@ory/kratos-client
OpenAPI client for @ory/kratos-client
/* tslint:disable */
/* eslint-disable */
/**
* Ory Identities API
* This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more.
*
* The version of the OpenAPI document: v26.2.0
* Contact: office@ory.sh
*
* NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
* https://openapi-generator.tech
* Do not edit the class manually.
*/
import type { Configuration } from './configuration';
import type { AxiosPromise, AxiosInstance, RawAxiosRequestConfig } from 'axios';
import globalAxios from 'axios';
// Some imports not used depending on template conditions
// @ts-ignore
import { DUMMY_BASE_URL, assertParamExists, setApiKeyToObject, setBasicAuthToObject, setBearerAuthToObject, setOAuthToObject, setSearchParams, serializeDataIfNeeded, toPathString, createRequestFunction } from './common';
import type { RequestArgs } from './base';
// @ts-ignore
import { BASE_PATH, COLLECTION_FORMATS, BaseAPI, RequiredError, operationServerMap } from './base';
/**
 * Authenticator assurance level (AAL) reported for sessions and requested by flows.
 *
 * Upstream description: "aal1" implies that one authentication factor was used, "aal2"
 * that two factors (e.g. password + TOTP) were used. A higher number means the account is
 * harder for an attacker to compromise.
 * See https://www.ory.sh/kratos/docs/concepts/credentials
 *
 * NOTE(review): the upstream text names only "aal1", "aal2" and "aal3", but this constant
 * also carries `aal0` and the generator placeholder `UnknownDefaultOpenApi`. Neither is
 * described here; presumably `aal0` means no factor was completed (confirm against the
 * Kratos docs). Code that gates access on AAL should match the exact levels it accepts
 * instead of treating any present value as sufficient.
 */
export const AuthenticatorAssuranceLevel = {
    Aal0: 'aal0',
    Aal1: 'aal1',
    Aal2: 'aal2',
    Aal3: 'aal3',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link AuthenticatorAssuranceLevel}. */
export type AuthenticatorAssuranceLevel =
    (typeof AuthenticatorAssuranceLevel)[keyof typeof AuthenticatorAssuranceLevel];
/**
 * Response body of a batch identity patch.
 */
export interface BatchPatchIdentitiesResponse {
    /**
     * One entry per patched identity. Each entry reports its own outcome, so a response
     * that arrived successfully can still contain individual failures.
     */
    identities?: IdentityPatchResponse[];
}
/**
 * Controls the consistency guarantee the API applies to a read.
 */
export interface ConsistencyRequestParameters {
    /**
     * Read Consistency Level (preview; only available in Ory Network).
     *
     * - `strong` (slow): the read is guaranteed to return the most recent data committed
     *   at the start of the read.
     * - `eventual` (very fast): the result is data that is about 4.8 seconds old; it uses
     *   follower read timestamps.
     * - unset (`''`): the default consistency level.
     *
     * The default can be changed in the Ory Network Console or with the Ory CLI:
     * `ory patch project --replace '/previews/default_read_consistency_level="strong"'`.
     * Setting the default to `eventual` may cause regressions in the future as consistency
     * controls are added to more APIs. Currently affected: `GET /admin/identities`.
     *
     * NOTE(review): an eventually consistent read can lag behind a write by the window
     * stated above, so a just-changed identity may still be returned in its old form.
     * Use `strong` where the result feeds an access or revocation decision.
     */
    consistency?: ConsistencyRequestParametersConsistencyEnum;
}
/**
 * Accepted values for the `consistency` request parameter. `Empty` is the unset / default
 * level. `UnknownDefaultOpenApi` is a placeholder emitted by the generator, not a level
 * the API text documents.
 */
export const ConsistencyRequestParametersConsistencyEnum = {
    Empty: '',
    Strong: 'strong',
    Eventual: 'eventual',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link ConsistencyRequestParametersConsistencyEnum}. */
export type ConsistencyRequestParametersConsistencyEnum =
    (typeof ConsistencyRequestParametersConsistencyEnum)[keyof typeof ConsistencyRequestParametersConsistencyEnum];
/**
 * A follow-up step the server asks the client to perform, discriminated by `action`.
 *
 * The literal `action` tag on each branch lets a `switch` narrow to the matching payload.
 * NOTE(review): keep a default branch that ignores or rejects the item, because nothing in
 * this declaration validates the `action` string actually received at runtime.
 *
 * @type ContinueWith
 */
export type ContinueWith =
    | ({ action: 'redirect_browser_to' } & ContinueWithRedirectBrowserTo)
    | ({ action: 'set_ory_session_token' } & ContinueWithSetOrySessionToken)
    | ({ action: 'show_recovery_ui' } & ContinueWithRecoveryUi)
    | ({ action: 'show_settings_ui' } & ContinueWithSettingsUi)
    | ({ action: 'show_verification_ui' } & ContinueWithVerificationUi);
/**
 * Tells the client that the flow can be continued by showing a recovery UI.
 */
export interface ContinueWithRecoveryUi {
    /**
     * Always `show_recovery_ui` (ContinueWithActionShowRecoveryUIString).
