openapi.yml

---
openapi: 3.1.0
info:
  title: Authelia API
  description: >
    Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access
    management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for
    your applications via a web portal. Authelia is an OpenID Connect 1.0 Provider which is OpenID Certified™ allowing
    comprehensive integrations, and acts as a companion for common reverse proxies.
  contact:
    name: Support
    url: https://www.authelia.com/contact/
    email: team@authelia.com
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
  version: 1.0.0
servers:
  - url: '{{ .BaseURL | default "https://auth.example.com/" }}'
    description: Authelia API
tags:
  - name: State
    description: Configuration, health and state endpoints
  - name: Authentication
    description: Authentication endpoints
  - name: Authorization
    description: Authorization endpoints
  {{- if .PasswordReset }}
  - name: Password Reset
    description: Password reset endpoints
  - name: User Information
    description: User configuration endpoints
  {{- end }}
  {{- if .PasswordChange }}
  - name: Password Change
    description: Password change endpoint
  {{- end }}
  {{- if (or .TOTP .WebAuthn .Duo) }}
  - name: Second Factor
    description: TOTP, WebAuthn and Duo endpoints
    externalDocs:
      url: https://www.authelia.com/configuration/second-factor/introduction/
  {{- end }}
  {{- if .OpenIDConnect }}
  - name: OAuth 2.0
    description: OAuth 2.0 Endpoints
    externalDocs:
      url: https://www.authelia.com/integration/openid-connect/introduction/
  - name: OpenID Connect 1.0
    description: OpenID Connect 1.0 Endpoints
    externalDocs:
      url: https://www.authelia.com/integration/openid-connect/introduction/
  {{- end }}
paths:
  /api/configuration:
    get:
      tags:
        - State
      summary: Application Configuration
      description: >
        The configuration endpoint provides detailed information including available second factor methods, if any
        second factor policies exist and the TOTP period configuration.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.configuration.ConfigurationBody'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
  /api/configuration/password-policy:
    get:
      tags:
        - State
      summary: Password Policy Configuration
      description: >
        The password policy configuration endpoint provides a password policy for resetting passwords.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody'
  /api/health:
    head:
      tags:
        - State
      summary: Application Health
      description: The health check endpoint provides information about the health of Authelia.
      responses:
        "200":
          description: Successful Operation
    get:
      tags:
        - State
      summary: Application Health
      description: The health check endpoint provides information about the health of Authelia.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
  /api/state:
    get:
      tags:
        - State
      summary: User Application State
      description: >
        The state endpoint provides detailed information including the user, current authenticate level and Authelia's
        configured default redirection URL.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.StateResponse'
  {{- $app := "" }}{{ if .Domain }}{{ $app = printf "https://%s/" .Domain }}{{ else if .BaseURL }}{{ $app = .BaseURL }}{{ else }}{{ $app = "https://app.example.com" }}{{ end }}
  {{- $redir := printf "%s?rd=%s&rm=GET" (.BaseURL | default "https://auth.example.com/") (urlquery $app) }}
  {{- range $name, $config := .EndpointsAuthz }}
  {{- $uri := printf "/api/authz/%s" $name }}
  {{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
  {{ $uri }}:
    {{- if (eq $config.Implementation "Legacy") }}
    {{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
    {{ $method }}:
      tags:
        - Authorization
      summary: Authorization Verification (Legacy)
      description: >
        The legacy authorization verification endpoint provides the ability to verify if a user has the necessary
        permissions to access a specified domain with several proxies. It's generally recommended users use a proxy
        specific endpoint instead.
      parameters:
        - name: X-Original-URL
          in: header
          description: Redirection URL
          required: false
          style: simple
          explode: true
          schema:
            type: string
        - $ref: '#/components/parameters/forwardedMethodParam'
        - name: X-Forwarded-Proto
          in: header
          description: Redirection URL (Scheme / Protocol)
          required: false
          style: simple
          explode: true
          example: 'https'
          schema:
            type: string
        - name: X-Forwarded-Host
          in: header
          description: Redirection URL (Host)
          required: false
          style: simple
          explode: true
          example: '{{ $.Domain | default "example.com" }}'
          schema:
            type: string
        - name: X-Forwarded-URI
          in: header
          description: Redirection URL (URI)
          required: false
          style: simple
          explode: true
          example: '/path/example'
          schema:
            type: string
        - $ref: '#/components/parameters/forwardedForParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "302":
          description: Found
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "303":
          description: See Other
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "401":
          description: Unauthorized
          headers:
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
      security:
        - authelia_auth: []
    {{- end }}
    {{- else if (eq $config.Implementation "ExtAuthz") }}
    {{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
    {{ $method }}:
      tags:
        - Authorization
      summary: Authorization Verification (ExtAuthz)
      description: >
        The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary
        permissions to access a specified resource with the Envoy proxy.
      parameters:
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/forwardedHostParam'
        - $ref: '#/components/parameters/forwardedURIParam'
        - $ref: '#/components/parameters/forwardedForParam'
        - $ref: '#/components/parameters/autheliaURLParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "302":
          description: Found
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "303":
          description: See Other
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "400":
          description: Bad Request
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    {{- end }}
    {{- else if (eq $config.Implementation "ForwardAuth") }}
    {{- range $method := list "get" "head" }}
    {{ $method }}:
      tags:
        - Authorization
      summary: Authorization Verification (ForwardAuth)
      description: >
        The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary
        permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies.
      parameters:
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/forwardedHostParam'
        - $ref: '#/components/parameters/forwardedURIParam'
        - $ref: '#/components/parameters/forwardedForParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "302":
          description: Found
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "303":
          description: See Other
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "400":
          description: Bad Request
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    {{- end }}
    {{- else if (eq $config.Implementation "AuthRequest") }}
    {{- range $method := list "get" "head" }}
    {{ $method }}:
      tags:
        - Authorization
      summary: Authorization Verification (AuthRequest)
      description: >
        The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary
        permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies.
      parameters:
        - $ref: '#/components/parameters/originalMethodParam'
        - $ref: '#/components/parameters/originalURLParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
        "400":
          description: Bad Request
        "401":
          description: Unauthorized
          headers:
            location:
              description: Redirect Location for user authorization
              example: '{{ $redir }}'
              schema:
                type: string
                format: uri
            set-cookie:
              description: Sets a new cookie value
              schema:
                type: string
      security:
        - authelia_auth: []
    {{- end }}
    {{- end }}
    {{- end }}
  /api/firstfactor:
    post:
      tags:
        - Authentication
      summary: Login
      description: >
        The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.bodyFirstFactorRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.redirectResponse'
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
  {{- if .Passkeys }}
  /api/firstfactor/passkey:
    get:
      tags:
        - First Factor
      summary: First Factor Authentication - Passkey
      description: >
        The WebAuthn endpoint starts the first factor authentication process with the
        FIDO2 WebAuthn credential.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    post:
      tags:
        - First Factor
      summary: First Factor Authentication - Passkey
      description: >
        The WebAuthn endpoint completes the first factor authentication process with the
        FIDO2 WebAuthn credential.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/webauthn.PasskeyCredentialAssertionResponse"
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.redirectResponse'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
  {{- end }}
  /api/checks/safe-redirection:
    post:
      tags:
        - Authentication
      summary: Check whether URI is safe to redirect to.
      description: >
        End users usually needs to be redirected to a target website after authentication. This endpoint aims to check
        if target URL is safe to redirect to. This prevents open redirect attacks.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody'
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
  /api/logout:
    post:
      tags:
        - Authentication
      summary: Logout
      description: The logout endpoint allows a user to logout and destroy a session.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.logoutRequestBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.logoutResponseBody'
      security:
        - authelia_auth: []
  {{- if .PasswordChange }}
  /api/change-password:
    post:
      tags:
        - Password Change
      summary: Password Change
      description: >
        The password change endpoint validates the user session, validates, and changes the password.
        The same session cookie must be used for all steps in this process.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.PasswordChangeRequestBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
      security:
        - authelia_auth: []
  {{- end }}
  {{- if .PasswordReset }}
  /api/reset-password/identity/start:
    post:
      tags:
        - Password Reset
      summary: Identity Verification Token Creation
      description: >
        This endpoint is step 1 of 3 in the password reset process.

        It validates the user session and sends the user an email with a token and a link to reset their password. This
        step also generates a session cookie for the rest of the process.

        The same session cookie must be used for all steps in this process.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
      security:
        - authelia_auth: []
  /api/reset-password/identity/finish:
    post:
      tags:
        - Password Reset
      summary: Identity Verification Token Validation
      description: >
        This endpoint is step 2 of 3 in the password reset process.

        It validates the user session and reset token.

        The same session cookie must be used for all steps in this process.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
      security:
        - authelia_auth: []
  /api/reset-password:
    post:
      tags:
        - Password Reset
      summary: Password Reset
      description: >
        The password reset endpoint validates the user session and changes the password.
        The same session cookie must be used for all steps in this process.

        This endpoint is step 3 of 3 in the password reset process.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
      security:
        - authelia_auth: []
    delete:
      tags:
        - Password Reset
      summary: Password Reset
      description: >
        The password reset endpoint revokes a JWT associated with a password reset
        operation.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.PasswordResetBodyDELETE'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.API'
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
      security:
        - authelia_auth: []
  {{- end }}
  /api/user/info:
    get:
      tags:
        - User Information
      summary: User Configuration
      description: >
        The user info endpoint provides detailed information including a users display name, preferred and registered
        second factor method(s).
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.UserInfo'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
    post:
      tags:
        - User Information
      summary: User Configuration
      description: >
        The user info endpoint provides detailed information including a users display name, preferred and registered
        second factor method(s). The POST method also ensures the preferred method is configured correctly.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.UserInfo'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
  /api/user/info/2fa_method:
    post:
      tags:
        - User Information
      summary: User Configuration
      description: The user info 2fa_method endpoint sets the users preferred second factor method.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.UserInfo.MethodBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
  /api/user/session/elevation:
    get:
      tags:
        - User Elevation
      summary: User Session Elevation
      description: >
        The user session elevation endpoint returns information indicating if the current
        user session has elevated privileges from identity verification.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.ElevationStatus.Response'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
    post:
      tags:
        - User Elevation
      summary: User Session Elevation
      description: >
        The user session elevation endpoint generates a new One-Time Code for the purpose
        of elevating a user session. The One-Time Code is sent to a users email.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.ElevationVerify.Request'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
    put:
      tags:
        - User Elevation
      summary: User Session Elevation
      description: >
        The user session elevation endpoint verifies and consumes a One-Time Code, and
        configures the session elevation.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.ElevationStart.Response'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
  /api/user/session/elevation/{id}:
    delete:
      tags:
        - User Elevation
      summary: User Session Elevation
      description: >
        The user session elevation endpoint deletes a pending One-Time Code from the
        database so that it can't be used. This can be invoked by a user either by cancelling the One-Time Code window
        or via the revoke link in the generated email.
      parameters:
        - in: path
          name: id
          description: The Delete ID of the pending User Session Elevation.
          required: true
          schema:
            type: string
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.API'
      security:
        - authelia_auth: []
  {{- if .TOTP }}
  /api/secondfactor/totp/register:
    get:
      tags:
        - Second Factor
      summary: TOTP Configuration Register
      description: >
        The TOTP register endpoint provides information important for registering the TOTP
        configuration for the user. This endpoint only returns information used for this same endpoint when utilizing
        the PUT method verb.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.TOTPOptions'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    put:
      tags:
        - Second Factor
      summary: TOTP Configuration Register
      description: >
        The TOTP register endpoint creates a temporary TOTP configuration which must then
        be validated by the user using the POST method verb variant of this endpoint. Without validation the TOTP
        configuration is not committed to the database and is instead temporarily stored in the session backend. This
        action can also be followed by using the DELETE method verb for the same endpoint which will delete the
        temporary configuration from the session.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.TOTPRegisterStartRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.TOTPRegisterStartResponse'
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    post:
      tags:
        - Second Factor
      summary: TOTP Configuration Register
      description: >
        The TOTP register endpoint provides the validation step for the endpoint where the
        user provides the TOTP configuration generated token. If successful the configuration is saved to the database.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.TOTPRegisterFinishRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    delete:
      tags:
        - Second Factor
      summary: TOTP Configuration Register
      description: >
        The TOTP register endpoint removes the temporary TOTP configuration from the
        session. It does NOT affect the TOTP configuration saved to the database.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
  /api/secondfactor/totp:
    get:
      tags:
        - Second Factor
      summary: TOTP Configuration
      description: >
        The TOTP endpoint provides information necessary to display the TOTP component to
        validate their TOTP input such as the period and number of digits.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.TOTPConfiguration'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "404":
          description: Not Found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "500":
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    post:
      tags:
        - Second Factor
      summary: Second Factor Authentication - TOTP
      description: >
        The TOTP endpoint performs second factor authentication with a TOTP configuration.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.bodySignTOTPRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.redirectResponse'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
      security:
        - authelia_auth: []
    delete:
      tags:
        - Second Factor
      summary: Second Factor Authentication - TOTP
      description: >
        The TOTP endpoint deletes the TOTP configuration for the user from the database.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
  {{- end }}
  {{- if .WebAuthn }}
  /api/secondfactor/webauthn:
    get:
      tags:
        - Second Factor
      summary: Second Factor Authentication - WebAuthn
      description: >
        The WebAuthn endpoint starts the second factor authentication process with the
        FIDO2 WebAuthn credential.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    post:
      tags:
        - Second Factor
      summary: Second Factor Authentication - WebAuthn
      description: >
        The WebAuthn endpoint completes the second factor authentication process with the
        FIDO2 WebAuthn credential.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/webauthn.CredentialAssertionResponse"
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.redirectResponse'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
  /api/secondfactor/webauthn/register:
    put:
      tags:
        - Second Factor
      summary: WebAuthn Credential Registration (Attestation)
      description: >
        The WebAuthn Register endpoint checks the intended description is okay and provides
        the relevant credential creation options, and stores the creation options for a validation via the same endpoint
        with the POST method verb.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/webauthn.RegisterRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions'
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "409":
          description: Conflict
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    post:
      tags:
        - Second Factor
      summary: WebAuthn Credential Registration (Attestation)
      description: >
        The WebAuthn Register endpoint validates the authenticators response and finalizes
        the WebAuthn registration.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/webauthn.CredentialAttestationResponse'
      responses:
        "201":
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    delete:
      tags:
        - Second Factor
      summary: WebAuthn Credential Registration (Attestation)
      description: >
        The WebAuthn Register endpoint removes all WebAuthn registration data from the
        session.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
  /api/secondfactor/webauthn/credential/{credentialID}:
    put:
      tags:
        - Second Factor
      summary: WebAuthn Credential
      description: >
        The WebAuthn credential endpoint updates the description of the specified WebAuthn
        credential.
