oxAuthSwagger.yaml

# raw swagger spec link:
# https://raw.githubusercontent.com/GluuFederation/oxAuth/master/docs/oxAuthSwagger.yaml
# https://gluu.org/swagger-ui/?url=https://raw.githubusercontent.com/GluuFederation/oxAuth/master/docs/oxAuthSwagger.yaml
openapi: 3.0.1
info:
  title: oxAuth
  description: oxAuth - OAuth 2.0 server; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
  contact:
    email: yuriyz@gluu.org
  license:
    name: License
    url: https://github.com/GluuFederation/oxAuth/blob/master/LICENSE
  version: "4.2"
servers:

  # Added by API Auto Mocking Plugin
  - description: SwaggerHub API Auto Mocking
    url: https://virtserver.swaggerhub.com/yuriyz1/oxauth/4.2
  - url: https://gluu.org/
tags:
  - name: developers
    description: oxAuth is an open source OpenID Connect Provider (OP) and UMA Authorization Server (AS). The project also includes OpenID Connect Client code which can be used by websites to validate tokens.oxAuth currently implements all required aspects of the OpenID Connect stack, including an OAuth 2.0 authorization server, Simple Web Discovery, Dynamic Client Registration, JSON Web Tokens, JSON Web Keys, and User Info Endpoint.oxAuth is tightly coupled with oxTrust.

paths:
  /authorize:
    get:
      tags:
        - Authorization
      summary: The Authorization Endpoint performs Authentication of the End-User.
      description: End-User Authentication and Authorization done by sending the User Agent to the Authorization Endpoint using request parameters defined by OAuth 2.0 and OpenID Connect.
      operationId: get_authorize
      parameters:
        - name: scope
          in: query
          required: true
          description: OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present.
          schema:
            type: string
        - name: response_type
          in: query
          required: true
          description: OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used.
          schema:
            type: string
        - name: client_id
          in: query
          required: true
          description: OAuth 2.0 Client Identifier valid at the Authorization Server.
          schema:
            type: string
        - name: redirect_uri
          in: query
          required: true
          description: Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
          schema:
            type: string
        - name: state
          in: query
          required: false
          description: Opaque value used to maintain state between the request and the callback.
          schema:
            type: string
        - name: response_mode
          in: query
          required: false
          description: Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.
          schema:
            type: string
        - name: nonce
          in: query
          required: false
          description: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
          schema:
            type: string
        - name: display
          in: query
          required: false
          description: ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
          schema:
            type: string
        - name: prompt
          in: query
          required: false
          description: Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are - none, login, consent, select_account.
          schema:
            type: string
        - name: max_age
          in: query
          required: false
          description: Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
          schema:
            type: integer
        - name: ui_locales
          in: query
          required: false
          description: End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
          #example: \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation).
          schema:
            type: string
        - name: id_token_hint
          in: query
          required: false
          description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response.
          schema:
            type: string
        - name: login_hint
          in: query
          required: false
          description: Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
          schema:
            type: string
        - name: acr_values
          in: query
          required: false
          description: Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
          schema:
            type: string
        - name: amr_values
          in: query
          required: false
          description: AMR Values.
          schema:
            type: string
        - name: request
          in: query
          required: false
          description: This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value. It represents the request as a JWT whose Claims are the request parameters.
          schema:
            type: string
        - name: request_uri
          in: query
          required: false
          description: This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.
          schema:
            type: string
        - name: request_session_id
          in: query
          required: false
          description: Request session id.
          schema:
            type: string
        - name: session_id
          in: query
          required: false
          description: Session id of this call.
          schema:
            type: string
        - name: origin_headers
          in: query
          required: false
          description: Origin headers. Used in custom workflows.
          schema:
            type: string
        - name: code_challenge
          in: query
          required: false
          description: PKCE code challenge.
          schema:
            type: string
        - name: code_challenge_method
          in: query
          required: false
          description: PKCE code challenge method.
          schema:
            type: string
        - name: custom_response_headers
          in: query
          required: false
          description: Custom Response Headers.
          schema:
            type: string
        - name: claims
          in: query
          required: false
          description: Requested Claims.
          schema:
            type: string
        - name: auth_req_id
          in: query
          required: false
          description: CIBA authentication request Id.
          schema:
            type: string
      responses:
        200:
          description: OK
          content: {}
        302:
          description: Error codes for authorization endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        400:
          $ref: '#/components/responses/InvalidRequest'
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
    post:
      tags:
        - Authorization
      summary: The Authorization Endpoint performs Authentication of the End-User.
      description: End-User Authentication and Authorization done by sending the User Agent to the Authorization Endpoint using request parameters defined by OAuth 2.0 and OpenID Connect.
      operationId: post_authorize
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - scope
                - response_type
                - client_id
                - redirect_uri
              properties:
                scope:
                  type: string
                  description: OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present.
                response_type:
                  type: string
                  description: OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used.
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                redirect_uri:
                  type: string
                  description: Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
                state:
                  type: string
                  description: Opaque value used to maintain state between the request and the callback.
                response_mode:
                  type: string
                  description: Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.
                nonce:
                  type: string
                  description: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
                display:
                  type: string
                  description: ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
                prompt:
                  type: string
                  description: Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
                max_age:
                  type: integer
                  description: Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
                ui_locales:
                  type: string
                  description: End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
                  example: \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation).
                id_token_hint:
                  type: string
                  description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response.
                login_hint:
                  type: string
                  description: Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
                acr_values:
                  type: string
                  description: Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
                amr_values:
                  type: string
                  description: AMR Values.
                request:
                  type: string
                  description: This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value. It represents the request as a JWT whose Claims are the request parameters.
                request_uri:
                  type: string
                  description: This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.
                request_session_id:
                  type: string
                  description: Request session id.
                session_id:
                  type: string
                  description: Session id of this call.
                origin_headers:
                  type: string
                  description: Origin headers. Used in custom workflows.
                code_challenge:
                  type: string
                  description: PKCE code challenge.
                code_challenge_method:
                  type: string
                  description: PKCE code challenge method.
                custom_response_headers:
                  type: string
                  description: Custom Response Headers.
                claims:
                  type: string
                  description: Requested Claims.
      responses:
        200:
          description: OK
          content: {}
        302:
          description: Error codes for authorization endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        400:
          $ref: '#/components/responses/InvalidRequest'
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
  /bc-authorize:
    post:
      tags:
        - Authorization
      summary: Performs backchannel authorization of the end-user.
      description: The Backchannel Authentication Endpoint is used to initiate an out-of-band authentication of the end-user.
      operationId: bc-authorize
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - client_id
                - scope
                - client_notification_token
              properties:
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                scope:
                  type: string
                  description: CIBA authentication requests must contain the openid scope value.
                client_notification_token:
                  type: string
                  description: It is a bearer token provided by the Client that will be used by the OpenID Provider to authenticate the callback request to the Client. It is required if the Client is registered to use Ping or Push modes.
                acr_values:
                  type: string
                  description: Requested Authentication Context Class Reference values.
                login_hint_token:
                  type: string
                  description: A token containing information identifying the end-user for whom authentication is being requested.
                id_token_hint:
                  type: string
                  description: An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom authentication is being requested.
                login_hint:
                  type: string
                  description: A hint to the OpenID Provider regarding the end-user for whom authentication is being requested.
                binding_message:
                  type: string
                  description: A human readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them together for the transaction by way of a visual cue for the end-user.
                user_code:
                  type: string
                  description: A secret code, such as password or pin, known only to the user but verifiable by the OP.
                requested_expiry:
                  type: integer
                  description: A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return.
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: Backchannel Authorization
                required:
                  - AUTH_REQ_ID
                  - EXPIRES_IN
                  - INTERVAL
                type: object
                properties:
                  AUTH_REQ_ID:
                    type: string
                  EXPIRES_IN:
                    type: integer
                  INTERVAL:
                    type: integer
        400:
          $ref: '#/components/responses/InvalidRequest'
        401:
          description: Unauthorized CIBA (Client Initiated Backchannel Authentication) access.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_scope
                      - expired_login_hint_token
                      - unknown_user_id
                      - unauthorized_client
                      - missing_user_code
                      - invalid_user_code
                      - invalid_binding_message
                      - invalid_client
                      - unauthorized_end_user_device
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
  /bc-deviceRegistration:
    post:
      tags:
        - Registration
      summary: Performs backchannel device registration.
      description: Performs backchannel device registration.
      operationId: bc-deviceRegistration
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - id_token_hint
                - device_registration_token
              properties:
                id_token_hint:
                  type: string
                  description: An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom the device registration is being requested.
                device_registration_token:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Serve
      responses:
        200:
          description: OK
          content: {}
        400:
          description: Invalid parameters are provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_scope
                      - expired_login_hint_token
                      - unknown_user_id
                      - unauthorized_client
                      - missing_user_code
                      - invalid_user_code
                      - invalid_binding_message
                      - invalid_client
                      - unauthorized_end_user_device
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
  /clientinfo:
    get:
      tags:
        - Client Info
      summary: To get Claims details about the registered client.
      description: The ClientInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the registered client.
      operationId: get_clientinfo
      parameters:
        - name: access_token
          in: query
          schema:
            type: string
            description: Client-specific access token.
        - name: Authorization
          in: header
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: ClientInfoResponse
                description: Client details in response.
                type: object
                properties:
                  displayName:
                    type: string
                  inum:
                    type: string
                    description: XRI i-number
                  oxAuthAppType:
                    type: string
                    description: oxAuth Appication type
                  oxAuthIdTokenSignedResponseAlg:
                    type: string
                    description: oxAuth ID Token Signed Response Algorithm
                  oxAuthRedirectURI:
                    type: array
                    description: Array of redirect URIs values used in the Authorization
                    items:
                      type: string
                  oxId:
                    type: string
                    example:
                    description: oxAuth Attribute Scope Id
                  custom_attributes:
                    type: array
                    items:
                      type: string
        400:
          description: Invalid Request are provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - Client Info
      summary: To get Claims details about the registered client.
      description: The ClientInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the registered client.
      operationId: post_clientinfo
      parameters:
        - name: Authorization
          in: header
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - access_token
              properties:
                access_token:
                  type: string
                  description: Client-specific access token.
