core/oc-auth
6
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: core:078aae81726975005340f42ba6dfc8879cd431b4
Branches Tags
core:main core:demo-alpr core:feature/order core:feature/payment core:correct-oc-lib core:chart
..
compare: core:main
Branches Tags
core:main core:demo-alpr core:feature/order core:feature/payment core:correct-oc-lib core:chart

2 Commits
078aae8172 ... main

Author SHA1 Message Date
mr
744caf9a5e Fully Working OAuth2Flow 2026-03-06 10:20:35 +01:00
mr
979747e288 Complete and refine OAuth + Traeffik Restriction 2026-02-20 10:30:34 +01:00
10 changed files with 280 additions and 119 deletions
Expand all files Collapse all files

9
conf/config.go
View File

@@ -30,6 +30,15 @@ type Config struct {
PermissionConnectorPort string
PermissionConnectorAdminPort string
// OAuthRedirectURI is the registered OAuth2 redirect_uri (frontend callback URL).
// After a successful login, Hydra redirects here with the authorization code.
// The original protected URL is passed as the state parameter.
AdminOrigin string
Origin string
OAuthRedirectURI string
OAdminAuthRedirectURI string
Local bool
}

140
controllers/oauth2.go
View File

@@ -14,6 +14,7 @@ import (
"time"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/dbs"
"cloud.o-forge.io/core/oc-lib/models/peer"
model "cloud.o-forge.io/core/oc-lib/models/peer"
beego "github.com/beego/beego/v2/server/web"
@@ -27,6 +28,8 @@ type OAuthController struct {
// @Title GetLogin
// @Description Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.
// @Param login_challenge query string true "The login challenge from Hydra"
// @Param redirect query string true "explicit redirect by passed"
// @Success 200 {object} auth_connectors.LoginChallenge
// @Failure 400 missing login_challenge
// @Failure 500 internal error
@@ -73,8 +76,9 @@ func (o *OAuthController) GetLogin() {
o.Data["json"] = redirect
o.ServeJSON()
return
}
return
}
// Return challenge info so frontend can render login form
o.Data["json"] = loginChallenge
o.ServeJSON()
@@ -82,13 +86,17 @@ func (o *OAuthController) GetLogin() {
// @Title PostLogin
// @Description Authenticate user via LDAP and accept Hydra login challenge
// @Param redirect query string true "explicit redirect by passed"
// @Param body body auth_connectors.LoginRequest true "Login credentials and challenge"
// @Success 200 {object} auth_connectors.Redirect
// @Failure 401 invalid credentials
// @Failure 500 internal error
// @router /login [post]
func (o *OAuthController) Login() {
logger := oclib.GetLogger()
red := o.Ctx.Input.Query("redirect")
var req auth_connectors.LoginRequest
if err := json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &req); err != nil {
o.Ctx.ResponseWriter.WriteHeader(400)
@@ -159,13 +167,18 @@ func (o *OAuthController) Login() {
}
// Return redirect_to so the frontend follows the OAuth2 flow
o.Data["json"] = redirect
o.ServeJSON()
if red == "false" {
o.Data["json"] = redirect
o.ServeJSON()
return
}
o.Redirect(redirect.RedirectTo, 303)
}
// @Title Consent
// @Description Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.
// @Param consent_challenge query string true "The consent challenge from Hydra"
// @Param redirect query string true "explicit redirect by passed"
// @Success 200 {object} auth_connectors.Redirect
// @Failure 400 missing consent_challenge
// @Failure 500 internal error
@@ -191,8 +204,13 @@ func (o *OAuthController) Consent() {
}
// Get self peer for signing
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(
nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
pp := oclib.NewRequestAdmin(oclib.LibDataEnum(oclib.PEER), nil).Search(
&dbs.Filters{
Or: map[string][]dbs.Filter{ // search by name if no filters are provided
"relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
},
}, strconv.Itoa(peer.SELF.EnumIndex()), false)
fmt.Println(pp.Err, pp.Data)
if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
logger.Error().Msg("Self peer not found")
o.Ctx.ResponseWriter.WriteHeader(500)
@@ -231,12 +249,16 @@ func (o *OAuthController) Consent() {
// @Title GetLogout
// @Description Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.
// @Param logout_challenge query string true "The logout challenge from Hydra"
// @Param redirect query string true "explicit redirect by passed"
// @Success 200 {object} auth_connectors.Redirect
// @Failure 400 missing logout_challenge
// @Failure 500 internal error
// @router /logout [get]
func (o *OAuthController) GetLogout() {
logger := oclib.GetLogger()
red := o.Ctx.Input.Query("redirect")
challenge := o.Ctx.Input.Query("logout_challenge")
if challenge == "" {
o.Ctx.ResponseWriter.WriteHeader(400)
@@ -268,15 +290,19 @@ func (o *OAuthController) GetLogout() {
o.ServeJSON()
return
}
o.Data["json"] = redirect