      parameters:
        - $ref: '#/components/parameters/credentialID'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/webauthn.CredentialUpdateRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "409":
          description: Conflict
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    delete:
      tags:
        - Second Factor
      summary: WebAuthn Credential
      description: >
        The WebAuthn credential endpoint deletes the specified WebAuthn credential from
        the database.
      parameters:
        - $ref: '#/components/parameters/credentialID'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
  {{- end }}
  {{- if .Duo }}
  /api/secondfactor/duo:
    get:
      tags:
        - Second Factor
      summary: Second Factor Authentication - Duo Mobile Push
      description: This endpoint retrieves the users preferred Duo device and method.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.DuoDevicesResponse'
        "403":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
      security:
        - authelia_auth: []
    post:
      tags:
        - Second Factor
      summary: Second Factor Authentication - Duo Mobile Push
      description: This endpoint performs second factor authentication with a Duo Mobile Push.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.bodySignDuoRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.redirectResponse'
        "401":
          description: Unauthorized
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.KO'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
      security:
        - authelia_auth: []
  /api/secondfactor/duo_devices:
    get:
      tags:
        - Second Factor
      summary: Second Factor Authentication - Duo Mobile Push
      description: This endpoint retrieves a users available devices and capabilities from Duo.
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/handlers.DuoDevicesResponse'
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
  /api/secondfactor/duo_device:
    post:
      tags:
        - Second Factor
      summary: Second Factor Authentication - Duo Mobile Push
      description: This endpoint updates the users preferred Duo device and method.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.DuoDeviceBody'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
  {{- end }}
  {{- if .Passkeys }}
  /api/secondfactor/password:
    post:
      tags:
        - Second Factor
      summary: Second Factor Authentication - Password
      description: This endpoint performs 2FA via the users password.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/handlers.bodyPasswordRequest'
      responses:
        "200":
          description: Successful Operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/middlewares.Response.OK'
        "401":
          description: Unauthorized
      security:
        - authelia_auth: [ ]
  {{- end }}
  {{- if .OpenIDConnect }}
  /.well-known/openid-configuration:
    get:
      tags:
        - OpenID Connect 1.0
      summary: OpenID Connect Discovery 1.0 Document
      description: >
        This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for
        an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html.
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration'
        "400":
          description: Bad Request
        "500":
          description: Internal Server Error
  /.well-known/oauth-authorization-server:
    get:
      tags:
        - OAuth 2.0
      summary: OAuth 2.0 Authorization Server Metadata
      description: >
        This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
        perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer'
        "400":
          description: Bad Request
        "500":
          description: Internal Server Error
  /jwks.json:
    get:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 JSON Web Key Set Document
      description: >
        This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate
        information from this OpenID Connect 1.0 Provider.
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/jose.spec.JWKs'
  /api/oidc/authorization:
    get:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 Authorization Endpoint
      description: >
        This endpoint performs OpenID Connect 1.0 Authorization.
      parameters:
        - in: query
          name: id
          required: false
          description: The OpenID Connect 1.0 consent workflow ID.
          schema:
            type: string
            format: uuid
            pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
            example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
        - in: query
          name: scope
          description: The requested scope.
          required: true
          schema:
            type: string
            example: 'openid profile groups'
        - in: query
          name: response_type
          description: The OAuth 2.0 response type.
          required: true
          schema:
            $ref: '#/components/schemas/openid.spec.ResponseType'
        - in: query
          name: client_id
          description: The OAuth 2.0 client identifier.
          required: true
          schema:
            type: string
            example: 'app'
        - in: query
          name: redirect_uri
          description: >
            Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI
            values for the Client pre-registered at the OpenID Provider, with the matching performed as described in
            Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use
            the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as
            defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this
            case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback
            into a native application.
          required: true
          schema:
            type: string
            format: uri
            example: 'https://app.{{ .Domain | default "example.com" }}'
        - in: query
          name: state
          description: >
            Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request
            Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a
            browser cookie.
          required: false
          schema:
            type: string
            example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
        - in: query
          name: response_mode
          description: >
            Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
            Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
            the default mode specified for the Response Type.
          required: false
          schema:
            $ref: '#/components/schemas/openid.spec.ResponseMode'
        - in: query
          name: nonce
          description: >
            String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value
            is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be
            present in the nonce values used to prevent attackers from guessing values. For implementation notes, see
            Section 15.5.2.
          required: false
          schema:
            type: string
            example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
        - in: query
          name: display
          description: >
            Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication
            and consent user interface pages to the End-User.
          required: false
          schema:
            $ref: '#/components/schemas/openid.spec.DisplayType'
        - in: query
          name: prompt
          description: >
            Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
            Authorization Server prompts the End-User for reauthentication and consent.
          required: false
          schema:
            $ref: '#/components/schemas/openid.spec.Prompt'
        - in: query
          name: max_age
          description: >
            Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User
            was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to
            actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE
            [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an
            auth_time Claim Value.
          required: false
          schema:
            type: integer
            example: 3600
        - in: query
          name: ui_locales
          description: >
            Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
            space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
            "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region
            designation), followed by English (without a region designation). An error SHOULD NOT result if some or all
            of the requested locales are not supported by the OpenID Provider.
          required: false
          schema:
            type: string
            example: 'en-US'
        - in: query
          name: claims_locales
          description: >
            Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a
            space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT
            result if some or all of the requested locales are not supported by the OpenID Provider.
          required: false
          schema:
            type: string
            example: 'en-US'
        - in: query
          name: id_token_hint
          required: false
          description: >
            Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the
            End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token
            is logged in or is logged in by the request, then the Authorization Server returns a positive response;
            otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be
            present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the
            server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need
            not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token
            received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the
            signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to
            the Authentication Server using a key that enables the server to decrypt the ID Token, and use the
            re-encrypted ID token as the id_token_hint value.
          schema:
            type: string
        - in: query
          name: login_hint
          description: >
            Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in
            (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address
            (or other identifier) and then wants to pass that value as a hint to the discovered authorization service.
            It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone
            number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's
            discretion.
          required: false
          schema:
            type: string
        - in: query
          name: acr_values
          description: >
            Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
            specifies the acr values that the Authorization Server is being requested to use for processing this
            Authentication Request, with the values appearing in order of preference. The Authentication Context Class
            satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2.
            The acr Claim is requested as a Voluntary Claim by this parameter.
          required: false
          schema:
            type: string
        - in: query
          name: claims
          description: >
            Not Supported: The claims parameter value, as specified in Section 5.5.
          required: false
          schema:
            type: string
        - in: query
          name: registration
          description: >
            Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP
            that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1.
          required: false
          schema:
            type: string
        - in: query
          name: request
          description: >
            Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to
            the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this
            Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only
            supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
          required: false
          schema:
            type: string
        - in: query
          name: code_challenge
          description: >
            RFC7636 Code Challenge.
          required: false
          schema:
            type: string
        - in: query
          name: code_challenge_method
          required: false
          description: >
            RFC7636 Code Challenge Method. defaults to "plain" if not present in the request.
            Code verifier transformation method is "S256" or "plain".
          schema:
            $ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
      responses:
        "200":
          description: >
            OK Response. It should be noted that it is not possible to properly describe responses for this endpoint.
          content:
            text/html:
              schema:
                type: string
                description: The Form Post Response Mode content.
        "303":
          description: >
            See Other. It should be noted that it is not possible to properly describe responses for this endpoint.
          headers:
            Location:
              schema:
                type: string
              description: >
                Redirection location for the consent flow, or the authorization response callback location when using
                the Query or Fragment Response Modes.
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "500":
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 Authorization Endpoint
      description: >
        This endpoint performs OpenID Connect 1.0 Authorization.
      requestBody:
        description: Authorize Request Parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/openid.spec.AuthorizeRequest'
      responses:
        "200":
          description: OK
          content:
            text/html:
              schema:
                type: string
                description: The Form Post Response Mode content.
        "303":
          description: See Other
          headers:
            Location:
              schema:
                type: string
              description: >
                Redirection location for the consent flow, or the authorization response callback location when using
                the Query or Fragment Response Modes.
        "400":
          description: Bad Request
        "500":
          description: Internal Server Error
      security:
        - authelia_auth: []
  /api/oidc/device-authorization:
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: RFC8628 OAuth 2.0 Device Authorization Grant Endpoint
      description: >
        This endpoint performs the client interaction for the Device Authorization Flow.
      requestBody:
        description: Device Authorize Request (Device Code Flow) Parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/openid.spec.DeviceAuthorizeRequest'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  device_code:
                    type: string
                    example: 'authelia_dc_oqLXXUv2pvCDgBJLBav63ZduL4CxKP7JpYZ6ldHp39Y.u3XxwV3O-uYOA5TSv44iQyB27YjUGawJLlwOMuC770E'
                  user_code:
                    type: string
                    example: 'XGQWWFMM'
                  verification_uri:
                    type: string
                    format: uri
                    example: '{{ printf "%sconsent/openid/device-authorization" (.BaseURL | default "https://auth.example.com/") }}'
                  verification_uri_complete:
                    type: string
                    format: uri
                    example: '{{ printf "%sconsent/openid/device-authorization?user_code=XGQWWFMM" (.BaseURL | default "https://auth.example.com/") }}'
                  expires_in:
                    type: integer
                    example: 600
                  interval:
                    type: integer
                    example: 10
        "400":
          description: Bad Request
        "500":
          description: Internal Server Error
      security:
        - authelia_auth: []
    put:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: RFC8628 OAuth 2.0 Device Authorization Grant Endpoint
      description: >
        This endpoint performs the user interaction for the Device Authorization Flow.
      requestBody:
        description: Device Authorize Request (User Code Flow) Parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                flow_id:
                  type: string
                  description: This is the field of the same name returned by the consent endpoint.
                user_code:
                  type: string
                  description: This is the user code submitted by the user during the Device Authorization Flow.
      responses:
        "200":
          description: OK
        "400":
          description: Bad Request
        "500":
          description: Internal Server Error
      security:
        - authelia_auth: []
  /api/oidc/pushed-authorization-request:
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OAuth 2.0 Pushed Authorization Endpoint
      description: >
        This endpoint performs OAuth 2.0 Pushed Authorization.
      requestBody:
        description: Pushed Authorize Request Parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              allOf:
                - $ref: '#/components/schemas/openid.spec.AuthorizeRequest'
                - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                type: object
                description: The Pushed Authorize Request Successful Response.
                properties:
                  request_uri:
                    type: string
                    format: uri
                    description: >
                      The request URI corresponding to the authorization request posted. This URI is a single-use
                      reference to the respective request data in the subsequent authorization request. The way the
                      authorization process obtains the authorization request data is at the discretion of the
                      authorization server and is out of scope of this specification. There is no need to make the
                      authorization request data available to other parties via this URI.
                    example: 'urn:ietf:params:oauth:request_uri:lXtUUGsLrMxI5cogDk6Zk1pc5-Zw95lT4fzY0eAbdiU'
                  expires_in:
                    type: integer
                    description: >
                      A JSON number that represents the lifetime of the request URI in seconds as a positive integer.
                      The request URI lifetime is at the discretion of the authorization server but will typically be
                      relatively short (e.g., between 5 and 600 seconds).
                    example: 300
        "400":
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "413":
          description: Content Too Large
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "429":
          description: Too Many Requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
          headers:
            Retry-After:
              schema:
                type: string
                format: http-date
              description: The date time that the request can be retried.