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: ClientInfoResponse
                description: Client details in response.
                type: object
                properties:
                  displayName:
                    type: string
                  inum:
                    type: string
                    description: XRI i-number
                  oxAuthAppType:
                    type: string
                    description: oxAuth Appication type
                  oxAuthIdTokenSignedResponseAlg:
                    type: string
                    description: oxAuth ID Token Signed Response Algorithm
                  oxAuthRedirectURI:
                    type: array
                    description: Array of redirect URIs values used in the Authorization
                    items:
                      type: string
                  oxId:
                    type: string
                    example:
                    description: oxAuth Attribute Scope Id
                  custom_attributes:
                    type: array
                    items:
                      type: string
        400:
          description: Invalid Request are provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
  /.well-known/gluu-configuration:
    post:
      tags:
        - Server Configuration
      summary:  Gets GluuServer configuration data that contains non-standard OpenID Connect discovery metadata.
      description: Gets GluuServer configuration data that contains non-standard OpenID Connect discovery metadata.
      operationId: well-known-gluu-configuration
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: GluuConfigurationResponse
                description: Client GluuAttribute by Dn(Distinguished Name) based on Authorization Scope.
                required:
                  - id_generation_endpoint
                  - introspection_endpoint
                type: object
                properties:
                  id_generation_endpoint:
                    type: string
                  introspection_endpoint:
                    type: string
                  auth_level_mapping:
                    type: object
                    additionalProperties:
                      type: string
                      description: Additional Custom Acr's map object
                  scope_to_claims_mapping:
                    type: object
                    additionalProperties:
                      type: string
                      description: Scope map object
        500:
          $ref: '#/components/responses/InternalServerError'
  /introspection:
    get:
      tags:
        - Token
      summary: The Introspection OAuth 2 Endpoint.
      description: The Introspection OAuth 2 Endpoint.
      operationId: get-introspection
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
          example: Bearer 23410913-abewfq.123483
        - name: token
          in: query
          required: true
          schema:
            type: string
          example: token=2YotnFZFEjr1zCsicMWpAA
        - name: token_type_hint
          in: query
          description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User.
          schema:
            type: string
        - name: response_as_jwt
          in: query
          description: OPTIONAL. Boolean value with default value false. If true, returns introspection response as JWT (signed based on client configuration used for authentication to Introspection Endpoint).
          schema:
            type: boolean
          example: response_as_jwt=false
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: IntrospectionResponse
                description: meta-information about token
                required:
                  - active
                type: object
                properties:
                  active:
                    type: boolean
                    description: Boolean indicator of whether or not the presented token is currently active.
                    example: true
                  scope:
                    type: array
                    description: Provide list of scopes to which access was granted for this resource.
                    example:
                      - read write dolphin
                    items:
                      type: string
                  client_id:
                    type: string
                    description:  Client identifier for the OAuth 2.0 client that requested this token.
                    example: 1238j323ds-23ij4
                  username:
                    type: string
                    description: Human-readable identifier for the resource owner who authorized this token.
                    example: jdoe
                  token_type:
                    type: string
                    description: Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].
                    example: bearer, mac
                  exp:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire.
                  iat:
                    type: integer
                    example: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued.
                  sub:
                    type: string
                    description: Subject of the token, as defined in JWT [RFC7519].
                    example: Z5O3upPC88QrAjx00dis
                  aud:
                    type: string
                    description: Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
                    example: https://protected.example.net/resource
                  iss:
                    type: string
                    description: String representing the issuer of this token, as defined in JWT [RFC7519].
                    example: https://server.example.com/
                  acr_values:
                    type: string
                    description: Authentication Context Class Reference values.
                  jti:
                    type: string
                    description: String identifier for the token, as defined in JWT.

        400:
          description: Error codes for introspection endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
    post:
      tags:
        - Token
      summary: The Introspection OAuth 2 Endpoint.
      description: The Introspection OAuth 2 Endpoint.
      operationId: post-introspection
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
          example: Bearer 23410913-abewfq.123483
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: Client access token.
                  example: token=2YotnFZFEjr1zCsicMWpAA
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: IntrospectionResponse
                description: meta-information about token
                required:
                  - active
                type: object
                properties:
                  active:
                    type: boolean
                    description: Boolean indicator of whether or not the presented token is currently active.
                    example: true
                  scope:
                    type: array
                    description: Provide list of scopes to which access was granted for this resource.
                    example:
                      - read write dolphin
                    items:
                      type: string
                  client_id:
                    type: string
                    description:  Client identifier for the OAuth 2.0 client that requested this token.
                    example: 1238j323ds-23ij4
                  username:
                    type: string
                    description: Human-readable identifier for the resource owner who authorized this token.
                    example: jdoe
                  token_type:
                    type: string
                    description: Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].
                    example: bearer, mac
                  exp:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission will expire.
                  iat:
                    type: integer
                    example: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued.
                  sub:
                    type: string
                    description: Subject of the token, as defined in JWT [RFC7519].
                    example: Z5O3upPC88QrAjx00dis
                  aud:
                    type: string
                    description: Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
                    example: https://protected.example.net/resource
                  iss:
                    type: string
                    description: String representing the issuer of this token, as defined in JWT [RFC7519].
                    example: https://server.example.com/
                  acr_values:
                    type: string
                    description: Authentication Context Class Reference values.
                  jti:
                    type: string
                    description: String identifier for the token, as defined in JWT.
        400:
          description: Error codes for introspection endpoint.
          content:
            application/json:
              schema:
                title: AuthorizeError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                      - unauthorized_client
                      - disabled_client
                      - access_denied
                      - retry
                      - unsupported_response_type
                      - invalid_scope
                      - server_error
                      - temporarily_unavailable
                      - invalid_request_redirect_uri
                      - login_required
                      - session_selection_required
                      - consent_required
                      - user_mismatched
                      - invalid_request_uri
                      - invalid_request_object
                      - authentication_session_invalid
                      - invalid_authentication_method
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
  /jwks:
    get:
      tags:
        - JWK - JSON Web Key Set (JWKs)
      summary: A JSON Web Key (JWK) used by server. JWK is a JSON data structure that represents a set of public keys as a JSON object [RFC4627].
      description: Provides list of JWK used by server.
      operationId: jwks
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: WebKeysConfiguration
                required:
                  - keys
                type: object
                description: JSON Web Key Set (JWKS) - A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs.
                properties:
                  keys:
                    type: array
                    description: List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
                    items:
                      $ref: '#/components/schemas/JsonWebKey'
        500:
          $ref: '#/components/responses/InternalServerError'
  /register:
    post:
      tags:
        - Registration
      summary: Registers new client dynamically.
      description: The Client Registration Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested.
      operationId: post-register
      requestBody:
        content:
          application/json:
            schema:
              title: RegisterParams
              required:
                - redirect_uris
              type: object
              properties:
                redirect_uris:
                  type: array
                  description: Redirection URI values used by the Client. One of these registered Redirection URI values must exactly match
                    the redirect_uri parameter value used in each Authorization Request
                  items:
                    type: string
                  example:
                    - https://client.example.org/cb
                claims_redirect_uri:
                  type: array
                  description: Array of The Claims Redirect URIs to which the client wishes the authorization server to direct
                    the requesting party's user agent after completing its interaction.
                  items:
                    type: string
                response_types:
                  type: array
                  description: A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using.
                    If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token.
                  items:
                    type: string
                grant_types:
                  type: array
                  description: A list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using.
                  items:
                    type: string
                contacts:
                  type: array
                  description: e-mail addresses of people responsible for this Client.
                  items:
                    type: string
                client_name:
                  type: string
                  description: Name of the Client to be presented to the user.
                logo_uri:
                  type: string
                  description: URL that references a logo for the Client application
                client_uri:
                  type: string
                  description: URL of the home page of the Client. The value of this field must point to a valid Web page.
                policy_uri:
                  type: string
                  description: URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
                tos_uri:
                  type: string
                  description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
                jwks_uri:
                  type: string
                  description: URL for the Client's JSON Web Key Set (JWK) document containing key(s) that are used for signing requests
                    to the OP. The JWK Set may also contain the Client's encryption
                    keys(s) that are used by the OP to encrypt the responses to the
                    Client. When both signing and encryption keys are made available,
                    a use (Key Use) parameter value is required for all keys in the
                    document to indicate each key's intended usage .
                jwks:
                  type: array
                  description: List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
                  items:
                    $ref: '#/components/schemas/JsonWebKey'
                  example: '{ "keys" : [ { "e" : "AQAB", "n" : "gmlDX_mgMcHX.." ] }'
                sector_identifier_uri:
                  type: string
                  description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.
                subject_type:
                  type: string
                  description: Subject type requested for the Client ID. Valid types include pairwise and public.
                rpt_as_jwt:
                  type: boolean
                  description: Specifies whether RPT should be return as signed JWT.
                access_token_as_jwt:
                  type: boolean
                  description: Specifies whether access token as signed JWT.
                access_token_signing_alg:
                  type: string
                  description: Specifies signing algorithm that has to be used during JWT signing. If it's not specified,
                    then the default OP signing algorithm will be used .
                id_token_signed_response_alg:
                  type: string
                  description: JWS alg algorithm (JWA) required for signing the ID Token issued to this Client.
                id_token_encrypted_response_alg:
                  type: string
                  description: JWE alg algorithm (JWA) required for encrypting the ID Token issued to this Client.
                id_token_encrypted_response_enc:
                  type: string
                  description: JWE enc algorithm (JWA) required for encrypting the ID Token issued to this Client.
                userinfo_signed_response_alg:
                  type: string
                  description: JWS alg algorithm (JWA) required for signing UserInfo Responses.
                userinfo_encrypted_response_alg:
                  type: string
                  description: JWE alg algorithm (JWA) required for encrypting UserInfo Responses.
                userinfo_encrypted_response_enc:
                  type: string
                  description: JWE enc algorithm (JWA) required for encrypting UserInfo Responses.
                request_object_signing_alg:
                  type: string
                  description: JWS alg algorithm (JWA) that must be used for signing Request Objects sent to the OP.
                request_object_encryption_alg:
                  type: string
                  description: JWE alg algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                request_object_encryption_enc:
                  type: string
                  description: JWE enc algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                token_endpoint_auth_method:
                  type: string
                  description: Requested Client Authentication method for the Token Endpoint.
                token_endpoint_auth_signing_alg:
                  type: string
                  description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint
                    for the private_key_jwt and client_secret_jwt authentication methods.
                default_max_age:
                  type: integer
                  description: Specifies the Default Maximum Authentication Age.
                  example: 1000000
                require_auth_time:
                  type: boolean
                  description: Boolean value specifying whether the auth_time Claim in the ID Token is required. It is required when the value is true.
                default_acr_values:
                  type: array
                  description: Array of default requested Authentication Context Class Reference values that the Authorization Server must use for
                    processing requests from the Client.
                  items:
                    type: string
                initiate_login_uri:
                  type: string
                  description: Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client.
                post_logout_redirect_uris:
                  type: array
                  description: Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been
                    performed.
                  example:
                    - https://client.example.org/logout/page1
                    - https://client.example.org/logout/page2
                    - https://client.example.org/logout/page3
                  items:
                    type: string
                frontchannel_logout_uri:
                  type: string
                  description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP.
                frontchannel_logout_session_required:
                  type: boolean
                  description: Boolean value specifying whether the RP requires that a session ID query parameter be included
                    to identify the RP session at the OP when the logout_uri is used. If omitted, the default value is false.
                backchannel_logout_uri:
                  type: string
                  description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
                backchannel_logout_session_required:
                  type: boolean
                  description: Boolean value specifying whether the RP requires that a session ID Claim be included in the Logout Token
                    to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.
                request_uris:
                  type: array
                  description: Provide a list of request_uri values that are pre-registered by the Client for use at the Authorization Server.
                  items:
                    type: string
                scopes:
                  type: string
                  deprecated: true
                  description: This param will be removed in a future version because the correct is 'scope' not 'scopes', see (rfc7591).
                claims:
                  type: string
                  description: String containing a space-separated list of claims that can be requested individually.
                id_token_token_binding_cnf:
                  type: string
                  description: Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects
                    when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party
                    supports Token Binding of ID Tokens.
