REST API
Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here.
You are viewing REST API documentation. This documentation is auto-generated from a swagger specification which itself is generated from annotations in the source code of the project. It is possible that this documentation includes bugs and that code samples are incomplete or wrong.
If you find issues in the respective documentation, please do not edit the Markdown files directly (as they are generated) but raise an issue on the project's GitHub presence instead. This documentation will improve over time with your help! If you have ideas how to improve this part of the documentation, feel free to share them in a GitHub issue any time.
Authentication
HTTP Authentication, scheme: basic - OAuth 2.0 Authorization. - Flow: authorizationCode
OAuth 2.0 Authorization URL = /oauth2/auth
OAuth 2.0 Token URL = /oauth2/token
OAuth 2.0 Scope
Scope Scope Description offline A scope required when requesting refresh tokens (alias for offline_access)offline_access A scope required when requesting refresh tokens openid Request an OpenID Connect ID Token
Public Endpoints
JSON Web Keys Discovery
GET /.well-known/jwks.json HTTP/1.1
Accept: application/json
This endpoint returns JSON Web Keys to be used as public keys for verifying OpenID Connect ID Tokens and, if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like node-jwks-rsa among others.
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | JSONWebKeySet | JSONWebKeySet |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
Code samples
curl -X GET /.well-known/jwks.json \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/.well-known/jwks.json", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/.well-known/jwks.json', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/.well-known/jwks.json");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/.well-known/jwks.json',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/.well-known/jwks.json',
params: {}, headers: headers
p JSON.parse(result)
OpenID Connect Discovery
GET /.well-known/openid-configuration HTTP/1.1
Accept: application/json
The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html .
Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others. For a full list of clients go here: https://openid.net/developers/certified/
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | wellKnown | wellKnown |
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"authorization_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/auth",
"backchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"claims_parameter_supported": true,
"claims_supported": ["string"],
"end_session_endpoint": "string",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"grant_types_supported": ["string"],
"id_token_signing_alg_values_supported": ["string"],
"issuer": "https://playground.ory.sh/ory-hydra/public/",
"jwks_uri": "https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json",
"registration_endpoint": "https://playground.ory.sh/ory-hydra/admin/client",
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": ["string"],
"response_types_supported": ["string"],
"revocation_endpoint": "string",
"scopes_supported": ["string"],
"subject_types_supported": ["string"],
"token_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/token",
"token_endpoint_auth_methods_supported": ["string"],
"userinfo_endpoint": "string",
"userinfo_signing_alg_values_supported": ["string"]
}
Code samples
curl -X GET /.well-known/openid-configuration \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/.well-known/openid-configuration", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/.well-known/openid-configuration', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/.well-known/openid-configuration");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/.well-known/openid-configuration',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/.well-known/openid-configuration',
params: {}, headers: headers
p JSON.parse(result)
Check readiness status
GET /health/ready HTTP/1.1
Accept: application/json
This endpoint returns a 200 status code when the HTTP server is up running and the environment dependencies (e.g. the database) are responsive as well.
If the service supports TLS Edge Termination, this endpoint does not require the
X-Forwarded-Proto header to be set.
Be aware that if you are running multiple nodes of this service, the health status will never refer to the cluster state, only to a single instance.
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | healthStatus | healthStatus |
| 503 | Service Unavailable | healthNotReadyStatus | healthNotReadyStatus |
Examples
200 response
{
"status": "string"
}
Code samples
curl -X GET /health/ready \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/health/ready", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/health/ready', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/health/ready");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/health/ready',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/health/ready',
params: {}, headers: headers
p JSON.parse(result)
The OAuth 2.0 authorize endpoint
GET /oauth2/auth HTTP/1.1
Accept: application/json
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.
To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 302 | Found | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X GET /oauth2/auth \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/oauth2/auth',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/oauth2/auth',
params: {}, headers: headers
p JSON.parse(result)
Revoke OAuth2 tokens
POST /oauth2/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by the client the token was generated for.
Request body
token: string
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | object | false | none |
| » token | body | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X POST /oauth2/revoke \
-H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/x-www-form-urlencoded"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/oauth2/revoke", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"token": "string"
}';
const headers = {
'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'
}
fetch('/oauth2/revoke', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/revoke");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json'
}
r = requests.post(
'/oauth2/revoke',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept' => 'application/json'
}
result = RestClient.post '/oauth2/revoke',
params: {}, headers: headers
p JSON.parse(result)
OpenID Connect Front-Backchannel enabled Logout
GET /oauth2/sessions/logout HTTP/1.1
This endpoint initiates and completes user logout at ORY Hydra and initiates OpenID Connect Front-/Back-channel logout:
https://openid.net/specs/openid-connect-frontchannel-1_0.html https://openid.net/specs/openid-connect-backchannel-1_0.html
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 302 | Found | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None |
Code samples
curl -X GET /oauth2/sessions/logout
package main
import (
"bytes"
"net/http"
)
func main() {
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/sessions/logout", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
fetch('/oauth2/sessions/logout', {
method: 'GET'
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/sessions/logout");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
r = requests.get(
'/oauth2/sessions/logout',
params={)
print r.json()
require 'rest-client'
require 'json'
result = RestClient.get '/oauth2/sessions/logout',
params: {}
p JSON.parse(result)
The OAuth 2.0 token endpoint
POST /oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" HTTP request entity-body.
Do not implement a client for this endpoint yourself. Use a library. There are many libraries available for any programming language. You can find a list of libraries here: https://oauth.net/code/
Do note that Hydra SDK does not implement this endpoint properly. Use one of the libraries listed above!
Request body
grant_type: string
code: string
refresh_token: string
redirect_uri: string
client_id: string
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | object | false | none |
| » grant_type | body | string | true | none |
| » code | body | string | false | none |
| » refresh_token | body | string | false | none |
| » redirect_uri | body | string | false | none |
| » client_id | body | string | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | oauth2TokenResponse | oauth2TokenResponse |
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"access_token": "string",
"expires_in": 0,
"id_token": "string",
"refresh_token": "string",
"scope": "string",
"token_type": "string"
}
Code samples
curl -X POST /oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/x-www-form-urlencoded"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/oauth2/token", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"grant_type": "string",
"code": "string",
"refresh_token": "string",
"redirect_uri": "string",
"client_id": "string"
}';
const headers = {
'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'
}
fetch('/oauth2/token', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/token");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json'
}
r = requests.post(
'/oauth2/token',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept' => 'application/json'
}
result = RestClient.post '/oauth2/token',
params: {}, headers: headers
p JSON.parse(result)
OpenID Connect Userinfo
GET /userinfo HTTP/1.1
Accept: application/json
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 Access Token.
For more information please refer to the spec.