        "500":
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
      security:
        - openid: []
  /api/oidc/token:
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 Token Endpoint
      description: >
        This endpoint performs OpenID Connect 1.0 Token Access Requests.
      requestBody:
        description: Access Request Parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              oneOf:
                - $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow'
                - $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow'
                - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientCredentialsFlow'
                - $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/openid.spec.AccessResponse'
        "401":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "403":
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "500":
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
      security:
        - openid: []
  /api/oidc/revocation:
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OAuth 2.0 Token Revocation Endpoint
      description: >
        This endpoint performs OAuth 2.0 Token Revocation Requests.
      requestBody:
        description: Required OAuth 2.0 revocation parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              allOf:
                - $ref: '#/components/schemas/openid.spec.AccessServerTokenAssertionRequest'
                - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
      responses:
        "200":
          description: OK
        "401":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "403":
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "500":
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
      security:
        - openid: []
  /api/oidc/introspection:
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OAuth 2.0 Token Introspection Endpoint
      description: >
        This endpoint performs OAuth 2.0 Token Introspection Requests.
      requestBody:
        description: Required OAuth 2.0 introspection parameters.
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              allOf:
                - $ref: '#/components/schemas/openid.spec.AccessServerTokenAssertionRequest'
                - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.IntrospectionResponse'
            application/token-introspection+jwt:
              schema:
                description: |
                  The RFC7519 encoded JWT with the nested 'token_introspection' claim which contains the same structure
                  as the openid.spec.IntrospectionResponse described in this OpenAPI 3.0 specification.
                type: string
                example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20vIiwiYXVkIjoiaHR0cHM6Ly9hcHAuZXhhbXBsZS5jb20vcmVzb3VyY2UiLCJpYXQiOjE1MTQ3OTc4OTIsInRva2VuX2ludHJvc3BlY3Rpb24iOnsiYWN0aXZlIjp0cnVlLCJleHAiOjE1MTQ3OTc5NDIsImNsaWVudF9pZCI6ImV4YW1wbGUiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiaWF0IjoxNTE0Nzk3ODIyLCJzdWIiOiI5Y2JhMzJhMC02M2EyLTQyZDUtODNlYi1kZmM3NTc4OGEyMjIiLCJhdWQiOiJodHRwczovL2FwcC5leGFtcGxlLmNvbS9yZXNvdXJjZSIsInVzZXJuYW1lIjoiam9obiJ9fQ.9rN-G3uaj28Geiktfvknl-G6EnZxOGJjpXcemvsllYA'
        "401":
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "403":
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
        "500":
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.spec.ErrorResponseGeneric'
      security:
        - openid: []
  /api/oidc/userinfo:
    get:
      tags:
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 UserInfo Endpoint
      description: >
        This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
      parameters:
        - in: query
          name: access_token
          description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
          schema:
            type: string
            example: 'authelia_at_6-8jeA8y9Y744pAHCRwGtJrsD9ABOVWyzL3uWB1ntbI.foaDPNLT0T7VVQ9on5F1rOfHs0Lbc09FGO2xF_pzmNY'
      responses:
        "200":
          description: OK
          content:
            application/jwt: {}
            application/json:
              schema:
                $ref: '#/components/schemas/openid.implementation.Claims.Object'
        "401":
          description: Forbidden
        "403":
          description: Unauthorized
        "500":
          description: Internal Server Error
      security:
        - openid: []
    post:
      tags:
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 UserInfo Endpoint
      description: >
        This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
      parameters:
        - in: query
          name: access_token
          description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
          schema:
            type: string
            example: 'authelia_at_6-8jeA8y9Y744pAHCRwGtJrsD9ABOVWyzL3uWB1ntbI.foaDPNLT0T7VVQ9on5F1rOfHs0Lbc09FGO2xF_pzmNY'
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                access_token:
                  description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
                  type: string
                  example: 'authelia_at_6-8jeA8y9Y744pAHCRwGtJrsD9ABOVWyzL3uWB1ntbI.foaDPNLT0T7VVQ9on5F1rOfHs0Lbc09FGO2xF_pzmNY'
      responses:
        "200":
          description: OK
          content:
            application/jwt: {}
            application/json:
              schema:
                $ref: '#/components/schemas/openid.implementation.Claims.Object'
        "401":
          description: Forbidden
        "403":
          description: Unauthorized
        "500":
          description: Internal Server Error
      security:
        - openid: []
  /api/oidc/consent:
    get:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 Consent Information
      description: >
        This endpoint retrieves the consent information about a specific consent ID during the consent workflow.
      parameters:
        - $ref: '#/components/parameters/flowIDRequiredParam'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.request.consent'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
    post:
      tags:
        - OAuth 2.0
        - OpenID Connect 1.0
      summary: OpenID Connect 1.0 Consent Response
      description: >
        This endpoint retrieves the consent response for a specific consent ID during the consent workflow.
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openid.response.consent'
        "403":
          description: Forbidden
      security:
        - authelia_auth: []
  {{- end }}
components:
  parameters:
    credentialID:
      in: path
      name: credentialID
      schema:
        type: integer
      required: true
      description: Numeric WebAuthn Credential ID
    originalMethodParam:
      name: X-Original-Method
      in: header
      description: Request Method
      required: true
      style: simple
      explode: true
      schema:
        type: string
        enum:
          - 'GET'
          - 'HEAD'
          - 'POST'
          - 'PUT'
          - 'PATCH'
          - 'DELETE'
          - 'TRACE'
          - 'CONNECT'
          - 'OPTIONS'
          - 'COPY'
          - 'LOCK'
          - 'MKCOL'
          - 'MOVE'
          - 'PROPFIND'
          - 'PROPPATCH'
          - 'UNLOCK'
    originalURLParam:
      name: X-Original-URL
      in: header
      description: Redirection URL
      required: true
      style: simple
      explode: true
      schema:
        type: string
    forwardedMethodParam:
      name: X-Forwarded-Method
      in: header
      description: Request Method
      required: false
      style: simple
      explode: true
      schema:
        type: string
        enum:
          - 'GET'
          - 'HEAD'
          - 'POST'
          - 'PUT'
          - 'PATCH'
          - 'DELETE'
          - 'TRACE'
          - 'CONNECT'
          - 'OPTIONS'
          - 'COPY'
          - 'LOCK'
          - 'MKCOL'
          - 'MOVE'
          - 'PROPFIND'
          - 'PROPPATCH'
          - 'UNLOCK'
    forwardedProtoParam:
      name: X-Forwarded-Proto
      in: header
      description: Redirection URL (Scheme / Protocol)
      required: true
      style: simple
      explode: true
      example: 'https'
      schema:
        type: string
    forwardedHostParam:
      name: X-Forwarded-Host
      in: header
      description: Redirection URL (Host)
      required: true
      style: simple
      explode: true
      example: '{{ .Domain | default "example.com" }}'
      schema:
        type: string
    forwardedURIParam:
      name: X-Forwarded-URI
      in: header
      description: Redirection URL (URI)
      required: true
      style: simple
      explode: true
      example: '/path/example'
      schema:
        type: string
    forwardedForParam:
      name: X-Forwarded-For
      in: header
      description: Clients IP address or IP address chain
      required: false
      style: simple
      explode: true
      example: '192.168.0.55,192.168.0.20'
      schema:
        type: string
    autheliaURLParam:
      name: X-Authelia-URL
      in: header
      description: Authelia Portal URL
      required: false
      style: simple
      explode: true
      example: '{{ .BaseURL | default "https://auth.example.com/" }}'
      schema:
        type: string
    authParam:
      name: auth
      in: query
      description: Switch authorization header and prompt for basic auth
      required: false
      schema:
        type: string
        enum:
          - 'basic'
    flowIDRequiredParam:
      name: flow_id
      in: query
      description: The Flow ID that's being requested
      required: true
      schema:
        type: string
  schemas:
    handlers.checkURIWithinDomainRequestBody:
      type: object
      properties:
        uri:
          type: string
          example: 'https://secure.{{ .Domain | default "example.com" }}'
    handlers.checkURIWithinDomainResponseBody:
      type: object
      properties:
        ok:
          type: boolean
          example: true
          description: If redirection URL is safe.
    handlers.configuration.ConfigurationBody:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            available_methods:
              type: array
              description: List of available 2FA methods. If no methods exist 2FA is disabled.
              items:
                enum:
                  - 'totp'
                  - 'webauthn'
                  - 'mobile_push'
              example: [totp, webauthn, mobile_push]
            passkey_login:
              type: boolean
              description: Value which indicates if Passkey logins are enabled.
            password_change_disabled:
              type: boolean
              description: Value which indicates if users are allowed to change their password from account settings.
            password_reset_disabled:
              type: boolean
              description: Value which indicates if users are allowed to reset their password.
    handlers.configuration.PasswordPolicyConfigurationBody:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            mode:
              type: string
              description: The password policy mode.
              enum:
                - 'disabled'
                - 'standard'
                - 'zxcvbn'
            min_length:
              type: integer
              description: The minimum password length when using the standard mode.
            max_length:
              type: integer
              description: The maximum password length when using the standard mode.
            min_score:
              type: integer
              description: The minimum password score when using the zxcvbn mode.
            require_uppercase:
              type: boolean
              description: If uppercase characters are required when using the standard mode.
            require_lowercase:
              type: boolean
              description: If uppercase characters are required when using the standard mode.
            require_number:
              type: boolean
              description: If numeric characters are required when using the standard mode.
            require_special:
              type: boolean
              description: If special characters are required when using the standard mode.
    handlers.DuoDeviceBody:
      required:
        - 'device'
        - 'method'
      type: object
      properties:
        device:
          type: string
          example: ABCDE123456789FGHIJK
        method:
          type: string
          example: push
    handlers.DuoDevicesResponse:
      type: object
      properties:
        result:
          type: string
          example: auth
        devices:
          type: array
          items:
            type: object
            properties:
              device:
                type: string
                example: ABCDE123456789FGHIJK
              display_name:
                type: string
                example: iOS (+XX XXX XXX 123)
              capabilities:
                type: array
                items:
                  type: string
                  example: push
        enroll_url:
          type: string
        preferred_device:
          type: string
          example: ABCDE123456789FGHIJK
        preferred_method:
          type: string
          example: push
    handlers.bodyPasswordRequest:
      required:
        - 'password'
      type: object
      properties:
        password:
          type: string
          example: password
        targetURL:
          type: string
          example: 'https://home.{{ .Domain | default "example.com" }}'
        flowID:
          type: string
          format: uuid
          pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
          example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
        flow:
          type: string
          example: 'openid_connect'
          enum:
            - 'openid_connect'
        subflow:
          description: The name of the subflow if applicable.
          type: string
          example: 'device_authorization'
          enum:
            - 'device_authorization'
        userCode:
          description: The user code from the Device Authorization Flow if applicable.
          type: string
          example: 'XGQWWFMM'
    handlers.bodyFirstFactorRequest:
      required:
        - 'username'
        - 'password'
      type: object
      properties:
        username:
          type: string
          example: john
        password:
          type: string
          example: password
        targetURL:
          type: string
          example: 'https://home.{{ .Domain | default "example.com" }}'
        flowID:
          type: string
          format: uuid
          pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
          example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
        flow:
          type: string
          example: 'openid_connect'
          enum:
            - 'openid_connect'
        subflow:
          description: The name of the subflow if applicable.
          type: string
          example: 'device_authorization'
          enum:
            - 'device_authorization'
        userCode:
          description: The user code from the Device Authorization Flow if applicable.
          type: string
          example: 'XGQWWFMM'
        requestMethod:
          type: string
          example: GET
        keepMeLoggedIn:
          type: boolean
          example: true
    handlers.logoutRequestBody:
      type: object
      properties:
        targetURL:
          type: string
          example: 'https://redirect.{{ .Domain | default "example.com" }}'
    handlers.logoutResponseBody:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            safeTargetURL:
              type: boolean
              example: true
    handlers.redirectResponse:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            redirect:
              type: string
              example: 'https://home.{{ .Domain | default "example.com" }}'
    {{- if .PasswordChange }}
    handlers.PasswordChangeRequestBody:
      required:
        - 'username'
        - 'old_password'
        - 'new_password'
      type: object
      properties:
        username:
          type: string
          example: john
        old_password:
          type: string
          example: old_password123
        new_password:
          type: string
          example: new_password456
    {{- end }}
    {{- if .PasswordReset }}
    handlers.PasswordResetStep1RequestBody:
      required:
        - 'username'
      type: object
      properties:
        username:
          type: string
          example: john
    handlers.PasswordResetStep2RequestBody:
      required:
        - 'password'
      type: object
      properties:
        password:
          type: string
          example: password
    handlers.PasswordResetBodyDELETE:
      required:
        - 'token'
      type: object
      properties:
        token:
          type: string
    {{- end }}
    {{- if .Duo }}
    handlers.bodySignDuoRequest:
      type: object
      properties:
        targetURL:
          type: string
          example: 'https://secure.{{ .Domain | default "example.com" }}'
        passcode:
          type: string
        flowID:
          type: string
          format: uuid
          pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
          example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
        flow:
          type: string
          example: 'openid_connect'
          enum:
            - 'openid_connect'
        subflow:
          description: The name of the subflow if applicable.