                    If omitted, the default is that the Relying Party does not support Token Binding of ID Tokens.
                tls_client_auth_subject_dn:
                  type: string
                  description: An string representation of the expected subject distinguished name of the certificate,
                    which the OAuth client will use in mutual TLS authentication.
                allow_spontaneous_scopes:
                  type: boolean
                  description: Specifies whether to allow spontaneous scopes for client. The default value is false.
                  example: false
                spontaneous_scopes:
                  type: array
                  description: List of spontaneous scopes
                  items:
                    type: string
                run_introspection_script_before_access_token_as_jwt_creation_and_include_claims:
                  type: boolean
                  description: Boolean value with default value false. If true and access_token_as_jwt=true then run introspection script
                    and transfer claims into JWT.
                keep_client_authorization_after_expiration:
                  type: boolean
                  description: Boolean value indicating if the client authorization will not be removed afer expiration
                    (expiration date is same as client's expiration that created it). The default value is false.
                scope:
                  type: array
                  description: Provide list of scope which are used during authentication to authorize access to resource.
                  example:
                    - openid
                  items:
                    type: string
                authorized_origins:
                  type: array
                  description: specifies authorized JavaScript origins.
                  items:
                    type: string
                access_token_lifetime:
                  type: integer
                  description: Specifies the Client-specific access token expiration.
                  example: 100000000
                software_id:
                  type: string
                  description: Specifies a unique identifier string (UUID) assigned
                    by the client developer or software publisher used by registration
                    endpoints to identify the client software to be dynamically registered.
                  example: 4NRB1-0XZABZI9E6-5SM3R
                software_version:
                  type: string
                  description: Specifies a version identifier string for the client
                    software identified by 'software_id'. The value of the 'software_version'
                    should change on any update to the client software identified
                    by the same 'software_id'.
                  example: "2.1"
                software_statement:
                  type: string
                  description: specifies a software statement containing client metadata
                    values about the client software as claims. This is a string value
                    containing the entire signed JWT.
                backchannel_token_delivery_mode:
                  type: string
                  description: specifies how backchannel token will be deliveried.
                  example: push, poll, ping
                backchannel_client_notification_endpoint:
                  type: string
                  description: Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens.
                backchannel_authentication_request_signing_alg:
                  type: string
                  description: The JWS algorithm alg value that the Client will use for signing authentication request, as described in Section 7.1.1. of OAuth 2.0 [RFC6749]. When omitted, the Client will not send signed authentication requests.
                backchannel_user_code_parameter:
                  type: boolean
                  description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false.
                additional_audience:
                  type: array
                  description: Additional audiences.
                  items:
                    type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: RegisterResponseParam
                type: object
                required:
                  - client_id
                properties:
                  client_id:
                    type: string
                    description: Unique Client Identifier. It MUST NOT be currently valid for any other registered Client.
                  client_secret:
                    type: string
                    description: This value is used by Confidential Clients to authenticate to the Token Endpoint
                  registration_access_token:
                    type: string
                    description: Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent
                      operations upon the Client registration.
                  registration_client_uri:
                    type: string
                    description: Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration.
                  client_id_issued_at:
                    type: integer
                    description: Time at which the Client Identifier was issued.
                  client_secret_expires_at:
                    type: integer
                    description: Time at which the client_secret will expire or 0 if it will not expire.
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_redirect_uri
                      - invalid_claims_redirect_uri
                      - invalid_client_metadata
                      - invalid_token
                      - invalid_logout_uri
                      - invalid_software_statement
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
    put:
      tags:
        - Registration
      summary: Updates Client Metadata for a registered client.
      description: Updates Client Metadata for a registered client.
      operationId: put-register
      parameters:
        - name: client_id
          in: query
          required: true
          description: Client ID that identifies client that must be updated by this request.
          schema:
            type: string
        - name: Authorization
          in: header
          required: true
          description: Authorization header carrying \"registration_access_token\" issued before as a Bearer token
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              title: RegisterParams
              required:
                - redirect_uris
              type: object
              properties:
                redirect_uris:
                  type: array
                  description: Redirection URI values used by the Client. One of these registered Redirection URI values must exactly match
                    the redirect_uri parameter value used in each Authorization Request
                  items:
                    type: string
                  example:
                    - https://client.example.org/cb
                claims_redirect_uri:
                  type: array
                  description: Array of The Claims Redirect URIs to which the client wishes the authorization server to direct
                    the requesting party's user agent after completing its interaction.
                  items:
                    type: string
                response_types:
                  type: array
                  description: A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using.
                    If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token.
                  items:
                    type: string
                grant_types:
                  type: array
                  description: A list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using.
                  items:
                    type: string
                contacts:
                  type: array
                  description: e-mail addresses of people responsible for this Client.
                  items:
                    type: string
                client_name:
                  type: string
                  description: Name of the Client to be presented to the user.
                logo_uri:
                  type: string
                  description: URL that references a logo for the Client application
                client_uri:
                  type: string
                  description: URL of the home page of the Client. The value of this field must point to a valid Web page.
                policy_uri:
                  type: string
                  description: URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
                tos_uri:
                  type: string
                  description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
                jwks_uri:
                  type: string
                  description: URL for the Client's JSON Web Key Set (JWK) document containing key(s) that are used for signing requests
                    to the OP. The JWK Set may also contain the Client's encryption
                    keys(s) that are used by the OP to encrypt the responses to the
                    Client. When both signing and encryption keys are made available,
                    a use (Key Use) parameter value is required for all keys in the
                    document to indicate each key's intended usage .
                jwks:
                  type: array
                  description: List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
                  items:
                    $ref: '#/components/schemas/JsonWebKey'
                    example: '{ "keys" : [ { "e" : "AQAB", "n" : "gmlDX_mgMcHX.." ] }'
                sector_identifier_uri:
                  type: string
                  description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.
                subject_type:
                  type: string
                  description: Subject type requested for the Client ID. Valid types include pairwise and public.
                rpt_as_jwt:
                  type: boolean
                  description: Specifies whether RPT should be return as signed JWT.
                access_token_as_jwt:
                  type: boolean
                  description: Specifies whether access token as signed JWT.
                access_token_signing_alg:
                  type: string
                  description: Specifies signing algorithm that has to be used during JWT signing. If it's not specified,
                    then the default OP signing algorithm will be used .
                id_token_signed_response_alg:
                  type: string
                  description: JWS alg algorithm (JWA) required for signing the ID Token issued to this Client.
                id_token_encrypted_response_alg:
                  type: string
                  description: JWE alg algorithm (JWA) required for encrypting the ID Token issued to this Client.
                id_token_encrypted_response_enc:
                  type: string
                  description: JWE enc algorithm (JWA) required for encrypting the ID Token issued to this Client.
                userinfo_signed_response_alg:
                  type: string
                  description: JWS alg algorithm (JWA) required for signing UserInfo Responses.
                userinfo_encrypted_response_alg:
                  type: string
                  description: JWE alg algorithm (JWA) required for encrypting UserInfo Responses.
                userinfo_encrypted_response_enc:
                  type: string
                  description: JWE enc algorithm (JWA) required for encrypting UserInfo Responses.
                request_object_signing_alg:
                  type: string
                  description: JWS alg algorithm (JWA) that must be used for signing Request Objects sent to the OP.
                request_object_encryption_alg:
                  type: string
                  description: JWE alg algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                request_object_encryption_enc:
                  type: string
                  description: JWE enc algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                token_endpoint_auth_method:
                  type: string
                  description: Requested Client Authentication method for the Token Endpoint.
                token_endpoint_auth_signing_alg:
                  type: string
                  description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint
                    for the private_key_jwt and client_secret_jwt authentication methods.
                default_max_age:
                  type: integer
                  description: Specifies the Default Maximum Authentication Age.
                  example: 1000000
                require_auth_time:
                  type: boolean
                  description: Boolean value specifying whether the auth_time Claim in the ID Token is required. It is required when the value is true.
                default_acr_values:
                  type: array
                  description: Array of default requested Authentication Context Class Reference values that the Authorization Server must use for
                    processing requests from the Client.
                  items:
                    type: string
                initiate_login_uri:
                  type: string
                  description: Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client.
                post_logout_redirect_uris:
                  type: array
                  description: Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been
                    performed.
                  example:
                    - https://client.example.org/logout/page1
                    - https://client.example.org/logout/page2
                    - https://client.example.org/logout/page3
                  items:
                    type: string
                frontchannel_logout_uri:
                  type: string
                  description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP.
                frontchannel_logout_session_required:
                  type: boolean
                  description: Boolean value specifying whether the RP requires that a session ID query parameter be included
                    to identify the RP session at the OP when the logout_uri is used. If omitted, the default value is false.
                backchannel_logout_uri:
                  type: string
                  description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
                backchannel_logout_session_required:
                  type: boolean
                  description: Boolean value specifying whether the RP requires that a session ID Claim be included in the Logout Token
                    to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.
                request_uris:
                  type: array
                  description: Provide a list of request_uri values that are pre-registered by the Client for use at the Authorization Server.
                  items:
                    type: string
                scopes:
                  type: string
                  deprecated: true
                  description: This param will be removed in a future version because the correct is 'scope' not 'scopes', see (rfc7591).
                claims:
                  type: string
                  description: String containing a space-separated list of claims that can be requested individually.
                id_token_token_binding_cnf:
                  type: string
                  description: Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects
                    when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party
                    supports Token Binding of ID Tokens.