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | userinfoResponse | userinfoResponse |
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"birthdate": "string",
"email": "string",
"email_verified": true,
"family_name": "string",
"gender": "string",
"given_name": "string",
"locale": "string",
"middle_name": "string",
"name": "string",
"nickname": "string",
"phone_number": "string",
"phone_number_verified": true,
"picture": "string",
"preferred_username": "string",
"profile": "string",
"sub": "string",
"updated_at": 0,
"website": "string",
"zoneinfo": "string"
}
Code samples
curl -X GET /userinfo \
-H 'Accept: application/json' \ -H 'Authorization: Bearer {access-token}'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
"Authorization": []string{"Bearer {access-token}"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/userinfo", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json', 'Authorization': 'Bearer {access-token}'
}
fetch('/userinfo', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/userinfo");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json',
'Authorization': 'Bearer {access-token}'
}
r = requests.get(
'/userinfo',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json',
'Authorization' => 'Bearer {access-token}'
}
result = RestClient.get '/userinfo',
params: {}, headers: headers
p JSON.parse(result)
Administrative Endpoints
List OAuth 2.0 Clients
GET /clients HTTP/1.1
Accept: application/json
This endpoint lists all clients in the database, and never returns client secrets.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The "Link" header is also included in successful responses, which contains one or more links for pagination, formatted like so: 'https://hydra-url/admin/clients?limit={limit}&offset={offset}; rel="{page}"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'. Multiple links can be included in this header, and will be separated by a comma.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| limit | query | integer(int64) | false | The maximum amount of policies returned. |
| offset | query | integer(int64) | false | The offset from where to start looking. |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A list of clients. | Inline |
| 500 | Internal Server Error | genericError | genericError |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | [oAuth2Client] | false | none | none |
| » OAuth2Client Client represents an OAuth 2.0 Client. | oAuth2Client | false | none | none |
| »» allowed_cors_origins | [string] | false | none | none |
| »» audience | [string] | false | none | none |
| »» backchannel_logout_session_required | boolean | false | none | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. |
| »» backchannel_logout_uri | string | false | none | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. |
| »» client_id | string | false | none | ClientID is the id for this client. |
| »» client_name | string | false | none | Name is the human-readable string name of the client to be presented to the end-user during authorization. |
| »» client_secret | string | false | none | Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. |
| »» client_secret_expires_at | integer(int64) | false | none | SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0. |
| »» client_uri | string | false | none | ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. |
| »» contacts | [string] | false | none | none |
| »» created_at | string(date-time) | false | none | CreatedAt returns the timestamp of the client's creation. Format: date-time |
| »» frontchannel_logout_session_required | boolean | false | none | Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. |
| »» frontchannel_logout_uri | string | false | none | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. |
| »» grant_types | [string] | false | none | none |
| »» jwks | JoseJSONWebKeySet | false | none | none |
| »» jwks_uri | string | false | none | URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. |
| »» logo_uri | string | false | none | LogoURI is an URL string that references a logo for the client. |
| »» metadata | JSONRawMessage | false | none | none |
| »» owner | string | false | none | Owner is a string identifying the owner of the OAuth 2.0 Client. |
| »» policy_uri | string | false | none | PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. |
| »» post_logout_redirect_uris | [string] | false | none | none |
| »» redirect_uris | [string] | false | none | none |
| »» request_object_signing_alg | string | false | none | JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. |
| »» request_uris | [string] | false | none | none |
| »» response_types | [string] | false | none | none |
| »» scope | string | false | none | Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. |
| »» sector_identifier_uri | string | false | none | URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. |
| »» subject_type | string | false | none | SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. |
| »» token_endpoint_auth_method | string | false | none | Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none. |
| »» tos_uri | string | false | none | TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. |
| »» updated_at | string(date-time) | false | none | UpdatedAt returns the timestamp of the last update. Format: date-time |
| »» userinfo_signed_response_alg | string | false | none | JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. |
Examples
200 response
[
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
]
Code samples
curl -X GET /clients \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/clients", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/clients', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/clients',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/clients',
params: {}, headers: headers
p JSON.parse(result)
Create an OAuth 2.0 client
POST /clients HTTP/1.1
Content-Type: application/json
Accept: application/json
Create a new OAuth 2.0 client If you pass client_secret the secret will be
used, otherwise a random secret will be generated. The secret will be returned
in the response and you will not be able to retrieve it later on. Write the
secret down and keep it somwhere safe.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Request body
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | oAuth2Client | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | oAuth2Client | oAuth2Client |
| 400 | Bad Request | genericError | genericError |
| 409 | Conflict | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
201 response
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
Code samples
curl -X POST /clients \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/clients", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/clients', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.post(
'/clients',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.post '/clients',
params: {}, headers: headers
p JSON.parse(result)
Get an OAuth 2.0 Client.
GET /clients/{id} HTTP/1.1
Accept: application/json
Get an OAUth 2.0 client by its ID. This endpoint never returns passwords.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | The id of the OAuth 2.0 Client. |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | oAuth2Client | oAuth2Client |
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
Code samples
curl -X GET /clients/{id} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/clients/{id}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/clients/{id}', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/clients/{id}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/clients/{id}',
params: {}, headers: headers
p JSON.parse(result)
Update an OAuth 2.0 Client
PUT /clients/{id} HTTP/1.1
Content-Type: application/json
Accept: application/json
Update an existing OAuth 2.0 Client. If you pass client_secret the secret will
be updated and returned via the API. This is the only time you will be able to
retrieve the client secret, so write it down and keep it safe.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Request body
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | none |
| body | body | oAuth2Client | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | oAuth2Client | oAuth2Client |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
Code samples
curl -X PUT /clients/{id} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/clients/{id}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"allowed_cors_origins": [
"string"
],
"audience": [
"string"
],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": [
"string"
],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": [
"string"
],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": [
"string"
],
"redirect_uris": [
"string"
],
"request_object_signing_alg": "string",
"request_uris": [
"string"
],
"response_types": [
"string"
],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/clients/{id}', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/clients/{id}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/clients/{id}',
params: {}, headers: headers
p JSON.parse(result)
Deletes an OAuth 2.0 Client
DELETE /clients/{id} HTTP/1.1
Accept: application/json
Delete an existing OAuth 2.0 Client by its ID.
OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | The id of the OAuth 2.0 Client. |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
404 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X DELETE /clients/{id} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/clients/{id}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/clients/{id}', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/clients/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/clients/{id}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/clients/{id}',
params: {}, headers: headers
p JSON.parse(result)
Check alive status
GET /health/alive HTTP/1.1
Accept: application/json
This endpoint returns a 200 status code when the HTTP server is up running. This status does currently not include checks whether the database connection is working.
If the service supports TLS Edge Termination, this endpoint does not require the
X-Forwarded-Proto header to be set.
Be aware that if you are running multiple nodes of this service, the health status will never refer to the cluster state, only to a single instance.
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | healthStatus | healthStatus |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"status": "string"
}
Code samples
curl -X GET /health/alive \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/health/alive", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/health/alive', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/health/alive");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/health/alive',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/health/alive',
params: {}, headers: headers
p JSON.parse(result)
Retrieve a JSON Web Key Set
GET /keys/{set} HTTP/1.1
Accept: application/json
This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| set | path | string | true | The set |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | JSONWebKeySet | JSONWebKeySet |
| 401 | Unauthorized | genericError | genericError |
| 403 | Forbidden | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
Code samples
curl -X GET /keys/{set} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)
Update a JSON Web Key Set
PUT /keys/{set} HTTP/1.1
Content-Type: application/json
Accept: application/json
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Request body
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| set | path | string | true | The set |
| body | body | JSONWebKeySet | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | JSONWebKeySet | JSONWebKeySet |
| 401 | Unauthorized | genericError | genericError |
| 403 | Forbidden | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
Code samples
curl -X PUT /keys/{set} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)
Generate a new JSON Web Key
POST /keys/{set} HTTP/1.1
Content-Type: application/json
Accept: application/json
This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Request body
{
"alg": "string",
"kid": "string",
"use": "string"
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| set | path | string | true | The set |
| body | body | jsonWebKeySetGeneratorRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 201 | Created | JSONWebKeySet | JSONWebKeySet |
| 401 | Unauthorized | genericError | genericError |
| 403 | Forbidden | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
201 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
Code samples
curl -X POST /keys/{set} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"alg": "string",
"kid": "string",
"use": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.post(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.post '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)
Delete a JSON Web Key Set
DELETE /keys/{set} HTTP/1.1
Accept: application/json
Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| set | path | string | true | The set |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 401 | Unauthorized | genericError | genericError |
| 403 | Forbidden | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X DELETE /keys/{set} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/keys/{set}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/keys/{set}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/keys/{set}',
params: {}, headers: headers
p JSON.parse(result)
Fetch a JSON Web Key
GET /keys/{set}/{kid} HTTP/1.1
Accept: application/json
This endpoint returns a singular JSON Web Key, identified by the set and the specific key ID (kid).