          type: string
          example: 'device_authorization'
          enum:
            - 'device_authorization'
        userCode:
          description: The user code from the Device Authorization Flow if applicable.
          type: string
          example: 'XGQWWFMM'
    {{- end }}
    handlers.StateResponse:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            username:
              type: string
              example: john
            authentication_level:
              type: integer
              example: 1
            factor_knowledge:
              type: boolean
              description: Indicates the knowledge factor has been satisfied.
              example: true
            default_redirection_url:
              type: string
              example: 'https://home.{{ .Domain | default "example.com" }}'
    middlewares.ErrorResponse:
      type: object
      properties:
        status:
          type: string
          example: KO
        message:
          type: string
          example: Authentication failed, please retry later.
    middlewares.IdentityVerificationFinishBody:
      required:
        - 'token'
      type: object
      properties:
        token:
          type: string
          example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY
    middlewares.Response.API:
      oneOf:
        - $ref: '#/components/schemas/middlewares.Response.OK'
        - $ref: '#/components/schemas/middlewares.Response.KO'
    middlewares.Response.OK:
      type: object
      properties:
        status:
          enum:
            - 'OK'
          type: string
          example: 'OK'
        data:
          type: object
          description: 'The data content for the response.'
    middlewares.Response.KO:
      type: object
      properties:
        status:
          enum:
            - 'KO'
          type: string
          example: 'KO'
        message:
          type: string
          example: 'Operation Failed.'
    handlers.UserInfo:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            display_name:
              type: string
              example: John Doe
            method:
              type: string
              enum:
                - 'totp'
                - 'webauthn'
                - 'mobile_push'
              example: totp
            has_webauthn:
              type: boolean
              example: false
            has_totp:
              type: boolean
              example: true
            has_duo:
              type: boolean
              example: true
    handlers.UserInfo.MethodBody:
      required:
        - 'method'
      type: object
      properties:
        method:
          type: string
          enum:
            - 'totp'
            - 'webauthn'
            - 'mobile_push'
          example: totp
    handlers.ElevationStatus.Response:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            require_second_factor:
              description: Indicates if the elevation requires a second factor.
              type: boolean
            skip_second_factor:
              description: Indicates if the requirement for a One-Time Code can be skipped if satisfying the 2FA rule.
              type: boolean
            factor_knowledge:
              description: Indicates if the knowledge factor of 2FA has been satisfied.
              type: boolean
            elevated:
              description: Indicates if the session is elevated.
              type: boolean
            expires:
              description: The number of seconds the elevation is still valid for.
              type: integer
              example: 300
    handlers.ElevationStart.Response:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            delete_id:
              description: The value required to delete the pending elevation.
              type: string
    handlers.ElevationVerify.Request:
      type: object
      properties:
        otc:
          description: The One-Time Code sent to the users email address.
          type: string
    {{- if .TOTP }}
    handlers.TOTPOptions:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            algorithm:
              default: 'SHA1'
              description: The default algorithm for the generated configuration.
              type: string
              example: 'SHA1'
            algorithms:
              default:
                - 'SHA1'
              description: The allowed algorithm values for the generated configuration.
              example:
                - 'SHA1'
              type: array
              items:
                type: string
            length:
              default: 30
              description: The default length value for the generated configuration.
              type: integer
              example: 30
            lengths:
              default:
                - 6
              description: The allowed length values for the generated configuration.
              example:
                - 6
              type: array
              items:
                type: integer
            period:
              default: 30
              description: The default period value for the generated configuration.
              type: integer
              example: 30
            periods:
              default:
                - 30
              description: The allowed period values for the generated configuration.
              example:
                - 30
              type: array
              items:
                type: integer
    handlers.TOTPRegisterStartRequest:
      type: object
      properties:
        algorithm:
          default: 'SHA1'
          description: The algorithm for the generated configuration.
          type: string
          example: 'SHA1'
        length:
          default: 30
          description: The period or length of time for the generated configuration.
          type: integer
          example: 30
        digits:
          default: 6
          description: The digits for the generated configuration.
          type: integer
          example: 6
    handlers.TOTPRegisterStartResponse:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            base32_secret:
              description: The base32 encoded secret for the TOTP configuration.
              type: string
            otpauth_url:
              description: The TOTP scheme URL for the TOTP configuration used to generate the QR code.
              type: string
    handlers.TOTPRegisterFinishRequest:
      type: object
      properties:
        token:
          description: The value generated by the authenticator.
          type: string
          example: '123456'
    handlers.TOTPConfiguration:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            period:
              default: 30
              description: The period defined in the users TOTP configuration
              type: integer
              example: 30
            digits:
              default: 6
              description: The number of digits defined in the users TOTP configuration
              type: integer
              example: 6
    handlers.bodySignTOTPRequest:
      type: object
      properties:
        token:
          type: string
          example: '123456'
        targetURL:
          type: string
          example: 'https://secure.{{ .Domain | default "example.com" }}'
        flowID:
          type: string
          format: uuid
          pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
          example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
        flow:
          type: string
          example: 'openid_connect'
          enum:
            - 'openid_connect'
        subflow:
          description: The name of the subflow if applicable.
          type: string
          example: 'device_authorization'
          enum:
            - 'device_authorization'
        userCode:
          description: The user code from the Device Authorization Flow if applicable.
          type: string
          example: 'XGQWWFMM'
    handlers.TOTPKeyResponse:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            base32_secret:
              type: string
              example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
            otpauth_url:
              type: string
              example: 'otpauth://totp/{{ .Domain | default "example.com" }}:john?algorithm=SHA1&digits=6&issuer=auth.{{ .Domain | default "example.com" }}&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q'
    {{- end }}
    {{- if .WebAuthn }}
    webauthn.PublicKeyCredential:
      type: object
      properties:
        rawId:
          type: string
          format: byte
        id:
          type: string
        type:
          type: string
    webauthn.AuthenticatorResponse:
      type: object
      properties:
        clientDataJSON:
          type: string
          format: byte
    webauthn.CredentialAttestationResponse:
      type: object
      properties:
        credential:
          allOf:
            - $ref: '#/components/schemas/webauthn.PublicKeyCredential'
            - type: object
              properties:
                clientExtensionResults:
                  type: object
                  properties:
                    appidExclude:
                      type: boolean
                response:
                  allOf:
                    - $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
                    - type: object
                      properties:
                        attestationObject:
                          type: string
                          format: byte
        description:
          type: string
    webauthn.PasskeyCredentialAssertionResponse:
      allOf:
        - $ref: '#/components/schemas/webauthn.CredentialAssertionResponse'
        - type: object
          properties:
            requestMethod:
              type: string
              example: GET
            keepMeLoggedIn:
              type: boolean
              example: true
    webauthn.CredentialAssertionResponse:
      allOf:
        - $ref: '#/components/schemas/webauthn.PublicKeyCredential'
        - type: object
          properties:
            response:
              allOf:
                - $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
                - type: object
                  required:
                    - 'authenticatorData'
                    - 'clientDataJSON'
                    - 'signature'
                  properties:
                    authenticatorData:
                      type: string
                      format: byte
                    clientDataJSON:
                      type: string
                      format: byte
                    clientExtensionResults:
                      type: object
                      properties:
                        appid:
                          type: boolean
                          example: false
                    signature:
                      type: string
                      format: byte
                    userHandle:
                      type: string
                      format: byte
                    flowID:
                      type: string
                      format: uuid
                      pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
                      example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
                    flow:
                      type: string
                      example: 'openid_connect'
                      enum:
                        - 'openid_connect'
                    subflow:
                      description: The name of the subflow if applicable.
                      type: string
                      example: 'device_authorization'
                      enum:
                        - 'device_authorization'
                    userCode:
                      description: The user code from the Device Authorization Flow if applicable.
                      type: string
                      example: 'XGQWWFMM'
    webauthn.CredentialUpdateRequest:
      type: object
      properties:
        description:
          type: string
    webauthn.RegisterRequest:
      type: object
      properties:
        description:
          description: The description the registered credential will have.
          type: string
          example: 'My Main Credential'
    webauthn.PublicKeyCredentialCreationOptions:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            publicKey:
              allOf:
                - $ref: '#/components/schemas/webauthn.AttestationType'
                - $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria'
                - $ref: '#/components/schemas/webauthn.CredentialUserEntity'
                - $ref: '#/components/schemas/webauthn.CredentialRPEntity'
                - type: object
                  required:
                    - 'challenge'
                    - 'pubKeyCredParams'
                  properties:
                    challenge:
                      type: string
                      format: byte
                    pubKeyCredParams:
                      type: array
                      items:
                        type: object
                        required:
                          - 'alg'
                          - 'type'
                        properties:
                          alg:
                            type: integer
                          type:
                            type: string
                            example: public-key
                            enum:
                              - 'public-key'
                    timeout:
                      type: integer
                      example: 60000
                    excludeCredentials:
                      type: array
                      items:
                        allOf:
                          - $ref: '#/components/schemas/webauthn.CredentialDescriptor'
                    extensions:
                      type: object
                      properties:
                        appidExclude:
                          type: string
                          example: '{{ .BaseURL | default "https://auth.example.com/" }}'
    webauthn.PublicKeyCredentialRequestOptions:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            publicKey:
              allOf:
                - $ref: '#/components/schemas/webauthn.UserVerification'
                - type: object
                  required:
                    - 'challenge'
                  properties:
                    challenge:
                      type: string
                    timeout:
                      type: integer
                      example: 60000
                    rpId:
                      type: string
                      example: 'auth.{{ .Domain | default "example.com" }}'
                    allowCredentials:
                      type: array
                      items:
                        allOf:
                          - $ref: '#/components/schemas/webauthn.CredentialDescriptor'
                    extensions:
                      type: object
                      properties:
                        appid:
                          type: string
                          example: '{{ .BaseURL | default "https://auth.example.com/" }}'
    webauthn.Transports:
      type: object
      properties:
        transports:
          type: array
          items:
            type: string
            example:
              - 'usb'
              - 'nfc'
            enum:
              - 'usb'
              - 'nfc'
              - 'ble'
              - 'internal'
    webauthn.UserVerification:
      type: object
      properties:
        userVerification:
          type: string
          example: preferred
          enum:
            - 'required'
            - 'preferred'
            - 'discouraged'
    webauthn.AttestationType:
      type: object
      properties:
        attestation:
          type: string
          example: direct
          enum:
            - 'none'
            - 'indirect'
            - 'direct'
    webauthn.AuthenticatorSelectionCriteria:
      type: object
      properties:
        authenticatorSelection:
          type: object
          properties:
            authenticatorAttachment:
              type: string
              example: cross-platform
              enum:
                - 'platform'
                - 'cross-platform'
            residentKey:
              type: string
              example: discouraged
              enum:
                - 'discouraged'
                - 'preferred'
                - 'required'
            requireResidentKey:
              type: boolean
    webauthn.CredentialDescriptor:
      allOf:
        - $ref: '#/components/schemas/webauthn.Transports'
        - type: object
          required:
            - 'id'
            - 'type'
          properties:
            id:
              type: string
              format: byte
            type:
              type: string
              example: public-key
              enum:
                - 'public-key'
    webauthn.CredentialEntity:
      type: object
      required:
        - 'id'
        - 'name'
      properties:
        id:
          type: string
        name:
          type: string
        icon:
          type: string
    webauthn.CredentialRPEntity:
      type: object
      required:
        - 'rp'
      properties:
        rp:
          allOf:
            - $ref: '#/components/schemas/webauthn.CredentialEntity'
    webauthn.CredentialUserEntity:
      type: object
      required:
        - 'user'
      properties:
        user:
          allOf:
            - $ref: '#/components/schemas/webauthn.CredentialEntity'
            - type: object
              required:
                - 'displayName'
              properties:
                displayName:
                  type: string
    webauthn.AuthenticationExtensionsClientOutputs:
      type: object
      properties:
        clientExtensionResults:
          type: object
          properties:
            appid:
              type: boolean
              example: true
            appidExclude:
              type: boolean
              example: false
            uvm:
              type: array
              items:
                type: string
                format: byte
            credProps:
              type: object
              properties:
                rk:
                  type: boolean
                  example: false
            largeBlob:
              type: object
              properties:
                supported:
                  type: boolean
                  example: false
                blob:
                  type: string
                written:
                  type: boolean
                  example: false
    {{- end }}
    {{- if .OpenIDConnect }}
    openid.request.consent:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            client_id:
              type: string
              description: The identifier of the client for the user to provide consent for.
              example: 'app'
            client_description:
              description: The descriptive name of the client for the user to provide consent for.
              type: string
              example: 'App Platform'
            scopes:
              description: The list of the requested scopes for the user to provide consent for.
              type: array
              items:
                type: string
                enum:
                  - 'openid'
                  - 'offline_access'
                  - 'groups'
                  - 'email'
                  - 'profile'
            audience:
              description: The list of the requested audiences for the user to provide consent for.
              type: array
              items:
                type: string
            pre_configuration:
              description: Indicates if this client supports pre-configuration.
              type: boolean
              example: true
            claims:
              description: List of requested optional claims.
              type: array
              items:
                type: string
            essential_claims:
              description: List of requested essential claims.