                    If omitted, the default is that the Relying Party does not support Token Binding of ID Tokens.
                tls_client_auth_subject_dn:
                  type: string
                  description: An string representation of the expected subject distinguished name of the certificate,
                    which the OAuth client will use in mutual TLS authentication.
                allow_spontaneous_scopes:
                  type: boolean
                  description: Specifies whether to allow spontaneous scopes for client. The default value is false.
                  example: false
                spontaneous_scopes:
                  type: array
                  description: List of spontaneous scopes
                  items:
                    type: string
                run_introspection_script_before_access_token_as_jwt_creation_and_include_claims:
                  type: boolean
                  description: Boolean value with default value false. If true and access_token_as_jwt=true then run introspection script
                    and transfer claims into JWT.
                keep_client_authorization_after_expiration:
                  type: boolean
                  description: Boolean value indicating if the client authorization will not be removed afer expiration
                    (expiration date is same as client's expiration that created it). The default value is false.
                scope:
                  type: array
                  description: Provide list of scope which are used during authentication to authorize access to resource.
                  example:
                    - openid
                  items:
                    type: string
                authorized_origins:
                  type: array
                  description: specifies authorized JavaScript origins.
                  items:
                    type: string
                access_token_lifetime:
                  type: integer
                  description: Specifies the Client-specific access token expiration.
                  example: 100000000
                software_id:
                  type: string
                  description: Specifies a unique identifier string (UUID) assigned
                    by the client developer or software publisher used by registration
                    endpoints to identify the client software to be dynamically registered.
                  example: 4NRB1-0XZABZI9E6-5SM3R
                software_version:
                  type: string
                  description: Specifies a version identifier string for the client
                    software identified by 'software_id'. The value of the 'software_version'
                    should change on any update to the client software identified
                    by the same 'software_id'.
                  example: "2.1"
                software_statement:
                  type: string
                  description: specifies a software statement containing client metadata
                    values about the client software as claims. This is a string value
                    containing the entire signed JWT.
                backchannel_token_delivery_mode:
                  type: string
                  description: specifies how backchannel token will be deliveried.
                  example: push, poll, ping
                backchannel_client_notification_endpoint:
                  type: string
                  description: Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens.
                backchannel_authentication_request_signing_alg:
                  type: string
                  description: The JWS algorithm alg value that the Client will use for signing authentication request, as described in Section 7.1.1. of OAuth 2.0 [RFC6749]. When omitted, the Client will not send signed authentication requests.
                backchannel_user_code_parameter:
                  type: boolean
                  description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false.
                additional_audience:
                  type: array
                  description: Additional audiences.
                  items:
                    type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: RegisterResponseParam
                type: object
                required:
                  - client_id
                properties:
                  client_id:
                    type: string
                    description: Unique Client Identifier. It MUST NOT be currently valid for any other registered Client.
                  client_secret:
                    type: string
                    description: This value is used by Confidential Clients to authenticate to the Token Endpoint
                  registration_access_token:
                    type: string
                    description: Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent
                      operations upon the Client registration.
                  registration_client_uri:
                    type: string
                    description: Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration.
                  client_id_issued_at:
                    type: integer
                    description: Time at which the Client Identifier was issued.
                  client_secret_expires_at:
                    type: integer
                    description: Time at which the client_secret will expire or 0 if it will not expire.
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_client_metadata
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
    get:
      tags:
        - Registration
      summary: Get client information for a previously registered client.
      description: Get client information for a previously registered client.
      operationId: get-register
      parameters:
        - name: client_id
          in: query
          required: true
          description: Client ID that identifies client.
          schema:
            type: string
        - name: Authorization
          in: header
          required: true
          description: Authorization header carrying \"registration_access_token\" issued before as a Bearer token
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: ClientResponse
                type: object
                properties:
                  redirect_uris:
                    type: array
                    description: Redirection URI values used by the Client. One of these registered Redirection URI values must exactly match
                      the redirect_uri parameter value used in each Authorization Request
                    items:
                      type: string
                    example:
                      - https://client.example.org/cb
                  claims_redirect_uri:
                    type: array
                    description: Array of The Claims Redirect URIs to which the client wishes the authorization server to direct
                      the requesting party's user agent after completing its interaction.
                    items:
                      type: string
                  response_types:
                    type: array
                    description: A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using.
                      If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token.
                    items:
                      type: string
                  grant_types:
                    type: array
                    description: A list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using.
                    items:
                      type: string
                  contacts:
                    type: array
                    description: e-mail addresses of people responsible for this Client.
                    items:
                      type: string
                  client_name:
                    type: string
                    description: Name of the Client to be presented to the user.
                  logo_uri:
                    type: string
                    description: URL that references a logo for the Client application
                  client_uri:
                    type: string
                    description: URL of the home page of the Client. The value of this field must point to a valid Web page.
                  policy_uri:
                    type: string
                    description: URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.
                  tos_uri:
                    type: string
                    description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.
                  jwks_uri:
                    type: string
                    description: URL for the Client's JSON Web Key Set (JWK) document containing key(s) that are used for signing requests
                      to the OP. The JWK Set may also contain the Client's encryption
                      keys(s) that are used by the OP to encrypt the responses to the
                      Client. When both signing and encryption keys are made available,
                      a use (Key Use) parameter value is required for all keys in the
                      document to indicate each key's intended usage .
                  jwks:
                    type: string
                    description: Client's JSON Web Key Set (JWK) document, passed by
                      value. The semantics of the jwks parameter are the same as the
                      jwks_uri parameter, other than that the JWK Set is passed by value,
                      rather than by reference. This parameter is intended only to be
                      used by Clients that, for some reason, are unable to use the jwks_uri
                      parameter, for instance, by native applications that might not
                      have a location to host the contents of the JWK Set. If a Client
                      can use jwks_uri, it must not use jwks. One significant downside
                      of jwks is that it does not enable key rotation. The jwks_uri
                      and jwks parameters must not be used together.
                    example: '{"key1": "value1", "key2": "value2"}'
                  sector_identifier_uri:
                    type: string
                    description: URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.
                  subject_type:
                    type: string
                    description: Subject type requested for the Client ID. Valid types include pairwise and public.
                  rpt_as_jwt:
                    type: boolean
                    description: Specifies whether RPT should be return as signed JWT.
                  access_token_as_jwt:
                    type: boolean
                    description: Specifies whether access token as signed JWT.
                  access_token_signing_alg:
                    type: string
                    description: Specifies signing algorithm that has to be used during JWT signing. If it's not specified,
                      then the default OP signing algorithm will be used .
                  id_token_signed_response_alg:
                    type: string
                    description: JWS alg algorithm (JWA) required for signing the ID Token issued to this Client.
                  id_token_encrypted_response_alg:
                    type: string
                    description: JWE alg algorithm (JWA) required for encrypting the ID Token issued to this Client.
                  id_token_encrypted_response_enc:
                    type: string
                    description: JWE enc algorithm (JWA) required for encrypting the ID Token issued to this Client.
                  userinfo_signed_response_alg:
                    type: string
                    description: JWS alg algorithm (JWA) required for signing UserInfo Responses.
                  userinfo_encrypted_response_alg:
                    type: string
                    description: JWE alg algorithm (JWA) required for encrypting UserInfo Responses.
                  userinfo_encrypted_response_enc:
                    type: string
                    description: JWE enc algorithm (JWA) required for encrypting UserInfo Responses.
                  request_object_signing_alg:
                    type: string
                    description: JWS alg algorithm (JWA) that must be used for signing Request Objects sent to the OP.
                  request_object_encryption_alg:
                    type: string
                    description: JWE alg algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                  request_object_encryption_enc:
                    type: string
                    description: JWE enc algorithm (JWA) the RP is declaring that it may use for encrypting Request Objects sent to the OP.
                  token_endpoint_auth_method:
                    type: string
                    description: Requested Client Authentication method for the Token Endpoint.
                  token_endpoint_auth_signing_alg:
                    type: string
                    description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint
                      for the private_key_jwt and client_secret_jwt authentication methods.
                  default_max_age:
                    type: integer
                    description: Specifies the Default Maximum Authentication Age.
                    example: 1000000
                  require_auth_time:
                    type: boolean
                    description: Boolean value specifying whether the auth_time Claim in the ID Token is required. It is required when the value is true.
                  default_acr_values:
                    type: array
                    description: Array of default requested Authentication Context Class Reference values that the Authorization Server must use for
                      processing requests from the Client.
                    items:
                      type: string
                  initiate_login_uri:
                    type: string
                    description: Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client.
                  post_logout_redirect_uris:
                    type: array
                    description: Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been
                      performed.
                    example:
                      - https://client.example.org/logout/page1
                      - https://client.example.org/logout/page2
                      - https://client.example.org/logout/page3
                    items:
                      type: string
                  frontchannel_logout_uri:
                    type: string
                    description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP.
                  frontchannel_logout_session_required:
                    type: boolean
                    description: Boolean value specifying whether the RP requires that a session ID query parameter be included
                      to identify the RP session at the OP when the logout_uri is used. If omitted, the default value is false.
                  backchannel_logout_uri:
                    type: string
                    description: RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
                  backchannel_logout_session_required:
                    type: boolean
                    description: Boolean value specifying whether the RP requires that a session ID Claim be included in the Logout Token
                      to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false.
                  request_uris:
                    type: array
                    description: Provide a list of request_uri values that are pre-registered by the Client for use at the Authorization Server.
                    items:
                      type: string
                  scopes:
                    type: string
                    deprecated: true
                    description: This param will be removed in a future version because the correct is 'scope' not 'scopes', see (rfc7591).
                  claims:
                    type: string
                    description: String containing a space-separated list of claims that can be requested individually.
                  id_token_token_binding_cnf:
                    type: string
                    description: Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects
                      when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party
                      supports Token Binding of ID Tokens.
                      If omitted, the default is that the Relying Party does not support Token Binding of ID Tokens.
                  tls_client_auth_subject_dn:
                    type: string
                    description: An string representation of the expected subject distinguished name of the certificate,
                      which the OAuth client will use in mutual TLS authentication.
                  allow_spontaneous_scopes:
                    type: boolean
                    description: Specifies whether to allow spontaneous scopes for client. The default value is false.
                    example: false
                  spontaneous_scopes:
                    type: array
                    description: List of spontaneous scopes
                    items:
                      type: string
                  run_introspection_script_before_access_token_as_jwt_creation_and_include_claims:
                    type: boolean
                    description: Boolean value with default value false. If true and access_token_as_jwt=true then run introspection script
                      and transfer claims into JWT.
                  keep_client_authorization_after_expiration:
                    type: boolean
                    description: Boolean value indicating if the client authorization will not be removed afer expiration
                      (expiration date is same as client's expiration that created it). The default value is false.
                  scope:
                    type: array
                    description: Provide list of scope which are used during authentication to authorize access to resource.
                    example:
                      - openid
                    items:
                      type: string
                  authorized_origins:
                    type: array
                    description: specifies authorized JavaScript origins.
                    items:
                      type: string
                  access_token_lifetime:
                    type: integer
                    description: Specifies the Client-specific access token expiration.
                    example: 100000000
                  software_id:
                    type: string
                    description: Specifies a unique identifier string (UUID) assigned
                      by the client developer or software publisher used by registration
                      endpoints to identify the client software to be dynamically registered.
                    example: 4NRB1-0XZABZI9E6-5SM3R
                  software_version:
                    type: string
                    description: Specifies a version identifier string for the client
                      software identified by 'software_id'. The value of the 'software_version'
                      should change on any update to the client software identified
                      by the same 'software_id'.
                    example: "2.1"
                  software_statement:
                    type: string
                    description: specifies a software statement containing client metadata
                      values about the client software as claims. This is a string value
                      containing the entire signed JWT.
                  backchannel_token_delivery_mode:
                    type: string
                    description: specifies how backchannel token will be deliveried.
                    example: push, poll, ping
                  backchannel_client_notification_endpoint:
                    type: string
                    description: Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens.
                  backchannel_authentication_request_signing_alg:
                    type: string
                    description: The JWS algorithm alg value that the Client will use for signing authentication request, as described in Section 7.1.1. of OAuth 2.0 [RFC6749]. When omitted, the Client will not send signed authentication requests.
                  backchannel_user_code_parameter:
                    type: boolean
                    description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false.
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_token
                      - invalid_client_metadata
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/InvalidRequest'
        500:
          $ref: '#/components/responses/InternalServerError'
    delete:
      tags:
        - Client Registration
      summary: Deletes the client info for a previously registered client.
      description: The Client Registration Endpoint removes the Client Metadata for a previously registered client.
      operationId: delete-register
      parameters:
        - name: client_id
          in: query
          required: true
          description: Client ID that identifies client.
          schema:
            type: string
        - name: Authorization
          in: header
          required: true
          description: Authorization header carrying \"registration_access_token\" issued before as a Bearer token
          schema:
            type: string
      responses:
        204:
          description: OK
          content: {}
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_token
                      - invalid_client_metadata
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_token
                      - invalid_client_metadata
                      - access_denied
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
  /revoke:
    post:
      tags:
        - Token
      summary: Revoke an Access Token or a Refresh Token, the RP (Client).
      description: Revoke an Access Token or a Refresh Token, the RP (Client).
      operationId: revoke
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: The token that the client wants to get revoked.
                token_type_hint:
                  type: string
                  description: A hint about the type of the token submitted for revocation.
      responses:
        200:
          description: OK
          content:
            content: {}
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - unsupported_token_type
                      - invalid_client
                      - invalid_request
                  error_description:
                    type: string
                  details:
                    type: string
  /session_status:
    get:
      tags:
        - Session Management
      summary: Determine current sesion status.
      description: Determine current sesion status.
      operationId: session_status
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: SessionStateObject
                type: object
                properties:
                  state:
                    type: string
                    description: String that represents the End-User's login state at the OP. It MUST NOT contain the space (\" \") character.
                  auth_time:
                    type: string
                    format: date
                    description: specifies the time at which session was authenticated.
                    example: 100000000
                  custom_state:
                    type: string
  /revoke_session:
    post:
      tags:
        - Session Management
      summary: Revoke all sessions for user.
      description: Revoke all sessions for user (requires revoke_session scope).
      operationId: revoke-session
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - user_criterion_key
                - user_criterion_value
              properties:
                user_criterion_key:
                  type: string
                  description: user criterion key (e.g. uid)
                user_criterion_value:
                  type: string
                  description: user criterion value (e.g. chris)
      responses:
        200:
          description: OK - Returned if request was processed successfully. Means it will return in case sessions are found as well as in case sessions are not found (error is not returned to not disclose internal information).
        401:
          $ref: '#/components/responses/Unauthorized'
        500:
          $ref: '#/components/responses/InternalServerError'
  /end_session:
    get:
      tags:
        - Session Management
      summary: End current session.
      description: End current session.
      operationId: end_session
      parameters:
        - name: id_token_hint
          in: query
          description: Previously issued ID Token (id_token) passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
          schema:
            type: string
        - name: post_logout_redirect_uri
          in: query
          description: URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.
          schema:
            type: string
        - name: state
          in: query
          description: Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter. If included in the logout request, the OP passes this value back to the RP using the state query parameter when redirecting the User Agent back to the RP.
          schema:
            type: string
        - name: session_id
          in: query
          description: Session Id
          schema:
            type: string
      responses:
        200:
          description: OK - User redirected to logout page
          content: {}
        302:
          $ref: '#/components/responses/Found'
        400:
          description: Error codes for end session endpoint.
          content:
            application/json:
              schema:
                title: EndSessionError
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_grant
                      - invalid_request
                      - invalid_grant_and_session
                      - session_not_passed
                      - post_logout_uri_not_passed
                      - post_logout_uri_not_associated_with_client
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
  /token:
    post:
      tags:
        - Token
      summary: To obtain an Access Token, an ID Token, and optionally a Refresh Token, the RP (Client).
      description: To obtain an Access Token, an ID Token, and optionally a Refresh Token, the RP (Client).
      operationId: post-token
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
              properties:
                grant_type:
                  type: array
                  description: Provide a list of the OAuth 2.0 grant types that the
                    Client is declaring that it will restrict itself to using.
                  example:
                    - authorization_code
                    - client_credentials
                  items:
                    type: string
                code:
                  type: string
                  description: Code which is returned by authorization endpoint. (For grant_type=authorization_code)
                redirect_uri:
                  type: string
                  description: Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
                username:
                  type: string
                  description: End-User username.
                password:
                  type: string
                  description: End-User password.
                scope:
                  type: array
                  description: OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.
                  items:
                    type: string
                assertion:
                  type: string
                  description: Assertion.
                refresh_token:
                  type: string
                  description: Refresh token.
                client_id:
                  type: string
                  description: OAuth 2.0 Client Identifier valid at the Authorization Server.
                client_secret:
                  type: string
                  description: The client secret.  The client MAY omit the parameter if the client secret is an empty string.
                code_verifier:
                  type: string
                  description: The client's PKCE code verifier.
                ticket:
                  type: string
                claim_token:
                  type: string
                claim_token_format:
                  type: string
                pct:
                  type: string
                rpt:
                  type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: object
                description: AccessTokenResponse.
                required:
                  - access_token
                  - token_type
                properties:
                  access_token:
                    type: string
                    description: The access token issued by the authorization server.
                  token_type:
                    type: string
                    description: The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes).
                  expires_in:
                    type: integer
                    description: The lifetime in seconds of the access token. For example, the value \"3600\" denotes that the access token will expire in one hour from the time the response was generated.
                  refresh_token:
                    type: string
                    description: The refresh token, which can be used to obtain new access tokens using the same authorization grant
                  scope:
                    type: array
                    example:
                      - openid
                      - oxd
                    items:
                      type: string
                  id_token:
                    type: string
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_client_metadata
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          $ref: '#/components/responses/Unauthorized'
        403:
          $ref: '#/components/responses/AccessDenied'
        500:
          $ref: '#/components/responses/InternalServerError'
  /uma/gather_claims:
    get:
      tags:
        - UMA (User Managed Access)
      summary: UMA Claims Gathering Endpoint.
      description: UMA Claims Gathering Endpoint.
      operationId: get-uma-gather_claims
      parameters:
        - name: client_id
          in: query
          description:  OAuth 2.0 Client Identifier valid at the Authorization Server.
          schema:
            type: string
        - name: ticket
          in: query
          schema:
            type: string
        - name: claims_redirect_uri
          in: query
          schema:
            type: string
        - name: state
          in: query
          schema:
            type: string
        - name: reset
          in: query
          schema:
            type: boolean
        - name: authentication
          in: query
          schema:
            type: boolean
      responses:
        302:
          $ref: '#/components/responses/Found'
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_session
                      - invalid_claims_gathering_script_name
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - UMA (User Managed Access)
      summary: UMA Claims Gathering Endpoint
      description: UMA Claims Gathering Endpoint
      operationId: post-uma-gather_claims
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                client_id:
                  type: string
                  description:  OAuth 2.0 Client Identifier valid at the Authorization Server.
                ticket:
                  type: string
                claims_redirect_uri:
                  type: string
                state:
                  type: string
                reset:
                  type: boolean
                authentication:
                  type: boolean
      responses:
        302:
          $ref: '#/components/responses/Found'
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_session
                      - invalid_claims_gathering_script_name
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /uma2-configuration:
    get:
      tags:
        - UMA (User Managed Access)
      summary: Gets UMA configuration data.
      description: Gets UMA configuration data.
      operationId: uma2-configuration
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: object
                description: UmaMetadata
                required:
                  - issuer
                  - authorization_endpoint
                  - token_endpoint
                  - response_types_supported
                properties:
                  issuer:
                    type: string
                    description: The authorization server's issuer identifier, which is\n a URL that uses the \"https\" scheme and has no query or fragment\n components.  This is the location where \".well-known\" RFC 5785\n [RFC5785] resources containing information about the authorization\n server are published.  Using these well-known resources is\n described in Section 3.  The issuer identifier is used to prevent\n authorization server mix-up attacks, as described in \"OAuth 2.0 Mix-Up Mitigation\"
                    example: https://sample.com
                  authorization_endpoint:
                    type: string
                    description: "URL of the authorization server's authorization endpoint.
                    example: https://sample.com/oxauth/restv1/authorize
                  token_endpoint:
                    type: string
                    description: URL of the authorization server's token endpoint [RFC6749].  This is REQUIRED unless only the implicit grant type is used.
                    example: https://sample.com/oxauth/restv1/token
                  jwks_uri:
                    type: string
                    description: URL of the authorization server's JWK Set [JWK] document.  The referenced document contains the signing key(s) the client uses to validate signatures from the authorization server. This URL MUST use the \"https\" scheme.  The JWK Set MAY also contain the server's encryption key(s), which are used by clients to encrypt requests to the server.  When both signing and encryption keys are made available, a \"use\" (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
                    example: https://sample.com/oxauth/restv1/jwks
                  registration_endpoint:
                    type: string
                    description: URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]
                    example: https://sample.com/oxauth/restv1/register
                  response_types_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of the OAuth 2.0 \"response_type\" values that this authorization server supports. The array values used are the same as those used with the \"response_types\" parameter defined by \"OAuth 2.0 Dynamic Client Registration Protocol\" [RFC7591].
                    example:
                    - code
                    - id_token
                    - token
                  grant_types_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports.  The array values used are the same as those used with the \"grant_types\" parameter defined by \"OAuth 2.0 Dynamic Client Registration Protocol\" [RFC7591].  If omitted, the default value is \"[\"authorization_code\", \"implicit\"]\".
                    example:
                    - authorization_code
                    - implicit
                    - client_credentials
                  token_endpoint_auth_methods_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of client authentication methods supported by this token endpoint.  Client authentication method values are used in the \"token_endpoint_auth_method\" parameter defined in Section 2 of [RFC7591].  If omitted, the default is \"client_secret_basic\" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
                    example:
                    - client_secret_basic
                    - client_secret_post
                    - client_secret_jwt
                    - private_key_jwt
                  token_endpoint_auth_signing_alg_values_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of the JWS signing algorithms (\"alg\" values) supported by the token endpoint for the signature on the JWT [JWT] used to authenticate the client at the token endpoint for the \"private_key_jwt\" and \"client_secret_jwt\" authentication methods.  Servers SHOULD support \"RS256\".  The value \"none\" MUST NOT be used.
                    example:
                    - HS256
                    - HS384
                    - HS512
                    - RS256
                    - RS384
                    - RS512
                    - ES256
                    - ES384
                    - ES512
                  service_documentation:
                    type: string
                    description: URL of a page containing human-readable information that developers might want or need to know when using the authorization server.  In particular, if the authorization server does not support Dynamic Client Registration, then information on how to register clients needs to be provided in this documentation.
                    example: http://<op_docs>
                  ui_locales_supported:
                    type: array
                    items:
                      type: string
                    description: Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values.
                    example:
                    - en
                    - es
                  op_policy_uri:
                    type: string
                    description: URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server.  The registration process SHOULD display this URL to the person registering the client if it is given.  As described in Section 5, despite the identifier \"op_policy_uri\", appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
                    example: http://ox.sample.com/doku.php?id=oxauth:policy
                  op_tos_uri:
                    type: string
                    description: URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service.  The registration process SHOULD display this URL to the person registering the client if it is given.  As described in Section 5, despite the identifier \"op_tos_uri\", appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
                    example: http://ox.sample.com/doku.php?id=oxauth:tos
                  introspection_endpoint:
                    type: string
                    description: URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662].
