{- Ory Hydra API Documentation for all of Ory Hydra's APIs. OpenAPI Version: 3.0.3 Ory Hydra API API version: Contact: hi@ory.sh Generated by OpenAPI Generator (https://openapi-generator.tech) -} {-| Module : OryHydra.Model -} {-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE DeriveFoldable #-} {-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DeriveTraversable #-} {-# LANGUAGE GeneralizedNewtypeDeriving #-} {-# LANGUAGE LambdaCase #-} {-# LANGUAGE MultiParamTypeClasses #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE TupleSections #-} {-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-matches -fno-warn-unused-binds -fno-warn-unused-imports #-} module OryHydra.Model where import OryHydra.Core import OryHydra.MimeTypes import Data.Aeson ((.:),(.:!),(.:?),(.=)) import qualified Control.Arrow as P (left) import qualified Data.Aeson as A import qualified Data.ByteString as B import qualified Data.ByteString.Base64 as B64 import qualified Data.ByteString.Char8 as BC import qualified Data.ByteString.Lazy as BL import qualified Data.Data as P (Typeable, TypeRep, typeOf, typeRep) import qualified Data.Foldable as P import qualified Data.HashMap.Lazy as HM import qualified Data.Map as Map import qualified Data.Maybe as P import qualified Data.Set as Set import qualified Data.Text as T import qualified Data.Text.Encoding as T import qualified Data.Time as TI import qualified Lens.Micro as L import qualified Web.FormUrlEncoded as WH import qualified Web.HttpApiData as WH import Control.Applicative ((<|>)) import Control.Applicative (Alternative) import Data.Function ((&)) import Data.Monoid ((<>)) import Data.Text (Text) import Prelude (($),(/=),(.),(<$>),(<*>),(>>=),(=<<),Maybe(..),Bool(..),Char,Double,FilePath,Float,Int,Integer,String,fmap,undefined,mempty,maybe,pure,Monad,Applicative,Functor) import qualified Prelude as P -- * Parameter newtypes -- ** All newtype All = All { unAll :: Bool } deriving (P.Eq, P.Show) -- ** Client newtype Client = Client { unClient :: Text } deriving (P.Eq, P.Show) -- ** ClientId newtype ClientId = ClientId { unClientId :: Text } deriving (P.Eq, P.Show) -- ** ClientName newtype ClientName = ClientName { unClientName :: Text } deriving (P.Eq, P.Show) -- ** ClientSecret newtype ClientSecret = ClientSecret { unClientSecret :: Text } deriving (P.Eq, P.Show) -- ** Code newtype Code = Code { unCode :: Text } deriving (P.Eq, P.Show) -- ** ConsentChallenge newtype ConsentChallenge = ConsentChallenge { unConsentChallenge :: Text } deriving (P.Eq, P.Show) -- ** DefaultItems newtype DefaultItems = DefaultItems { unDefaultItems :: Integer } deriving (P.Eq, P.Show) -- ** GrantType newtype GrantType = GrantType { unGrantType :: Text } deriving (P.Eq, P.Show) -- ** Id newtype Id = Id { unId :: Text } deriving (P.Eq, P.Show) -- ** Issuer newtype Issuer = Issuer { unIssuer :: Text } deriving (P.Eq, P.Show) -- ** JsonPatch2 newtype JsonPatch2 = JsonPatch2 { unJsonPatch2 :: [JsonPatch] } deriving (P.Eq, P.Show, A.ToJSON) -- ** Kid newtype Kid = Kid { unKid :: Text } deriving (P.Eq, P.Show) -- ** LoginChallenge newtype LoginChallenge = LoginChallenge { unLoginChallenge :: Text } deriving (P.Eq, P.Show) -- ** LoginSessionId newtype LoginSessionId = LoginSessionId { unLoginSessionId :: Text } deriving (P.Eq, P.Show) -- ** LogoutChallenge newtype LogoutChallenge = LogoutChallenge { unLogoutChallenge :: Text } deriving (P.Eq, P.Show) -- ** MaxItems newtype MaxItems = MaxItems { unMaxItems :: Integer } deriving (P.Eq, P.Show) -- ** Owner newtype Owner = Owner { unOwner :: Text } deriving (P.Eq, P.Show) -- ** PageSize newtype PageSize = PageSize { unPageSize :: Integer } deriving (P.Eq, P.Show) -- ** PageToken newtype PageToken = PageToken { unPageToken :: Text } deriving (P.Eq, P.Show) -- ** RedirectUri newtype RedirectUri = RedirectUri { unRedirectUri :: Text } deriving (P.Eq, P.Show) -- ** RefreshToken newtype RefreshToken = RefreshToken { unRefreshToken :: Text } deriving (P.Eq, P.Show) -- ** Scope newtype Scope = Scope { unScope :: Text } deriving (P.Eq, P.Show) -- ** Set newtype Set = Set { unSet :: Text } deriving (P.Eq, P.Show) -- ** Subject newtype Subject = Subject { unSubject :: Text } deriving (P.Eq, P.Show) -- ** Token newtype Token = Token { unToken :: Text } deriving (P.Eq, P.Show) -- * Models -- ** AcceptOAuth2ConsentRequest -- | AcceptOAuth2ConsentRequest -- The request payload used to accept a consent request. -- data AcceptOAuth2ConsentRequest = AcceptOAuth2ConsentRequest { acceptOAuth2ConsentRequestGrantAccessTokenAudience :: Maybe [Text] -- ^ "grant_access_token_audience" , acceptOAuth2ConsentRequestGrantScope :: Maybe [Text] -- ^ "grant_scope" , acceptOAuth2ConsentRequestHandledAt :: Maybe DateTime -- ^ "handled_at" , acceptOAuth2ConsentRequestRemember :: Maybe Bool -- ^ "remember" - Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. , acceptOAuth2ConsentRequestRememberFor :: Maybe Integer -- ^ "remember_for" - RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the authorization will be remembered indefinitely. , acceptOAuth2ConsentRequestSession :: Maybe AcceptOAuth2ConsentRequestSession -- ^ "session" } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON AcceptOAuth2ConsentRequest instance A.FromJSON AcceptOAuth2ConsentRequest where parseJSON = A.withObject "AcceptOAuth2ConsentRequest" $ \o -> AcceptOAuth2ConsentRequest <$> (o .:? "grant_access_token_audience") <*> (o .:? "grant_scope") <*> (o .:? "handled_at") <*> (o .:? "remember") <*> (o .:? "remember_for") <*> (o .:? "session") -- | ToJSON AcceptOAuth2ConsentRequest instance A.ToJSON AcceptOAuth2ConsentRequest where toJSON AcceptOAuth2ConsentRequest {..} = _omitNulls [ "grant_access_token_audience" .= acceptOAuth2ConsentRequestGrantAccessTokenAudience , "grant_scope" .= acceptOAuth2ConsentRequestGrantScope , "handled_at" .= acceptOAuth2ConsentRequestHandledAt , "remember" .= acceptOAuth2ConsentRequestRemember , "remember_for" .= acceptOAuth2ConsentRequestRememberFor , "session" .= acceptOAuth2ConsentRequestSession ] -- | Construct a value of type 'AcceptOAuth2ConsentRequest' (by applying it's required fields, if any) mkAcceptOAuth2ConsentRequest :: AcceptOAuth2ConsentRequest mkAcceptOAuth2ConsentRequest = AcceptOAuth2ConsentRequest { acceptOAuth2ConsentRequestGrantAccessTokenAudience = Nothing , acceptOAuth2ConsentRequestGrantScope = Nothing , acceptOAuth2ConsentRequestHandledAt = Nothing , acceptOAuth2ConsentRequestRemember = Nothing , acceptOAuth2ConsentRequestRememberFor = Nothing , acceptOAuth2ConsentRequestSession = Nothing } -- ** AcceptOAuth2ConsentRequestSession -- | AcceptOAuth2ConsentRequestSession -- Pass session data to a consent request. -- data AcceptOAuth2ConsentRequestSession = AcceptOAuth2ConsentRequestSession { acceptOAuth2ConsentRequestSessionAccessToken :: Maybe A.Value -- ^ "access_token" - AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection. If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care! , acceptOAuth2ConsentRequestSessionIdToken :: Maybe A.Value -- ^ "id_token" - IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable by anyone that has access to the ID Challenge. Use with care! } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON AcceptOAuth2ConsentRequestSession instance A.FromJSON AcceptOAuth2ConsentRequestSession where parseJSON = A.withObject "AcceptOAuth2ConsentRequestSession" $ \o -> AcceptOAuth2ConsentRequestSession <$> (o .:? "access_token") <*> (o .:? "id_token") -- | ToJSON AcceptOAuth2ConsentRequestSession instance A.ToJSON AcceptOAuth2ConsentRequestSession where toJSON AcceptOAuth2ConsentRequestSession {..} = _omitNulls [ "access_token" .= acceptOAuth2ConsentRequestSessionAccessToken , "id_token" .= acceptOAuth2ConsentRequestSessionIdToken ] -- | Construct a value of type 'AcceptOAuth2ConsentRequestSession' (by applying it's required fields, if any) mkAcceptOAuth2ConsentRequestSession :: AcceptOAuth2ConsentRequestSession mkAcceptOAuth2ConsentRequestSession = AcceptOAuth2ConsentRequestSession { acceptOAuth2ConsentRequestSessionAccessToken = Nothing , acceptOAuth2ConsentRequestSessionIdToken = Nothing } -- ** AcceptOAuth2LoginRequest -- | AcceptOAuth2LoginRequest -- HandledLoginRequest is the request payload used to accept a login request. -- data AcceptOAuth2LoginRequest = AcceptOAuth2LoginRequest { acceptOAuth2LoginRequestAcr :: Maybe Text -- ^ "acr" - ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. , acceptOAuth2LoginRequestAmr :: Maybe [Text] -- ^ "amr" , acceptOAuth2LoginRequestContext :: Maybe A.Value -- ^ "context" , acceptOAuth2LoginRequestForceSubjectIdentifier :: Maybe Text -- ^ "force_subject_identifier" - ForceSubjectIdentifier forces the \"pairwise\" user ID of the end-user that authenticated. The \"pairwise\" user ID refers to the (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID Connect specification. It allows you to set an obfuscated subject (\"user\") identifier that is unique to the client. Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the sub claim in the OAuth 2.0 Introspection. Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's configuration). Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies that you have to compute this value on every authentication process (probably depending on the client ID or some other unique value). If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail. , acceptOAuth2LoginRequestRemember :: Maybe Bool -- ^ "remember" - Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she will not be asked to log in again. , acceptOAuth2LoginRequestRememberFor :: Maybe Integer -- ^ "remember_for" - RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the authorization will be remembered for the duration of the browser session (using a session cookie). , acceptOAuth2LoginRequestSubject :: Text -- ^ /Required/ "subject" - Subject is the user ID of the end-user that authenticated. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON AcceptOAuth2LoginRequest instance A.FromJSON AcceptOAuth2LoginRequest where parseJSON = A.withObject "AcceptOAuth2LoginRequest" $ \o -> AcceptOAuth2LoginRequest <$> (o .:? "acr") <*> (o .:? "amr") <*> (o .:? "context") <*> (o .:? "force_subject_identifier") <*> (o .:? "remember") <*> (o .:? "remember_for") <*> (o .: "subject") -- | ToJSON AcceptOAuth2LoginRequest instance A.ToJSON AcceptOAuth2LoginRequest where toJSON AcceptOAuth2LoginRequest {..} = _omitNulls [ "acr" .= acceptOAuth2LoginRequestAcr , "amr" .= acceptOAuth2LoginRequestAmr , "context" .= acceptOAuth2LoginRequestContext , "force_subject_identifier" .= acceptOAuth2LoginRequestForceSubjectIdentifier , "remember" .= acceptOAuth2LoginRequestRemember , "remember_for" .= acceptOAuth2LoginRequestRememberFor , "subject" .= acceptOAuth2LoginRequestSubject ] -- | Construct a value of type 'AcceptOAuth2LoginRequest' (by applying it's required fields, if any) mkAcceptOAuth2LoginRequest :: Text -- ^ 'acceptOAuth2LoginRequestSubject': Subject is the user ID of the end-user that authenticated. -> AcceptOAuth2LoginRequest mkAcceptOAuth2LoginRequest acceptOAuth2LoginRequestSubject = AcceptOAuth2LoginRequest { acceptOAuth2LoginRequestAcr = Nothing , acceptOAuth2LoginRequestAmr = Nothing , acceptOAuth2LoginRequestContext = Nothing , acceptOAuth2LoginRequestForceSubjectIdentifier = Nothing , acceptOAuth2LoginRequestRemember = Nothing , acceptOAuth2LoginRequestRememberFor = Nothing , acceptOAuth2LoginRequestSubject } -- ** CreateJsonWebKeySet -- | CreateJsonWebKeySet -- Create JSON Web Key Set Request Body data CreateJsonWebKeySet = CreateJsonWebKeySet { createJsonWebKeySetAlg :: Text -- ^ /Required/ "alg" - JSON Web Key Algorithm The algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`. , createJsonWebKeySetKid :: Text -- ^ /Required/ "kid" - JSON Web Key ID The Key ID of the key to be created. , createJsonWebKeySetUse :: Text -- ^ /Required/ "use" - JSON Web Key Use The \"use\" (public key use) parameter identifies the intended use of the public key. The \"use\" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Valid values are \"enc\" and \"sig\". } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON CreateJsonWebKeySet instance A.FromJSON CreateJsonWebKeySet where parseJSON = A.withObject "CreateJsonWebKeySet" $ \o -> CreateJsonWebKeySet <$> (o .: "alg") <*> (o .: "kid") <*> (o .: "use") -- | ToJSON CreateJsonWebKeySet instance A.ToJSON CreateJsonWebKeySet where toJSON CreateJsonWebKeySet {..} = _omitNulls [ "alg" .= createJsonWebKeySetAlg , "kid" .= createJsonWebKeySetKid , "use" .= createJsonWebKeySetUse ] -- | Construct a value of type 'CreateJsonWebKeySet' (by applying it's required fields, if any) mkCreateJsonWebKeySet :: Text -- ^ 'createJsonWebKeySetAlg': JSON Web Key Algorithm The algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`. -> Text -- ^ 'createJsonWebKeySetKid': JSON Web Key ID The Key ID of the key to be created. -> Text -- ^ 'createJsonWebKeySetUse': JSON Web Key Use The \"use\" (public key use) parameter identifies the intended use of the public key. The \"use\" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Valid values are \"enc\" and \"sig\". -> CreateJsonWebKeySet mkCreateJsonWebKeySet createJsonWebKeySetAlg createJsonWebKeySetKid createJsonWebKeySetUse = CreateJsonWebKeySet { createJsonWebKeySetAlg , createJsonWebKeySetKid , createJsonWebKeySetUse } -- ** ErrorOAuth2 -- | ErrorOAuth2 -- Error data ErrorOAuth2 = ErrorOAuth2 { errorOAuth2Error :: Maybe Text -- ^ "error" - Error , errorOAuth2ErrorDebug :: Maybe Text -- ^ "error_debug" - Error Debug Information Only available in dev mode. , errorOAuth2ErrorDescription :: Maybe Text -- ^ "error_description" - Error Description , errorOAuth2ErrorHint :: Maybe Text -- ^ "error_hint" - Error Hint Helps the user identify the error cause. , errorOAuth2StatusCode :: Maybe Integer -- ^ "status_code" - HTTP Status Code } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON ErrorOAuth2 instance A.FromJSON ErrorOAuth2 where parseJSON = A.withObject "ErrorOAuth2" $ \o -> ErrorOAuth2 <$> (o .:? "error") <*> (o .:? "error_debug") <*> (o .:? "error_description") <*> (o .:? "error_hint") <*> (o .:? "status_code") -- | ToJSON ErrorOAuth2 instance A.ToJSON ErrorOAuth2 where toJSON ErrorOAuth2 {..