              type: array
              items:
                type: string
            require_login:
              description: If the user must perform a login event before proceeding to provide consent.
              type: boolean
              example: true
    openid.response.consent:
      type: object
      properties:
        status:
          type: string
          example: OK
        data:
          type: object
          properties:
            flow_id:
              description: The identifier of the consent flow session.
              type: string
              format: uuid
              pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
              example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
            redirect_uri:
              description: The URI the user should be redirected to.
              type: string
              format: uri
    openid.spec.Metadata.OAuth2AuthorizationServer:
      type: object
      required:
        - 'issuer'
        - 'authorization_endpoint'
        - 'subject_types_supported'
        - 'response_types_supported'
        - 'require_pushed_authorization_requests'
      properties:
        authorization_endpoint:
          description: >
            URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
            See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/authorization'
        claims_supported:
          description: >
            JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
            values for. Note that for privacy or other reasons, this might not be an exhaustive list.
          type: array
          example:
            - 'amr'
            - 'aud'
            - 'azp'
            - 'client_id'
            - 'exp'
            - 'iat'
            - 'iss'
            - 'jti'
            - 'rat'
            - 'auth_time'
            - 'nonce'
            - 'groups'
            - 'sub'
            - 'name'
            - 'given_name'
            - 'family_name'
            - 'middle_name'
            - 'nickname'
            - 'preferred_username'
            - 'profile'
            - 'picture'
            - 'website'
            - 'email'
            - 'email_verified'
            - 'alt_emails'
            - 'gender'
            - 'birthdate'
            - 'zoneinfo'
            - 'locale'
            - 'phone_number'
            - 'phone_number_verified'
            - 'address'
            - 'updated_at'
          items:
            $ref: '#/components/schemas/openid.implementation.Claims.Array'
        code_challenge_methods_supported:
          description: >
            JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
            server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
            4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
            Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
            PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
          type: array
          example:
            - 'S256'
            - 'none'
          items:
            $ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
        grant_types_supported:
          type: array
          description: >
            JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
            Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
            Types. If omitted, the default value is ["authorization_code", "implicit"].
          example:
            - 'authorization_code'
            - 'implicit'
            - 'client_credentials'
            - 'refresh_token'
            - 'urn:ietf:params:oauth:grant-type:device_code'
          items:
            $ref: '#/components/schemas/openid.spec.GrantType'
        device_authorization_endpoint:
          description: >
            URL of the authorization server's device authorization endpoint, as defined in Section 3.1.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/device-authorization'
        introspection_endpoint:
          description: >
            URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
            Introspection: https://datatracker.ietf.org/doc/html/rfc7662
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/introspection'
        introspection_endpoint_auth_methods_supported:
          description: >
            JSON array containing a list of client authentication methods supported by this introspection endpoint. The
            valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
            Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token
            Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If
            omitted, the set of supported authentication methods MUST be determined by other means. See Also:
            IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
            OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
            https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
          type: array
          example:
            - 'client_secret_post'
            - 'client_secret_basic'
            - 'client_secret_jwt'
            - 'private_key_jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
        introspection_endpoint_auth_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
            endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
            for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
            present if either of these authentication methods are specified in the
            "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
            omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
            - 'none'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        issuer:
          description:
            URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
            If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
            by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
          type: string
          example: '{{ .BaseURL | default "https://auth.example.com/" }}'
        jwks_uri:
          description: >
            URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
            signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
            to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
            parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
            Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
            RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
            keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}jwks.json'
        op_policy_uri:
          description:
            URL that the OpenID Provider provides to the person registering the Client to read about the OP's
            requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
            display this URL to the person registering the Client if it is given.
          type: string
          format: uri
        op_tos_uri:
          description: >
            URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
            terms of service. The registration process SHOULD display this URL to the person registering the Client if
            it is given.
          type: string
          format: uri
        pushed_authorization_request_endpoint:
          description: >
            The URL of the pushed authorization request endpoint at which a client can post an authorization request to
            exchange for a "request_uri" value usable at the authorization server.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/par'
        registration_endpoint:
          description: >
            URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
            OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/registration'
        require_pushed_authorization_requests:
          description: >
            Boolean parameter indicating whether the authorization server accepts authorization request data only via
            PAR. If omitted, the default value is "false".
          type: boolean
          example: false
        response_modes_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
            OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
            OpenID Providers is ["query", "fragment"].
          type: array
          example:
            - 'form_post'
            - 'query'
            - 'fragment'
            - 'jwt'
            - 'form_post.jwt'
            - 'query.jwt'
            - 'fragment.jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ResponseMode'
        response_types_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
            Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
          type: array
          example:
            - 'code'
            - 'id_token'
            - 'token'
            - 'id_token token'
            - 'code id_token'
            - 'code token'
            - 'code id_token token'
          items:
            $ref: '#/components/schemas/openid.spec.ResponseType'
        revocation_endpoint:
          description: >
            URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
            See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/revocation'
        revocation_endpoint_auth_methods_supported:
          description: >
            JSON array containing a list of client authentication methods supported by this revocation endpoint. The
            valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
            Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
            -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also:
            IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
            OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
          type: array
          example:
            - 'none'
            - 'client_secret_post'
            - 'client_secret_basic'
            - 'client_secret_jwt'
            - 'private_key_jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
        revocation_endpoint_auth_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
            endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
            the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
            either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
            entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
            See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        scopes_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server
            MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even
            when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
            See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
          type: array
          example:
            - 'openid'
            - 'offline_access'
            - 'profile'
            - 'email'
            - 'address'
            - 'phone'
            - 'groups'
          items:
            $ref: '#/components/schemas/openid.implementation.Scopes.Object'
        service_documentation:
          description: >
            URL of a page containing human-readable information that developers might want or need to know when using
            the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
            then information on how to register Clients needs to be provided in this documentation.
          type: string
          example: 'https://authelia.com'
        subject_types_supported:
          description: >
            JSON array containing a list of the Subject Identifier types that this OP supports.
            Valid types include pairwise and public.
          type: array
          example:
            - 'public'
            - 'pairwise'
          items:
            $ref: '#/components/schemas/openid.spec.SubjectIdentifier'
        token_endpoint:
          description: >
            URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
            used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/token'
        token_endpoint_auth_methods_supported:
          description: >
            JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
            are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
            9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
            omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
            2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
            OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
          type: array
          example:
            - 'none'
            - 'client_secret_post'
            - 'client_secret_basic'
            - 'client_secret_jwt'
            - 'private_key_jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
        token_endpoint_auth_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
            the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
            and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
            See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519'
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
            - 'none'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        ui_locales_supported:
          type: array
          description: >
            Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
            language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
          example:
            - 'en-US'
          items:
            type: string
        authorization_response_iss_parameter_supported:
          description: >
            Boolean parameter indicating whether the authorization server provides the iss parameter in the
            authorization response as defined in Section 2. If omitted, the default value is false.
          type: boolean
          example: true
    openid.spec.Metadata.OpenIDConfiguration:
      type: object
      required:
        - 'issuer'
        - 'authorization_endpoint'
        - 'subject_types_supported'
        - 'response_types_supported'
        - 'require_pushed_authorization_requests'
        - 'request_uri_parameter_supported'
        - 'require_request_uri_registration'
        - 'claims_parameter_supported'
        - 'frontchannel_logout_supported'
        - 'frontchannel_logout_session_supported'
        - 'backchannel_logout_supported'
        - 'backchannel_logout_session_supported'
      properties:
        acr_values_supported:
          description:
            JSON array containing a list of the Authentication Context Class References that this OP supports.
          type: array
          items:
            type: string
        authorization_endpoint:
          description: >
            URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
            See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/authorization'
        backchannel_logout_session_supported:
          description: >
            Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
            the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
            If omitted, the default value is false.
          type: boolean
          example: false
        backchannel_logout_supported:
          description: >
            Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If
            omitted, the default value is false.
          type: boolean
          example: false
        claims_parameter_supported:
          description: >
            Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
            If omitted, the default value is false.
          type: boolean
          example: false
        claim_types_supported:
          description: >
            JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are
            described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
            normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also:
            OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
          type: array
          example:
            - 'normal'
          items:
            $ref: '#/components/schemas/openid.spec.ClaimType'
        claims_locales_supported:
          description: >
            Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47
            [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
            See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
          type: array
          example:
            - 'en-US'
          items:
            type: string
        claims_supported:
          description: >
            JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
            values for. Note that for privacy or other reasons, this might not be an exhaustive list.
          type: array
          example:
            - 'amr'
            - 'aud'
            - 'azp'
            - 'client_id'
            - 'exp'
            - 'iat'
            - 'iss'
            - 'jti'
            - 'rat'
            - 'auth_time'
            - 'nonce'
            - 'groups'
            - 'sub'
            - 'name'
            - 'given_name'
            - 'family_name'
            - 'middle_name'
            - 'nickname'
            - 'preferred_username'
            - 'profile'
            - 'picture'
            - 'website'
            - 'email'
            - 'email_verified'
            - 'alt_emails'
            - 'gender'
            - 'birthdate'
            - 'zoneinfo'
            - 'locale'
            - 'phone_number'
            - 'phone_number_verified'
            - 'address'
            - 'updated_at'
          items:
            $ref: '#/components/schemas/openid.implementation.Claims.Array'
        prompt_values_supported:
          description: >
            OPTIONAL. JSON array containing the list of prompt values that this OP supports.
          type: array
          items:
            $ref: '#/components/schemas/openid.spec.Prompt'
        code_challenge_methods_supported:
          description: >
            JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
            server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
            4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
            Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
            PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters:
            https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
          type: array
          example:
            - 'S256'
            - 'plain'
          items:
            $ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
        display_values_supported:
          description: >
            JSON array containing a list of the display parameter values that the OpenID Provider supports. These values
            are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section
            3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
          type: array
          example:
            - 'page'
          items:
            $ref: '#/components/schemas/openid.spec.DisplayType'
        frontchannel_logout_session_supported:
          description: >
            Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
            identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is
            also included in ID Tokens issued by the OP. If omitted, the default value is false.
          type: boolean
          example: false
        frontchannel_logout_supported:
          description: >
            Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
            omitted, the default value is false.
          type: boolean
          example: false
        grant_types_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
            Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
            Types. If omitted, the default value is ["authorization_code", "implicit"].
          type: array
          example:
            - 'authorization_code'
            - 'implicit'
            - 'client_credentials'
            - 'refresh_token'
            - 'urn:ietf:params:oauth:grant-type:device_code'
          items:
            $ref: '#/components/schemas/openid.spec.GrantType'
        id_token_encryption_alg_values_supported:
          description: >
            JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID
            Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT:
            https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'RSA1_5'
            - 'RSA-OAEP'
            - 'RSA-OAEP-256'
            - 'A128KW'
            - 'A192KW'
            - 'A256KW'
            - 'dir'
            - 'ECDH-ES'
            - 'ECDH-ES+A128KW'
            - 'ECDH-ES+A192KW'
            - 'ECDH-ES+A256KW'
            - 'A128GCMKW'
            - 'A192GCMKW'
            - 'A256GCMKW'
            - 'PBES2-HS256+A128KW'
            - 'PBES2-HS384+A192KW'
            - 'PBES2-HS512+A256KW'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.alg'
        id_token_encryption_enc_values_supported:
          description: >
            JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID
            Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
            JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'A128CBC-HS256'
            - 'A192CBC-HS384'
            - 'A256CBC-HS512'
            - 'A128GCM'
            - 'A192GCM'
            - 'A256GCM'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.enc'
        id_token_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
            to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
            but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
            (such as when using the Authorization Code Flow).
            See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        device_authorization_endpoint:
          description: >
            URL of the authorization server's device authorization endpoint, as defined in Section 3.1.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/device-authorization'
        introspection_endpoint:
          description: >
            URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
            Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/introspection'
        introspection_endpoint_auth_methods_supported:
          description: >
            JSON array containing a list of client authentication methods supported by this introspection endpoint. The
            valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
            Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access
            Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section
            7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also:
            IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
            OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
            https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
          type: array
          example:
            - 'client_secret_post'
            - 'client_secret_basic'
            - 'client_secret_jwt'
            - 'private_key_jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
        introspection_endpoint_auth_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
            endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
            for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
            present if either of these authentication methods are specified in the
            "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
            omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
            - 'none'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        issuer:
          description: >
            URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
            If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
            by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}'
        jwks_uri:
          description: >
            URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
            signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
            to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
            parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
            Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
            RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
            keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}jwks.json'
        op_policy_uri:
          description: >
            URL that the OpenID Provider provides to the person registering the Client to read about the OP's
            requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
            display this URL to the person registering the Client if it is given.
          type: string
          format: uri
        op_tos_uri:
          description: >
            URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
            terms of service. The registration process SHOULD display this URL to the person registering the Client
            if it is given.
          type: string
          format: uri
        pushed_authorization_request_endpoint:
          description: >
            The URL of the pushed authorization request endpoint at which a client can post an authorization request to
            exchange for a "request_uri" value usable at the authorization server.
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/par'
        registration_endpoint:
          description: >
            URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
            OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/registration'
        request_object_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
            Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are
            used both when the Request Object is passed by value (using the request parameter) and when it is passed by
            reference (using the request_uri parameter). Servers SHOULD support none and RS256.
