Oauth 2.0 OpenID连接的Swagger规范
由于OpenIDConnect使用HTTP、头文件、查询字符串等,因此我希望获得一个Swagger/OpenAPI规范作为文档。 我曾试图找到它,但没有成功 你知道在哪里可以找到它吗 /Joacim来源 如果你向下滚动,他们的招摇过市界面也会向上Oauth 2.0 OpenID连接的Swagger规范,oauth-2.0,identityserver4,openid-connect,Oauth 2.0,Identityserver4,Openid Connect,由于OpenIDConnect使用HTTP、头文件、查询字符串等,因此我希望获得一个Swagger/OpenAPI规范作为文档。 我曾试图找到它,但没有成功 你知道在哪里可以找到它吗 /Joacim来源 如果你向下滚动,他们的招摇过市界面也会向上 在30K字符限制下被切断你能为OpenID连接流找到好的招摇过市规范吗?不,我没有,我自己开始破解一个,但不完整,也不在招摇过市UI中工作。如果您有任何想法,请让我知道:)这是我的OAuth2规范版本,用于授权代码授予: swagger: '2.0
在30K字符限制下被切断你能为OpenID连接流找到好的招摇过市规范吗?不,我没有,我自己开始破解一个,但不完整,也不在招摇过市UI中工作。如果您有任何想法,请让我知道:)这是我的OAuth2规范版本,用于授权代码授予:
swagger: '2.0'
info:
description: >-
Gravitee.io - Access Management - OpenID Connect API.
Defines The OpenID Connect Endpoints exposed by AM server.
version: 2.8.0
title: Gravitee.io - Access Management - OpenID Connect API
contact:
email: contact@graviteesource.com
license:
name: Apache 2.0
url: 'http://www.apache.org/licenses/LICENSE-2.0.html'
host: auth.gravitee.io
basePath: /{domain}/oidc
schemes:
- https
paths:
/.well-known/openid-configuration:
get:
tags:
- OpenID Connect
summary: Get OpenID Provider configuration information
description: Discovery endpoint used by OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.
produces:
- application/json
responses:
'200':
description: The OpenID Provider Metadata values
schema:
$ref: '#/definitions/OpenIDProviderMetadataResponse'
/.well-known/jwks.json:
get:
tags:
- OpenID Connect
summary: Get JSON Web Key Set
description: JWKS endpoint containing the public keys used by OpenID Connect Relying Party to verify any JWT issued by the authorization server.
produces:
- application/json
responses:
'200':
description: A JSON object that represents a set of JWKs
schema:
$ref: '#/definitions/JWKSetResponse'
/userinfo:
get:
tags:
- OpenID Connect
summary: Get claims about the authenticated End-User
description: The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User.
produces:
- application/json
parameters:
- in: header
name: Authorization
description: To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication
type: string
required: true
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'200':
description: Claims about the authenticated End-User
schema:
$ref: '#/definitions/UserInfoResponse'
post:
tags:
- OpenID Connect
summary: Get claims about the authenticated End-User
description: The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User.
consumes:
- application/x-www-form-urlencoded
produces:
- application/json
parameters:
- in: formData
name: access_token
description: To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication
type: string
required: true
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'200':
description: Claims about the authenticated End-User
schema:
$ref: '#/definitions/UserInfoResponse'
/register:
post:
tags:
- OpenID Connect
summary: Register (create) a new client.
description: The Dynamic Client Registration (dcr) Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested.
consumes:
- application/json
produces:
- application/json
parameters:
- in: header
name: Authorization
description: Bearer token obtained through client crendentials flow with as mandatory scope "dcr_admin". Token required unless open dynamic client registration is enabled.
type: string
required: false
- in: body
name: request
schema:
$ref: '#/definitions/ClientRegistrationRequest'
required: true
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'403':
description: Registration forbidden
'201':
description: Claims about the registred client
schema:
$ref: '#/definitions/ClientRegistrationResponse'
/register/{client_id}:
get:
tags:
- OpenID Connect
summary: Get a registred client.
