All URIs are relative to http://localhost
Method | HTTP request | Description |
---|---|---|
AcceptConsentRequest | Put /oauth2/auth/requests/consent/{challenge}/accept | Accept a consent request |
AcceptLoginRequest | Put /oauth2/auth/requests/login/{challenge}/accept | Accept a login request |
CreateOAuth2Client | Post /clients | Create an OAuth 2.0 client |
DeleteOAuth2Client | Delete /clients/{id} | Deletes an OAuth 2.0 Client |
FlushInactiveOAuth2Tokens | Post /oauth2/flush | Flush Expired OAuth2 Access Tokens |
GetConsentRequest | Get /oauth2/auth/requests/consent/{challenge} | Get consent request information |
GetLoginRequest | Get /oauth2/auth/requests/login/{challenge} | Get a login request |
GetOAuth2Client | Get /clients/{id} | Get an OAuth 2.0 Client. |
GetWellKnown | Get /.well-known/openid-configuration | Server well known configuration |
IntrospectOAuth2Token | Post /oauth2/introspect | Introspect OAuth2 tokens |
ListOAuth2Clients | Get /clients | List OAuth 2.0 Clients |
OauthAuth | Get /oauth2/auth | The OAuth 2.0 authorize endpoint |
OauthToken | Post /oauth2/token | The OAuth 2.0 token endpoint |
RejectConsentRequest | Put /oauth2/auth/requests/consent/{challenge}/reject | Reject a consent request |
RejectLoginRequest | Put /oauth2/auth/requests/login/{challenge}/reject | Reject a login request |
RevokeOAuth2Token | Post /oauth2/revoke | Revoke OAuth2 tokens |
UpdateOAuth2Client | Put /clients/{id} | Update an OAuth 2.0 Client |
Userinfo | Post /userinfo | OpenID Connect Userinfo |
WellKnown | Get /.well-known/jwks.json | Get Well-Known JSON Web Keys |
CompletedRequest AcceptConsentRequest($challenge, $body)
Accept a consent request
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the user and then tell ORY Hydra about it. If the user authenticated, he/she must now be asked whether the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the user's behalf. The consent provider, which handles this request, is a web app implemented and hosted by you. It shows a user interface which asks the user to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files"). The consent challenge is appended to the consent provider's URL, to which the user's user-agent (browser) is redirected. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra whether the user accepted or rejected the request.
This endpoint tells ORY Hydra that the user has authorized the OAuth 2.0 client to access resources on his/her behalf. The consent provider includes additional information, such as session data for access and ID tokens, and whether the consent request should be used as the basis for future requests. The response contains a redirect URL to which the consent provider should redirect the user-agent.
Name | Type | Description | Notes |
---|---|---|---|
challenge | string | | |
body | AcceptConsentRequest | | [optional] |
No authorization required
- Content-Type: application/json
- Accept: application/json
CompletedRequest AcceptLoginRequest($challenge, $body)
Accept a login request
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider (sometimes called "identity provider") to authenticate the user and then tell ORY Hydra about it. The login provider is a web app you write and host, and it must be able to authenticate ("show the user a login screen") a user (in OAuth2 the proper name for user is "resource owner"). The authentication challenge is appended to the login provider URL, to which the user's user-agent (browser) is redirected. The login provider uses that challenge to fetch information on the OAuth2 request and then accepts or rejects the requested authentication process.
This endpoint tells ORY Hydra that the user has successfully authenticated and includes additional information, such as the user's ID and whether ORY Hydra should remember the user's user agent for future authentication attempts by setting a cookie. The response contains a redirect URL to which the login provider should redirect the user-agent.
Name | Type | Description | Notes |
---|---|---|---|
challenge | string | | |
body | AcceptLoginRequest | | [optional] |
No authorization required
- Content-Type: application/json
- Accept: application/json
OAuth2Client CreateOAuth2Client($body)
Create an OAuth 2.0 client
Create a new OAuth 2.0 client. If you pass client_secret, the secret will be used; otherwise a random secret will be generated. The secret will be returned in the response and you will not be able to retrieve it later on. Write the secret down and keep it somewhere safe. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Name | Type | Description | Notes |
---|---|---|---|
body | OAuth2Client |
No authorization required
- Content-Type: application/json
- Accept: application/json
DeleteOAuth2Client($id)
Deletes an OAuth 2.0 Client
Delete an existing OAuth 2.0 Client by its ID. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Name | Type | Description | Notes |
---|---|---|---|
id | string | The id of the OAuth 2.0 Client. |
void (empty response body)
No authorization required
- Content-Type: application/json
- Accept: application/json
FlushInactiveOAuth2Tokens($body)
Flush Expired OAuth2 Access Tokens
This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which tokens will not be touched, in case you want to keep recent tokens for auditing. Refresh tokens cannot be flushed, as they are deleted automatically when performing the refresh flow.
Name | Type | Description | Notes |
---|---|---|---|
body | FlushInactiveOAuth2TokensRequest | | [optional] |
void (empty response body)
No authorization required
- Content-Type: application/json
- Accept: application/json
ConsentRequest GetConsentRequest($challenge)
Get consent request information
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the user and then tell ORY Hydra about it. If the user authenticated, he/she must now be asked whether the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the user's behalf. The consent provider, which handles this request, is a web app implemented and hosted by you. It shows a user interface which asks the user to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files"). The consent challenge is appended to the consent provider's URL, to which the user's user-agent (browser) is redirected. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra whether the user accepted or rejected the request.
Name | Type | Description | Notes |
---|---|---|---|
challenge | string | | |
No authorization required
- Content-Type: application/json
- Accept: application/json
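The fetch-then-accept exchange described for GetConsentRequest and AcceptConsentRequest, as an added Go example (not code from ORY Hydra or its SDK). It grants only scopes that were both requested by the client and approved by the user; the JSON field names `requested_scope`, `grant_scope` and `redirect_to` are assumptions, since this page does not list the models, and the mock server, its scopes and its URLs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

func call(c *http.Client, method, u, body string, out interface{}) error {
	req, err := http.NewRequest(method, u, strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // anything but 200 is a failure
		return fmt.Errorf("%s %s: HTTP %d", method, u, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// acceptConsent grants only scopes the client requested AND the user approved.
func acceptConsent(c *http.Client, base, challenge string, approved map[string]bool) (string, error) {
	u := base + "/oauth2/auth/requests/consent/" + url.PathEscape(challenge) // challenge comes from the browser
	var cr struct{ RequestedScope []string `json:"requested_scope"` } // assumed field name
	if err := call(c, "GET", u, "", &cr); err != nil {
		return "", err
	}
	grant := []string{}
	for _, s := range cr.RequestedScope {
		if approved[s] {
			grant = append(grant, s)
		}
	}
	body, _ := json.Marshal(map[string][]string{"grant_scope": grant}) // assumed field name
	var done struct{ RedirectTo string `json:"redirect_to"` } // assumed field name
	err := call(c, "PUT", u+"/accept", string(body), &done)
	return done.RedirectTo, err
}

// demo uses a constructed mock: one canned reply serves both calls and echoes the grant.
func demo(approved map[string]bool) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ GrantScope []string `json:"grant_scope"` }
		json.NewDecoder(r.Body).Decode(&in) // body is empty on the GET
		fmt.Fprintf(w, `{"requested_scope":["openid","files.write"],"redirect_to":"http://client.example/cb?granted=%s"}`, strings.Join(in.GrantScope, ","))
	}))
	defer srv.Close()
	return acceptConsent(srv.Client(), srv.URL, "challenge-123", approved)
}

func main() { fmt.Println(demo(map[string]bool{"openid": true})) }
```

A scope the user ticked but the client never requested (for example through a tampered form field) is dropped, because the grant is built from the server-side requested list rather than from user input.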
LoginRequest GetLoginRequest($challenge)
Get a login request
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider (sometimes called "identity provider") to authenticate the user and then tell ORY Hydra about it. The login provider is a web app you write and host, and it must be able to authenticate ("show the user a login screen") a user (in OAuth2 the proper name for user is "resource owner"). The authentication challenge is appended to the login provider URL, to which the user's user-agent (browser) is redirected. The login provider uses that challenge to fetch information on the OAuth2 request and then accepts or rejects the requested authentication process.
Name | Type | Description | Notes |
---|---|---|---|
challenge | string | | |
No authorization required
- Content-Type: application/json
- Accept: application/json
OAuth2Client GetOAuth2Client($id)
Get an OAuth 2.0 Client.
Get an OAuth 2.0 client by its ID. This endpoint never returns passwords. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Name | Type | Description | Notes |
---|---|---|---|
id | string | The id of the OAuth 2.0 Client. |
No authorization required
- Content-Type: application/json
- Accept: application/json
WellKnown GetWellKnown()
Server well known configuration
The well-known endpoint can be used to retrieve information for OpenID Connect clients. We encourage you not to roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more about this flow at https://openid.net/specs/openid-connect-discovery-1_0.html
This endpoint does not need any parameter.
No authorization required
- Content-Type: application/json, application/x-www-form-urlencoded
- Accept: application/json
OAuth2TokenIntrospection IntrospectOAuth2Token($token, $scope)
Introspect OAuth2 tokens
The introspection endpoint lets you check whether a token (both refresh and access) is active. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting accessTokenExtra during the consent flow.
Name | Type | Description | Notes |
---|---|---|---|
token | string | The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. This endpoint DOES NOT accept refresh tokens for validation. | |
scope | string | An optional, space separated list of required scopes. If the access token was not granted one of the scopes, the result of active will be false. | [optional] |
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
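How a resource server can call this endpoint and fail closed, as an added Go example (not code from ORY Hydra or its SDK). The mock server, the token `good-token` and the scopes `read` and `write` are constructed; the `http.Client` passed in is assumed to add whatever credentials your deployment requires for this endpoint.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

var ErrInactive = errors.New("token inactive or missing a required scope")

// introspect POSTs token and required scopes to /oauth2/introspect and fails closed:
// transport errors, non-200 replies, bad JSON and active=false all return an error.
func introspect(c *http.Client, base, token string, scopes ...string) error {
	form := url.Values{"token": {token}}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " ")) // space-separated list
	}
	resp, err := c.PostForm(base+"/oauth2/introspect", form)
	if err != nil {
		return fmt.Errorf("introspection unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("introspection returned HTTP %d", resp.StatusCode)
	}
	var out struct{ Active bool `json:"active"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return fmt.Errorf("bad introspection response: %w", err)
	}
	if !out.Active {
		return ErrInactive
	}
	return nil
}

// mockIntrospection is a constructed stand-in for Hydra: it knows one token,
// "good-token", granted only the scope "read"; other paths return 404.
func mockIntrospection() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/introspect", func(w http.ResponseWriter, r *http.Request) {
		active := r.PostFormValue("token") == "good-token"
		for _, s := range strings.Fields(r.PostFormValue("scope")) {
			active = active && s == "read"
		}
		json.NewEncoder(w).Encode(map[string]bool{"active": active})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := mockIntrospection()
	defer srv.Close()
	fmt.Println(introspect(srv.Client(), srv.URL, "good-token", "read"))
	fmt.Println(introspect(srv.Client(), srv.URL, "good-token", "write"))
}
```

Passing the required scopes in the request lets the server decide; a caller that only checks for HTTP 200 and ignores `active` would accept expired or revoked tokens.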
[]OAuth2Client ListOAuth2Clients($limit, $offset)
List OAuth 2.0 Clients
This endpoint lists all clients in the database, and never returns client secrets. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Name | Type | Description | Notes |
---|---|---|---|
limit | int64 | The maximum amount of policies returned. | [optional] |
offset | int64 | The offset from where to start looking. | [optional] |
No authorization required
- Content-Type: application/json
- Accept: application/json
OauthAuth()
The OAuth 2.0 authorize endpoint
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exist. To learn more about this flow, please refer to the specification: https://tools.ietf.org/html/rfc6749
This endpoint does not need any parameter.
void (empty response body)
No authorization required
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
OauthTokenResponse OauthToken()
The OAuth 2.0 token endpoint
This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exist. To learn more about this flow, please refer to the specification: https://tools.ietf.org/html/rfc6749
This endpoint does not need any parameter.
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
CompletedRequest RejectConsentRequest($challenge, $body)
Reject a consent request
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider to authenticate the user and then tell ORY Hydra about it. If the user authenticated, he/she must now be asked whether the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the user's behalf. The consent provider, which handles this request, is a web app implemented and hosted by you. It shows a user interface which asks the user to grant or deny the client access to the requested scope ("Application my-dropbox-app wants write access to all your private files"). The consent challenge is appended to the consent provider's URL, to which the user's user-agent (browser) is redirected. The consent provider uses that challenge to fetch information on the OAuth2 request and then tells ORY Hydra whether the user accepted or rejected the request.
This endpoint tells ORY Hydra that the user has not authorized the OAuth 2.0 client to access resources on his/her behalf. The consent provider must include a reason why the consent was not granted. The response contains a redirect URL to which the consent provider should redirect the user-agent.
Name | Type | Description | Notes |
---|---|---|---|
challenge | string | | |
body | RejectRequest | | [optional] |
No authorization required
- Content-Type: application/json
- Accept: application/json
CompletedRequest RejectLoginRequest($challenge, $body)
Reject a login request
When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, ORY Hydra asks the login provider (sometimes called "identity provider") to authenticate the user and then tell ORY Hydra about it. The login provider is a web app you write and host, and it must be able to authenticate ("show the user a login screen") a user (in OAuth2 the proper name for user is "resource owner"). The authentication challenge is appended to the login provider URL, to which the user's user-agent (browser) is redirected. The login provider uses that challenge to fetch information on the OAuth2 request and then accepts or rejects the requested authentication process.
This endpoint tells ORY Hydra that the user has not authenticated and includes a reason why the authentication was denied. The response contains a redirect URL to which the login provider should redirect the user-agent.
Name | Type | Description | Notes |
---|---|---|---|
challenge | string | | |
body | RejectRequest | | [optional] |
No authorization required
- Content-Type: application/json
- Accept: application/json
RevokeOAuth2Token($token)
Revoke OAuth2 tokens
Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it.
Name | Type | Description | Notes |
---|---|---|---|
token | string |
void (empty response body)
- Content-Type: application/x-www-form-urlencoded
- Accept: application/json
OAuth2Client UpdateOAuth2Client($id, $body)
Update an OAuth 2.0 Client
Update an existing OAuth 2.0 Client. If you pass client_secret, the secret will be updated and returned via the API. This is the only time you will be able to retrieve the client secret, so write it down and keep it safe. OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. To manage ORY Hydra, you will need an OAuth 2.0 Client as well. Make sure that this endpoint is well protected and only callable by first-party components.
Name | Type | Description | Notes |
---|---|---|---|
id | string | | |
body | OAuth2Client | | |
No authorization required
- Content-Type: application/json
- Accept: application/json
UserinfoResponse Userinfo()
OpenID Connect Userinfo
This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 access token. The endpoint implements http://openid.net/specs/openid-connect-core-1_0.html#UserInfo .
This endpoint does not need any parameter.
- Content-Type: application/json, application/x-www-form-urlencoded
- Accept: application/json
JsonWebKeySet WellKnown()
Get Well-Known JSON Web Keys
Returns metadata for discovering important JSON Web Keys. Currently, this endpoint returns the public key for verifying OpenID Connect ID Tokens. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
This endpoint does not need any parameter.
No authorization required
- Content-Type: application/json
- Accept: application/json