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
            - 'none'
          items:
            $ref: '#/components/schemas/jose.spec.JWS.None'
        request_object_encryption_alg_values_supported:
          description: >
            JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
            Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
            reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
          type: array
          example:
            - 'RSA1_5'
            - 'RSA-OAEP'
            - 'RSA-OAEP-256'
            - 'A128KW'
            - 'A192KW'
            - 'A256KW'
            - 'dir'
            - 'ECDH-ES'
            - 'ECDH-ES+A128KW'
            - 'ECDH-ES+A192KW'
            - 'ECDH-ES+A256KW'
            - 'A128GCMKW'
            - 'A192GCMKW'
            - 'A256GCMKW'
            - 'PBES2-HS256+A128KW'
            - 'PBES2-HS384+A192KW'
            - 'PBES2-HS512+A256KW'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.alg'
        request_object_encryption_enc_values_supported:
          description: >
            JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request
            Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
            reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
            JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'A128CBC-HS256'
            - 'A192CBC-HS384'
            - 'A256CBC-HS512'
            - 'A128GCM'
            - 'A192GCM'
            - 'A256GCM'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.enc'
        request_parameter_supported:
          description: >
            OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true
            indicating support. If omitted, the default value is false.
          type: boolean
          example: true
        request_uri_parameter_supported:
          description: >
            Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
            support. If omitted, the default value is true.
          type: boolean
          example: true
        require_pushed_authorization_requests:
          description: >
            Boolean parameter indicating whether the authorization server accepts authorization request data only via
            PAR. If omitted, the default value is "false".
          type: boolean
          example: false
        require_request_uri_registration:
          description: >
            Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the
            request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
            default value is false.
          type: boolean
          example: false
        response_modes_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
            OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
            OpenID Providers is ["query", "fragment"].
          type: array
          example:
            - 'form_post'
            - 'query'
            - 'fragment'
            - 'jwt'
            - 'form_post.jwt'
            - 'query.jwt'
            - 'fragment.jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ResponseMode'
        response_types_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
            Providers MUST support the code, id_token, and the token id_token Response Type values.
          type: array
          example:
            - 'code'
            - 'id_token'
            - 'token'
            - 'id_token token'
            - 'code id_token'
            - 'code token'
            - 'code id_token token'
          items:
            $ref: '#/components/schemas/openid.spec.ResponseType'
        revocation_endpoint:
          description: >
            URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
            OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/revocation'
        revocation_endpoint_auth_methods_supported:
          description: >
            JSON array containing a list of client authentication methods supported by this revocation endpoint. The
            valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
            Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
            -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
            See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
            OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
          type: array
          example:
            - 'none'
            - 'client_secret_post'
            - 'client_secret_basic'
            - 'client_secret_jwt'
            - 'private_key_jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
        revocation_endpoint_auth_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
            endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
            the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
            either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
            entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
            See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        scopes_supported:
          description: >
            JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
            The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope
            values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
            supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core:
            https://openid.net/specs/openid-connect-core-1_0.html
          type: array
          example:
            - 'openid'
            - 'offline_access'
            - 'profile'
            - 'email'
            - 'address'
            - 'phone'
            - 'groups'
          items:
            $ref: '#/components/schemas/openid.implementation.Scopes.Object'
        service_documentation:
          description: >
            URL of a page containing human-readable information that developers might want or need to know when using
            the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
            then information on how to register Clients needs to be provided in this documentation.
          type: string
          example: 'https://www.authelia.com'
        subject_types_supported:
          description: >
            JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
            pairwise and public.
          type: array
          example:
            - 'public'
            - 'pairwise'
          items:
            $ref: '#/components/schemas/openid.spec.SubjectIdentifier'
        token_endpoint:
          description: >
            URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
            used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/token'
        token_endpoint_auth_methods_supported:
          description: >
            JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
            are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
            9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
            omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
            2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
            OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
          type: array
          example:
            - 'none'
            - 'client_secret_post'
            - 'client_secret_basic'
            - 'client_secret_jwt'
            - 'private_key_jwt'
          items:
            $ref: '#/components/schemas/openid.spec.ClientAuthMethod'
        token_endpoint_auth_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
            for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the
            private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256.
            The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        ui_locales_supported:
          description: >
            Languages and scripts supported for the user interface, represented as a JSON array of BCP47
            [RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
          type: array
          example:
            - 'en-US'
          items:
            type: string
        userinfo_endpoint:
          description: >
            URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port,
            path, and query parameter components.
            See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
          type: string
          format: uri
          example: '{{ .BaseURL | default "https://auth.example.com/" }}api/oidc/userinfo'
        userinfo_signing_alg_values_supported:
          description: >
            JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
            UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
            JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
            JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
            - 'none'
          items:
            $ref: '#/components/schemas/jose.spec.JWS.None'
        userinfo_encryption_alg_values_supported:
          description: >
            JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the
            UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE:
            https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518
            JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'RSA1_5'
            - 'RSA-OAEP'
            - 'RSA-OAEP-256'
            - 'A128KW'
            - 'A192KW'
            - 'A256KW'
            - 'dir'
            - 'ECDH-ES'
            - 'ECDH-ES+A128KW'
            - 'ECDH-ES+A192KW'
            - 'ECDH-ES+A256KW'
            - 'A128GCMKW'
            - 'A192GCMKW'
            - 'A256GCMKW'
            - 'PBES2-HS256+A128KW'
            - 'PBES2-HS384+A192KW'
            - 'PBES2-HS512+A256KW'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.alg'
        userinfo_encryption_enc_values_supported:
          description: >
            JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo
            Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
            JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519
          type: array
          example:
            - 'A128CBC-HS256'
            - 'A192CBC-HS384'
            - 'A256CBC-HS512'
            - 'A128GCM'
            - 'A192GCM'
            - 'A256GCM'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.enc'
        authorization_signing_alg_values_supported:
          description: >
            OPTIONAL. A JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) supported by
            the authorization endpoint to sign the response.
          type: array
          example: ["RS256"]
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        authorization_encryption_alg_values_supported:
          description: >
            OPTIONAL. A JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) supported
            by the authorization endpoint to encrypt the response.
          type: array
          example:
            - 'RSA1_5'
            - 'RSA-OAEP'
            - 'RSA-OAEP-256'
            - 'A128KW'
            - 'A192KW'
            - 'A256KW'
            - 'dir'
            - 'ECDH-ES'
            - 'ECDH-ES+A128KW'
            - 'ECDH-ES+A192KW'
            - 'ECDH-ES+A256KW'
            - 'A128GCMKW'
            - 'A192GCMKW'
            - 'A256GCMKW'
            - 'PBES2-HS256+A128KW'
            - 'PBES2-HS384+A192KW'
            - 'PBES2-HS512+A256KW'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.alg'
        authorization_encryption_enc_values_supported:
          description: >
            OPTIONAL. A JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) supported
            by the authorization endpoint to encrypt the response.
          type: array
          example:
            - 'A128CBC-HS256'
            - 'A192CBC-HS384'
            - 'A256CBC-HS512'
            - 'A128GCM'
            - 'A192GCM'
            - 'A256GCM'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.enc'
        authorization_response_iss_parameter_supported:
          description: >
            Boolean parameter indicating whether the authorization server provides the iss parameter in the
            authorization response as defined in Section 2. If omitted, the default value is false.
          type: boolean
          example: true
        introspection_signing_alg_values_supported:
          description: >
            OPTIONAL. JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values), as defined in
            JWA [RFC7518], supported by the introspection endpoint to sign the response.
          type: array
          example:
            - 'HS256'
            - 'HS384'
            - 'HS512'
            - 'RS256'
            - 'RS384'
            - 'RS512'
            - 'ES256'
            - 'ES384'
            - 'ES512'
            - 'PS256'
            - 'PS384'
            - 'PS512'
          items:
            $ref: '#/components/schemas/jose.spec.JWS'
        introspection_encryption_alg_values_supported:
          description: >
            OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values), as defined
            in JWA [RFC7518], supported by the introspection endpoint to encrypt the content encryption key for
            introspection responses (content key encryption).
          type: array
          example:
            - 'RSA1_5'
            - 'RSA-OAEP'
            - 'RSA-OAEP-256'
            - 'A128KW'
            - 'A192KW'
            - 'A256KW'
            - 'dir'
            - 'ECDH-ES'
            - 'ECDH-ES+A128KW'
            - 'ECDH-ES+A192KW'
            - 'ECDH-ES+A256KW'
            - 'A128GCMKW'
            - 'A192GCMKW'
            - 'A256GCMKW'
            - 'PBES2-HS256+A128KW'
            - 'PBES2-HS384+A192KW'
            - 'PBES2-HS512+A256KW'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.alg'
        introspection_encryption_enc_values_supported:
          description: >
            OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values), as defined
            in JWA [RFC7518], supported by the introspection endpoint to encrypt the response (content encryption).
          type: array
          example:
            - 'A128CBC-HS256'
            - 'A192CBC-HS384'
            - 'A256CBC-HS512'
            - 'A128GCM'
            - 'A192GCM'
            - 'A256GCM'
          items:
            $ref: '#/components/schemas/jose.spec.JWE.enc'
    openid.spec.IntrospectionResponse:
      type: object
      required:
        - 'active'
      properties:
        active:
          type: boolean
          description: >
            REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a
            token's "active" state will vary depending on the implementation of the authorization server and the
            information it keeps about its tokens, but a "true" value return for the "active" property will generally
            indicate that a given token has been issued by this authorization server, has not been revoked by the
            resource owner, and is within its given time window of validity (e.g., after its issuance time and before
            its expiration time).  See Section 4 for information on implementation of such checks.
        scope:
          type: string
          description: >
            OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the
            format described in Section 3.3 of OAuth 2.0 [RFC6749].
        client_id:
          type: string
          description: 'OPTIONAL. Client identifier for the OAuth 2.0 client that requested this token.'
        username:
          type: string
          description: 'OPTIONAL. Human-readable identifier for the resource owner who authorized this token.'
        token_type:
          type: string
          enum:
            - 'bearer'
          example: 'bearer'
          description: 'OPTIONAL. Type of the token as defined in Section 5.1 of OAuth 2.0 [RFC6749].'
        exp:
          type: integer
          description: >
            OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when
            this token will expire, as defined in JWT [RFC7519].
        iat:
          type: integer
          description: >
            OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when
            this token was originally issued, as defined in JWT [RFC7519].
        nbf:
          type: integer
          description: >
            OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when
            this token is not to be used before, as defined in JWT [RFC7519].
        sub:
          type: string
          description: >
            OPTIONAL. Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the
            resource owner who authorized this token.
        aud:
          oneOf:
            - type: array
              items:
                type: string
                description: >
                  OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended
                  audience for this token, as defined in JWT [RFC7519].
            - type: string
              description: >
                OPTIONAL. Service-specific string identifier or list of string identifiers representing the intended
                audience for this token, as defined in JWT [RFC7519].
        iss:
          type: string
          description: 'OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].'
        jti:
          type: string
          description: 'OPTIONAL. String identifier for the token, as defined in JWT [RFC7519].'
    openid.implementation.Claims.Array:
      type: array
      items:
        type: string
        enum:
          - 'amr'
          - 'aud'
          - 'azp'
          - 'client_id'
          - 'exp'
          - 'iat'
          - 'iss'
          - 'jti'
          - 'rat'
          - 'auth_time'
          - 'nonce'
          - 'groups'
          - 'sub'
          - 'name'
          - 'given_name'
          - 'family_name'
          - 'middle_name'
          - 'nickname'
          - 'preferred_username'
          - 'profile'
          - 'picture'
          - 'website'
          - 'email'
          - 'email_verified'
          - 'alt_emails'
          - 'gender'
          - 'birthdate'
          - 'zoneinfo'
          - 'locale'
          - 'phone_number'
          - 'phone_number_verified'
          - 'address'
          - 'updated_at'
    openid.implementation.Claims.Object:
      description: OpenID Connect 1.0 User Claims.
      type: object
      properties:
        sub:
          type: string
        name:
          type: string
        given_name:
          type: string
        family_name:
          type: string
        middle_name:
          type: string
        nickname:
          type: string
        preferred_username:
          type: string
        profile:
          type: string
          format: uri
        picture:
          type: string
          format: uri
        website:
          type: string
          format: uri
        email:
          type: string
        alt_emails:
          type: array
          items:
            type: string
        email_verified:
          type: boolean
        gender:
          type: string
        birthdate:
          type: string
        zoneinfo:
          type: string
        locale:
          type: string
        phone_number:
          type: string
        phone_number_verified:
          type: boolean
        address:
          type: object
          properties:
            formatted:
              type: string
            street_address:
              type: string
            locality:
              type: string
            region:
              type: string
            postal_code:
              type: string
            country:
              type: string
        updated_at:
          type: integer
        groups:
          type: array
          items:
            type: string
        amr:
          type: array
          items:
            type: string
            enum:
              - 'mfa'
              - 'mca'
              - 'user'
              - 'pin'
              - 'pwd'
              - 'otp'
              - 'hwk'
              - 'sms'
        aud:
          type: array
          items:
            type: string
        azp:
          type: string
        client_id:
          type: string
        scope:
          type: string
        scp:
          type: array
          items:
            type: string
        rat:
          type: integer
        auth_time:
          type: integer
    openid.implementation.Scopes.Object:
      description: The scope.
      type: string
      oneOf:
        - $ref: '#/components/schemas/openid.spec.Scopes'
        - type: string
          enum:
            - 'groups'
    openid.spec.Scopes:
      type: string
      enum:
        - 'openid'
        - 'offline_access'
        - 'profile'
        - 'email'
        - 'address'
        - 'phone'
    openid.spec.ErrorResponseGeneric:
      description: >
        An OpenID Connect 1.0 and OAuth 2.0 error response Note this is a generic error response and may describe a
        possible response for a given endpoint that is not entirely accurate or possible. This is only meant to
        represent all of the potential response typesThe enum may also not be exhaustive as the relevant specifications
        are incredibly vast.
      required:
        - 'error'
      properties:
        error:
          description: REQUIRED. A single ASCII [USASCII] error code from the enum.
          type: string
          enum:
            - 'invalid_request'
            - 'invalid_client'
            - 'invalid_grant'
            - 'invalid_scope'
            - 'invalid_request_uri'
            - 'invalid_request_object'
            - 'unauthorized_client'
            - 'unsupported_grant_type'
            - 'unsupported_response_type'
            - 'unsupported_token_type'
            - 'request_not_supported'
            - 'request_uri_not_supported'
            - 'registration_not_supported'
            - 'access_denied'
            - 'server_error'
            - 'temporarily_unavailable'
            - 'unmet_authentication_requirements'
            - 'interaction_required'
            - 'login_required'
            - 'account_selection_required'
            - 'consent_required'
        error_description:
          description: >
            OPTIONAL. Human-readable ASCII [USASCII] text providing additional information, used to assist the client
            developer in understanding the error that occurred. Values for the "error_description" parameter MUST NOT
            include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
          type: string
        error_uri:
          description: >
            OPTIONAL. A URI identifying a human-readable web page with information about the error, used to provide the
            client developer with additional information about the error. Values for the "error_uri" parameter MUST
            conform to the URI-reference syntax and thus MUST NOT include characters outside the set %x21 / %x23-5B /
            %x5D-7E.
          type: string
        error_hint:
          description: An additional hint about the cause of the error.
          type: string
        error_debug:
          description: Additional debug information about the cause of the error.
          type: string
        state:
          description: >
            OAuth 2.0 state value. REQUIRED if the Authorization Request included the state parameter. Set to the value
            received from the Client.
          type: string
    openid.spec.AccessServerTokenAssertionRequest:
      required:
        - 'token'
      type: object
      properties:
        token:
          description: >
            The string value of the token. For access tokens, this
            is the 'access_token" value returned from the token endpoint
            defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens,
            this is the "refresh_token" value returned from the token endpoint
            as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
            are outside the scope of this specification.
          example: 'authelia_at_6-8jeA8y9Y744pAHCRwGtJrsD9ABOVWyzL3uWB1ntbI.foaDPNLT0T7VVQ9on5F1rOfHs0Lbc09FGO2xF_pzmNY'
          type: string
        token_type_hint:
          description: >
            A hint about the type of the token submitted for
            introspection. The protected resource MAY pass this parameter to
            help the authorization server optimize the token lookup. If the
            server is unable to locate the token using the given hint, it MUST
            extend its search across all of its supported token types. An
            authorization server MAY ignore this parameter, particularly if it
            is able to detect the token type automatically. Values for this
            field are defined in the "OAuth Token Type Hints" registry defined
            in OAuth Token Revocation [RFC7009].
          enum:
            - 'access_token'
            - 'refresh_token'
          example: 'access_token'
          type: string
    openid.spec.AccessRequest.ClientAuth:
      oneOf:
        - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Secret'
        - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.JWT'
    openid.spec.AccessRequest.ClientAuth.Secret:
      required:
        - 'client_id'
        - 'client_secret'
      type: object
      properties:
        client_id:
          description: >
            REQUIRED if the client is not authenticating with the authorization server as described in
            Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
          example: 'my_client'
          type: string
        client_secret:
          description: >
            REQUIRED. The client secret. The client MAY omit the
            parameter if the client secret is an empty string.
          format: password
          type: string
    openid.spec.AccessRequest.ClientAuth.JWT:
      required:
        - 'client_assertion'
        - 'client_assertion_type'
      properties:
        client_id:
          description: >
            REQUIRED if the client is not authenticating with the authorization server as described in
            Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
          example: 'my_client'
          type: string
        client_assertion:
          description: >
            A JWT signed with HS256 using the client secret value or RS256 using a registered public key.
            Theoretically a properly formed JWT signed using HS256 with the client secret as the HMAC key should
            work but this has not been tested.
          format: password
          type: string
        client_assertion_type:
          description: >
            The value of the client_assertion_type parameter MUST be
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
          type: string
          enum:
            - 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
          example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    openid.spec.AccessRequest.AuthorizationCodeFlow:
      allOf:
        - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
        - type: object
          required:
            - 'code'
            - 'grant_type'
          properties:
            grant_type:
              description: Value MUST be set to "code".
              enum:
                - 'authorization_code'
              type: string
            code:
              description: The Authorization Code.
              example: 'authelia_ac_VdQ5Ts3BCDtN4X-aCUW6esVl_PmMklup81bqyZ8PQJc.mQ7qgtwQu6_JdXR_OPJX3YDGOATBK6Bt6BgnsndFJQs'
              type: string
            code_verifier:
              description: The Authorization Code Verifier (PKCE).
              example: '88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3'
              type: string
            redirect_uri:
              description: The original Redirect URI used in the Authorization Request.
              example: 'https://app.{{ .Domain | default "example.com" }}/oidc/callback'
              type: string
    openid.spec.AccessRequest.DeviceCodeFlow:
      allOf:
        - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
        - type: object
          required:
            - 'grant_type'
            - 'device_code'
          properties:
            grant_type:
              description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
              enum:
                - 'urn:ietf:params:oauth:grant-type:device_code'
              type: string
            device_code:
              description: The Device Authorization Code.
              example: 'authelia_dc_oqLXXUv2pvCDgBJLBav63ZduL4CxKP7JpYZ6ldHp39Y.u3XxwV3O-uYOA5TSv44iQyB27YjUGawJLlwOMuC770E'
              type: string
    openid.spec.AccessRequest.RefreshTokenFlow:
      allOf:
        - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
        - type: object
          required:
            - 'grant_type'
            - 'refresh_token'
          properties:
            grant_type:
              description: Value MUST be set to "refresh_token".
              enum:
                - 'refresh_token'
              type: string
            refresh_token:
              description: The Refresh Token.
              example: 'authelia_rt_MgALbONdFPIwo3o2QukHry7W451xrO6jza31IS8Vh4M.IArqzOzLwY6HWqom1vmp9DUWBuOQel_fGnRw5MyT-jo'
              type: string
            scope:
              description: >
                The scope of the access request as described by
                Section 3.3. The requested scope MUST NOT include any scope
                not originally granted by the resource owner, and if omitted is
                treated as equal to the scope originally granted by the
                resource owner.
              example: 'openid profile groups'
              type: string
    openid.spec.AccessRequest.ClientCredentialsFlow:
      allOf:
        - $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
        - type: object
          required:
            - 'grant_type'
            - 'refresh_token'
          properties:
            grant_type:
              description: Value MUST be set to "client_credentials".
              enum:
                - 'client_credentials'
              type: string
            scope:
              description: >
                The scope of the access request as described by
                Section 3.3. The requested scope MUST NOT include any scope
                not originally granted by the resource owner, and if omitted is
                treated as equal to the scope originally granted by the
                resource owner.
              example: 'openid profile groups'
              type: string
    openid.spec.AccessResponse:
      type: object
      required:
        - 'access_token'
        - 'token_type'
        - 'expires_in'
      properties:
        access_token:
          description: The access token issued by the authorization server.
          example: 'authelia_at_6-8jeA8y9Y744pAHCRwGtJrsD9ABOVWyzL3uWB1ntbI.foaDPNLT0T7VVQ9on5F1rOfHs0Lbc09FGO2xF_pzmNY'
          type: string
        id_token:
          description: The id token issued by the authorization server.
          example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
          type: string
        refresh_token:
          description: >
            The refresh token, which can be used to obtain new access tokens using the
            same authorization grant as described in Section 6.
          example: 'authelia_rt_MgALbONdFPIwo3o2QukHry7W451xrO6jza31IS8Vh4M.IArqzOzLwY6HWqom1vmp9DUWBuOQel_fGnRw5MyT-jo'
          type: string
        token_type:
          description: >
            The access token type provides the client with the information
            required to successfully utilize the access token to make a protected
            resource request (along with type-specific attributes). The client
            MUST NOT use an access token if it does not understand the token
            type.
          enum:
            - 'bearer'
          example: 'bearer'
          type: string
        expires_in:
          description: >
            The lifetime in seconds of the access token. For
            example, the value "3600" denotes that the access token will
            expire in one hour from the time the response was generated.
            If omitted, the authorization server SHOULD provide the
            expiration time via other means or document the default value.
          example: 3600
          type: integer
        state:
          description: Exactly the state value passed in the authorization request if present.
          example: '5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB'
          type: string
        scope:
          description: >
            The scope of the access token as described by Section 3.3 if it differs from the requested scope.
          example: 'openid profile groups'
          type: string
    openid.spec.AuthorizeRequest:
      type: object
      required:
        - 'scope'
        - 'response_type'
        - 'client_id'
        - 'redirect_uri'
      properties:
        scope:
          description: The requested scope.
          example: 'openid profile groups'
          type: string
        response_type:
          $ref: '#/components/schemas/openid.spec.ResponseType'
        client_id:
          description: The OAuth 2.0 client identifier.
          example: 'app'
          type: string
        redirect_uri:
          description: >
            Redirection URI to which the response will be sent. This URI MUST exactly match one of the
            Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
            performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
            flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
            that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
            allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
            scheme, such as one that is intended to identify a callback into a native application.
          example: 'https://app.{{ .Domain | default "example.com" }}'
          type: string
          format: uri
        state:
          description: >
            Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
            Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
            parameter with a browser cookie.
          example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
          type: string
        response_mode:
          $ref: '#/components/schemas/openid.spec.ResponseMode'
        nonce:
          description: >
            String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
            The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
            entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
            implementation notes, see Section 15.5.2.
          example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
          type: string
        display:
          $ref: '#/components/schemas/openid.spec.DisplayType'
        prompt:
          $ref: '#/components/schemas/openid.spec.Prompt'
        max_age:
          description: >
            Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
            End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
            OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
            to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
            Token returned MUST include an auth_time Claim Value.
          type: integer
        ui_locales:
          description: >
            Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
            space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
            the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
            a region designation), followed by English (without a region designation). An error SHOULD NOT
            result if some or all of the requested locales are not supported by the OpenID Provider.
          type: string
        claims_locales:
          description: >
            Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
            a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
            SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
          type: string
        id_token_hint:
          description: >
            Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
            the End-User's current or past authenticated session with the Client. If the End-User identified by
            the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
            positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
            id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
            returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
            not present. The Authorization Server need not be listed as an audience of the ID Token when it is
            used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
            it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
            ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
            that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
            id_token_hint value.
          type: string
        login_hint:
          description: >
            Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
            log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
            address (or other identifier) and then wants to pass that value as a hint to the discovered
            authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
            This value MAY also be a phone number in the format specified for the phone_number Claim. The use
            of this parameter is left to the OP's discretion.
          type: string
        acr_values:
          description: >
            Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
            specifies the acr values that the Authorization Server is being requested to use for processing this
            Authentication Request, with the values appearing in order of preference. The Authentication Context
            Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
            Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
          type: string
        claims:
          description: >
            The claims parameter value, as specified in Section 5.5.
          type: string
        registration:
          description: >
            Not Supported: This parameter is used by the Client to provide information about itself to a
            Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
            specified in Section 7.2.1.
          type: string
        request:
          description: >
            Request Object value, as specified in Section 6.1. The Request Object MAY be
            encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
            issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
            Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
            algorithm used is RSA1_5.
          type: string
    openid.spec.DeviceAuthorizeRequest:
      type: object
      required:
        - 'client_id'
        - 'client_secret'
        - 'scope'
      properties:
        client_id:
          description: The OAuth 2.0 client identifier.
          example: 'app'
          type: string
        client_secret:
          description: >
            REQUIRED. The client secret. The client MAY omit the
            parameter if the client secret is an empty string.
          format: password
          type: string
        scope:
          description: The requested scope.
          example: 'openid profile groups'
          type: string
        acr_values:
          description: >
            Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
            specifies the acr values that the Authorization Server is being requested to use for processing this
            Authentication Request, with the values appearing in order of preference. The Authentication Context
            Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
            Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
          type: string
        claims:
          description: >
            The claims parameter value, as specified in Section 5.5.
          type: string
        claims_locales:
          description: >
            Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
            a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
            SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
          type: string
        ui_locales:
          description: >
            Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
            space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
            the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
            a region designation), followed by English (without a region designation). An error SHOULD NOT
            result if some or all of the requested locales are not supported by the OpenID Provider.