} = _omitNulls [ "error" .= errorOAuth2Error , "error_debug" .= errorOAuth2ErrorDebug , "error_description" .= errorOAuth2ErrorDescription , "error_hint" .= errorOAuth2ErrorHint , "status_code" .= errorOAuth2StatusCode ] -- | Construct a value of type 'ErrorOAuth2' (by applying it's required fields, if any) mkErrorOAuth2 :: ErrorOAuth2 mkErrorOAuth2 = ErrorOAuth2 { errorOAuth2Error = Nothing , errorOAuth2ErrorDebug = Nothing , errorOAuth2ErrorDescription = Nothing , errorOAuth2ErrorHint = Nothing , errorOAuth2StatusCode = Nothing } -- ** GenericError -- | GenericError data GenericError = GenericError { genericErrorCode :: Maybe Integer -- ^ "code" - The status code , genericErrorDebug :: Maybe Text -- ^ "debug" - Debug information This field is often not exposed to protect against leaking sensitive information. , genericErrorDetails :: Maybe A.Value -- ^ "details" - Further error details , genericErrorId :: Maybe Text -- ^ "id" - The error ID Useful when trying to identify various errors in application logic. , genericErrorMessage :: Text -- ^ /Required/ "message" - Error message The error's message. , genericErrorReason :: Maybe Text -- ^ "reason" - A human-readable reason for the error , genericErrorRequest :: Maybe Text -- ^ "request" - The request ID The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID. , genericErrorStatus :: Maybe Text -- ^ "status" - The status description } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON GenericError instance A.FromJSON GenericError where parseJSON = A.withObject "GenericError" $ \o -> GenericError <$> (o .:? "code") <*> (o .:? "debug") <*> (o .:? "details") <*> (o .:? "id") <*> (o .: "message") <*> (o .:? "reason") <*> (o .:? "request") <*> (o .:? "status") -- | ToJSON GenericError instance A.ToJSON GenericError where toJSON GenericError {..} = _omitNulls [ "code" .= genericErrorCode , "debug" .= genericErrorDebug , "details" .= genericErrorDetails , "id" .= genericErrorId , "message" .= genericErrorMessage , "reason" .= genericErrorReason , "request" .= genericErrorRequest , "status" .= genericErrorStatus ] -- | Construct a value of type 'GenericError' (by applying it's required fields, if any) mkGenericError :: Text -- ^ 'genericErrorMessage': Error message The error's message. -> GenericError mkGenericError genericErrorMessage = GenericError { genericErrorCode = Nothing , genericErrorDebug = Nothing , genericErrorDetails = Nothing , genericErrorId = Nothing , genericErrorMessage , genericErrorReason = Nothing , genericErrorRequest = Nothing , genericErrorStatus = Nothing } -- ** GetVersion200Response -- | GetVersion200Response data GetVersion200Response = GetVersion200Response { getVersion200ResponseVersion :: Maybe Text -- ^ "version" - The version of Ory Hydra. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON GetVersion200Response instance A.FromJSON GetVersion200Response where parseJSON = A.withObject "GetVersion200Response" $ \o -> GetVersion200Response <$> (o .:? "version") -- | ToJSON GetVersion200Response instance A.ToJSON GetVersion200Response where toJSON GetVersion200Response {..} = _omitNulls [ "version" .= getVersion200ResponseVersion ] -- | Construct a value of type 'GetVersion200Response' (by applying it's required fields, if any) mkGetVersion200Response :: GetVersion200Response mkGetVersion200Response = GetVersion200Response { getVersion200ResponseVersion = Nothing } -- ** HealthNotReadyStatus -- | HealthNotReadyStatus data HealthNotReadyStatus = HealthNotReadyStatus { healthNotReadyStatusErrors :: Maybe (Map.Map String Text) -- ^ "errors" - Errors contains a list of errors that caused the not ready status. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON HealthNotReadyStatus instance A.FromJSON HealthNotReadyStatus where parseJSON = A.withObject "HealthNotReadyStatus" $ \o -> HealthNotReadyStatus <$> (o .:? "errors") -- | ToJSON HealthNotReadyStatus instance A.ToJSON HealthNotReadyStatus where toJSON HealthNotReadyStatus {..} = _omitNulls [ "errors" .= healthNotReadyStatusErrors ] -- | Construct a value of type 'HealthNotReadyStatus' (by applying it's required fields, if any) mkHealthNotReadyStatus :: HealthNotReadyStatus mkHealthNotReadyStatus = HealthNotReadyStatus { healthNotReadyStatusErrors = Nothing } -- ** HealthStatus -- | HealthStatus data HealthStatus = HealthStatus { healthStatusStatus :: Maybe Text -- ^ "status" - Status always contains \"ok\". } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON HealthStatus instance A.FromJSON HealthStatus where parseJSON = A.withObject "HealthStatus" $ \o -> HealthStatus <$> (o .:? "status") -- | ToJSON HealthStatus instance A.ToJSON HealthStatus where toJSON HealthStatus {..} = _omitNulls [ "status" .= healthStatusStatus ] -- | Construct a value of type 'HealthStatus' (by applying it's required fields, if any) mkHealthStatus :: HealthStatus mkHealthStatus = HealthStatus { healthStatusStatus = Nothing } -- ** IntrospectedOAuth2Token -- | IntrospectedOAuth2Token -- Introspection contains an access token's session data as specified by [IETF RFC 7662](https://tools.ietf.org/html/rfc7662) data IntrospectedOAuth2Token = IntrospectedOAuth2Token { introspectedOAuth2TokenActive :: Bool -- ^ /Required/ "active" - Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's \"active\" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a \"true\" value return for the \"active\" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). , introspectedOAuth2TokenAud :: Maybe [Text] -- ^ "aud" - Audience contains a list of the token's intended audiences. , introspectedOAuth2TokenClientId :: Maybe Text -- ^ "client_id" - ID is aclient identifier for the OAuth 2.0 client that requested this token. , introspectedOAuth2TokenExp :: Maybe Integer -- ^ "exp" - Expires at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire. , introspectedOAuth2TokenExt :: Maybe (Map.Map String A.Value) -- ^ "ext" - Extra is arbitrary data set by the session. , introspectedOAuth2TokenIat :: Maybe Integer -- ^ "iat" - Issued at is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token was originally issued. , introspectedOAuth2TokenIss :: Maybe Text -- ^ "iss" - IssuerURL is a string representing the issuer of this token , introspectedOAuth2TokenNbf :: Maybe Integer -- ^ "nbf" - NotBefore is an integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token is not to be used before. , introspectedOAuth2TokenObfuscatedSubject :: Maybe Text -- ^ "obfuscated_subject" - ObfuscatedSubject is set when the subject identifier algorithm was set to \"pairwise\" during authorization. It is the `sub` value of the ID Token that was issued. , introspectedOAuth2TokenScope :: Maybe Text -- ^ "scope" - Scope is a JSON string containing a space-separated list of scopes associated with this token. , introspectedOAuth2TokenSub :: Maybe Text -- ^ "sub" - Subject of the token, as defined in JWT [RFC7519]. Usually a machine-readable identifier of the resource owner who authorized this token. , introspectedOAuth2TokenTokenType :: Maybe Text -- ^ "token_type" - TokenType is the introspected token's type, typically `Bearer`. , introspectedOAuth2TokenTokenUse :: Maybe Text -- ^ "token_use" - TokenUse is the introspected token's use, for example `access_token` or `refresh_token`. , introspectedOAuth2TokenUsername :: Maybe Text -- ^ "username" - Username is a human-readable identifier for the resource owner who authorized this token. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON IntrospectedOAuth2Token instance A.FromJSON IntrospectedOAuth2Token where parseJSON = A.withObject "IntrospectedOAuth2Token" $ \o -> IntrospectedOAuth2Token <$> (o .: "active") <*> (o .:? "aud") <*> (o .:? "client_id") <*> (o .:? "exp") <*> (o .:? "ext") <*> (o .:? "iat") <*> (o .:? "iss") <*> (o .:? "nbf") <*> (o .:? "obfuscated_subject") <*> (o .:? "scope") <*> (o .:? "sub") <*> (o .:? "token_type") <*> (o .:? "token_use") <*> (o .:? "username") -- | ToJSON IntrospectedOAuth2Token instance A.ToJSON IntrospectedOAuth2Token where toJSON IntrospectedOAuth2Token {..} = _omitNulls [ "active" .= introspectedOAuth2TokenActive , "aud" .= introspectedOAuth2TokenAud , "client_id" .= introspectedOAuth2TokenClientId , "exp" .= introspectedOAuth2TokenExp , "ext" .= introspectedOAuth2TokenExt , "iat" .= introspectedOAuth2TokenIat , "iss" .= introspectedOAuth2TokenIss , "nbf" .= introspectedOAuth2TokenNbf , "obfuscated_subject" .= introspectedOAuth2TokenObfuscatedSubject , "scope" .= introspectedOAuth2TokenScope , "sub" .= introspectedOAuth2TokenSub , "token_type" .= introspectedOAuth2TokenTokenType , "token_use" .= introspectedOAuth2TokenTokenUse , "username" .= introspectedOAuth2TokenUsername ] -- | Construct a value of type 'IntrospectedOAuth2Token' (by applying it's required fields, if any) mkIntrospectedOAuth2Token :: Bool -- ^ 'introspectedOAuth2TokenActive': Active is a boolean indicator of whether or not the presented token is currently active. The specifics of a token's \"active\" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a \"true\" value return for the \"active\" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time). -> IntrospectedOAuth2Token mkIntrospectedOAuth2Token introspectedOAuth2TokenActive = IntrospectedOAuth2Token { introspectedOAuth2TokenActive , introspectedOAuth2TokenAud = Nothing , introspectedOAuth2TokenClientId = Nothing , introspectedOAuth2TokenExp = Nothing , introspectedOAuth2TokenExt = Nothing , introspectedOAuth2TokenIat = Nothing , introspectedOAuth2TokenIss = Nothing , introspectedOAuth2TokenNbf = Nothing , introspectedOAuth2TokenObfuscatedSubject = Nothing , introspectedOAuth2TokenScope = Nothing , introspectedOAuth2TokenSub = Nothing , introspectedOAuth2TokenTokenType = Nothing , introspectedOAuth2TokenTokenUse = Nothing , introspectedOAuth2TokenUsername = Nothing } -- ** IsReady200Response -- | IsReady200Response data IsReady200Response = IsReady200Response { isReady200ResponseStatus :: Maybe Text -- ^ "status" - Always \"ok\". } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON IsReady200Response instance A.FromJSON IsReady200Response where parseJSON = A.withObject "IsReady200Response" $ \o -> IsReady200Response <$> (o .:? "status") -- | ToJSON IsReady200Response instance A.ToJSON IsReady200Response where toJSON IsReady200Response {..} = _omitNulls [ "status" .= isReady200ResponseStatus ] -- | Construct a value of type 'IsReady200Response' (by applying it's required fields, if any) mkIsReady200Response :: IsReady200Response mkIsReady200Response = IsReady200Response { isReady200ResponseStatus = Nothing } -- ** IsReady503Response -- | IsReady503Response data IsReady503Response = IsReady503Response { isReady503ResponseErrors :: Maybe (Map.Map String Text) -- ^ "errors" - Errors contains a list of errors that caused the not ready status. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON IsReady503Response instance A.FromJSON IsReady503Response where parseJSON = A.withObject "IsReady503Response" $ \o -> IsReady503Response <$> (o .:? "errors") -- | ToJSON IsReady503Response instance A.ToJSON IsReady503Response where toJSON IsReady503Response {..} = _omitNulls [ "errors" .= isReady503ResponseErrors ] -- | Construct a value of type 'IsReady503Response' (by applying it's required fields, if any) mkIsReady503Response :: IsReady503Response mkIsReady503Response = IsReady503Response { isReady503ResponseErrors = Nothing } -- ** JsonPatch -- | JsonPatch -- A JSONPatch document as defined by RFC 6902 data JsonPatch = JsonPatch { jsonPatchFrom :: Maybe Text -- ^ "from" - This field is used together with operation \"move\" and uses JSON Pointer notation. Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5). , jsonPatchOp :: Text -- ^ /Required/ "op" - The operation to be performed. One of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\". , jsonPatchPath :: Text -- ^ /Required/ "path" - The path to the target path. Uses JSON pointer notation. Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5). , jsonPatchValue :: Maybe A.Value -- ^ "value" - The value to be used within the operations. Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5). } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON JsonPatch instance A.FromJSON JsonPatch where parseJSON = A.withObject "JsonPatch" $ \o -> JsonPatch <$> (o .:? "from") <*> (o .: "op") <*> (o .: "path") <*> (o .:? "value") -- | ToJSON JsonPatch instance A.ToJSON JsonPatch where toJSON JsonPatch {..} = _omitNulls [ "from" .= jsonPatchFrom , "op" .= jsonPatchOp , "path" .= jsonPatchPath , "value" .