                    example: https://sample.com/oxauth/restv1/rpt/status
                  code_challenge_methods_supported:
                    type: array
                    items:
                      type: string
                    description: JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization server.  Code challenge method values are used in the \"code_challenge_method\" parameter defined in Section 4.3 of [RFC7636].  The valid code challenge method values are those registered in the IANA \"PKCE Code Challenge Methods\" registry [IANA.OAuth.Parameters]
                  claims_interaction_endpoint:
                    type: string
                    description: Static endpoint URI at which the authorization server declares that it interacts with end-user requesting parties to gather claims. If the authorization server also provides a claims interaction endpoint URI as part of its redirect_user hint in a need_info response to a client on authorization failure (see Section 3.3.6), that value overrides this metadata value. Providing the static endpoint URI is useful for enabling interactive claims gathering prior to any pushed-claims flows taking place, so that, for example, it is possible to gather requesting party authorization interactively for collecting all other claims in a \"silent\" fashion."
                    example: https://sample.com/oxauth/restv1/uma/gather_claims
                  uma_profiles_supported:
                    type: array
                    items:
                      type: string
                    description: UMA profiles supported by this authorization server. The value is an array of string values, where each string value is a URI identifying an UMA profile
                  permission_endpoint:
                    type: string
                    description: The endpoint URI at which the resource server requests permissions on the client's behalf.
                    example: https://sample.com/oxauth/restv1/host/rsrc_pr
                  resource_registration_endpoint:
                    type: string
                    description: The endpoint URI at which the resource server registers resources to put them under authorization manager protection.
                    example: https://sample.com/oxauth/restv1/host/rsrc/resource_set
                  scope_endpoint:
                    type: string
                    description: The Scope endpoint URI.
                    example: https://sample.com/oxauth/restv1/uma/scopes
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /host/rsrc_pr:
    post:
      tags:
        - UMA (User Managed Access)
      summary: Registers permission.
      description: Registers permission.
      operationId: host-rsrc_pr
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              title: UmaPermissiona
              description: A permission is (requested or granted) authorized access to a particular resource with some number of scopes
                bound to that resource.
              type: object
              required:
                - resource_id
                - resource_scopes
              properties:
                resource_id:
                  type: string
                  description: The identifier for a resource to which this client is seeking access.
                    The identifier MUST correspond to a resource that was previously registered.
                  example: 112210f47de98100
                resource_scopes:
                  type: array
                  description: An array referencing zero or more strings representing scopes to which access was granted for this resource.
                    Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
                  items:
                    type: string
                params:
                  type: object
                  description: A key/value map that can contain custom parameters.
                  additionalProperties:
                    type: string
      responses:
        201:
          description: OK
          content:
            application/json:
              schema:
                title: UmaPermissionList
                type: array
                description: List of Uma Permission.
                items:
                  type: object
                  required:
                    - resource_id
                    - resource_scopes
                  properties:
                    resource_id:
                      type: string
                      description: The identifier for a resource to which this client is seeking access.
                        The identifier MUST correspond to a resource that was previously registered.
                      example: 112210f47de98100
                    resource_scopes:
                      type: array
                      description: An array referencing zero or more strings representing scopes to which access was granted for this resource.
                        Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
                      items:
                        type: string
                      example:
                        - http://photoz.example.com/dev/actions/add
                        - http://photoz.example.com/dev/actions/internalClient
                    params:
                      type: object
                      description: A key/value map that can contain custom parameters.
                      additionalProperties:
                        type: string
                    exp:
                      type: integer
                      description: Number of seconds since January 1 1970 UTC, indicating when this token will expire.
                      format: int64
                      example: 1256953732
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /host/rsrc/resource_set:
    post:
      tags:
        - UMA 2 Resource
      summary: Adds a new resource description.
      description: Adds a new resource description.
      operationId: post-host-rsrc-resource_set
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              title: UmaResource
              description: Resource description
              type: object
              required:
                - resource_scopes
              properties:
                name:
                  type: string
                  description: A human-readable string describing a set of one or more resources. This name MAY be used by the authorization server in its resource owner user interface for the resource owner.
                icon_uri:
                  type: string
                  description: A URI for a graphic icon representing the resource set. The referenced icon MAY be used by the authorization server in its resource owner user interface for the resource owner.
                  example: http://www.example.com/icons/sharesocial.png
                type:
                  type: string
                  description: A string uniquely identifying the semantics of the resource set. For example, if the resource set consists of a single resource that is an identity claim that leverages standardized claim semantics for \"verified email address\", the value of this property could be an identifying URI for this claim.
                resource_scopes:
                  type: array
                  items:
                    type: string
                  description: An array of strings, any of which MAY be a URI, indicating the available scopes for this resource set. URIs MUST resolve to scope descriptions as defined in Section 2.1. Published scope descriptions MAY reside anywhere on the web; a resource server is not required to self-host scope descriptions and may wish to point to standardized scope descriptions residing elsewhere. It is the resource server's responsibility to ensure that scope description documents are accessible to authorization servers through GET calls to support any user interface requirements. The resource server and authorization server are presumed to have separately negotiated any required interpretation of scope handling not conveyed through scope descriptions.
                  example: \"read-public\", \"post-updates"\,\"read-private"\
                scope_expression:
                  type: string
                description:
                  type: string
                  description: A human-readable string describing the resource
                iat:
                  type: integer
                  description: number of seconds since January 1 1970 UTC, indicating when the token was issued at
                  format: int64
                  example: 1535709072
                exp:
                  type: integer
                  description: number of seconds since January 1 1970 UTC, indicating when this token will expire.
                  format: int64
                  example: 1419356238
      responses:
        201:
          description: OK
          content:
            application/json:
              schema:
                title: UmaResourceResponse
                description: UmaResourceResponse Resource created.
                type: object
                required:
                  - _id
                properties:
                  _id:
                    type: string
                    description: UMA Resource identifier
                    example: KX3A-39WE
                  user_access_policy_uri:
                    type: string
                    example: http://as.example.com/rs/222/resource/22/policy
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    put:
      tags:
        - UMA 2 Resource
      summary: Updates a previously registered resource.
      description: Updates a previously registered resource.
      operationId: put-host-rsrc-resource_set{rsid}
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: rsid
          in: path
          required: true
          description: Resource ID.
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              title: UmaResource
              description: Resource description
              type: object
              required:
                - resource_scopes
              properties:
                name:
                  type: string
                  description: A human-readable string describing a set of one or more resources. This name MAY be used by the authorization server in its resource owner user interface for the resource owner.
                icon_uri:
                  type: string
                  description: A URI for a graphic icon representing the resource set. The referenced icon MAY be used by the authorization server in its resource owner user interface for the resource owner.
                  example: http://www.example.com/icons/sharesocial.png
                type:
                  type: string
                  description: A string uniquely identifying the semantics of the resource set. For example, if the resource set consists of a single resource that is an identity claim that leverages standardized claim semantics for \"verified email address\", the value of this property could be an identifying URI for this claim.
                resource_scopes:
                  type: array
                  items:
                    type: string
                  description: An array of strings, any of which MAY be a URI, indicating the available scopes for this resource set. URIs MUST resolve to scope descriptions as defined in Section 2.1. Published scope descriptions MAY reside anywhere on the web; a resource server is not required to self-host scope descriptions and may wish to point to standardized scope descriptions residing elsewhere. It is the resource server's responsibility to ensure that scope description documents are accessible to authorization servers through GET calls to support any user interface requirements. The resource server and authorization server are presumed to have separately negotiated any required interpretation of scope handling not conveyed through scope descriptions.
                  example: \"read-public\", \"post-updates"\,\"read-private"\
                scope_expression:
                  type: string
                description:
                  type: string
                  description: A human-readable string describing the resource
                iat:
                  type: integer
                  description: number of seconds since January 1 1970 UTC, indicating when the token was issued at
                  format: int64
                  example: 1535709072
                exp:
                  type: integer
                  description: number of seconds since January 1 1970 UTC, indicating when this token will expire.
                  format: int64
                  example: 1419356238
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: UmaResourceResponse
                description: UmaResourceResponse Resource created.
                type: object
                required:
                  - _id
                properties:
                  _id:
                    type: string
                    description: UMA Resource identifier
                    example: KX3A-39WE
                  user_access_policy_uri:
                    type: string
                    example: http://as.example.com/rs/222/resource/22/policy
        404:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - not_found
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    get:
      tags:
        - UMA 2 Resource
      summary: Lists all previously registered resource.
      description: Lists all previously registered resource.
      operationId: get-host-rsrc-resource_set
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: scope
          in: query
          description: Scope uri.
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: Uma Resource indetifiers
                description: Uma Resource details
                type: array
                items:
                  type: string
                  description: List of resource identifers
                  example: [ '11','22']
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    delete:
      tags:
        - UMA 2 Resource
      summary: Deletes a previously registered resource.
      description: Deletes a previously registered resource.
      operationId: delete-host-rsrc-resource_set
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: rsid
          in: path
          required: true
          description: Resource ID
          schema:
            type: string
      responses:
        204:
          description: OK
          content: {}
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /host/rsrc/resource_set/{rsid}:
    get:
      tags:
        - UMA 2 Resource
      summary: Reads a previously registered resource.
      description: Reads a previously registered resource.
      operationId: get-host-rsrc-resource_set/{rsid}
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
        - name: rsid
          in: path
          required: true
          description: Resource description ID.