o.ServeJSON()
if red == "false" {
o.Data["json"] = redirect
o.ServeJSON()
return
}
o.Redirect(redirect.RedirectTo, 303)
}
// @Title Logout
// @Description Revoke an OAuth2 token
// @Param Authorization header string false "Bearer token"
// @Param client_id query string true "The client_id"
// @Success 200 {object} auth_connectors.Token
// @router /logout [delete]
func (o *OAuthController) LogOut() {
@@ -374,48 +400,104 @@ func (o *OAuthController) Introspect() {
o.ServeJSON()
}
// whitelist lists path segments of oc-auth's own challenge endpoints.
// These require no token — the challenge is passed as a query parameter by Hydra.
var whitelist = []string{
"/public/",
"/version",
"/status",
"/login",
"/logout",
"/refresh",
"/introspect",
"/consent",
}
// @Title AuthForward
// @Description Forward auth for Traefik — validates JWT via Hydra introspection
// @Description Forward auth for Traefik — validates JWT via Hydra introspection.
// Only requests from our own peer (SELF) are authorized.
// Routes in pathWhitelist bypass all checks (with or without token).
// Routes in whitelist bypass the token check (oc-auth own challenge endpoints).
// On missing/invalid token: 302 to Hydra authorization URL (restart OAuth2 flow).
// On wrong peer: 401 (network/config issue, no redirect).
// On valid token but insufficient permissions: 403.
// On success: 200 so Traefik forwards the request to the target route.
// @Param Authorization header string false "Bearer token"
// @Success 200 {string}
// @router /forward [get]
func (o *OAuthController) InternalAuthForward() {
fmt.Println("InternalAuthForward")
uri := o.Ctx.Request.Header.Get("X-Forwarded-Uri")
for _, w := range whitelist {
if strings.Contains(uri, w) {
fmt.Println("WHITELIST", w)
o.Ctx.ResponseWriter.WriteHeader(http.StatusOK)
return
}
}
origin, publicKey, external := o.extractOrigin(o.Ctx.Request)
reqToken := o.Ctx.Request.Header.Get("Authorization")
if reqToken == "" {
for _, w := range whitelist {
if strings.Contains(o.Ctx.Request.Header.Get("X-Forwarded-Uri"), w) {
o.Ctx.ResponseWriter.WriteHeader(200)
o.ServeJSON()
return
}
}
o.Ctx.ResponseWriter.WriteHeader(401)
o.ServeJSON()
// Step 1: no token — allow oc-auth's own challenge endpoints (no token needed).
// No token and not a whitelisted path → restart OAuth2 flow.
fmt.Println("NO TOKEN")
o.redirectToLogin(origin)
return
}
// Step 2: extract Bearer token — malformed header treated as missing token.
splitToken := strings.Split(reqToken, "Bearer ")
if len(splitToken) < 2 {
reqToken = ""
} else {
reqToken = splitToken[1]
if len(splitToken) < 2 || splitToken[1] == "" {
fmt.Println("MALFORMED BEARER")
o.redirectToLogin(origin)
return
}
origin, publicKey, external := o.extractOrigin(o.Ctx.Request)
if !infrastructure.GetAuthConnector().CheckAuthForward(
reqToken = splitToken[1]
// Step 3: resolve the calling peer — only our own peer (SELF) is authorized.
// A non-SELF or unknown peer is a network/config issue, not a login problem → 401.
if external || origin == "" || publicKey == "" {
fmt.Println("Unauthorized", external, origin, publicKey)
o.Ctx.ResponseWriter.WriteHeader(http.StatusUnauthorized)
return
}
// Step 4: introspect via Hydra then check permissions via Keto.
// 401 → token inactive/invalid, user must re-authenticate → restart OAuth2 flow.
// 403 → token valid, but permissions denied → forbidden.
// 200 → all good, let Traefik forward to the target route.
switch infrastructure.GetAuthConnector().CheckAuthForward(
reqToken, publicKey, origin,
o.Ctx.Request.Header.Get("X-Forwarded-Method"),
o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) && origin != "" && publicKey != "" {
o.Ctx.ResponseWriter.WriteHeader(401)
o.ServeJSON()
return
uri, external) {
case http.StatusOK:
fmt.Println("OK")
o.Ctx.ResponseWriter.WriteHeader(http.StatusOK)
case http.StatusForbidden:
fmt.Println("StatusForbidden")
o.Ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
default:
fmt.Println("redirectToLogin UNAUTHORIZED")
// 401 or unexpected status → token likely expired, restart the OAuth2 flow.
o.redirectToLogin(origin)
}
o.ServeJSON()
}
// redirectToLogin redirects the client to Hydra's authorization endpoint to start a fresh
// OAuth2 flow. The original request URL is passed as the state parameter so the frontend
// can redirect back after successful authentication.
func (o *OAuthController) redirectToLogin(origin string) {
cfg := conf.GetConfig()
if strings.Contains(origin, cfg.AdminOrigin) {
o.Ctx.ResponseWriter.Header().Set("Location", cfg.OAdminAuthRedirectURI)
} else {
o.Ctx.ResponseWriter.Header().Set("Location", cfg.OAuthRedirectURI)
}
o.Ctx.ResponseWriter.WriteHeader(http.StatusFound)
}
func (o *OAuthController) extractOrigin(request *http.Request) (string, string, bool) {