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| kid | path | string | true | The kid of the desired key |
| set | path | string | true | The set |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | JSONWebKeySet | JSONWebKeySet |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
Code samples
curl -X GET /keys/{set}/{kid} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/keys/{set}/{kid}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}/{kid}', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}/{kid}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/keys/{set}/{kid}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/keys/{set}/{kid}',
params: {}, headers: headers
p JSON.parse(result)
Update a JSON Web Key
PUT /keys/{set}/{kid} HTTP/1.1
Content-Type: application/json
Accept: application/json
Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Request body
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| kid | path | string | true | The kid of the desired key |
| set | path | string | true | The set |
| body | body | JSONWebKey | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | JSONWebKey | JSONWebKey |
| 401 | Unauthorized | genericError | genericError |
| 403 | Forbidden | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
Code samples
curl -X PUT /keys/{set}/{kid} \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/keys/{set}/{kid}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": [
"string"
],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/keys/{set}/{kid}', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}/{kid}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/keys/{set}/{kid}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/keys/{set}/{kid}',
params: {}, headers: headers
p JSON.parse(result)
Delete a JSON Web Key
DELETE /keys/{set}/{kid} HTTP/1.1
Accept: application/json
Use this endpoint to delete a single JSON Web Key.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| kid | path | string | true | The kid of the desired key |
| set | path | string | true | The set |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 401 | Unauthorized | genericError | genericError |
| 403 | Forbidden | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X DELETE /keys/{set}/{kid} \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/keys/{set}/{kid}", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/keys/{set}/{kid}', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/keys/{set}/{kid}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/keys/{set}/{kid}',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/keys/{set}/{kid}',
params: {}, headers: headers
p JSON.parse(result)
Get snapshot metrics from the Hydra service. If you're using k8s, you can then add annotations to
your deployment like so:
GET /metrics/prometheus HTTP/1.1
metadata:
annotations:
prometheus.io/port: "4445"
prometheus.io/path: "/metrics/prometheus"
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None |
Code samples
curl -X GET /metrics/prometheus
package main
import (
"bytes"
"net/http"
)
func main() {
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/metrics/prometheus", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
fetch('/metrics/prometheus', {
method: 'GET'
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/metrics/prometheus");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
r = requests.get(
'/metrics/prometheus',
params={)
print r.json()
require 'rest-client'
require 'json'
result = RestClient.get '/metrics/prometheus',
params: {}
p JSON.parse(result)
Get consent request information
GET /oauth2/auth/requests/consent?consent_challenge=string HTTP/1.1
Accept: application/json
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted or rejected the request.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| consent_challenge | query | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | consentRequest | consentRequest |
| 404 | Not Found | genericError | genericError |
| 409 | Conflict | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"acr": "string",
"challenge": "string",
"client": {
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
},
"context": {},
"login_challenge": "string",
"login_session_id": "string",
"oidc_context": {
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
},
"request_url": "string",
"requested_access_token_audience": ["string"],
"requested_scope": ["string"],
"skip": true,
"subject": "string"
}
Code samples
curl -X GET /oauth2/auth/requests/consent?consent_challenge=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth/requests/consent", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/consent?consent_challenge=string', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/consent?consent_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/oauth2/auth/requests/consent',
params={
'consent_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/oauth2/auth/requests/consent',
params: {
'consent_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Accept a consent request
PUT /oauth2/auth/requests/consent/accept?consent_challenge=string HTTP/1.1
Content-Type: application/json
Accept: application/json
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted or rejected the request.
This endpoint tells ORY Hydra that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf. The consent provider includes additional information, such as session data for access and ID tokens, and if the consent request should be used as basis for future requests.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
Request body
{
"grant_access_token_audience": ["string"],
"grant_scope": ["string"],
"handled_at": "2020-04-04T21:15:27Z",
"remember": true,
"remember_for": 0,
"session": {
"access_token": {
"property1": {},
"property2": {}
},
"id_token": {
"property1": {},
"property2": {}
}
}
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| consent_challenge | query | string | true | none |
| body | body | acceptConsentRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | completedRequest | completedRequest |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"redirect_to": "string"
}
Code samples
curl -X PUT /oauth2/auth/requests/consent/accept?consent_challenge=string \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/oauth2/auth/requests/consent/accept", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"grant_access_token_audience": [
"string"
],
"grant_scope": [
"string"
],
"handled_at": "2020-04-04T21:15:27Z",
"remember": true,
"remember_for": 0,
"session": {
"access_token": {
"property1": {},
"property2": {}
},
"id_token": {
"property1": {},
"property2": {}
}
}
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/consent/accept?consent_challenge=string', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/consent/accept?consent_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/oauth2/auth/requests/consent/accept',
params={
'consent_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/oauth2/auth/requests/consent/accept',
params: {
'consent_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Reject a consent request
PUT /oauth2/auth/requests/consent/reject?consent_challenge=string HTTP/1.1
Content-Type: application/json
Accept: application/json
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the subject and then tell ORY Hydra now about it. If the subject authenticated, he/she must now be asked if the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
The consent provider which handles this request and is a web app implemented and hosted by you. It shows a subject interface which asks the subject to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files").
The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra if the subject accepted or rejected the request.
This endpoint tells ORY Hydra that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf. The consent provider must include a reason why the consent was not granted.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
Request body
{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| consent_challenge | query | string | true | none |
| body | body | rejectRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | completedRequest | completedRequest |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"redirect_to": "string"
}
Code samples
curl -X PUT /oauth2/auth/requests/consent/reject?consent_challenge=string \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/oauth2/auth/requests/consent/reject", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/consent/reject?consent_challenge=string', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/consent/reject?consent_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/oauth2/auth/requests/consent/reject',
params={
'consent_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/oauth2/auth/requests/consent/reject',
params: {
'consent_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Get a login request
GET /oauth2/auth/requests/login?login_challenge=string HTTP/1.1
Accept: application/json
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider (sometimes called "identity provider") to authenticate the subject and then tell ORY Hydra now about it. The login provider is an web-app you write and host, and it must be able to authenticate ("show the subject a login screen") a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| login_challenge | query | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | loginRequest | loginRequest |
| 400 | Bad Request | genericError | genericError |
| 404 | Not Found | genericError | genericError |
| 409 | Conflict | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"challenge": "string",
"client": {
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
},
"oidc_context": {
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
},
"request_url": "string",
"requested_access_token_audience": ["string"],
"requested_scope": ["string"],
"session_id": "string",
"skip": true,
"subject": "string"
}
Code samples
curl -X GET /oauth2/auth/requests/login?login_challenge=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth/requests/login", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/login?login_challenge=string', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/login?login_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/oauth2/auth/requests/login',
params={
'login_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/oauth2/auth/requests/login',
params: {
'login_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Accept a login request
PUT /oauth2/auth/requests/login/accept?login_challenge=string HTTP/1.1
Content-Type: application/json
Accept: application/json
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider (sometimes called "identity provider") to authenticate the subject and then tell ORY Hydra now about it. The login provider is an web-app you write and host, and it must be able to authenticate ("show the subject a login screen") a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
This endpoint tells ORY Hydra that the subject has successfully authenticated and includes additional information such as the subject's ID and if ORY Hydra should remember the subject's subject agent for future authentication attempts by setting a cookie.
