All URIs are relative to http://localhost
Method | HTTP request | Description |
---|---|---|
AcceptOAuth2ConsentRequest | Patch /oauth2/consent/requests/{id}/accept | Accept a consent request |
CreateOAuth2Client | Post /clients | Create an OAuth 2.0 client |
DeleteOAuth2Client | Delete /clients/{id} | Deletes an OAuth 2.0 Client |
FlushInactiveOAuth2Tokens | Post /oauth2/flush | Flush Expired OAuth2 Access Tokens |
GetOAuth2Client | Get /clients/{id} | Get an OAuth 2.0 Client. |
GetOAuth2ConsentRequest | Get /oauth2/consent/requests/{id} | Receive consent request information |
GetWellKnown | Get /.well-known/openid-configuration | Server well known configuration |
IntrospectOAuth2Token | Post /oauth2/introspect | Introspect OAuth2 tokens |
ListOAuth2Clients | Get /clients | List OAuth 2.0 Clients |
OauthAuth | Get /oauth2/auth | The OAuth 2.0 authorize endpoint |
OauthToken | Post /oauth2/token | The OAuth 2.0 token endpoint |
RejectOAuth2ConsentRequest | Patch /oauth2/consent/requests/{id}/reject | Reject a consent request |
RevokeOAuth2Token | Post /oauth2/revoke | Revoke OAuth2 tokens |
UpdateOAuth2Client | Put /clients/{id} | Update an OAuth 2.0 Client |
Userinfo | Post /userinfo | OpenID Connect Userinfo |
WellKnown | Get /.well-known/jwks.json | Get Well-Known JSON Web Keys |
AcceptOAuth2ConsentRequest($id, $body)
Accept a consent request
Call this endpoint to accept a consent request. This usually happens when a user agrees to give access rights to an application. The consent request id is usually transmitted via the URL query consent
. For example: http://consent-app.mydomain.com/?consent=1234abcd
The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:oauth2:consent:requests:<request-id>\"], \"actions\": [\"accept\"], \"effect\": \"allow\" }
Name | Type | Description | Notes |
---|---|---|---|
id | string | ||
body | ConsentRequestAcceptance |
void (empty response body)
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OAuth2Client CreateOAuth2Client($body)
Create an OAuth 2.0 client
Create a new OAuth 2.0 client If you pass client_secret
the secret will be used, otherwise a random secret will be generated. The secret will be returned in the response and you will not be able to retrieve it later on. Write the secret down and keep it somwhere safe. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"create\"], \"effect\": \"allow\" }
Additionally, the context key "owner" is set to the owner of the client, allowing policies such as: { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"create\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } }
Name | Type | Description | Notes |
---|---|---|---|
body | OAuth2Client |
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
DeleteOAuth2Client($id)
Deletes an OAuth 2.0 Client
Delete an existing OAuth 2.0 Client by its ID. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"delete\"], \"effect\": \"allow\" }
Additionally, the context key "owner" is set to the owner of the client, allowing policies such as: { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"delete\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } }
Name | Type | Description | Notes |
---|---|---|---|
id | string | The id of the OAuth 2.0 Client. |
void (empty response body)
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
FlushInactiveOAuth2Tokens($body)
Flush Expired OAuth2 Access Tokens
This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted automatically when performing the refresh flow. { \"resources\": [\"rn:hydra:oauth2:tokens\"], \"actions\": [\"flush\"], \"effect\": \"allow\" }
Name | Type | Description | Notes |
---|---|---|---|
body | FlushInactiveOAuth2TokensRequest | [optional] |
void (empty response body)
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OAuth2Client GetOAuth2Client($id)
Get an OAuth 2.0 Client.
Get an OAUth 2.0 client by its ID. This endpoint never returns passwords. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"get\"], \"effect\": \"allow\" }
Additionally, the context key "owner" is set to the owner of the client, allowing policies such as: { \"resources\": [\"rn:hydra:clients:<some-id>\"], \"actions\": [\"get\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } }
Name | Type | Description | Notes |
---|---|---|---|
id | string | The id of the OAuth 2.0 Client. |
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OAuth2ConsentRequest GetOAuth2ConsentRequest($id)
Receive consent request information
Call this endpoint to receive information on consent requests. The consent request id is usually transmitted via the URL query consent
. For example: http://consent-app.mydomain.com/?consent=1234abcd
The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:oauth2:consent:requests:<request-id>\"], \"actions\": [\"get\"], \"effect\": \"allow\" }
Name | Type | Description | Notes |
---|---|---|---|
id | string | The id of the OAuth 2.0 Consent Request. |
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
WellKnown GetWellKnown()
Server well known configuration
The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html
This endpoint does not need any parameter.