= jsonPatchValue ] -- | Construct a value of type 'JsonPatch' (by applying it's required fields, if any) mkJsonPatch :: Text -- ^ 'jsonPatchOp': The operation to be performed. One of \"add\", \"remove\", \"replace\", \"move\", \"copy\", or \"test\". -> Text -- ^ 'jsonPatchPath': The path to the target path. Uses JSON pointer notation. Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5). -> JsonPatch mkJsonPatch jsonPatchOp jsonPatchPath = JsonPatch { jsonPatchFrom = Nothing , jsonPatchOp , jsonPatchPath , jsonPatchValue = Nothing } -- ** JsonWebKey -- | JsonWebKey data JsonWebKey = JsonWebKey { jsonWebKeyAlg :: Text -- ^ /Required/ "alg" - The \"alg\" (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA \"JSON Web Signature and Encryption Algorithms\" registry established by [JWA] or be a value that contains a Collision- Resistant Name. , jsonWebKeyCrv :: Maybe Text -- ^ "crv" , jsonWebKeyD :: Maybe Text -- ^ "d" , jsonWebKeyDp :: Maybe Text -- ^ "dp" , jsonWebKeyDq :: Maybe Text -- ^ "dq" , jsonWebKeyE :: Maybe Text -- ^ "e" , jsonWebKeyK :: Maybe Text -- ^ "k" , jsonWebKeyKid :: Text -- ^ /Required/ "kid" - The \"kid\" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the \"kid\" value is unspecified. When \"kid\" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct \"kid\" values. (One example in which different keys might use the same \"kid\" value is if they have different \"kty\" (key type) values but are considered to be equivalent alternatives by the application using them.) The \"kid\" value is a case-sensitive string. , jsonWebKeyKty :: Text -- ^ /Required/ "kty" - The \"kty\" (key type) parameter identifies the cryptographic algorithm family used with the key, such as \"RSA\" or \"EC\". \"kty\" values should either be registered in the IANA \"JSON Web Key Types\" registry established by [JWA] or be a value that contains a Collision- Resistant Name. The \"kty\" value is a case-sensitive string. , jsonWebKeyN :: Maybe Text -- ^ "n" , jsonWebKeyP :: Maybe Text -- ^ "p" , jsonWebKeyQ :: Maybe Text -- ^ "q" , jsonWebKeyQi :: Maybe Text -- ^ "qi" , jsonWebKeyUse :: Text -- ^ /Required/ "use" - Use (\"public key use\") identifies the intended use of the public key. The \"use\" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values are commonly \"sig\" (signature) or \"enc\" (encryption). , jsonWebKeyX :: Maybe Text -- ^ "x" , jsonWebKeyX5c :: Maybe [Text] -- ^ "x5c" - The \"x5c\" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. , jsonWebKeyY :: Maybe Text -- ^ "y" } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON JsonWebKey instance A.FromJSON JsonWebKey where parseJSON = A.withObject "JsonWebKey" $ \o -> JsonWebKey <$> (o .: "alg") <*> (o .:? "crv") <*> (o .:? "d") <*> (o .:? "dp") <*> (o .:? "dq") <*> (o .:? "e") <*> (o .:? "k") <*> (o .: "kid") <*> (o .: "kty") <*> (o .:? "n") <*> (o .:? "p") <*> (o .:? "q") <*> (o .:? "qi") <*> (o .: "use") <*> (o .:? "x") <*> (o .:? "x5c") <*> (o .:? "y") -- | ToJSON JsonWebKey instance A.ToJSON JsonWebKey where toJSON JsonWebKey {..} = _omitNulls [ "alg" .= jsonWebKeyAlg , "crv" .= jsonWebKeyCrv , "d" .= jsonWebKeyD , "dp" .= jsonWebKeyDp , "dq" .= jsonWebKeyDq , "e" .= jsonWebKeyE , "k" .= jsonWebKeyK , "kid" .= jsonWebKeyKid , "kty" .= jsonWebKeyKty , "n" .= jsonWebKeyN , "p" .= jsonWebKeyP , "q" .= jsonWebKeyQ , "qi" .= jsonWebKeyQi , "use" .= jsonWebKeyUse , "x" .= jsonWebKeyX , "x5c" .= jsonWebKeyX5c , "y" .= jsonWebKeyY ] -- | Construct a value of type 'JsonWebKey' (by applying it's required fields, if any) mkJsonWebKey :: Text -- ^ 'jsonWebKeyAlg': The \"alg\" (algorithm) parameter identifies the algorithm intended for use with the key. The values used should either be registered in the IANA \"JSON Web Signature and Encryption Algorithms\" registry established by [JWA] or be a value that contains a Collision- Resistant Name. -> Text -- ^ 'jsonWebKeyKid': The \"kid\" (key ID) parameter is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the \"kid\" value is unspecified. When \"kid\" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct \"kid\" values. (One example in which different keys might use the same \"kid\" value is if they have different \"kty\" (key type) values but are considered to be equivalent alternatives by the application using them.) The \"kid\" value is a case-sensitive string. -> Text -- ^ 'jsonWebKeyKty': The \"kty\" (key type) parameter identifies the cryptographic algorithm family used with the key, such as \"RSA\" or \"EC\". \"kty\" values should either be registered in the IANA \"JSON Web Key Types\" registry established by [JWA] or be a value that contains a Collision- Resistant Name. The \"kty\" value is a case-sensitive string. -> Text -- ^ 'jsonWebKeyUse': Use (\"public key use\") identifies the intended use of the public key. The \"use\" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values are commonly \"sig\" (signature) or \"enc\" (encryption). -> JsonWebKey mkJsonWebKey jsonWebKeyAlg jsonWebKeyKid jsonWebKeyKty jsonWebKeyUse = JsonWebKey { jsonWebKeyAlg , jsonWebKeyCrv = Nothing , jsonWebKeyD = Nothing , jsonWebKeyDp = Nothing , jsonWebKeyDq = Nothing , jsonWebKeyE = Nothing , jsonWebKeyK = Nothing , jsonWebKeyKid , jsonWebKeyKty , jsonWebKeyN = Nothing , jsonWebKeyP = Nothing , jsonWebKeyQ = Nothing , jsonWebKeyQi = Nothing , jsonWebKeyUse , jsonWebKeyX = Nothing , jsonWebKeyX5c = Nothing , jsonWebKeyY = Nothing } -- ** JsonWebKeySet -- | JsonWebKeySet -- JSON Web Key Set data JsonWebKeySet = JsonWebKeySet { jsonWebKeySetKeys :: Maybe [JsonWebKey] -- ^ "keys" - List of JSON Web Keys The value of the \"keys\" parameter is an array of JSON Web Key (JWK) values. By default, the order of the JWK values within the array does not imply an order of preference among them, although applications of JWK Sets can choose to assign a meaning to the order for their purposes, if desired. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON JsonWebKeySet instance A.FromJSON JsonWebKeySet where parseJSON = A.withObject "JsonWebKeySet" $ \o -> JsonWebKeySet <$> (o .:? "keys") -- | ToJSON JsonWebKeySet instance A.ToJSON JsonWebKeySet where toJSON JsonWebKeySet {..} = _omitNulls [ "keys" .= jsonWebKeySetKeys ] -- | Construct a value of type 'JsonWebKeySet' (by applying it's required fields, if any) mkJsonWebKeySet :: JsonWebKeySet mkJsonWebKeySet = JsonWebKeySet { jsonWebKeySetKeys = Nothing } -- ** OAuth2Client -- | OAuth2Client -- OAuth 2.0 Client -- -- OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities. data OAuth2Client = OAuth2Client { oAuth2ClientAllowedCorsOrigins :: Maybe [Text] -- ^ "allowed_cors_origins" , oAuth2ClientAudience :: Maybe [Text] -- ^ "audience" , oAuth2ClientAuthorizationCodeGrantAccessTokenLifespan :: Maybe Text -- ^ "authorization_code_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientAuthorizationCodeGrantIdTokenLifespan :: Maybe Text -- ^ "authorization_code_grant_id_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientAuthorizationCodeGrantRefreshTokenLifespan :: Maybe Text -- ^ "authorization_code_grant_refresh_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientBackchannelLogoutSessionRequired :: Maybe Bool -- ^ "backchannel_logout_session_required" - OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. , oAuth2ClientBackchannelLogoutUri :: Maybe Text -- ^ "backchannel_logout_uri" - OpenID Connect Back-Channel Logout URI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. , oAuth2ClientClientCredentialsGrantAccessTokenLifespan :: Maybe Text -- ^ "client_credentials_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientClientId :: Maybe Text -- ^ "client_id" - OAuth 2.0 Client ID The ID is autogenerated and immutable. , oAuth2ClientClientName :: Maybe Text -- ^ "client_name" - OAuth 2.0 Client Name The human-readable name of the client to be presented to the end-user during authorization. , oAuth2ClientClientSecret :: Maybe Text -- ^ "client_secret" - OAuth 2.0 Client Secret The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost. , oAuth2ClientClientSecretExpiresAt :: Maybe Integer -- ^ "client_secret_expires_at" - OAuth 2.0 Client Secret Expires At The field is currently not supported and its value is always 0. , oAuth2ClientClientUri :: Maybe Text -- ^ "client_uri" - OAuth 2.0 Client URI ClientURI is a URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. , oAuth2ClientContacts :: Maybe [Text] -- ^ "contacts" , oAuth2ClientCreatedAt :: Maybe DateTime -- ^ "created_at" - OAuth 2.0 Client Creation Date CreatedAt returns the timestamp of the client's creation. , oAuth2ClientFrontchannelLogoutSessionRequired :: Maybe Bool -- ^ "frontchannel_logout_session_required" - OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. If omitted, the default value is false. , oAuth2ClientFrontchannelLogoutUri :: Maybe Text -- ^ "frontchannel_logout_uri" - OpenID Connect Front-Channel Logout URI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be. , oAuth2ClientGrantTypes :: Maybe [Text] -- ^ "grant_types" , oAuth2ClientImplicitGrantAccessTokenLifespan :: Maybe Text -- ^ "implicit_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientImplicitGrantIdTokenLifespan :: Maybe Text -- ^ "implicit_grant_id_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientJwks :: Maybe A.Value -- ^ "jwks" - OAuth 2.0 Client JSON Web Key Set Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used together. , oAuth2ClientJwksUri :: Maybe Text -- ^ "jwks_uri" - OAuth 2.0 Client JSON Web Key Set URL URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. , oAuth2ClientJwtBearerGrantAccessTokenLifespan :: Maybe Text -- ^ "jwt_bearer_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientLogoUri :: Maybe Text -- ^ "logo_uri" - OAuth 2.0 Client Logo URI A URL string referencing the client's logo. , oAuth2ClientMetadata :: Maybe A.Value -- ^ "metadata" , oAuth2ClientOwner :: Maybe Text -- ^ "owner" - OAuth 2.0 Client Owner Owner is a string identifying the owner of the OAuth 2.0 Client. , oAuth2ClientPolicyUri :: Maybe Text -- ^ "policy_uri" - OAuth 2.0 Client Policy URI PolicyURI is a URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data. , oAuth2ClientPostLogoutRedirectUris :: Maybe [Text] -- ^ "post_logout_redirect_uris" , oAuth2ClientRedirectUris :: Maybe [Text] -- ^ "redirect_uris" , oAuth2ClientRefreshTokenGrantAccessTokenLifespan :: Maybe Text -- ^ "refresh_token_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientRefreshTokenGrantIdTokenLifespan :: Maybe Text -- ^ "refresh_token_grant_id_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientRefreshTokenGrantRefreshTokenLifespan :: Maybe Text -- ^ "refresh_token_grant_refresh_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientRegistrationAccessToken :: Maybe Text -- ^ "registration_access_token" - OpenID Connect Dynamic Client Registration Access Token RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client using Dynamic Client Registration. , oAuth2ClientRegistrationClientUri :: Maybe Text -- ^ "registration_client_uri" - OpenID Connect Dynamic Client Registration URL RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client. , oAuth2ClientRequestObjectSigningAlg :: Maybe Text -- ^ "request_object_signing_alg" - OpenID Connect Request Object Signing Algorithm JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. , oAuth2ClientRequestUris :: Maybe [Text] -- ^ "request_uris" , oAuth2ClientResponseTypes :: Maybe [Text] -- ^ "response_types" , oAuth2ClientScope :: Maybe Text -- ^ "scope" - OAuth 2.0 Client Scope Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. , oAuth2ClientSectorIdentifierUri :: Maybe Text -- ^ "sector_identifier_uri" - OpenID Connect Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. , oAuth2ClientSubjectType :: Maybe Text -- ^ "subject_type" - OpenID Connect Subject Type The `subject_types_supported` Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. , oAuth2ClientTokenEndpointAuthMethod :: Maybe Text -- ^ "token_endpoint_auth_method" - OAuth 2.0 Token Endpoint Authentication Method Requested Client Authentication method for the Token Endpoint. The options are: `client_secret_post`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body. `client_secret_basic`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header. `private_key_jwt`: Use JSON Web Tokens to authenticate the client. `none`: Used for public clients (native apps, mobile apps) which can not have secrets. , oAuth2ClientTokenEndpointAuthSigningAlg :: Maybe Text -- ^ "token_endpoint_auth_signing_alg" - OAuth 2.0 Token Endpoint Signing Algorithm Requested Client Authentication signing algorithm for the Token Endpoint. , oAuth2ClientTosUri :: Maybe Text -- ^ "tos_uri" - OAuth 2.0 Client Terms of Service URI A URL string pointing to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client. , oAuth2ClientUpdatedAt :: Maybe DateTime -- ^ "updated_at" - OAuth 2.0 Client Last Update Date UpdatedAt returns the timestamp of the last update. , oAuth2ClientUserinfoSignedResponseAlg :: Maybe Text -- ^ "userinfo_signed_response_alg" - OpenID Connect Request Userinfo Signed Response Algorithm JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims as a UTF-8 encoded JSON object using the application/json content-type. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2Client instance A.FromJSON OAuth2Client where parseJSON = A.withObject "OAuth2Client" $ \o -> OAuth2Client <$> (o .:? "allowed_cors_origins") <*> (o .:? "audience") <*> (o .:? "authorization_code_grant_access_token_lifespan") <*> (o .:? "authorization_code_grant_id_token_lifespan") <*> (o .:? "authorization_code_grant_refresh_token_lifespan") <*> (o .:? "backchannel_logout_session_required") <*> (o .:? "backchannel_logout_uri") <*> (o .:? "client_credentials_grant_access_token_lifespan") <*> (o .:? "client_id") <*> (o .:? "client_name") <*> (o .:? "client_secret") <*> (o .:? "client_secret_expires_at") <*> (o .:? "client_uri") <*> (o .:? "contacts") <*> (o .:? "created_at") <*> (o .:? "frontchannel_logout_session_required") <*> (o .:? "frontchannel_logout_uri") <*> (o .:? "grant_types") <*> (o .:? "implicit_grant_access_token_lifespan") <*> (o .:? "implicit_grant_id_token_lifespan") <*> (o .:? "jwks") <*> (o .:? "jwks_uri") <*> (o .:? "jwt_bearer_grant_access_token_lifespan") <*> (o .:? "logo_uri") <*> (o .:? "metadata") <*> (o .:? "owner") <*> (o .:? "policy_uri") <*> (o .:? "post_logout_redirect_uris") <*> (o .:? "redirect_uris") <*> (o .:? "refresh_token_grant_access_token_lifespan") <*> (o .:? "refresh_token_grant_id_token_lifespan") <*> (o .:? "refresh_token_grant_refresh_token_lifespan") <*> (o .:? "registration_access_token") <*> (o .:? "registration_client_uri") <*> (o .:? "request_object_signing_alg") <*> (o .:? "request_uris") <*> (o .:? "response_types") <*> (o .:? "scope") <*> (o .:? "sector_identifier_uri") <*> (o .:? "subject_type") <*> (o .:? "token_endpoint_auth_method") <*> (o .:? "token_endpoint_auth_signing_alg") <*> (o .:? "tos_uri") <*> (o .:? "updated_at") <*> (o .:? "userinfo_signed_response_alg") -- | ToJSON OAuth2Client instance A.ToJSON OAuth2Client where toJSON OAuth2Client {..} = _omitNulls [ "allowed_cors_origins" .= oAuth2ClientAllowedCorsOrigins , "audience" .= oAuth2ClientAudience , "authorization_code_grant_access_token_lifespan" .= oAuth2ClientAuthorizationCodeGrantAccessTokenLifespan , "authorization_code_grant_id_token_lifespan" .= oAuth2ClientAuthorizationCodeGrantIdTokenLifespan , "authorization_code_grant_refresh_token_lifespan" .= oAuth2ClientAuthorizationCodeGrantRefreshTokenLifespan , "backchannel_logout_session_required" .= oAuth2ClientBackchannelLogoutSessionRequired , "backchannel_logout_uri" .= oAuth2ClientBackchannelLogoutUri , "client_credentials_grant_access_token_lifespan" .= oAuth2ClientClientCredentialsGrantAccessTokenLifespan , "client_id" .= oAuth2ClientClientId , "client_name" .= oAuth2ClientClientName , "client_secret" .= oAuth2ClientClientSecret , "client_secret_expires_at" .= oAuth2ClientClientSecretExpiresAt , "client_uri" .= oAuth2ClientClientUri , "contacts" .= oAuth2ClientContacts , "created_at" .= oAuth2ClientCreatedAt , "frontchannel_logout_session_required" .= oAuth2ClientFrontchannelLogoutSessionRequired , "frontchannel_logout_uri" .= oAuth2ClientFrontchannelLogoutUri , "grant_types" .= oAuth2ClientGrantTypes , "implicit_grant_access_token_lifespan" .= oAuth2ClientImplicitGrantAccessTokenLifespan , "implicit_grant_id_token_lifespan" .= oAuth2ClientImplicitGrantIdTokenLifespan , "jwks" .= oAuth2ClientJwks , "jwks_uri" .= oAuth2ClientJwksUri , "jwt_bearer_grant_access_token_lifespan" .= oAuth2ClientJwtBearerGrantAccessTokenLifespan , "logo_uri" .= oAuth2ClientLogoUri , "metadata" .= oAuth2ClientMetadata , "owner" .= oAuth2ClientOwner , "policy_uri" .= oAuth2ClientPolicyUri , "post_logout_redirect_uris" .= oAuth2ClientPostLogoutRedirectUris , "redirect_uris" .= oAuth2ClientRedirectUris , "refresh_token_grant_access_token_lifespan" .= oAuth2ClientRefreshTokenGrantAccessTokenLifespan , "refresh_token_grant_id_token_lifespan" .= oAuth2ClientRefreshTokenGrantIdTokenLifespan , "refresh_token_grant_refresh_token_lifespan" .= oAuth2ClientRefreshTokenGrantRefreshTokenLifespan , "registration_access_token" .= oAuth2ClientRegistrationAccessToken , "registration_client_uri" .= oAuth2ClientRegistrationClientUri , "request_object_signing_alg" .= oAuth2ClientRequestObjectSigningAlg , "request_uris" .= oAuth2ClientRequestUris , "response_types" .= oAuth2ClientResponseTypes , "scope" .= oAuth2ClientScope , "sector_identifier_uri" .= oAuth2ClientSectorIdentifierUri , "subject_type" .= oAuth2ClientSubjectType , "token_endpoint_auth_method" .= oAuth2ClientTokenEndpointAuthMethod , "token_endpoint_auth_signing_alg" .= oAuth2ClientTokenEndpointAuthSigningAlg , "tos_uri" .= oAuth2ClientTosUri , "updated_at" .= oAuth2ClientUpdatedAt , "userinfo_signed_response_alg" .= oAuth2ClientUserinfoSignedResponseAlg ] -- | Construct a value of type 'OAuth2Client' (by applying it's required fields, if any) mkOAuth2Client :: OAuth2Client mkOAuth2Client = OAuth2Client { oAuth2ClientAllowedCorsOrigins = Nothing , oAuth2ClientAudience = Nothing , oAuth2ClientAuthorizationCodeGrantAccessTokenLifespan = Nothing , oAuth2ClientAuthorizationCodeGrantIdTokenLifespan = Nothing , oAuth2ClientAuthorizationCodeGrantRefreshTokenLifespan = Nothing , oAuth2ClientBackchannelLogoutSessionRequired = Nothing , oAuth2ClientBackchannelLogoutUri = Nothing , oAuth2ClientClientCredentialsGrantAccessTokenLifespan = Nothing , oAuth2ClientClientId = Nothing , oAuth2ClientClientName = Nothing , oAuth2ClientClientSecret = Nothing , oAuth2ClientClientSecretExpiresAt = Nothing , oAuth2ClientClientUri = Nothing , oAuth2ClientContacts = Nothing , oAuth2ClientCreatedAt = Nothing , oAuth2ClientFrontchannelLogoutSessionRequired = Nothing , oAuth2ClientFrontchannelLogoutUri = Nothing , oAuth2ClientGrantTypes = Nothing , oAuth2ClientImplicitGrantAccessTokenLifespan = Nothing , oAuth2ClientImplicitGrantIdTokenLifespan = Nothing , oAuth2ClientJwks = Nothing , oAuth2ClientJwksUri = Nothing , oAuth2ClientJwtBearerGrantAccessTokenLifespan = Nothing , oAuth2ClientLogoUri = Nothing , oAuth2ClientMetadata = Nothing , oAuth2ClientOwner = Nothing , oAuth2ClientPolicyUri = Nothing , oAuth2ClientPostLogoutRedirectUris = Nothing , oAuth2ClientRedirectUris = Nothing , oAuth2ClientRefreshTokenGrantAccessTokenLifespan = Nothing , oAuth2ClientRefreshTokenGrantIdTokenLifespan = Nothing , oAuth2ClientRefreshTokenGrantRefreshTokenLifespan = Nothing , oAuth2ClientRegistrationAccessToken = Nothing , oAuth2ClientRegistrationClientUri = Nothing , oAuth2ClientRequestObjectSigningAlg = Nothing , oAuth2ClientRequestUris = Nothing , oAuth2ClientResponseTypes = Nothing , oAuth2ClientScope = Nothing , oAuth2ClientSectorIdentifierUri = Nothing , oAuth2ClientSubjectType = Nothing , oAuth2ClientTokenEndpointAuthMethod = Nothing , oAuth2ClientTokenEndpointAuthSigningAlg = Nothing , oAuth2ClientTosUri = Nothing , oAuth2ClientUpdatedAt = Nothing , oAuth2ClientUserinfoSignedResponseAlg = Nothing } -- ** OAuth2ClientTokenLifespans -- | OAuth2ClientTokenLifespans -- OAuth 2.0 Client Token Lifespans -- -- Lifespans of different token types issued for this OAuth 2.0 Client. data OAuth2ClientTokenLifespans = OAuth2ClientTokenLifespans { oAuth2ClientTokenLifespansAuthorizationCodeGrantAccessTokenLifespan :: Maybe Text -- ^ "authorization_code_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansAuthorizationCodeGrantIdTokenLifespan :: Maybe Text -- ^ "authorization_code_grant_id_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansAuthorizationCodeGrantRefreshTokenLifespan :: Maybe Text -- ^ "authorization_code_grant_refresh_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansClientCredentialsGrantAccessTokenLifespan :: Maybe Text -- ^ "client_credentials_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansImplicitGrantAccessTokenLifespan :: Maybe Text -- ^ "implicit_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansImplicitGrantIdTokenLifespan :: Maybe Text -- ^ "implicit_grant_id_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansJwtBearerGrantAccessTokenLifespan :: Maybe Text -- ^ "jwt_bearer_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansRefreshTokenGrantAccessTokenLifespan :: Maybe Text -- ^ "refresh_token_grant_access_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansRefreshTokenGrantIdTokenLifespan :: Maybe Text -- ^ "refresh_token_grant_id_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. , oAuth2ClientTokenLifespansRefreshTokenGrantRefreshTokenLifespan :: Maybe Text -- ^ "refresh_token_grant_refresh_token_lifespan" - Specify a time duration in milliseconds, seconds, minutes, hours. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2ClientTokenLifespans instance A.FromJSON OAuth2ClientTokenLifespans where parseJSON = A.withObject "OAuth2ClientTokenLifespans" $ \o -> OAuth2ClientTokenLifespans <$> (o .:? "authorization_code_grant_access_token_lifespan") <*> (o .:? "authorization_code_grant_id_token_lifespan") <*> (o .:? "authorization_code_grant_refresh_token_lifespan") <*> (o .:? "client_credentials_grant_access_token_lifespan") <*> (o .:? "implicit_grant_access_token_lifespan") <*> (o .:? "implicit_grant_id_token_lifespan") <*> (o .:? "jwt_bearer_grant_access_token_lifespan") <*> (o .:? "refresh_token_grant_access_token_lifespan") <*> (o .:? "refresh_token_grant_id_token_lifespan") <*> (o .:? "refresh_token_grant_refresh_token_lifespan") -- | ToJSON OAuth2ClientTokenLifespans instance A.ToJSON OAuth2ClientTokenLifespans where toJSON OAuth2ClientTokenLifespans {..} = _omitNulls [ "authorization_code_grant_access_token_lifespan" .= oAuth2ClientTokenLifespansAuthorizationCodeGrantAccessTokenLifespan , "authorization_code_grant_id_token_lifespan" .= oAuth2ClientTokenLifespansAuthorizationCodeGrantIdTokenLifespan , "authorization_code_grant_refresh_token_lifespan" .= oAuth2ClientTokenLifespansAuthorizationCodeGrantRefreshTokenLifespan , "client_credentials_grant_access_token_lifespan" .= oAuth2ClientTokenLifespansClientCredentialsGrantAccessTokenLifespan , "implicit_grant_access_token_lifespan" .= oAuth2ClientTokenLifespansImplicitGrantAccessTokenLifespan , "implicit_grant_id_token_lifespan" .= oAuth2ClientTokenLifespansImplicitGrantIdTokenLifespan , "jwt_bearer_grant_access_token_lifespan" .= oAuth2ClientTokenLifespansJwtBearerGrantAccessTokenLifespan , "refresh_token_grant_access_token_lifespan" .= oAuth2ClientTokenLifespansRefreshTokenGrantAccessTokenLifespan , "refresh_token_grant_id_token_lifespan" .= oAuth2ClientTokenLifespansRefreshTokenGrantIdTokenLifespan , "refresh_token_grant_refresh_token_lifespan" .= oAuth2ClientTokenLifespansRefreshTokenGrantRefreshTokenLifespan ] -- | Construct a value of type 'OAuth2ClientTokenLifespans' (by applying it's required fields, if any) mkOAuth2ClientTokenLifespans :: OAuth2ClientTokenLifespans mkOAuth2ClientTokenLifespans = OAuth2ClientTokenLifespans { oAuth2ClientTokenLifespansAuthorizationCodeGrantAccessTokenLifespan = Nothing , oAuth2ClientTokenLifespansAuthorizationCodeGrantIdTokenLifespan = Nothing , oAuth2ClientTokenLifespansAuthorizationCodeGrantRefreshTokenLifespan = Nothing , oAuth2ClientTokenLifespansClientCredentialsGrantAccessTokenLifespan = Nothing , oAuth2ClientTokenLifespansImplicitGrantAccessTokenLifespan = Nothing , oAuth2ClientTokenLifespansImplicitGrantIdTokenLifespan = Nothing , oAuth2ClientTokenLifespansJwtBearerGrantAccessTokenLifespan = Nothing , oAuth2ClientTokenLifespansRefreshTokenGrantAccessTokenLifespan = Nothing , oAuth2ClientTokenLifespansRefreshTokenGrantIdTokenLifespan = Nothing , oAuth2ClientTokenLifespansRefreshTokenGrantRefreshTokenLifespan = Nothing } -- ** OAuth2ConsentRequest -- | OAuth2ConsentRequest -- Contains information on an ongoing consent request. -- data OAuth2ConsentRequest = OAuth2ConsentRequest { oAuth2ConsentRequestAcr :: Maybe Text -- ^ "acr" - ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it to express that, for example, a user authenticated using two factor authentication. , oAuth2ConsentRequestAmr :: Maybe [Text] -- ^ "amr" , oAuth2ConsentRequestChallenge :: Text -- ^ /Required/ "challenge" - ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. , oAuth2ConsentRequestClient :: Maybe OAuth2Client -- ^ "client" , oAuth2ConsentRequestContext :: Maybe A.Value -- ^ "context" , oAuth2ConsentRequestLoginChallenge :: Maybe Text -- ^ "login_challenge" - LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate a login and consent request in the login & consent app. , oAuth2ConsentRequestLoginSessionId :: Maybe Text -- ^ "login_session_id" - LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. , oAuth2ConsentRequestOidcContext :: Maybe OAuth2ConsentRequestOpenIDConnectContext -- ^ "oidc_context" , oAuth2ConsentRequestRequestUrl :: Maybe Text -- ^ "request_url" - RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. , oAuth2ConsentRequestRequestedAccessTokenAudience :: Maybe [Text] -- ^ "requested_access_token_audience" , oAuth2ConsentRequestRequestedScope :: Maybe [Text] -- ^ "requested_scope" , oAuth2ConsentRequestSkip :: Maybe Bool -- ^ "skip" - Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the consent request using the usual API call. , oAuth2ConsentRequestSubject :: Maybe Text -- ^ "subject" - Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2ConsentRequest instance A.FromJSON OAuth2ConsentRequest where parseJSON = A.withObject "OAuth2ConsentRequest" $ \o -> OAuth2ConsentRequest <$> (o .:? "acr") <*> (o .:? "amr") <*> (o .: "challenge") <*> (o .:? "client") <*> (o .:? "context") <*> (o .:? "login_challenge") <*> (o .:? "login_session_id") <*> (o .:? "oidc_context") <*> (o .:? "request_url") <*> (o .:? "requested_access_token_audience") <*> (o .:? "requested_scope") <*> (o .:? "skip") <*> (o .:? "subject") -- | ToJSON OAuth2ConsentRequest instance A.ToJSON OAuth2ConsentRequest where toJSON OAuth2ConsentRequest {..