16
docker-compose.yml
View File

@@ -8,13 +8,15 @@ services:
container_name: oc-auth
labels:
- "traefik.enable=true"
- "traefik.http.routers.auth.entrypoints=web"
- "traefik.http.routers.auth.rule=PathPrefix(`/auth`)"
- "traefik.http.middlewares.auth-rewrite.replacepathregex.regex=^/auth(.*)"
- "traefik.http.middlewares.auth-rewrite.replacepathregex.replacement=/oc$$1"
- "traefik.http.routers.auth.middlewares=auth-rewrite"
- "traefik.http.services.auth.loadbalancer.server.port=8080"
- "traefik.http.middlewares.auth.forwardauth.address=http://oc-auth:8080/oc/forward"
- "traefik.http.routers.auth-sec.entrypoints=web"
- "traefik.http.routers.auth-sec.rule=PathPrefix(`/auth/`)"
- "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.regex=^/auth(.*)"
- "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.replacement=/oc$$1"
- "traefik.http.services.auth-sec.loadbalancer.server.port=8080"
- "traefik.http.routers.auth-sec.middlewares=auth-sec-rewrite,auth-auth-sec"
- "traefik.http.middlewares.auth-auth-sec.forwardauth.address=http://oc-auth:8080/oc/forward"
- "traefik.http.middlewares.auth-auth-sec.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.auth-auth-sec.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
environment:
LDAP_ENDPOINTS: ldap:389
LDAP_BINDDN: cn=admin,dc=example,dc=com

8
infrastructure/auth_connector/auth_connector.go
View File

@@ -27,8 +27,12 @@ type AuthConnector interface {
RevokeToken(token string, clientID string) error
RefreshToken(refreshToken string, clientID string) (*TokenResponse, error)
// Forward auth
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool
// CheckAuthForward validates the token and permissions for a forward auth request.
// Returns an HTTP status code:
// 200 — token active and permissions granted
// 401 — token missing, invalid, or inactive → caller should redirect to login
// 403 — token valid but permissions denied → caller should return forbidden
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) int
}
// Token is the unified token response returned to clients

54
infrastructure/auth_connector/hydra_connector.go
View File

@@ -299,61 +299,61 @@ func (h *HydraConnector) RefreshToken(refreshToken string, clientID string) (*To
return &result, nil
}
// CheckAuthForward validates a JWT token for forward auth (Traefik integration)
// It introspects the token via Hydra and checks permissions from the token's extra claims
func (h *HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool {
// CheckAuthForward validates a JWT token for forward auth (Traefik integration).
// It introspects the token via Hydra then checks permissions via Keto.
// Only requests from our own peer (external == false) are accepted.
// Returns 200 (OK), 401 (token inactive/invalid → redirect to login), or 403 (permission denied).
func (h *HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) int {
if forward == "" || method == "" {
return false
return http.StatusUnauthorized
}
// Defense in depth: only SELF peer requests are allowed.
if external {
return http.StatusUnauthorized
}
logger := oclib.GetLogger()
// Introspect the token via Hydra to get claims
// Introspect the token via Hydra.
// An inactive or invalid token means the user must re-authenticate → 401.
result, err := h.Introspect(reqToken)
if err != nil || !result.Active {
if err != nil {
logger.Error().Msg("Forward auth introspect failed: " + err.Error())
}
return false
return http.StatusUnauthorized
}
// Extract claims from the introspection result's extra data
// Hydra puts consent session's access_token data in the "ext" field of introspection
// Build session claims from Hydra's introspection "ext" field.
// Hydra injects the consent session's access_token data there.
var sessionClaims claims.Claims
sessionClaims.Session.AccessToken = make(map[string]interface{})
sessionClaims.Session.IDToken = make(map[string]interface{})
if result.Extra != nil {
sessionClaims.Session.AccessToken = make(map[string]interface{})
sessionClaims.Session.IDToken = make(map[string]interface{})
for k, v := range result.Extra {
sessionClaims.Session.AccessToken[k] = v
}
}
// Also try to get id_token claims from the token if it's a JWT
// For now, use the introspected extra claims and the peer signature verification
if sessionClaims.Session.IDToken == nil {
sessionClaims.Session.IDToken = make(map[string]interface{})
}
// Get self peer for signature verification
// For SELF peer requests skip the signature check (internal traffic).
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, fmt.Sprintf("%v", peer.SELF.EnumIndex()), false)
if len(pp.Data) > 0 {
p := pp.Data[0].(*peer.Peer)
// Re-sign for local verification if this is our own peer
if !external && p.PublicKey == publicKey {
if p.PublicKey == publicKey {
sessionClaims.Session.IDToken["signature"] = ""
// For internal requests, skip signature check by using the claims decoder directly
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, sessionClaims, publicKey, external)
if err != nil {
logger.Error().Msg("Failed to decode claims: " + err.Error())
}
return ok
}
}
// Check permissions via Keto.
// A valid token with insufficient permissions → 403 (authenticated, not authorized).
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, sessionClaims, publicKey, external)
if err != nil {
logger.Error().Msg("Failed to decode claims: " + err.Error())
logger.Error().Msg("Failed to decode claims in forward auth: " + err.Error())
return http.StatusForbidden
}
return ok
if !ok {
return http.StatusForbidden
}
return http.StatusOK
}
// extractBearerToken extracts the token from a "Bearer xxx" Authorization header value

