", + "description": "OAuth 2.0 Token Revocation URL\n\nURL of the authorization server's OAuth 2.0 revocation endpoint.", "type": { "type": "nullable", "underlying_type": { @@ -1163,7 +1279,7 @@ } }, "scopes_supported": { - "description": "SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST\nsupport the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used", + "description": "OAuth 2.0 Supported Scope Values\n\nJSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST\nsupport the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used", "type": { "type": "nullable", "underlying_type": { @@ -1176,7 +1292,7 @@ } }, "subject_types_supported": { - "description": "JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include\npairwise and public.", + "description": "OpenID Connect Supported Subject Types\n\nJSON array containing a list of the Subject Identifier types that this OP supports. Valid types include\npairwise and public.", "type": { "element_type": { "name": "OpenIDConnectSubjectType", 
@@ -1186,14 +1302,14 @@ } }, "token_endpoint": { - "description": "URL of the OP's OAuth 2.0 Token Endpoint", + "description": "OAuth 2.0 Token Endpoint URL", "type": { "name": "String", "type": "named" } }, "token_endpoint_auth_methods_supported": { - "description": "JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0", + "description": "OAuth 2.0 Supported Client Authentication Methods\n\nJSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0", "type": { "type": "nullable", "underlying_type": { @@ -1206,7 +1322,7 @@ } }, "userinfo_endpoint": { - "description": "URL of the OP's UserInfo Endpoint.", + "description": "OpenID Connect Userinfo URL\n\nURL of the OP's UserInfo Endpoint.", "type": { "type": "nullable", "underlying_type": { @@ -1215,8 +1331,18 @@ } } }, + "userinfo_signed_response_alg": { + "description": "OpenID Connect User Userinfo Signing Algorithm\n\nAlgorithm used to sign OpenID Connect Userinfo Responses.", + "type": { + "element_type": { + "name": "String", + "type": "named" + }, + "type": "array" + } + }, "userinfo_signing_alg_values_supported": { - "description": "JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].", + "description": "OpenID Connect Supported Userinfo Signing Algorithm\n\nJSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].", "type": { "type": "nullable", "underlying_type": { 
@@ -1229,9 +1355,112 @@ } } } + }, + "RevokeOAuth2TokenRequest": { + "fields": { + "client_id": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "client_secret": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "token": { + "type": { + "name": "String", + "type": "named" + } + } + } + }, + "VerifiableCredentialProof": { + "fields": { + "jwt": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "proof_type": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + } + } + }, + "VerifiableCredentialResponse": { + "fields": { + "credential_draft_00": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + }, + "format": { + "type": { + "type": "nullable", + "underlying_type": { + "name": "String", + "type": "named" + } + } + } + } } }, "procedures": [ + { + "request": { + "url": "/credentials", + "method": "post", + "requestBody": { + "contentType": "application/json", + "schema": { + "type": "CreateVerifiableCredentialRequestBody", + "nullable": true + } + } + }, + "arguments": { + "body": { + "description": "Request body of POST /credentials", + "type": { + "type": "nullable", + "underlying_type": { + "name": "CreateVerifiableCredentialRequestBody", + "type": "named" + } + } + } + }, + "description": "Issues a Verifiable Credential", + "name": "createVerifiableCredential", + "result_type": { + "name": "VerifiableCredentialResponse", + "type": "named" + } + }, { "request": { "url": "/oauth2/register", 
@@ -1245,14 +1474,15 @@ }, "arguments": { "body": { + "description": "Request body of POST /oauth2/register", "type": { "name": "OAuth2Client", "type": "named" } } }, - "description": "Register an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", - "name": "dynamicClientRegistrationCreateOAuth2Client", + "description": "Register OAuth2 Client using OpenID Dynamic Client Registration", + "name": "createOidcDynamicClient", "result_type": { "name": "OAuth2Client", "type": "named" @@ -1264,6 +1494,8 @@ "method": "put", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { @@ -1271,6 +1503,11 @@ } } ], + "security": [ + { + "bearer": [] + } + ], "requestBody": { "contentType": "application/json", "schema": { @@ -1280,21 +1517,22 @@ }, "arguments": { "body": { + "description": "Request body of PUT /oauth2/register/{id}", "type": { "name": "OAuth2Client", "type": "named" } }, "id": { - "description": "The id of the OAuth 2.0 Client.", + "description": "OAuth 2.0 Client ID", "type": { "name": "String", "type": "named" } } }, - "description": "Update an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", - "name": "dynamicClientRegistrationUpdateOAuth2Client", + "description": "Set OAuth2 Client using OpenID Dynamic Client Registration", + "name": "setOidcDynamicClient", "result_type": { "name": "OAuth2Client", "type": "named" @@ -1306,12 +1544,19 @@ "method": "delete", "parameters": [ { + "style": "simple", + "explode": false, "name": "id", "in": "path", "schema": { "type": "String" } } + ], + "security": [ + { + "bearer": [] + } ] }, "arguments": { 
@@ -1323,8 +1568,8 @@ } } }, - "description": "Deletes an OAuth 2.0 Client using the OpenID / OAuth2 Dynamic Client Registration Management Protocol", - "name": "dynamicClientRegistrationDeleteOAuth2Client", + "description": "Delete OAuth 2.0 Client using the OpenID Dynamic Client Registration Management Protocol", + "name": "deleteOidcDynamicClient", "result_type": { "type": "nullable", "underlying_type": { @@ -1340,33 +1585,24 @@ "requestBody": { "contentType": "application/x-www-form-urlencoded", "schema": { - "type": "object", - "properties": { - "client_id": { - "type": "String", - "nullable": true - }, - "client_secret": { - "type": "String", - "nullable": true - }, - "token": { - "type": "String" - } - } + "type": "RevokeOAuth2TokenRequest", + "nullable": true } } }, "arguments": { "body": { - "description": "Form data of /oauth2/revoke", + "description": "Request body of POST /oauth2/revoke", "type": { - "name": "RevokeOAuth2TokenBody", - "type": "named" + "type": "nullable", + "underlying_type": { + "name": "RevokeOAuth2TokenRequest", + "type": "named" + } } } }, - "description": "Revoke OAuth2 Tokens", + "description": "Revoke OAuth 2.0 Access or Refresh Token", "name": "revokeOAuth2Token", "result_type": { "type": "nullable", 
@@ -1383,52 +1619,27 @@ "requestBody": { "contentType": "application/x-www-form-urlencoded", "schema": { - "type": "object", - "properties": { - "client_id": { - "type": "String", - "nullable": true - }, - "client_secret": { - "type": "String", - "nullable": true - }, - "code": { - "type": "String", - "nullable": true - }, - "grant_type": { - "type": "String" - }, - "redirect_uri": { - "type": "String", - "nullable": true - }, - "refresh_token": { - "type": "String", - "nullable": true - }, - "scope": { - "type": "String", - "nullable": true - } - } + "type": "Oauth2TokenExchangeRequest", + "nullable": true } } }, "arguments": { "body": { - "description": "Form data of /oauth2/token", + "description": "Request body of POST /oauth2/token", "type": { - "name": "Oauth2TokenBody", - "type": "named" + "type": "nullable", + "underlying_type": { + "name": "Oauth2TokenExchangeRequest", + "type": "named" + } } } }, "description": "The OAuth 2.0 Token Endpoint", - "name": "oauth2Token", + "name": "oauth2TokenExchange", "result_type": { - "name": "Oauth2TokenResponse", + "name": "OAuth2TokenExchange", "type": "named" } } @@ -1455,20 +1666,6 @@ "type": "json" } }, - "JSONRawMessage": { - "aggregate_functions": {}, - "comparison_operators": {}, - "representation": { - "type": "json" - } - }, - "JoseJSONWebKeySet": { - "aggregate_functions": {}, - "comparison_operators": {}, - "representation": { - "type": "json" - } - }, "OAuth2CodeChallenge": { "aggregate_functions": {}, "comparison_operators": {}, @@ -1523,7 +1720,8 @@ "representation": { "one_of": [ "none", - "RS256" + "RS256", + "ES256" ], "type": "enum" } diff --git a/docker-compose.yaml b/docker-compose.yaml index 25b5d8e..d820a1d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -4,52 +4,55 @@ services:
 context: .
 ports:
 - 8080:8080
- # volumes:
- # - ./config:/etc/connector:ro
+ volumes:
+ - ./config:/etc/connector:ro
 environment:
 HYDRA_PUBLIC_SERVER_URL: http://hydra:4444
 HYDRA_ADMIN_SERVER_URL: http://hydra:4445
 HASURA_LOG_LEVEL: debug
 hydra:
- restart: always
- image: oryd/hydra:v1.11.10
- command:
- - serve
- - all
- - --dangerous-force-http
- depends_on:
- - hydra-migrate
- - postgres
+ image: oryd/hydra:v2.2.0
 ports:
- - "4444:4444"
- - "4445:4445"
+ - "4444:4444" # Public port
+ - "4445:4445" # Admin port
+ - "5555:5555" # Port for hydra token user
+ command: serve -c /etc/config/hydra/hydra.yml all --dev
+ volumes:
+ - type: volume
+ source: hydra-sqlite
+ target: /var/lib/sqlite
+ read_only: false
+ - type: bind
+ source: ./testdata/hydra.yml
+ target: /etc/config/hydra/hydra.yml
 environment:
- DSN: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
- SECRETS_SYSTEM: ${SECRETS_SYSTEM}
- OIDC_DYNAMIC_CLIENT_REGISTRATION_ENABLED: "true"
- LOG_LEAK_SENSITIVE_VALUES: "true"
+ - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+ restart: unless-stopped
+ depends_on:
+ - hydra-migrate
 hydra-migrate:
- restart: on-failure
- image: oryd/hydra:v1.11.10
- depends_on:
- - postgres
- command: migrate sql -e --yes
+ image: oryd/hydra:v2.2.0
 environment:
- DSN: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
-
- postgres:
- image: postgres:16-alpine3.18
- restart: always
+ - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+ command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
 volumes:
- - postgres_data:/var/lib/postgresql/data
- ports:
- - "10432:5432"
+ - type: volume
+ source: hydra-sqlite
+ target: /var/lib/sqlite
+ read_only: false
+ - type: bind
+ source: ./testdata/hydra.yml
+ target: /etc/config/hydra/hydra.yml
 restart: on-failure
+ consent:
 environment:
- POSTGRES_USER: ${POSTGRES_USER}
- POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
- POSTGRES_DB: ${POSTGRES_DB}
+ - HYDRA_ADMIN_URL=http://hydra:4445
+ image: oryd/hydra-login-consent-node:v2.2.0
+ ports:
+ - "3000:3000"
+ restart: unless-stopped
 volumes:
- postgres_data:
+ hydra-sqlite:
diff --git a/schema/admin/config.yaml b/schema/admin/config.yaml
index 877cf14..1ae03f4 100644
--- a/schema/admin/config.yaml
+++ b/schema/admin/config.yaml
@@ -1,5 +1,5 @@
-file: https://raw.githubusercontent.com/ory/hydra/v1.11.10/spec/swagger.json
-spec: oas2
+file: https://raw.githubusercontent.com/ory/hydra/v2.2.0/internal/httpclient/api/openapi.yaml
+spec: oas3
 envPrefix: HYDRA_ADMIN
 patchBefore:
 - path: patch-before.yaml
diff --git a/schema/admin/patch-after.yaml b/schema/admin/patch-after.yaml
index fc6144b..29aa75d 100644
--- a/schema/admin/patch-after.yaml
+++ b/schema/admin/patch-after.yaml
@@ -85,6 +85,7 @@
 one_of:
 - none
 - RS256
+ - ES256
 type: enum
 - op: replace
 path: /object_types/OAuth2Client/fields/token_endpoint_auth_signing_alg/type/underlying_type/name
@@ -109,8 +110,8 @@
 - EdDSA
 type: enum
 - op: replace
- path: /object_types/JsonWebKeySetGeneratorRequest/fields/alg/type/name
+ path: /object_types/CreateJsonWebKeySet/fields/alg/type/name
 value: JsonWebKeyAlgorithm
 - op: replace
- path: /object_types/JSONWebKey/fields/alg/type/name
+ path: /object_types/JsonWebKey/fields/alg/type/name
 value: JsonWebKeyAlgorithm
diff --git a/schema/admin/patch-before.yaml b/schema/admin/patch-before.yaml
index 5eb03c7..1369d91 100644
--- a/schema/admin/patch-before.yaml
+++ b/schema/admin/patch-before.yaml
@@ -2,6 +2,8 @@
 path: /paths/~1.well-known~1jwks.json
 - op: remove
 path: /paths/~1.well-known~1openid-configuration
+- op: remove
+ path: /paths/~1credentials
 - op: remove
 path: /paths/~1health~1ready
 - op: remove
diff --git a/schema/public/config.yaml b/schema/public/config.yaml
index e1eef4e..8af7c0b 100644
--- a/schema/public/config.yaml
+++ b/schema/public/config.yaml
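Review bot: The new `hydra` service's `depends_on: - hydra-migrate` only orders container start-up, so `hydra` can open the shared SQLite database before `migrate sql` has finished and will crash-loop under `restart: unless-stopped` until the migration completes; spelling the dependency as `depends_on:` / `hydra-migrate:` / `condition: service_completed_successfully` makes Compose wait for the migration container to exit successfully. `serve -c /etc/config/hydra/hydra.yml all --dev` takes over from the removed `--dangerous-force-http`, and a comment on that line such as `# --dev turns off Hydra's production security checks (HTTPS enforcement among them); local testing only` would keep it from being copied into a non-test stack. The `SECRETS_SYSTEM` entry is gone, so the system secret presumably now lives in the bind-mounted `./testdata/hydra.yml`; if it is a fixed value there, it should stay confined to this test setup.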
@@ -1,5 +1,5 @@
-file: https://raw.githubusercontent.com/ory/hydra/v1.11.10/spec/swagger.json
-spec: oas2
+file: https://raw.githubusercontent.com/ory/hydra/v2.2.0/internal/httpclient/api/openapi.yaml
+spec: oas3
 envPrefix: HYDRA_PUBLIC
 patchBefore:
 - path: patch-before.yaml
diff --git a/schema/public/patch-after.yaml b/schema/public/patch-after.yaml
index 6b2b464..822d438 100644
--- a/schema/public/patch-after.yaml
+++ b/schema/public/patch-after.yaml
@@ -21,7 +21,7 @@
 path: /object_types/OAuth2Client/fields/token_endpoint_auth_method/type/underlying_type/name
 value: TokenEndpointAuthMethod
 - op: replace
- path: /object_types/WellKnown/fields/token_endpoint_auth_methods_supported/type/underlying_type/element_type/name
+ path: /object_types/OidcConfiguration/fields/token_endpoint_auth_methods_supported/type/underlying_type/element_type/name
 value: TokenEndpointAuthMethod
 - op: add
 path: /scalar_types/OpenIDConnectSubjectType
@@ -37,7 +37,7 @@
 path: /object_types/OAuth2Client/fields/subject_type/type/underlying_type/name
 value: OpenIDConnectSubjectType
 - op: replace
- path: /object_types/WellKnown/fields/subject_types_supported/type/element_type/name
+ path: /object_types/OidcConfiguration/fields/subject_types_supported/type/element_type/name
 value: OpenIDConnectSubjectType
 - op: add
 path: /scalar_types/OAuth2GrantType
@@ -52,7 +52,7 @@
 - refresh_token
 type: enum
 - op: replace
- path: /object_types/WellKnown/fields/grant_types_supported/type/underlying_type/element_type/name
+ path: /object_types/OidcConfiguration/fields/grant_types_supported/type/underlying_type/element_type/name
 value: OAuth2GrantType
 - op: replace
 path: /object_types/OAuth2Client/fields/grant_types/type/underlying_type/element_type/name
@@ -83,7 +83,7 @@
 - openid
 type: enum
 - op: replace
- path: /object_types/WellKnown/fields/scopes_supported/type/underlying_type/element_type/name
+ path: /object_types/OidcConfiguration/fields/scopes_supported/type/underlying_type/element_type/name
 value: OAuth2Scope
 - op: replace
 path: /object_types/OAuth2Client/fields/scope/type/underlying_type/name
@@ -99,7 +99,7 @@
 - S256
 type: enum
 - op: replace
- path: /object_types/WellKnown/fields/code_challenge_methods_supported/type/underlying_type/element_type/name
+ path: /object_types/OidcConfiguration/fields/code_challenge_methods_supported/type/underlying_type/element_type/name
 value: OAuth2CodeChallenge
 - op: add
 path: /scalar_types/OAuth2SigningAlgorithm
@@ -110,15 +110,16 @@
 one_of:
 - none
 - RS256
+ - ES256
 type: enum
 - op: replace
- path: /object_types/WellKnown/fields/id_token_signing_alg_values_supported/type/element_type/name
+ path: /object_types/OidcConfiguration/fields/id_token_signing_alg_values_supported/type/element_type/name
 value: OAuth2SigningAlgorithm
 - op: replace
- path: /object_types/WellKnown/fields/request_object_signing_alg_values_supported/type/underlying_type/element_type/name
+ path: /object_types/OidcConfiguration/fields/request_object_signing_alg_values_supported/type/underlying_type/element_type/name
 value: OAuth2SigningAlgorithm
 - op: replace
- path: /object_types/WellKnown/fields/userinfo_signing_alg_values_supported/type/underlying_type/element_type/name
+ path: /object_types/OidcConfiguration/fields/userinfo_signing_alg_values_supported/type/underlying_type/element_type/name
 value: OAuth2SigningAlgorithm
 - op: replace
 path: /object_types/OAuth2Client/fields/token_endpoint_auth_signing_alg/type/underlying_type/name
diff --git a/schema/public/patch-before.yaml b/schema/public/patch-before.yaml
index 212b7ab..dabf7e7 100644
--- a/schema/public/patch-before.yaml
+++ b/schema/public/patch-before.yaml
@@ -1,76 +1,58 @@
 - op: remove
- path: /paths/~1clients
-- op: remove
- path: /paths/~1clients~1{id}
+ path: /paths/~1health~1alive
 - op: remove
- path: /paths/~1clients~1{id}~1lifespans
+ path: /paths/~1admin~1clients
 - op: remove
- path: /paths/~1health~1alive
+ path: /paths/~1admin~1clients~1{id}
 - op: remove
- path: /paths/~1keys~1{set}
+ path: /paths/~1admin~1clients~1{id}~1lifespans
 - op: remove
- path: /paths/~1keys~1{set}~1{kid}
+ path: /paths/~1admin~1keys~1{set}
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1consent
+ path: /paths/~1admin~1keys~1{set}~1{kid}
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1consent~1accept
+ path: /paths/~1admin~1oauth2~1auth~1requests~1consent
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1consent~1reject
+ path: /paths/~1admin~1oauth2~1auth~1requests~1consent~1accept
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1login
+ path: /paths/~1admin~1oauth2~1auth~1requests~1consent~1reject
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1login~1accept
+ path: /paths/~1admin~1oauth2~1auth~1requests~1login
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1login~1reject
+ path: /paths/~1admin~1oauth2~1auth~1requests~1login~1accept
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1logout
+ path: /paths/~1admin~1oauth2~1auth~1requests~1login~1reject
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1logout~1accept
+ path: /paths/~1admin~1oauth2~1auth~1requests~1logout
 - op: remove
- path: /paths/~1oauth2~1auth~1requests~1logout~1reject
+ path: /paths/~1admin~1oauth2~1auth~1requests~1logout~1accept
 - op: remove
- path: /paths/~1oauth2~1auth~1sessions~1consent
+ path: /paths/~1admin~1oauth2~1auth~1requests~1logout~1reject
 - op: remove
- path: /paths/~1oauth2~1auth~1sessions~1login
+ path: /paths/~1admin~1oauth2~1auth~1sessions~1consent
 - op: remove
- path: /paths/~1oauth2~1flush
+ path: /paths/~1admin~1oauth2~1auth~1sessions~1login
 - op: remove
- path: /paths/~1oauth2~1introspect
+ path: /paths/~1admin~1oauth2~1introspect
 - op: remove
- path: /paths/~1oauth2~1tokens
+ path: /paths/~1admin~1oauth2~1tokens
 - op: remove
- path: /paths/~1trust~1grants~1jwt-bearer~1issuers
+ path: /paths/~1admin~1trust~1grants~1jwt-bearer~1issuers
 - op: remove
- path: /paths/~1trust~1grants~1jwt-bearer~1issuers~1{id}
+ path: /paths/~1admin~1trust~1grants~1jwt-bearer~1issuers~1{id}
 - op: remove
 path: /paths/~1version
+- op: remove
+ path: /paths/~1userinfo
 - op: remove
 path: /paths/~1oauth2~1token/post/security
 - op: add
- path: /paths/~1oauth2~1token/post/parameters/5
+ path: /components/schemas/oauth2TokenExchange_request/properties/client_secret
 value:
 type: string
- name: client_secret
- in: formData
 - op: add
- path: /paths/~1oauth2~1token/post/parameters/6
+ path: /components/schemas/oauth2TokenExchange_request/properties/scope
 value:
 type: string
- name: scope
- in: formData
-- op: remove
- path: /paths/~1userinfo
 - op: remove
 path: /paths/~1oauth2~1revoke/post/security
-- op: add
- path: /paths/~1oauth2~1revoke/post/parameters/1
- value:
- type: string
- name: client_id
- in: formData
-- op: add
- path: /paths/~1oauth2~1revoke/post/parameters/2
- value:
- type: string
- name: client_secret
- in: formData
diff --git a/scripts/update-deps.sh b/scripts/update-deps.sh
index 7391cea..1db9b8b 100755
--- a/scripts/update-deps.sh
+++ b/scripts/update-deps.sh
@@ -9,6 +9,8 @@ sed -i -r "s/v[0-9.]+$/$VERSION/" Dockerfile
 sed -i -r "s/NDC_REST_VERSION\s+\?\=\s+[a-z0-9.]+$/NDC_REST_VERSION ?= $VERSION/" Makefile
 if [ -n "$ORY_HYDRA_VERSION" ]; then
+ sed -i -r "s/ory\/hydra\/v[0-9.]+/ory\/hydra\/$ORY_HYDRA_VERSION/" schema/public/config.yaml
+ sed -i -r "s/ory\/hydra\/v[0-9.]+/ory\/hydra\/$ORY_HYDRA_VERSION/" schema/admin/config.yaml
 sed -i -r "s/oryd\/hydra:v[0-9.]+$/oryd\/hydra:$ORY_HYDRA_VERSION/" docker-compose.yaml
 sed -i -r "s/ORY_HYDRA_VERSION\s+\?\=\s+[a-z0-9.]+$/ORY_HYDRA_VERSION ?= $ORY_HYDRA_VERSION/" Makefile
 fi
\ No newline at end of file
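Review bot: The added `client_secret` and `scope` properties on `oauth2TokenExchange_request` carry no explanation of why the upstream v2 schema needs patching, and the file has no comments at all; a line above that first `- op: add` such as `# Upstream oauth2TokenExchange_request lacks client_secret and scope; add them so the connector exposes the form fields the token endpoint accepts` would record the intent (the upstream omission is inferred from the patch, not visible here). The same goes for the context ops that drop `security` from `/oauth2/token` and `/oauth2/revoke`, presumably because the client authenticates with its own `client_id`/`client_secret` in the form body; a one-line comment stating that keeps the removal from reading as a hardening regression. Because `client_secret` thereby becomes an ordinary string argument of the token-exchange procedure, it is carried in mutation request payloads, so it is worth confirming that request logging at debug level does not echo argument values.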
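Review bot: The two added `sed` lines splice `$ORY_HYDRA_VERSION` unquoted into the sed program, so a value containing `/`, `&` or `\` silently changes the expression rather than failing; the two pre-existing lines below share the issue, so one guard as the first statement inside the `if` covers all four: `case "$ORY_HYDRA_VERSION" in *[!A-Za-z0-9.-]*) echo "invalid ORY_HYDRA_VERSION" >&2; exit 1 ;; esac`. The pattern `v[0-9.]+` also matches only the numeric prefix, so if a pre-release tag such as `v2.2.0-rc.1` were ever pinned in the config URL the rewrite would leave the old `-rc.1` suffix attached to the new version. The `if` block is fully visible in the hunk; the script's earlier assignments are not.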
diff --git a/testdata/01-setup/mutation/01-createOAuth2Client/expected.json b/testdata/01-setup/mutation/01-createOAuth2Client/expected.json index 8fdf4a4..3cdd1dc 100644 --- a/testdata/01-setup/mutation/01-createOAuth2Client/expected.json +++ b/testdata/01-setup/mutation/01-createOAuth2Client/expected.json @@ -1,7 +1,9 @@ { "operation_results": [ { + "type": "procedure", "result": { + "access_token_strategy": "opaque", "allowed_cors_origins": ["http://localhost:8080"], "audience": ["user"], "authorization_code_grant_access_token_lifespan": "1h0m0s", @@ -16,7 +18,7 @@ "client_secret_expires_at": 0, "client_uri": "http://localhost:8080", "contacts": ["bouUoMs41s"], - "frontchannel_logout_session_required": true, + "frontchannel_logout_session_required": null, "frontchannel_logout_uri": "http://frontchannel/logout", "grant_types": ["client_credentials"], "implicit_grant_access_token_lifespan": "1h0m0s", 
@@ -25,29 +27,29 @@ "jwks_uri": "http://localhost:8080/jwks", "jwt_bearer_grant_access_token_lifespan": "3h0m0s", "logo_uri": "http://localhost:8080/logo", - "metadata": { "foo": "bar" }, + "metadata": { + "foo": "bar" + }, "owner": "FiZD1435Ve", - "password_grant_access_token_lifespan": "4h0m0s", - "password_grant_refresh_token_lifespan": "3h0m0s", "policy_uri": "http://localhost:8080/policy_uri", "post_logout_redirect_uris": ["http://localhost:8080/post-logout"], "redirect_uris": ["http://localhost:8080/redirect_uris"], "refresh_token_grant_access_token_lifespan": "2h0m0s", "refresh_token_grant_id_token_lifespan": "1h0m0s", "refresh_token_grant_refresh_token_lifespan": "2h0m0s", - "registration_client_uri": "http://localhost:4444/oauth2/register/test-client", "request_object_signing_alg": "HS256", "request_uris": ["http://localhost:8080/request_uris"], "response_types": ["code"], - "scope": "read offline", + "scope": "offline_access", "sector_identifier_uri": null, + "skip_consent": true, + "skip_logout_consent": false, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", - "token_endpoint_auth_signing_alg": "none", - "tos_uri": "eE5F7kI9Uz", - "userinfo_signed_response_alg": "none" - }, - "type": "procedure" + "token_endpoint_auth_signing_alg": "RS256", + "tos_uri": "riMbw3Zubq", + "userinfo_signed_response_alg": "RS256" + } } ] } diff --git a/testdata/01-setup/mutation/01-createOAuth2Client/request.json b/testdata/01-setup/mutation/01-createOAuth2Client/request.json index 5947670..d7e3fa2 100644 --- a/testdata/01-setup/mutation/01-createOAuth2Client/request.json +++ b/testdata/01-setup/mutation/01-createOAuth2Client/request.json @@ -6,6 +6,7 @@ "name": "createOAuth2Client", "arguments": { "body": { + "access_token_strategy": "opaque", "allowed_cors_origins": ["http://localhost:8080"], "audience": ["user"], "authorization_code_grant_access_token_lifespan": "1h", 
@@ -19,8 +20,7 @@ "client_secret": "randomsecret", "client_uri": "http://localhost:8080", "contacts": ["bouUoMs41s"], - "created_at": "2019-08-24T14:15:22Z", - "frontchannel_logout_session_required": true, + "frontchannel_logout_session_required": false, "frontchannel_logout_uri": "http://frontchannel/logout", "grant_types": ["client_credentials"], "implicit_grant_access_token_lifespan": "1h", @@ -33,8 +33,6 @@ "foo": "bar" }, "owner": "FiZD1435Ve", - "password_grant_access_token_lifespan": "4h", - "password_grant_refresh_token_lifespan": "3h", "policy_uri": "http://localhost:8080/policy_uri", "post_logout_redirect_uris": ["http://localhost:8080/post-logout"], "redirect_uris": ["http://localhost:8080/redirect_uris"], @@ -45,18 +43,23 @@ "request_object_signing_alg": "HS256", "request_uris": ["http://localhost:8080/request_uris"], "response_types": ["code"], - "scope": "read offline", + "scope": "offline_access", "sector_identifier_uri": null, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", - "token_endpoint_auth_signing_alg": "none", - "tos_uri": "eE5F7kI9Uz", - "updated_at": "1970-01-01T00:00:01Z", - "userinfo_signed_response_alg": "none" + "skip_consent": true, + "skip_logout_consent": false, + "token_endpoint_auth_signing_alg": "RS256", + "tos_uri": "riMbw3Zubq", + "userinfo_signed_response_alg": "RS256" } }, "fields": { "fields": { + "access_token_strategy": { + "column": "access_token_strategy", + "type": "column" + }, "allowed_cors_origins": { "column": "allowed_cors_origins", "type": "column" @@ -157,14 +160,6 @@ "column": "owner", "type": "column" }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, "policy_uri": { "column": "policy_uri", "type": "column" 
@@ -189,10 +184,6 @@ "column": "refresh_token_grant_refresh_token_lifespan", "type": "column" }, - "registration_client_uri": { - "column": "registration_client_uri", - "type": "column" - }, "request_object_signing_alg": { "column": "request_object_signing_alg", "type": "column" @@ -213,6 +204,14 @@ "column": "sector_identifier_uri", "type": "column" }, + "skip_consent": { + "column": "skip_consent", + "type": "column" + }, + "skip_logout_consent": { + "column": "skip_logout_consent", + "type": "column" + }, "subject_type": { "column": "subject_type", "type": "column" diff --git a/testdata/01-setup/mutation/02-patchOAuth2Client/expected.json b/testdata/01-setup/mutation/02-patchOAuth2Client/expected.json index ea29092..58ae650 100644 --- a/testdata/01-setup/mutation/02-patchOAuth2Client/expected.json +++ b/testdata/01-setup/mutation/02-patchOAuth2Client/expected.json @@ -3,6 +3,7 @@ { "type": "procedure", "result": { + "access_token_strategy": "opaque", "allowed_cors_origins": ["http://localhost:8080"], "audience": ["user", "admin"], "authorization_code_grant_access_token_lifespan": "1h0m0s", @@ -17,7 +18,7 @@ "client_secret_expires_at": 0, "client_uri": "http://localhost:8080", "contacts": ["bouUoMs41s"], - "frontchannel_logout_session_required": true, + "frontchannel_logout_session_required": null, "frontchannel_logout_uri": "http://frontchannel/logout", "grant_types": ["client_credentials"], "implicit_grant_access_token_lifespan": "1h0m0s", @@ -30,8 +31,6 @@ "foo": "bar" }, "owner": "FiZD1435Ve", - "password_grant_access_token_lifespan": "4h0m0s", - "password_grant_refresh_token_lifespan": "3h0m0s", "policy_uri": "http://localhost:8080/policy_uri", "post_logout_redirect_uris": ["http://localhost:8080/post-logout"], "redirect_uris": ["http://localhost:8080/redirect_uris"], 
@@ -43,13 +42,15 @@ "request_object_signing_alg": "HS256", "request_uris": ["http://localhost:8080/request_uris"], "response_types": ["code"], - "scope": "read offline", + "scope": "offline_access", "sector_identifier_uri": null, + "skip_consent": true, + "skip_logout_consent": false, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", - "token_endpoint_auth_signing_alg": "none", - "tos_uri": "eE5F7kI9Uz", - "userinfo_signed_response_alg": "none" + "token_endpoint_auth_signing_alg": "RS256", + "tos_uri": "riMbw3Zubq", + "userinfo_signed_response_alg": "RS256" } } ] diff --git a/testdata/01-setup/mutation/02-patchOAuth2Client/request.json b/testdata/01-setup/mutation/02-patchOAuth2Client/request.json index 3dcbc49..bc334de 100644 --- a/testdata/01-setup/mutation/02-patchOAuth2Client/request.json +++ b/testdata/01-setup/mutation/02-patchOAuth2Client/request.json @@ -26,6 +26,10 @@ }, "fields": { "fields": { + "access_token_strategy": { + "column": "access_token_strategy", + "type": "column" + }, "allowed_cors_origins": { "column": "allowed_cors_origins", "type": "column" @@ -126,14 +130,6 @@ "column": "owner", "type": "column" }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, "policy_uri": { "column": "policy_uri", "type": "column" @@ -186,6 +182,14 @@ "column": "sector_identifier_uri", "type": "column" }, + "skip_consent": { + "column": "skip_consent", + "type": "column" + }, + "skip_logout_consent": { + "column": "skip_logout_consent", + "type": "column" + }, "subject_type": { "column": "subject_type", "type": "column" 
diff --git a/testdata/01-setup/mutation/03-updateOAuth2Client/expected.json b/testdata/01-setup/mutation/03-setOAuth2Client/expected.json similarity index 91% rename from testdata/01-setup/mutation/03-updateOAuth2Client/expected.json rename to testdata/01-setup/mutation/03-setOAuth2Client/expected.json index 172c7ab..dd9e60f 100644 --- a/testdata/01-setup/mutation/03-updateOAuth2Client/expected.json +++ b/testdata/01-setup/mutation/03-setOAuth2Client/expected.json @@ -3,6 +3,7 @@ { "type": "procedure", "result": { + "access_token_strategy": "jwt", "allowed_cors_origins": ["http://localhost:3000"], "audience": ["customer"], "authorization_code_grant_access_token_lifespan": "1h30m0s", @@ -30,8 +31,6 @@ "foo": "baz" }, "owner": "test", - "password_grant_access_token_lifespan": "1h0m0s", - "password_grant_refresh_token_lifespan": "2h0m0s", "policy_uri": "http://localhost:3000/policy_uri", "post_logout_redirect_uris": ["http://localhost:3000/post-logout"], "redirect_uris": ["http://localhost:3000/redirect_uris"], @@ -43,13 +42,15 @@ "request_object_signing_alg": "none", "request_uris": ["http://localhost:3000/request_uris"], "response_types": ["token"], - "scope": "read offline", + "scope": "offline", "sector_identifier_uri": null, + "skip_consent": false, + "skip_logout_consent": true, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", "token_endpoint_auth_signing_alg": "none", "tos_uri": "none", - "userinfo_signed_response_alg": "none" + "userinfo_signed_response_alg": "RS256" } } ] diff --git a/testdata/01-setup/mutation/03-updateOAuth2Client/request.json b/testdata/01-setup/mutation/03-setOAuth2Client/request.json similarity index 92% rename from testdata/01-setup/mutation/03-updateOAuth2Client/request.json rename to testdata/01-setup/mutation/03-setOAuth2Client/request.json index 4641c34..f4d5d62 100644 --- a/testdata/01-setup/mutation/03-updateOAuth2Client/request.json +++ b/testdata/01-setup/mutation/03-setOAuth2Client/request.json 
@@ -3,9 +3,10 @@ "operations": [ { "type": "procedure", - "name": "updateOAuth2Client", + "name": "setOAuth2Client", "arguments": { "body": { + "access_token_strategy": "jwt", "allowed_cors_origins": ["http://localhost:3000"], "audience": ["customer"], "authorization_code_grant_access_token_lifespan": "1h30m", @@ -17,10 +18,9 @@ "client_id": "test-client", "client_name": "Test client updated", "client_secret": "randomsecret", + "client_secret_expires_at": 0, "client_uri": "http://localhost:3000", "contacts": ["test"], - "created_at": "1970-01-01T00:00:00Z", - "frontchannel_logout_session_required": false, "frontchannel_logout_uri": "http://frontchannel-update/logout", "grant_types": ["client_credentials"], "implicit_grant_access_token_lifespan": "1h30m", @@ -33,8 +33,6 @@ "foo": "baz" }, "owner": "test", - "password_grant_access_token_lifespan": "1h", - "password_grant_refresh_token_lifespan": "2h", "policy_uri": "http://localhost:3000/policy_uri", "post_logout_redirect_uris": ["http://localhost:3000/post-logout"], "redirect_uris": ["http://localhost:3000/redirect_uris"], @@ -46,19 +44,24 @@ "request_object_signing_alg": "none", "request_uris": ["http://localhost:3000/request_uris"], "response_types": ["token"], - "scope": "read offline", + "scope": "offline", "sector_identifier_uri": null, + "skip_consent": false, + "skip_logout_consent": true, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", "token_endpoint_auth_signing_alg": "none", "tos_uri": "none", - "updated_at": "1970-01-01T00:00:00Z", - "userinfo_signed_response_alg": "none" + "userinfo_signed_response_alg": "RS256" }, "id": "test-client" }, "fields": { "fields": { + "access_token_strategy": { + "column": "access_token_strategy", + "type": "column" + }, "allowed_cors_origins": { "column": "allowed_cors_origins", "type": "column" 
@@ -159,14 +162,6 @@ "column": "owner", "type": "column" }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, "policy_uri": { "column": "policy_uri", "type": "column" @@ -219,6 +214,14 @@ "column": "sector_identifier_uri", "type": "column" }, + "skip_consent": { + "column": "skip_consent", + "type": "column" + }, + "skip_logout_consent": { + "column": "skip_logout_consent", + "type": "column" + }, "subject_type": { "column": "subject_type", "type": "column" diff --git a/testdata/01-setup/mutation/04-dynamicClientRegistrationCreateOAuth2Client/expected.json b/testdata/01-setup/mutation/04-createOidcDynamicClient/expected.json similarity index 89% rename from testdata/01-setup/mutation/04-dynamicClientRegistrationCreateOAuth2Client/expected.json rename to testdata/01-setup/mutation/04-createOidcDynamicClient/expected.json index 63b0b52..c7020d4 100644 --- a/testdata/01-setup/mutation/04-dynamicClientRegistrationCreateOAuth2Client/expected.json +++ b/testdata/01-setup/mutation/04-createOidcDynamicClient/expected.json @@ -1,7 +1,9 @@ { "operation_results": [ { + "type": "procedure", "result": { + "access_token_strategy": null, "allowed_cors_origins": ["http://localhost:8080"], "audience": ["user"], "authorization_code_grant_access_token_lifespan": "1h0m0s", @@ -13,7 +15,7 @@ "client_name": "Test dynamic client", "client_secret_expires_at": 0, "client_uri": "http://localhost:8080", - "contacts": ["bouUoMs41s"], + "contacts": ["ZOM9SouByM"], "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "http://frontchannel/logout", "grant_types": ["client_credentials"], 
@@ -25,8 +27,6 @@ "logo_uri": "http://localhost:8080/logo", "metadata": {}, "owner": "FiZD1435Ve", - "password_grant_access_token_lifespan": "4h0m0s", - "password_grant_refresh_token_lifespan": "3h0m0s", "policy_uri": "http://localhost:8080/policy_uri", "post_logout_redirect_uris": ["http://localhost:8080/post-logout"], "redirect_uris": ["http://localhost:8080/redirect_uris"], @@ -38,13 +38,14 @@ "response_types": ["code"], "scope": "email", "sector_identifier_uri": null, + "skip_consent": false, + "skip_logout_consent": null, "subject_type": "public", "token_endpoint_auth_method": "client_secret_basic", "token_endpoint_auth_signing_alg": "none", "tos_uri": "eE5F7kI9Uz", - "userinfo_signed_response_alg": "none" - }, - "type": "procedure" + "userinfo_signed_response_alg": "RS256" + } } ] } diff --git a/testdata/01-setup/mutation/04-dynamicClientRegistrationCreateOAuth2Client/request.json b/testdata/01-setup/mutation/04-createOidcDynamicClient/request.json similarity index 91% rename from testdata/01-setup/mutation/04-dynamicClientRegistrationCreateOAuth2Client/request.json rename to testdata/01-setup/mutation/04-createOidcDynamicClient/request.json index 4b115fd..1b0592a 100644 --- a/testdata/01-setup/mutation/04-dynamicClientRegistrationCreateOAuth2Client/request.json +++ b/testdata/01-setup/mutation/04-createOidcDynamicClient/request.json @@ -3,7 +3,7 @@ "operations": [ { "type": "procedure", - "name": "dynamicClientRegistrationCreateOAuth2Client", + "name": "createOidcDynamicClient", "arguments": { "body": { "allowed_cors_origins": ["http://localhost:8080"], @@ -18,8 +18,7 @@ "client_name": "Test dynamic client", "client_secret_expires_at": 3600, "client_uri": "http://localhost:8080", - "contacts": ["bouUoMs41s"], - "created_at": "2019-08-24T14:15:22Z", + "contacts": ["ZOM9SouByM"], "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "http://frontchannel/logout", "grant_types": ["client_credentials"], 
@@ -30,15 +29,12 @@ "jwt_bearer_grant_access_token_lifespan": "3h", "logo_uri": "http://localhost:8080/logo", "owner": "FiZD1435Ve", - "password_grant_access_token_lifespan": "4h", - "password_grant_refresh_token_lifespan": "3h", "policy_uri": "http://localhost:8080/policy_uri", "post_logout_redirect_uris": ["http://localhost:8080/post-logout"], "redirect_uris": ["http://localhost:8080/redirect_uris"], "refresh_token_grant_access_token_lifespan": "2h", "refresh_token_grant_id_token_lifespan": "1h", "refresh_token_grant_refresh_token_lifespan": "2h", - "registration_access_token": "randomtoken", "registration_client_uri": "http://localhost:8080", "request_object_signing_alg": "HS256", "request_uris": ["http://localhost:8080/request_uris"], @@ -49,12 +45,15 @@ "token_endpoint_auth_method": "client_secret_basic", "token_endpoint_auth_signing_alg": "none", "tos_uri": "eE5F7kI9Uz", - "updated_at": "1970-01-01T00:00:01Z", - "userinfo_signed_response_alg": "none" + "userinfo_signed_response_alg": "RS256" } }, "fields": { "fields": { + "access_token_strategy": { + "column": "access_token_strategy", + "type": "column" + }, "allowed_cors_origins": { "column": "allowed_cors_origins", "type": "column" @@ -147,14 +146,6 @@ "column": "owner", "type": "column" }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, "policy_uri": { "column": "policy_uri", "type": "column" @@ -199,6 +190,14 @@ "column": "sector_identifier_uri", "type": "column" }, + "skip_consent": { + "column": "skip_consent", + "type": "column" + }, + "skip_logout_consent": { + "column": "skip_logout_consent", + "type": "column" + }, "subject_type": { "column": "subject_type", "type": "column" 
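Review bot: The `@@ -30,15 +29,12 @@` hunk of 04-createOidcDynamicClient/request.json drops `registration_access_token` but leaves other server-managed attributes in the registration body — `registration_client_uri` and `owner` here, and `client_secret_expires_at: 3600` in the preceding hunk — even though the expected snapshot in the previous file section reports `client_secret_expires_at: 0`, so at least that value is evidently ignored. Since `createOidcDynamicClient` is presumably the unauthenticated public registration endpoint, the fixture documents the trust boundary best if it sends only what a registrant can legitimately set; I would either remove the ignored fields from the body or keep them deliberately and note in the fixture directory's README that the snapshot proves they are ignored. The enclosing `body` object starts outside this hunk.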
diff --git a/testdata/01-setup/mutation/05-createJsonWebKeySet/expected.json b/testdata/01-setup/mutation/05-createJsonWebKeySet/expected.json new file mode 100644 index 0000000..cded83f --- /dev/null +++ b/testdata/01-setup/mutation/05-createJsonWebKeySet/expected.json @@ -0,0 +1,23 @@ +{ + "operation_results": [ + { + "type": "procedure", + "result": { + "keys": [ + { + "alg": "RS256", + "crv": null, + "e": "AQAB", + "k": null, + "kid": "eAJi2E8Clh", + "kty": "RSA", + "use": "sig", + "x": null, + "x5c": null, + "y": null + } + ] + } + } + ] +} diff --git a/testdata/01-setup/mutation/06-createJsonWebKeySet/request.json b/testdata/01-setup/mutation/05-createJsonWebKeySet/request.json similarity index 83% rename from testdata/01-setup/mutation/06-createJsonWebKeySet/request.json rename to testdata/01-setup/mutation/05-createJsonWebKeySet/request.json index b3a7e2b..1343f79 100644 --- a/testdata/01-setup/mutation/06-createJsonWebKeySet/request.json +++ b/testdata/01-setup/mutation/05-createJsonWebKeySet/request.json @@ -27,14 +27,6 @@ "column": "crv", "type": "column" }, - "dp": { - "column": "dp", - "type": "column" - }, - "dq": { - "column": "dq", - "type": "column" - }, "e": { "column": "e", "type": "column" @@ -51,10 +43,6 @@ "column": "kty", "type": "column" }, - "qi": { - "column": "qi", - "type": "column" - }, "use": { "column": "use", "type": "column" diff --git a/testdata/01-setup/mutation/05-flushInactiveOAuth2Tokens/expected.json b/testdata/01-setup/mutation/05-flushInactiveOAuth2Tokens/expected.json deleted file mode 100644 index e62ec74..0000000 --- a/testdata/01-setup/mutation/05-flushInactiveOAuth2Tokens/expected.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "operation_results": [ - { - "result": true, - "type": "procedure" - } - ] -} diff --git a/testdata/01-setup/mutation/05-flushInactiveOAuth2Tokens/request.json b/testdata/01-setup/mutation/05-flushInactiveOAuth2Tokens/request.json deleted file mode 100644 index 43123a4..0000000 
--- a/testdata/01-setup/mutation/05-flushInactiveOAuth2Tokens/request.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "collection_relationships": {}, - "operations": [ - { - "type": "procedure", - "name": "flushInactiveOAuth2Tokens", - "arguments": { - "body": { - "notAfter": "2024-01-01T00:00:00Z" - } - } - } - ] -} diff --git a/testdata/01-setup/mutation/06-createJsonWebKeySet/expected.json b/testdata/01-setup/mutation/06-setJsonWebKeySet/expected.json similarity index 53% rename from testdata/01-setup/mutation/06-createJsonWebKeySet/expected.json rename to testdata/01-setup/mutation/06-setJsonWebKeySet/expected.json index ba7516b..0e5b6a5 100644 --- a/testdata/01-setup/mutation/06-createJsonWebKeySet/expected.json +++ b/testdata/01-setup/mutation/06-setJsonWebKeySet/expected.json @@ -1,7 +1,6 @@ { "operation_results": [ { - "type": "procedure", "result": { "keys": [ { @@ -18,24 +17,10 @@ "x": null, "x5c": null, "y": null - }, - { - "alg": "RS256", - "crv": null, - "dp": null, - "dq": null, - "e": "AQAB", - "k": null, - "kid": "public:eAJi2E8Clh", - "kty": "RSA", - "qi": null, - "use": "sig", - "x": null, - "x5c": null, - "y": null } ] - } + }, + "type": "procedure" } ] } diff --git a/testdata/01-setup/mutation/07-updateJsonWebKeySet/request.json b/testdata/01-setup/mutation/06-setJsonWebKeySet/request.json similarity index 90% rename from testdata/01-setup/mutation/07-updateJsonWebKeySet/request.json rename to testdata/01-setup/mutation/06-setJsonWebKeySet/request.json index 524d51f..808abd3 100644 --- a/testdata/01-setup/mutation/07-updateJsonWebKeySet/request.json +++ b/testdata/01-setup/mutation/06-setJsonWebKeySet/request.json @@ -3,7 +3,7 @@ "operations": [ { "type": "procedure", - "name": "updateJsonWebKeySet", + "name": "setJsonWebKeySet", "arguments": { "body": { "keys": [ @@ -45,10 +45,6 @@ "column": "crv", "type": "column" }, - "d": { - "column": "d", - "type": "column" - }, "dp": { "column": "dp", "type": "column" 
@@ -73,18 +69,6 @@ "column": "kty", "type": "column" }, - "n": { - "column": "n", - "type": "column" - }, - "p": { - "column": "p", - "type": "column" - }, - "q": { - "column": "q", - "type": "column" - }, "qi": { "column": "qi", "type": "column" diff --git a/testdata/01-setup/mutation/07-setJsonWebKey/expected.json b/testdata/01-setup/mutation/07-setJsonWebKey/expected.json new file mode 100644 index 0000000..c279ad3 --- /dev/null +++ b/testdata/01-setup/mutation/07-setJsonWebKey/expected.json @@ -0,0 +1,22 @@ +{ + "operation_results": [ + { + "type": "procedure", + "result": { + "alg": "RS256", + "crv": null, + "dp": null, + "dq": null, + "e": "AQAB", + "k": null, + "kid": "private:eAJi2E8Clh", + "kty": "RSA", + "qi": null, + "use": "sig", + "x": null, + "x5c": null, + "y": null + } + } + ] +} diff --git a/testdata/01-setup/mutation/08-updateJsonWebKey/request.json b/testdata/01-setup/mutation/07-setJsonWebKey/request.json similarity index 91% rename from testdata/01-setup/mutation/08-updateJsonWebKey/request.json rename to testdata/01-setup/mutation/07-setJsonWebKey/request.json index d088b0c..07d43ef 100644 --- a/testdata/01-setup/mutation/08-updateJsonWebKey/request.json +++ b/testdata/01-setup/mutation/07-setJsonWebKey/request.json @@ -3,7 +3,7 @@ "operations": [ { "type": "procedure", - "name": "updateJsonWebKey", + "name": "setJsonWebKey", "arguments": { "body": { "alg": "RS256", @@ -37,10 +37,6 @@ "column": "crv", "type": "column" }, - "d": { - "column": "d", - "type": "column" - }, "dp": { "column": "dp", "type": "column" @@ -65,18 +61,6 @@ "column": "kty", "type": "column" }, - "n": { - "column": "n", - "type": "column" - }, - "p": { - "column": "p", - "type": "column" - }, - "q": { - "column": "q", - "type": "column" - }, "qi": { "column": "qi", "type": "column" diff --git a/testdata/01-setup/mutation/07-updateJsonWebKeySet/expected.json b/testdata/01-setup/mutation/07-updateJsonWebKeySet/expected.json deleted file mode 100644 index 406d104..0000000 
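Review bot: The JWK field selections are now inconsistent across the key fixtures: 05-createJsonWebKeySet/request.json drops `dp`, `dq` and `qi`, whereas 06-setJsonWebKeySet/request.json and this `@@ -65,18 +61,6 @@` hunk of 07-setJsonWebKey/request.json drop `d`, `n`, `p` and `q` but keep `dp`, `dq` and `qi` (visible as context lines around the removals). Whatever the v2 schema actually exposes, the three fixtures should select the same set, and the replaced expected files further down this diff — which pinned a complete RSA private key (`d`, `p`, `q`) into testdata — show why selecting any private component in a snapshot is a liability even for throwaway test keys. I would limit the selection in all three to the public members (`kty`, `alg`, `use`, `e`, `crv`, `x`, `y`, `x5c`) plus `kid`, so a future schema change cannot silently reintroduce private material into expected.json. The enclosing `fields` object starts outside this hunk.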
--- a/testdata/01-setup/mutation/07-updateJsonWebKeySet/expected.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "operation_results": [ - { - "result": { - "keys": [ - { - "alg": "RS256", - "crv": null, - "d": "GRSr36MI4AvopL53amId5_yNc2PJU5ingxssc4T09y9NPaVzcKJ4AvJT_1iLWJE2H3kU5OC4_mq_PaLgTs0CIALT7vngRZizXfJNcMBoV7hztkfM-sH7GL8lpfs3V8kJnBrhGsZJjUGdWM6Q9bbQQSuQBJeIXnAGDbp-voI0Gy83uEpukHa5WpB6CzzD6-ivZpD5LF_g4zmWscht1CYENkk9wcmU9A34HH1vxAzRhktE6Rd7s_twMCwzsrNEDpfKpoC0ltOdOr9zCdekM344_hCjkxdXiTZ7qzH3e64OuSBGHLNmdMD1YzEi5WIdK-er8A57j9HQqDIY2DePVEk4veInAPG_b8fFUDFjDMX4yMBzkluJqlFIH33ce8-lcCrLkIOJdiQFEVGZNTX_ZkfgmT_zjIMnHGlgVvL61akP2RhWB-M0DDy7YCImgXT4EqPW53RuN8g6FewuHAIJ3Ka0F-a-1u6Uf34bM9RPY6rcfYGMYDmqf-9chip68Z1qrxPVDkoJXQZh4afdLv0HQntxdMkwnFIadqX0fppiBJXe2Um03D6so9RXD9moab31S5vLmWqq-0i9LVi819JQ_Y8bKSsZprkBywpsU3RudTFh7HWW58RguXXNduyzyILiI2a7cH80E52Mb-jzpWuHslgMdIWzVNrGgAkXrjIJ6hwLtpE", - "dp": null, - "dq": null, - "e": "AQAB", - "k": null, - "kid": "private:eAJi2E8Clh", - "kty": "RSA", - "n": "yLKyzaQeWovuRB0jGP3SLfaK6DhpQaPzHUdQ6pntf_ojCcYlEwB1MqXh64MNucARhpIMEG312Ht0-mCVlsPzp2IVr8l2kzD6xNmosvn4YIxkPB_cEjjSYvgiqzGdsd4pC7Sk94qbRg21rro5xdqNaLUU0omQSMewaQr0d08J27hSwT1Kq9UL2wxVoxCqUAnbF7R5MluP0dDsab-Y3iylrMZsvwamV3zZIT5180Pg1vPI33EdbY_6XIjnhbARD-_I7unHWLcr5aPIht3eNvbTT4IFPis3t-ulx8mSBky4BPhJbGLfbzJERXiIPKvfLhmgV9jagBMFAGYOs25zRfjHxxrL3-WObPHLJZNSg2qUIDvS1JmtkUQG1RhxeGgJEC9kSyntDFEVAZFUkCztr2Oo46q7Mnag7SVGMD9deVvE9i7jlapYRNTzEzePUhsCzepc6GO9MO61NTE_Qp3sxHmxURkgp9hkOBng_YsusNf4Af0eBd93md8a3bHd3BR4iSAp1MRzC03Eob0AmvJUNpImQu-f5tqf8nAWzvH6OfgIXtUMKiu9QeM_Jm3BIcW38ZxzZEkAMKeD46gvesWuKjyOzMzs3XMtZ5PCoBIPJjaryP0-8ii3NFIMLRj63j6gohjxHnW6KqS0OWpgq_gKFr_E6_FDCYv7dIYDdWmth_fu4cM", - "p": "-NP2Sc8RXFccjfzMYe0LZc9lptSTPDMMgLL4nWXIlCmIoxJlNvzNypz4wy97cHmSi_t3tJCAJ2G69KO-tJ8rpmDlqQNE7vaL5Rtsaz8thcgtZpftF4Kp9wlALWuaWcz3szj2fSuqO6tbGDYI5UeyBUn77HS6ZiSJ93KaO2TYRmZvL4hHvtvrS_mj-MnZ6mLWwa0jQFYvcK9vZaHLJMDFBjH0McFdkSE4OBYvmIJ2AqmYPmwndUbPFjXs7dWTo975wgfTpmzcTiKb-Z_mu2zdMJYw-cU9e8-jpLA6R2Lc25nEtKwC7m0yN77tke7eJrByzBIunGsnzxbDh1GQXo3k1Q", - "q": 
"znuZELOen_vxzkhU6li6JnXfoQOx2319AyVo2CohhvukHCQuRrFSo1EqiUtKimG7QPt6yHPWsJmeArb1W6UBOnTNWUsDv_1AcdC-oYZ_sz1LK3rHe93kva34brIXqjcJujcI5VW_HHP23CV67d6_7oRmyHpqIr1D8WXQvx-tpW8PVsmo_0h8H2smas9046eonI6BQG3fPdIhwXbI-c6I-VuudTyEVEbvP_l74tiJQeqkZfaPvOIOMkIN5pMDPrRxIq_35l4Eu3xy2UwASJLSTvX7KE2d3HWHMtDipdN8UdHnlMbMs5ZwfhoC8Pr3lw30K6Jtl9_7NRbaNyBisGPYNw", - "qi": null, - "use": "sig", - "x": null, - "x5c": null, - "y": null - } - ] - }, - "type": "procedure" - } - ] -} diff --git a/testdata/01-setup/mutation/09-oauth2Token/expected.json b/testdata/01-setup/mutation/08-oauth2TokenExchange/expected.json similarity index 85% rename from testdata/01-setup/mutation/09-oauth2Token/expected.json rename to testdata/01-setup/mutation/08-oauth2TokenExchange/expected.json index 066a237..9f1f1cc 100644 --- a/testdata/01-setup/mutation/09-oauth2Token/expected.json +++ b/testdata/01-setup/mutation/08-oauth2TokenExchange/expected.json @@ -1,14 +1,14 @@ { "operation_results": [ { - "type": "procedure", "result": { "expires_in": 16199, "id_token": null, "refresh_token": null, "scope": "", "token_type": "bearer" - } + }, + "type": "procedure" } ] } diff --git a/testdata/01-setup/mutation/09-oauth2Token/request.json b/testdata/01-setup/mutation/08-oauth2TokenExchange/request.json similarity index 95% rename from testdata/01-setup/mutation/09-oauth2Token/request.json rename to testdata/01-setup/mutation/08-oauth2TokenExchange/request.json index 6dd8e5b..ad9f44c 100644 --- a/testdata/01-setup/mutation/09-oauth2Token/request.json +++ b/testdata/01-setup/mutation/08-oauth2TokenExchange/request.json @@ -3,7 +3,7 @@ "operations": [ { "type": "procedure", - "name": "oauth2Token", + "name": "oauth2TokenExchange", "arguments": { "body": { "grant_type": "client_credentials", diff --git a/testdata/01-setup/mutation/08-updateJsonWebKey/expected.json b/testdata/01-setup/mutation/08-updateJsonWebKey/expected.json deleted file mode 100644 index b4bb7f9..0000000 
--- a/testdata/01-setup/mutation/08-updateJsonWebKey/expected.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "operation_results": [ - { - "result": { - "alg": "RS256", - "crv": null, - "d": "GRSr36MI4AvopL53amId5_yNc2PJU5ingxssc4T09y9NPaVzcKJ4AvJT_1iLWJE2H3kU5OC4_mq_PaLgTs0CIALT7vngRZizXfJNcMBoV7hztkfM-sH7GL8lpfs3V8kJnBrhGsZJjUGdWM6Q9bbQQSuQBJeIXnAGDbp-voI0Gy83uEpukHa5WpB6CzzD6-ivZpD5LF_g4zmWscht1CYENkk9wcmU9A34HH1vxAzRhktE6Rd7s_twMCwzsrNEDpfKpoC0ltOdOr9zCdekM344_hCjkxdXiTZ7qzH3e64OuSBGHLNmdMD1YzEi5WIdK-er8A57j9HQqDIY2DePVEk4veInAPG_b8fFUDFjDMX4yMBzkluJqlFIH33ce8-lcCrLkIOJdiQFEVGZNTX_ZkfgmT_zjIMnHGlgVvL61akP2RhWB-M0DDy7YCImgXT4EqPW53RuN8g6FewuHAIJ3Ka0F-a-1u6Uf34bM9RPY6rcfYGMYDmqf-9chip68Z1qrxPVDkoJXQZh4afdLv0HQntxdMkwnFIadqX0fppiBJXe2Um03D6so9RXD9moab31S5vLmWqq-0i9LVi819JQ_Y8bKSsZprkBywpsU3RudTFh7HWW58RguXXNduyzyILiI2a7cH80E52Mb-jzpWuHslgMdIWzVNrGgAkXrjIJ6hwLtpE", - "dp": null, - "dq": null, - "e": "AQAB", - "k": null, - "kid": "private:eAJi2E8Clh", - "kty": "RSA", - "n": "yLKyzaQeWovuRB0jGP3SLfaK6DhpQaPzHUdQ6pntf_ojCcYlEwB1MqXh64MNucARhpIMEG312Ht0-mCVlsPzp2IVr8l2kzD6xNmosvn4YIxkPB_cEjjSYvgiqzGdsd4pC7Sk94qbRg21rro5xdqNaLUU0omQSMewaQr0d08J27hSwT1Kq9UL2wxVoxCqUAnbF7R5MluP0dDsab-Y3iylrMZsvwamV3zZIT5180Pg1vPI33EdbY_6XIjnhbARD-_I7unHWLcr5aPIht3eNvbTT4IFPis3t-ulx8mSBky4BPhJbGLfbzJERXiIPKvfLhmgV9jagBMFAGYOs25zRfjHxxrL3-WObPHLJZNSg2qUIDvS1JmtkUQG1RhxeGgJEC9kSyntDFEVAZFUkCztr2Oo46q7Mnag7SVGMD9deVvE9i7jlapYRNTzEzePUhsCzepc6GO9MO61NTE_Qp3sxHmxURkgp9hkOBng_YsusNf4Af0eBd93md8a3bHd3BR4iSAp1MRzC03Eob0AmvJUNpImQu-f5tqf8nAWzvH6OfgIXtUMKiu9QeM_Jm3BIcW38ZxzZEkAMKeD46gvesWuKjyOzMzs3XMtZ5PCoBIPJjaryP0-8ii3NFIMLRj63j6gohjxHnW6KqS0OWpgq_gKFr_E6_FDCYv7dIYDdWmth_fu4cM", - "p": "-NP2Sc8RXFccjfzMYe0LZc9lptSTPDMMgLL4nWXIlCmIoxJlNvzNypz4wy97cHmSi_t3tJCAJ2G69KO-tJ8rpmDlqQNE7vaL5Rtsaz8thcgtZpftF4Kp9wlALWuaWcz3szj2fSuqO6tbGDYI5UeyBUn77HS6ZiSJ93KaO2TYRmZvL4hHvtvrS_mj-MnZ6mLWwa0jQFYvcK9vZaHLJMDFBjH0McFdkSE4OBYvmIJ2AqmYPmwndUbPFjXs7dWTo975wgfTpmzcTiKb-Z_mu2zdMJYw-cU9e8-jpLA6R2Lc25nEtKwC7m0yN77tke7eJrByzBIunGsnzxbDh1GQXo3k1Q", - "q": 
"znuZELOen_vxzkhU6li6JnXfoQOx2319AyVo2CohhvukHCQuRrFSo1EqiUtKimG7QPt6yHPWsJmeArb1W6UBOnTNWUsDv_1AcdC-oYZ_sz1LK3rHe93kva34brIXqjcJujcI5VW_HHP23CV67d6_7oRmyHpqIr1D8WXQvx-tpW8PVsmo_0h8H2smas9046eonI6BQG3fPdIhwXbI-c6I-VuudTyEVEbvP_l74tiJQeqkZfaPvOIOMkIN5pMDPrRxIq_35l4Eu3xy2UwASJLSTvX7KE2d3HWHMtDipdN8UdHnlMbMs5ZwfhoC8Pr3lw30K6Jtl9_7NRbaNyBisGPYNw", - "qi": null, - "use": "sig", - "x": null, - "x5c": null, - "y": null - }, - "type": "procedure" - } - ] -} diff --git a/testdata/01-setup/mutation/10-trustJwtGrantIssuer/expected.json b/testdata/01-setup/mutation/09-trustOAuth2JwtGrantIssuer/expected.json similarity index 80% rename from testdata/01-setup/mutation/10-trustJwtGrantIssuer/expected.json rename to testdata/01-setup/mutation/09-trustOAuth2JwtGrantIssuer/expected.json index b96d528..84ae19b 100644 --- a/testdata/01-setup/mutation/10-trustJwtGrantIssuer/expected.json +++ b/testdata/01-setup/mutation/09-trustOAuth2JwtGrantIssuer/expected.json @@ -2,12 +2,12 @@ "operation_results": [ { "result": { - "allow_any_subject": false, + "allow_any_subject": true, "expires_at": "2040-01-01T00:00:00Z", "issuer": "etd1aDJlEd", "public_key": { "kid": "private:eAJi2E8Clh", "set": "etd1aDJlEd" }, "scope": ["StkNfiEI2M"], - "subject": "TibzF1JqYe" + "subject": "" }, "type": "procedure" } diff --git a/testdata/01-setup/mutation/10-trustJwtGrantIssuer/request.json b/testdata/01-setup/mutation/09-trustOAuth2JwtGrantIssuer/request.json similarity index 96% rename from testdata/01-setup/mutation/10-trustJwtGrantIssuer/request.json rename to testdata/01-setup/mutation/09-trustOAuth2JwtGrantIssuer/request.json index 5a33324..45b6e4b 100644 --- a/testdata/01-setup/mutation/10-trustJwtGrantIssuer/request.json +++ b/testdata/01-setup/mutation/09-trustOAuth2JwtGrantIssuer/request.json 
@@ -3,10 +3,10 @@ "operations": [ { "type": "procedure", - "name": "trustJwtGrantIssuer", + "name": "trustOAuth2JwtGrantIssuer", "arguments": { "body": { - "allow_any_subject": false, + "allow_any_subject": true, "expires_at": "2040-01-01T00:00:00Z", "issuer": "etd1aDJlEd", "jwk": { @@ -28,8 +28,7 @@ "x5c": null, "y": null }, - "scope": ["StkNfiEI2M"], - "subject": "TibzF1JqYe" + "scope": ["StkNfiEI2M"] } }, "fields": { diff --git a/testdata/01-setup/mutation/11-introspectOAuth2Token/expected.json b/testdata/01-setup/mutation/10-introspectOAuth2Token/expected.json similarity index 100% rename from testdata/01-setup/mutation/11-introspectOAuth2Token/expected.json rename to testdata/01-setup/mutation/10-introspectOAuth2Token/expected.json diff --git a/testdata/01-setup/mutation/11-introspectOAuth2Token/request.json b/testdata/01-setup/mutation/10-introspectOAuth2Token/request.json similarity index 96% rename from testdata/01-setup/mutation/11-introspectOAuth2Token/request.json rename to testdata/01-setup/mutation/10-introspectOAuth2Token/request.json index 8b0cdcc..d9d0d73 100644 --- a/testdata/01-setup/mutation/11-introspectOAuth2Token/request.json +++ b/testdata/01-setup/mutation/10-introspectOAuth2Token/request.json @@ -6,8 +6,8 @@ "name": "introspectOAuth2Token", "arguments": { "body": { - "scope": "LaPNxdOGOl", - "token": "pQFJANQfMG" + "scope": "3dzFFNHez5", + "token": "fYwxrBwcrO" } }, "fields": { @@ -73,4 +73,4 @@ } } ] -} +} \ No newline at end of file diff --git a/testdata/01-setup/query/wellKnown/expected.json b/testdata/01-setup/query/discoverJsonWebKeys/expected.json similarity index 55% rename from testdata/01-setup/query/wellKnown/expected.json rename to testdata/01-setup/query/discoverJsonWebKeys/expected.json index 66cdb43..92a0e9c 100644 --- a/testdata/01-setup/query/wellKnown/expected.json +++ b/testdata/01-setup/query/discoverJsonWebKeys/expected.json 
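Review bot: The `@@ -3,10 +3,10 @@` and `@@ -28,8 +28,7 @@` hunks of 09-trustOAuth2JwtGrantIssuer/request.json switch the fixture to the most permissive form — `allow_any_subject: true` with `subject` removed from the body — and the expected result in the previous file section accordingly reports `"subject": ""`. That leaves the subject-restricted variant, which is the least-privilege way to trust a JWT grant issuer, with no coverage at all; keeping a second fixture with `"allow_any_subject": false` and a fixed `"subject"` would exercise both branches (presumably v2 requires exactly one of the two) and keep the restricted form as the documented example. The enclosing `body` object starts outside these hunks.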
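Review bot: The `@@ -73,4 +73,4 @@` hunk of 10-introspectOAuth2Token/request.json removes the file's trailing newline (`+}` followed by `\ No newline at end of file`), while discoverOidcConfiguration/request.json later in this diff gains one. Running all fixtures through the same formatter before committing would keep these whitespace-only hunks out of future diffs and make the JSON fixtures consistent with each other.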
@@ -12,7 +12,23 @@ "dq": null, "e": "AQAB", "k": null, - "kid": "public:hydra.openid.id-token", + "kty": "RSA", + "p": null, + "q": null, + "qi": null, + "use": "sig", + "x": null, + "x5c": null, + "y": null + }, + { + "alg": "RS256", + "crv": null, + "d": null, + "dp": null, + "dq": null, + "e": "AQAB", + "k": null, "kty": "RSA", "p": null, "q": null, diff --git a/testdata/01-setup/query/wellKnown/request.json b/testdata/01-setup/query/discoverJsonWebKeys/request.json similarity index 94% rename from testdata/01-setup/query/wellKnown/request.json rename to testdata/01-setup/query/discoverJsonWebKeys/request.json index b0c903a..da08cef 100644 --- a/testdata/01-setup/query/wellKnown/request.json +++ b/testdata/01-setup/query/discoverJsonWebKeys/request.json @@ -1,6 +1,6 @@ { "arguments": {}, - "collection": "wellKnown", + "collection": "discoverJsonWebKeys", "collection_relationships": {}, "query": { "fields": { @@ -41,10 +41,6 @@ "column": "k", "type": "column" }, - "kid": { - "column": "kid", - "type": "column" - }, "kty": { "column": "kty", "type": "column" diff --git a/testdata/01-setup/query/discoverOpenIDConfiguration/expected.json b/testdata/01-setup/query/discoverOidcConfiguration/expected.json similarity index 52% rename from testdata/01-setup/query/discoverOpenIDConfiguration/expected.json rename to testdata/01-setup/query/discoverOidcConfiguration/expected.json index 1cbab95..53b910d 100644 --- a/testdata/01-setup/query/discoverOpenIDConfiguration/expected.json +++ b/testdata/01-setup/query/discoverOidcConfiguration/expected.json 
@@ -3,13 +3,33 @@ "rows": [ { "__value": { - "authorization_endpoint": "http://localhost:4444/oauth2/auth", + "authorization_endpoint": "http://127.0.0.1:4444/oauth2/auth", "backchannel_logout_session_supported": true, "backchannel_logout_supported": true, "claims_parameter_supported": false, "claims_supported": ["sub"], "code_challenge_methods_supported": ["plain", "S256"], - "end_session_endpoint": "http://localhost:4444/oauth2/sessions/logout", + "credentials_endpoint_draft_00": "http://127.0.0.1:4444/credentials", + "credentials_supported_draft_00": [ + { + "cryptographic_binding_methods_supported": ["jwk"], + "cryptographic_suites_supported": [ + "PS256", + "RS256", + "ES256", + "PS384", + "RS384", + "ES384", + "PS512", + "RS512", + "ES512", + "EdDSA" + ], + "format": "jwt_vc_json", + "types": ["VerifiableCredential", "UserInfoCredential"] + } + ], + "end_session_endpoint": "http://127.0.0.1:4444/oauth2/sessions/logout", "frontchannel_logout_session_supported": true, "frontchannel_logout_supported": true, "grant_types_supported": [ @@ -18,11 +38,16 @@ "client_credentials", "refresh_token" ], + "id_token_signed_response_alg": ["RS256"], "id_token_signing_alg_values_supported": ["RS256"], - "issuer": "http://localhost:4444/", - "jwks_uri": "http://localhost:4444/.well-known/jwks.json", + "issuer": "http://127.0.0.1:4444", + "jwks_uri": "http://127.0.0.1:4444/.well-known/jwks.json", "registration_endpoint": null, - "request_object_signing_alg_values_supported": ["RS256", "none"], + "request_object_signing_alg_values_supported": [ + "none", + "RS256", + "ES256" + ], "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, 
@@ -35,17 +60,18 @@ "token", "token id_token code" ], - "revocation_endpoint": "http://localhost:4444/oauth2/revoke", + "revocation_endpoint": "http://127.0.0.1:4444/oauth2/revoke", "scopes_supported": ["offline_access", "offline", "openid"], - "subject_types_supported": ["public"], - "token_endpoint": "http://localhost:4444/oauth2/token", + "subject_types_supported": ["pairwise", "public"], + "token_endpoint": "http://127.0.0.1:4444/oauth2/token", "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", "private_key_jwt", "none" ], - "userinfo_endpoint": "http://localhost:4444/userinfo", + "userinfo_endpoint": "http://127.0.0.1:4444/userinfo", + "userinfo_signed_response_alg": ["RS256"], "userinfo_signing_alg_values_supported": ["none", "RS256"] } } diff --git a/testdata/01-setup/query/discoverOpenIDConfiguration/request.json b/testdata/01-setup/query/discoverOidcConfiguration/request.json similarity index 73% rename from testdata/01-setup/query/discoverOpenIDConfiguration/request.json rename to testdata/01-setup/query/discoverOidcConfiguration/request.json index f46e43c..8e43e88 100644 --- a/testdata/01-setup/query/discoverOpenIDConfiguration/request.json +++ b/testdata/01-setup/query/discoverOidcConfiguration/request.json @@ -1,6 +1,6 @@ { "arguments": {}, - "collection": "discoverOpenIDConfiguration", + "collection": "discoverOidcConfiguration", "collection_relationships": {}, "query": { "fields": { 
@@ -32,6 +32,38 @@ "column": "code_challenge_methods_supported", "type": "column" }, + "credentials_endpoint_draft_00": { + "column": "credentials_endpoint_draft_00", + "type": "column" + }, + "credentials_supported_draft_00": { + "column": "credentials_supported_draft_00", + "fields": { + "fields": { + "fields": { + "cryptographic_binding_methods_supported": { + "column": "cryptographic_binding_methods_supported", + "type": "column" + }, + "cryptographic_suites_supported": { + "column": "cryptographic_suites_supported", + "type": "column" + }, + "format": { + "column": "format", + "type": "column" + }, + "types": { + "column": "types", + "type": "column" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": "column" + }, "end_session_endpoint": { "column": "end_session_endpoint", "type": "column" @@ -48,6 +80,10 @@ "column": "grant_types_supported", "type": "column" }, + "id_token_signed_response_alg": { + "column": "id_token_signed_response_alg", + "type": "column" + }, "id_token_signing_alg_values_supported": { "column": "id_token_signing_alg_values_supported", "type": "column" @@ -112,6 +148,10 @@ "column": "userinfo_endpoint", "type": "column" }, + "userinfo_signed_response_alg": { + "column": "userinfo_signed_response_alg", + "type": "column" + }, "userinfo_signing_alg_values_supported": { "column": "userinfo_signing_alg_values_supported", "type": "column" @@ -123,4 +163,4 @@ } } } -} \ No newline at end of file +} diff --git a/testdata/01-setup/query/getVersion/expected.json b/testdata/01-setup/query/getVersion/expected.json index 9c4f5c2..00862ae 100644 --- a/testdata/01-setup/query/getVersion/expected.json +++ b/testdata/01-setup/query/getVersion/expected.json @@ -1 +1 @@ -[{ "rows": [{ "__value": { "version": "v1.11.10" } }] }] +[{ "rows": [{ "__value": { "version": "v2.2.0" } }] }] 
diff --git a/testdata/01-setup/query/isInstanceAlive/expected.json b/testdata/01-setup/query/isAlive/expected.json similarity index 100% rename from testdata/01-setup/query/isInstanceAlive/expected.json rename to testdata/01-setup/query/isAlive/expected.json diff --git a/testdata/01-setup/query/isInstanceReady/request.json b/testdata/01-setup/query/isAlive/request.json similarity index 91% rename from testdata/01-setup/query/isInstanceReady/request.json rename to testdata/01-setup/query/isAlive/request.json index 453642d..d3fe95b 100644 --- a/testdata/01-setup/query/isInstanceReady/request.json +++ b/testdata/01-setup/query/isAlive/request.json @@ -1,6 +1,6 @@ { "arguments": {}, - "collection": "isInstanceReady", + "collection": "isAlive", "collection_relationships": {}, "query": { "fields": { diff --git a/testdata/01-setup/query/isInstanceReady/expected.json b/testdata/01-setup/query/isReady/expected.json similarity index 100% rename from testdata/01-setup/query/isInstanceReady/expected.json rename to testdata/01-setup/query/isReady/expected.json diff --git a/testdata/01-setup/query/isInstanceAlive/request.json b/testdata/01-setup/query/isReady/request.json similarity index 91% rename from testdata/01-setup/query/isInstanceAlive/request.json rename to testdata/01-setup/query/isReady/request.json index 70d1cee..659ea36 100644 --- a/testdata/01-setup/query/isInstanceAlive/request.json +++ b/testdata/01-setup/query/isReady/request.json @@ -1,6 +1,6 @@ { "arguments": {}, - "collection": "isInstanceAlive", + "collection": "isReady", "collection_relationships": {}, "query": { "fields": { diff --git a/testdata/01-setup/query/listSubjectConsentSessions/request.json b/testdata/01-setup/query/listSubjectConsentSessions/request.json deleted file mode 100644 index 1c5dadb..0000000 --- a/testdata/01-setup/query/listSubjectConsentSessions/request.json +++ /dev/null 
@@ -1,342 +0,0 @@ -{ - "arguments": { - "limit": { - "type": "literal", - "value": 10 - }, - "offset": { - "type": "literal", - "value": 0 - }, - "subject": { - "type": "literal", - "value": "oh3Y0W34jO" - } - }, - "collection": "listSubjectConsentSessions", - "collection_relationships": {}, - "query": { - "fields": { - "__value": { - "column": "__value", - "fields": { - "fields": { - "fields": { - "consent_request": { - "column": "consent_request", - "fields": { - "fields": { - "acr": { - "column": "acr", - "type": "column" - }, - "amr": { - "column": "amr", - "type": "column" - }, - "challenge": { - "column": "challenge", - "type": "column" - }, - "client": { - "column": "client", - "fields": { - "fields": { - "allowed_cors_origins": { - "column": "allowed_cors_origins", - "type": "column" - }, - "audience": { - "column": "audience", - "type": "column" - }, - "authorization_code_grant_access_token_lifespan": { - "column": "authorization_code_grant_access_token_lifespan", - "type": "column" - }, - "authorization_code_grant_id_token_lifespan": { - "column": "authorization_code_grant_id_token_lifespan", - "type": "column" - }, - "authorization_code_grant_refresh_token_lifespan": { - "column": "authorization_code_grant_refresh_token_lifespan", - "type": "column" - }, - "backchannel_logout_session_required": { - "column": "backchannel_logout_session_required", - "type": "column" - }, - "backchannel_logout_uri": { - "column": "backchannel_logout_uri", - "type": "column" - }, - "client_credentials_grant_access_token_lifespan": { - "column": "client_credentials_grant_access_token_lifespan", - "type": "column" - }, - "client_id": { - "column": "client_id", - "type": "column" - }, - "client_name": { - "column": "client_name", - "type": "column" - }, - "client_secret": { - "column": "client_secret", - "type": "column" - }, - "client_secret_expires_at": { - "column": "client_secret_expires_at", - "type": "column" - }, - "client_uri": { - "column": "client_uri", - "type": 
"column" - }, - "contacts": { - "column": "contacts", - "type": "column" - }, - "frontchannel_logout_session_required": { - "column": "frontchannel_logout_session_required", - "type": "column" - }, - "frontchannel_logout_uri": { - "column": "frontchannel_logout_uri", - "type": "column" - }, - "grant_types": { - "column": "grant_types", - "type": "column" - }, - "implicit_grant_access_token_lifespan": { - "column": "implicit_grant_access_token_lifespan", - "type": "column" - }, - "implicit_grant_id_token_lifespan": { - "column": "implicit_grant_id_token_lifespan", - "type": "column" - }, - "jwks": { - "column": "jwks", - "type": "column" - }, - "jwks_uri": { - "column": "jwks_uri", - "type": "column" - }, - "jwt_bearer_grant_access_token_lifespan": { - "column": "jwt_bearer_grant_access_token_lifespan", - "type": "column" - }, - "logo_uri": { - "column": "logo_uri", - "type": "column" - }, - "metadata": { - "column": "metadata", - "type": "column" - }, - "owner": { - "column": "owner", - "type": "column" - }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, - "policy_uri": { - "column": "policy_uri", - "type": "column" - }, - "post_logout_redirect_uris": { - "column": "post_logout_redirect_uris", - "type": "column" - }, - "redirect_uris": { - "column": "redirect_uris", - "type": "column" - }, - "refresh_token_grant_access_token_lifespan": { - "column": "refresh_token_grant_access_token_lifespan", - "type": "column" - }, - "refresh_token_grant_id_token_lifespan": { - "column": "refresh_token_grant_id_token_lifespan", - "type": "column" - }, - "refresh_token_grant_refresh_token_lifespan": { - "column": "refresh_token_grant_refresh_token_lifespan", - "type": "column" - }, - "registration_access_token": { - "column": "registration_access_token", - "type": "column" - }, - 
"registration_client_uri": { - "column": "registration_client_uri", - "type": "column" - }, - "request_object_signing_alg": { - "column": "request_object_signing_alg", - "type": "column" - }, - "request_uris": { - "column": "request_uris", - "type": "column" - }, - "response_types": { - "column": "response_types", - "type": "column" - }, - "scope": { - "column": "scope", - "type": "column" - }, - "sector_identifier_uri": { - "column": "sector_identifier_uri", - "type": "column" - }, - "subject_type": { - "column": "subject_type", - "type": "column" - }, - "token_endpoint_auth_method": { - "column": "token_endpoint_auth_method", - "type": "column" - }, - "token_endpoint_auth_signing_alg": { - "column": "token_endpoint_auth_signing_alg", - "type": "column" - }, - "tos_uri": { - "column": "tos_uri", - "type": "column" - }, - "userinfo_signed_response_alg": { - "column": "userinfo_signed_response_alg", - "type": "column" - } - }, - "type": "object" - }, - "type": "column" - }, - "context": { - "column": "context", - "type": "column" - }, - "login_challenge": { - "column": "login_challenge", - "type": "column" - }, - "login_session_id": { - "column": "login_session_id", - "type": "column" - }, - "oidc_context": { - "column": "oidc_context", - "fields": { - "fields": { - "acr_values": { - "column": "acr_values", - "type": "column" - }, - "display": { - "column": "display", - "type": "column" - }, - "id_token_hint_claims": { - "column": "id_token_hint_claims", - "type": "column" - }, - "login_hint": { - "column": "login_hint", - "type": "column" - }, - "ui_locales": { - "column": "ui_locales", - "type": "column" - } - }, - "type": "object" - }, - "type": "column" - }, - "request_url": { - "column": "request_url", - "type": "column" - }, - "requested_access_token_audience": { - "column": "requested_access_token_audience", - "type": "column" - }, - "requested_scope": { - "column": "requested_scope", - "type": "column" - }, - "skip": { - "column": "skip", - "type": "column" 
- }, - "subject": { - "column": "subject", - "type": "column" - } - }, - "type": "object" - }, - "type": "column" - }, - "grant_access_token_audience": { - "column": "grant_access_token_audience", - "type": "column" - }, - "grant_scope": { - "column": "grant_scope", - "type": "column" - }, - "handled_at": { - "column": "handled_at", - "type": "column" - }, - "remember": { - "column": "remember", - "type": "column" - }, - "remember_for": { - "column": "remember_for", - "type": "column" - }, - "session": { - "column": "session", - "fields": { - "fields": { - "access_token": { - "column": "access_token", - "type": "column" - }, - "id_token": { - "column": "id_token", - "type": "column" - } - }, - "type": "object" - }, - "type": "column" - } - }, - "type": "object" - }, - "type": "array" - }, - "type": "column" - } - } - } -} diff --git a/testdata/02-getData/query/getJsonWebKeySet/expected.json b/testdata/02-getData/query/getJsonWebKeySet/expected.json index e5c7420..a77fa7d 100644 --- a/testdata/02-getData/query/getJsonWebKeySet/expected.json +++ b/testdata/02-getData/query/getJsonWebKeySet/expected.json 
@@ -7,16 +7,12 @@ { "alg": "RS256", "crv": null, - "d": "GRSr36MI4AvopL53amId5_yNc2PJU5ingxssc4T09y9NPaVzcKJ4AvJT_1iLWJE2H3kU5OC4_mq_PaLgTs0CIALT7vngRZizXfJNcMBoV7hztkfM-sH7GL8lpfs3V8kJnBrhGsZJjUGdWM6Q9bbQQSuQBJeIXnAGDbp-voI0Gy83uEpukHa5WpB6CzzD6-ivZpD5LF_g4zmWscht1CYENkk9wcmU9A34HH1vxAzRhktE6Rd7s_twMCwzsrNEDpfKpoC0ltOdOr9zCdekM344_hCjkxdXiTZ7qzH3e64OuSBGHLNmdMD1YzEi5WIdK-er8A57j9HQqDIY2DePVEk4veInAPG_b8fFUDFjDMX4yMBzkluJqlFIH33ce8-lcCrLkIOJdiQFEVGZNTX_ZkfgmT_zjIMnHGlgVvL61akP2RhWB-M0DDy7YCImgXT4EqPW53RuN8g6FewuHAIJ3Ka0F-a-1u6Uf34bM9RPY6rcfYGMYDmqf-9chip68Z1qrxPVDkoJXQZh4afdLv0HQntxdMkwnFIadqX0fppiBJXe2Um03D6so9RXD9moab31S5vLmWqq-0i9LVi819JQ_Y8bKSsZprkBywpsU3RudTFh7HWW58RguXXNduyzyILiI2a7cH80E52Mb-jzpWuHslgMdIWzVNrGgAkXrjIJ6hwLtpE", "dp": null, "dq": null, "e": "AQAB", "k": null, "kid": "private:eAJi2E8Clh", "kty": "RSA", - "n": "yLKyzaQeWovuRB0jGP3SLfaK6DhpQaPzHUdQ6pntf_ojCcYlEwB1MqXh64MNucARhpIMEG312Ht0-mCVlsPzp2IVr8l2kzD6xNmosvn4YIxkPB_cEjjSYvgiqzGdsd4pC7Sk94qbRg21rro5xdqNaLUU0omQSMewaQr0d08J27hSwT1Kq9UL2wxVoxCqUAnbF7R5MluP0dDsab-Y3iylrMZsvwamV3zZIT5180Pg1vPI33EdbY_6XIjnhbARD-_I7unHWLcr5aPIht3eNvbTT4IFPis3t-ulx8mSBky4BPhJbGLfbzJERXiIPKvfLhmgV9jagBMFAGYOs25zRfjHxxrL3-WObPHLJZNSg2qUIDvS1JmtkUQG1RhxeGgJEC9kSyntDFEVAZFUkCztr2Oo46q7Mnag7SVGMD9deVvE9i7jlapYRNTzEzePUhsCzepc6GO9MO61NTE_Qp3sxHmxURkgp9hkOBng_YsusNf4Af0eBd93md8a3bHd3BR4iSAp1MRzC03Eob0AmvJUNpImQu-f5tqf8nAWzvH6OfgIXtUMKiu9QeM_Jm3BIcW38ZxzZEkAMKeD46gvesWuKjyOzMzs3XMtZ5PCoBIPJjaryP0-8ii3NFIMLRj63j6gohjxHnW6KqS0OWpgq_gKFr_E6_FDCYv7dIYDdWmth_fu4cM", - "p": "-NP2Sc8RXFccjfzMYe0LZc9lptSTPDMMgLL4nWXIlCmIoxJlNvzNypz4wy97cHmSi_t3tJCAJ2G69KO-tJ8rpmDlqQNE7vaL5Rtsaz8thcgtZpftF4Kp9wlALWuaWcz3szj2fSuqO6tbGDYI5UeyBUn77HS6ZiSJ93KaO2TYRmZvL4hHvtvrS_mj-MnZ6mLWwa0jQFYvcK9vZaHLJMDFBjH0McFdkSE4OBYvmIJ2AqmYPmwndUbPFjXs7dWTo975wgfTpmzcTiKb-Z_mu2zdMJYw-cU9e8-jpLA6R2Lc25nEtKwC7m0yN77tke7eJrByzBIunGsnzxbDh1GQXo3k1Q", - "q": 
"znuZELOen_vxzkhU6li6JnXfoQOx2319AyVo2CohhvukHCQuRrFSo1EqiUtKimG7QPt6yHPWsJmeArb1W6UBOnTNWUsDv_1AcdC-oYZ_sz1LK3rHe93kva34brIXqjcJujcI5VW_HHP23CV67d6_7oRmyHpqIr1D8WXQvx-tpW8PVsmo_0h8H2smas9046eonI6BQG3fPdIhwXbI-c6I-VuudTyEVEbvP_l74tiJQeqkZfaPvOIOMkIN5pMDPrRxIq_35l4Eu3xy2UwASJLSTvX7KE2d3HWHMtDipdN8UdHnlMbMs5ZwfhoC8Pr3lw30K6Jtl9_7NRbaNyBisGPYNw", "qi": null, "use": "sig", "x": null, diff --git a/testdata/02-getData/query/getJsonWebKeySet/request.json b/testdata/02-getData/query/getJsonWebKeySet/request.json index a3e9111..b8db2fc 100644 --- a/testdata/02-getData/query/getJsonWebKeySet/request.json +++ b/testdata/02-getData/query/getJsonWebKeySet/request.json @@ -26,10 +26,6 @@ "column": "crv", "type": "column" }, - "d": { - "column": "d", - "type": "column" - }, "dp": { "column": "dp", "type": "column" @@ -54,18 +50,6 @@ "column": "kty", "type": "column" }, - "n": { - "column": "n", - "type": "column" - }, - "p": { - "column": "p", - "type": "column" - }, - "q": { - "column": "q", - "type": "column" - }, "qi": { "column": "qi", "type": "column" diff --git a/testdata/02-getData/query/getOAuth2Client/expected.json b/testdata/02-getData/query/getOAuth2Client/expected.json index 105097e..b75c130 100644 --- a/testdata/02-getData/query/getOAuth2Client/expected.json +++ b/testdata/02-getData/query/getOAuth2Client/expected.json @@ -27,8 +27,6 @@ "logo_uri": "http://localhost:3000/logo", "metadata": { "foo": "baz" }, "owner": "test", - "password_grant_access_token_lifespan": "1h0m0s", - "password_grant_refresh_token_lifespan": "2h0m0s", "policy_uri": "http://localhost:3000/policy_uri", "post_logout_redirect_uris": ["http://localhost:3000/post-logout"], "redirect_uris": ["http://localhost:3000/redirect_uris"], 
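Review bot: The old side of this hunk shows that a complete RSA private key (`d`, `p`, `q` for `kid` `private:eAJi2E8Clh`) had been committed in `getJsonWebKeySet/expected.json`; dropping those members here, and dropping the matching `d`/`n`/`p`/`q` selections in the two `getJsonWebKeySet/request.json` hunks, is the right direction, but the fixture still selects and asserts the CRT parameters `dp`, `dq` and `qi` (currently `null`). Unless a test depends on them, remove those three column selections from `request.json` as well, so a Hydra version that starts populating them cannot pull private-key material back into the committed expected output. If the key whose components were committed was ever used outside this throwaway test harness, it should be treated as disclosed and rotated.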
@@ -40,12 +38,15 @@ "request_object_signing_alg": "none", "request_uris": ["http://localhost:3000/request_uris"], "response_types": ["token"], + "scope": "offline", "sector_identifier_uri": null, + "skip_consent": false, + "skip_logout_consent": true, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", "token_endpoint_auth_signing_alg": "none", "tos_uri": "none", - "userinfo_signed_response_alg": "none" + "userinfo_signed_response_alg": "RS256" } } ] diff --git a/testdata/02-getData/query/getOAuth2Client/request.json b/testdata/02-getData/query/getOAuth2Client/request.json index a152d5e..5af2571 100644 --- a/testdata/02-getData/query/getOAuth2Client/request.json +++ b/testdata/02-getData/query/getOAuth2Client/request.json @@ -109,14 +109,6 @@ "column": "owner", "type": "column" }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, "policy_uri": { "column": "policy_uri", "type": "column" @@ -161,10 +153,22 @@ "column": "response_types", "type": "column" }, + "scope": { + "column": "scope", + "type": "column" + }, "sector_identifier_uri": { "column": "sector_identifier_uri", "type": "column" }, + "skip_consent": { + "column": "skip_consent", + "type": "column" + }, + "skip_logout_consent": { + "column": "skip_logout_consent", + "type": "column" + }, "subject_type": { "column": "subject_type", "type": "column" diff --git a/testdata/02-getData/query/listOAuth2Clients/expected.json b/testdata/02-getData/query/listOAuth2Clients/expected.json index 48a0c87..ad0a944 100644 --- a/testdata/02-getData/query/listOAuth2Clients/expected.json +++ b/testdata/02-getData/query/listOAuth2Clients/expected.json 
@@ -28,8 +28,6 @@ "logo_uri": "http://localhost:3000/logo", "metadata": { "foo": "baz" }, "owner": "test", - "password_grant_access_token_lifespan": "1h0m0s", - "password_grant_refresh_token_lifespan": "2h0m0s", "policy_uri": "http://localhost:3000/policy_uri", "post_logout_redirect_uris": ["http://localhost:3000/post-logout"], "redirect_uris": ["http://localhost:3000/redirect_uris"], @@ -41,12 +39,15 @@ "request_object_signing_alg": "none", "request_uris": ["http://localhost:3000/request_uris"], "response_types": ["token"], + "scope": "offline", "sector_identifier_uri": null, + "skip_consent": false, + "skip_logout_consent": true, "subject_type": "public", "token_endpoint_auth_method": "client_secret_post", "token_endpoint_auth_signing_alg": "none", "tos_uri": "none", - "userinfo_signed_response_alg": "none" + "userinfo_signed_response_alg": "RS256" } ] } diff --git a/testdata/02-getData/query/listOAuth2Clients/request.json b/testdata/02-getData/query/listOAuth2Clients/request.json index 64685e8..6105f72 100644 --- a/testdata/02-getData/query/listOAuth2Clients/request.json +++ b/testdata/02-getData/query/listOAuth2Clients/request.json @@ -4,17 +4,13 @@ "type": "literal", "value": "Test client updated" }, - "limit": { - "type": "literal", - "value": 10 - }, - "offset": { - "type": "literal", - "value": 0 - }, "owner": { "type": "literal", "value": "test" + }, + "page_size": { + "type": "literal", + "value": 10 } }, "collection": "listOAuth2Clients", @@ -122,14 +118,6 @@ "column": "owner", "type": "column" }, - "password_grant_access_token_lifespan": { - "column": "password_grant_access_token_lifespan", - "type": "column" - }, - "password_grant_refresh_token_lifespan": { - "column": "password_grant_refresh_token_lifespan", - "type": "column" - }, "policy_uri": { "column": "policy_uri", "type": "column" 
@@ -174,10 +162,22 @@ "column": "response_types", "type": "column" }, + "scope": { + "column": "scope", + "type": "column" + }, "sector_identifier_uri": { "column": "sector_identifier_uri", "type": "column" }, + "skip_consent": { + "column": "skip_consent", + "type": "column" + }, + "skip_logout_consent": { + "column": "skip_logout_consent", + "type": "column" + }, "subject_type": { "column": "subject_type", "type": "column" diff --git a/testdata/02-getData/query/listTrustedJwtGrantIssuers/expected.json b/testdata/02-getData/query/listTrustedJwtGrantIssuers/expected.json deleted file mode 100644 index 55b091a..0000000 --- a/testdata/02-getData/query/listTrustedJwtGrantIssuers/expected.json +++ /dev/null @@ -1,18 +0,0 @@ -[ - { - "rows": [ - { - "__value": [ - { - "allow_any_subject": false, - "expires_at": "2040-01-01T00:00:00Z", - "issuer": "etd1aDJlEd", - "public_key": { "kid": "private:eAJi2E8Clh", "set": "etd1aDJlEd" }, - "scope": ["StkNfiEI2M"], - "subject": "TibzF1JqYe" - } - ] - } - ] - } -] diff --git a/testdata/01-setup/query/listSubjectConsentSessions/expected.json b/testdata/02-getData/query/listTrustedOAuth2JwtGrantIssuers/expected.json similarity index 100% rename from testdata/01-setup/query/listSubjectConsentSessions/expected.json rename to testdata/02-getData/query/listTrustedOAuth2JwtGrantIssuers/expected.json diff --git a/testdata/02-getData/query/listTrustedJwtGrantIssuers/request.json b/testdata/02-getData/query/listTrustedOAuth2JwtGrantIssuers/request.json similarity index 81% rename from testdata/02-getData/query/listTrustedJwtGrantIssuers/request.json rename to testdata/02-getData/query/listTrustedOAuth2JwtGrantIssuers/request.json index 2288268..9867d70 100644 --- a/testdata/02-getData/query/listTrustedJwtGrantIssuers/request.json +++ b/testdata/02-getData/query/listTrustedOAuth2JwtGrantIssuers/request.json 
@@ -1,19 +1,19 @@ { "arguments": { - "issuer": { + "DefaultItems": { "type": "literal", - "value": "etd1aDJlEd" + "value": 10 }, - "limit": { + "MaxItems": { "type": "literal", "value": 10 }, - "offset": { + "issuer": { "type": "literal", - "value": 0 + "value": "6HOCk4qgcn" } }, - "collection": "listTrustedJwtGrantIssuers", + "collection": "listTrustedOAuth2JwtGrantIssuers", "collection_relationships": {}, "query": { "fields": { @@ -26,10 +26,18 @@ "column": "allow_any_subject", "type": "column" }, + "created_at": { + "column": "created_at", + "type": "column" + }, "expires_at": { "column": "expires_at", "type": "column" }, + "id": { + "column": "id", + "type": "column" + }, "issuer": { "column": "issuer", "type": "column" diff --git a/testdata/03-cleanup/mutation/01-rejectLogoutRequest/expected.json b/testdata/03-cleanup/mutation/01-rejectLogoutRequest/expected.json deleted file mode 100644 index e62ec74..0000000 --- a/testdata/03-cleanup/mutation/01-rejectLogoutRequest/expected.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "operation_results": [ - { - "result": true, - "type": "procedure" - } - ] -} diff --git a/testdata/03-cleanup/mutation/01-rejectLogoutRequest/request.json b/testdata/03-cleanup/mutation/01-rejectLogoutRequest/request.json deleted file mode 100644 index 33f3724..0000000 --- a/testdata/03-cleanup/mutation/01-rejectLogoutRequest/request.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "collection_relationships": {}, - "operations": [ - { - "type": "procedure", - "name": "rejectLogoutRequest", - "arguments": { - "body": { - "error": "k4iDrz9ZY9", - "error_debug": "65Utc1tt0r", - "error_description": "poQ76Ab9wa", - "error_hint": "TyGMw0igWO", - "status_code": "6038855996888211756" - }, - "logout_challenge": "0gLczrTMZ6" - } - } - ] -} \ No newline at end of file 
diff --git a/testdata/03-cleanup/mutation/02-revokeAuthenticationSession/expected.json b/testdata/03-cleanup/mutation/01-revokeOAuth2ConsentSessions/expected.json similarity index 100% rename from testdata/03-cleanup/mutation/02-revokeAuthenticationSession/expected.json rename to testdata/03-cleanup/mutation/01-revokeOAuth2ConsentSessions/expected.json diff --git a/testdata/03-cleanup/mutation/03-revokeConsentSessions/request.json b/testdata/03-cleanup/mutation/01-revokeOAuth2ConsentSessions/request.json similarity index 57% rename from testdata/03-cleanup/mutation/03-revokeConsentSessions/request.json rename to testdata/03-cleanup/mutation/01-revokeOAuth2ConsentSessions/request.json index fcf28c3..96aef45 100644 --- a/testdata/03-cleanup/mutation/03-revokeConsentSessions/request.json +++ b/testdata/03-cleanup/mutation/01-revokeOAuth2ConsentSessions/request.json @@ -3,11 +3,11 @@ "operations": [ { "type": "procedure", - "name": "revokeConsentSessions", + "name": "revokeOAuth2ConsentSessions", "arguments": { "all": false, - "client": "D1btRXgLLv", - "subject": "mNMMhSMG6n" + "client": "Bi66JVozLG", + "subject": "TyXDXJg3k7" } } ] diff --git a/testdata/03-cleanup/mutation/03-revokeConsentSessions/expected.json b/testdata/03-cleanup/mutation/02-revokeOAuth2LoginSessions/expected.json similarity index 100% rename from testdata/03-cleanup/mutation/03-revokeConsentSessions/expected.json rename to testdata/03-cleanup/mutation/02-revokeOAuth2LoginSessions/expected.json diff --git a/testdata/03-cleanup/mutation/02-revokeAuthenticationSession/request.json b/testdata/03-cleanup/mutation/02-revokeOAuth2LoginSessions/request.json similarity index 54% rename from testdata/03-cleanup/mutation/02-revokeAuthenticationSession/request.json rename to testdata/03-cleanup/mutation/02-revokeOAuth2LoginSessions/request.json index 28b8dfa..a2a6cb3 100644 --- a/testdata/03-cleanup/mutation/02-revokeAuthenticationSession/request.json 
+++ b/testdata/03-cleanup/mutation/02-revokeOAuth2LoginSessions/request.json @@ -3,9 +3,10 @@ "operations": [ { "type": "procedure", - "name": "revokeAuthenticationSession", + "name": "revokeOAuth2LoginSessions", "arguments": { - "subject": "Aj0GdX5REb" + "sid": "8UNRGYWiRb", + "subject": "9PIQZxuHCQ" } } ] diff --git a/testdata/03-cleanup/mutation/04-deleteJsonWebKey/expected.json b/testdata/03-cleanup/mutation/03-deleteJsonWebKey/expected.json similarity index 100% rename from testdata/03-cleanup/mutation/04-deleteJsonWebKey/expected.json rename to testdata/03-cleanup/mutation/03-deleteJsonWebKey/expected.json diff --git a/testdata/03-cleanup/mutation/04-deleteJsonWebKey/request.json b/testdata/03-cleanup/mutation/03-deleteJsonWebKey/request.json similarity index 100% rename from testdata/03-cleanup/mutation/04-deleteJsonWebKey/request.json rename to testdata/03-cleanup/mutation/03-deleteJsonWebKey/request.json diff --git a/testdata/03-cleanup/mutation/05-deleteJsonWebKeySet/expected.json b/testdata/03-cleanup/mutation/04-deleteJsonWebKeySet/expected.json similarity index 100% rename from testdata/03-cleanup/mutation/05-deleteJsonWebKeySet/expected.json rename to testdata/03-cleanup/mutation/04-deleteJsonWebKeySet/expected.json diff --git a/testdata/03-cleanup/mutation/05-deleteJsonWebKeySet/request.json b/testdata/03-cleanup/mutation/04-deleteJsonWebKeySet/request.json similarity index 100% rename from testdata/03-cleanup/mutation/05-deleteJsonWebKeySet/request.json rename to testdata/03-cleanup/mutation/04-deleteJsonWebKeySet/request.json diff --git a/testdata/03-cleanup/mutation/deleteOAuth2Client/expected.json b/testdata/03-cleanup/mutation/05-deleteOAuth2Client/expected.json similarity index 100% rename from testdata/03-cleanup/mutation/deleteOAuth2Client/expected.json rename to testdata/03-cleanup/mutation/05-deleteOAuth2Client/expected.json 
diff --git a/testdata/03-cleanup/mutation/deleteOAuth2Client/request.json b/testdata/03-cleanup/mutation/05-deleteOAuth2Client/request.json similarity index 100% rename from testdata/03-cleanup/mutation/deleteOAuth2Client/request.json rename to testdata/03-cleanup/mutation/05-deleteOAuth2Client/request.json diff --git a/testdata/03-cleanup/mutation/06-deleteOAuth2Token/expected.json b/testdata/03-cleanup/mutation/06-deleteOAuth2Token/expected.json index 777dfc1..e28c88a 100644 --- a/testdata/03-cleanup/mutation/06-deleteOAuth2Token/expected.json +++ b/testdata/03-cleanup/mutation/06-deleteOAuth2Token/expected.json @@ -1 +1,8 @@ -{ "operation_results": [{ "result": true, "type": "procedure" }] } +{ + "operation_results": [ + { + "result": true, + "type": "procedure" + } + ] +} \ No newline at end of file diff --git a/testdata/03-cleanup/mutation/06-deleteOAuth2Token/request.json b/testdata/03-cleanup/mutation/06-deleteOAuth2Token/request.json index c549a32..dadf8af 100644 --- a/testdata/03-cleanup/mutation/06-deleteOAuth2Token/request.json +++ b/testdata/03-cleanup/mutation/06-deleteOAuth2Token/request.json @@ -5,7 +5,7 @@ "type": "procedure", "name": "deleteOAuth2Token", "arguments": { - "client_id": "2tQDnpJogH" + "client_id": "9dX7Ph9Zgs" } } ] diff --git a/testdata/hydra.yml b/testdata/hydra.yml new file mode 100644 index 0000000..72b8ef7 --- /dev/null +++ b/testdata/hydra.yml @@ -0,0 +1,29 @@ +serve: + cookies: + same_site_mode: Lax + +urls: + self: + issuer: http://127.0.0.1:4444 + consent: http://127.0.0.1:3000/consent + login: http://127.0.0.1:3000/login + logout: http://127.0.0.1:3000/logout + +secrets: + system: + - youReallyNeedToChangeThis + +oidc: + dynamic_client_registration: + enabled: true + subject_identifiers: + supported_types: + - pairwise + - public + pairwise: + salt: youReallyNeedToChangeThis + +log: + level: info + format: text + leak_sensitive_values: true
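Review bot: The new `testdata/hydra.yml` carries `leak_sensitive_values: true`, the placeholder `secrets.system` / `oidc.subject_identifiers.pairwise.salt` value `youReallyNeedToChangeThis`, and `dynamic_client_registration.enabled: true`, yet nothing in the file says it is test-only, so it is one copy-paste away from becoming a deployment config. Add a header comment at the top of the file such as `# Integration-test config for the connector's test harness only. Placeholder secrets, open dynamic client registration and leak_sensitive_values are deliberate here and must never be reused for a real Hydra deployment.` The `urls.self.issuer` value `http://127.0.0.1:4444` is what the `discoverOidcConfiguration/expected.json` hunks now assert, so a second comment on that line noting that the two must be kept in sync would save the next maintainer a failing run.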