description: See information about a registred client.
produces:
- application/json
parameters:
- in: header
name: Authorization
description: Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
type: string
required: true
- in: path
name: client_id
type: string
required: true
description: ID of the client
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'403':
description: Access forbidden
'200':
description: Claims about the registred client.
schema:
$ref: '#/definitions/ClientRegistrationResponse'
patch:
tags:
- OpenID Connect
summary: Patch a registred client.
description: Update information about a registred client.
consumes:
- application/json
produces:
- application/json
parameters:
- in: header
name: Authorization
description: Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
type: string
required: true
- in: path
name: client_id
type: string
required: true
description: ID of the client
- in: body
name: request
schema:
$ref: '#/definitions/ClientRegistrationRequest'
required: true
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'403':
description: Access forbidden
'200':
description: Claims about the updated client.
schema:
$ref: '#/definitions/ClientRegistrationResponse'
delete:
tags:
- OpenID Connect
summary: Delete a registred client.
description: Delete a registred client.
parameters:
- in: header
name: Authorization
description: Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
type: string
required: true
- in: path
name: client_id
type: string
required: true
description: ID of the client
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'403':
description: Access forbidden
'204':
description: Client deleted
schema:
$ref: '#/definitions/ClientRegistrationResponse'
/register/{client_id}/renew_secret:
post:
tags:
- OpenID Connect
summary: Renew the client secret of a registred client.
description: Renew the client secret of a registred client.
produces:
- application/json
parameters:
- in: header
name: Authorization
description: Bearer token obtained on the register process through the registration_access_token property giving access only to one client matching the client_id path parameter. An admin token can be also obtained through the client crendentials flow with as mandatory scope "dcr_admin".
type: string
required: true
- in: path
name: client_id
type: string
required: true
description: ID of the client
responses:
'400':
description: Invalid Request
'401':
description: Invalid Token
'403':
description: Access forbidden
'200':
description: Claims about the updated client.
schema:
$ref: '#/definitions/ClientRegistrationResponse'
securityDefinitions:
client_auth:
type: basic
description: Base64(clientId:clientSecret)
definitions:
OpenIDProviderMetadataResponse:
type: object
properties:
issuer:
type: string
description: REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier
authorization_endpoint:
type: string
description: REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint
token_endpoint:
type: string
description: URL of the OP's OAuth 2.0 Token Endpoint
userinfo_endpoint:
type: string
description: RECOMMENDED. URL of the OP's UserInfo Endpoint
jwks_uri:
type: string
description: REQUIRED. URL of the OP's JSON Web Key Set [JWK] document.
registration_endpoint:
type: string
description: RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint
scopes_supported:
type: string
description: RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports
response_types_supported:
type: string
description: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports
response_modes_supported:
type: string
description: OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports
grant_types_supported:
type: string
description: OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports
acr_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports
subject_types_supported:
type: string
description: REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports
id_token_signing_alg_values_supported:
type: string
description: REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT
id_token_encryption_alg_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT
id_token_encryption_enc_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT
userinfo_signing_alg_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT
userinfo_encryption_alg_values_supported:
type: string
description: ROPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT
userinfo_encryption_enc_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT
request_object_signing_alg_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects
request_object_encryption_alg_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects
request_object_encryption_enc_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects
token_endpoint_auth_methods_supported:
type: string
description: OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint
token_endpoint_auth_signing_alg_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT
display_values_supported:
type: string
description: OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports
claim_types_supported:
type: string
description: OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports
claims_supported:
type: string
description: RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for
service_documentation:
type: string
description: OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider
claims_locales_supported:
type: string
description: OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 [RFC5646] language tag values
ui_locales_supported:
type: string
description: OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values
claims_parameter_supported:
type: boolean
description: OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false
request_parameter_supported:
type: boolean
description: OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. If omitted, the default value is false
