{
  "openapi": "3.0.1",
  "info": {
    "title": "oxAuth Public Endpoints",
    "description": "oxAuth - OAuth 2.0 server; OpenID Connect Provider (OP). List of Public Endpoints",
    "license": {
      "name": "License",
      "url": "https://github.com/GluuFederation/oxAuth/blob/master/LICENSE"
    },
    "version": "master"
  },
  "servers": [
    {
      "url": "https://dc-api.app.dev.identity-dev.idemia.io",
      "description": "DC APP DEV"
    },
    {
      "url": "https://dc-api.app.test.identity-dev.idemia.io",
      "description": "DC APP TEST"
    },
    {
      "url": "https://dc-api.app.staging.identity-dev.idemia.io",
      "description": "DC APP STAGING"
    }
  ],
  "tags": [
    {
      "name": null,
      "description": "oxAuth is the OpenID Connect Provider (OP) component of the Gluu Platform. It implements the complete OpenID Connect and OAuth 2.0 feature set, including the authorization server, discovery, JWKS, User Info, and session/logout endpoints. This deployment includes IDEMIA-specific customizations and is tightly integrated with oxTrust.\n"
    }
  ],
  "paths": {
    "/oxauth/restv1/authorize": {
      "get": {
        "tags": [
          "Authorization"
        ],
        "summary": "The Authorization Endpoint performs Authentication of the End-User.",
        "description": "End-User Authentication and Authorization is done by sending the User Agent to the Authorization Endpoint using request parameters defined by OAuth 2.0 and OpenID Connect.",
        "operationId": "get_authorize",
        "parameters": [
          {
            "name": "scope",
            "in": "query",
            "required": true,
            "description": "OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "response_type",
            "in": "query",
            "required": true,
            "description": "OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "client_id",
            "in": "query",
            "required": true,
            "description": "OAuth 2.0 Client Identifier valid at the Authorization Server.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "redirect_uri",
            "in": "query",
            "required": true,
            "description": "Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "state",
            "in": "query",
            "required": false,
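            "description": "Opaque value used to maintain state between the request and the callback. Typically used for Cross-Site Request Forgery (CSRF) mitigation by cryptographically binding the value to a browser cookie.",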
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "response_mode",
            "in": "query",
            "required": false,
            "description": "Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "nonce",
            "in": "query",
            "required": false,
            "description": "String value used to associate a Client session with an ID Token, and to mitigate replay attacks.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "display",
            "in": "query",
            "required": false,
            "description": "ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "prompt",
            "in": "query",
            "required": false,
            "description": "Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are: none, login, consent, select_account.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "max_age",
            "in": "query",
            "required": false,
            "description": "Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.",
            "schema": {
              "type": "integer"
            }
          },
          {
            "name": "ui_locales",
            "in": "query",
            "required": false,
            "description": "End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "id_token_hint",
            "in": "query",
            "required": false,
            "description": "ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "login_hint",
            "in": "query",
            "required": false,
            "description": "Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). The login hint may be the End-User’s email address.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "acr_values",
            "in": "query",
            "required": false,
            "description": "Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "amr_values",
            "in": "query",
            "required": false,
            "description": "Authentication Methods References (AMR) values.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "request",
            "in": "query",
            "required": false,
            "description": "This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value. It represents the request as a JWT whose Claims are the request parameters.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "request_uri",
            "in": "query",
            "required": false,
            "description": "This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "request_session_id",
            "in": "query",
            "required": false,
            "description": "Request session id.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "session_id",
            "in": "query",
            "required": false,
            "description": "Session id of this call.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "origin_headers",
            "in": "query",
            "required": false,
            "description": "Origin headers. Used in custom workflows.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "code_challenge",
            "in": "query",
            "required": false,
            "description": "PKCE (Proof Key for Code Exchange, RFC 7636) code challenge, derived from the client's code verifier.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "code_challenge_method",
            "in": "query",
            "required": false,
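            "description": "PKCE code challenge method used to derive the code challenge from the code verifier. RFC 7636 defines the values plain and S256.",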
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "custom_response_headers",
            "in": "query",
            "required": false,
            "description": "Custom Response Headers.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "claims",
            "in": "query",
            "required": false,
            "description": "Requested Claims.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "auth_req_id",
            "in": "query",
            "required": false,
            "description": "CIBA authentication request Id.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "rp_name",
            "in": "query",
            "required": false,
            "description": "Relying Party name, displayed on the QR code scanning screen and in the app request card during login.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "rp_client_logo_url",
            "in": "query",
            "required": false,
            "description": "URL to the Relying Party’s custom logo in SVG format (must have the .svg file extension), displayed on the QR code scanning screen and in the app request card during login.",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {}
          },
          "302": {
            "description": "Error codes for authorization endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "title": "AuthorizeError",
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "unauthorized_client",
                        "disabled_client",
                        "access_denied",
                        "retry",
                        "unsupported_response_type",
                        "invalid_scope",
                        "server_error",
                        "temporarily_unavailable",
                        "invalid_request_redirect_uri",
                        "login_required",
                        "session_selection_required",
                        "consent_required",
                        "user_mismatched",
                        "request_not_supported",
                        "request_uri_not_supported",
                        "invalid_request_uri",
                        "invalid_request_object",
                        "authentication_session_invalid",
                        "invalid_authentication_method"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/InvalidRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      },
      "post": {
        "tags": [
          "Authorization"
        ],
        "summary": "The Authorization Endpoint performs Authentication of the End-User.",
        "description": "End-User Authentication and Authorization is done by sending the User Agent to the Authorization Endpoint using request parameters defined by OAuth 2.0 and OpenID Connect.",
        "operationId": "post_authorize",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "scope",
                  "response_type",
                  "client_id",
                  "redirect_uri"
                ],
                "properties": {
                  "scope": {
                    "type": "string",
                    "description": "OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present."
                  },
                  "response_type": {
                    "type": "string",
                    "description": "OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used."
                  },
                  "client_id": {
                    "type": "string",
                    "description": "OAuth 2.0 Client Identifier valid at the Authorization Server."
                  },
                  "redirect_uri": {
                    "type": "string",
                    "description": "Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider."
                  },
                  "state": {
                    "type": "string",
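                    "description": "Opaque value used to maintain state between the request and the callback. Typically used for Cross-Site Request Forgery (CSRF) mitigation by cryptographically binding the value to a browser cookie."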
                  },
                  "response_mode": {
                    "type": "string",
                    "description": "Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint."
                  },
                  "nonce": {
                    "type": "string",
                    "description": "String value used to associate a Client session with an ID Token, and to mitigate replay attacks."
                  },
                  "display": {
                    "type": "string",
                    "description": "ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User."
                  },
                  "prompt": {
                    "type": "string",
                    "description": "Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent."
                  },
                  "max_age": {
                    "type": "integer",
                    "description": "Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP."
                  },
                  "ui_locales": {
                    "type": "string",
                    "description": "End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.",
                    "example": "\"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation)."
                  },
                  "id_token_hint": {
                    "type": "string",
                    "description": "ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response."
                  },
                  "login_hint": {
                    "type": "string",
                    "description": "Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). The login hint may be the End-User’s email address."
                  },
                  "acr_values": {
                    "type": "string",
                    "description": "Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference."
                  },
                  "amr_values": {
                    "type": "string",
                    "description": "Authentication Methods References (AMR) values."
                  },
                  "request": {
                    "type": "string",
                    "description": "This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value. It represents the request as a JWT whose Claims are the request parameters."
                  },
                  "request_uri": {
                    "type": "string",
                    "description": "This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters."
                  },
                  "request_session_id": {
                    "type": "string",
                    "description": "Request session id."
                  },
                  "session_id": {
                    "type": "string",
                    "description": "Session id of this call."
                  },
                  "origin_headers": {
                    "type": "string",
                    "description": "Origin headers. Used in custom workflows."
                  },
                  "code_challenge": {
                    "type": "string",
                    "description": "PKCE (Proof Key for Code Exchange, RFC 7636) code challenge, derived from the client's code verifier."
                  },
                  "code_challenge_method": {
                    "type": "string",
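                    "description": "PKCE code challenge method used to derive the code challenge from the code verifier. RFC 7636 defines the values plain and S256."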
                  },
                  "custom_response_headers": {
                    "type": "string",
                    "description": "Custom Response Headers."
                  },
                  "claims": {
                    "type": "string",
                    "description": "Requested Claims."
                  },
                  "rp_name": {
                    "type": "string",
                    "description": "Relying Party name, displayed on the QR code scanning screen and in the app request card during login."
                  },
                  "rp_client_logo_url": {
                    "type": "string",
                    "description": "URL to the Relying Party’s custom logo in SVG format (must have the .svg file extension), displayed on the QR code scanning screen and in the app request card during login."
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {}
          },
          "302": {
            "description": "Error codes for authorization endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "title": "AuthorizeError",
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "unauthorized_client",
                        "disabled_client",
                        "access_denied",
                        "retry",
                        "unsupported_response_type",
                        "invalid_scope",
                        "server_error",
                        "temporarily_unavailable",
                        "invalid_request_redirect_uri",
                        "login_required",
                        "session_selection_required",
                        "consent_required",
                        "user_mismatched",
                        "request_not_supported",
                        "request_uri_not_supported",
                        "invalid_request_uri",
                        "invalid_request_object",
                        "authentication_session_invalid",
                        "invalid_authentication_method"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/InvalidRequest"
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/bc-authorize": {
      "post": {
        "tags": [
          "Authorization"
        ],
        "summary": "Performs backchannel authorization of the end-user.",
        "description": "The Backchannel Authentication Endpoint is used to initiate an out-of-band authentication of the end-user.",
        "operationId": "bc-authorize",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "client_id",
                  "scope",
                  "client_notification_token"
                ],
                "properties": {
                  "client_id": {
                    "type": "string",
                    "description": "OAuth 2.0 Client Identifier valid at the Authorization Server."
                  },
                  "scope": {
                    "type": "string",
                    "description": "CIBA authentication requests must contain the openid scope value."
                  },
                  "client_notification_token": {
                    "type": "string",
                    "description": "It is a bearer token provided by the Client that will be used by the OpenID Provider to authenticate the callback request to the Client. It is required if the Client is registered to use Ping or Push modes."
                  },
                  "acr_values": {
                    "type": "string",
                    "description": "Requested Authentication Context Class Reference values."
                  },
                  "login_hint_token": {
                    "type": "string",
                    "description": "A token containing information identifying the end-user for whom authentication is being requested."
                  },
                  "id_token_hint": {
                    "type": "string",
                    "description": "An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom authentication is being requested."
                  },
                  "login_hint": {
                    "type": "string",
                    "description": "A hint to the OpenID Provider regarding the end-user for whom authentication is being requested."
                  },
                  "binding_message": {
                    "type": "string",
                    "description": "A human readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them together for the transaction by way of a visual cue for the end-user."
                  },
                  "user_code": {
                    "type": "string",
                    "description": "A secret code, such as a password or PIN, known only to the user but verifiable by the OP."
                  },
                  "requested_expiry": {
                    "type": "integer",
                    "description": "A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return."
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "Backchannel Authorization",
                  "required": [
                    "AUTH_REQ_ID",
                    "EXPIRES_IN",
                    "INTERVAL"
                  ],
                  "type": "object",
                  "properties": {
                    "AUTH_REQ_ID": {
                      "type": "string"
                    },
                    "EXPIRES_IN": {
                      "type": "integer"
                    },
                    "INTERVAL": {
                      "type": "integer"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "$ref": "#/components/responses/InvalidRequest"
          },
          "401": {
            "description": "Unauthorized CIBA (Client Initiated Backchannel Authentication) access.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "invalid_scope",
                        "expired_login_hint_token",
                        "unknown_user_id",
                        "unauthorized_client",
                        "missing_user_code",
                        "invalid_user_code",
                        "invalid_binding_message",
                        "invalid_client",
                        "unauthorized_end_user_device",
                        "access_denied"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "403": {
            "$ref": "#/components/responses/AccessDenied"
          }
        }
      }
    },
    "/oxauth/restv1/clientinfo": {
      "get": {
        "tags": [
          "Client Info"
        ],
        "summary": "Returns Claims about the registered client.",
        "description": "The ClientInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the registered client.",
        "operationId": "get_clientinfo",
        "parameters": [
          {
            "name": "access_token",
            "in": "query",
            "schema": {
              "type": "string",
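              "description": "Client-specific access token. Sending the token in the URI query can expose it in server logs and browser history (RFC 6750 Section 2.3); sending it in the Authorization header avoids this."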
            }
          },
          {
            "name": "Authorization",
            "in": "header",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "ClientInfoResponse",
                  "description": "Client details in response.",
                  "type": "object",
                  "properties": {
                    "displayName": {
                      "type": "string"
                    },
                    "inum": {
                      "type": "string",
                      "description": "XRI i-number"
                    },
                    "oxAuthAppType": {
                      "type": "string",
                      "description": "oxAuth Application type"
                    },
                    "oxAuthIdTokenSignedResponseAlg": {
                      "type": "string",
                      "description": "oxAuth ID Token Signed Response Algorithm"
                    },
                    "oxAuthRedirectURI": {
                      "type": "array",
                      "description": "Array of redirect URI values used in the Authorization",
                      "items": {
                        "type": "string"
                      }
                    },
                    "oxId": {
                      "type": "string",
                      "example": null,
                      "description": "oxAuth Attribute Scope Id"
                    },
                    "custom_attributes": {
                      "type": "array",
                      "items": {
                        "type": "string"
                      }
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "An invalid request was provided to the endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "invalid_token"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      },
      "post": {
        "tags": [
          "Client Info"
        ],
        "summary": "To get Claims details about the registered client.",
        "description": "The ClientInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the registered client.",
        "operationId": "post_clientinfo",
        "parameters": [
          {
            "name": "Authorization",
            "in": "header",
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "access_token"
                ],
                "properties": {
                  "access_token": {
                    "type": "string",
                    "description": "Client-specific access token."
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "ClientInfoResponse",
                  "description": "Client details in response.",
                  "type": "object",
                  "properties": {
                    "displayName": {
                      "type": "string"
                    },
                    "inum": {
                      "type": "string",
                      "description": "XRI i-number"
                    },
                    "oxAuthAppType": {
                      "type": "string",
                      "description": "oxAuth Application type"
                    },
                    "oxAuthIdTokenSignedResponseAlg": {
                      "type": "string",
                      "description": "oxAuth ID Token Signed Response Algorithm"
                    },
                    "oxAuthRedirectURI": {
                      "type": "array",
                      "description": "Array of redirect URIs values used in the Authorization",
                      "items": {
                        "type": "string"
                      }
                    },
                    "oxId": {
                      "type": "string",
                      "example": null,
                      "description": "oxAuth Attribute Scope Id"
                    },
                    "custom_attributes": {
                      "type": "array",
                      "items": {
                        "type": "string"
                      }
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "An invalid request was provided to the endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "invalid_token"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "/.well-known/openid-configuration": {
      "get": {
        "tags": [
          "OIDC Configuration"
        ],
        "summary": "Gets OpenID Connect configuration data that contains non-standard OpenID Connect discovery metadata.",
        "description": "Returns OpenID Connect Provider metadata as defined by the OpenID Connect Discovery specification. The response contains endpoint URLs, supported scopes, claims, grant types, authentication methods, and cryptographic capabilities of the Gluu oxAuth authorization server.\n",
        "operationId": "well-known-oidc-configuration",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "OpenIDConfigurationResponse",
                  "description": "Client GluuAttribute by Dn(Distinguished Name) based on Authorization Scope.",
                  "required": [
                    "id_generation_endpoint",
                    "introspection_endpoint"
                  ],
                  "type": "object",
                  "properties": {
                    "id_generation_endpoint": {
                      "type": "string"
                    },
                    "introspection_endpoint": {
                      "type": "string"
                    },
                    "auth_level_mapping": {
                      "type": "object",
                      "additionalProperties": {
                        "type": "string",
                        "description": "Additional Custom Acr's map object"
                      }
                    },
                    "scope_to_claims_mapping": {
                      "type": "object",
                      "additionalProperties": {
                        "type": "string",
                        "description": "Scope map object"
                      }
                    }
                  }
                }
              }
            }
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/introspection": {
      "get": {
        "tags": [
          "Token"
        ],
        "summary": "The Introspection OAuth 2 Endpoint.",
        "description": "The Introspection OAuth 2 Endpoint.",
        "operationId": "get-introspection",
        "parameters": [
          {
            "name": "Authorization",
            "in": "header",
            "required": true,
            "description": "Client Authorization details that contains the access token along with other details.",
            "schema": {
              "type": "string"
            },
            "example": "Bearer 23410913-abewfq.123483"
          },
          {
            "name": "token",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            },
            "example": "token=2YotnFZFEjr1zCsicMWpAA"
          },
          {
            "name": "token_type_hint",
            "in": "query",
            "description": "A hint about the type of the token submitted for introspection.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "response_as_jwt",
            "in": "query",
            "description": "OPTIONAL. Boolean value with default value false. If true, returns introspection response as JWT (signed based on client configuration used for authentication to Introspection Endpoint).",
            "schema": {
              "type": "boolean"
            },
            "example": "response_as_jwt=false"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "IntrospectionResponse",
                  "description": "meta-information about token",
                  "required": [
                    "active"
                  ],
                  "type": "object",
                  "properties": {
                    "active": {
                      "type": "boolean",
                      "description": "Boolean indicator of whether or not the presented token is currently active.",
                      "example": true
                    },
                    "scope": {
                      "type": "array",
                      "description": "Provide list of scopes to which access was granted for this resource.",
                      "example": [
                        "read write dolphin"
                      ],
                      "items": {
                        "type": "string"
                      }
                    },
                    "client_id": {
                      "type": "string",
                      "description": "Client identifier for the OAuth 2.0 client that requested this token.",
                      "example": "1238j323ds-23ij4"
                    },
                    "username": {
                      "type": "string",
                      "description": "Human-readable identifier for the resource owner who authorized this token.",
                      "example": "jdoe"
                    },
                    "token_type": {
                      "type": "string",
                      "description": "Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].",
                      "example": "bearer, mac"
                    },
                    "exp": {
                      "type": "integer",
                      "description": "Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire."
                    },
                    "iat": {
                      "type": "integer",
                      "example": "Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued."
                    },
                    "sub": {
                      "type": "string",
                      "description": "Subject of the token, as defined in JWT [RFC7519].",
                      "example": "Z5O3upPC88QrAjx00dis"
                    },
                    "aud": {
                      "type": "string",
                      "description": "Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].",
                      "example": "https://protected.example.net/resource"
                    },
                    "iss": {
                      "type": "string",
                      "description": "String representing the issuer of this token, as defined in JWT [RFC7519].",
                      "example": "https://server.example.com/"
                    },
                    "acr_values": {
                      "type": "string",
                      "description": "Authentication Context Class Reference values."
                    },
                    "jti": {
                      "type": "string",
                      "description": "String identifier for the token, as defined in JWT."
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "Error codes for introspection endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "title": "AuthorizeError",
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "unauthorized_client",
                        "disabled_client",
                        "access_denied",
                        "retry",
                        "unsupported_response_type",
                        "invalid_scope",
                        "server_error",
                        "temporarily_unavailable",
                        "invalid_request_redirect_uri",
                        "login_required",
                        "session_selection_required",
                        "consent_required",
                        "user_mismatched",
                        "invalid_request_uri",
                        "invalid_request_object",
                        "authentication_session_invalid",
                        "invalid_authentication_method"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      },
      "post": {
        "tags": [
          "Token"
        ],
        "summary": "The Introspection OAuth 2 Endpoint.",
        "description": "The Introspection OAuth 2 Endpoint.",
        "operationId": "post-introspection",
        "parameters": [
          {
            "name": "Authorization",
            "in": "header",
            "required": true,
            "description": "Client Authorization details that contains the access token along with other details.",
            "schema": {
              "type": "string"
            },
            "example": "Bearer 23410913-abewfq.123483"
          }
        ],
        "requestBody": {
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "token"
                ],
                "properties": {
                  "token": {
                    "type": "string",
                    "description": "Client access token.",
                    "example": "token=2YotnFZFEjr1zCsicMWpAA"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "IntrospectionResponse",
                  "description": "meta-information about token",
                  "required": [
                    "active"
                  ],
                  "type": "object",
                  "properties": {
                    "active": {
                      "type": "boolean",
                      "description": "Boolean indicator of whether or not the presented token is currently active.",
                      "example": true
                    },
                    "scope": {
                      "type": "array",
                      "description": "Provide list of scopes to which access was granted for this resource.",
                      "example": [
                        "read write dolphin"
                      ],
                      "items": {
                        "type": "string"
                      }
                    },
                    "client_id": {
                      "type": "string",
                      "description": "Client identifier for the OAuth 2.0 client that requested this token.",
                      "example": "1238j323ds-23ij4"
                    },
                    "username": {
                      "type": "string",
                      "description": "Human-readable identifier for the resource owner who authorized this token.",
                      "example": "jdoe"
                    },
                    "token_type": {
                      "type": "string",
                      "description": "Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].",
                      "example": "bearer, mac"
                    },
                    "exp": {
                      "type": "integer",
                      "description": "Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire."
                    },
                    "iat": {
                      "type": "integer",
                      "example": "Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued."
                    },
                    "sub": {
                      "type": "string",
                      "description": "Subject of the token, as defined in JWT [RFC7519].",
                      "example": "Z5O3upPC88QrAjx00dis"
                    },
                    "aud": {
                      "type": "string",
                      "description": "Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].",
                      "example": "https://protected.example.net/resource"
                    },
                    "iss": {
                      "type": "string",
                      "description": "String representing the issuer of this token, as defined in JWT [RFC7519].",
                      "example": "https://server.example.com/"
                    },
                    "acr_values": {
                      "type": "string",
                      "description": "Authentication Context Class Reference values."
                    },
                    "jti": {
                      "type": "string",
                      "description": "String identifier for the token, as defined in JWT."
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "Error codes for introspection endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "title": "AuthorizeError",
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request",
                        "unauthorized_client",
                        "disabled_client",
                        "access_denied",
                        "retry",
                        "unsupported_response_type",
                        "invalid_scope",
                        "server_error",
                        "temporarily_unavailable",
                        "invalid_request_redirect_uri",
                        "login_required",
                        "session_selection_required",
                        "consent_required",
                        "user_mismatched",
                        "invalid_request_uri",
                        "invalid_request_object",
                        "authentication_session_invalid",
                        "invalid_authentication_method"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/jwks": {
      "get": {
        "tags": [
          "JWK - JSON Web Key Set (JWKs)"
        ],
        "summary": "A JSON Web Key (JWK) used by server. JWK is a JSON data structure that represents a set of public keys as a JSON object [RFC4627].",
        "description": "Provides list of JWK used by server.",
        "operationId": "jwks",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "WebKeysConfiguration",
                  "required": [
                    "keys"
                  ],
                  "type": "object",
                  "description": "JSON Web Key Set (JWKS) - A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs.",
                  "properties": {
                    "keys": {
                      "type": "array",
                      "description": "List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.",
                      "items": {
                        "$ref": "#/components/schemas/JsonWebKey"
                      }
                    }
                  }
                }
              }
            }
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/revoke": {
      "post": {
        "tags": [
          "Token"
        ],
        "summary": "Used by the RP (Client) to revoke an Access Token or a Refresh Token.",
        "description": "Used by the RP (Client) to revoke an Access Token or a Refresh Token.",
        "operationId": "revoke",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "token"
                ],
                "properties": {
                  "token": {
                    "type": "string",
                    "description": "The token that the client wants to get revoked."
                  },
                  "token_type_hint": {
                    "type": "string",
                    "description": "A hint about the type of the token submitted for revocation."
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "content": {}
            }
          },
          "400": {
            "description": "Invalid parameters provided to endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "unsupported_token_type",
                        "invalid_client",
                        "invalid_request"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "/oxauth/restv1/session_status": {
      "get": {
        "tags": [
          "Session Management"
        ],
        "summary": "Determine current session status.",
        "description": "Determine current session status.",
        "operationId": "session_status",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "SessionStateObject",
                  "type": "object",
                  "properties": {
                    "state": {
                      "type": "string",
                      "description": "String that represents the End-User's login state at the OP. It MUST NOT contain the space (\" \") character."
                    },
                    "auth_time": {
                      "type": "string",
                      "format": "date",
                      "description": "specifies the time at which session was authenticated.",
                      "example": 100000000
                    },
                    "custom_state": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "/oxauth/restv1/revoke_session": {
      "post": {
        "tags": [
          "Session Management"
        ],
        "summary": "Revoke all sessions for user.",
        "description": "Revoke all sessions for user (requires revoke_session scope).",
        "operationId": "revoke-session",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "user_criterion_key",
                  "user_criterion_value"
                ],
                "properties": {
                  "user_criterion_key": {
                    "type": "string",
                    "description": "user criterion key (e.g. uid)"
                  },
                  "user_criterion_value": {
                    "type": "string",
                    "description": "user criterion value (e.g. chris)"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK - Returned whenever the request was processed successfully, whether or not any sessions were found (no error is returned when none are found, so as not to disclose internal information)."
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/end_session": {
      "get": {
        "tags": [
          "Session Management"
        ],
        "summary": "End current session.",
        "description": "End current session.",
        "operationId": "end_session",
        "parameters": [
          {
            "name": "id_token_hint",
            "in": "query",
            "description": "Previously issued ID Token (id_token) passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "post_logout_redirect_uri",
            "in": "query",
            "description": "URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "state",
            "in": "query",
            "description": "Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter. If included in the logout request, the OP passes this value back to the RP using the state query parameter when redirecting the User Agent back to the RP.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "session_id",
            "in": "query",
            "description": "Session Id",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "OK - User redirected to logout page",
            "content": {}
          },
          "302": {
            "$ref": "#/components/responses/Found"
          },
          "400": {
            "description": "Error codes for end session endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "title": "EndSessionError",
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_grant",
                        "invalid_request",
                        "invalid_grant_and_session",
                        "session_not_passed",
                        "post_logout_uri_not_passed",
                        "post_logout_uri_not_associated_with_client"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/token": {
      "post": {
        "tags": [
          "Token"
        ],
        "summary": "Used by the RP (Client) to obtain an Access Token, an ID Token, and optionally a Refresh Token.",
        "description": "Used by the RP (Client) to obtain an Access Token, an ID Token, and optionally a Refresh Token.",
        "operationId": "post-token",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "grant_type"
                ],
                "properties": {
                  "grant_type": {
                    "type": "array",
                    "description": "Provide a list of the OAuth 2.0 grant types that the Client is declaring that it will restrict itself to using.",
                    "example": [
                      "authorization_code",
                      "client_credentials"
                    ],
                    "items": {
                      "type": "string"
                    }
                  },
                  "code": {
                    "type": "string",
                    "description": "Code which is returned by authorization endpoint. (For grant_type=authorization_code)"
                  },
                  "redirect_uri": {
                    "type": "string",
                    "description": "Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider."
                  },
                  "username": {
                    "type": "string",
                    "description": "End-User username."
                  },
                  "password": {
                    "type": "string",
                    "description": "End-User password."
                  },
                  "scope": {
                    "type": "array",
                    "description": "OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.",
                    "items": {
                      "type": "string"
                    }
                  },
                  "assertion": {
                    "type": "string",
                    "description": "Assertion."
                  },
                  "refresh_token": {
                    "type": "string",
                    "description": "Refresh token. (For grant_type=refresh_token)"
                  },
                  "client_id": {
                    "type": "string",
                    "description": "OAuth 2.0 Client Identifier valid at the Authorization Server."
                  },
                  "client_secret": {
                    "type": "string",
                    "description": "The client secret.  The client MAY omit the parameter if the client secret is an empty string."
                  },
                  "code_verifier": {
                    "type": "string",
                    "description": "The client's PKCE code verifier."
                  },
                  "ticket": {
                    "type": "string"
                  },
                  "claim_token": {
                    "type": "string"
                  },
                  "claim_token_format": {
                    "type": "string"
                  },
                  "pct": {
                    "type": "string"
                  },
                  "rpt": {
                    "type": "string"
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "description": "AccessTokenResponse.",
                  "required": [
                    "access_token",
                    "token_type"
                  ],
                  "properties": {
                    "access_token": {
                      "type": "string",
                      "description": "The access token issued by the authorization server."
                    },
                    "token_type": {
                      "type": "string",
                      "description": "The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes)."
                    },
                    "expires_in": {
                      "type": "integer",
                      "description": "The lifetime in seconds of the access token. For example, the value \"3600\" denotes that the access token will expire in one hour from the time the response was generated."
                    },
                    "refresh_token": {
                      "type": "string",
                      "description": "The refresh token, which can be used to obtain new access tokens using the same authorization grant"
                    },
                    "scope": {
                      "type": "array",
                      "example": [
                        "openid",
                        "oxd"
                      ],
                      "items": {
                        "type": "string"
                      }
                    },
                    "id_token": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "Invalid parameters provided to endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_client_metadata",
                        "invalid_token"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "$ref": "#/components/responses/Unauthorized"
          },
          "403": {
            "$ref": "#/components/responses/AccessDenied"
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/userinfo": {
      "get": {
        "tags": [
          "User Info"
        ],
        "summary": "Returns Claims about the authenticated End-User.",
        "description": "Returns Claims about the authenticated End-User.",
        "operationId": "get-userinfo",
        "parameters": [
          {
            "name": "access_token",
            "in": "query",
            "required": true,
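            "description": "OAuth 2.0 Access Token. A token sent in the query string can end up in server logs, browser history and Referer headers; RFC 6750 recommends sending it in the Authorization header instead.",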
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "Authorization",
            "in": "header",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/jwt": {
                "schema": {
                  "title": "User Claims details",
                  "properties": {
                    "sub": {
                      "type": "integer",
                      "example": 248289761001
                    },
                    "name": {
                      "type": "string",
                      "example": "Jane Doe"
                    },
                    "given_name": {
                      "type": "string",
                      "example": "Jane"
                    },
                    "family_name": {
                      "type": "string",
                      "example": "Doe"
                    },
                    "preferred_username": {
                      "type": "string",
                      "example": "j.doe"
                    },
                    "email": {
                      "type": "string",
                      "example": "janedoe@example.com"
                    },
                    "picture": {
                      "type": "string",
                      "example": "http://example.com/janedoe/me.jpg"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "Invalid parameters provided to endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "description": "Unauthorized: the access token is invalid.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_token"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "403": {
            "description": "Forbidden: the access token does not carry the scope required for the request.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "insufficient_scope"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      },
      "post": {
        "tags": [
          "User Info"
        ],
        "summary": "Returns Claims about the authenticated End-User.",
        "description": "Returns Claims about the authenticated End-User.",
        "operationId": "post-userinfo",
        "parameters": [
          {
            "name": "Authorization",
            "in": "header",
            "description": "Client authorization details that contain the access token along with other details.",
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [
                  "access_token"
                ],
                "properties": {
                  "access_token": {
                    "type": "string",
                    "description": "OAuth 2.0 Access Token."
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/jwt": {
                "schema": {
                  "title": "User Claims details",
                  "properties": {
                    "sub": {
                      "type": "integer",
                      "example": 248289761001
                    },
                    "name": {
                      "type": "string",
                      "example": "Jane Doe"
                    },
                    "given_name": {
                      "type": "string",
                      "example": "Jane"
                    },
                    "family_name": {
                      "type": "string",
                      "example": "Doe"
                    },
                    "preferred_username": {
                      "type": "string",
                      "example": "j.doe"
                    },
                    "email": {
                      "type": "string",
                      "example": "janedoe@example.com"
                    },
                    "picture": {
                      "type": "string",
                      "example": "http://example.com/janedoe/me.jpg"
                    }
                  }
                }
              }
            }
          },
          "400": {
            "description": "Invalid parameters provided to endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_request"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "401": {
            "description": "Unauthorized: the access token is invalid.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "invalid_token"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "403": {
            "description": "Forbidden: the access token does not carry the scope required for the request.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "insufficient_scope"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "$ref": "#/components/responses/InternalServerError"
          }
        }
      }
    },
    "/oxauth/restv1/fido/u2f/authentication": {
      "get": {
        "tags": [
          "FIDO U2F"
        ],
        "summary": "Performs FIDO U2F authentication of end-user.",
        "description": "Performs FIDO U2F authentication of end-user.",
        "operationId": "get-fido-u2f-authentication",
        "parameters": [
          {
            "name": "username",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "keyhandle",
            "in": "query",
            "schema": {
              "type": "string",
              "description": "Websafe-base64 encoding of the key handle obtained from the U2F token during registration."
            }
          },
          {
            "name": "application",
            "in": "query",
            "description": "The application id that the RP would like to assert.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "session_id",
            "in": "query",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "AuthenticateRequestMessage",
                  "description": "FIDO U2F device authentication request.",
                  "required": [
                    "version",
                    "challenge",
                    "appId",
                    "keyHandle"
                  ],
                  "type": "object",
                  "properties": {
                    "version": {
                      "type": "string",
                      "description": "Version of the protocol that the to-be-registered U2F token must speak.",
                      "example": "U2F_V2"
                    },
                    "challenge": {
                      "type": "string",
                      "description": "The websafe-base64-encoded challenge."
                    },
                    "appId": {
                      "type": "string",
                      "description": "The application id that the RP would like to assert."
                    },
                    "keyHandle": {
                      "type": "string",
                      "description": "Websafe-base64 encoding of the key handle obtained from the U2F token during registration."
                    }
                  }
                }
              }
            }
          },
          "403": {
            "$ref": "#/components/responses/AccessDenied"
          },
          "404": {
            "description": "Not found: no eligible device is available for authentication.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "no_eligable_devices"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "description": "Internal server error.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "server_error"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      },
      "post": {
        "tags": [
          "FIDO U2F"
        ],
        "summary": "Performs FIDO U2F authentication of end-user.",
        "description": "Performs FIDO U2F authentication of end-user.",
        "operationId": "post-fido-u2f-authentication",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "title": "GetClientTokenParams",
                "required": [
                  "username",
                  "tokenResponse"
                ],
                "type": "object",
                "properties": {
                  "username": {
                    "type": "string"
                  },
                  "tokenResponse": {
                    "type": "object",
                    "properties": {
                      "clientData": {
                        "type": "string",
                        "description": "base64(UTF8(client data))"
                      },
                      "signatureData": {
                        "type": "string",
                        "description": "base64(raw response from U2F device)"
                      },
                      "keyHandle": {
                        "type": "string",
                        "description": "keyHandle originally passed"
                      }
                    }
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "AuthenticateStatus",
                  "description": "FIDO U2F device authentication status.",
                  "required": [
                    "status",
                    "challenge"
                  ],
                  "type": "object",
                  "properties": {
                    "status": {
                      "type": "string",
                      "description": "Status of the FIDO U2F authentication.",
                      "example": "U2F_V2"
                    },
                    "challenge": {
                      "type": "string",
                      "description": "The websafe-base64-encoded challenge."
                    }
                  }
                }
              }
            }
          },
          "403": {
            "description": "Forbidden: the session has expired, the request is invalid, or the device is reported as compromised.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "session_expired",
                        "invalid_request",
                        "device_compromised"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "description": "Internal server error.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "server_error"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "/oxauth/restv1/fido-configuration": {
      "get": {
        "tags": [
          "FIDO U2F"
        ],
        "summary": "Returns FIDO U2F configuration data.",
        "description": "Returns FIDO U2F configuration data.",
        "operationId": "fido-configuration",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "U2fConfiguration",
                  "description": "FIDO U2F Configuration.",
                  "required": [
                    "version",
                    "issuer"
                  ],
                  "properties": {
                    "version": {
                      "type": "string",
                      "description": "The version of the FIDO U2F core protocol to which this server conforms. The value MUST be the string 1.0."
                    },
                    "issuer": {
                      "type": "string",
                      "description": "A URI indicating the party operating the FIDO U2F server."
                    },
                    "registration_endpoint": {
                      "type": "string"
                    },
                    "authentication_endpoint": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "403": {
            "$ref": "#/components/responses/AccessDenied"
          },
          "500": {
            "description": "Internal server error.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "server_error"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "/oxauth/restv1/fido/u2f/registration": {
      "get": {
        "tags": [
          "FIDO U2F"
        ],
        "summary": "U2F device registration.",
        "description": "U2F device registration.",
        "operationId": "get-fido-u2f-registration",
        "parameters": [
          {
            "name": "username",
            "in": "query",
            "required": true,
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "application",
            "in": "query",
            "description": "The application id that the RP would like to assert.",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "session_id",
            "in": "query",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "enrollment_code",
            "in": "query",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "RegisterRequestMessage",
                  "description": "RegisterRequestMessage",
                  "required": [
                    "authenticateRequests",
                    "registerRequests"
                  ],
                  "type": "object",
                  "properties": {
                    "authenticateRequests": {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "description": "list of AuthenticateRequest",
                        "properties": {
                          "version": {
                            "type": "string",
                            "description": "Version of the protocol that the to-be-registered U2F token must speak.",
                            "example": "U2F_V2"
                          },
                          "challenge": {
                            "type": "string",
                            "description": "The websafe-base64-encoded challenge."
                          },
                          "appId": {
                            "type": "string",
                            "description": "The application id that the RP would like to assert."
                          },
                          "keyHandle": {
                            "type": "string",
                            "description": "websafe-base64 encoding of the key handle obtained from the U2F token during registration"
                          }
                        }
                      }
                    },
                    "registerRequests": {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "description": "list of RegisterRequest",
                        "properties": {
                          "version": {
                            "type": "string",
                            "description": "Version of the protocol that the to-be-registered U2F token must speak.",
                            "example": "U2F_V2"
                          },
                          "challenge": {
                            "type": "string",
                            "description": "The websafe-base64-encoded challenge."
                          },
                          "appId": {
                            "type": "string",
                            "description": "The application id that the RP would like to assert."
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          },
          "403": {
            "$ref": "#/components/responses/AccessDenied"
          },
          "406": {
            "description": "Not acceptable: registration is not allowed.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "registration_not_allowed"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "description": "Internal server error.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "server_error"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      },
      "post": {
        "tags": [
          "FIDO U2F"
        ],
        "summary": "U2F device registration.",
        "description": "U2F device registration.",
        "operationId": "post-fido-u2f-registration",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "title": "RegisterSiteParams",
                "required": [
                  "username"
                ],
                "type": "object",
                "properties": {
                  "username": {
                    "type": "string"
                  },
                  "tokenResponse": {
                    "type": "object",
                    "description": "FIDO U2F device registration details",
                    "properties": {
                      "registrationData": {
                        "type": "string"
                      },
                      "clientData": {
                        "type": "string"
                      },
                      "deviceData": {
                        "type": "string"
                      }
                    }
                  }
                }
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "title": "RegisterStatus",
                  "description": "RegisterRequestMessage",
                  "type": "object",
                  "properties": {
                    "status": {
                      "type": "string"
                    },
                    "challenge": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "403": {
            "description": "Invalid parameters provided to endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "session_expired",
                        "invalid_request"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "406": {
            "description": "Invalid parameters provided to endpoint.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "registration_not_allowed"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "description": "Internal server error.",
            "content": {
              "application/json": {
                "schema": {
                  "type": "object",
                  "required": [
                    "error",
                    "error_description"
                  ],
                  "properties": {
                    "error": {
                      "type": "string",
                      "format": "enum",
                      "example": [
                        "server_error"
                      ]
                    },
                    "error_description": {
                      "type": "string"
                    },
                    "details": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "responses": {
      "Found": {
        "description": "Resource Found.",
        "content": {}
      },
      "InvalidRequest": {
        "description": "Invalid parameters were provided to the endpoint.",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorResponse"
            }
          }
        }
      },
      "Unauthorized": {
        "description": "Unauthorized access request.",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorResponse"
            }
          }
        }
      },
      "AccessDenied": {
        "description": "Access denied because the details provided are invalid.",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorResponse"
            }
          }
        }
      },
      "NotFound": {
        "description": "Resource Not Found.",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorResponse"
            }
          }
        }
      },
      "NotAcceptable": {
        "description": "Request Not Acceptable.",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorResponse"
            }
          }
        }
      },
      "InternalServerError": {
        "description": "Internal error occurred. Please check the log file for details.",
        "content": {
          "application/json": {
            "schema": {
              "$ref": "#/components/schemas/ErrorResponse"
            }
          }
        }
      }
    },
    "schemas": {
      "ErrorResponse": {
        "required": [
          "error",
          "error_description"
        ],
        "type": "object",
        "properties": {
          "error": {
            "type": "string"
          },
          "error_description": {
            "type": "string"
          },
          "details": {
            "type": "string"
          }
        }
      },
      "JsonWebKey": {
        "required": [
          "alg",
          "exp",
          "key_ops",
          "kid",
          "kty",
          "use",
          "x5c"
        ],
        "type": "object",
        "properties": {
          "kid": {
            "type": "string"
          },
          "kty": {
            "type": "string"
          },
          "use": {
            "type": "string"
          },
          "alg": {
            "type": "string"
          },
          "crv": {
            "type": "string"
          },
          "exp": {
            "type": "integer",
            "format": "int64"
          },
          "x5c": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "n": {
            "type": "string"
          },
          "e": {
            "type": "string"
          },
          "x": {
            "type": "string"
          },
          "y": {
            "type": "string"
          }
        }
      }
    }
  }
}