The response contains a redirect URL which the login provider should redirect the user-agent to.
Request body
{
"acr": "string",
"context": {},
"force_subject_identifier": "string",
"remember": true,
"remember_for": 0,
"subject": "string"
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| login_challenge | query | string | true | none |
| body | body | acceptLoginRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | completedRequest | completedRequest |
| 401 | Unauthorized | genericError | genericError |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"redirect_to": "string"
}
Code samples
curl -X PUT /oauth2/auth/requests/login/accept?login_challenge=string \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/oauth2/auth/requests/login/accept", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"acr": "string",
"context": {},
"force_subject_identifier": "string",
"remember": true,
"remember_for": 0,
"subject": "string"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/login/accept?login_challenge=string', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/login/accept?login_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/oauth2/auth/requests/login/accept',
params={
'login_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/oauth2/auth/requests/login/accept',
params: {
'login_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Reject a login request
PUT /oauth2/auth/requests/login/reject?login_challenge=string HTTP/1.1
Content-Type: application/json
Accept: application/json
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider (sometimes called "identity provider") to authenticate the subject and then tell ORY Hydra now about it. The login provider is an web-app you write and host, and it must be able to authenticate ("show the subject a login screen") a subject (in OAuth2 the proper name for subject is "resource owner").
The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
This endpoint tells ORY Hydra that the subject has not authenticated and includes a reason why the authentication was be denied.
The response contains a redirect URL which the login provider should redirect the user-agent to.
Request body
{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| login_challenge | query | string | true | none |
| body | body | rejectRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | completedRequest | completedRequest |
| 401 | Unauthorized | genericError | genericError |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"redirect_to": "string"
}
Code samples
curl -X PUT /oauth2/auth/requests/login/reject?login_challenge=string \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/oauth2/auth/requests/login/reject", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/login/reject?login_challenge=string', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/login/reject?login_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/oauth2/auth/requests/login/reject',
params={
'login_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/oauth2/auth/requests/login/reject',
params: {
'login_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Get a logout request
GET /oauth2/auth/requests/logout?logout_challenge=string HTTP/1.1
Accept: application/json
Use this endpoint to fetch a logout request.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| logout_challenge | query | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | logoutRequest | logoutRequest |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"request_url": "string",
"rp_initiated": true,
"sid": "string",
"subject": "string"
}
Code samples
curl -X GET /oauth2/auth/requests/logout?logout_challenge=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth/requests/logout", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/logout?logout_challenge=string', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/logout?logout_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/oauth2/auth/requests/logout',
params={
'logout_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/oauth2/auth/requests/logout',
params: {
'logout_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Accept a logout request
PUT /oauth2/auth/requests/logout/accept?logout_challenge=string HTTP/1.1
Accept: application/json
When a user or an application requests ORY Hydra to log out a user, this endpoint is used to confirm that logout request. No body is required.
The response contains a redirect URL which the consent provider should redirect the user-agent to.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| logout_challenge | query | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | completedRequest | completedRequest |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"redirect_to": "string"
}
Code samples
curl -X PUT /oauth2/auth/requests/logout/accept?logout_challenge=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/oauth2/auth/requests/logout/accept", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/logout/accept?logout_challenge=string', {
method: 'PUT',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/logout/accept?logout_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.put(
'/oauth2/auth/requests/logout/accept',
params={
'logout_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.put '/oauth2/auth/requests/logout/accept',
params: {
'logout_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Reject a logout request
PUT /oauth2/auth/requests/logout/reject?logout_challenge=string HTTP/1.1
Content-Type: application/json
Accept: application/json
When a user or an application requests ORY Hydra to log out a user, this endpoint is used to deny that logout request. No body is required.
The response is empty as the logout provider has to chose what action to perform next.
Request body
{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}
error: string
error_debug: string
error_description: string
error_hint: string
status_code: 0
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| logout_challenge | query | string | true | none |
| body | body | rejectRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
404 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X PUT /oauth2/auth/requests/logout/reject?logout_challenge=string \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("PUT", "/oauth2/auth/requests/logout/reject", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/oauth2/auth/requests/logout/reject?logout_challenge=string', {
method: 'PUT',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/requests/logout/reject?logout_challenge=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.put(
'/oauth2/auth/requests/logout/reject',
params={
'logout_challenge': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.put '/oauth2/auth/requests/logout/reject',
params: {
'logout_challenge' => 'string'}, headers: headers
p JSON.parse(result)
Lists all consent sessions of a subject
GET /oauth2/auth/sessions/consent?subject=string HTTP/1.1
Accept: application/json
This endpoint lists all subject's granted consent sessions, including client and granted scope. The "Link" header is also included in successful responses, which contains one or more links for pagination, formatted like so: 'https://hydra-url/admin/oauth2/auth/sessions/consent?subject={user}&limit={limit}&offset={offset}; rel="{page}"', where page is one of the following applicable pages: 'first', 'next', 'last', and 'previous'. Multiple links can be included in this header, and will be separated by a comma.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| subject | query | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A list of used consent requests. | Inline |
| 400 | Bad Request | genericError | genericError |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| anonymous | [PreviousConsentSession] | false | none | [PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession The response used to return used consent requests same as HandledLoginRequest, just with consent_request exposed as json] |
| » consent_request | consentRequest | false | none | none |
| »» acr | string | false | none | ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. |
| »» challenge | string | false | none | Challenge is the identifier ("authorization challenge") of the consent authorization request. It is used to identify the session. |
| »» client | oAuth2Client | false | none | none |
| »»» allowed_cors_origins | [string] | false | none | none |
| »»» audience | [string] | false | none | none |
| »»» backchannel_logout_session_required | boolean | false | none | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. |
| »»» backchannel_logout_uri | string | false | none | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. |
| »»» client_id | string | false | none | ClientID is the id for this client. |
| »»» client_name | string | false | none | Name is the human-readable string name of the client to be presented to the end-user during authorization. |
| »»» client_secret | string | false | none | Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. |
| »»» client_secret_expires_at | integer(int64) | false | none | SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0. |
| »»» client_uri | string | false | none | ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. |
| »»» contacts | [string] | false | none | none |
| »»» created_at | string(date-time) | false | none | CreatedAt returns the timestamp of the client's creation. Format: date-time |
| »»» frontchannel_logout_session_required | boolean | false | none | Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. |
| »»» frontchannel_logout_uri | string | false | none | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. |
| »»» grant_types | [string] | false | none | none |
| »»» jwks | JoseJSONWebKeySet | false | none | none |
| »»» jwks_uri | string | false | none | URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. |
| »»» logo_uri | string | false | none | LogoURI is an URL string that references a logo for the client. |
| »»» metadata | JSONRawMessage | false | none | none |
| »»» owner | string | false | none | Owner is a string identifying the owner of the OAuth 2.0 Client. |
| »»» policy_uri | string | false | none | PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. |
| »»» post_logout_redirect_uris | [string] | false | none | none |
| »»» redirect_uris | [string] | false | none | none |
| »»» request_object_signing_alg | string | false | none | JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. |
| »»» request_uris | [string] | false | none | none |
| »»» response_types | [string] | false | none | none |
| »»» scope | string | false | none | Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. |
| »»» sector_identifier_uri | string | false | none | URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. |
| »»» subject_type | string | false | none | SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. |
