Version: v1.11.8 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2022 License: Apache-2.0 Imports: 36 Imported by: 32



ORY Hydra

Welcome to the ORY Hydra HTTP API documentation. You will find documentation for all HTTP APIs here.

Schemes: http, https
BasePath: /
Version: latest

- application/json
- application/x-www-form-urlencoded

- application/json

    type: oauth2
    authorizationUrl: https://hydra.demo.ory.sh/oauth2/auth
    tokenUrl: https://hydra.demo.ory.sh/oauth2/token
    flow: accessCode
      offline: "A scope required when requesting refresh tokens (alias for `offline_access`)"
      offline_access: "A scope required when requesting refresh tokens"
      openid: "Request an OpenID Connect ID Token"
    type: basic

x-request-id: string
x-forwarded-proto: string


  • Copyright © 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io> *
  • Licensed under the Apache License, Version 2.0 (the "License");
  • you may not use this file except in compliance with the License.
  • You may obtain a copy of the License at *
  • http://www.apache.org/licenses/LICENSE-2.0 *
  • Unless required by applicable law or agreed to in writing, software
  • distributed under the License is distributed on an "AS IS" BASIS,
  • WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  • See the License for the specific language governing permissions and
  • limitations under the License. *
  • @author Aeneas Rekkas <aeneas+oss@aeneas.io>
  • @copyright 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
  • @license Apache-2.0 *



View Source
const (
	OpenIDConnectKeyName = "hydra.openid.id-token"
	OAuth2JWTKeyName     = "hydra.jwt.access-token"


View Source
var (
	ErrNotFound = &fosite.RFC6749Error{
		CodeField:        http.StatusNotFound,
		ErrorField:       http.StatusText(http.StatusNotFound),
		DescriptionField: "Unable to locate the requested resource",
	ErrConflict = &fosite.RFC6749Error{
		CodeField:        http.StatusConflict,
		ErrorField:       http.StatusText(http.StatusConflict),
		DescriptionField: "Unable to process the requested resource because of conflict in the current state",


func ApplyJSONPatch added in v1.10.2

func ApplyJSONPatch(p json.RawMessage, object interface{}, denyPaths ...string) error

func BasicAuth

func BasicAuth(username, password string) string

func CleanSQL

func CleanSQL(t *testing.T, db *sqlx.DB)

func CleanSQLPop added in v1.5.0

func CleanSQLPop(t *testing.T, c *pop.Connection)

func DecodeSegment added in v1.10.3

func DecodeSegment(seg string) ([]byte, error)

Decode JWT specific base64url encoding with padding stripped

func ErrorEnhancer added in v1.9.0

func ErrorEnhancer(r *http.Request, err error) interface{}

func FositeStore

func FositeStore() *storage.MemoryStore

func GenerateSecret

func GenerateSecret(length int) ([]byte, error)

func HashByteSecret

func HashByteSecret(secret []byte) []byte

HashByteSecret hashes the secret for consumption by the AEAD encryption algorithm which expects exactly 32 bytes.

The system secret is being hashed to always match exactly the 32 bytes required by AEAD, even if the secret is long or shorter.

func HashStringSecret

func HashStringSecret(secret string) []byte

HashStringSecret hashes the secret for consumption by the AEAD encryption algorithm which expects exactly 32 bytes.

The system secret is being hashed to always match exactly the 32 bytes required by AEAD, even if the secret is long or shorter.

func IsRedirectURISecure

func IsRedirectURISecure(rc redirectConfiguration) func(redirectURI *url.URL) bool

func LogAudit added in v1.5.2

func LogAudit(r *http.Request, message interface{}, logger *logrusx.Logger)

func LogError

func LogError(r *http.Request, err error, logger *logrusx.Logger)

func MatchesRange

func MatchesRange(r *http.Request, ranges []string) error

func RejectInsecureRequests

func RejectInsecureRequests(reg tlsRegistry, c tlsConfig) negroni.HandlerFunc


type BCrypt

type BCrypt struct {
	// contains filtered or unexported fields

BCrypt implements a BCrypt hasher.

func NewBCrypt

func NewBCrypt(c config) *BCrypt

NewBCrypt returns a new BCrypt instance.

func (*BCrypt) Compare

func (b *BCrypt) Compare(ctx context.Context, hash, data []byte) error

func (*BCrypt) Hash

func (b *BCrypt) Hash(ctx context.Context, data []byte) ([]byte, error)

type ClientAuthenticator added in v1.11.0

type ClientAuthenticator interface {
	AuthenticateClient(ctx context.Context, r *http.Request, form url.Values) (fosite.Client, error)

type ClientAuthenticatorProvider added in v1.11.0

type ClientAuthenticatorProvider interface {
	ClientAuthenticator() ClientAuthenticator

type FositeStorer

type FositeStorer interface {

	RevokeRefreshToken(ctx context.Context, requestID string) error

	RevokeAccessToken(ctx context.Context, requestID string) error

	// flush the access token requests from the database.
	// no data will be deleted after the 'notAfter' timeframe.
	FlushInactiveAccessTokens(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