request_uri_parameter_supported:
type: boolean
description: OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true
require_request_uri_registration:
type: boolean
description: OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter
op_policy_uri:
type: string
description: OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP
op_tos_uri:
type: boolean
description: OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service
UserInfoResponse:
type: object
properties:
sub:
type: string
description: Subject - Identifier for the End-User at the Issuer
name:
type: string
description: End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences
given_name:
type: string
description: Given name(s) or first name(s) of the End-User
family_name:
type: string
description: Surname(s) or last name(s) of the End-User
middle_name:
type: string
description: Middle name(s) of the End-User
nickname:
type: string
description: Casual name of the End-User that may or may not be the same as the given_name
preferred_username:
type: string
description: Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe
profile:
type: string
description: URL of the End-User's profile page
picture:
type: string
description: URL of the End-User's profile picture
website:
type: string
description: URL of the End-User's Web page or blog
email:
type: string
description: End-User's preferred e-mail address
email_verified:
type: boolean
description: User at the time the verification was performed
gender:
type: string
description: End-User's gender
birthdate:
type: string
description: End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format
zoneinfo:
type: string
description: String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone
locale:
type: string
description: End-User's locale, represented as a BCP47 [RFC5646] language tag
phone_number:
type: string
description: End-User's preferred telephone number
phone_number_verified:
type: boolean
description: User at the time the verification was performed
address:
type: string
description: End-User's preferred postal address
updated_at:
type: integer
description: Time the End-User's information was last updated
JWKSetResponse:
type: object
properties:
keys:
type: array
description: The value of the "keys" parameter is an array of JWK values
items:
$ref: '#/definitions/JWKResponse'
JWKResponse:
type: object
properties:
kty:
type: string
description: The "kty" (key type) parameter identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
use:
type: string
description: The "use" (public key use) parameter identifies the intended use of the public key
key_ops:
type: string
description: The "key_ops" (key operations) parameter identifies the operation(s) for which the key is intended to be used
alg:
type: string
description: The "alg" (algorithm) parameter identifies the algorithm intended for use with the key
kid:
type: string
description: The "kid" (key ID) parameter is used to match a specific key
x5u:
type: string
description: The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a resource for an X.509 public key certificate or certificate chain [RFC5280]
x5c:
type: string
description: The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]
x5t:
type: string
description: The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
x5t#S256:
type: string
description: The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]
ClientRegistrationRequest:
type: object
required:
- redirect_uris
properties:
redirect_uris:
type: array
description: REQUIRED. Array of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request
items:
type: string
response_types:
type: array
description: JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.
items:
type: string
grant_types:
type: array
description: JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Values used by OpenID Connect are authorization_code, implicit and refresh_token
items:
type: string
application_type:
type: string
description: Kind of the application. The default, if omitted, is web. The defined values are native or web.
contacts:
type: array
description: Array of e-mail addresses of people responsible for this Client. This might be used by some providers to enable a Web user interface to modify the Client information.
items:
type: string
client_name:
type: string
description: Name of the Client to be presented to the End-User.
logo_uri:
type: string
description: URL that references a logo for the Client application.
client_uri:
type: string
description: URL of the home page of the Client. The value of this field MUST point to a valid Web page.
policy_uri:
type: string
description: URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
tos_uri:
type: string
description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
jwks_uri:
type: string
description: URL for the Client's JSON Web Key Set [JWK] document.
jwks:
$ref: '#/definitions/JWKSetResponse'
description: Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference.
sector_identifier_uri:
type: string
description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values.
subject_type:
type: string
description: subject_type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public.
id_token_signed_response_alg:
type: string
description: JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
id_token_encrypted_response_alg:
type: string
description: JWE alg algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If this is requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that no encryption is performed.
id_token_encrypted_response_enc:
type: string
description: JWE enc algorithm [JWA] REQUIRED for encrypting the ID Token issued to this Client. If id_token_encrypted_response_alg is specified, the default for this value is A128CBC-HS256. When id_token_encrypted_response_enc is included, id_token_encrypted_response_alg MUST also be provided.
userinfo_signed_response_alg:
type: string