| »»» token_endpoint_auth_method | string | false | none | Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none. |
| »»» tos_uri | string | false | none | TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. |
| »»» updated_at | string(date-time) | false | none | UpdatedAt returns the timestamp of the last update. Format: date-time |
| »»» userinfo_signed_response_alg | string | false | none | JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. |
| »» context | JSONRawMessage | false | none | none |
| »» login_challenge | string | false | none | LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. |
| »» login_session_id | string | false | none | LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. |
| »» oidc_context | openIDConnectContext | false | none | none |
| »»» acr_values | [string] | false | none | ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. |
| »»» display | string | false | none | Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display. |
| »»» id_token_hint_claims | object | false | none | IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. |
| »»»» additionalProperties | object | false | none | none |
| »»» login_hint | string | false | none | LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional. |
| »»» ui_locales | [string] | false | none | UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. |
| »» request_url | string | false | none | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. |
| »» requested_access_token_audience | [string] | false | none | none |
| »» requested_scope | [string] | false | none | none |
| »» skip | boolean | false | none | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the consent request using the usual API call. |
| »» subject | string | false | none | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. |
| » grant_access_token_audience | [string] | false | none | GrantedAudience sets the audience the user authorized the client to use. Should be a subset of requested_access_token_audience. |
| » grant_scope | [string] | false | none | GrantScope sets the scope the user authorized the client to use. Should be a subset of requested_scope |
| » handled_at | string(date-time) | false | none | handled at Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time |
| » remember | boolean | false | none | Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. |
| » remember_for | integer(int64) | false | none | RememberFor sets how long the consent authorization should be remembered for in seconds. If set to 0, the authorization will be remembered indefinitely. |
| » session | consentRequestSession | false | none | none |
| »» access_token | object | false | none | AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care! |
| »»» additionalProperties | object | false | none | none |
| »» id_token | object | false | none | IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care! |
| »»» additionalProperties | object | false | none | none |
Examples
200 response
[
{
"consent_request": {
"acr": "string",
"challenge": "string",
"client": {
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
},
"context": {},
"login_challenge": "string",
"login_session_id": "string",
"oidc_context": {
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
},
"request_url": "string",
"requested_access_token_audience": ["string"],
"requested_scope": ["string"],
"skip": true,
"subject": "string"
},
"grant_access_token_audience": ["string"],
"grant_scope": ["string"],
"handled_at": "2020-04-04T21:15:27Z",
"remember": true,
"remember_for": 0,
"session": {
"access_token": {
"property1": {},
"property2": {}
},
"id_token": {
"property1": {},
"property2": {}
}
}
}
]
Code samples
curl -X GET /oauth2/auth/sessions/consent?subject=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/oauth2/auth/sessions/consent", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/sessions/consent?subject=string', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/sessions/consent?subject=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/oauth2/auth/sessions/consent',
params={
'subject': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/oauth2/auth/sessions/consent',
params: {
'subject' => 'string'}, headers: headers
p JSON.parse(result)
Revokes consent sessions of a subject for a specific OAuth 2.0 Client
DELETE /oauth2/auth/sessions/consent?subject=string HTTP/1.1
Accept: application/json
This endpoint revokes a subject's granted consent sessions for a specific OAuth 2.0 Client and invalidates all associated OAuth 2.0 Access Tokens.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| subject | query | string | true | The subject (Subject) who's consent sessions should be deleted. |
| client | query | string | false | If set, deletes only those consent sessions by the Subject that have been granted to the specified OAuth 2.0 Client ID |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 400 | Bad Request | genericError | genericError |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
400 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X DELETE /oauth2/auth/sessions/consent?subject=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/oauth2/auth/sessions/consent", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/sessions/consent?subject=string', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/sessions/consent?subject=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/oauth2/auth/sessions/consent',
params={
'subject': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/oauth2/auth/sessions/consent',
params: {
'subject' => 'string'}, headers: headers
p JSON.parse(result)
Invalidates all login sessions of a certain user
Invalidates a subject's authentication session
DELETE /oauth2/auth/sessions/login?subject=string HTTP/1.1
Accept: application/json
This endpoint invalidates a subject's authentication session. After revoking the authentication session, the subject has to re-authenticate at ORY Hydra. This endpoint does not invalidate any tokens and does not work with OpenID Connect Front- or Back-channel logout.
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| subject | query | string | true | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 400 | Bad Request | genericError | genericError |
| 404 | Not Found | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
400 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X DELETE /oauth2/auth/sessions/login?subject=string \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("DELETE", "/oauth2/auth/sessions/login", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/oauth2/auth/sessions/login?subject=string', {
method: 'DELETE',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/auth/sessions/login?subject=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("DELETE");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'/oauth2/auth/sessions/login',
params={
'subject': 'string'},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.delete '/oauth2/auth/sessions/login',
params: {
'subject' => 'string'}, headers: headers
p JSON.parse(result)
Flush Expired OAuth2 Access Tokens
POST /oauth2/flush HTTP/1.1
Content-Type: application/json
Accept: application/json
This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted automatically when performing the refresh flow.
Request body
{
"notAfter": "2020-04-04T21:15:27Z"
}
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | flushInactiveOAuth2TokensRequest | false | none |
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 204 | No Content | Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is | |
| typically 201. | None | ||
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
401 response
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
Code samples
curl -X POST /oauth2/flush \
-H 'Content-Type: application/json' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/oauth2/flush", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"notAfter": "2020-04-04T21:15:27Z"
}';
const headers = {
'Content-Type': 'application/json', 'Accept': 'application/json'
}
fetch('/oauth2/flush', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/flush");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
r = requests.post(
'/oauth2/flush',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
result = RestClient.post '/oauth2/flush',
params: {}, headers: headers
p JSON.parse(result)
Introspect OAuth2 tokens
POST /oauth2/introspect HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
The introspection endpoint allows to check if a token (both refresh and access)
is active or not. An active token is neither expired nor revoked. If a token is
active, additional information on the token will be included. You can set
additional data for a token by setting accessTokenExtra during the consent
flow.
For more information read this blog post.
Request body
token: string
scope: string
Parameters
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
| body | body | object | false | none |
| » token | body | string | true | The string value of the token. For access tokens, this |
| » scope | body | string | false | An optional, space separated list of required scopes. If the access token was not granted one of the |
Detailed descriptions
» token: The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0. For refresh tokens, this is the "refresh_token" value returned.
» scope: An optional, space separated list of required scopes. If the access token was not granted one of the scopes, the result of active will be false.
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | oAuth2TokenIntrospection | oAuth2TokenIntrospection |
| 401 | Unauthorized | genericError | genericError |
| 500 | Internal Server Error | genericError | genericError |
Examples
200 response
{
"active": true,
"aud": ["string"],
"client_id": "string",
"exp": 0,
"ext": {
"property1": {},
"property2": {}
},
"iat": 0,
"iss": "string",
"nbf": 0,
"obfuscated_subject": "string",
"scope": "string",
"sub": "string",
"token_type": "string",
"username": "string"
}
Code samples
curl -X POST /oauth2/introspect \
-H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/x-www-form-urlencoded"},
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("POST", "/oauth2/introspect", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const input = '{
"token": "string",
"scope": "string"
}';
const headers = {
'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json'
}
fetch('/oauth2/introspect', {
method: 'POST',
body: input,
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/oauth2/introspect");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json'
}
r = requests.post(
'/oauth2/introspect',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/x-www-form-urlencoded',
'Accept' => 'application/json'
}
result = RestClient.post '/oauth2/introspect',
params: {}, headers: headers
p JSON.parse(result)
Get service version
GET /version HTTP/1.1
Accept: application/json
This endpoint returns the service version typically notated using semantic versioning.