} = _omitNulls [ "acr" .= oAuth2ConsentRequestAcr , "amr" .= oAuth2ConsentRequestAmr , "challenge" .= oAuth2ConsentRequestChallenge , "client" .= oAuth2ConsentRequestClient , "context" .= oAuth2ConsentRequestContext , "login_challenge" .= oAuth2ConsentRequestLoginChallenge , "login_session_id" .= oAuth2ConsentRequestLoginSessionId , "oidc_context" .= oAuth2ConsentRequestOidcContext , "request_url" .= oAuth2ConsentRequestRequestUrl , "requested_access_token_audience" .= oAuth2ConsentRequestRequestedAccessTokenAudience , "requested_scope" .= oAuth2ConsentRequestRequestedScope , "skip" .= oAuth2ConsentRequestSkip , "subject" .= oAuth2ConsentRequestSubject ] -- | Construct a value of type 'OAuth2ConsentRequest' (by applying it's required fields, if any) mkOAuth2ConsentRequest :: Text -- ^ 'oAuth2ConsentRequestChallenge': ID is the identifier (\"authorization challenge\") of the consent authorization request. It is used to identify the session. -> OAuth2ConsentRequest mkOAuth2ConsentRequest oAuth2ConsentRequestChallenge = OAuth2ConsentRequest { oAuth2ConsentRequestAcr = Nothing , oAuth2ConsentRequestAmr = Nothing , oAuth2ConsentRequestChallenge , oAuth2ConsentRequestClient = Nothing , oAuth2ConsentRequestContext = Nothing , oAuth2ConsentRequestLoginChallenge = Nothing , oAuth2ConsentRequestLoginSessionId = Nothing , oAuth2ConsentRequestOidcContext = Nothing , oAuth2ConsentRequestRequestUrl = Nothing , oAuth2ConsentRequestRequestedAccessTokenAudience = Nothing , oAuth2ConsentRequestRequestedScope = Nothing , oAuth2ConsentRequestSkip = Nothing , oAuth2ConsentRequestSubject = Nothing } -- ** OAuth2ConsentRequestOpenIDConnectContext -- | OAuth2ConsentRequestOpenIDConnectContext -- Contains optional information about the OpenID Connect request. -- data OAuth2ConsentRequestOpenIDConnectContext = OAuth2ConsentRequestOpenIDConnectContext { oAuth2ConsentRequestOpenIDConnectContextAcrValues :: Maybe [Text] -- ^ "acr_values" - ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request. It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required. OpenID Connect defines it as follows: > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter. , oAuth2ConsentRequestOpenIDConnectContextDisplay :: Maybe Text -- ^ "display" - Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode. popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over. touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface. wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a \"feature phone\" type display. The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display. , oAuth2ConsentRequestOpenIDConnectContextIdTokenHintClaims :: Maybe (Map.Map String A.Value) -- ^ "id_token_hint_claims" - IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. , oAuth2ConsentRequestOpenIDConnectContextLoginHint :: Maybe Text -- ^ "login_hint" - LoginHint hints about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is optional. , oAuth2ConsentRequestOpenIDConnectContextUiLocales :: Maybe [Text] -- ^ "ui_locales" - UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value \"fr-CA fr en\" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2ConsentRequestOpenIDConnectContext instance A.FromJSON OAuth2ConsentRequestOpenIDConnectContext where parseJSON = A.withObject "OAuth2ConsentRequestOpenIDConnectContext" $ \o -> OAuth2ConsentRequestOpenIDConnectContext <$> (o .:? "acr_values") <*> (o .:? "display") <*> (o .:? "id_token_hint_claims") <*> (o .:? "login_hint") <*> (o .:? "ui_locales") -- | ToJSON OAuth2ConsentRequestOpenIDConnectContext instance A.ToJSON OAuth2ConsentRequestOpenIDConnectContext where toJSON OAuth2ConsentRequestOpenIDConnectContext {..} = _omitNulls [ "acr_values" .= oAuth2ConsentRequestOpenIDConnectContextAcrValues , "display" .= oAuth2ConsentRequestOpenIDConnectContextDisplay , "id_token_hint_claims" .= oAuth2ConsentRequestOpenIDConnectContextIdTokenHintClaims , "login_hint" .= oAuth2ConsentRequestOpenIDConnectContextLoginHint , "ui_locales" .= oAuth2ConsentRequestOpenIDConnectContextUiLocales ] -- | Construct a value of type 'OAuth2ConsentRequestOpenIDConnectContext' (by applying it's required fields, if any) mkOAuth2ConsentRequestOpenIDConnectContext :: OAuth2ConsentRequestOpenIDConnectContext mkOAuth2ConsentRequestOpenIDConnectContext = OAuth2ConsentRequestOpenIDConnectContext { oAuth2ConsentRequestOpenIDConnectContextAcrValues = Nothing , oAuth2ConsentRequestOpenIDConnectContextDisplay = Nothing , oAuth2ConsentRequestOpenIDConnectContextIdTokenHintClaims = Nothing , oAuth2ConsentRequestOpenIDConnectContextLoginHint = Nothing , oAuth2ConsentRequestOpenIDConnectContextUiLocales = Nothing } -- ** OAuth2ConsentSession -- | OAuth2ConsentSession -- OAuth 2.0 Consent Session -- -- A completed OAuth 2.0 Consent Session. data OAuth2ConsentSession = OAuth2ConsentSession { oAuth2ConsentSessionConsentRequest :: Maybe OAuth2ConsentRequest -- ^ "consent_request" , oAuth2ConsentSessionExpiresAt :: Maybe OAuth2ConsentSessionExpiresAt -- ^ "expires_at" , oAuth2ConsentSessionGrantAccessTokenAudience :: Maybe [Text] -- ^ "grant_access_token_audience" , oAuth2ConsentSessionGrantScope :: Maybe [Text] -- ^ "grant_scope" , oAuth2ConsentSessionHandledAt :: Maybe DateTime -- ^ "handled_at" , oAuth2ConsentSessionRemember :: Maybe Bool -- ^ "remember" - Remember Consent Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same client asks the same user for the same, or a subset of, scope. , oAuth2ConsentSessionRememberFor :: Maybe Integer -- ^ "remember_for" - Remember Consent For RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the authorization will be remembered indefinitely. , oAuth2ConsentSessionSession :: Maybe AcceptOAuth2ConsentRequestSession -- ^ "session" } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2ConsentSession instance A.FromJSON OAuth2ConsentSession where parseJSON = A.withObject "OAuth2ConsentSession" $ \o -> OAuth2ConsentSession <$> (o .:? "consent_request") <*> (o .:? "expires_at") <*> (o .:? "grant_access_token_audience") <*> (o .:? "grant_scope") <*> (o .:? "handled_at") <*> (o .:? "remember") <*> (o .:? "remember_for") <*> (o .:? "session") -- | ToJSON OAuth2ConsentSession instance A.ToJSON OAuth2ConsentSession where toJSON OAuth2ConsentSession {..} = _omitNulls [ "consent_request" .= oAuth2ConsentSessionConsentRequest , "expires_at" .= oAuth2ConsentSessionExpiresAt , "grant_access_token_audience" .= oAuth2ConsentSessionGrantAccessTokenAudience , "grant_scope" .= oAuth2ConsentSessionGrantScope , "handled_at" .= oAuth2ConsentSessionHandledAt , "remember" .= oAuth2ConsentSessionRemember , "remember_for" .= oAuth2ConsentSessionRememberFor , "session" .= oAuth2ConsentSessionSession ] -- | Construct a value of type 'OAuth2ConsentSession' (by applying it's required fields, if any) mkOAuth2ConsentSession :: OAuth2ConsentSession mkOAuth2ConsentSession = OAuth2ConsentSession { oAuth2ConsentSessionConsentRequest = Nothing , oAuth2ConsentSessionExpiresAt = Nothing , oAuth2ConsentSessionGrantAccessTokenAudience = Nothing , oAuth2ConsentSessionGrantScope = Nothing , oAuth2ConsentSessionHandledAt = Nothing , oAuth2ConsentSessionRemember = Nothing , oAuth2ConsentSessionRememberFor = Nothing , oAuth2ConsentSessionSession = Nothing } -- ** OAuth2ConsentSessionExpiresAt -- | OAuth2ConsentSessionExpiresAt data OAuth2ConsentSessionExpiresAt = OAuth2ConsentSessionExpiresAt { oAuth2ConsentSessionExpiresAtAccessToken :: Maybe DateTime -- ^ "access_token" , oAuth2ConsentSessionExpiresAtAuthorizeCode :: Maybe DateTime -- ^ "authorize_code" , oAuth2ConsentSessionExpiresAtIdToken :: Maybe DateTime -- ^ "id_token" , oAuth2ConsentSessionExpiresAtParContext :: Maybe DateTime -- ^ "par_context" , oAuth2ConsentSessionExpiresAtRefreshToken :: Maybe DateTime -- ^ "refresh_token" } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2ConsentSessionExpiresAt instance A.FromJSON OAuth2ConsentSessionExpiresAt where parseJSON = A.withObject "OAuth2ConsentSessionExpiresAt" $ \o -> OAuth2ConsentSessionExpiresAt <$> (o .:? "access_token") <*> (o .:? "authorize_code") <*> (o .:? "id_token") <*> (o .:? "par_context") <*> (o .:? "refresh_token") -- | ToJSON OAuth2ConsentSessionExpiresAt instance A.ToJSON OAuth2ConsentSessionExpiresAt where toJSON OAuth2ConsentSessionExpiresAt {..} = _omitNulls [ "access_token" .= oAuth2ConsentSessionExpiresAtAccessToken , "authorize_code" .= oAuth2ConsentSessionExpiresAtAuthorizeCode , "id_token" .= oAuth2ConsentSessionExpiresAtIdToken , "par_context" .= oAuth2ConsentSessionExpiresAtParContext , "refresh_token" .= oAuth2ConsentSessionExpiresAtRefreshToken ] -- | Construct a value of type 'OAuth2ConsentSessionExpiresAt' (by applying it's required fields, if any) mkOAuth2ConsentSessionExpiresAt :: OAuth2ConsentSessionExpiresAt mkOAuth2ConsentSessionExpiresAt = OAuth2ConsentSessionExpiresAt { oAuth2ConsentSessionExpiresAtAccessToken = Nothing , oAuth2ConsentSessionExpiresAtAuthorizeCode = Nothing , oAuth2ConsentSessionExpiresAtIdToken = Nothing , oAuth2ConsentSessionExpiresAtParContext = Nothing , oAuth2ConsentSessionExpiresAtRefreshToken = Nothing } -- ** OAuth2LoginRequest -- | OAuth2LoginRequest -- Contains information on an ongoing login request. -- data OAuth2LoginRequest = OAuth2LoginRequest { oAuth2LoginRequestChallenge :: Text -- ^ /Required/ "challenge" - ID is the identifier (\"login challenge\") of the login request. It is used to identify the session. , oAuth2LoginRequestClient :: OAuth2Client -- ^ /Required/ "client" , oAuth2LoginRequestOidcContext :: Maybe OAuth2ConsentRequestOpenIDConnectContext -- ^ "oidc_context" , oAuth2LoginRequestRequestUrl :: Text -- ^ /Required/ "request_url" - RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. , oAuth2LoginRequestRequestedAccessTokenAudience :: [Text] -- ^ /Required/ "requested_access_token_audience" , oAuth2LoginRequestRequestedScope :: [Text] -- ^ /Required/ "requested_scope" , oAuth2LoginRequestSessionId :: Maybe Text -- ^ "session_id" - SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. , oAuth2LoginRequestSkip :: Bool -- ^ /Required/ "skip" - Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. , oAuth2LoginRequestSubject :: Text -- ^ /Required/ "subject" - Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2LoginRequest instance A.FromJSON OAuth2LoginRequest where parseJSON = A.withObject "OAuth2LoginRequest" $ \o -> OAuth2LoginRequest <$> (o .: "challenge") <*> (o .: "client") <*> (o .:? "oidc_context") <*> (o .: "request_url") <*> (o .: "requested_access_token_audience") <*> (o .: "requested_scope") <*> (o .:? "session_id") <*> (o .: "skip") <*> (o .: "subject") -- | ToJSON OAuth2LoginRequest instance A.ToJSON OAuth2LoginRequest where toJSON OAuth2LoginRequest {..} = _omitNulls [ "challenge" .= oAuth2LoginRequestChallenge , "client" .= oAuth2LoginRequestClient , "oidc_context" .= oAuth2LoginRequestOidcContext , "request_url" .= oAuth2LoginRequestRequestUrl , "requested_access_token_audience" .= oAuth2LoginRequestRequestedAccessTokenAudience , "requested_scope" .= oAuth2LoginRequestRequestedScope , "session_id" .= oAuth2LoginRequestSessionId , "skip" .= oAuth2LoginRequestSkip , "subject" .= oAuth2LoginRequestSubject ] -- | Construct a value of type 'OAuth2LoginRequest' (by applying it's required fields, if any) mkOAuth2LoginRequest :: Text -- ^ 'oAuth2LoginRequestChallenge': ID is the identifier (\"login challenge\") of the login request. It is used to identify the session. -> OAuth2Client -- ^ 'oAuth2LoginRequestClient' -> Text -- ^ 'oAuth2LoginRequestRequestUrl': RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. -> [Text] -- ^ 'oAuth2LoginRequestRequestedAccessTokenAudience' -> [Text] -- ^ 'oAuth2LoginRequestRequestedScope' -> Bool -- ^ 'oAuth2LoginRequestSkip': Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL. This feature allows you to update / set session information. -> Text -- ^ 'oAuth2LoginRequestSubject': Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. -> OAuth2LoginRequest mkOAuth2LoginRequest oAuth2LoginRequestChallenge oAuth2LoginRequestClient oAuth2LoginRequestRequestUrl oAuth2LoginRequestRequestedAccessTokenAudience oAuth2LoginRequestRequestedScope oAuth2LoginRequestSkip oAuth2LoginRequestSubject = OAuth2LoginRequest { oAuth2LoginRequestChallenge , oAuth2LoginRequestClient , oAuth2LoginRequestOidcContext = Nothing , oAuth2LoginRequestRequestUrl , oAuth2LoginRequestRequestedAccessTokenAudience , oAuth2LoginRequestRequestedScope , oAuth2LoginRequestSessionId = Nothing , oAuth2LoginRequestSkip , oAuth2LoginRequestSubject } -- ** OAuth2LogoutRequest -- | OAuth2LogoutRequest -- Contains information about an ongoing logout request. -- data OAuth2LogoutRequest = OAuth2LogoutRequest { oAuth2LogoutRequestChallenge :: Maybe Text -- ^ "challenge" - Challenge is the identifier (\"logout challenge\") of the logout authentication request. It is used to identify the session. , oAuth2LogoutRequestClient :: Maybe OAuth2Client -- ^ "client" , oAuth2LogoutRequestRequestUrl :: Maybe Text -- ^ "request_url" - RequestURL is the original Logout URL requested. , oAuth2LogoutRequestRpInitiated :: Maybe Bool -- ^ "rp_initiated" - RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client. , oAuth2LogoutRequestSid :: Maybe Text -- ^ "sid" - SessionID is the login session ID that was requested to log out. , oAuth2LogoutRequestSubject :: Maybe Text -- ^ "subject" - Subject is the user for whom the logout was request. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2LogoutRequest instance A.FromJSON OAuth2LogoutRequest where parseJSON = A.withObject "OAuth2LogoutRequest" $ \o -> OAuth2LogoutRequest <$> (o .:? "challenge") <*> (o .:? "client") <*> (o .:? "request_url") <*> (o .:? "rp_initiated") <*> (o .:? "sid") <*> (o .:? "subject") -- | ToJSON OAuth2LogoutRequest instance A.ToJSON OAuth2LogoutRequest where toJSON OAuth2LogoutRequest {..} = _omitNulls [ "challenge" .= oAuth2LogoutRequestChallenge , "client" .= oAuth2LogoutRequestClient , "request_url" .= oAuth2LogoutRequestRequestUrl , "rp_initiated" .= oAuth2LogoutRequestRpInitiated , "sid" .= oAuth2LogoutRequestSid , "subject" .= oAuth2LogoutRequestSubject ] -- | Construct a value of type 'OAuth2LogoutRequest' (by applying it's required fields, if any) mkOAuth2LogoutRequest :: OAuth2LogoutRequest mkOAuth2LogoutRequest = OAuth2LogoutRequest { oAuth2LogoutRequestChallenge = Nothing , oAuth2LogoutRequestClient = Nothing , oAuth2LogoutRequestRequestUrl = Nothing , oAuth2LogoutRequestRpInitiated = Nothing , oAuth2LogoutRequestSid = Nothing , oAuth2LogoutRequestSubject = Nothing } -- ** OAuth2RedirectTo -- | OAuth2RedirectTo -- OAuth 2.0 Redirect Browser To -- -- Contains a redirect URL used to complete a login, consent, or logout request. data OAuth2RedirectTo = OAuth2RedirectTo { oAuth2RedirectToRedirectTo :: Text -- ^ /Required/ "redirect_to" - RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2RedirectTo instance A.FromJSON OAuth2RedirectTo where parseJSON = A.withObject "OAuth2RedirectTo" $ \o -> OAuth2RedirectTo <$> (o .: "redirect_to") -- | ToJSON OAuth2RedirectTo instance A.ToJSON OAuth2RedirectTo where toJSON OAuth2RedirectTo {..} = _omitNulls [ "redirect_to" .= oAuth2RedirectToRedirectTo ] -- | Construct a value of type 'OAuth2RedirectTo' (by applying it's required fields, if any) mkOAuth2RedirectTo :: Text -- ^ 'oAuth2RedirectToRedirectTo': RedirectURL is the URL which you should redirect the user's browser to once the authentication process is completed. -> OAuth2RedirectTo mkOAuth2RedirectTo oAuth2RedirectToRedirectTo = OAuth2RedirectTo { oAuth2RedirectToRedirectTo } -- ** OAuth2TokenExchange -- | OAuth2TokenExchange -- OAuth2 Token Exchange Result data OAuth2TokenExchange = OAuth2TokenExchange { oAuth2TokenExchangeAccessToken :: Maybe Text -- ^ "access_token" - The access token issued by the authorization server. , oAuth2TokenExchangeExpiresIn :: Maybe Integer -- ^ "expires_in" - The lifetime in seconds of the access token. For example, the value \"3600\" denotes that the access token will expire in one hour from the time the response was generated. , oAuth2TokenExchangeIdToken :: Maybe Integer -- ^ "id_token" - To retrieve a refresh token request the id_token scope. , oAuth2TokenExchangeRefreshToken :: Maybe Text -- ^ "refresh_token" - The refresh token, which can be used to obtain new access tokens. To retrieve it add the scope \"offline\" to your access token request. , oAuth2TokenExchangeScope :: Maybe Text -- ^ "scope" - The scope of the access token , oAuth2TokenExchangeTokenType :: Maybe Text -- ^ "token_type" - The type of the token issued } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OAuth2TokenExchange instance A.FromJSON OAuth2TokenExchange where parseJSON = A.withObject "OAuth2TokenExchange" $ \o -> OAuth2TokenExchange <$> (o .:? "access_token") <*> (o .:? "expires_in") <*> (o .:? "id_token") <*> (o .:? "refresh_token") <*> (o .:? "scope") <*> (o .:? "token_type") -- | ToJSON OAuth2TokenExchange instance A.ToJSON OAuth2TokenExchange where toJSON OAuth2TokenExchange {..} = _omitNulls [ "access_token" .= oAuth2TokenExchangeAccessToken , "expires_in" .= oAuth2TokenExchangeExpiresIn , "id_token" .= oAuth2TokenExchangeIdToken , "refresh_token" .= oAuth2TokenExchangeRefreshToken , "scope" .= oAuth2TokenExchangeScope , "token_type" .= oAuth2TokenExchangeTokenType ] -- | Construct a value of type 'OAuth2TokenExchange' (by applying it's required fields, if any) mkOAuth2TokenExchange :: OAuth2TokenExchange mkOAuth2TokenExchange = OAuth2TokenExchange { oAuth2TokenExchangeAccessToken = Nothing , oAuth2TokenExchangeExpiresIn = Nothing , oAuth2TokenExchangeIdToken = Nothing , oAuth2TokenExchangeRefreshToken = Nothing , oAuth2TokenExchangeScope = Nothing , oAuth2TokenExchangeTokenType = Nothing } -- ** OidcConfiguration -- | OidcConfiguration -- OpenID Connect Discovery Metadata -- -- Includes links to several endpoints (for example `/oauth2/token`) and exposes information on supported signature algorithms among others. data OidcConfiguration = OidcConfiguration { oidcConfigurationAuthorizationEndpoint :: Text -- ^ /Required/ "authorization_endpoint" - OAuth 2.0 Authorization Endpoint URL , oidcConfigurationBackchannelLogoutSessionSupported :: Maybe Bool -- ^ "backchannel_logout_session_supported" - OpenID Connect Back-Channel Logout Session Required Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP , oidcConfigurationBackchannelLogoutSupported :: Maybe Bool -- ^ "backchannel_logout_supported" - OpenID Connect Back-Channel Logout Supported Boolean value specifying whether the OP supports back-channel logout, with true indicating support. , oidcConfigurationClaimsParameterSupported :: Maybe Bool -- ^ "claims_parameter_supported" - OpenID Connect Claims Parameter Parameter Supported Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. , oidcConfigurationClaimsSupported :: Maybe [Text] -- ^ "claims_supported" - OpenID Connect Supported Claims JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. , oidcConfigurationCodeChallengeMethodsSupported :: Maybe [Text] -- ^ "code_challenge_methods_supported" - OAuth 2.0 PKCE Supported Code Challenge Methods JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported by this authorization server. , oidcConfigurationEndSessionEndpoint :: Maybe Text -- ^ "end_session_endpoint" - OpenID Connect End-Session Endpoint URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. , oidcConfigurationFrontchannelLogoutSessionSupported :: Maybe Bool -- ^ "frontchannel_logout_session_supported" - OpenID Connect Front-Channel Logout Session Required Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OP. , oidcConfigurationFrontchannelLogoutSupported :: Maybe Bool -- ^ "frontchannel_logout_supported" - OpenID Connect Front-Channel Logout Supported Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. , oidcConfigurationGrantTypesSupported :: Maybe [Text] -- ^ "grant_types_supported" - OAuth 2.0 Supported Grant Types JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. , oidcConfigurationIdTokenSignedResponseAlg :: [Text] -- ^ /Required/ "id_token_signed_response_alg" - OpenID Connect Default ID Token Signing Algorithms Algorithm used to sign OpenID Connect ID Tokens. , oidcConfigurationIdTokenSigningAlgValuesSupported :: [Text] -- ^ /Required/ "id_token_signing_alg_values_supported" - OpenID Connect Supported ID Token Signing Algorithms JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. , oidcConfigurationIssuer :: Text -- ^ /Required/ "issuer" - OpenID Connect Issuer URL An URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier. If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL. , oidcConfigurationJwksUri :: Text -- ^ /Required/ "jwks_uri" - OpenID Connect Well-Known JSON Web Keys URL URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. , oidcConfigurationRegistrationEndpoint :: Maybe Text -- ^ "registration_endpoint" - OpenID Connect Dynamic Client Registration Endpoint URL , oidcConfigurationRequestObjectSigningAlgValuesSupported :: Maybe [Text] -- ^ "request_object_signing_alg_values_supported" - OpenID Connect Supported Request Object Signing Algorithms JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). , oidcConfigurationRequestParameterSupported :: Maybe Bool -- ^ "request_parameter_supported" - OpenID Connect Request Parameter Supported Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. , oidcConfigurationRequestUriParameterSupported :: Maybe Bool -- ^ "request_uri_parameter_supported" - OpenID Connect Request URI Parameter Supported Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. , oidcConfigurationRequireRequestUriRegistration :: Maybe Bool -- ^ "require_request_uri_registration" - OpenID Connect Requires Request URI Registration Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. , oidcConfigurationResponseModesSupported :: Maybe [Text] -- ^ "response_modes_supported" - OAuth 2.0 Supported Response Modes JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports. , oidcConfigurationResponseTypesSupported :: [Text] -- ^ /Required/ "response_types_supported" - OAuth 2.0 Supported Response Types JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. , oidcConfigurationRevocationEndpoint :: Maybe Text -- ^ "revocation_endpoint" - OAuth 2.0 Token Revocation URL URL of the authorization server's OAuth 2.0 revocation endpoint. , oidcConfigurationScopesSupported :: Maybe [Text] -- ^ "scopes_supported" - OAuth 2.0 Supported Scope Values JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used , oidcConfigurationSubjectTypesSupported :: [Text] -- ^ /Required/ "subject_types_supported" - OpenID Connect Supported Subject Types JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. , oidcConfigurationTokenEndpoint :: Text -- ^ /Required/ "token_endpoint" - OAuth 2.0 Token Endpoint URL , oidcConfigurationTokenEndpointAuthMethodsSupported :: Maybe [Text] -- ^ "token_endpoint_auth_methods_supported" - OAuth 2.0 Supported Client Authentication Methods JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 , oidcConfigurationUserinfoEndpoint :: Maybe Text -- ^ "userinfo_endpoint" - OpenID Connect Userinfo URL URL of the OP's UserInfo Endpoint. , oidcConfigurationUserinfoSignedResponseAlg :: [Text] -- ^ /Required/ "userinfo_signed_response_alg" - OpenID Connect User Userinfo Signing Algorithm Algorithm used to sign OpenID Connect Userinfo Responses. , oidcConfigurationUserinfoSigningAlgValuesSupported :: Maybe [Text] -- ^ "userinfo_signing_alg_values_supported" - OpenID Connect Supported Userinfo Signing Algorithm JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OidcConfiguration instance A.FromJSON OidcConfiguration where parseJSON = A.withObject "OidcConfiguration" $ \o -> OidcConfiguration <$> (o .: "authorization_endpoint") <*> (o .:? "backchannel_logout_session_supported") <*> (o .:? "backchannel_logout_supported") <*> (o .:? "claims_parameter_supported") <*> (o .:? "claims_supported") <*> (o .:? "code_challenge_methods_supported") <*> (o .:? "end_session_endpoint") <*> (o .:? "frontchannel_logout_session_supported") <*> (o .:? "frontchannel_logout_supported") <*> (o .:? "grant_types_supported") <*> (o .: "id_token_signed_response_alg") <*> (o .: "id_token_signing_alg_values_supported") <*> (o .: "issuer") <*> (o .: "jwks_uri") <*> (o .:? "registration_endpoint") <*> (o .:? "request_object_signing_alg_values_supported") <*> (o .:? "request_parameter_supported") <*> (o .:? "request_uri_parameter_supported") <*> (o .:? "require_request_uri_registration") <*> (o .:? "response_modes_supported") <*> (o .: "response_types_supported") <*> (o .:? "revocation_endpoint") <*> (o .:? "scopes_supported") <*> (o .: "subject_types_supported") <*> (o .: "token_endpoint") <*> (o .:? "token_endpoint_auth_methods_supported") <*> (o .:? "userinfo_endpoint") <*> (o .: "userinfo_signed_response_alg") <*> (o .:? "userinfo_signing_alg_values_supported") -- | ToJSON OidcConfiguration instance A.ToJSON OidcConfiguration where toJSON OidcConfiguration {..} = _omitNulls [ "authorization_endpoint" .= oidcConfigurationAuthorizationEndpoint , "backchannel_logout_session_supported" .= oidcConfigurationBackchannelLogoutSessionSupported , "backchannel_logout_supported" .= oidcConfigurationBackchannelLogoutSupported , "claims_parameter_supported" .= oidcConfigurationClaimsParameterSupported , "claims_supported" .= oidcConfigurationClaimsSupported , "code_challenge_methods_supported" .= oidcConfigurationCodeChallengeMethodsSupported , "end_session_endpoint" .= oidcConfigurationEndSessionEndpoint , "frontchannel_logout_session_supported" .= oidcConfigurationFrontchannelLogoutSessionSupported , "frontchannel_logout_supported" .= oidcConfigurationFrontchannelLogoutSupported , "grant_types_supported" .= oidcConfigurationGrantTypesSupported , "id_token_signed_response_alg" .= oidcConfigurationIdTokenSignedResponseAlg , "id_token_signing_alg_values_supported" .= oidcConfigurationIdTokenSigningAlgValuesSupported , "issuer" .= oidcConfigurationIssuer , "jwks_uri" .= oidcConfigurationJwksUri , "registration_endpoint" .= oidcConfigurationRegistrationEndpoint , "request_object_signing_alg_values_supported" .= oidcConfigurationRequestObjectSigningAlgValuesSupported , "request_parameter_supported" .= oidcConfigurationRequestParameterSupported , "request_uri_parameter_supported" .= oidcConfigurationRequestUriParameterSupported , "require_request_uri_registration" .= oidcConfigurationRequireRequestUriRegistration , "response_modes_supported" .= oidcConfigurationResponseModesSupported , "response_types_supported" .= oidcConfigurationResponseTypesSupported , "revocation_endpoint" .= oidcConfigurationRevocationEndpoint , "scopes_supported" .= oidcConfigurationScopesSupported , "subject_types_supported" .