	// flush the login requests from the database.
	// this will address the database long-term growth issues discussed in https://github.com/ory/hydra/issues/1574.
	// no data will be deleted after the 'notAfter' timeframe.
	FlushInactiveLoginConsentRequests(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

	DeleteAccessTokens(ctx context.Context, clientID string) error

	FlushInactiveRefreshTokens(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

	// DeleteOpenIDConnectSession deletes an OpenID Connect session.
	// This is duplicated from Ory Fosite to help against deprecation linting errors.
	DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error

type JSONWebKey added in v1.4.0

type JSONWebKey struct {
	// Use ("public key use") identifies the intended use of
	// the public key. The "use" parameter is employed to indicate whether
	// a public key is used for encrypting data or verifying the signature
	// on data. Values are commonly "sig" (signature) or "enc" (encryption).
	// required: true
	// example: sig
	Use string `json:"use,omitempty"`

	// The "kty" (key type) parameter identifies the cryptographic algorithm
	// family used with the key, such as "RSA" or "EC". "kty" values should
	// either be registered in the IANA "JSON Web Key Types" registry
	// established by [JWA] or be a value that contains a Collision-
	// Resistant Name.  The "kty" value is a case-sensitive string.
	// required: true
	// example: RSA
	Kty string `json:"kty,omitempty"`

	// The "kid" (key ID) parameter is used to match a specific key.  This
	// is used, for instance, to choose among a set of keys within a JWK Set
	// during key rollover.  The structure of the "kid" value is
	// unspecified.  When "kid" values are used within a JWK Set, different
	// keys within the JWK Set SHOULD use distinct "kid" values.  (One
	// example in which different keys might use the same "kid" value is if
	// they have different "kty" (key type) values but are considered to be
	// equivalent alternatives by the application using them.)  The "kid"
	// value is a case-sensitive string.
	// required: true
	// example: 1603dfe0af8f4596
	Kid string `json:"kid,omitempty"`

	//  The "alg" (algorithm) parameter identifies the algorithm intended for
	// use with the key.  The values used should either be registered in the
	// IANA "JSON Web Signature and Encryption Algorithms" registry
	// established by [JWA] or be a value that contains a Collision-
	// Resistant Name.
	// required: true
	// example: RS256
	Alg string `json:"alg,omitempty"`

	// The "x5c" (X.509 certificate chain) parameter contains a chain of one
	// or more PKIX certificates [RFC5280].  The certificate chain is
	// represented as a JSON array of certificate value strings.  Each
	// string in the array is a base64-encoded (Section 4 of [RFC4648] --
	// not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
	// The PKIX certificate containing the key value MUST be the first
	// certificate.
	X5c []string `json:"x5c,omitempty"`

	// example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
	N string `json:"n,omitempty"`

	// example: AQAB
	E string `json:"e,omitempty"`

	// example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
	D string `json:"d,omitempty"`

	// example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
	P string `json:"p,omitempty"`

	// example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
	Q string `json:"q,omitempty"`

	// example: P-256
	Crv string `json:"crv,omitempty"`

	// example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
	Dp string `json:"dp,omitempty"`

	// example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
	Dq string `json:"dq,omitempty"`

	// example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
	Qi string `json:"qi,omitempty"`

	// example: GawgguFyGrWKav7AX4VKUg
	K string `json:"k,omitempty"`

	// example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
	X string `json:"x,omitempty"`

	// example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
	Y string `json:"y,omitempty"`

It is important that this model object is named JSONWebKey for "swagger generate spec" to generate only on definition of a JSONWebKey.

swagger:model JSONWebKey

type JoseJSONWebKeySet added in v1.4.0

type JoseJSONWebKeySet struct {
	// swagger:ignore

swagger:type JSONWebKeySet

func (*JoseJSONWebKeySet) Scan added in v1.4.0

func (n *JoseJSONWebKeySet) Scan(value interface{}) error

func (*JoseJSONWebKeySet) Value added in v1.4.0

func (n *JoseJSONWebKeySet) Value() (driver.Value, error)

type RegistryCookieStore

type RegistryCookieStore interface {
	CookieStore() sessions.Store

type RegistryLogger

type RegistryLogger interface {
	Logger() *logrusx.Logger
	AuditLogger() *logrusx.Logger

type RegistryWriter

type RegistryWriter interface {
	Writer() herodot.Writer

type RouterAdmin

type RouterAdmin struct {

func NewRouterAdmin

func NewRouterAdmin() *RouterAdmin

func (*RouterAdmin) RouterPublic

func (r *RouterAdmin) RouterPublic() *RouterPublic

type RouterPublic

type RouterPublic struct {

func NewRouterPublic

func NewRouterPublic() *RouterPublic

func (*RouterPublic) RouterAdmin

func (r *RouterPublic) RouterAdmin() *RouterAdmin

type TracingProvider added in v1.10.0

type TracingProvider interface {
	Tracer(ctx context.Context) *tracing.Tracer


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL