oc-auth OAUTH2

This commit is contained in:
mr
2026-02-19 14:56:15 +01:00
parent 048707bfe5
commit 078aae8172
14 changed files with 1360 additions and 610 deletions


@@ -15,18 +15,50 @@
},
"basePath": "/oc/",
"paths": {
"/consent": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.\n\u003cbr\u003e",
"operationId": "OAuthController.Consent",
"parameters": [
{
"in": "query",
"name": "consent_challenge",
"description": "The consent challenge from Hydra",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Redirect"
}
},
"400": {
"description": "missing consent_challenge"
},
"500": {
"description": "internal error"
}
}
}
},
"/forward": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "auth forward\n\u003cbr\u003e",
"description": "Forward auth for Traefik — validates JWT via Hydra introspection\n\u003cbr\u003e",
"operationId": "OAuthController.AuthForward",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "auth token",
"description": "Bearer token",
"type": "string"
}
],
@@ -216,80 +248,148 @@
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "introspect token\n\u003cbr\u003e",
"operationId": "OAuthController.Introspection",
"description": "Introspect a token — respects Hydra's response\n\u003cbr\u003e",
"operationId": "OAuthController.Introspect",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "auth token",
"description": "Bearer token",
"type": "string"
}
],
"responses": {
"200": {
"description": "{string}"
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.IntrospectResult"
}
}
}
}
},
"/login": {
"post": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "authenticate user\n\u003cbr\u003e",
"operationId": "OAuthController.Login",
"description": "Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.\n\u003cbr\u003e",
"operationId": "OAuthController.GetLogin",
"parameters": [
{
"in": "body",
"name": "body",
"description": "The workflow content",
"required": true,
"schema": {
"$ref": "#/definitions/models.workflow"
}
},
{
"in": "query",
"name": "client_id",
"description": "the client_id you want to get",
"name": "login_challenge",
"description": "The login challenge from Hydra",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "{string}"
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.LoginChallenge"
}
},
"400": {
"description": "missing login_challenge"
},
"500": {
"description": "internal error"
}
}
},
"post": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Authenticate user via LDAP and accept Hydra login challenge\n\u003cbr\u003e",
"operationId": "OAuthController.PostLogin",
"parameters": [
{
"in": "body",
"name": "body",
"description": "Login credentials and challenge",
"required": true,
"schema": {
"$ref": "#/definitions/auth_connectors.LoginRequest"
}
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Redirect"
}
},
"401": {
"description": "invalid credentials"
},
"500": {
"description": "internal error"
}
}
}
},
"/logout": {
"delete": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "unauthenticate user\n\u003cbr\u003e",
"operationId": "OAuthController.Logout",
"description": "Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.\n\u003cbr\u003e",
"operationId": "OAuthController.GetLogout",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "auth token",
"type": "string"
},
{
"in": "query",
"name": "client_id",
"description": "the client_id you want to get",
"name": "logout_challenge",
"description": "The logout challenge from Hydra",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "{string}"
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Redirect"
}
},
"400": {
"description": "missing logout_challenge"
},
"500": {
"description": "internal error"
}
}
},
"delete": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Revoke an OAuth2 token\n\u003cbr\u003e",
"operationId": "OAuthController.Logout",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "Bearer token",
"type": "string"
},
{
"in": "query",
"name": "client_id",
"description": "The client_id",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Token"
}
}
}
}
@@ -468,29 +568,28 @@
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "introspect token\n\u003cbr\u003e",
"operationId": "OAuthController.Introspection",
"description": "Exchange a refresh_token for a new token set\n\u003cbr\u003e",
"operationId": "OAuthController.Refresh",
"parameters": [
{
"in": "body",
"name": "body",
"description": "The token info",
"description": "refresh_token and client_id",
"required": true,
"schema": {
"$ref": "#/definitions/models.Token"
"$ref": "#/definitions/object"
}
},
{
"in": "query",
"name": "client_id",
"description": "the client_id you want to get",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "{string}"
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.TokenResponse"
}
},
"401": {
"description": "invalid refresh token"
}
}
}
@@ -699,19 +798,152 @@
}
},
"definitions": {
"models.Token": {
"title": "Token",
"2111.0xc0004ce750.false": {
"title": "false",
"type": "object"
},
"models.workflow": {
"title": "workflow",
"3850.0xc0004ce930.false": {
"title": "false",
"type": "object"
},
"auth_connectors.IntrospectResult": {
"title": "IntrospectResult",
"type": "object",
"properties": {
"active": {
"type": "boolean"
},
"client_id": {
"type": "string"
},
"exp": {
"type": "integer",
"format": "int64"
},
"ext": {
"$ref": "#/definitions/3850.0xc0004ce930.false"
},
"scope": {
"type": "string"
},
"sub": {
"type": "string"
},
"token_type": {
"type": "string"
}
}
},
"auth_connectors.LoginChallenge": {
"title": "LoginChallenge",
"type": "object",
"properties": {
"challenge": {
"type": "string"
},
"client": {
"$ref": "#/definitions/2111.0xc0004ce750.false"
},
"request_url": {
"type": "string"
},
"session_id": {
"type": "string"
},
"skip": {
"type": "boolean"
},
"subject": {
"type": "string"
}
}
},
"auth_connectors.LoginRequest": {
"title": "LoginRequest",
"type": "object",
"properties": {
"login_challenge": {
"type": "string"
},
"password": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"auth_connectors.Redirect": {
"title": "Redirect",
"type": "object",
"properties": {
"redirect_to": {
"type": "string"
}
}
},
"auth_connectors.Token": {
"title": "Token",
"type": "object",
"properties": {
"access_token": {
"type": "string"
},
"active": {
"type": "boolean"
},
"expires_in": {
"type": "integer",
"format": "int64"
},
"id_token": {
"type": "string"
},
"refresh_token": {
"type": "string"
},
"scope": {
"type": "string"
},
"token_type": {
"type": "string"
}
}
},
"auth_connectors.TokenResponse": {
"title": "TokenResponse",
"type": "object",
"properties": {
"access_token": {
"type": "string"
},
"expires_in": {
"type": "integer",
"format": "int64"
},
"id_token": {
"type": "string"
},
"refresh_token": {
"type": "string"
},
"scope": {
"type": "string"
},
"token_type": {
"type": "string"
}
}
},
"object": {
"title": "object",
"type": "object"
}
},
"tags": [
{
"name": "oc-auth/controllersOAuthController",
"description": "Operations about auth\n"
"description": "OAuthController handles OAuth2 login/consent provider endpoints\n"
},
{
"name": "group",
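Review bot: The new definitions `2111.0xc0004ce750.false` and `3850.0xc0004ce930.false`, referenced by `LoginChallenge.client` and `IntrospectResult.ext`, embed what looks like a runtime pointer address from the generator, so their names will change on every regeneration and they say nothing about the value's shape; declaring those two fields directly as `{"type": "object", "additionalProperties": true}` (or a named schema for the Hydra client object) would make the spec stable and self-describing. The `DELETE /logout` 200 response refers to `auth_connectors.Token`, which carries `access_token`, `refresh_token` and `id_token`; if the revoke handler only reports a status, the schema should be narrowed so clients do not expect, or log, token material from a revocation response. The same generated definitions and the same `Token` reference appear in the swagger.yml section below. The enclosing `paths` and `definitions` objects start outside the hunks.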


@@ -12,18 +12,41 @@ info:
url: https://www.gnu.org/licenses/agpl-3.0.html
basePath: /oc/
paths:
/consent:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.
<br>
operationId: OAuthController.Consent
parameters:
- in: query
name: consent_challenge
description: The consent challenge from Hydra
required: true
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.Redirect'
"400":
description: missing consent_challenge
"500":
description: internal error
/forward:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
auth forward
Forward auth for Traefik validates JWT via Hydra introspection
<br>
operationId: OAuthController.AuthForward
parameters:
- in: header
name: Authorization
description: auth token
description: Bearer token
type: string
responses:
"200":
@@ -164,61 +187,110 @@ paths:
tags:
- oc-auth/controllersOAuthController
description: |-
introspect token
Introspect a token respects Hydra's response
<br>
operationId: OAuthController.Introspection
operationId: OAuthController.Introspect
parameters:
- in: header
name: Authorization
description: auth token
description: Bearer token
type: string
responses:
"200":
description: '{string}'
description: ""
schema:
$ref: '#/definitions/auth_connectors.IntrospectResult'
/login:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.
<br>
operationId: OAuthController.GetLogin
parameters:
- in: query
name: login_challenge
description: The login challenge from Hydra
required: true
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.LoginChallenge'
"400":
description: missing login_challenge
"500":
description: internal error
post:
tags:
- oc-auth/controllersOAuthController
description: |-
authenticate user
Authenticate user via LDAP and accept Hydra login challenge
<br>
operationId: OAuthController.Login
operationId: OAuthController.PostLogin
parameters:
- in: body
name: body
description: The workflow content
description: Login credentials and challenge
required: true
schema:
$ref: '#/definitions/models.workflow'
$ref: '#/definitions/auth_connectors.LoginRequest'
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.Redirect'
"401":
description: invalid credentials
"500":
description: internal error
/logout:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.
<br>
operationId: OAuthController.GetLogout
parameters:
- in: query
name: client_id
description: the client_id you want to get
name: logout_challenge
description: The logout challenge from Hydra
required: true
type: string
responses:
"200":
description: '{string}'
/logout:
description: ""
schema:
$ref: '#/definitions/auth_connectors.Redirect'
"400":
description: missing logout_challenge
"500":
description: internal error
delete:
tags:
- oc-auth/controllersOAuthController
description: |-
unauthenticate user
Revoke an OAuth2 token
<br>
operationId: OAuthController.Logout
parameters:
- in: header
name: Authorization
description: auth token
description: Bearer token
type: string
- in: query
name: client_id
description: the client_id you want to get
description: The client_id
required: true
type: string
responses:
"200":
description: '{string}'
description: ""
schema:
$ref: '#/definitions/auth_connectors.Token'
/permission/:
get:
tags:
@@ -350,24 +422,23 @@ paths:
tags:
- oc-auth/controllersOAuthController
description: |-
introspect token
Exchange a refresh_token for a new token set
<br>
operationId: OAuthController.Introspection
operationId: OAuthController.Refresh
parameters:
- in: body
name: body
description: The token info
description: refresh_token and client_id
required: true
schema:
$ref: '#/definitions/models.Token'
- in: query
name: client_id
description: the client_id you want to get
required: true
type: string
$ref: '#/definitions/object'
responses:
"200":
description: '{string}'
description: ""
schema:
$ref: '#/definitions/auth_connectors.TokenResponse'
"401":
description: invalid refresh token
/role/:
get:
tags:
@@ -522,16 +593,106 @@ paths:
"200":
description: ""
definitions:
models.Token:
2111.0xc0004ce750.false:
title: "false"
type: object
3850.0xc0004ce930.false:
title: "false"
type: object
auth_connectors.IntrospectResult:
title: IntrospectResult
type: object
properties:
active:
type: boolean
client_id:
type: string
exp:
type: integer
format: int64
ext:
$ref: '#/definitions/3850.0xc0004ce930.false'
scope:
type: string
sub:
type: string
token_type:
type: string
auth_connectors.LoginChallenge:
title: LoginChallenge
type: object
properties:
challenge:
type: string
client:
$ref: '#/definitions/2111.0xc0004ce750.false'
request_url:
type: string
session_id:
type: string
skip:
type: boolean
subject:
type: string
auth_connectors.LoginRequest:
title: LoginRequest
type: object
properties:
login_challenge:
type: string
password:
type: string
username:
type: string
auth_connectors.Redirect:
title: Redirect
type: object
properties:
redirect_to:
type: string
auth_connectors.Token:
title: Token
type: object
models.workflow:
title: workflow
properties:
access_token:
type: string
active:
type: boolean
expires_in:
type: integer
format: int64
id_token:
type: string
refresh_token:
type: string
scope:
type: string
token_type:
type: string
auth_connectors.TokenResponse:
title: TokenResponse
type: object
properties:
access_token:
type: string
expires_in:
type: integer
format: int64
id_token:
type: string
refresh_token:
type: string
scope:
type: string
token_type:
type: string
object:
title: object
type: object
tags:
- name: oc-auth/controllersOAuthController
description: |
Operations about auth
OAuthController handles OAuth2 login/consent provider endpoints
- name: group
description: |
Operations about auth
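Review bot: The `/refresh` request body is typed as `$ref: '#/definitions/object'`, an empty object schema, so the spec no longer states that `refresh_token` and `client_id` are the expected fields and the prose description is the only hint; a named definition such as `auth_connectors.RefreshRequest` with `properties` for `refresh_token` and `client_id` and `required: [refresh_token, client_id]` would let clients and validators catch a missing client binding before the request reaches Hydra. Likewise `auth_connectors.LoginRequest` lists `username`, `password` and `login_challenge` as properties without a `required` list, although `POST /login` documents a 401 for invalid credentials and cannot complete without them. The enclosing `paths` and `definitions` maps start before these hunks.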