          type: string
    openid.spec.SubjectIdentifier:
      description: >
        A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
        End-User, which is intended to be consumed by the Client.
      enum:
        - 'public'
        - 'pairwise'
      type: string
    openid.spec.ClientAuthMethod:
      description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
      enum:
        - 'none'
        - 'client_secret_post'
        - 'client_secret_basic'
        - 'client_secret_jwt'
        - 'private_key_jwt'
        - 'tls_client_auth'
        - 'self_signed_tls_client_auth'
      type: string
    openid.spec.DisplayType:
      description: >
        ASCII string value that specifies how the Authorization Server displays the authentication and consent user
        interface pages to the End-User.
      enum:
        - 'page'
        - 'popup'
        - 'touch'
        - 'wap'
      example: 'page'
      type: string
    openid.spec.Prompt:
      description: >
        Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
        Authorization Server prompts the End-User for reauthentication and consent.
      enum:
        - 'none'
        - 'login'
        - 'consent'
        - 'select_account'
        - 'login consent'
        - 'login select_account'
        - 'consent select_account'
      example: 'none'
      type: string
    openid.spec.ResponseType:
      description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
      enum:
        - 'code'
        - 'id_token'
        - 'token'
        - "code token"
        - "code id_token"
        - "token id_token"
        - "code id_token token"
        - 'none'
      example: 'code'
      type: string
    openid.spec.ResponseMode:
      description: >
        Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
        Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
        the default mode specified for the Response Type.
      enum:
        - 'form_post'
        - 'query'
        - 'fragment'
        - 'jwt'
        - 'form_post.jwt'
        - 'query.jwt'
        - 'fragment.jwt'
      example: 'query'
      type: string
    openid.spec.GrantType:
      description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
      enum:
        - 'authorization_code'
        - 'refresh_token'
        - 'implicit'
        - 'password'
        - 'client_credentials'
        - "urn:ietf:params:oauth:grant-type:device_code"
      example: 'authorization_code'
      type: string
    openid.spec.CodeChallengeMethod:
      description: The RFC7636 Code Challenge Verifier Method.
      enum:
        - 'plain'
        - 'S256'
      example: 'S256'
      type: string
    openid.spec.ClaimType:
      description: The representation of claims.
      enum:
        - 'normal'
        - 'aggregated'
        - 'distributed'
      example: 'normal'
      type: string
    jose.spec.None:
      description: The JSON Web Signature Algorithm
      type: string
      enum:
        - 'none'
    jose.spec.JWS.None:
      description: The JSON Web Signature Algorithm
      oneOf:
        - $ref: '#/components/schemas/jose.spec.None'
        - $ref: '#/components/schemas/jose.spec.JWS'
      type: string
    jose.spec.JWS:
      description: The JSON Web Signature Algorithm
      enum:
        - 'HS256'
        - 'HS384'
        - 'HS512'
        - 'RS256'
        - 'RS384'
        - 'RS512'
        - 'ES256'
        - 'ES384'
        - 'ES512'
        - 'PS256'
        - 'PS384'
        - 'PS512'
      type: string
    jose.spec.JWE.alg:
      description: The JSON Web Encryption Algorithm (CEK)
      enum:
        - 'RSA1_5'
        - 'RSA-OAEP'
        - 'RSA-OAEP-256'
        - 'A128KW'
        - 'A192KW'
        - 'A256KW'
        - 'dir'
        - 'ECDH-ES'
        - 'ECDH-ES+A128KW'
        - 'ECDH-ES+A192KW'
        - 'ECDH-ES+A256KW'
        - 'A128GCMKW'
        - 'A192GCMKW'
        - 'A256GCMKW'
        - 'PBES2-HS256+A128KW'
        - 'PBES2-HS384+A192KW'
        - 'PBES2-HS512+A256KW'
      type: string
    jose.spec.JWE.enc:
      description: The JSON Web Encryption Algorithm (Claims)
      enum:
        - 'A128CBC-HS256'
        - 'A192CBC-HS384'
        - 'A256CBC-HS512'
        - 'A128GCM'
        - 'A192GCM'
        - 'A256GCM'
      type: string
    jose.spec.JWK.base:
      type: object
      properties:
        use:
          description: >
            The "use" (public key use) parameter identifies the intended use of
            the public key. The "use" parameter is employed to indicate whether
            a public key is used for encrypting data or verifying the signature
            on data.
          enum:
            - 'sig'
            - 'enc'
          example: 'sig'
          type: string
        key_ops:
          description: >
            The "key_ops" (key operations) parameter identifies the operation(s)
            for which the key is intended to be used. The "key_ops" parameter is
            intended for use cases in which public, private, or symmetric keys
            may be present.
          example: ['sign']
          type: array
          items:
            enum:
              - 'sign'
              - 'verify'
              - 'encrypt'
              - 'decrypt'
              - 'wrapKey'
              - 'unwrapKey'
              - 'deriveKey'
              - 'deriveBits'
            type: string
        kid:
          description: >
            The "kid" (key ID) parameter is used to match a specific key. This
            is used, for instance, to choose among a set of keys within a JWK Set
            during key rollover. The structure of the "kid" value is
            unspecified. When "kid" values are used within a JWK Set, different
            keys within the JWK Set SHOULD use distinct "kid" values. (One
            example in which different keys might use the same "kid" value is if
            they have different "kty" (key type) values but are considered to be
            equivalent alternatives by the application using them.) The "kid"
            value is a case-sensitive string. Use of this member is OPTIONAL.
            When used with JWS or JWE, the "kid" value is used to match a JWS or
            JWE "kid" Header Parameter value.
          type: string
        x5u:
          description: >
            The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
            resource for an X.509 public key certificate or certificate chain
            [RFC5280]. The identified resource MUST provide a representation of
            the certificate or certificate chain that conforms to RFC 5280
            [RFC5280] in PEM-encoded form, with each certificate delimited as
            specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
            certificate MUST match the public key represented by other members of
            the JWK. The protocol used to acquire the resource MUST provide
            integrity protection; an HTTP GET request to retrieve the certificate
            MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
            validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
            member is OPTIONAL.
          type: string
        x5c:
          description: >
            The "x5c" (X.509 certificate chain) parameter contains a chain of one
            or more PKIX certificates [RFC5280]. The certificate chain is
            represented as a JSON array of certificate value strings. Each
            string in the array is a base64-encoded (Section 4 of [RFC4648] --
            not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
            The PKIX certificate containing the key value MUST be the first
            certificate. This MAY be followed by additional certificates, with
            each subsequent certificate being the one used to certify the
            previous one. The key in the first certificate MUST match the public
            key represented by other members of the JWK. Use of this member is
            OPTIONAL.
          type: array
          items:
            format: byte
            type: string
        x5t:
          description: >
            The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
            base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
            encoding of an X.509 certificate [RFC5280]. Note that certificate
            thumbprints are also sometimes known as certificate fingerprints.
            The key in the certificate MUST match the public key represented by
            other members of the JWK. Use of this member is OPTIONAL.
          format: byte
          type: string
        x5t#S256:
          description: >
            The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
            base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
            encoding of an X.509 certificate [RFC5280]. Note that certificate
            thumbprints are also sometimes known as certificate fingerprints.
            The key in the certificate MUST match the public key represented by
            other members of the JWK. Use of this member is OPTIONAL.
          format: byte
          type: string
    jose.spec.JWK.RSA:
      description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
      allOf:
        - $ref: '#/components/schemas/jose.spec.JWK.base'
        - required:
            - 'kty'
            - 'n'
            - 'e'
          type: object
          properties:
            kty:
              description: >
                The "kty" (key type) parameter identifies the cryptographic algorithm
                family used with the key.
              type: string
              example: 'RSA'
              enum:
                - 'RSA'
            alg:
              description: The JSON Web Signature Algorithm
              type: string
              example: 'RS256'
              enum:
                - 'RS256'
                - 'RS384'
                - 'RS512'
                - 'PS256'
                - 'PS384'
                - 'PS512'
            n:
              description: >
                RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
                represented as a Base64urlUInt-encoded value.
              type: string
              format: byte
            e:
              description: >
                RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
                It is represented as a Base64urlUInt-encoded value.
              type: string
              format: byte
    jose.spec.JWK.RSA.Private:
      description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
      allOf:
        - $ref: '#/components/schemas/jose.spec.JWK.base'
        - $ref: '#/components/schemas/jose.spec.JWK.RSA'
        - type: object
          required:
            - 'd'
          properties:
            d:
              description: >
                RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
                private key. It is represented as a Base64urlUInt-encoded value.
              type: string
              format: byte
            p:
              description: >
                RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
                It is represented as a Base64urlUInt-encoded value.
              type: string
              format: byte
            q:
              description: >
                RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
                represented as a Base64urlUInt-encoded value.
              type: string
              format: byte
            dp:
              description: >
                RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
                (CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
              type: string
            dq:
              description: >
                RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
                second factor. It is represented as a Base64urlUInt-encoded value.
              type: string
            qi:
              description: >
                RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
                factor. It is represented as a Base64urlUInt-encoded value.
              type: string
              format: byte
            oth:
              description: >
                The "oth" (other primes info) parameter contains an array of
                information about any third and subsequent primes, should they exist.
              type: array
              items:
                type: object
                required:
                  - 'r'
                  - 'd'
                  - 't'
                properties:
                  r:
                    description: >
                      The "r" (prime factor) parameter within an "oth" array member
                      represents the value of a subsequent prime factor. It is represented
                      as a Base64urlUInt-encoded value.
                    type: string
                    format: byte
                  d:
                    description: >
                      The "d" (factor CRT exponent) parameter within an "oth" array member
                      represents the CRT exponent of the corresponding prime factor. It is
                      represented as a Base64urlUInt-encoded value.
                    type: string
                    format: byte
                  t:
                    description: >
                      The "t" (factor CRT coefficient) parameter within an "oth" array
                      member represents the CRT coefficient of the corresponding prime
                      factor. It is represented as a Base64urlUInt-encoded value.
                    type: string
                    format: byte
    jose.spec.JWK.EC:
      description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
      allOf:
        - $ref: '#/components/schemas/jose.spec.JWK.base'
        - type: object
          required:
            - 'kty'
            - 'crv'
            - 'x'
          properties:
            kty:
              description: >
                The "kty" (key type) parameter identifies the cryptographic algorithm
                family used with the key.
              type: string
              example: 'EC'
              enum:
                - 'EC'
            alg:
              description: The JSON Web Signature Algorithm
              type: string
              example: 'ES256'
              enum:
                - 'ES256'
                - 'ES384'
                - 'ES512'
            x:
              description: >
                EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
                It is represented as the base64url encoding of the octet string representation of the coordinate, as
                defined in Section 2.3.5 of SEC1 [SEC1].
              type: string
              format: byte
            y:
              description: >
                EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
                It is represented as the base64url encoding of the octet string representation of the coordinate, as
                defined in Section 2.3.5 of SEC1 [SEC1].
              type: string
              format: byte
            crv:
              description: >
                The curve parameter identifies the cryptographic curve used with the key. Curve
                values from [DSS] used by this specification.
              type: string
              example: 'P-521'
              enum:
                - 'P-256'
                - 'P-384'
                - 'P-521'
                - 'Ed25519'
                - 'Ed448'
                - 'X25519'
                - 'X448'
                - 'secp256k1'
    jose.spec.JWK.EC.Private:
      description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
      allOf:
        - $ref: '#/components/schemas/jose.spec.JWK.base'
        - $ref: '#/components/schemas/jose.spec.JWK.EC'
        - type: object
          required:
            - 'd'
          properties:
            d:
              description: >
                ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
                is represented as the base64url encoding of the octet string representation of the private key value,
                as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
                ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
              type: string
              format: byte
    jose.spec.JWK.Symmetric:
      description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
      allOf:
        - $ref: '#/components/schemas/jose.spec.JWK.base'
        - type: object
          required:
            - 'k'
          properties:
            kty:
              description: >
                The "kty" (key type) parameter identifies the cryptographic algorithm
                family used with the key.
              type: string
              example: 'oct'
              enum:
                - 'oct'
            k:
              description: >
                The "k" (key value) parameter contains the value of the symmetric (or
                other single-valued) key. It is represented as the base64url
                encoding of the octet sequence containing the key value.
              type: string
              format: byte
    jose.spec.JWK:
      type: string
      anyOf:
        - $ref: '#/components/schemas/jose.spec.JWK.RSA'
        - $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
        - $ref: '#/components/schemas/jose.spec.JWK.EC'
        - $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
        - $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
    jose.spec.JWKs:
      type: object
      description: The JSON Web Key Sets Document as defined by RFC7517.
      properties:
        keys:
          description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
          type: array
          items:
            $ref: '#/components/schemas/jose.spec.JWK'
  {{- end }}
  securitySchemes:
    authelia_auth:
      type: apiKey
      name: '{{ .Session }}'
      in: cookie
    {{- if .OpenIDConnect }}
    openid:
      type: openIdConnect
      openIdConnectUrl: '{{ .BaseURL | default "https://auth.example.com/" }}.well-known/openid-configuration'
    {{- end }}
...