x

package
v2.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Feb 12, 2024 License: Apache-2.0 Imports: 42 Imported by: 0

Documentation

Overview

ORY Hydra

Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here.

Schemes: http, https
Host:
BasePath: /
Version: latest

Consumes:
- application/json
- application/x-www-form-urlencoded

Produces:
- application/json

SecurityDefinitions:
oauth2:
    type: oauth2
    authorizationUrl: https://hydra.demo.ory.sh/oauth2/auth
    tokenUrl: https://hydra.demo.ory.sh/oauth2/token
    flow: accessCode
    scopes:
      offline: "A scope required when requesting refresh tokens (alias for `offline_access`)"
      offline_access: "A scope required when requesting refresh tokens"
      openid: "Request an OpenID Connect ID Token"
basic:
    type: basic
bearer:
    type: basic

Extensions:
---
x-request-id: string
x-forwarded-proto: string
---

swagger:meta

Index

Constants

// Key name constants used by Hydra.
// NOTE(review): the values suggest these name the key sets for OpenID Connect
// ID tokens and OAuth2 JWT access tokens respectively; confirm against callers.
const (
	OpenIDConnectKeyName = "hydra.openid.id-token"
	OAuth2JWTKeyName     = "hydra.jwt.access-token"
)
// HashAlgorithm values declared by this package.
// NOTE(review): presumably these select the algorithm used by Hasher; confirm
// where the value is read from configuration.
const (
	// HashAlgorithmBCrypt is the HashAlgorithm value "bcrypt".
	HashAlgorithmBCrypt = HashAlgorithm("bcrypt")
	// HashAlgorithmPBKDF2 is the HashAlgorithm value "pbkdf2".
	HashAlgorithmPBKDF2 = HashAlgorithm("pbkdf2")
)

Variables

// Package-level error values expressed as *fosite.RFC6749Error.
// Both are shared pointers: a caller that mutates one changes it for every
// other user of the package.
var (
	// ErrNotFound carries HTTP status 404 in CodeField and the matching
	// status text in ErrorField.
	ErrNotFound = &fosite.RFC6749Error{
		CodeField:        http.StatusNotFound,
		ErrorField:       http.StatusText(http.StatusNotFound),
		DescriptionField: "Unable to locate the requested resource",
	}
	// ErrConflict carries HTTP status 409 in CodeField and the matching
	// status text in ErrorField.
	ErrConflict = &fosite.RFC6749Error{
		CodeField:        http.StatusConflict,
		ErrorField:       http.StatusText(http.StatusConflict),
		DescriptionField: "Unable to process the requested resource because of conflict in the current state",
	}
)

Functions

func BasicAuth

func BasicAuth(username, password string) string

func BytesToInt added in v2.2.0

func BytesToInt(b []byte) (int64, error)

BytesToInt converts a byte slice to an int64. It is the inverse of IntToBytes.

func CleanSQLPop

func CleanSQLPop(t *testing.T, c *pop.Connection)

func DecodeSegment

func DecodeSegment(seg string) ([]byte, error)

DecodeSegment decodes the JWT-specific base64url encoding, which has its padding stripped.

func DeleteHydraRows

func DeleteHydraRows(t *testing.T, c *pop.Connection)

func ErrorEnhancer

func ErrorEnhancer(r *http.Request, err error) interface{}

func FositeStore

func FositeStore() *storage.MemoryStore

func GenerateSecret

func GenerateSecret(length int) ([]byte, error)

func HashByteSecret

func HashByteSecret(secret []byte) []byte

HashByteSecret hashes the secret for consumption by the AEAD encryption algorithm which expects exactly 32 bytes.

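The system secret is hashed so that it always yields exactly the 32 bytes required by AEAD, even if the secret is longer or shorter than that. Hashing only normalizes the length; it does not add entropy, so a short or guessable secret remains weak.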

func HashStringSecret

func HashStringSecret(secret string) []byte

HashStringSecret hashes the secret for consumption by the AEAD encryption algorithm which expects exactly 32 bytes.

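The system secret is hashed so that it always yields exactly the 32 bytes required by AEAD, even if the secret is longer or shorter than that. Hashing only normalizes the length; it does not add entropy, so a short or guessable secret remains weak.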

func IntToBytes added in v2.2.0

func IntToBytes(i int64) []byte

IntToBytes converts an int64 to a byte slice. It is the inverse of BytesToInt.

func IsRedirectURISecure

func IsRedirectURISecure(rc redirectConfiguration) func(context.Context, *url.URL) bool

func LogAudit

func LogAudit(r *http.Request, message interface{}, logger *logrusx.Logger)

func LogError

func LogError(r *http.Request, err error, logger *logrusx.Logger)

func MatchesRange

func MatchesRange(r *http.Request, ranges []string) error

func Must added in v2.2.0

func Must[T any](t T, err error) T

func NewRouterAdmin

func NewRouterAdmin(f func(context.Context) *url.URL) *httprouterx.RouterAdmin

func NewRouterPublic

func NewRouterPublic() *httprouterx.RouterPublic

func PaginationHeader

func PaginationHeader(w http.ResponseWriter, u *url.URL, total int64, page, itemsPerPage int)

func ParsePagination

func ParsePagination(r *http.Request) (page, itemsPerPage int)

ParsePagination parses limit and page from *http.Request with given limits and defaults.

func RejectInsecureRequests

func RejectInsecureRequests(reg tlsRegistry, c tlsConfig) negroni.HandlerFunc

Types

type ClientAuthenticator

// ClientAuthenticator is the interface for authenticating an OAuth2 client.
type ClientAuthenticator interface {
	// AuthenticateClient receives the HTTP request and its form values and
	// returns a fosite.Client or an error.
	// NOTE(review): which client authentication methods are accepted is not
	// visible from this declaration; confirm against the implementation.
	AuthenticateClient(ctx context.Context, r *http.Request, form url.Values) (fosite.Client, error)
}

type ClientAuthenticatorProvider

// ClientAuthenticatorProvider is implemented by types that can supply a
// ClientAuthenticator.
type ClientAuthenticatorProvider interface {
	// ClientAuthenticator returns the ClientAuthenticator to use.
	ClientAuthenticator() ClientAuthenticator
}

type CookieConfigProvider

// CookieConfigProvider exposes cookie-related settings, each looked up with a
// context.
// NOTE(review): the cookie attribute each method controls is inferred from its
// name and return type; confirm against the implementation. These settings
// decide the Secure and SameSite protection of cookies, so production values
// deserve review.
type CookieConfigProvider interface {
	// CookieDomain returns a string, presumably the cookie Domain attribute.
	CookieDomain(ctx context.Context) string
	// IsDevelopmentMode reports a bool, presumably whether development mode
	// is enabled.
	IsDevelopmentMode(ctx context.Context) bool
	// CookieSameSiteMode returns the http.SameSite value to use.
	CookieSameSiteMode(ctx context.Context) http.SameSite
	// CookieSameSiteLegacyWorkaround reports a bool, presumably whether a
	// compatibility workaround for SameSite handling is enabled.
	CookieSameSiteLegacyWorkaround(ctx context.Context) bool
	// CookieSecure reports a bool, presumably whether cookies carry the
	// Secure attribute.
	CookieSecure(ctx context.Context) bool
}

type Duration

// Duration is a named type with underlying type time.Duration. It declares its
// own MarshalJSON and UnmarshalJSON methods.
type Duration time.Duration

func (Duration) MarshalJSON

func (ns Duration) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of ns.

func (*Duration) UnmarshalJSON

func (ns *Duration) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes the JSON in data into *ns.

type FositeStorer

// FositeStorer combines the fosite storage interfaces embedded below with
// Hydra-specific methods for revoking, flushing and deleting stored tokens and
// requests.
type FositeStorer interface {
	fosite.Storage
	oauth2.CoreStorage
	openid.OpenIDConnectRequestStorage
	pkce.PKCERequestStorage
	rfc7523.RFC7523KeyStorage
	verifiable.NonceManager
	oauth2.ResourceOwnerPasswordCredentialsGrantStorage

	// RevokeRefreshToken takes a request ID.
	// NOTE(review): presumably revokes the refresh token(s) tied to that
	// request; confirm against the implementation.
	RevokeRefreshToken(ctx context.Context, requestID string) error

	// RevokeAccessToken takes a request ID.
	// NOTE(review): presumably revokes the access token(s) tied to that
	// request; confirm against the implementation.
	RevokeAccessToken(ctx context.Context, requestID string) error

	// FlushInactiveAccessTokens flushes the access token requests from the database.
	// No data will be deleted after the 'notAfter' timeframe.
	FlushInactiveAccessTokens(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

	// FlushInactiveLoginConsentRequests flushes the login requests from the database.
	// This will address the database long-term growth issues discussed in https://github.com/ory/hydra/issues/1574.
	// No data will be deleted after the 'notAfter' timeframe.
	FlushInactiveLoginConsentRequests(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

	// DeleteAccessTokens takes a client ID.
	// NOTE(review): presumably deletes all access tokens issued to that
	// client; confirm against the implementation.
	DeleteAccessTokens(ctx context.Context, clientID string) error

	// FlushInactiveRefreshTokens has the same parameters as
	// FlushInactiveAccessTokens.
	// NOTE(review): presumably the same 'notAfter' rule applies to refresh
	// tokens; confirm against the implementation.
	FlushInactiveRefreshTokens(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

	// DeleteOpenIDConnectSession deletes an OpenID Connect session.
	// This is duplicated from Ory Fosite to help against deprecation linting errors.
	DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
}

type HTTPClientProvider

// HTTPClientProvider is implemented by types that can supply an HTTP client.
type HTTPClientProvider interface {
	// HTTPClient returns a *retryablehttp.Client, optionally adjusted by the
	// given httpx.ResilientOptions.
	HTTPClient(ctx context.Context, opts ...httpx.ResilientOptions) *retryablehttp.Client
}

type HashAlgorithm

// HashAlgorithm is a string type naming a hash algorithm. The package declares
// the values HashAlgorithmBCrypt and HashAlgorithmPBKDF2.
type HashAlgorithm string

func (HashAlgorithm) String

func (a HashAlgorithm) String() string

type Hasher

// Hasher implements fosite.Hasher through its Hash and Compare methods.
type Hasher struct {
	// contains filtered or unexported fields
}

Hasher implements fosite.Hasher.

func NewHasher

func NewHasher(c config) *Hasher

NewHasher returns a new Hasher instance (described upstream as a BCrypt instance; note that this package also defines HashAlgorithmPBKDF2).

func (*Hasher) Compare

func (b *Hasher) Compare(ctx context.Context, hash, data []byte) error

func (*Hasher) Hash

func (b *Hasher) Hash(ctx context.Context, data []byte) ([]byte, error)

type JSONWebKey

// JSONWebKey is the JSON representation of a JSON Web Key (RFC 7517) with the
// key-type-specific parameters of RFC 7518.
//
// The struct holds public and private parameters side by side. D, P, Q, Dp,
// Dq, Qi and K are private or secret key material: a value with any of them
// set must be treated as a secret (not logged, not returned from a public key
// endpoint). Every field is tagged omitempty, so a parameter is serialized
// whenever it is non-empty.
type JSONWebKey struct {
	// Use ("public key use") identifies the intended use of
	// the public key. The "use" parameter is employed to indicate whether
	// a public key is used for encrypting data or verifying the signature
	// on data. Values are commonly "sig" (signature) or "enc" (encryption).
	//
	// required: true
	// example: sig
	Use string `json:"use,omitempty"`

	// The "kty" (key type) parameter identifies the cryptographic algorithm
	// family used with the key, such as "RSA" or "EC". "kty" values should
	// either be registered in the IANA "JSON Web Key Types" registry
	// established by [JWA] or be a value that contains a Collision-
	// Resistant Name.  The "kty" value is a case-sensitive string.
	//
	// required: true
	// example: RSA
	Kty string `json:"kty,omitempty"`

	// The "kid" (key ID) parameter is used to match a specific key.  This
	// is used, for instance, to choose among a set of keys within a JWK Set
	// during key rollover.  The structure of the "kid" value is
	// unspecified.  When "kid" values are used within a JWK Set, different
	// keys within the JWK Set SHOULD use distinct "kid" values.  (One
	// example in which different keys might use the same "kid" value is if
	// they have different "kty" (key type) values but are considered to be
	// equivalent alternatives by the application using them.)  The "kid"
	// value is a case-sensitive string.
	//
	// required: true
	// example: 1603dfe0af8f4596
	Kid string `json:"kid,omitempty"`

	// The "alg" (algorithm) parameter identifies the algorithm intended for
	// use with the key.  The values used should either be registered in the
	// IANA "JSON Web Signature and Encryption Algorithms" registry
	// established by [JWA] or be a value that contains a Collision-
	// Resistant Name.
	//
	// required: true
	// example: RS256
	Alg string `json:"alg,omitempty"`

	// The "x5c" (X.509 certificate chain) parameter contains a chain of one
	// or more PKIX certificates [RFC5280].  The certificate chain is
	// represented as a JSON array of certificate value strings.  Each
	// string in the array is a base64-encoded (Section 4 of [RFC4648] --
	// not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
	// The PKIX certificate containing the key value MUST be the first
	// certificate.
	X5c []string `json:"x5c,omitempty"`

	// The "n" parameter is the RSA modulus (RFC 7518, Section 6.3.1). Public.
	//
	// example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
	N string `json:"n,omitempty"`

	// The "e" parameter is the RSA public exponent (RFC 7518, Section 6.3.1). Public.
	//
	// example: AQAB
	E string `json:"e,omitempty"`

	// The "d" parameter is the RSA private exponent (RFC 7518, Section 6.3.2)
	// or the elliptic-curve private key (Section 6.2.2). Private key material.
	//
	// example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
	D string `json:"d,omitempty"`

	// The "p" parameter is the first RSA prime factor (RFC 7518, Section 6.3.2).
	// Private key material.
	//
	// example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
	P string `json:"p,omitempty"`

	// The "q" parameter is the second RSA prime factor (RFC 7518, Section 6.3.2).
	// Private key material.
	//
	// example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
	Q string `json:"q,omitempty"`

	// The "crv" parameter names the elliptic curve used with the key
	// (RFC 7518, Section 6.2.1). Public.
	//
	// example: P-256
	Crv string `json:"crv,omitempty"`

	// The "dp" parameter is the first factor CRT exponent of an RSA private
	// key (RFC 7518, Section 6.3.2). Private key material.
	//
	// example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
	Dp string `json:"dp,omitempty"`

	// The "dq" parameter is the second factor CRT exponent of an RSA private
	// key (RFC 7518, Section 6.3.2). Private key material.
	//
	// example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
	Dq string `json:"dq,omitempty"`

	// The "qi" parameter is the first CRT coefficient of an RSA private key
	// (RFC 7518, Section 6.3.2). Private key material.
	//
	// example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
	Qi string `json:"qi,omitempty"`

	// The "k" parameter is the value of a symmetric key (RFC 7518,
	// Section 6.4.1). Secret key material.
	//
	// example: GawgguFyGrWKav7AX4VKUg
	K string `json:"k,omitempty"`

	// The "x" parameter is the x coordinate of an elliptic-curve point
	// (RFC 7518, Section 6.2.1). Public.
	//
	// example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
	X string `json:"x,omitempty"`

	// The "y" parameter is the y coordinate of an elliptic-curve point
	// (RFC 7518, Section 6.2.1). Public.
	//
	// example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
	Y string `json:"y,omitempty"`
}

swagger:model jsonWebKey

type JoseJSONWebKeySet

// JoseJSONWebKeySet wraps an embedded *jose.JSONWebKeySet and declares Scan and
// Value methods with the signatures used for SQL scanning and valuing.
// The embedded pointer is nil in the zero value.
type JoseJSONWebKeySet struct {
	// swagger:ignore
	*jose.JSONWebKeySet
}

swagger:type JSONWebKeySet

func (*JoseJSONWebKeySet) Scan

func (n *JoseJSONWebKeySet) Scan(value interface{}) error

func (*JoseJSONWebKeySet) Value

func (n *JoseJSONWebKeySet) Value() (driver.Value, error)

type NullDuration

// NullDuration represents a nullable JSON and SQL compatible time.Duration.
type NullDuration struct {
	// Duration is the wrapped value.
	Duration time.Duration
	// Valid presumably reports whether Duration holds a non-null value, as in
	// the database/sql Null* types; confirm against Scan and Value.
	Valid    bool
}

NullDuration represents a nullable JSON and SQL compatible time.Duration.

TODO delete this type and replace it with ory/x/sqlxx/NullDuration when applying the custom client token TTL patch to Hydra 2.x

swagger:ignore

func (NullDuration) MarshalJSON

func (ns NullDuration) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of ns.

func (*NullDuration) Scan

func (ns *NullDuration) Scan(value interface{}) error

Scan implements the Scanner interface.

func (*NullDuration) UnmarshalJSON

func (ns *NullDuration) UnmarshalJSON(data []byte) error

UnmarshalJSON decodes the JSON in data into *ns.

func (NullDuration) Value

func (ns NullDuration) Value() (driver.Value, error)

Value implements the driver Valuer interface.

type PaginationHeaders

// PaginationHeaders describes the pagination-related response headers; both
// fields are annotated "in: header".
type PaginationHeaders struct {
	// The link header contains pagination links.
	//
	// For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
	//
	// in: header
	Link string `json:"link"`

	// The total number of clients.
	//
	// in: header
	XTotalCount string `json:"x-total-count"`
}

swagger:model paginationHeaders

type PaginationParams

// PaginationParams describes the page_size and page_token query parameters.
// NOTE(review): PageToken is a string, yet its annotations give a numeric
// default and minimum; confirm how the token is validated.
type PaginationParams struct {
	// Items per page
	//
	// This is the number of items per page to return.
	// For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
	//
	// required: false
	// in: query
	// default: 250
	// min: 1
	// max: 1000
	PageSize int `json:"page_size"`

	// Next Page Token
	//
	// The next page token.
	// For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
	//
	// required: false
	// in: query
	// default: 1
	// min: 1
	PageToken string `json:"page_token"`
}

swagger:model pagination

type RegistryCookieStore

// RegistryCookieStore is implemented by types that can supply a cookie-backed
// session store.
type RegistryCookieStore interface {
	// CookieStore returns a sessions.Store or an error.
	CookieStore(ctx context.Context) (sessions.Store, error)
}

type RegistryLogger

// RegistryLogger is implemented by types that can supply loggers.
type RegistryLogger interface {
	// Logger returns a *logrusx.Logger.
	Logger() *logrusx.Logger
	// AuditLogger returns a *logrusx.Logger, presumably the one used for
	// audit events such as those written by LogAudit; confirm against callers.
	AuditLogger() *logrusx.Logger
}

type RegistryWriter

// RegistryWriter is implemented by types that can supply a herodot.Writer.
type RegistryWriter interface {
	// Writer returns the herodot.Writer to use.
	Writer() herodot.Writer
}

type TracingProvider

// TracingProvider is implemented by types that can supply a tracer.
type TracingProvider interface {
	// Tracer returns an *otelx.Tracer for the given context.
	Tracer(ctx context.Context) *otelx.Tracer
}