If the service supports TLS Edge Termination, this endpoint does not require the
X-Forwarded-Proto header to be set.
Responses
Overview
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | version | version |
Examples
200 response
{
"version": "string"
}
Code samples
curl -X GET /version \
-H 'Accept: application/json'
package main
import (
"bytes"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
var body []byte
// body = ...
req, err := http.NewRequest("GET", "/version", bytes.NewBuffer(body))
req.Header = headers
client := &http.Client{}
resp, err := client.Do(req)
// ...
}
const fetch = require('node-fetch');
const headers = {
'Accept': 'application/json'
}
fetch('/version', {
method: 'GET',
headers
})
.then(r => r.json())
.then((body) => {
console.log(body)
})
// This sample needs improvement.
URL obj = new URL("/version");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
new InputStreamReader(con.getInputStream())
);
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
System.out.println(response.toString());
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'/version',
params={},
headers = headers)
print r.json()
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient.get '/version',
params: {}, headers: headers
p JSON.parse(result)
Schemas
JSONRawMessage
{}
JSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and Swagger.
Properties
None
JSONWebKey
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
It is important that this model object is named JSONWebKey for "swagger generate spec" to generate only on definition of a JSONWebKey.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| alg | string | true | none | The "alg" (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA "JSON Web Signature and Encryption Algorithms" registry established by [JWA] or be a value that contains a Collision- Resistant Name. |
| crv | string | false | none | none |
| d | string | false | none | none |
| dp | string | false | none | none |
| dq | string | false | none | none |
| e | string | false | none | none |
| k | string | false | none | none |
| kid | string | true | none | The "kid" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the "kid" value is unspecified. When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values. (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.) The "kid" value is a case-sensitive string. |
| kty | string | true | none | The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC". "kty" values should either be registered in the IANA "JSON Web Key Types" registry established by [JWA] or be a value that contains a Collision- Resistant Name. The "kty" value is a case-sensitive string. |
| n | string | false | none | none |
| p | string | false | none | none |
| q | string | false | none | none |
| qi | string | false | none | none |
| use | string | true | none | Use ("public key use") identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values are commonly "sig" (signature) or "enc" (encryption). |
| x | string | false | none | none |
| x5c | [string] | false | none | The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. |
| y | string | false | none | none |
JSONWebKeySet
{
"keys": [
{
"alg": "RS256",
"crv": "P-256",
"d": "T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE",
"dp": "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq": "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"e": "AQAB",
"k": "GawgguFyGrWKav7AX4VKUg",
"kid": "1603dfe0af8f4596",
"kty": "RSA",
"n": "vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0",
"p": "6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ",
"q": "0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ",
"qi": "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"use": "sig",
"x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"x5c": ["string"],
"y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
}
]
}
It is important that this model object is named JSONWebKeySet for "swagger generate spec" to generate only on definition of a JSONWebKeySet. Since one with the same name is previously defined as client.Client.JSONWebKeys and this one is last, this one will be effectively written in the swagger spec.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| keys | [JSONWebKey] | false | none | The value of the "keys" parameter is an array of JWK values. By default, the order of the JWK values within the array does not imply an order of preference among them, although applications of JWK Sets can choose to assign a meaning to the order for their purposes, if desired. |
JoseJSONWebKeySet
{}
Properties
None
NullTime
"2020-04-04T21:15:27Z"
NullTime implements sql.NullTime functionality.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| NullTime implements sql.NullTime functionality. | string(date-time) | false | none | none |
PreviousConsentSession
{
"consent_request": {
"acr": "string",
"challenge": "string",
"client": {
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
},
"context": {},
"login_challenge": "string",
"login_session_id": "string",
"oidc_context": {
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
},
"request_url": "string",
"requested_access_token_audience": ["string"],
"requested_scope": ["string"],
"skip": true,
"subject": "string"
},
"grant_access_token_audience": ["string"],
"grant_scope": ["string"],
"handled_at": "2020-04-04T21:15:27Z",
"remember": true,
"remember_for": 0,
"session": {
"access_token": {
"property1": {},
"property2": {}
},
"id_token": {
"property1": {},
"property2": {}
}
}
}
PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession PreviousConsentSession The response used to return used consent requests same as HandledLoginRequest, just with consent_request exposed as json
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| consent_request | consentRequest | false | none | none |
| grant_access_token_audience | [string] | false | none | GrantedAudience sets the audience the user authorized the client to use. Should be a subset of requested_access_token_audience. |
| grant_scope | [string] | false | none | GrantScope sets the scope the user authorized the client to use. Should be a subset of requested_scope |
| handled_at | string(date-time) | false | none | handled at Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time Format: date-time |
| remember | boolean | false | none | Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. |
| remember_for | integer(int64) | false | none | RememberFor sets how long the consent authorization should be remembered for in seconds. If set to 0, the authorization will be remembered indefinitely. |
| session | consentRequestSession | false | none | none |
StringSlicePipeDelimiter
["string"]
StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| StringSlicePipeDelimiter de/encodes the string slice to/from a SQL string. | [string] | false | none | none |
acceptConsentRequest
{
"grant_access_token_audience": ["string"],
"grant_scope": ["string"],
"handled_at": "2020-04-04T21:15:27Z",
"remember": true,
"remember_for": 0,
"session": {
"access_token": {
"property1": {},
"property2": {}
},
"id_token": {
"property1": {},
"property2": {}
}
}
}
AcceptConsentRequest AcceptConsentRequest The request payload used to accept a consent request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| grant_access_token_audience | StringSlicePipeDelimiter | false | none | none |
| grant_scope | StringSlicePipeDelimiter | false | none | none |
| handled_at | NullTime | false | none | none |
| remember | boolean | false | none | Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. |
| remember_for | integer(int64) | false | none | RememberFor sets how long the consent authorization should be remembered for in seconds. If set to 0, the authorization will be remembered indefinitely. |
| session | consentRequestSession | false | none | none |
acceptLoginRequest
{
"acr": "string",
"context": {},
"force_subject_identifier": "string",
"remember": true,
"remember_for": 0,
"subject": "string"
}
AcceptLoginRequest AcceptLoginRequest AcceptLoginRequest HandledLoginRequest is the request payload used to accept a login request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| acr | string | false | none | ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. |
| context | JSONRawMessage | false | none | none |
| force_subject_identifier | string | false | none | ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client. Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the sub claim in the OAuth 2.0 Introspection. Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself you can use this field. Please note that setting this field has no effect if pairwise is not configured in ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via subject_type key in the client's configuration). Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies that you have to compute this value on every authentication process (probably depending on the client ID or some other unique value). If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail. |
| remember | boolean | false | none | Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she will not be asked to log in again. |
| remember_for | integer(int64) | false | none | RememberFor sets how long the authentication should be remembered for in seconds. If set to 0, the authorization will be remembered for the duration of the browser session (using a session cookie). |
| subject | string | true | none | Subject is the user ID of the end-user that authenticated. |
completedRequest
{
"redirect_to": "string"
}
The response payload sent when accepting or rejecting a login or consent request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| redirect_to | string | false | none | RedirectURL is the URL which you should redirect the user to once the authentication process is completed. |
consentRequest
{
"acr": "string",
"challenge": "string",
"client": {
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
},
"context": {},
"login_challenge": "string",
"login_session_id": "string",
"oidc_context": {
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
},
"request_url": "string",
"requested_access_token_audience": ["string"],
"requested_scope": ["string"],
"skip": true,