25
infrastructure/perms_connectors/keto_connector.go
View File

@@ -370,17 +370,20 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
log.Error().Msgf("createRelationShip unmarshal error: %s, err=%v", string(b), err)
return nil, 500, err
}
perm := &Permission{
Object: data["object"].(string),
Relation: data["relation"].(string),
Subject: data["subject_id"].(string),
}
if data["subject_set"] != nil {
sub := data["subject_set"].(map[string]interface{})
perm.SubPermission = &Permission{
Object: sub["object"].(string),
Relation: sub["relation"].(string),
Subject: sub["subject_id"].(string),
perm := &Permission{}
if data != nil {
perm = &Permission{
Object: data["object"].(string),
Relation: data["relation"].(string),
Subject: data["subject_id"].(string),
}
if data["subject_set"] != nil {
sub := data["subject_set"].(map[string]interface{})
perm.SubPermission = &Permission{
Object: sub["object"].(string),
Relation: sub["relation"].(string),
Subject: sub["subject_id"].(string),
}
}
}
return perm, 200, nil

25
main.go
View File

@@ -7,6 +7,7 @@ import (
"oc-auth/infrastructure"
auth_connectors "oc-auth/infrastructure/auth_connector"
_ "oc-auth/routers"
"strings"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
@@ -40,9 +41,15 @@ func main() {
conf.GetConfig().PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto")
conf.GetConfig().PermissionConnectorPort = o.GetStringDefault("PERMISSION_CONNECTOR_PORT", "4466")
conf.GetConfig().PermissionConnectorAdminPort = o.GetStringDefault("PERMISSION_CONNECTOR_ADMIN_PORT", "4467")
conf.GetConfig().Origin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8000")
conf.GetConfig().AdminOrigin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8001")
conf.GetConfig().OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://localhost:8000/l")
conf.GetConfig().OAdminAuthRedirectURI = o.GetStringDefault("ADMIN_OAUTH_REDIRECT_URI", "http://localhost:8000/l")
conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
// config LDAP
// config LDAPauth
conf.GetConfig().SourceMode = o.GetStringDefault("SOURCE_MODE", "ldap")
conf.GetConfig().LDAPEndpoints = o.GetStringDefault("LDAP_ENDPOINTS", "ldap:389")
conf.GetConfig().LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com")
@@ -100,17 +107,23 @@ func discovery() {
logger.Info().Msg("Starting permission discovery")
_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
if err != nil {
logger.Error().Msg("Failed to create admin role, retrying in 10s: " + err.Error())
time.Sleep(10 * time.Second)
continue
if !strings.Contains(err.Error(), "already exist") {
logger.Error().Msg("Failed to create admin role, retrying in 10s: " + err.Error())
time.Sleep(10 * time.Second)
continue
}
}
if _, _, err := conn.BindRole(conf.GetConfig().AdminRole, "admin"); err != nil {
logger.Error().Msg("Failed to admin bind role: " + err.Error())
}
conn.BindRole(conf.GetConfig().AdminRole, "admin")
addPermissions := func(m tools.NATSResponse) {
var resp map[string][]interface{}
json.Unmarshal(m.Payload, &resp)
for k, v := range resp {
for _, p := range v {
conn.CreatePermission(k, p.(string), true)
if _, _, err := conn.CreatePermission(k, p.(string), true); err != nil {
logger.Error().Msg("Failed to admin create permission: " + err.Error())
}
}
}
}

BIN
oc-auth
View File

Binary file not shown.