= oidcConfigurationSubjectTypesSupported , "token_endpoint" .= oidcConfigurationTokenEndpoint , "token_endpoint_auth_methods_supported" .= oidcConfigurationTokenEndpointAuthMethodsSupported , "userinfo_endpoint" .= oidcConfigurationUserinfoEndpoint , "userinfo_signed_response_alg" .= oidcConfigurationUserinfoSignedResponseAlg , "userinfo_signing_alg_values_supported" .= oidcConfigurationUserinfoSigningAlgValuesSupported ] -- | Construct a value of type 'OidcConfiguration' (by applying it's required fields, if any) mkOidcConfiguration :: Text -- ^ 'oidcConfigurationAuthorizationEndpoint': OAuth 2.0 Authorization Endpoint URL -> [Text] -- ^ 'oidcConfigurationIdTokenSignedResponseAlg': OpenID Connect Default ID Token Signing Algorithms Algorithm used to sign OpenID Connect ID Tokens. -> [Text] -- ^ 'oidcConfigurationIdTokenSigningAlgValuesSupported': OpenID Connect Supported ID Token Signing Algorithms JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. -> Text -- ^ 'oidcConfigurationIssuer': OpenID Connect Issuer URL An URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier. If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL. -> Text -- ^ 'oidcConfigurationJwksUri': OpenID Connect Well-Known JSON Web Keys URL URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. -> [Text] -- ^ 'oidcConfigurationResponseTypesSupported': OAuth 2.0 Supported Response Types JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. -> [Text] -- ^ 'oidcConfigurationSubjectTypesSupported': OpenID Connect Supported Subject Types JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. -> Text -- ^ 'oidcConfigurationTokenEndpoint': OAuth 2.0 Token Endpoint URL -> [Text] -- ^ 'oidcConfigurationUserinfoSignedResponseAlg': OpenID Connect User Userinfo Signing Algorithm Algorithm used to sign OpenID Connect Userinfo Responses. -> OidcConfiguration mkOidcConfiguration oidcConfigurationAuthorizationEndpoint oidcConfigurationIdTokenSignedResponseAlg oidcConfigurationIdTokenSigningAlgValuesSupported oidcConfigurationIssuer oidcConfigurationJwksUri oidcConfigurationResponseTypesSupported oidcConfigurationSubjectTypesSupported oidcConfigurationTokenEndpoint oidcConfigurationUserinfoSignedResponseAlg = OidcConfiguration { oidcConfigurationAuthorizationEndpoint , oidcConfigurationBackchannelLogoutSessionSupported = Nothing , oidcConfigurationBackchannelLogoutSupported = Nothing , oidcConfigurationClaimsParameterSupported = Nothing , oidcConfigurationClaimsSupported = Nothing , oidcConfigurationCodeChallengeMethodsSupported = Nothing , oidcConfigurationEndSessionEndpoint = Nothing , oidcConfigurationFrontchannelLogoutSessionSupported = Nothing , oidcConfigurationFrontchannelLogoutSupported = Nothing , oidcConfigurationGrantTypesSupported = Nothing , oidcConfigurationIdTokenSignedResponseAlg , oidcConfigurationIdTokenSigningAlgValuesSupported , oidcConfigurationIssuer , oidcConfigurationJwksUri , oidcConfigurationRegistrationEndpoint = Nothing , oidcConfigurationRequestObjectSigningAlgValuesSupported = Nothing , oidcConfigurationRequestParameterSupported = Nothing , oidcConfigurationRequestUriParameterSupported = Nothing , oidcConfigurationRequireRequestUriRegistration = Nothing , oidcConfigurationResponseModesSupported = Nothing , oidcConfigurationResponseTypesSupported , oidcConfigurationRevocationEndpoint = Nothing , oidcConfigurationScopesSupported = Nothing , oidcConfigurationSubjectTypesSupported , oidcConfigurationTokenEndpoint , oidcConfigurationTokenEndpointAuthMethodsSupported = Nothing , oidcConfigurationUserinfoEndpoint = Nothing , oidcConfigurationUserinfoSignedResponseAlg , oidcConfigurationUserinfoSigningAlgValuesSupported = Nothing } -- ** OidcUserInfo -- | OidcUserInfo -- OpenID Connect Userinfo data OidcUserInfo = OidcUserInfo { oidcUserInfoBirthdate :: Maybe Text -- ^ "birthdate" - End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates. , oidcUserInfoEmail :: Maybe Text -- ^ "email" - End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7. , oidcUserInfoEmailVerified :: Maybe Bool -- ^ "email_verified" - True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. , oidcUserInfoFamilyName :: Maybe Text -- ^ "family_name" - Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. , oidcUserInfoGender :: Maybe Text -- ^ "gender" - End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. , oidcUserInfoGivenName :: Maybe Text -- ^ "given_name" - Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. , oidcUserInfoLocale :: Maybe Text -- ^ "locale" - End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well. , oidcUserInfoMiddleName :: Maybe Text -- ^ "middle_name" - Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. , oidcUserInfoName :: Maybe Text -- ^ "name" - End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. , oidcUserInfoNickname :: Maybe Text -- ^ "nickname" - Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. , oidcUserInfoPhoneNumber :: Maybe Text -- ^ "phone_number" - End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678. , oidcUserInfoPhoneNumberVerified :: Maybe Bool -- ^ "phone_number_verified" - True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format. , oidcUserInfoPicture :: Maybe Text -- ^ "picture" - URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User. , oidcUserInfoPreferredUsername :: Maybe Text -- ^ "preferred_username" - Non-unique shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. , oidcUserInfoProfile :: Maybe Text -- ^ "profile" - URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. , oidcUserInfoSub :: Maybe Text -- ^ "sub" - Subject - Identifier for the End-User at the IssuerURL. , oidcUserInfoUpdatedAt :: Maybe Integer -- ^ "updated_at" - Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. , oidcUserInfoWebsite :: Maybe Text -- ^ "website" - URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with. , oidcUserInfoZoneinfo :: Maybe Text -- ^ "zoneinfo" - String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON OidcUserInfo instance A.FromJSON OidcUserInfo where parseJSON = A.withObject "OidcUserInfo" $ \o -> OidcUserInfo <$> (o .:? "birthdate") <*> (o .:? "email") <*> (o .:? "email_verified") <*> (o .:? "family_name") <*> (o .:? "gender") <*> (o .:? "given_name") <*> (o .:? "locale") <*> (o .:? "middle_name") <*> (o .:? "name") <*> (o .:? "nickname") <*> (o .:? "phone_number") <*> (o .:? "phone_number_verified") <*> (o .:? "picture") <*> (o .:? "preferred_username") <*> (o .:? "profile") <*> (o .:? "sub") <*> (o .:? "updated_at") <*> (o .:? "website") <*> (o .:? "zoneinfo") -- | ToJSON OidcUserInfo instance A.ToJSON OidcUserInfo where toJSON OidcUserInfo {..} = _omitNulls [ "birthdate" .= oidcUserInfoBirthdate , "email" .= oidcUserInfoEmail , "email_verified" .= oidcUserInfoEmailVerified , "family_name" .= oidcUserInfoFamilyName , "gender" .= oidcUserInfoGender , "given_name" .= oidcUserInfoGivenName , "locale" .= oidcUserInfoLocale , "middle_name" .= oidcUserInfoMiddleName , "name" .= oidcUserInfoName , "nickname" .= oidcUserInfoNickname , "phone_number" .= oidcUserInfoPhoneNumber , "phone_number_verified" .= oidcUserInfoPhoneNumberVerified , "picture" .= oidcUserInfoPicture , "preferred_username" .= oidcUserInfoPreferredUsername , "profile" .= oidcUserInfoProfile , "sub" .= oidcUserInfoSub , "updated_at" .= oidcUserInfoUpdatedAt , "website" .= oidcUserInfoWebsite , "zoneinfo" .= oidcUserInfoZoneinfo ] -- | Construct a value of type 'OidcUserInfo' (by applying it's required fields, if any) mkOidcUserInfo :: OidcUserInfo mkOidcUserInfo = OidcUserInfo { oidcUserInfoBirthdate = Nothing , oidcUserInfoEmail = Nothing , oidcUserInfoEmailVerified = Nothing , oidcUserInfoFamilyName = Nothing , oidcUserInfoGender = Nothing , oidcUserInfoGivenName = Nothing , oidcUserInfoLocale = Nothing , oidcUserInfoMiddleName = Nothing , oidcUserInfoName = Nothing , oidcUserInfoNickname = Nothing , oidcUserInfoPhoneNumber = Nothing , oidcUserInfoPhoneNumberVerified = Nothing , oidcUserInfoPicture = Nothing , oidcUserInfoPreferredUsername = Nothing , oidcUserInfoProfile = Nothing , oidcUserInfoSub = Nothing , oidcUserInfoUpdatedAt = Nothing , oidcUserInfoWebsite = Nothing , oidcUserInfoZoneinfo = Nothing } -- ** Pagination -- | Pagination data Pagination = Pagination { paginationPageSize :: Maybe Integer -- ^ "page_size" - Items per page This is the number of items per page to return. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). , paginationPageToken :: Maybe Text -- ^ "page_token" - Next Page Token The next page token. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON Pagination instance A.FromJSON Pagination where parseJSON = A.withObject "Pagination" $ \o -> Pagination <$> (o .:? "page_size") <*> (o .:? "page_token") -- | ToJSON Pagination instance A.ToJSON Pagination where toJSON Pagination {..} = _omitNulls [ "page_size" .= paginationPageSize , "page_token" .= paginationPageToken ] -- | Construct a value of type 'Pagination' (by applying it's required fields, if any) mkPagination :: Pagination mkPagination = Pagination { paginationPageSize = Nothing , paginationPageToken = Nothing } -- ** PaginationHeaders -- | PaginationHeaders data PaginationHeaders = PaginationHeaders { paginationHeadersLink :: Maybe Text -- ^ "link" - The link header contains pagination links. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). in: header , paginationHeadersXTotalCount :: Maybe Text -- ^ "x-total-count" - The total number of clients. in: header } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON PaginationHeaders instance A.FromJSON PaginationHeaders where parseJSON = A.withObject "PaginationHeaders" $ \o -> PaginationHeaders <$> (o .:? "link") <*> (o .:? "x-total-count") -- | ToJSON PaginationHeaders instance A.ToJSON PaginationHeaders where toJSON PaginationHeaders {..} = _omitNulls [ "link" .= paginationHeadersLink , "x-total-count" .= paginationHeadersXTotalCount ] -- | Construct a value of type 'PaginationHeaders' (by applying it's required fields, if any) mkPaginationHeaders :: PaginationHeaders mkPaginationHeaders = PaginationHeaders { paginationHeadersLink = Nothing , paginationHeadersXTotalCount = Nothing } -- ** RejectOAuth2Request -- | RejectOAuth2Request -- The request payload used to accept a login or consent request. -- data RejectOAuth2Request = RejectOAuth2Request { rejectOAuth2RequestError :: Maybe Text -- ^ "error" - The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`). Defaults to `request_denied`. , rejectOAuth2RequestErrorDebug :: Maybe Text -- ^ "error_debug" - Debug contains information to help resolve the problem as a developer. Usually not exposed to the public but only in the server logs. , rejectOAuth2RequestErrorDescription :: Maybe Text -- ^ "error_description" - Description of the error in a human readable format. , rejectOAuth2RequestErrorHint :: Maybe Text -- ^ "error_hint" - Hint to help resolve the error. , rejectOAuth2RequestStatusCode :: Maybe Integer -- ^ "status_code" - Represents the HTTP status code of the error (e.g. 401 or 403) Defaults to 400 } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON RejectOAuth2Request instance A.FromJSON RejectOAuth2Request where parseJSON = A.withObject "RejectOAuth2Request" $ \o -> RejectOAuth2Request <$> (o .:? "error") <*> (o .:? "error_debug") <*> (o .:? "error_description") <*> (o .:? "error_hint") <*> (o .:? "status_code") -- | ToJSON RejectOAuth2Request instance A.ToJSON RejectOAuth2Request where toJSON RejectOAuth2Request {..} = _omitNulls [ "error" .= rejectOAuth2RequestError , "error_debug" .= rejectOAuth2RequestErrorDebug , "error_description" .= rejectOAuth2RequestErrorDescription , "error_hint" .= rejectOAuth2RequestErrorHint , "status_code" .= rejectOAuth2RequestStatusCode ] -- | Construct a value of type 'RejectOAuth2Request' (by applying it's required fields, if any) mkRejectOAuth2Request :: RejectOAuth2Request mkRejectOAuth2Request = RejectOAuth2Request { rejectOAuth2RequestError = Nothing , rejectOAuth2RequestErrorDebug = Nothing , rejectOAuth2RequestErrorDescription = Nothing , rejectOAuth2RequestErrorHint = Nothing , rejectOAuth2RequestStatusCode = Nothing } -- ** TokenPagination -- | TokenPagination data TokenPagination = TokenPagination { tokenPaginationPageSize :: Maybe Integer -- ^ "page_size" - Items per page This is the number of items per page to return. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). , tokenPaginationPageToken :: Maybe Text -- ^ "page_token" - Next Page Token The next page token. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TokenPagination instance A.FromJSON TokenPagination where parseJSON = A.withObject "TokenPagination" $ \o -> TokenPagination <$> (o .:? "page_size") <*> (o .:? "page_token") -- | ToJSON TokenPagination instance A.ToJSON TokenPagination where toJSON TokenPagination {..} = _omitNulls [ "page_size" .= tokenPaginationPageSize , "page_token" .= tokenPaginationPageToken ] -- | Construct a value of type 'TokenPagination' (by applying it's required fields, if any) mkTokenPagination :: TokenPagination mkTokenPagination = TokenPagination { tokenPaginationPageSize = Nothing , tokenPaginationPageToken = Nothing } -- ** TokenPaginationHeaders -- | TokenPaginationHeaders data TokenPaginationHeaders = TokenPaginationHeaders { tokenPaginationHeadersLink :: Maybe Text -- ^ "link" - The link header contains pagination links. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). in: header , tokenPaginationHeadersXTotalCount :: Maybe Text -- ^ "x-total-count" - The total number of clients. in: header } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TokenPaginationHeaders instance A.FromJSON TokenPaginationHeaders where parseJSON = A.withObject "TokenPaginationHeaders" $ \o -> TokenPaginationHeaders <$> (o .:? "link") <*> (o .:? "x-total-count") -- | ToJSON TokenPaginationHeaders instance A.ToJSON TokenPaginationHeaders where toJSON TokenPaginationHeaders {..} = _omitNulls [ "link" .= tokenPaginationHeadersLink , "x-total-count" .= tokenPaginationHeadersXTotalCount ] -- | Construct a value of type 'TokenPaginationHeaders' (by applying it's required fields, if any) mkTokenPaginationHeaders :: TokenPaginationHeaders mkTokenPaginationHeaders = TokenPaginationHeaders { tokenPaginationHeadersLink = Nothing , tokenPaginationHeadersXTotalCount = Nothing } -- ** TokenPaginationRequestParameters -- | TokenPaginationRequestParameters -- Pagination Request Parameters -- -- The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as: `; rel=\"{page}\"` For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). data TokenPaginationRequestParameters = TokenPaginationRequestParameters { tokenPaginationRequestParametersPageSize :: Maybe Integer -- ^ "page_size" - Items per Page This is the number of items per page to return. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). , tokenPaginationRequestParametersPageToken :: Maybe Text -- ^ "page_token" - Next Page Token The next page token. For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TokenPaginationRequestParameters instance A.FromJSON TokenPaginationRequestParameters where parseJSON = A.withObject "TokenPaginationRequestParameters" $ \o -> TokenPaginationRequestParameters <$> (o .:? "page_size") <*> (o .:? "page_token") -- | ToJSON TokenPaginationRequestParameters instance A.ToJSON TokenPaginationRequestParameters where toJSON TokenPaginationRequestParameters {..} = _omitNulls [ "page_size" .= tokenPaginationRequestParametersPageSize , "page_token" .= tokenPaginationRequestParametersPageToken ] -- | Construct a value of type 'TokenPaginationRequestParameters' (by applying it's required fields, if any) mkTokenPaginationRequestParameters :: TokenPaginationRequestParameters mkTokenPaginationRequestParameters = TokenPaginationRequestParameters { tokenPaginationRequestParametersPageSize = Nothing , tokenPaginationRequestParametersPageToken = Nothing } -- ** TokenPaginationResponseHeaders -- | TokenPaginationResponseHeaders -- Pagination Response Header -- -- The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as: `; rel=\"{page}\"` For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination). data TokenPaginationResponseHeaders = TokenPaginationResponseHeaders { tokenPaginationResponseHeadersLink :: Maybe Text -- ^ "link" - The Link HTTP Header The `Link` header contains a comma-delimited list of links to the following pages: first: The first page of results. next: The next page of results. prev: The previous page of results. last: The last page of results. Pages are omitted if they do not exist. For example, if there is no next page, the `next` link is omitted. Examples: </clients?page_size=5&page_token=0>; rel=\"first\",</clients?page_size=5&page_token=15>; rel=\"next\",</clients?page_size=5&page_token=5>; rel=\"prev\",</clients?page_size=5&page_token=20>; rel=\"last\" , tokenPaginationResponseHeadersXTotalCount :: Maybe Integer -- ^ "x-total-count" - The X-Total-Count HTTP Header The `X-Total-Count` header contains the total number of items in the collection. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TokenPaginationResponseHeaders instance A.FromJSON TokenPaginationResponseHeaders where parseJSON = A.withObject "TokenPaginationResponseHeaders" $ \o -> TokenPaginationResponseHeaders <$> (o .:? "link") <*> (o .:? "x-total-count") -- | ToJSON TokenPaginationResponseHeaders instance A.ToJSON TokenPaginationResponseHeaders where toJSON TokenPaginationResponseHeaders {..} = _omitNulls [ "link" .= tokenPaginationResponseHeadersLink , "x-total-count" .= tokenPaginationResponseHeadersXTotalCount ] -- | Construct a value of type 'TokenPaginationResponseHeaders' (by applying it's required fields, if any) mkTokenPaginationResponseHeaders :: TokenPaginationResponseHeaders mkTokenPaginationResponseHeaders = TokenPaginationResponseHeaders { tokenPaginationResponseHeadersLink = Nothing , tokenPaginationResponseHeadersXTotalCount = Nothing } -- ** TrustOAuth2JwtGrantIssuer -- | TrustOAuth2JwtGrantIssuer -- Trust OAuth2 JWT Bearer Grant Type Issuer Request Body data TrustOAuth2JwtGrantIssuer = TrustOAuth2JwtGrantIssuer { trustOAuth2JwtGrantIssuerAllowAnySubject :: Maybe Bool -- ^ "allow_any_subject" - The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT. , trustOAuth2JwtGrantIssuerExpiresAt :: DateTime -- ^ /Required/ "expires_at" - The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\". , trustOAuth2JwtGrantIssuerIssuer :: Text -- ^ /Required/ "issuer" - The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT). , trustOAuth2JwtGrantIssuerJwk :: JsonWebKey -- ^ /Required/ "jwk" , trustOAuth2JwtGrantIssuerScope :: [Text] -- ^ /Required/ "scope" - The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) , trustOAuth2JwtGrantIssuerSubject :: Maybe Text -- ^ "subject" - The \"subject\" identifies the principal that is the subject of the JWT. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TrustOAuth2JwtGrantIssuer instance A.FromJSON TrustOAuth2JwtGrantIssuer where parseJSON = A.withObject "TrustOAuth2JwtGrantIssuer" $ \o -> TrustOAuth2JwtGrantIssuer <$> (o .:? "allow_any_subject") <*> (o .: "expires_at") <*> (o .: "issuer") <*> (o .: "jwk") <*> (o .: "scope") <*> (o .:? "subject") -- | ToJSON TrustOAuth2JwtGrantIssuer instance A.ToJSON TrustOAuth2JwtGrantIssuer where toJSON TrustOAuth2JwtGrantIssuer {..} = _omitNulls [ "allow_any_subject" .= trustOAuth2JwtGrantIssuerAllowAnySubject , "expires_at" .= trustOAuth2JwtGrantIssuerExpiresAt , "issuer" .= trustOAuth2JwtGrantIssuerIssuer , "jwk" .= trustOAuth2JwtGrantIssuerJwk , "scope" .= trustOAuth2JwtGrantIssuerScope , "subject" .= trustOAuth2JwtGrantIssuerSubject ] -- | Construct a value of type 'TrustOAuth2JwtGrantIssuer' (by applying it's required fields, if any) mkTrustOAuth2JwtGrantIssuer :: DateTime -- ^ 'trustOAuth2JwtGrantIssuerExpiresAt': The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\". -> Text -- ^ 'trustOAuth2JwtGrantIssuerIssuer': The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT). -> JsonWebKey -- ^ 'trustOAuth2JwtGrantIssuerJwk' -> [Text] -- ^ 'trustOAuth2JwtGrantIssuerScope': The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) -> TrustOAuth2JwtGrantIssuer mkTrustOAuth2JwtGrantIssuer trustOAuth2JwtGrantIssuerExpiresAt trustOAuth2JwtGrantIssuerIssuer trustOAuth2JwtGrantIssuerJwk trustOAuth2JwtGrantIssuerScope = TrustOAuth2JwtGrantIssuer { trustOAuth2JwtGrantIssuerAllowAnySubject = Nothing , trustOAuth2JwtGrantIssuerExpiresAt , trustOAuth2JwtGrantIssuerIssuer , trustOAuth2JwtGrantIssuerJwk , trustOAuth2JwtGrantIssuerScope , trustOAuth2JwtGrantIssuerSubject = Nothing } -- ** TrustedOAuth2JwtGrantIssuer -- | TrustedOAuth2JwtGrantIssuer -- OAuth2 JWT Bearer Grant Type Issuer Trust Relationship data TrustedOAuth2JwtGrantIssuer = TrustedOAuth2JwtGrantIssuer { trustedOAuth2JwtGrantIssuerAllowAnySubject :: Maybe Bool -- ^ "allow_any_subject" - The \"allow_any_subject\" indicates that the issuer is allowed to have any principal as the subject of the JWT. , trustedOAuth2JwtGrantIssuerCreatedAt :: Maybe DateTime -- ^ "created_at" - The \"created_at\" indicates, when grant was created. , trustedOAuth2JwtGrantIssuerExpiresAt :: Maybe DateTime -- ^ "expires_at" - The \"expires_at\" indicates, when grant will expire, so we will reject assertion from \"issuer\" targeting \"subject\". , trustedOAuth2JwtGrantIssuerId :: Maybe Text -- ^ "id" , trustedOAuth2JwtGrantIssuerIssuer :: Maybe Text -- ^ "issuer" - The \"issuer\" identifies the principal that issued the JWT assertion (same as \"iss\" claim in JWT). , trustedOAuth2JwtGrantIssuerPublicKey :: Maybe TrustedOAuth2JwtGrantJsonWebKey -- ^ "public_key" , trustedOAuth2JwtGrantIssuerScope :: Maybe [Text] -- ^ "scope" - The \"scope\" contains list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) , trustedOAuth2JwtGrantIssuerSubject :: Maybe Text -- ^ "subject" - The \"subject\" identifies the principal that is the subject of the JWT. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TrustedOAuth2JwtGrantIssuer instance A.FromJSON TrustedOAuth2JwtGrantIssuer where parseJSON = A.withObject "TrustedOAuth2JwtGrantIssuer" $ \o -> TrustedOAuth2JwtGrantIssuer <$> (o .:? "allow_any_subject") <*> (o .:? "created_at") <*> (o .:? "expires_at") <*> (o .:? "id") <*> (o .:? "issuer") <*> (o .:? "public_key") <*> (o .:? "scope") <*> (o .:? "subject") -- | ToJSON TrustedOAuth2JwtGrantIssuer instance A.ToJSON TrustedOAuth2JwtGrantIssuer where toJSON TrustedOAuth2JwtGrantIssuer {..} = _omitNulls [ "allow_any_subject" .= trustedOAuth2JwtGrantIssuerAllowAnySubject , "created_at" .= trustedOAuth2JwtGrantIssuerCreatedAt , "expires_at" .= trustedOAuth2JwtGrantIssuerExpiresAt , "id" .= trustedOAuth2JwtGrantIssuerId , "issuer" .= trustedOAuth2JwtGrantIssuerIssuer , "public_key" .= trustedOAuth2JwtGrantIssuerPublicKey , "scope" .= trustedOAuth2JwtGrantIssuerScope , "subject" .= trustedOAuth2JwtGrantIssuerSubject ] -- | Construct a value of type 'TrustedOAuth2JwtGrantIssuer' (by applying it's required fields, if any) mkTrustedOAuth2JwtGrantIssuer :: TrustedOAuth2JwtGrantIssuer mkTrustedOAuth2JwtGrantIssuer = TrustedOAuth2JwtGrantIssuer { trustedOAuth2JwtGrantIssuerAllowAnySubject = Nothing , trustedOAuth2JwtGrantIssuerCreatedAt = Nothing , trustedOAuth2JwtGrantIssuerExpiresAt = Nothing , trustedOAuth2JwtGrantIssuerId = Nothing , trustedOAuth2JwtGrantIssuerIssuer = Nothing , trustedOAuth2JwtGrantIssuerPublicKey = Nothing , trustedOAuth2JwtGrantIssuerScope = Nothing , trustedOAuth2JwtGrantIssuerSubject = Nothing } -- ** TrustedOAuth2JwtGrantJsonWebKey -- | TrustedOAuth2JwtGrantJsonWebKey -- OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key data TrustedOAuth2JwtGrantJsonWebKey = TrustedOAuth2JwtGrantJsonWebKey { trustedOAuth2JwtGrantJsonWebKeyKid :: Maybe Text -- ^ "kid" - The \"key_id\" is key unique identifier (same as kid header in jws/jwt). , trustedOAuth2JwtGrantJsonWebKeySet :: Maybe Text -- ^ "set" - The \"set\" is basically a name for a group(set) of keys. Will be the same as \"issuer\" in grant. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON TrustedOAuth2JwtGrantJsonWebKey instance A.FromJSON TrustedOAuth2JwtGrantJsonWebKey where parseJSON = A.withObject "TrustedOAuth2JwtGrantJsonWebKey" $ \o -> TrustedOAuth2JwtGrantJsonWebKey <$> (o .:? "kid") <*> (o .:? "set") -- | ToJSON TrustedOAuth2JwtGrantJsonWebKey instance A.ToJSON TrustedOAuth2JwtGrantJsonWebKey where toJSON TrustedOAuth2JwtGrantJsonWebKey {..} = _omitNulls [ "kid" .= trustedOAuth2JwtGrantJsonWebKeyKid , "set" .= trustedOAuth2JwtGrantJsonWebKeySet ] -- | Construct a value of type 'TrustedOAuth2JwtGrantJsonWebKey' (by applying it's required fields, if any) mkTrustedOAuth2JwtGrantJsonWebKey :: TrustedOAuth2JwtGrantJsonWebKey mkTrustedOAuth2JwtGrantJsonWebKey = TrustedOAuth2JwtGrantJsonWebKey { trustedOAuth2JwtGrantJsonWebKeyKid = Nothing , trustedOAuth2JwtGrantJsonWebKeySet = Nothing } -- ** Version -- | Version data Version = Version { versionVersion :: Maybe Text -- ^ "version" - Version is the service's version. } deriving (P.Show, P.Eq, P.Typeable) -- | FromJSON Version instance A.FromJSON Version where parseJSON = A.withObject "Version" $ \o -> Version <$> (o .:? "version") -- | ToJSON Version instance A.ToJSON Version where toJSON Version {..} = _omitNulls [ "version" .= versionVersion ] -- | Construct a value of type 'Version' (by applying it's required fields, if any) mkVersion :: Version mkVersion = Version { versionVersion = Nothing } -- * Auth Methods -- ** AuthBasicBasic data AuthBasicBasic = AuthBasicBasic B.ByteString B.ByteString -- ^ username password deriving (P.Eq, P.Show, P.Typeable) instance AuthMethod AuthBasicBasic where applyAuthMethod _ a@(AuthBasicBasic user pw) req = P.pure $ if (P.typeOf a `P.elem` rAuthTypes req) then req `setHeader` toHeader ("Authorization", T.decodeUtf8 cred) & L.over rAuthTypesL (P.filter (/= P.typeOf a)) else req where cred = BC.append "Basic " (B64.encode $ BC.concat [ user, ":", pw ]) -- ** AuthBasicBearer data AuthBasicBearer = AuthBasicBearer B.ByteString B.ByteString -- ^ username password deriving (P.Eq, P.Show, P.Typeable) instance AuthMethod AuthBasicBearer where applyAuthMethod _ a@(AuthBasicBearer user pw) req = P.pure $ if (P.typeOf a `P.elem` rAuthTypes req) then req `setHeader` toHeader ("Authorization", T.decodeUtf8 cred) & L.over rAuthTypesL (P.filter (/= P.typeOf a)) else req where cred = BC.append "Basic " (B64.encode $ BC.concat [ user, ":", pw ]) -- ** AuthOAuthOauth2 data AuthOAuthOauth2 = AuthOAuthOauth2 Text -- ^ secret deriving (P.Eq, P.Show, P.Typeable) instance AuthMethod AuthOAuthOauth2 where applyAuthMethod _ a@(AuthOAuthOauth2 secret) req = P.pure $ if (P.typeOf a `P.elem` rAuthTypes req) then req `setHeader` toHeader ("Authorization", "Bearer " <> secret) & L.over rAuthTypesL (P.filter (/= P.typeOf a)) else req