"subject": "string"
}
Contains information on an ongoing consent request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| acr | string | false | none | ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. |
| challenge | string | false | none | Challenge is the identifier ("authorization challenge") of the consent authorization request. It is used to identify the session. |
| client | oAuth2Client | false | none | none |
| context | JSONRawMessage | false | none | none |
| login_challenge | string | false | none | LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. |
| login_session_id | string | false | none | LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. |
| oidc_context | openIDConnectContext | false | none | none |
| request_url | string | false | none | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. |
| requested_access_token_audience | StringSlicePipeDelimiter | false | none | requested access token audience |
| requested_scope | StringSlicePipeDelimiter | false | none | requested scope |
| skip | boolean | false | none | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the consent request using the usual API call. |
| subject | string | false | none | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. |
consentRequestSession
{
"access_token": {
"property1": {},
"property2": {}
},
"id_token": {
"property1": {},
"property2": {}
}
}
Used to pass session data to a consent request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| access_token | object | false | none | AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care! |
| » additionalProperties | object | false | none | none |
| id_token | object | false | none | IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care! |
| » additionalProperties | object | false | none | none |
flushInactiveOAuth2TokensRequest
flushInactiveOAuth2TokensRequest
{
"notAfter": "2020-04-04T21:15:27Z"
}
FlushInactiveOAuth2TokensRequest flush inactive o auth2 tokens request
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| notAfter | string(date-time) | false | none | NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history of recently issued tokens for auditing. Format: date-time |
genericError
{
"debug": "The database adapter was unable to find the element",
"error": "The requested resource could not be found",
"error_description": "Object with ID 12345 does not exist",
"status_code": 404
}
GenericError Error response
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| debug | string | false | none | Debug contains debug information. This is usually not available and has to be enabled. |
| error | string | true | none | Name is the error name. |
| error_description | string | false | none | Description contains further information on the nature of the error. |
| status_code | integer(int64) | false | none | Code represents the error status code (404, 403, 401, ...). |
healthNotReadyStatus
{
"errors": {
"property1": "string",
"property2": "string"
}
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| errors | object | false | none | Errors contains a list of errors that caused the not ready status. |
| » additionalProperties | string | false | none | none |
healthStatus
{
"status": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| status | string | false | none | Status always contains "ok". |
jsonWebKeySetGeneratorRequest
{
"alg": "string",
"kid": "string",
"use": "string"
}
JSONWebKeySetGeneratorRequest JSONWebKeySetGeneratorRequest JSONWebKeySetGeneratorRequest JSONWebKeySetGeneratorRequest JSONWebKeySetGeneratorRequest json web key set generator request
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| alg | string | true | none | The algorithm to be used for creating the key. Supports "RS256", "ES512", "HS512", and "HS256" |
| kid | string | true | none | The kid of the key to be created |
| use | string | true | none | The "use" (public key use) parameter identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Valid values are "enc" and "sig". |
loginRequest
{
"challenge": "string",
"client": {
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
},
"oidc_context": {
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
},
"request_url": "string",
"requested_access_token_audience": ["string"],
"requested_scope": ["string"],
"session_id": "string",
"skip": true,
"subject": "string"
}
LoginRequest Contains information on an ongoing login request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| challenge | string | false | none | Challenge is the identifier ("login challenge") of the login request. It is used to identify the session. |
| client | oAuth2Client | false | none | none |
| oidc_context | openIDConnectContext | false | none | none |
| request_url | string | false | none | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. |
| requested_access_token_audience | StringSlicePipeDelimiter | false | none | none |
| requested_scope | StringSlicePipeDelimiter | false | none | none |
| session_id | string | false | none | SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. |
| skip | boolean | false | none | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. |
| subject | string | false | none | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and skip is true, you MUST include this subject type when accepting the login request, or the request will fail. |
logoutRequest
{
"request_url": "string",
"rp_initiated": true,
"sid": "string",
"subject": "string"
}
Contains information about an ongoing logout request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| request_url | string | false | none | RequestURL is the original Logout URL requested. |
| rp_initiated | boolean | false | none | RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client. |
| sid | string | false | none | SessionID is the login session ID that was requested to log out. |
| subject | string | false | none | Subject is the user for whom the logout was request. |
oAuth2Client
{
"allowed_cors_origins": ["string"],
"audience": ["string"],
"backchannel_logout_session_required": true,
"backchannel_logout_uri": "string",
"client_id": "string",
"client_name": "string",
"client_secret": "string",
"client_secret_expires_at": 0,
"client_uri": "string",
"contacts": ["string"],
"created_at": "2020-04-04T21:15:27Z",
"frontchannel_logout_session_required": true,
"frontchannel_logout_uri": "string",
"grant_types": ["string"],
"jwks": {},
"jwks_uri": "string",
"logo_uri": "string",
"metadata": {},
"owner": "string",
"policy_uri": "string",
"post_logout_redirect_uris": ["string"],
"redirect_uris": ["string"],
"request_object_signing_alg": "string",
"request_uris": ["string"],
"response_types": ["string"],
"scope": "string",
"sector_identifier_uri": "string",
"subject_type": "string",
"token_endpoint_auth_method": "string",
"tos_uri": "string",
"updated_at": "2020-04-04T21:15:27Z",
"userinfo_signed_response_alg": "string"
}
OAuth2Client Client represents an OAuth 2.0 Client.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| allowed_cors_origins | StringSlicePipeDelimiter | false | none | none |
| audience | StringSlicePipeDelimiter | false | none | none |
| backchannel_logout_session_required | boolean | false | none | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. |
| backchannel_logout_uri | string | false | none | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. |
| client_id | string | false | none | ClientID is the id for this client. |
| client_name | string | false | none | Name is the human-readable string name of the client to be presented to the end-user during authorization. |
| client_secret | string | false | none | Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. |
| client_secret_expires_at | integer(int64) | false | none | SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0. |
| client_uri | string | false | none | ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. |
| contacts | StringSlicePipeDelimiter | false | none | none |
| created_at | string(date-time) | false | none | CreatedAt returns the timestamp of the client's creation. Format: date-time |
| frontchannel_logout_session_required | boolean | false | none | Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. |
| frontchannel_logout_uri | string | false | none | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. |
| grant_types | StringSlicePipeDelimiter | false | none | none |
| jwks | JoseJSONWebKeySet | false | none | none |
| jwks_uri | string | false | none | URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. |
| logo_uri | string | false | none | LogoURI is an URL string that references a logo for the client. |
| metadata | JSONRawMessage | false | none | none |
| owner | string | false | none | Owner is a string identifying the owner of the OAuth 2.0 Client. |
| policy_uri | string | false | none | PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. |
| post_logout_redirect_uris | StringSlicePipeDelimiter | false | none | none |
| redirect_uris | StringSlicePipeDelimiter | false | none | none |
| request_object_signing_alg | string | false | none | JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. |
| request_uris | StringSlicePipeDelimiter | false | none | none |
| response_types | StringSlicePipeDelimiter | false | none | none |
| scope | string | false | none | Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. |
| sector_identifier_uri | string | false | none | URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. |
| subject_type | string | false | none | SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. |
| token_endpoint_auth_method | string | false | none | Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none. |
| tos_uri | string | false | none | TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. |
| updated_at | string(date-time) | false | none | UpdatedAt returns the timestamp of the last update. Format: date-time |
| userinfo_signed_response_alg | string | false | none | JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. |
oAuth2TokenIntrospection
{
"active": true,
"aud": ["string"],
"client_id": "string",
"exp": 0,
"ext": {
"property1": {},
"property2": {}
},
"iat": 0,
"iss": "string",
"nbf": 0,
"obfuscated_subject": "string",
