OAuth and OpenID Connect
openapi: 3.0.0
info:
  version: '0.0'
  title: OIDC Provider
servers:
  - url: 'https://login.jackhenry.com'
tags:
  - name: Provider Info
  - name: Token
  - name: Authorization
paths:
  /.well-known/openid-configuration:
    get:
      tags:
        - Provider Info
      description: Gets a JSON listing of the OpenID/OAuth endpoints, supported scopes, supported claims, and other details. Clients can use this information in order to build a request to the OpenID server.
      responses:
        '200':
          description: OK
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/jwks:
    get:
      tags:
        - Provider Info
      summary: Gets the JSON Web Key Set (JWKS) for verifying JWTs received from the authentication server.
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/certsResponse'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/token:
    post:
      tags:
        - Token
      summary: Issues access tokens and refresh tokens
      description: |
        This endpoint requires client authentication using either CLIENT_ID & CLIENT_SECRET
        in the AUTHORIZATION header, CLIENT_ID and CLIENT_SECRET as parameters in the body, or CLIENT_ID,
        CLIENT_ASSERTION and CLIENT_ASSERTION_TYPE as parameters in the body.
      parameters:
        - name: DPoP
          in: header
          schema:
            type: string
          required: false
          description: |
            OPTIONAL: A valid Demonstrating Proof of Possession (DPoP) JWT used to bind the access token to the
            client. This is an advanced technique to prevent token theft. When an access token is bound,
            all API requests to a resource server must also present a valid DPoP header.
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/tokenRequest'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenResponse'
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenFailure'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenUnauthorized'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/token/revocation:
    post:
      tags:
        - Token
      summary: Revokes a refresh token.
      description: See the [OAuth Token Revocation specs](https://tools.ietf.org/html/rfc7009).
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/tokenRevocationRequest'
      responses:
        '200':
          description: OK (no content)
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenFailure'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenUnauthorized'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/auth:
    get:
      summary: Sends an authentication request using query string parameters.
      description: 'Utilizing query string parameters, the `/auth` route will redirect to the specified `redirect_uri` with the result of the call found in the URL.'
      tags:
        - Authorization
      parameters:
        - name: client_id
          in: query
          description: ID of the client
          required: true
          schema:
            type: string
            example: 00000000-0000-0000-0000-000000000000
        - name: response_type
          in: query
          description: |
            The authorization type. Must be set to `code`.
            This parameter is required unless a `request_uri` parameter is present.
          required: false
          schema:
            type: string
            enum:
              - code
            example: code
        - name: redirect_uri
          in: query
          description: |
            The redirect URI as registered by the client.
            This parameter is required unless a `request_uri` parameter is present.
          required: false
          schema:
            type: string
            example: https://localhost/cb
        - name: scope
          in: query
          description: The possible scope of the request
          required: false
          schema:
            type: string
            example: openid
        - name: claims
          in: query
          description: Claims to return in the id_token or from the userinfo endpoint
          required: false
          schema:
            type: string
            example: "{\"id_token\":{\"email\":null}}"
        - name: state
          in: query
          description: Any client state that needs to be passed on to the redirect URI
          required: false
          schema:
            type: string
            example: 00000000-0000-0000-0000-000000000000
        - name: prompt
          in: query
          description: Specific prompts a user must be presented with
          required: false
          schema:
            type: string
            enum:
              - login
              - consent
            example: consent
        - name: code_challenge
          in: query
          description: PKCE code challenge
          required: false
          schema:
            type: string
            example: base64UrlEncoded(sha256(code_verifier))
        - name: code_challenge_method
          in: query
          description: PKCE code challenge method
          required: false
          schema:
            type: string
            enum:
              - S256
            example: S256
        - name: login_hint
          in: query
          description: Prefill the username during the login flow.
          required: false
          schema:
            type: string
            example: janedoe@company.com
        - name: request_uri
          in: query
          required: false
          schema:
            type: string
            example: urn:ietf:params:oauth:request_uri:_siAdMv6nl32bg-aARi-7
          description: |
            URI obtained from the /request endpoint to continue an authorization code flow
            which was started with a Pushed Authorization Request. When a `request_uri` is
            provided, the only other parameter utilized is `client_id`.
      responses:
        '200':
          description: OK
        '400':
          description: Bad Request
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/request:
    post:
      tags:
        - Authorization
      summary: Start the authorization code flow with a Pushed Authorization Request (PAR).
      description: |
        Starts the authorization code flow without exposing the request parameters to the end user.
        This provides additional security over the traditional authorization code flow.
        This endpoint requires client authentication using either CLIENT_ID & CLIENT_SECRET
        in the AUTHORIZATION header, CLIENT_ID and CLIENT_SECRET as parameters in the body, or CLIENT_ID,
        CLIENT_ASSERTION and CLIENT_ASSERTION_TYPE as parameters in the body.
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/basePushedAuthRequest'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  expires_in:
                    type: number
                    example: 60
                  request_uri:
                    type: string
                    example: urn:ietf:params:oauth:request_uri:_siAdMv6nl32bg-aARi-7
        '400':
          description: Bad Request
          content:
            text/html:
              schema:
                type: string
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/logout:
    get:
      tags:
        - Logout
      summary: Log out the current user
      description: |
        Allows the user to log out of both the client app and the identity provider. The identity
        provider may prompt the user for confirmation that this is intended. The client app may
        pre-register a logout URL and redirect the user to it after the identity provider session
        has been destroyed.
      parameters:
        - name: client_id
          in: query
          required: false
          schema:
            type: string
            example: 00000000-0000-0000-0000-000000000000
          description: |
            ID of the client.
            Either a `client_id` or an `id_token_hint` parameter is required.
        - name: id_token_hint
          in: query
          required: false
          schema:
            type: string
          description: |
            An identity token for the user provided by the identity provider from the /token endpoint.
            Either a `client_id` or an `id_token_hint` parameter is required.
        - name: post_logout_redirect_uri
          in: query
          required: false
          schema:
            type: string
            example: https://localhost/custom-logout
          description: |
            URL to redirect the user to after logout. The provided state parameter will be appended
            as a query parameter. This exact URL must be pre-registered as a callback URL for the client.
            Either a client_id or an id_token_hint parameter must be provided to utilize a
            post_logout_redirect_uri; otherwise the user will be sent to the default logout URL for the
            identity provider.
        - name: state
          in: query
          description: Any client state that needs to be passed on to the redirect URI
          required: false
          schema:
            type: string
            example: 00000000-0000-0000-0000-000000000000
      responses:
        '303':
          description: OK
          content:
            text/html:
              schema:
                type: string
  /a/oidc-provider/api/v0/me:
    get:
      tags:
        - User Info
      summary: Returns info about the authenticated user.
      description: See the [OpenID Connect Core specs](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
      security:
        - OpenIDEnterprise:
            - openid
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/userInfo'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenUnauthorized'
        '500':
          description: Internal Server Error
components:
  securitySchemes:
    OpenIDEnterprise:
      $ref: 'https://jackhenry.dev/authentication-framework/security-schemes.swagger.yaml#/components/securitySchemes/OpenIDEnterprise'
  schemas:
    certsResponse:
      type: object
      properties:
        keys:
          type: array
          items:
            required:
              - kid
              - kty
              - use
            type: object
            properties:
              kty:
                type: string
                example: string
              kid:
                type: string
                example: string
              use:
                type: string
                example: string
              crv:
                type: string
                example: string
              x:
                type: string
                example: string
              'y':
                type: string
                example: string
              d:
                type: string
                example: string
              e:
                type: string
                example: string
              'n':
                type: string
                example: string
              p:
                type: string
                example: string
              q:
                type: string
                example: string
              dp:
                type: string
                example: string
              dq:
                type: string
                example: string
              qi:
                type: string
                example: string
    tokenRequest:
      required:
        - grant_type
      type: object
      properties:
        client_assertion:
          description: Properly signed JWT (this houses the client id for the request). Test token payload at https://jwt.io/
          type: string
          example: string
        client_assertion_type:
          $ref: '#/components/schemas/validClientAssertionTypes'
        grant_type:
          $ref: '#/components/schemas/validGrantTypes'
        scope:
          $ref: '#/components/schemas/validScopes'
        code:
          description: The authorization code received from the authorization endpoint.
          type: string
          example: string
        redirect_uri:
          description: The redirect URI used in the initial authorization request.
          type: string
          example: https://localhost/cb
        client_id:
          description: ID of the client
          type: string
          example: 00000000-0000-0000-0000-000000000000
        code_verifier:
          description: PKCE code verifier
          type: string
          example: string
    tokenRevocationRequest:
      required:
        - client_id
        - client_secret
        - token
      type: object
      properties:
        client_id:
          type: string
          example: 0cd6b55a-3017-4e16-aa50-f0cbdb1cd12f
        client_secret:
          type: string
          example: b63f559e-1425-41f9-9381-454b64e1981a
        token:
          type: string
          description: ID of the token to revoke
        token_type_hint:
          type: string
          example: refresh_token
          description: Suggests the type of token passed
    tokenResponse:
      required:
        - access_token
        - token_type
        - refresh_token
      type: object
      properties:
        access_token:
          type: string
          description: The access token returned from the server
          example: string
        token_type:
          type: string
          description: The type of access token that was given.
          example: string
        expires_in:
          type: string
          description: The number of seconds until the access token expires
          example: '600'
        refresh_token:
          type: string
          description: A refresh token for use when the access token has expired.
          example: string
    tokenFailure:
      type: object
      properties:
        error:
          type: string
          example: Invalid request
        error_description:
          type: string
          example: no client authentication mechanism provided
    tokenUnauthorized:
      type: object
      properties:
        error:
          type: string
          example: invalid client
        error_description:
          type: string
          example: client authentication failed
    baseAuthRequest:
      type: object
      required:
        - client_id
        - response_type
        - redirect_uri
      properties:
        client_id:
          description: ID of the client
          type: string
          example: 00000000-0000-0000-0000-000000000000
        response_type:
          description: The authorization type. Must be set to `code`
          type: string
          enum:
            - code
          example: code
        redirect_uri:
          description: The redirect URI as registered by the client.
          type: string
          example: https://localhost/cb
        scope:
          description: The possible scope of the request
          type: string
          example: openid
        claims:
          description: Claims to return in the id_token or from the userinfo endpoint
          type: string
          example: "{\"id_token\":{\"email\":null}}"
        state:
          description: Any client state that needs to be passed on to the redirect URI
          type: string
          example: random+value
        prompt:
          description: Specific prompts a user must be presented with
          type: string
          enum:
            - login
            - consent
          example: consent
        code_challenge:
          description: PKCE code challenge
          type: string
          example: base64UrlEncoded(sha256(code_verifier))
        code_challenge_method:
          description: PKCE code challenge method - must be `S256`
          type: string
          enum:
            - S256
          example: S256
        login_hint:
          description: Prefill the username during the login flow.
          type: string
          example: janedoe@company.com
    basePushedAuthRequest:
      allOf:
        - type: object
          required:
            - client_secret
          properties:
            client_secret:
              type: string
              example: b63f559e-1425-41f9-9381-454b64e1981a
              description: Secret used to authenticate requests for the given client_id
        - $ref: '#/components/schemas/baseAuthRequest'
    pushedAuthRequest:
      required:
        - client_id
        - request_uri
      type: object
      properties:
        client_id:
          description: ID of the client
          type: string
          example: 00000000-0000-0000-0000-000000000000
        request_uri:
          description: |
            URI obtained from the /request endpoint to continue an authorization code flow
            which was started with a Pushed Authorization Request. When a `request_uri` is
            provided, the only other parameter utilized is `client_id`.
          type: string
          example: urn:ietf:params:oauth:request_uri:_siAdMv6nl32bg-aARi-7
    authRequest:
      oneOf:
        - $ref: '#/components/schemas/baseAuthRequest'
        - $ref: '#/components/schemas/pushedAuthRequest'
    validClientAssertionTypes:
      type: string
      description: The possible client assertion types for the request
      enum:
        - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    validGrantTypes:
      type: string
      description: The possible grant types for the request
      enum:
        - client_credentials
    validScopes:
      type: string
      description: The possible scope of the request
      enum:
        - openid
    userInfo:
      type: object
      properties:
        sub:
          type: string
          description: User ID
          example: cf857130-6d24-11e9-870c-0242b75cad58
        institution_id:
          type: string
          example: c8b309b0-fc09-11e5-8adf-0e09432615dc
        family_name:
          type: string
          example: John
        given_name:
          type: string
          example: Doe
        middle_name:
          type: string
          nullable: true
          example: Q
        name:
          type: string
          example: John Doe
        picture:
          type: string
          example: https://login.jackhenry.com/a/sentry/api/users/cf857130-6d24-11e9-870c-0242b75cad58/profile-image
        email:
          type: string
          example: jdoe@example.com
        phone_number:
          type: string
          example: '+15555556652'
        preferred_username:
          type: string
          example: jdoe@example.com
        department:
          type: string
          example: retail
        title:
          type: string
          example: teller
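The client side of the flow that `/request`, `/auth` and `/token` describe, as an added example that is not Jack Henry's code: PKCE verifier and S256 challenge, the PAR form body, the minimal `/auth` redirect (only `client_id` and `request_uri`), a `state` check on the callback, and the token-exchange body. It assumes `grant_type=authorization_code` is accepted (the spec's `tokenRequest` carries `code` and `code_verifier`, while its `validGrantTypes` enum lists only `client_credentials`) and uses constructed client credentials.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://login.jackhenry.com"  # servers[0].url from the spec
PAR_ENDPOINT = ISSUER + "/a/oidc-provider/api/v0/request"
AUTH_ENDPOINT = ISSUER + "/a/oidc-provider/api/v0/auth"
TOKEN_ENDPOINT = ISSUER + "/a/oidc-provider/api/v0/token"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))

def pkce_challenge(code_verifier: str) -> str:
    """S256: base64UrlEncoded(sha256(code_verifier)), the only method the spec allows."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def par_body(client_id, client_secret, redirect_uri, state, code_verifier) -> dict:
    """Form body for POST /request (basePushedAuthRequest). The request parameters
    travel server-to-server here instead of in the browser-visible /auth URL."""
    return {"client_id": client_id, "client_secret": client_secret,
            "response_type": "code", "redirect_uri": redirect_uri, "scope": "openid",
            "state": state, "code_challenge": pkce_challenge(code_verifier),
            "code_challenge_method": "S256"}

def auth_redirect_url(client_id: str, request_uri: str) -> str:
    """GET /auth after PAR: the spec says client_id is the only other parameter used
    with request_uri, so nothing else is sent. expires_in on the PAR response (60 in
    the example) bounds how long this URL stays usable."""
    return AUTH_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Parse the redirect back to redirect_uri. Compare state before anything else so a
    forged or cross-client callback is dropped without exchanging its code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def token_body(client_id, client_secret, code, redirect_uri, code_verifier) -> dict:
    """Form body for POST /token with body client authentication (assumed grant type:
    authorization_code). The server recomputes S256(code_verifier) and compares it
    with the code_challenge stored alongside the code."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
```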
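The `DPoP` parameter on `/token` says that once an access token is bound, every resource-server call must carry a valid DPoP header. This added example (not the provider's code) shows the resource-server side of that binding as RFC 9449 and RFC 7638 define it: the JWK thumbprint, the `htm`/`htu`/`iat`/`jti`/`ath` checks, and the comparison against the token's `cnf.jkt`. It assumes JWT access tokens that carry `cnf.jkt`, and that signature verification (the proof against its own header `jwk`, the token against the `/jwks` endpoint) has already been done by a JOSE library; `compact_jwt` and the key values are constructed fixtures.

```python
import base64
import hashlib
import json
import time

# RFC 7638: the thumbprint covers only each key type's required public members.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """Sorted required members, compact JSON, SHA-256, base64url (RFC 7638)."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    return b64url(hashlib.sha256(json.dumps(members, sort_keys=True, separators=(",", ":")).encode()).digest())

def ath_of(access_token: str) -> str:
    """The 'ath' claim, base64url(SHA-256(access_token)), ties a proof to one token."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def compact_jwt(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Fixture builder only: the signature is a placeholder (assumed verified elsewhere)."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{b64url(signature)}"

def decode_jwt(compact: str):
    header_b64, claims_b64, _sig = compact.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))

def check_dpop_bound_request(proof: str, access_token: str, method: str, url: str,
                             seen_jti: set, now: float = None, max_age: int = 300) -> str:
    """Returns the confirmed key thumbprint; raises ValueError on any binding failure."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(proof)
    jwk = header.get("jwk") or {}
    alg = str(header.get("alg", "none"))
    # Header rules: correct typ, an asymmetric alg, and a public key only (no private 'd').
    if header.get("typ") != "dpop+jwt" or alg.lower() == "none" or alg.startswith("HS") or "kty" not in jwk or "d" in jwk:
        raise ValueError("DPoP header must be typ=dpop+jwt, asymmetric alg, public jwk only")
    if claims.get("htm") != method or claims.get("htu") != url.split("#")[0].split("?")[0]:
        raise ValueError("DPoP proof was issued for a different method or URL")
    if not (now - max_age <= claims.get("iat", 0) <= now + 60):  # 60 s clock skew allowance
        raise ValueError("DPoP proof iat outside the acceptance window")
    if not claims.get("jti") or claims["jti"] in seen_jti:
        raise ValueError("DPoP proof replayed or missing jti")
    if claims.get("ath") != ath_of(access_token):
        raise ValueError("DPoP proof is not bound to this access token (ath)")
    jkt = jwk_thumbprint(jwk)
    if decode_jwt(access_token)[1].get("cnf", {}).get("jkt") != jkt:
        raise ValueError("access token cnf.jkt does not match the DPoP proof key")
    seen_jti.add(claims["jti"])
    return jkt
```

The `seen_jti` set stands in for whatever replay store the resource server uses; entries only need to live as long as `max_age`.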
Last updated Thu Apr 9 2026