diff --git a/.editorconfig b/.editorconfig
index 76d8b6ca..00abbc36 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -6,3 +6,8 @@ max_line_length=120
 end_of_line=lf
 ij_any_line_comment_add_space = true
 ij_any_line_comment_at_first_column = false
+
+# Disable wildcard imports entirely
+ij_kotlin_name_count_to_use_star_import = 2147483647
+ij_kotlin_name_count_to_use_star_import_for_members = 2147483647
+ij_kotlin_packages_to_use_import_on_demand = unset
\ No newline at end of file
diff --git a/generate-hydra-model.sh b/generate-hydra-model.sh
index 266a3182..a8ab205a 100755
--- a/generate-hydra-model.sh
+++ b/generate-hydra-model.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 
-HYDRA_VERSION="v1.10.2"
+HYDRA_VERSION="v2.2.0"
 
 mkdir -p hydra-generated
 
 docker run --user 1000 --rm -v "${PWD}/hydra-generated:/local" openapitools/openapi-generator-cli generate \
   -i "https://raw.githubusercontent.com/ory/hydra/${HYDRA_VERSION}/spec/api.json" \
   -g kotlin \
-  --additional-properties modelPackage=sh.ory.hydra.model,serializationLibrary=jackson,swaggerAnnotations=false,hideGenerationTimestamp=true \
+  --additional-properties modelPackage=sh.ory.hydra.model,serializationLibrary=jackson \
   -o /local
diff --git a/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraClient.kt b/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraClient.kt
index 3e4107ae..390e0e90 100644
--- a/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraClient.kt
+++ b/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraClient.kt
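Review bot: The regenerated models no longer carry `@RegisterForReflection` (the model hunks below remove both the import and the annotation, e.g. in AcceptOAuth2ConsentRequest.kt), and nothing in this script or elsewhere in the diff replaces it. If the service is built as a Quarkus native image, Jackson will be unable to deserialize these classes at runtime; a single hand-written holder class outside the generated tree, `@RegisterForReflection(targets = [OAuth2LoginRequest::class, OAuth2ConsentRequest::class, IntrospectedOAuth2Token::class])` plus the remaining models, keeps the registration without editing generated files. Dropping `hideGenerationTimestamp=true` looks harmless here because the new file headers contain no timestamp, but if a later generator version emits one again, every regeneration will produce noisy diffs.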
@@ -14,14 +14,16 @@ import jakarta.ws.rs.QueryParam
 import jakarta.ws.rs.core.MediaType
 import jakarta.ws.rs.core.Response
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient
-import sh.ory.hydra.model.AcceptConsentRequest
-import sh.ory.hydra.model.AcceptLoginRequest
-import sh.ory.hydra.model.ConsentRequest
+import sh.ory.hydra.model.AcceptOAuth2ConsentRequest
+import sh.ory.hydra.model.AcceptOAuth2LoginRequest
 import sh.ory.hydra.model.GenericError
-import sh.ory.hydra.model.LoginRequest
-import sh.ory.hydra.model.OAuth2TokenIntrospection
+import sh.ory.hydra.model.IntrospectedOAuth2Token
+import sh.ory.hydra.model.OAuth2ConsentRequest
+import sh.ory.hydra.model.OAuth2LoginRequest
+import sh.ory.hydra.model.OAuth2RedirectTo
+import sh.ory.hydra.model.RejectOAuth2Request
 
-@Path("/")
+@Path("/admin")
 @ApplicationScoped
 @RegisterRestClient(configKey = "faf-ory-hydra")
 interface HydraClient {
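Review bot: Moving the base path to `/admin` makes every method on this client, including `introspectToken`, a call to Hydra's administrative API, which Hydra does not authenticate on its own. Whether the `faf-ory-hydra` base URL resolves to the admin listener and stays unreachable from outside the deployment is decided in configuration that is not part of this diff, so it is worth confirming alongside this change. A short comment on the interface would keep that invariant visible to the next maintainer: `// Targets Hydra's unauthenticated admin API: the configured base URL must be the admin listener, never the public one.`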
@@ -41,34 +43,34 @@ interface HydraClient {
     // requesting a handled challenge throws HTTP 410 - Gone
     @GET
     @Path("/oauth2/auth/requests/login")
-    fun getLoginRequest(@QueryParam("login_challenge") @NotBlank challenge: String): LoginRequest
+    fun getLoginRequest(@QueryParam("login_challenge") @NotBlank challenge: String): OAuth2LoginRequest
 
     @GET
     @Path("/oauth2/auth/requests/consent")
-    fun getConsentRequest(@QueryParam("consent_challenge") @NotBlank challenge: String): ConsentRequest
+    fun getConsentRequest(@QueryParam("consent_challenge") @NotBlank challenge: String): OAuth2ConsentRequest
 
     // accepting login request more than once throws HTTP 409 - Conflict
     @PUT
     @Path("/oauth2/auth/requests/login/accept")
     fun acceptLoginRequest(
         @QueryParam("login_challenge") @NotBlank challenge: String,
-        acceptLoginRequest: AcceptLoginRequest,
-    ): RedirectResponse
+        acceptLoginRequest: AcceptOAuth2LoginRequest,
+    ): OAuth2RedirectTo
 
     @PUT
     @Path("/oauth2/auth/requests/login/reject")
     fun rejectLoginRequest(
         @QueryParam("login_challenge") @NotBlank challenge: String,
-        error: GenericError,
-    ): RedirectResponse
+        payload: RejectOAuth2Request,
+    ): OAuth2RedirectTo
 
     // accepting consent more than once does not cause an error
     @PUT
     @Path("/oauth2/auth/requests/consent/accept")
     fun acceptConsentRequest(
         @QueryParam("consent_challenge") @NotBlank challenge: String,
-        acceptConsentRequest: AcceptConsentRequest,
-    ): RedirectResponse
+        acceptConsentRequest: AcceptOAuth2ConsentRequest,
+    ): OAuth2RedirectTo
 
     // rejecting consent more than once does not cause an error
     @PUT
@@ -76,7 +78,7 @@ interface HydraClient {
     fun rejectConsentRequest(
         @QueryParam("consent_challenge") @NotBlank challenge: String,
         error: GenericError,
-    ): RedirectResponse
+    ): OAuth2RedirectTo
 
     @DELETE
     @Path("/oauth2/auth/sessions/consent")
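Review bot: `rejectConsentRequest` in the second hunk still sends `error: GenericError`, but this commit regenerates `GenericError` (see the GenericError.kt hunk below) into Hydra's generic API error with `message`/`code`/`debug` fields, so the body posted to `/oauth2/auth/requests/consent/reject` would no longer carry `error`, `error_description` or `status_code`. `rejectLoginRequest` in the first hunk was switched to `RejectOAuth2Request` for exactly this reason; the consent variant should follow suit, `payload: RejectOAuth2Request,`. Any caller that builds a `GenericError` for this method (not visible here) then needs the same swap, and the `GenericError` import in this file may become unused. The interface continues outside both hunks.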
@@ -92,7 +94,7 @@ interface HydraClient {
     fun introspectToken(
         @FormParam("token") @NotBlank token: String,
         @FormParam("scope") scope: String?,
-    ): OAuth2TokenIntrospection
+    ): IntrospectedOAuth2Token
 }
 
 class GoneException(override val message: String?) : RuntimeException(message)
diff --git a/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraService.kt b/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraService.kt
index b9b4981d..83eb3353 100644
--- a/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraService.kt
+++ b/src/main/kotlin/com/faforever/userservice/backend/hydra/HydraService.kt
@@ -9,12 +9,13 @@ import jakarta.enterprise.context.ApplicationScoped
 import jakarta.enterprise.inject.Produces
 import jakarta.transaction.Transactional
 import org.eclipse.microprofile.rest.client.inject.RestClient
-import sh.ory.hydra.model.AcceptConsentRequest
-import sh.ory.hydra.model.AcceptLoginRequest
-import sh.ory.hydra.model.ConsentRequest
-import sh.ory.hydra.model.ConsentRequestSession
+import sh.ory.hydra.model.AcceptOAuth2ConsentRequest
+import sh.ory.hydra.model.AcceptOAuth2ConsentRequestSession
+import sh.ory.hydra.model.AcceptOAuth2LoginRequest
 import sh.ory.hydra.model.GenericError
-import sh.ory.hydra.model.LoginRequest
+import sh.ory.hydra.model.OAuth2ConsentRequest
+import sh.ory.hydra.model.OAuth2LoginRequest
+import sh.ory.hydra.model.RejectOAuth2Request
 import java.net.URI
 import java.net.http.HttpClient
 import java.net.http.HttpRequest
@@ -53,14 +54,14 @@ class HydraService(
         private const val HYDRA_ERROR_TECHNICAL_ERROR = "technical_error"
     }
 
-    fun getLoginRequest(challenge: String): LoginRequest = hydraClient.getLoginRequest(challenge)
+    fun getLoginRequest(challenge: String): OAuth2LoginRequest = hydraClient.getLoginRequest(challenge)
 
     @Transactional
     fun login(challenge: String, usernameOrEmail: String, password: String, ip: IpAddress): LoginResponse {
-        val loginRequest = hydraClient.getLoginRequest(challenge)
-        val lobbyRequested = loginRequest.requestedScope.contains(OAuthScope.LOBBY)
-        val lobbyDefault =
-            loginRequest.requestedScope.isEmpty() && loginRequest.client.scope?.contains(OAuthScope.LOBBY) ?: false
+        val loginRequest = getLoginRequest(challenge)
+        val lobbyRequested = loginRequest.requestedScope?.contains(OAuthScope.LOBBY) ?: false
+        val lobbyDefault = loginRequest.requestedScope.isNullOrEmpty() &&
+            loginRequest.client.scope?.contains(OAuthScope.LOBBY) ?: false
         val requiresGameOwnership = lobbyRequested || lobbyDefault
 
         return when (val loginResult = loginService.login(usernameOrEmail, password, ip, requiresGameOwnership)) {
@@ -69,7 +70,7 @@ class HydraService(
             is LoginResult.UserNoGameOwnership -> {
                 rejectLoginRequest(
                     challenge,
-                    GenericError(
+                    RejectOAuth2Request(
                         error = HYDRA_ERROR_NO_OWNERSHIP_VERIFICATION,
                         errorDescription = "You must prove game ownership to play",
                         statusCode = 403,
@@ -83,7 +84,7 @@ class HydraService(
                     "You are banned from FAF ${loginResult.expiresAt?.let { "until $it" } ?: "forever"}"
                 rejectLoginRequest(
                     challenge,
-                    GenericError(
+                    RejectOAuth2Request(
                         error = HYDRA_ERROR_USER_BANNED,
                         errorDescription = errorDescription,
                         statusCode = 403,
@@ -95,7 +96,7 @@ class HydraService(
             is LoginResult.TechnicalError -> {
                 rejectLoginRequest(
                     challenge,
-                    GenericError(
+                    RejectOAuth2Request(
                         error = HYDRA_ERROR_TECHNICAL_ERROR,
                         errorDescription = "Something went wrong while logging in. Please try again",
                         statusCode = 500,
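Review bot: `loginRequest.client.scope?.contains(OAuthScope.LOBBY)` decides `requiresGameOwnership` whenever no scope was requested, and if `scope` is the space-separated string of Hydra's client model (its type is not visible in this hunk) that is a substring test rather than a membership test, so a client whose scope list merely contains the lobby scope's text inside another scope name would also trigger the requirement. Splitting first, `loginRequest.client.scope?.split(" ")?.contains(OAuthScope.LOBBY) ?: false`, checks the actual scope token; `requestedScope` is already a list, so the `lobbyRequested` line is fine. The `?: false` binds to the `contains` call before `&&`, which is the intended reading, but a brief comment saying so would save the next reader a precedence lookup. `login` continues outside the hunk.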
@@ -107,17 +108,17 @@ class HydraService(
             is LoginResult.SuccessfulLogin -> {
                 val redirectResponse = hydraClient.acceptLoginRequest(
                     challenge,
-                    AcceptLoginRequest(subject = loginResult.userId.toString()),
+                    AcceptOAuth2LoginRequest(subject = loginResult.userId.toString()),
                 )
                 LoginResponse.SuccessfulLogin(RedirectTo(redirectResponse.redirectTo))
             }
         }
     }
 
-    fun rejectLoginRequest(challenge: String, error: GenericError) {
+    fun rejectLoginRequest(challenge: String, request: RejectOAuth2Request) {
         val redirectResponse = hydraClient.rejectLoginRequest(
             challenge,
-            GenericError(
+            RejectOAuth2Request(
                 error = HYDRA_ERROR_TECHNICAL_ERROR,
                 errorDescription = "Something went wrong while logging in. Please try again",
                 statusCode = 500,
@@ -129,7 +130,7 @@ class HydraService(
         )
     }
 
-    fun getConsentRequest(challenge: String): ConsentRequest = hydraClient.getConsentRequest(challenge)
+    fun getConsentRequest(challenge: String): OAuth2ConsentRequest = hydraClient.getConsentRequest(challenge)
 
     @Transactional
     fun acceptConsentRequest(challenge: String): RedirectTo {
@@ -155,8 +156,8 @@ class HydraService(
 
         val redirectResponse = hydraClient.acceptConsentRequest(
             challenge,
-            AcceptConsentRequest(
-                session = ConsentRequestSession(
+            AcceptOAuth2ConsentRequest(
+                session = AcceptOAuth2ConsentRequestSession(
                     accessToken = context,
                     idToken = context,
                 ),
diff --git a/src/main/kotlin/com/faforever/userservice/ui/view/oauth2/ConsentView.kt b/src/main/kotlin/com/faforever/userservice/ui/view/oauth2/ConsentView.kt
index fc1adba9..13a2e8cf 100644
--- a/src/main/kotlin/com/faforever/userservice/ui/view/oauth2/ConsentView.kt
+++ b/src/main/kotlin/com/faforever/userservice/ui/view/oauth2/ConsentView.kt
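Review bot: The `request` parameter of `rejectLoginRequest` is never used; the body builds a fresh `RejectOAuth2Request` with `HYDRA_ERROR_TECHNICAL_ERROR` and status 500, so the no-ownership and banned rejections constructed in the earlier hunks of this file reach Hydra as a generic technical error and the user never sees the ban reason or the 403. Renaming `error` to `request` carries this pre-existing defect forward rather than fixing it; passing the argument through, `val redirectResponse = hydraClient.rejectLoginRequest(challenge, request)`, in place of the inline constructor (whose closing lines are outside the hunk) resolves it. The function body continues past the end of the hunk.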
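Review bot: In the last hunk, `context` is placed in both `accessToken` and `idToken` of `AcceptOAuth2ConsentRequestSession`; the regenerated model's own field comments warn that access-token session data is readable by anyone who can call introspection and ID-token session data by anyone holding the ID token. `context` is built outside the hunk, so I cannot tell what it carries; it is worth confirming it holds only claims the OAuth2 clients are meant to see, and recording that on the call with `// session data ends up in tokens readable by clients and introspection callers; keep it to public claims`. `acceptConsentRequest` starts and ends outside the hunk.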
@@ -14,7 +14,7 @@ import com.vaadin.flow.component.orderedlayout.HorizontalLayout
 import com.vaadin.flow.router.BeforeEnterEvent
 import com.vaadin.flow.router.BeforeEnterObserver
 import com.vaadin.flow.router.Route
-import sh.ory.hydra.model.ConsentRequest
+import sh.ory.hydra.model.OAuth2ConsentRequest
 
 @Route("/oauth2/consent", layout = CardLayout::class)
 class ConsentView(
@@ -51,7 +51,7 @@ class ConsentView(
         add(socialIcons)
     }
 
-    private fun setDetailsFromRequest(consentRequest: ConsentRequest) {
+    private fun setDetailsFromRequest(consentRequest: OAuth2ConsentRequest) {
         consentRequest.client?.let { oAuthClientHeader.setClient(it) }
 
         if (consentRequest.requestedScope.isNullOrEmpty()) {
diff --git a/src/main/kotlin/sh/ory/hydra/model/AcceptConsentRequest.kt b/src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2ConsentRequest.kt
similarity index 73%
rename from src/main/kotlin/sh/ory/hydra/model/AcceptConsentRequest.kt
rename to src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2ConsentRequest.kt
index 733e9a85..b2db5554 100644
--- a/src/main/kotlin/sh/ory/hydra/model/AcceptConsentRequest.kt
+++ b/src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2ConsentRequest.kt
@@ -1,21 +1,26 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** * + * + * @param context * @param grantAccessTokenAudience * @param grantScope * @param handledAt 
@@ -24,20 +29,29 @@ import io.quarkus.runtime.annotations.RegisterForReflection * @param session */ -@RegisterForReflection -data class AcceptConsentRequest( +data class AcceptOAuth2ConsentRequest( + + @JsonProperty("context") + val context: kotlin.Any? = null, + @JsonProperty("grant_access_token_audience") val grantAccessTokenAudience: kotlin.collections.List? = null, + @JsonProperty("grant_scope") val grantScope: kotlin.collections.List? = null, + @JsonProperty("handled_at") val handledAt: java.time.OffsetDateTime? = null, + /* Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. */ @JsonProperty("remember") val remember: kotlin.Boolean? = null, + /* RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the authorization will be remembered indefinitely. */ @JsonProperty("remember_for") val rememberFor: kotlin.Long? = null, + @JsonProperty("session") - val session: ConsentRequestSession? = null, + val session: AcceptOAuth2ConsentRequestSession? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/ConsentRequestSession.kt b/src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2ConsentRequestSession.kt similarity index 77% rename from src/main/kotlin/sh/ory/hydra/model/ConsentRequestSession.kt rename to src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2ConsentRequestSession.kt index fb3ceee9..3fa4a139 100644 --- a/src/main/kotlin/sh/ory/hydra/model/ConsentRequestSession.kt +++ b/src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2ConsentRequestSession.kt 
@@ -1,31 +1,37 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** + * * * @param accessToken AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care! * @param idToken IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care! */ -@RegisterForReflection -data class ConsentRequestSession( +data class AcceptOAuth2ConsentRequestSession( + /* AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care! 
*/ @JsonProperty("access_token") val accessToken: kotlin.Any? = null, + /* IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care! */ @JsonProperty("id_token") val idToken: kotlin.Any? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/AcceptLoginRequest.kt b/src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2LoginRequest.kt similarity index 73% rename from src/main/kotlin/sh/ory/hydra/model/AcceptLoginRequest.kt rename to src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2LoginRequest.kt index c35985a5..e198f96a 100644 --- a/src/main/kotlin/sh/ory/hydra/model/AcceptLoginRequest.kt +++ b/src/main/kotlin/sh/ory/hydra/model/AcceptOAuth2LoginRequest.kt 
@@ -1,46 +1,70 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** + * * * @param subject Subject is the user ID of the end-user that authenticated. * @param acr ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. + * @param amr * @param context + * @param extendSessionLifespan Extend OAuth2 authentication session lifespan If set to `true`, the OAuth2 authentication cookie lifespan is extended. This is for example useful if you want the user to be able to use `prompt=none` continuously. This value can only be set to `true` if the user has an authentication, which is the case if the `skip` value is `true`. * @param forceSubjectIdentifier ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID refers to the (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID Connect specification. It allows you to set an obfuscated subject (\"user\") identifier that is unique to the client. Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. 
It does not change the sub claim in the OAuth 2.0 Introspection. Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's configuration). Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies that you have to compute this value on every authentication process (probably depending on the client ID or some other unique value). If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail. + * @param identityProviderSessionId IdentityProviderSessionID is the session ID of the end-user that authenticated. If specified, we will use this value to propagate the logout. * @param remember Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she will not be asked to log in again. * @param rememberFor RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the authorization will be remembered for the duration of the browser session (using a session cookie). */ -@RegisterForReflection -data class AcceptLoginRequest( +data class AcceptOAuth2LoginRequest( + /* Subject is the user ID of the end-user that authenticated. */ @JsonProperty("subject") val subject: kotlin.String, + /* ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. */ @JsonProperty("acr") val acr: kotlin.String? = null, + + @JsonProperty("amr") + val amr: kotlin.collections.List? 
= null, + @JsonProperty("context") val context: kotlin.Any? = null, + + /* Extend OAuth2 authentication session lifespan If set to `true`, the OAuth2 authentication cookie lifespan is extended. This is for example useful if you want the user to be able to use `prompt=none` continuously. This value can only be set to `true` if the user has an authentication, which is the case if the `skip` value is `true`. */ + @JsonProperty("extend_session_lifespan") + val extendSessionLifespan: kotlin.Boolean? = null, + /* ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID refers to the (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID Connect specification. It allows you to set an obfuscated subject (\"user\") identifier that is unique to the client. Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the sub claim in the OAuth 2.0 Introspection. Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's configuration). Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies that you have to compute this value on every authentication process (probably depending on the client ID or some other unique value). If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail. */ @JsonProperty("force_subject_identifier") val forceSubjectIdentifier: kotlin.String? = null, + + /* IdentityProviderSessionID is the session ID of the end-user that authenticated. If specified, we will use this value to propagate the logout. 
*/ + @JsonProperty("identity_provider_session_id") + val identityProviderSessionId: kotlin.String? = null, + /* Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she will not be asked to log in again. */ @JsonProperty("remember") val remember: kotlin.Boolean? = null, + /* RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the authorization will be remembered for the duration of the browser session (using a session cookie). */ @JsonProperty("remember_for") val rememberFor: kotlin.Long? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/ErrorOAuth2.kt b/src/main/kotlin/sh/ory/hydra/model/ErrorOAuth2.kt new file mode 100644 index 00000000..baf51104 --- /dev/null +++ b/src/main/kotlin/sh/ory/hydra/model/ErrorOAuth2.kt 
@@ -0,0 +1,52 @@ +/** + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + +package sh.ory.hydra.model + +import com.fasterxml.jackson.annotation.JsonProperty + +/** + * Error + * + * @param error Error + * @param errorDebug Error Debug Information Only available in dev mode. + * @param errorDescription Error Description + * @param errorHint Error Hint Helps the user identify the error cause. + * @param statusCode HTTP Status Code + */ + +data class ErrorOAuth2( + + /* Error */ + @JsonProperty("error") + val error: kotlin.String? = null, + + /* Error Debug Information Only available in dev mode. */ + @JsonProperty("error_debug") + val errorDebug: kotlin.String? = null, + + /* Error Description */ + @JsonProperty("error_description") + val errorDescription: kotlin.String? = null, + + /* Error Hint Helps the user identify the error cause. */ + @JsonProperty("error_hint") + val errorHint: kotlin.String? = null, + + /* HTTP Status Code */ + @JsonProperty("status_code") + val statusCode: kotlin.Long? = null, + +) diff --git a/src/main/kotlin/sh/ory/hydra/model/GenericError.kt b/src/main/kotlin/sh/ory/hydra/model/GenericError.kt index 0b3f116e..e65d886c 100644 --- a/src/main/kotlin/sh/ory/hydra/model/GenericError.kt +++ b/src/main/kotlin/sh/ory/hydra/model/GenericError.kt 
@@ -1,43 +1,67 @@ /** - * ORY Hydra - * Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. * - * The version of the OpenAPI document: latest + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. * - * - * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). - * https://openapi-generator.tech - * Do not edit the class manually. */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** - * Error responses are sent when an error (e.g. unauthorized, bad request, ...) occurred. - * @param error Name is the error name. - * @param errorDebug Debug contains debug information. This is usually not available and has to be enabled. - * @param errorDescription Description contains further information on the nature of the error. - * @param errorHint Hint to help resolve the error - * @param statusCode Code represents the error status code (404, 403, 401, ...). + * + * + * @param message Error message The error's message. + * @param code The status code + * @param debug Debug information This field is often not exposed to protect against leaking sensitive information. + * @param details Further error details + * @param id The error ID Useful when trying to identify various errors in application logic. + * @param reason A human-readable reason for the error + * @param request The request ID The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID. + * @param status The status description */ -@RegisterForReflection data class GenericError( - /* Name is the error name. 
*/ - @JsonProperty("error") - val error: kotlin.String, - /* Debug contains debug information. This is usually not available and has to be enabled. */ - @JsonProperty("error_debug") - val errorDebug: kotlin.String? = null, - // /* Description contains further information on the nature of the error. */ - @JsonProperty("error_description") - val errorDescription: kotlin.String? = null, - // /* Hint to help resolve the error - @JsonProperty("error_hint") - val errorHint: kotlin.String? = null, - // /* Code represents the error status code (404, 403, 401, ...). */ - @JsonProperty("status_code") - val statusCode: kotlin.Long? = null, + + /* Error message The error's message. */ + @JsonProperty("message") + val message: kotlin.String, + + /* The status code */ + @JsonProperty("code") + val code: kotlin.Long? = null, + + /* Debug information This field is often not exposed to protect against leaking sensitive information. */ + @JsonProperty("debug") + val debug: kotlin.String? = null, + + /* Further error details */ + @JsonProperty("details") + val details: kotlin.Any? = null, + + /* The error ID Useful when trying to identify various errors in application logic. */ + @JsonProperty("id") + val id: kotlin.String? = null, + + /* A human-readable reason for the error */ + @JsonProperty("reason") + val reason: kotlin.String? = null, + + /* The request ID The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID. */ + @JsonProperty("request") + val request: kotlin.String? = null, + + /* The status description */ + @JsonProperty("status") + val status: kotlin.String? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/OAuth2TokenIntrospection.kt b/src/main/kotlin/sh/ory/hydra/model/IntrospectedOAuth2Token.kt similarity index 90% rename from src/main/kotlin/sh/ory/hydra/model/OAuth2TokenIntrospection.kt rename to src/main/kotlin/sh/ory/hydra/model/IntrospectedOAuth2Token.kt index e947e0f8..dc84249a 100644 
--- a/src/main/kotlin/sh/ory/hydra/model/OAuth2TokenIntrospection.kt +++ b/src/main/kotlin/sh/ory/hydra/model/IntrospectedOAuth2Token.kt @@ -1,21 +1,25 @@ /** - * ORY Hydra - * Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. * - * The version of the OpenAPI document: latest + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. * - * - * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). - * https://openapi-generator.tech - * Do not edit the class manually. */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** - * https://tools.ietf.org/html/rfc7662 + * Introspection contains an access token's session data as specified by [IETF RFC 7662](https://tools.ietf.org/html/rfc7662) + * * @param active Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's \"active\" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a \"true\" value return for the \"active\" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). * @param aud Audience contains a list of the token's intended audiences. * @param clientId ID is aclient identifier for the OAuth 2.0 client that requested this token. 
@@ -32,48 +36,62 @@ import io.quarkus.runtime.annotations.RegisterForReflection * @param username Username is a human-readable identifier for the resource owner who authorized this token. */ -@RegisterForReflection -data class OAuth2TokenIntrospection( +data class IntrospectedOAuth2Token( + /* Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's \"active\" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a \"true\" value return for the \"active\" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). */ @JsonProperty("active") val active: kotlin.Boolean, + /* Audience contains a list of the token's intended audiences. */ @JsonProperty("aud") val aud: kotlin.collections.List? = null, + /* ID is aclient identifier for the OAuth 2.0 client that requested this token. */ @JsonProperty("client_id") val clientId: kotlin.String? = null, + /* Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire. */ @JsonProperty("exp") val exp: kotlin.Long? = null, + /* Extra is arbitrary data set by the session. */ @JsonProperty("ext") - val ext: kotlin.Any? = null, + val ext: kotlin.collections.Map? = null, + /* Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued. */ @JsonProperty("iat") val iat: kotlin.Long? = null, + /* IssuerURL is a string representing the issuer of this token */ @JsonProperty("iss") val iss: kotlin.String? 
= null, + /* NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before. */ @JsonProperty("nbf") val nbf: kotlin.Long? = null, + /* ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization. It is the `sub` value of the ID Token that was issued. */ @JsonProperty("obfuscated_subject") val obfuscatedSubject: kotlin.String? = null, + /* Scope is a JSON string containing a space-separated list of scopes associated with this token. */ @JsonProperty("scope") val scope: kotlin.String? = null, + /* Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token. */ @JsonProperty("sub") val sub: kotlin.String? = null, + /* TokenType is the introspected token's type, typically `Bearer`. */ @JsonProperty("token_type") val tokenType: kotlin.String? = null, + /* TokenUse is the introspected token's use, for example `access_token` or `refresh_token`. */ @JsonProperty("token_use") val tokenUse: kotlin.String? = null, + /* Username is a human-readable identifier for the resource owner who authorized this token. */ @JsonProperty("username") val username: kotlin.String? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/OAuth2Client.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2Client.kt index aa7524e9..acfa547a 100644 --- a/src/main/kotlin/sh/ory/hydra/model/OAuth2Client.kt +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2Client.kt 
@@ -1,145 +1,258 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** + * OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. * + * @param accessTokenStrategy OAuth 2.0 Access Token Strategy AccessTokenStrategy is the strategy used to generate access tokens. Valid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens Setting the stragegy here overrides the global setting in `strategies.access_token`. * @param allowedCorsOrigins * @param audience - * @param backchannelLogoutSessionRequired Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. - * @param backchannelLogoutUri RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. - * @param clientId ID is the id for this client. - * @param clientName Name is the human-readable string name of the client to be presented to the end-user during authorization. - * @param clientSecret Secret is the client's secret. 
The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. - * @param clientSecretExpiresAt SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0. - * @param clientUri ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. + * @param authorizationCodeGrantAccessTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param authorizationCodeGrantIdTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param authorizationCodeGrantRefreshTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param backchannelLogoutSessionRequired OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. + * @param backchannelLogoutUri OpenID Connect Back-Channel Logout URI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. + * @param clientCredentialsGrantAccessTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param clientId OAuth 2.0 Client ID The ID is immutable. If no ID is provided, a UUID4 will be generated. + * @param clientName OAuth 2.0 Client Name The human-readable name of the client to be presented to the end-user during authorization. 
+ * @param clientSecret OAuth 2.0 Client Secret The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost. + * @param clientSecretExpiresAt OAuth 2.0 Client Secret Expires At The field is currently not supported and its value is always 0. + * @param clientUri OAuth 2.0 Client URI ClientURI is a URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. * @param contacts - * @param createdAt CreatedAt returns the timestamp of the client's creation. - * @param frontchannelLogoutSessionRequired Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. - * @param frontchannelLogoutUri RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. + * @param createdAt OAuth 2.0 Client Creation Date CreatedAt returns the timestamp of the client's creation. + * @param frontchannelLogoutSessionRequired OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. + * @param frontchannelLogoutUri OpenID Connect Front-Channel Logout URI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. 
An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. * @param grantTypes - * @param jwks - * @param jwksUri URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. - * @param logoUri LogoURI is an URL string that references a logo for the client. + * @param implicitGrantAccessTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param implicitGrantIdTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param jwks OAuth 2.0 Client JSON Web Key Set Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. 
One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together. + * @param jwksUri OAuth 2.0 Client JSON Web Key Set URL URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. + * @param jwtBearerGrantAccessTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param logoUri OAuth 2.0 Client Logo URI A URL string referencing the client's logo. * @param metadata - * @param owner Owner is a string identifying the owner of the OAuth 2.0 Client. - * @param policyUri PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. + * @param owner OAuth 2.0 Client Owner Owner is a string identifying the owner of the OAuth 2.0 Client. + * @param policyUri OAuth 2.0 Client Policy URI PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. 
* @param postLogoutRedirectUris * @param redirectUris - * @param requestObjectSigningAlg JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. + * @param refreshTokenGrantAccessTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param refreshTokenGrantIdTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param refreshTokenGrantRefreshTokenLifespan Specify a time duration in milliseconds, seconds, minutes, hours. + * @param registrationAccessToken OpenID Connect Dynamic Client Registration Access Token RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client using Dynamic Client Registration. + * @param registrationClientUri OpenID Connect Dynamic Client Registration URL RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client. + * @param requestObjectSigningAlg OpenID Connect Request Object Signing Algorithm JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. * @param requestUris * @param responseTypes - * @param scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. - * @param sectorIdentifierUri URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. - * @param subjectType SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. 
- * @param tokenEndpointAuthMethod Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none. - * @param tokenEndpointAuthSigningAlg Requested Client Authentication signing algorithm for the Token Endpoint. - * @param tosUri TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. - * @param updatedAt UpdatedAt returns the timestamp of the last update. - * @param userinfoSignedResponseAlg JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. + * @param scope OAuth 2.0 Client Scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. + * @param sectorIdentifierUri OpenID Connect Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. + * @param skipConsent SkipConsent skips the consent screen for this client. This field can only be set from the admin API. + * @param skipLogoutConsent SkipLogoutConsent skips the logout consent screen for this client. This field can only be set from the admin API. + * @param subjectType OpenID Connect Subject Type The `subject_types_supported` Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. 
+ * @param tokenEndpointAuthMethod OAuth 2.0 Token Endpoint Authentication Method Requested Client Authentication method for the Token Endpoint. The options are: `client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header. `client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body. `private_key_jwt`: Use JSON Web Tokens to authenticate the client. `none`: Used for public clients (native apps, mobile apps) which can not have secrets. + * @param tokenEndpointAuthSigningAlg OAuth 2.0 Token Endpoint Signing Algorithm Requested Client Authentication signing algorithm for the Token Endpoint. + * @param tosUri OAuth 2.0 Client Terms of Service URI A URL string pointing to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. + * @param updatedAt OAuth 2.0 Client Last Update Date UpdatedAt returns the timestamp of the last update. + * @param userinfoSignedResponseAlg OpenID Connect Request Userinfo Signed Response Algorithm JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. */ -@RegisterForReflection data class OAuth2Client( + + /* OAuth 2.0 Access Token Strategy AccessTokenStrategy is the strategy used to generate access tokens. Valid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens Setting the stragegy here overrides the global setting in `strategies.access_token`. */ + @JsonProperty("access_token_strategy") + val accessTokenStrategy: kotlin.String? 
= null, + @JsonProperty("allowed_cors_origins") val allowedCorsOrigins: kotlin.collections.List? = null, + @JsonProperty("audience") val audience: kotlin.collections.List? = null, - /* Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. */ + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("authorization_code_grant_access_token_lifespan") + val authorizationCodeGrantAccessTokenLifespan: kotlin.String? = null, + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("authorization_code_grant_id_token_lifespan") + val authorizationCodeGrantIdTokenLifespan: kotlin.String? = null, + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("authorization_code_grant_refresh_token_lifespan") + val authorizationCodeGrantRefreshTokenLifespan: kotlin.String? = null, + + /* OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. */ @JsonProperty("backchannel_logout_session_required") val backchannelLogoutSessionRequired: kotlin.Boolean? = null, - /* RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. */ + + /* OpenID Connect Back-Channel Logout URI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. */ @JsonProperty("backchannel_logout_uri") val backchannelLogoutUri: kotlin.String? = null, - /* ID is the id for this client. */ + + /* Specify a time duration in milliseconds, seconds, minutes, hours. 
*/ + @JsonProperty("client_credentials_grant_access_token_lifespan") + val clientCredentialsGrantAccessTokenLifespan: kotlin.String? = null, + + /* OAuth 2.0 Client ID The ID is immutable. If no ID is provided, a UUID4 will be generated. */ @JsonProperty("client_id") val clientId: kotlin.String? = null, - /* Name is the human-readable string name of the client to be presented to the end-user during authorization. */ + + /* OAuth 2.0 Client Name The human-readable name of the client to be presented to the end-user during authorization. */ @JsonProperty("client_name") val clientName: kotlin.String? = null, - /* Secret is the client's secret. The secret will be included in the create request as cleartext, and then never again. The secret is stored using BCrypt so it is impossible to recover it. Tell your users that they need to write the secret down as it will not be made available again. */ + + /* OAuth 2.0 Client Secret The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost. */ @JsonProperty("client_secret") val clientSecret: kotlin.String? = null, - /* SecretExpiresAt is an integer holding the time at which the client secret will expire or 0 if it will not expire. The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration. This feature is currently not supported and it's value will always be set to 0. */ + + /* OAuth 2.0 Client Secret Expires At The field is currently not supported and its value is always 0. */ @JsonProperty("client_secret_expires_at") val clientSecretExpiresAt: kotlin.Long? = null, - /* ClientURI is an URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. */ + + /* OAuth 2.0 Client URI ClientURI is a URL string of a web page providing information about the client. 
If present, the server SHOULD display this URL to the end-user in a clickable fashion. */ @JsonProperty("client_uri") val clientUri: kotlin.String? = null, + @JsonProperty("contacts") val contacts: kotlin.collections.List? = null, - /* CreatedAt returns the timestamp of the client's creation. */ + + /* OAuth 2.0 Client Creation Date CreatedAt returns the timestamp of the client's creation. */ @JsonProperty("created_at") val createdAt: java.time.OffsetDateTime? = null, - /* Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. */ + + /* OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. */ @JsonProperty("frontchannel_logout_session_required") val frontchannelLogoutSessionRequired: kotlin.Boolean? = null, - /* RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. */ + + /* OpenID Connect Front-Channel Logout URI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. */ @JsonProperty("frontchannel_logout_uri") val frontchannelLogoutUri: kotlin.String? 
= null, + @JsonProperty("grant_types") val grantTypes: kotlin.collections.List? = null, + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("implicit_grant_access_token_lifespan") + val implicitGrantAccessTokenLifespan: kotlin.String? = null, + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("implicit_grant_id_token_lifespan") + val implicitGrantIdTokenLifespan: kotlin.String? = null, + + /* OAuth 2.0 Client JSON Web Key Set Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together. */ @JsonProperty("jwks") val jwks: kotlin.Any? = null, - /* URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. 
When used, the bare key values MUST still be present and MUST match those in the certificate. */ + + /* OAuth 2.0 Client JSON Web Key Set URL URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. */ @JsonProperty("jwks_uri") val jwksUri: kotlin.String? = null, - /* LogoURI is an URL string that references a logo for the client. */ + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("jwt_bearer_grant_access_token_lifespan") + val jwtBearerGrantAccessTokenLifespan: kotlin.String? = null, + + /* OAuth 2.0 Client Logo URI A URL string referencing the client's logo. */ @JsonProperty("logo_uri") val logoUri: kotlin.String? = null, + @JsonProperty("metadata") val metadata: kotlin.Any? = null, - /* Owner is a string identifying the owner of the OAuth 2.0 Client. */ + + /* OAuth 2.0 Client Owner Owner is a string identifying the owner of the OAuth 2.0 Client. */ @JsonProperty("owner") val owner: kotlin.String? = null, - /* PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. 
*/ + + /* OAuth 2.0 Client Policy URI PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. */ @JsonProperty("policy_uri") val policyUri: kotlin.String? = null, + @JsonProperty("post_logout_redirect_uris") val postLogoutRedirectUris: kotlin.collections.List? = null, + @JsonProperty("redirect_uris") val redirectUris: kotlin.collections.List? = null, - /* JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. */ + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("refresh_token_grant_access_token_lifespan") + val refreshTokenGrantAccessTokenLifespan: kotlin.String? = null, + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("refresh_token_grant_id_token_lifespan") + val refreshTokenGrantIdTokenLifespan: kotlin.String? = null, + + /* Specify a time duration in milliseconds, seconds, minutes, hours. */ + @JsonProperty("refresh_token_grant_refresh_token_lifespan") + val refreshTokenGrantRefreshTokenLifespan: kotlin.String? = null, + + /* OpenID Connect Dynamic Client Registration Access Token RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client using Dynamic Client Registration. */ + @JsonProperty("registration_access_token") + val registrationAccessToken: kotlin.String? = null, + + /* OpenID Connect Dynamic Client Registration URL RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client. */ + @JsonProperty("registration_client_uri") + val registrationClientUri: kotlin.String? = null, + + /* OpenID Connect Request Object Signing Algorithm JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. 
All Request Objects from this Client MUST be rejected, if not signed with this algorithm. */ @JsonProperty("request_object_signing_alg") val requestObjectSigningAlg: kotlin.String? = null, + @JsonProperty("request_uris") val requestUris: kotlin.collections.List? = null, + @JsonProperty("response_types") val responseTypes: kotlin.collections.List? = null, - /* Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. */ + + /* OAuth 2.0 Client Scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. */ @JsonProperty("scope") val scope: kotlin.String? = null, - /* URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. */ + + /* OpenID Connect Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. */ @JsonProperty("sector_identifier_uri") val sectorIdentifierUri: kotlin.String? = null, - /* SubjectType requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. */ + + /* SkipConsent skips the consent screen for this client. This field can only be set from the admin API. */ + @JsonProperty("skip_consent") + val skipConsent: kotlin.Boolean? = null, + + /* SkipLogoutConsent skips the logout consent screen for this client. This field can only be set from the admin API. */ + @JsonProperty("skip_logout_consent") + val skipLogoutConsent: kotlin.Boolean? 
= null, + + /* OpenID Connect Subject Type The `subject_types_supported` Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. */ @JsonProperty("subject_type") val subjectType: kotlin.String? = null, - /* Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, private_key_jwt, and none. */ + + /* OAuth 2.0 Token Endpoint Authentication Method Requested Client Authentication method for the Token Endpoint. The options are: `client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header. `client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body. `private_key_jwt`: Use JSON Web Tokens to authenticate the client. `none`: Used for public clients (native apps, mobile apps) which can not have secrets. */ @JsonProperty("token_endpoint_auth_method") - val tokenEndpointAuthMethod: kotlin.String? = null, - /* Requested Client Authentication signing algorithm for the Token Endpoint. */ + val tokenEndpointAuthMethod: kotlin.String? = "client_secret_basic", + + /* OAuth 2.0 Token Endpoint Signing Algorithm Requested Client Authentication signing algorithm for the Token Endpoint. */ @JsonProperty("token_endpoint_auth_signing_alg") val tokenEndpointAuthSigningAlg: kotlin.String? = null, - /* TermsOfServiceURI is a URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. */ + + /* OAuth 2.0 Client Terms of Service URI A URL string pointing to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. 
*/ @JsonProperty("tos_uri") val tosUri: kotlin.String? = null, - /* UpdatedAt returns the timestamp of the last update. */ + + /* OAuth 2.0 Client Last Update Date UpdatedAt returns the timestamp of the last update. */ @JsonProperty("updated_at") val updatedAt: java.time.OffsetDateTime? = null, - /* JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. */ + + /* OpenID Connect Request Userinfo Signed Response Algorithm JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. */ @JsonProperty("userinfo_signed_response_alg") val userinfoSignedResponseAlg: kotlin.String? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/ConsentRequest.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentRequest.kt similarity index 90% rename from src/main/kotlin/sh/ory/hydra/model/ConsentRequest.kt rename to src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentRequest.kt index 4dc53456..ab86d6e6 100644 --- a/src/main/kotlin/sh/ory/hydra/model/ConsentRequest.kt +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentRequest.kt 
@@ -1,23 +1,28 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** + * * * @param challenge ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. * @param acr ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. + * @param amr * @param client * @param context * @param loginChallenge LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. 
@@ -30,37 +35,52 @@ import io.quarkus.runtime.annotations.RegisterForReflection * @param subject Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. */ -@RegisterForReflection -data class ConsentRequest( +data class OAuth2ConsentRequest( + /* ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. */ @JsonProperty("challenge") val challenge: kotlin.String, + /* ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. */ @JsonProperty("acr") val acr: kotlin.String? = null, + + @JsonProperty("amr") + val amr: kotlin.collections.List? = null, + @JsonProperty("client") val client: OAuth2Client? = null, + @JsonProperty("context") val context: kotlin.Any? = null, + /* LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. */ @JsonProperty("login_challenge") val loginChallenge: kotlin.String? = null, + /* LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. */ @JsonProperty("login_session_id") val loginSessionId: kotlin.String? = null, + @JsonProperty("oidc_context") - val oidcContext: OpenIDConnectContext? = null, + val oidcContext: OAuth2ConsentRequestOpenIDConnectContext? 
= null, + /* RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. */ @JsonProperty("request_url") val requestUrl: kotlin.String? = null, + @JsonProperty("requested_access_token_audience") val requestedAccessTokenAudience: kotlin.collections.List? = null, + @JsonProperty("requested_scope") val requestedScope: kotlin.collections.List? = null, + /* Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the consent request using the usual API call. */ @JsonProperty("skip") val skip: kotlin.Boolean? = null, + /* Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. */ @JsonProperty("subject") val subject: kotlin.String? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/OpenIDConnectContext.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentRequestOpenIDConnectContext.kt similarity index 92% rename from src/main/kotlin/sh/ory/hydra/model/OpenIDConnectContext.kt rename to src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentRequestOpenIDConnectContext.kt index 2c114856..c8b47910 100644 --- a/src/main/kotlin/sh/ory/hydra/model/OpenIDConnectContext.kt +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentRequestOpenIDConnectContext.kt 
@@ -1,20 +1,24 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** + * * * @param acrValues ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. * @param display Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. 
popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display. 
@@ -23,21 +27,26 @@ import io.quarkus.runtime.annotations.RegisterForReflection * @param uiLocales UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. */ -@RegisterForReflection -data class OpenIDConnectContext( +data class OAuth2ConsentRequestOpenIDConnectContext( + /* ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. */ @JsonProperty("acr_values") val acrValues: kotlin.collections.List? = null, + /* Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. 
popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display. */ @JsonProperty("display") val display: kotlin.String? = null, + /* IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. */ @JsonProperty("id_token_hint_claims") - val idTokenHintClaims: kotlin.Any? = null, + val idTokenHintClaims: kotlin.collections.Map? = null, + /* LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional. */ @JsonProperty("login_hint") val loginHint: kotlin.String? = null, + /* UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). 
An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. */ @JsonProperty("ui_locales") val uiLocales: kotlin.collections.List? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentSession.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentSession.kt new file mode 100644 index 00000000..1f45d90d --- /dev/null +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentSession.kt 
@@ -0,0 +1,65 @@ +/** + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + +package sh.ory.hydra.model + +import com.fasterxml.jackson.annotation.JsonProperty + +/** + * A completed OAuth 2.0 Consent Session. + * + * @param consentRequest + * @param context + * @param expiresAt + * @param grantAccessTokenAudience + * @param grantScope + * @param handledAt + * @param remember Remember Consent Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. + * @param rememberFor Remember Consent For RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the authorization will be remembered indefinitely. + * @param session + */ + +data class OAuth2ConsentSession( + + @JsonProperty("consent_request") + val consentRequest: OAuth2ConsentRequest? = null, + + @JsonProperty("context") + val context: kotlin.Any? = null, + + @JsonProperty("expires_at") + val expiresAt: OAuth2ConsentSessionExpiresAt? = null, + + @JsonProperty("grant_access_token_audience") + val grantAccessTokenAudience: kotlin.collections.List? = null, + + @JsonProperty("grant_scope") + val grantScope: kotlin.collections.List? = null, + + @JsonProperty("handled_at") + val handledAt: java.time.OffsetDateTime? = null, + + /* Remember Consent Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. */ + @JsonProperty("remember") + val remember: kotlin.Boolean? = null, + + /* Remember Consent For RememberFor sets how long the consent authorization should be remembered for in seconds. 
If set to `0`, the authorization will be remembered indefinitely. */ + @JsonProperty("remember_for") + val rememberFor: kotlin.Long? = null, + + @JsonProperty("session") + val session: AcceptOAuth2ConsentRequestSession? = null, + +) diff --git a/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentSessionExpiresAt.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentSessionExpiresAt.kt new file mode 100644 index 00000000..265a6868 --- /dev/null +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2ConsentSessionExpiresAt.kt @@ -0,0 +1,47 @@ +/** + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + +package sh.ory.hydra.model + +import com.fasterxml.jackson.annotation.JsonProperty + +/** + * + * + * @param accessToken + * @param authorizeCode + * @param idToken + * @param parContext + * @param refreshToken + */ + +data class OAuth2ConsentSessionExpiresAt( + + @JsonProperty("access_token") + val accessToken: java.time.OffsetDateTime? = null, + + @JsonProperty("authorize_code") + val authorizeCode: java.time.OffsetDateTime? = null, + + @JsonProperty("id_token") + val idToken: java.time.OffsetDateTime? = null, + + @JsonProperty("par_context") + val parContext: java.time.OffsetDateTime? = null, + + @JsonProperty("refresh_token") + val refreshToken: java.time.OffsetDateTime? = null, + +) diff --git a/src/main/kotlin/sh/ory/hydra/model/LoginRequest.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2LoginRequest.kt similarity index 86% rename from src/main/kotlin/sh/ory/hydra/model/LoginRequest.kt rename to src/main/kotlin/sh/ory/hydra/model/OAuth2LoginRequest.kt index 1b7ba32e..d922dc7f 100644 --- a/src/main/kotlin/sh/ory/hydra/model/LoginRequest.kt +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2LoginRequest.kt 
@@ -1,55 +1,68 @@ /** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* -* -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + package sh.ory.hydra.model import com.fasterxml.jackson.annotation.JsonProperty -import io.quarkus.runtime.annotations.RegisterForReflection /** + * * * @param challenge ID is the identifier (\"login challenge\") of the login request. It is used to identify the session. * @param client * @param requestUrl RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. - * @param requestedAccessTokenAudience - * @param requestedScope * @param skip Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. * @param subject Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. 
* @param oidcContext + * @param requestedAccessTokenAudience + * @param requestedScope * @param sessionId SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. */ -@RegisterForReflection -data class LoginRequest( +data class OAuth2LoginRequest( + /* ID is the identifier (\"login challenge\") of the login request. It is used to identify the session. */ @JsonProperty("challenge") val challenge: kotlin.String, + @JsonProperty("client") val client: OAuth2Client, + /* RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. */ @JsonProperty("request_url") val requestUrl: kotlin.String, - @JsonProperty("requested_access_token_audience") - val requestedAccessTokenAudience: kotlin.collections.List, - @JsonProperty("requested_scope") - val requestedScope: kotlin.collections.List, + /* Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. */ @JsonProperty("skip") val skip: kotlin.Boolean, + /* Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. 
If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. */ @JsonProperty("subject") val subject: kotlin.String, + @JsonProperty("oidc_context") - val oidcContext: OpenIDConnectContext? = null, + val oidcContext: OAuth2ConsentRequestOpenIDConnectContext? = null, + + @JsonProperty("requested_access_token_audience") + val requestedAccessTokenAudience: kotlin.collections.List? = null, + + @JsonProperty("requested_scope") + val requestedScope: kotlin.collections.List? = null, + /* SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. */ @JsonProperty("session_id") val sessionId: kotlin.String? = null, + ) diff --git a/src/main/kotlin/sh/ory/hydra/model/OAuth2LogoutRequest.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2LogoutRequest.kt new file mode 100644 index 00000000..81b71b9e --- /dev/null +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2LogoutRequest.kt 
@@ -0,0 +1,56 @@ +/** + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + +package sh.ory.hydra.model + +import com.fasterxml.jackson.annotation.JsonProperty + +/** + * + * + * @param challenge Challenge is the identifier (\"logout challenge\") of the logout authentication request. It is used to identify the session. + * @param client + * @param requestUrl RequestURL is the original Logout URL requested. + * @param rpInitiated RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client. + * @param sid SessionID is the login session ID that was requested to log out. + * @param subject Subject is the user for whom the logout was request. + */ + +data class OAuth2LogoutRequest( + + /* Challenge is the identifier (\"logout challenge\") of the logout authentication request. It is used to identify the session. */ + @JsonProperty("challenge") + val challenge: kotlin.String? = null, + + @JsonProperty("client") + val client: OAuth2Client? = null, + + /* RequestURL is the original Logout URL requested. */ + @JsonProperty("request_url") + val requestUrl: kotlin.String? = null, + + /* RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client. */ + @JsonProperty("rp_initiated") + val rpInitiated: kotlin.Boolean? = null, + + /* SessionID is the login session ID that was requested to log out. */ + @JsonProperty("sid") + val sid: kotlin.String? = null, + + /* Subject is the user for whom the logout was request. */ + @JsonProperty("subject") + val subject: kotlin.String? = null, + +) diff --git a/src/main/kotlin/sh/ory/hydra/model/OAuth2RedirectTo.kt b/src/main/kotlin/sh/ory/hydra/model/OAuth2RedirectTo.kt new file mode 100644 index 00000000..15a173b9 
--- /dev/null +++ b/src/main/kotlin/sh/ory/hydra/model/OAuth2RedirectTo.kt @@ -0,0 +1,32 @@ +/** + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + +package sh.ory.hydra.model + +import com.fasterxml.jackson.annotation.JsonProperty + +/** + * Contains a redirect URL used to complete a login, consent, or logout request. + * + * @param redirectTo RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed. + */ + +data class OAuth2RedirectTo( + + /* RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed. */ + @JsonProperty("redirect_to") + val redirectTo: kotlin.String, + +) diff --git a/src/main/kotlin/sh/ory/hydra/model/RejectOAuth2Request.kt b/src/main/kotlin/sh/ory/hydra/model/RejectOAuth2Request.kt new file mode 100644 index 00000000..c22f9800 --- /dev/null +++ b/src/main/kotlin/sh/ory/hydra/model/RejectOAuth2Request.kt 
@@ -0,0 +1,52 @@ +/** + * + * Please note: + * This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * Do not edit this file manually. + * + */ + +@file:Suppress( + "ArrayInDataClass", + "EnumEntryName", + "RemoveRedundantQualifierName", + "UnusedImport", +) + +package sh.ory.hydra.model + +import com.fasterxml.jackson.annotation.JsonProperty + +/** + * + * + * @param error The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`). Defaults to `request_denied`. + * @param errorDebug Debug contains information to help resolve the problem as a developer. Usually not exposed to the public but only in the server logs. + * @param errorDescription Description of the error in a human readable format. + * @param errorHint Hint to help resolve the error. + * @param statusCode Represents the HTTP status code of the error (e.g. 401 or 403) Defaults to 400 + */ + +data class RejectOAuth2Request( + + /* The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`). Defaults to `request_denied`. */ + @JsonProperty("error") + val error: kotlin.String? = null, + + /* Debug contains information to help resolve the problem as a developer. Usually not exposed to the public but only in the server logs. */ + @JsonProperty("error_debug") + val errorDebug: kotlin.String? = null, + + /* Description of the error in a human readable format. */ + @JsonProperty("error_description") + val errorDescription: kotlin.String? = null, + + /* Hint to help resolve the error. */ + @JsonProperty("error_hint") + val errorHint: kotlin.String? = null, + + /* Represents the HTTP status code of the error (e.g. 401 or 403) Defaults to 400 */ + @JsonProperty("status_code") + val statusCode: kotlin.Long? = null, + +) diff --git a/src/main/kotlin/sh/ory/hydra/model/RequestWasHandledResponse.kt b/src/main/kotlin/sh/ory/hydra/model/RequestWasHandledResponse.kt deleted file mode 100644 index 2184af86..00000000 
--- a/src/main/kotlin/sh/ory/hydra/model/RequestWasHandledResponse.kt +++ /dev/null @@ -1,23 +0,0 @@ -/** -* ORY Hydra -* Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here. -* -* The version of the OpenAPI document: latest -* * -* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). -* https://openapi-generator.tech -* Do not edit the class manually. -*/ -package sh.ory.hydra.model - -import com.fasterxml.jackson.annotation.JsonProperty - -/** - * * @param redirectTo Original request URL to which you should redirect the user if request was already handled. - */ - -data class RequestWasHandledResponse( - /* Original request URL to which you should redirect the user if request was already handled. */ - @JsonProperty("redirect_to") - val redirectTo: kotlin.String, -) diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml index fa33e882..0c1f474f 100644 --- a/src/main/resources/application.yaml +++ b/src/main/resources/application.yaml @@ -110,7 +110,7 @@ quarkus: mp: jwt: verify: - issuer: ${HYDRA_TOKEN_ISSUER:http://faf-ory-hydra:4444/} + issuer: ${HYDRA_TOKEN_ISSUER:http://faf-ory-hydra:4444} key-format: JWKS publickey: location: ${HYDRA_JWKS_URL:http://localhost:4444/.well-known/jwks.json} \ No newline at end of file diff --git a/src/test/kotlin/com/faforever/userservice/backend/hydra/HydraServiceTest.kt b/src/test/kotlin/com/faforever/userservice/backend/hydra/HydraServiceTest.kt index 29fbf87b..8fc210aa 100644 --- a/src/test/kotlin/com/faforever/userservice/backend/hydra/HydraServiceTest.kt +++ b/src/test/kotlin/com/faforever/userservice/backend/hydra/HydraServiceTest.kt 
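Review bot: The `mp.jwt.verify.issuer` default now ends without a trailing slash, and MicroProfile JWT compares this value against the token's `iss` claim as an exact string, so verification only succeeds if the running Hydra emits exactly `http://faf-ory-hydra:4444`; if the deployment's `urls.self.issuer` still carries a trailing slash, every token is rejected with an issuer mismatch. The change is presumably driven by the Hydra v2 upgrade in this commit, but the correct value lives in the Hydra deployment rather than in this repository, so pin the contract next to the key: `# must equal the iss claim emitted by Hydra (urls.self.issuer) byte-for-byte`. Also worth noting, though pre-existing, that the `HYDRA_TOKEN_ISSUER` default names the `faf-ory-hydra` host while the `HYDRA_JWKS_URL` default on the context line below names `localhost`, so the two defaults describe different servers.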
@@ -17,8 +17,9 @@ import org.mockito.kotlin.any import org.mockito.kotlin.eq import org.mockito.kotlin.verify import org.mockito.kotlin.whenever -import sh.ory.hydra.model.LoginRequest import sh.ory.hydra.model.OAuth2Client +import sh.ory.hydra.model.OAuth2LoginRequest +import sh.ory.hydra.model.OAuth2RedirectTo import java.net.http.HttpClient import java.net.http.HttpResponse.BodyHandler import java.time.OffsetDateTime @@ -27,12 +28,13 @@ import java.time.OffsetDateTime class HydraServiceTest { companion object { val ipAddress = IpAddress("127.0.0.1") - val loginRequest = LoginRequest("", OAuth2Client(), "", listOf(), listOf(), false, "1") - val lobbyLoginRequest = LoginRequest("", OAuth2Client(), "", listOf(), listOf(OAuthScope.LOBBY), false, "1") + val loginRequest = OAuth2LoginRequest("", OAuth2Client(), "", false, "1") + val lobbyLoginRequest = + OAuth2LoginRequest("", OAuth2Client(), "", false, "1", null, null, listOf(OAuthScope.LOBBY)) val implicitLobbyLoginRequest = - LoginRequest("", OAuth2Client(scope = OAuthScope.LOBBY), "", listOf(), listOf(), false, "1") + OAuth2LoginRequest("", OAuth2Client(scope = OAuthScope.LOBBY), "", false, "1") val noLobbyLoginRequest = - LoginRequest("", OAuth2Client(scope = OAuthScope.LOBBY), "", listOf(), listOf("test"), false, "1") + OAuth2LoginRequest("", OAuth2Client(scope = OAuthScope.LOBBY), "", false, "1", null, null, listOf("test")) } @Inject @@ -89,7 +91,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.UserNoGameOwnership, ) - whenever(hydraClient.rejectLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.rejectLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) val response = hydraService.login("test", "", "", ipAddress) 
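Review bot: The new `OAuth2LoginRequest` fixtures in the companion object pass eight positional arguments with `null, null` placeholders just to reach `requestedScope`, which is exactly the shape this commit shows to be fragile: the generated constructor moved `requestedAccessTokenAudience` and `requestedScope` from mandatory positions 4–5 to optional positions 7–8, and a positional call only fails loudly when the types happen not to line up. Named arguments make the fixture independent of the generator's ordering and read as the scenario they describe: `OAuth2LoginRequest(challenge = "", client = OAuth2Client(), requestUrl = "", skip = false, subject = "1", requestedScope = listOf(OAuthScope.LOBBY))`, and likewise for `noLobbyLoginRequest` with `listOf("test")`. Note also that `loginRequest` and `implicitLobbyLoginRequest` now leave `requestedScope` as `null` where the old fixtures used `listOf()`; how the service treats a null scope list is decided in HydraService outside this diff, so a fixture covering the empty-list case would keep both paths exercised.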
@@ -108,7 +110,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.UserBanned("", OffsetDateTime.MAX), ) - whenever(hydraClient.rejectLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.rejectLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) val response = hydraService.login("test", "", "", ipAddress) @@ -125,7 +127,7 @@ class HydraServiceTest { fun testTechnicalError() { whenever(hydraClient.getLoginRequest(any())).thenReturn(loginRequest) whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn(LoginResult.TechnicalError) - whenever(hydraClient.rejectLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.rejectLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) val response = hydraService.login("test", "", "", ipAddress) @@ -144,7 +146,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.SuccessfulLogin(1, "test"), ) - whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) val response = hydraService.login("test", "", "", ipAddress) @@ -157,7 +159,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.SuccessfulLogin(1, ""), ) - whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) hydraService.login("test", "", "", ipAddress) 
@@ -170,7 +172,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.SuccessfulLogin(1, ""), ) - whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) hydraService.login("test", "", "", ipAddress) @@ -183,7 +185,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.SuccessfulLogin(1, ""), ) - whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) hydraService.login("test", "", "", ipAddress) @@ -196,7 +198,7 @@ class HydraServiceTest { whenever(loginService.login(any(), any(), IpAddress(anyString()), any())).thenReturn( LoginResult.SuccessfulLogin(1, ""), ) - whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(RedirectResponse("http://localhost")) + whenever(hydraClient.acceptLoginRequest(anyString(), any())).thenReturn(OAuth2RedirectTo("http://localhost")) hydraService.login("test", "", "", ipAddress)