"scope": "string",
"sub": "string",
"token_type": "string",
"username": "string"
}
Introspection contains an access token's session data as specified by IETF RFC 7662, see:
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| active | boolean | true | none | Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). |
| aud | [string] | false | none | Audience contains a list of the token's intended audiences. |
| client_id | string | false | none | ClientID is aclient identifier for the OAuth 2.0 client that requested this token. |
| exp | integer(int64) | false | none | Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire. |
| ext | object | false | none | Extra is arbitrary data set by the session. |
| » additionalProperties | object | false | none | none |
| iat | integer(int64) | false | none | Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued. |
| iss | string | false | none | IssuerURL is a string representing the issuer of this token |
| nbf | integer(int64) | false | none | NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before. |
| obfuscated_subject | string | false | none | ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization. It is the sub value of the ID Token that was issued. |
| scope | string | false | none | Scope is a JSON string containing a space-separated list of scopes associated with this token. |
| sub | string | false | none | Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token. |
| token_type | string | false | none | TokenType is the introspected token's type, for example access_token or refresh_token. |
| username | string | false | none | Username is a human-readable identifier for the resource owner who authorized this token. |
oauth2TokenResponse
{
"access_token": "string",
"expires_in": 0,
"id_token": "string",
"refresh_token": "string",
"scope": "string",
"token_type": "string"
}
The Access Token Response
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| access_token | string | false | none | access token |
| expires_in | integer(int64) | false | none | expires in |
| id_token | string | false | none | id token |
| refresh_token | string | false | none | refresh token |
| scope | string | false | none | scope |
| token_type | string | false | none | token type |
openIDConnectContext
{
"acr_values": ["string"],
"display": "string",
"id_token_hint_claims": {
"property1": {},
"property2": {}
},
"login_hint": "string",
"ui_locales": ["string"]
}
Contains optional information about the OpenID Connect request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| acr_values | [string] | false | none | ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. |
| display | string | false | none | Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display. |
| id_token_hint_claims | object | false | none | IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. |
| » additionalProperties | object | false | none | none |
| login_hint | string | false | none | LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional. |
| ui_locales | [string] | false | none | UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. |
rejectRequest
{
"error": "string",
"error_debug": "string",
"error_description": "string",
"error_hint": "string",
"status_code": 0
}
RejectRequest The request payload used to accept a login or consent request.
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| error | string | false | none | error |
| error_debug | string | false | none | error debug |
| error_description | string | false | none | error description |
| error_hint | string | false | none | error hint |
| status_code | integer(int64) | false | none | status code |
userinfoResponse
{
"birthdate": "string",
"email": "string",
"email_verified": true,
"family_name": "string",
"gender": "string",
"given_name": "string",
"locale": "string",
"middle_name": "string",
"name": "string",
"nickname": "string",
"phone_number": "string",
"phone_number_verified": true,
"picture": "string",
"preferred_username": "string",
"profile": "string",
"sub": "string",
"updated_at": 0,
"website": "string",
"zoneinfo": "string"
}
The userinfo response
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| birthdate | string | false | none | End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates. |
| string | false | none | End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7. | |
| email_verified | boolean | false | none | True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. |
| family_name | string | false | none | Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. |
| gender | string | false | none | End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. |
| given_name | string | false | none | Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. |
| locale | string | false | none | End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well. |
| middle_name | string | false | none | Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. |
| name | string | false | none | End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. |
| nickname | string | false | none | Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. |
| phone_number | string | false | none | End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678. |
| phone_number_verified | boolean | false | none | True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format. |
| picture | string | false | none | URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User. |
| preferred_username | string | false | none | Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. |
| profile | string | false | none | URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. |
| sub | string | false | none | Subject - Identifier for the End-User at the IssuerURL. |
| updated_at | integer(int64) | false | none | Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. |
| website | string | false | none | URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with. |
| zoneinfo | string | false | none | String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. |
version
{
"version": "string"
}
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| version | string | false | none | Version is the service's version. |
wellKnown
{
"authorization_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/auth",
"backchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"claims_parameter_supported": true,
"claims_supported": ["string"],
"end_session_endpoint": "string",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"grant_types_supported": ["string"],
"id_token_signing_alg_values_supported": ["string"],
"issuer": "https://playground.ory.sh/ory-hydra/public/",
"jwks_uri": "https://playground.ory.sh/ory-hydra/public/.well-known/jwks.json",
"registration_endpoint": "https://playground.ory.sh/ory-hydra/admin/client",
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": ["string"],
"response_types_supported": ["string"],
"revocation_endpoint": "string",
"scopes_supported": ["string"],
"subject_types_supported": ["string"],
"token_endpoint": "https://playground.ory.sh/ory-hydra/public/oauth2/token",
"token_endpoint_auth_methods_supported": ["string"],
"userinfo_endpoint": "string",
"userinfo_signing_alg_values_supported": ["string"]
}
WellKnown WellKnown WellKnown WellKnown WellKnown represents important OpenID Connect discovery metadata
Properties
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| authorization_endpoint | string | true | none | URL of the OP's OAuth 2.0 Authorization Endpoint. |
| backchannel_logout_session_supported | boolean | false | none | Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP |
| backchannel_logout_supported | boolean | false | none | Boolean value specifying whether the OP supports back-channel logout, with true indicating support. |
| claims_parameter_supported | boolean | false | none | Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. |
| claims_supported | [string] | false | none | JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. |
| end_session_endpoint | string | false | none | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. |
| frontchannel_logout_session_supported | boolean | false | none | Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OP. |
| frontchannel_logout_supported | boolean | false | none | Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. |
| grant_types_supported | [string] | false | none | JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. |
| id_token_signing_alg_values_supported | [string] | true | none | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. |
| issuer | string | true | none | URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier. If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL. |
| jwks_uri | string | true | none | URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. |
| registration_endpoint | string | false | none | URL of the OP's Dynamic Client Registration Endpoint. |
| request_parameter_supported | boolean | false | none | Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. |
| request_uri_parameter_supported | boolean | false | none | Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. |
| require_request_uri_registration | boolean | false | none | Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. |
| response_modes_supported | [string] | false | none | JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports. |
| response_types_supported | [string] | true | none | JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. |
| revocation_endpoint | string | false | none | URL of the authorization server's OAuth 2.0 revocation endpoint. |
| scopes_supported | [string] | false | none | SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used |
| subject_types_supported | [string] | true | none | JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. |
| token_endpoint | string | true | none | URL of the OP's OAuth 2.0 Token Endpoint |
| token_endpoint_auth_methods_supported | [string] | false | none | JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 |
| userinfo_endpoint | string | false | none | URL of the OP's UserInfo Endpoint. |
| userinfo_signing_alg_values_supported | [string] | false | none | JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. |