No authorization required
- Content-Type: application/json, application/x-www-form-urlencoded
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OAuth2TokenIntrospection IntrospectOAuth2Token($token, $scope)
Introspect OAuth2 tokens
The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting accessTokenExtra
during the consent flow. { \"resources\": [\"rn:hydra:oauth2:tokens\"], \"actions\": [\"introspect\"], \"effect\": \"allow\" }
Name | Type | Description | Notes |
---|---|---|---|
token | string | The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. This endpoint DOES NOT accept refresh tokens for validation. | |
scope | string | An optional, space separated list of required scopes. If the access token was not granted one of the scopes, the result of active will be false. | [optional] |
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
[]OAuth2Client ListOAuth2Clients($limit, $offset)
List OAuth 2.0 Clients
This endpoint lists all clients in the database, and never returns client secrets. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"get\"], \"effect\": \"allow\" }
Name | Type | Description | Notes |
---|---|---|---|
limit | int64 | The maximum amount of policies returned. | [optional] |
offset | int64 | The offset from where to start looking. | [optional] |
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OauthAuth()
The OAuth 2.0 authorize endpoint
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists. To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
This endpoint does not need any parameter.
void (empty response body)
No authorization required
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OauthTokenResponse OauthToken()
The OAuth 2.0 token endpoint
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists. To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749
This endpoint does not need any parameter.
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
RejectOAuth2ConsentRequest($id, $body)
Reject a consent request
Call this endpoint to reject a consent request. This usually happens when a user denies access rights to an application. The consent request id is usually transmitted via the URL query consent
. For example: http://consent-app.mydomain.com/?consent=1234abcd
The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:oauth2:consent:requests:<request-id>\"], \"actions\": [\"reject\"], \"effect\": \"allow\" }
Name | Type | Description | Notes |
---|---|---|---|
id | string | ||
body | ConsentRequestRejection |
void (empty response body)
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
RevokeOAuth2Token($token)
Revoke OAuth2 tokens
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it.
Name | Type | Description | Notes |
---|---|---|---|
token | string |
void (empty response body)
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
OAuth2Client UpdateOAuth2Client($id, $body)
Update an OAuth 2.0 Client
Update an existing OAuth 2.0 Client. If you pass client_secret
the secret will be updated and returned via the API. This is the only time you will be able to retrieve the client secret, so write it down and keep it safe. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components. The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"update\"], \"effect\": \"allow\" }
Additionally, the context key "owner" is set to the owner of the client, allowing policies such as: { \"resources\": [\"rn:hydra:clients\"], \"actions\": [\"update\"], \"effect\": \"allow\", \"conditions\": { \"owner\": { \"type\": \"EqualsSubjectCondition\" } } }
Name | Type | Description | Notes |
---|---|---|---|
id | string | ||
body | OAuth2Client |
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
UserinfoResponse Userinfo()
OpenID Connect Userinfo
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 access token. The endpoint implements http://openid.net/specs/openid-connect-core-1_0.html#UserInfo .
This endpoint does not need any parameter.
- Content-Type: application/json, application/x-www-form-urlencoded
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]
JsonWebKeySet WellKnown()
Get Well-Known JSON Web Keys
Returns metadata for discovering important JSON Web Keys. Currently, this endpoint returns the public key for verifying OpenID Connect ID Tokens. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well. The subject making the request needs to be assigned to a policy containing: { \"resources\": [\"rn:hydra:keys:hydra.openid.id-token:public\"], \"actions\": [\"GET\"], \"effect\": \"allow\" }
This endpoint does not need any parameter.
- Content-Type: application/json
- Accept: application/json
[Back to top] [Back to API list] [Back to Model list] [Back to README]