70
swagger/swagger.json
View File

@@ -29,6 +29,13 @@
"description": "The consent challenge from Hydra",
"required": true,
"type": "string"
},
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
}
],
"responses": {
@@ -52,7 +59,7 @@
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Forward auth for Traefik — validates JWT via Hydra introspection\n\u003cbr\u003e",
"description": "Forward auth for Traefik — validates JWT via Hydra introspection.\n\u003cbr\u003e",
"operationId": "OAuthController.AuthForward",
"parameters": [
{
@@ -282,6 +289,13 @@
"description": "The login challenge from Hydra",
"required": true,
"type": "string"
},
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
}
],
"responses": {
@@ -304,8 +318,15 @@
"oc-auth/controllersOAuthController"
],
"description": "Authenticate user via LDAP and accept Hydra login challenge\n\u003cbr\u003e",
"operationId": "OAuthController.PostLogin",
"operationId": "OAuthController.Login",
"parameters": [
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
},
{
"in": "body",
"name": "body",
@@ -346,6 +367,13 @@
"description": "The logout challenge from Hydra",
"required": true,
"type": "string"
},
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
}
],
"responses": {
@@ -798,14 +826,29 @@
}
},
"definitions": {
"2111.0xc0004ce750.false": {
"2432.0xc0004a0630.false": {
"title": "false",
"type": "object"
},
"3850.0xc0004ce930.false": {
"4171.0xc0004a0810.false": {
"title": "false",
"type": "object"
},
"auth_connectors.LoginRequest": {
"title": "LoginRequest",
"type": "object",
"properties": {
"username": {
"type": "string"
},
"password": {
"type": "string"
},
"login_challenge": {
"type": "string"
}
}
},
"auth_connectors.IntrospectResult": {
"title": "IntrospectResult",
"type": "object",
@@ -821,7 +864,7 @@
"format": "int64"
},
"ext": {
"$ref": "#/definitions/3850.0xc0004ce930.false"
"$ref": "#/definitions/4171.0xc0004a0810.false"
},
"scope": {
"type": "string"
@@ -842,7 +885,7 @@
"type": "string"
},
"client": {
"$ref": "#/definitions/2111.0xc0004ce750.false"
"$ref": "#/definitions/2432.0xc0004a0630.false"
},
"request_url": {
"type": "string"
@@ -858,21 +901,6 @@
}
}
},
"auth_connectors.LoginRequest": {
"title": "LoginRequest",
"type": "object",
"properties": {
"login_challenge": {
"type": "string"
},
"password": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"auth_connectors.Redirect": {
"title": "Redirect",
"type": "object",

52
swagger/swagger.yml
View File

@@ -26,6 +26,11 @@ paths:
description: The consent challenge from Hydra
required: true
type: string
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
responses:
"200":
description: ""
@@ -40,7 +45,7 @@ paths:
tags:
- oc-auth/controllersOAuthController
description: |-
Forward auth for Traefik validates JWT via Hydra introspection
Forward auth for Traefik validates JWT via Hydra introspection.
<br>
operationId: OAuthController.AuthForward
parameters:
@@ -214,6 +219,11 @@ paths:
description: The login challenge from Hydra
required: true
type: string
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
responses:
"200":
description: ""
@@ -229,8 +239,13 @@ paths:
description: |-
Authenticate user via LDAP and accept Hydra login challenge
<br>
operationId: OAuthController.PostLogin
operationId: OAuthController.Login
parameters:
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
- in: body
name: body
description: Login credentials and challenge
@@ -260,6 +275,11 @@ paths:
description: The logout challenge from Hydra
required: true
type: string
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
responses:
"200":
description: ""
@@ -593,12 +613,22 @@ paths:
"200":
description: ""
definitions:
2111.0xc0004ce750.false:
2432.0xc0004a0630.false:
title: "false"
type: object
3850.0xc0004ce930.false:
4171.0xc0004a0810.false:
title: "false"
type: object
auth_connectors.LoginRequest:
title: LoginRequest
type: object
properties:
username:
type: string
password:
type: string
login_challenge:
type: string
auth_connectors.IntrospectResult:
title: IntrospectResult
type: object
@@ -611,7 +641,7 @@ definitions:
type: integer
format: int64
ext:
$ref: '#/definitions/3850.0xc0004ce930.false'
$ref: '#/definitions/4171.0xc0004a0810.false'
scope:
type: string
sub:
@@ -625,7 +655,7 @@ definitions:
challenge:
type: string
client:
$ref: '#/definitions/2111.0xc0004ce750.false'
$ref: '#/definitions/2432.0xc0004a0630.false'
request_url:
type: string
session_id:
@@ -634,16 +664,6 @@ definitions:
type: boolean
subject:
type: string
auth_connectors.LoginRequest:
title: LoginRequest
type: object
properties:
login_challenge:
type: string
password:
type: string
username:
type: string
auth_connectors.Redirect:
title: Redirect
type: object