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: UmaResourceWithId
                description: Uma Resource details
                type: object
                required:
                  - _id
                  - iat
                  - exp
                properties:
                  _id:
                    type: string
                    description: UMA Resource identifier
                    example: KX3A-39WE
                  name:
                    type: string
                    description: A human-readable string describing a set of one or more resources. This name MAY be used by the authorization server in its resource owner user interface for the resource owner.
                  uri:
                    type: string
                    description: A human-readable string describing the resource
                  type:
                    type: string
                    description: A string uniquely identifying the semantics of the resource set. For example, if the resource set consists of a single resource that is an identity claim that leverages standardized claim semantics for \"verified email address\", the value of this property could be an identifying URI for this claim.
                  scopes:
                    type: array
                    items:
                      type: string
                    description: An array of strings, any of which MAY be a URI, indicating the available scopes for this resource set. URIs MUST resolve to scope descriptions as defined in Section 2.1. Published scope descriptions MAY reside anywhere on the web; a resource server is not required to self-host scope descriptions and may wish to point to standardized scope descriptions residing elsewhere. It is the resource server's responsibility to ensure that scope description documents are accessible to authorization servers through GET calls to support any user interface requirements. The resource server and authorization server are presumed to have separately negotiated any required interpretation of scope handling not conveyed through scope descriptions.
                  scope_expression:
                    type: string
                  description:
                    type: string
                    description: A human-readable string describing the resource
                  icon_uri:
                    type: string
                    description: A URI for a graphic icon representing the resource set. The referenced icon MAY be used by the authorization server in its resource owner user interface for the resource owner.
                    example: http://www.example.com/icons/sharesocial.png
                  iat:
                    type: integer
                    description: number of seconds since January 1 1970 UTC, indicating when the token was issued at
                    format: int64
                    example: 1535709072
                  exp:
                    type: integer
                    description: number of seconds since January 1 1970 UTC, indicating when this token will expire.
                    format: int64
                    example: 1419356238
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /rpt/status:
    get:
      tags:
        - Token Introspection
      summary: The Introspection OAuth 2 Endpoint for RPT.
      description: The Introspection OAuth 2 Endpoint for RPT.
      operationId: get-rpt-status
      parameters:
        - name: Authorization
          in: header
          required: true
          schema:
            type: string
        - name: token
          in: query
          required: true
          schema:
            type: string
        - name: token_type_hint
          in: query
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: RptIntrospectionResponse
                type: object
                required:
                  - active
                  - permissions
                  - resource_id
                  - resource_scopes
                properties:
                  active:
                    type: boolean
                    description: Boolean indicator of whether or not the presented token is currently active.
                  exp:
                    type: integer
                    description: Integer timestamp, in seconds since January 1 1970 UTC, indicating when this token will expire.
                    format: int64
                    example: 1256953732
                  iat:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued.
                    example: 1256953732
                  clientId:
                    type: string
                    description: Client id used to obtain RPT.
                  sub:
                    type: string
                    description: Subject of the token. Usually a machine-readable identifier of the resource owner who authorized this token.
                  aud:
                    type: string
                    description: Service-specific string identifier or list of string identifiers representing the intended audience for this token.
                  permissions:
                    type: array
                    items:
                      type: object
                      description: List of UmaPermission granted to RPT. A permission is (requested or granted) authorized access to a
                        particular resource with some number of scopes  bound to that resource.
                      required:
                        - resource_id
                        - resource_scopes
                      properties:
                        resource_id:
                          type: string
                          description: A string that uniquely identifies the protected resource, access to which has been granted to this client on
                            behalf of this requesting party. The identifier MUST correspond to a resource that was previously registered as protected.
                        resource_scopes:
                          type: array
                          description: An array referencing zero or more strings representing scopes to which access was granted for this resource.
                            Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
                          items:
                            type: string
                        exp:
                          type: integer
                          description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission
                            will expire. If the token-level exp value pre-dates a permission-level exp value, the token-level value takes
                            precedence.
                        iat:
                          type: integer
                          description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this
                            permission was originally issued. If the token-level iat value post-dates a permission-level iat value,
                            the token-level value takes precedence.
                        nbf:
                          type: integer
                          description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before
                            which this permission is not valid. If the token-level nbf value post-dates a permission-level nbf value,
                            the token-level value takes precedence.
                  pct_claims:
                    type: object
                    additionalProperties:
                      type: string
                    description: PCT token claims.
                    #example: {name:['John']}
                  iss:
                    type: string
                    description: String representing the issuer of this token, as defined in JWT [RFC7519].
                  jti:
                    type: string
                    description: String identifier for the token, as defined in JWT [RFC7519].
                  nbf:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid.
                  resource_id:
                    type: string
                    description: Resource ID.
                  resource_scopes:
                    type: array
                    items:
                      type: string
        405:
          description: Introspection of RPT is not allowed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - Token Introspection
      summary: The Introspection OAuth 2 Endpoint for RPT.
      description: The Introspection OAuth 2 Endpoint for RPT.
      operationId: post-rpt-status
      parameters:
        - name: Authorization
          in: header
          required: true
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: Client access token.
                token_type_hint:
                  type: string
                  description: ID Token previously issued by the Authorization Server being passed as a hint about the End-User.
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: RptIntrospectionResponse
                type: object
                required:
                  - active
                  - permissions
                  - resource_id
                  - resource_scopes
                properties:
                  active:
                    type: boolean
                    description: Boolean indicator of whether or not the presented token is currently active.
                  exp:
                    type: integer
                    description: Integer timestamp, in seconds since January 1 1970 UTC, indicating when this token will expire.
                    format: int64
                    example: 1256953732
                  iat:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission was originally issued.
                    example: 1256953732
                  clientId:
                    type: string
                    description: Client id used to obtain RPT.
                  sub:
                    type: string
                    description: Subject of the token. Usually a machine-readable identifier of the resource owner who authorized this token.
                  aud:
                    type: string
                    description: Service-specific string identifier or list of string identifiers representing the intended audience for this token.
                  permissions:
                    type: array
                    items:
                      type: object
                      description: List of UmaPermission granted to RPT. A permission is (requested or granted) authorized access to a
                        particular resource with some number of scopes  bound to that resource.
                      required:
                        - resource_id
                        - resource_scopes
                      properties:
                        resource_id:
                          type: string
                          description: A string that uniquely identifies the protected resource, access to which has been granted to this client on
                            behalf of this requesting party. The identifier MUST correspond to a resource that was previously registered as protected.
                        resource_scopes:
                          type: array
                          description: An array referencing zero or more strings representing scopes to which access was granted for this resource.
                            Each string MUST correspond to a scope that was registered by this resource server for the referenced resource.
                          items:
                            type: string
                        exp:
                          type: integer
                          description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this permission
                            will expire. If the token-level exp value pre-dates a permission-level exp value, the token-level value takes
                            precedence.
                        iat:
                          type: integer
                          description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this
                            permission was originally issued. If the token-level iat value post-dates a permission-level iat value,
                            the token-level value takes precedence.
                        nbf:
                          type: integer
                          description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before
                            which this permission is not valid. If the token-level nbf value post-dates a permission-level nbf value,
                            the token-level value takes precedence.
                  pct_claims:
                    type: object
                    additionalProperties:
                      type: string
                      description: PCT token claims.
                      example: '{name:["John"]}'
                  iss:
                    type: string
                    description: String representing the issuer of this token, as defined in JWT [RFC7519].
                  jti:
                    type: string
                    description: String identifier for the token, as defined in JWT [RFC7519].
                  nbf:
                    type: integer
                    description: Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating the time before which this permission is not valid.
                  resource_id:
                    type: string
                    description: Resource ID.
                  resource_scopes:
                    type: array
                    items:
                      type: string
        405:
          description: Introspection of RPT is not allowed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /uma/scopes:
    get:
      tags:
        - UMA Scope
      summary: Provides UMA Scope description by scope id.
      description: Provides UMA Scope description by scope id.
      operationId: get-uma_scopes
      parameters:
        - name: id
          in: path
          required: true
          description: Resource description ID.
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: UmaScopeDescription
                required:
                  - name
                properties:
                  description:
                    type: string
                    description: A human-readable string describing the resource at length. The authorization server MAY use this description in any user interface it presents to a resource owner, for example, for resource protection monitoring or policy setting.
                  iconUri:
                    type: string
                    description: A URI for a graphic icon representing the scope. The referenced icon MAY be used by the authorization server in any user interface it presents to the resource owner.
                  name:
                    type: string
                    description: A human-readable string describing some scope (extent) of access. This name MAY be used by the authorization server in any user interface it presents to the resource owner.
        404:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - not_found
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /userinfo:
    get:
      tags:
        - User Info
      summary: Returns Claims about the authenticated End-User.
      description: Returns Claims about the authenticated End-User.
      operationId: get-userinfo
      parameters:
        - name: access_token
          in: query
          required: true
          description: OAuth 2.0 Access Token.
          schema:
            type: string
        - name: Authorization
          in: header
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/jwt:
              schema:
                title: User Claims details
                properties:
                  sub:
                    type: integer
                    example: 248289761001
                  name:
                    type: string
                    example: Jane Doe
                  given_name:
                    type: string
                    example: Jane
                  family_name:
                    type: string
                    example: Doe
                  preferred_username:
                    type: string
                    example: j.doe
                  email:
                    type: string
                    example: janedoe@example.com
                  picture:
                    type: string
                    example: http://example.com/janedoe/me.jpg
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
        403:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - insufficient_scope
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
    post:
      tags:
        - User Info
      summary: Returns Claims about the authenticated End-User.
      description: Returns Claims about the authenticated End-User.
      operationId: post-userinfo
      parameters:
        - name: Authorization
          in: header
          description: Client Authorization details that contains the access token along with other details.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - access_token
              properties:
                access_token:
                  type: string
                  description: OAuth 2.0 Access Token.
      responses:
        200:
          description: OK
          content:
            application/jwt:
              schema:
                title: User Claims details
                properties:
                  sub:
                    type: integer
                    example: 248289761001
                  name:
                    type: string
                    example: Jane Doe
                  given_name:
                    type: string
                    example: Jane
                  family_name:
                    type: string
                    example: Doe
                  preferred_username:
                    type: string
                    example: j.doe
                  email:
                    type: string
                    example: janedoe@example.com
                  picture:
                    type: string
                    example: http://example.com/janedoe/me.jpg
        400:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_request
                  error_description:
                    type: string
                  details:
                    type: string
        401:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - invalid_token
                  error_description:
                    type: string
                  details:
                    type: string
        403:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - insufficient_scope
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          $ref: '#/components/responses/InternalServerError'
  /fido/u2f/authentication:
    get:
      tags:
        - FIDO U2F
      summary: Performs FIDO U2F authentication of end-user.
      description: Performs FIDO U2F authentication of end-user.
      operationId: get-fido-u2f-authentication
      parameters:
        - name: username
          in: query
          required: true
          schema:
            type: string
        - name: keyhandle
          in: query
          schema:
            type: string
            description: Websafe-base64 encoding of the key handle obtained from the U2F token during registration.
        - name: application
          in: query
          description: The application id that the RP would like to assert.
          schema:
            type: string
        - name: session_id
          in: query
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: AuthenticateRequestMessage
                description: FIDO U2F device authentication request.
                required:
                  - version
                  - challenge
                  - appId
                  - keyHandle
                type: object
                properties:
                  version:
                    type: string
                    description: Version of the protocol that the to-be-registered U2F token must speak.
                    example: U2F_V2
                  challenge:
                    type: string
                    description: The websafe-base64-encoded challenge.
                  appId:
                    type: string
                    description: The application id that the RP would like to assert.
                  keyHandle:
                    type: string
                    description: Websafe-base64 encoding of the key handle obtained from the U2F token during registration.
        403:
          $ref: '#/components/responses/AccessDenied'
        404:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - no_eligable_devices
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - FIDO U2F
      summary: Performs FIDO U2F authentication of end-user.
      description: Performs FIDO U2F authentication of end-user.
      operationId: post-fido-u2f-authentication
      requestBody:
        content:
          application/json:
            schema:
              title: GetClientTokenParams
              required:
                - username
                - tokenResponse
              type: object
              properties:
                username:
                  type: string
                tokenResponse:
                  type: object
                  properties:
                    clientData:
                      type: string
                      description: base64(UTF8(client data))
                    signatureData:
                      type: string
                      description: base64(raw response from U2F device)
                    keyHandle:
                      type: string
                      description: keyHandle originally passed
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: AuthenticateStatus
                description: FIDO U2F device authentication status.
                required:
                  - status
                  - challenge
                type: object
                properties:
                  status:
                    type: string
                    description: Version of the protocol that the to-be-registered U2F token must speak.
                    example: U2F_V2
                  challenge:
                    type: string
                    description: The websafe-base64-encoded challenge.
        403:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - session_expired
                      - invalid_request
                      - device_compromised
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string

  /fido-configuration:
    get:
      tags:
        - FIDO U2F
      summary: Performs FIDO configuration data.
      description: Performs FIDO configuration data.
      operationId: fido-configuration
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: U2fConfiguration
                description: FIDO U2F Configuration.
                required:
                  - version
                  - issuer
                properties:
                  version:
                    type: string
                    description: The version of the FIDO U2F core protocol to which this server conforms. The value MUST be the string 1.0.
                  issuer:
                    type: string
                    description: A URI indicating the party operating the FIDO U2F server.
                  registration_endpoint:
                    type: string
                  authentication_endpoint:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /fido/u2f/registration:
    get:
      tags:
        - FIDO U2F
      summary: U2F device registration.
      description: U2F device registration.
      operationId: get-fido-u2f-registration
      parameters:
        - name: username
          in: query
          required: true
          schema:
            type: string
        - name: application
          in: query
          description: The application id that the RP would like to assert.
          schema:
            type: string
        - name: session_id
          in: query
          schema:
            type: string
        - name: enrollment_code
          in: query
          schema:
            type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: RegisterRequestMessage
                description: RegisterRequestMessage
                required:
                  - authenticateRequests
                  - registerRequests
                type: object
                properties:
                  authenticateRequests:
                    type: array
                    items:
                      type: object
                      description: list of AuthenticateRequest
                      properties:
                        version:
                          type: string
                          description: Version of the protocol that the to-be-registered U2F token must speak.
                          example: U2F_V2
                        challenge:
                          type: string
                          description: The websafe-base64-encoded challenge.
                        appId:
                          type: string
                          description: The application id that the RP would like to assert.
                        keyHandle:
                          type: string
                          description: websafe-base64 encoding of the key handle obtained from the U2F token during registration
                  registerRequests:
                    type: array
                    items:
                      type: object
                      description: list of RegisterRequest
                      properties:
                        version:
                          type: string
                          description: Version of the protocol that the to-be-registered U2F token must speak.
                          example: U2F_V2
                        challenge:
                          type: string
                          description: The websafe-base64-encoded challenge.
                        appId:
                          type: string
                          description: The application id that the RP would like to assert.
        403:
          $ref: '#/components/responses/AccessDenied'
        406:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - registration_not_allowed
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
    post:
      tags:
        - FIDO U2F
      summary: U2F device registration.
      description: U2F device registration.
      operationId: post-fido-u2f-registration
      requestBody:
        content:
          application/json:
            schema:
              title: RegisterSiteParams
              required:
                - username
              type: object
              properties:
                username:
                  type: string
                tokenResponse:
                  type: object
                  description: FIDO U2F device registration details
                  properties:
                    registrationData:
                      type: string
                    clientData:
                      type: string
                    deviceData:
                      type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: RegisterStatus
                description: RegisterRequestMessage
                type: object
                properties:
                  status:
                    type: string
                  challenge:
                    type: string
        403:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - session_expired
                      - invalid_request
                  error_description:
                    type: string
                  details:
                    type: string
        406:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - registration_not_allowed
                  error_description:
                    type: string
                  details:
                    type: string
        500:
          description: Invalid parameters provided to endpoint.
          content:
            application/json:
              schema:
                type: object
                required:
                  - error
                  - error_description
                properties:
                  error:
                    type: string
                    format: enum
                    example:
                      - server_error
                  error_description:
                    type: string
                  details:
                    type: string
  /fido2/configuration:
    get:
      tags:
        - FIDO2
      summary: FIDO2 configuration
      description: FIDO2 configuration
      operationId: get-fido2-configuration
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: FIDO2 configuration
                description: FIDO2 configuration.
                required:
                  - version
                  - issuer
                  - attestation
                properties:
                  version:
                    type: string
                    description: The version of the FIDO2 U2F core protocol to which this server conforms. The value MUST be the string 1.0.
                  issuer:
                    type: string
                    description: A URI indicating the party operating the FIDO U2F server.
                  attestation:
                    type: array
                    items:
                      type: object
                      description: list of fido2 attestation endpoints
                      properties:
                        base_path:
                          type: string
                          description: fido2 attestation endpoint
                        options_enpoint:
                          type: string
                          description: fido2 attestation options endpoint
                        result_enpoint:
                          type: string
                          description: fido2 attestation result endpoint
                  assertion:
                    type: array
                    items:
                      type: object
                      description: list of fido2 assertion endpoints
                      properties:
                        base_path:
                          type: string
                          description: fido2 assertion endpoint
                        options_enpoint:
                          type: string
                          description: fido2 assertion options endpoint
                        result_enpoint:
                          type: string
                          description: fido2 assertion result endpoint
        403:
          $ref: '#/components/responses/AccessDenied'
        406:
          $ref: '#/components/responses/NotAcceptable'
        500:
          $ref: '#/components/responses/InternalServerError'
  /fido2/assertion/options:
    post:
      tags:
        - FIDO2
      summary: FIDO2 Assertion Options
      description: FIDO2 Assertion Options
      operationId: options
      requestBody:
        content:
          application/json:
            schema:
              title: AssertionOptions
              type: object
              properties:
                content:
                  type: object
                  description: An object that contains the extensions to enable, and the options to use for each of them.
                  properties:
                    username:
                      type: string
                    authenticatorSelection:
                      type: array
                      items:
                        type: string
                        description: Set of parameters required for FIDO2 assertion option.
                    documentDomain:
                      type: string
                    extensions:
                      type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: AssertionOptionsResponse
                type: object
                required:
                  - challenge
                  - user
                  - allowCredentials
                  - userVerification
                  - extensions
                properties:
                  challenge:
                    type: string
                    description: Websafe-base64 encoding of the challenge.
                  user:
                    type: string
                    description: username
                  allowCredentials:
                    type: array
                    items:
                      type: string
                    example:
                      - type
                      - transports
                      - id
                  userVerification:
                    type: string
                  extensions:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
        500:
          $ref: '#/components/responses/InternalServerError'
  /fido2/assertion/result:
    post:
      tags:
        - FIDO2
      summary: FIDO2 Assertion Result - Parses and validates an assertion response from the client.
      description: FIDO2 Assertion Result.
      operationId: result
      requestBody:
        content:
          application/json:
            schema:
              title: AssertionOptions
              required:
                - clientDataJSON
              type: object
              properties:
                id:
                  type: string
                  description: The base64url encoded id returned by the client
                type:
                  type: array
                  items:
                    type: string
                  example:
                    - public-key
                rawId:
                  type: string
                  description: The base64url encoded rawId returned by the client. If res.rawId is missing, res.id will be used instead. If both are missing an error will be thrown.
                userHandle:
                  type: string
                  description: The base64url encoded userHandle returned by the client. May be null or an empty string.
                clientDataJSON:
                  type: array
                  description: The base64url encoded clientDataJSON returned by the client
                  items:
                    type: string
                  example:
                    - challenge
                    - origin
      responses:
        200:
          description: OK
          content: {}
        403:
          $ref: '#/components/responses/AccessDenied'
        500:
          $ref: '#/components/responses/InternalServerError'
  /fido2/attestation/options:
    post:
      tags:
        - FIDO2
      summary: Created new registration.
      description: Created new registration.
      operationId: attestation-options
      requestBody:
        content:
          application/json:
            schema:
              title: AttestationOptions
              description: An object containing various options for the option creation
              type: object
              properties:
                username:
                  type: string
                displayName:
                  type: string
                documentDomain:
                  type: string
                credentialType:
                  type: string
                authenticatorSelection:
                  type: array
                  items:
                    type: string
                    description: Set of parameters required for FIDO2 attestation option.
                extensions:
                  type: string
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                title: CredentialCreationOptions
                required:
                  - challenge
                  - rp
                  - user
                  - attestation
                  - pubKeyCredParams
                  - authenticatorSelection
                  - excludeCredentials
                  - extensions
                type: object
                properties:
                  challenge:
                    type: string
                    description: The base64url encoded challenge that was sent to the client, as generated by assertionOptions.
                  rp:
                    type: array
                    description: RP credentials
                    items:
                      type: string
                    example:
                      - name
                      - id
                  user:
                    type: object
                    description: User object
                    required:
                      - id
                      - name
                      - displayName
                    properties:
                      id:
                        type: string
                      name:
                        type: string
                      displayName:
                        type: string
                  attestation:
                    type: string
                    format: enum
                  pubKeyCredParams:
                    type: array
                    items:
                      type: string
                      example:
                        - public-key
                        - type
                        - alg
                  authenticatorSelection:
                    type: array
                    items:
                      type: string
                      description: Set of parameters required for FIDO2 attestation option.
                  excludeCredentials:
                    type: array
                    items:
                      type: string
                      description: Set of parameters required for FIDO2 attestation option.
                  extensions:
                    type: string
        403:
          $ref: '#/components/responses/AccessDenied'
        500:
          $ref: '#/components/responses/InternalServerError'
  /fido2/attestation/result:
    post:
      tags:
        - FIDO2
      summary: FIDO2 attestation result.
      description: FIDO2 attestation result
      operationId: attestation-result
      requestBody:
        content:
          application/json:
            schema:
              title: AttestationOptions
              description: An object containing various options for the option creation
              type: object
              required:
                - _type
                - clientDataJSON
              properties:
                type:
                  type: string
                clientDataJSON:
                  type: array
                  description: The base64url encoded clientDataJSON returned by the client
                  items:
                    type: string
                  example:
                    - challenge
                    - origin
                id:
                  type: string

      responses:
        200:
          description: OK
          content: {}
          $ref: '#/components/responses/AccessDenied'
        500:
          $ref: '#/components/responses/InternalServerError'

components:
  responses:
    Found: #302 - FOUND
      description: Resource Found.
      content: {}
    InvalidRequest: #400 - BAD_REQUEST
      description: Invalid parameters are provided to endpoint.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized: #401 - UNAUTHORIZED
      description: Unauthorized access request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    AccessDenied: #403 - FORBIDDEN
      description: Invalid details provided hence access denied.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound: #404 - NOT_FOUND
      description: Resource Not Found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotAcceptable: #406 - NOT_ACCEPTABLE
      description: Request Not Acceptable.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    InternalServerError: #500 - INTERNAL_SERVER_ERROR
      description: Internal error occured. Please check log file for details.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'

  schemas:
    ErrorResponse:
      required:
        - error
        - error_description
      type: object
      properties:
        error:
          type: string
        error_description:
          type: string
        details:
          type: string
    JsonWebKey:
      required:
        - alg
        - exp
        - key_ops
        - kid
        - kty
        - use
        - x5c
      type: object
      properties:
        kid:
          type: string
        kty:
          type: string
        use:
          type: string
        alg:
          type: string
        crv:
          type: string
        exp:
          type: integer
          format: int64
        x5c:
          type: array
          items:
            type: string
        n:
          type: string
        e:
          type: string
        x:
          type: string
        y:
          type: string