     */
    action: ContinueWithRecoveryUiActionEnum;
    /** The recovery flow to show. */
    flow: ContinueWithRecoveryUiFlow;
}
/**
 * Action tag of {@link ContinueWithRecoveryUi}. `UnknownDefaultOpenApi` is a placeholder
 * emitted by the generator, not an action the API text documents.
 */
export const ContinueWithRecoveryUiActionEnum = {
    ShowRecoveryUi: 'show_recovery_ui',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link ContinueWithRecoveryUiActionEnum}. */
export type ContinueWithRecoveryUiActionEnum =
    (typeof ContinueWithRecoveryUiActionEnum)[keyof typeof ContinueWithRecoveryUiActionEnum];
/** Reference to the recovery flow that should be shown next. */
export interface ContinueWithRecoveryUiFlow {
    /** The ID of the recovery flow. */
    id: string;
    /**
     * The URL of the recovery flow. If this value is set, redirect the user's browser to
     * this URL. Typically unset for native clients / API flows.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    url?: string;
}
/**
 * Tells the client to continue by redirecting the browser to the given URL.
 *
 * (The upstream summary for this type repeats the recovery-UI wording; the fields below
 * describe a browser redirect.)
 */
export interface ContinueWithRedirectBrowserTo {
    /**
     * Always `redirect_browser_to` (ContinueWithActionRedirectBrowserToString).
     */
    action: ContinueWithRedirectBrowserToActionEnum;
    /**
     * The URL to redirect the browser to.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    redirect_browser_to: string;
}
/**
 * Action tag of {@link ContinueWithRedirectBrowserTo}. `UnknownDefaultOpenApi` is a
 * placeholder emitted by the generator, not an action the API text documents.
 */
export const ContinueWithRedirectBrowserToActionEnum = {
    RedirectBrowserTo: 'redirect_browser_to',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link ContinueWithRedirectBrowserToActionEnum}. */
export type ContinueWithRedirectBrowserToActionEnum =
    (typeof ContinueWithRedirectBrowserToActionEnum)[keyof typeof ContinueWithRedirectBrowserToActionEnum];
/**
 * Tells the client that a session was issued and that the application should use this
 * token for authenticated requests.
 */
export interface ContinueWithSetOrySessionToken {
    /**
     * Always `set_ory_session_token` (ContinueWithActionSetOrySessionTokenString).
     */
    action: ContinueWithSetOrySessionTokenActionEnum;
    /**
     * The token of the session.
     *
     * Because it authenticates requests, handle it as a credential: keep it out of logs,
     * URLs and error reports, and persist it only in storage meant for secrets.
     */
    ory_session_token: string;
}
/**
 * Action tag of {@link ContinueWithSetOrySessionToken}. `UnknownDefaultOpenApi` is a
 * placeholder emitted by the generator, not an action the API text documents.
 */
export const ContinueWithSetOrySessionTokenActionEnum = {
    SetOrySessionToken: 'set_ory_session_token',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link ContinueWithSetOrySessionTokenActionEnum}. */
export type ContinueWithSetOrySessionTokenActionEnum =
    (typeof ContinueWithSetOrySessionTokenActionEnum)[keyof typeof ContinueWithSetOrySessionTokenActionEnum];
/**
 * Tells the client that the flow can be continued by showing a settings UI.
 */
export interface ContinueWithSettingsUi {
    /**
     * Always `show_settings_ui` (ContinueWithActionShowSettingsUIString).
     */
    action: ContinueWithSettingsUiActionEnum;
    /** The settings flow to show. */
    flow: ContinueWithSettingsUiFlow;
}
/**
 * Action tag of {@link ContinueWithSettingsUi}. `UnknownDefaultOpenApi` is a placeholder
 * emitted by the generator, not an action the API text documents.
 */
export const ContinueWithSettingsUiActionEnum = {
    ShowSettingsUi: 'show_settings_ui',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link ContinueWithSettingsUiActionEnum}. */
export type ContinueWithSettingsUiActionEnum =
    (typeof ContinueWithSettingsUiActionEnum)[keyof typeof ContinueWithSettingsUiActionEnum];
/** Reference to the settings flow that should be shown next. */
export interface ContinueWithSettingsUiFlow {
    /** The ID of the settings flow. */
    id: string;
    /**
     * The URL of the settings flow. If this value is set, redirect the user's browser to
     * this URL. Typically unset for native clients / API flows.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    url?: string;
}
/**
 * Tells the client that the flow can be continued by showing a verification UI.
 */
export interface ContinueWithVerificationUi {
    /**
     * Always `show_verification_ui` (ContinueWithActionShowVerificationUIString).
     */
    action: ContinueWithVerificationUiActionEnum;
    /** The verification flow to show. */
    flow: ContinueWithVerificationUiFlow;
}
/**
 * Action tag of {@link ContinueWithVerificationUi}. `UnknownDefaultOpenApi` is a
 * placeholder emitted by the generator, not an action the API text documents.
 */
export const ContinueWithVerificationUiActionEnum = {
    ShowVerificationUi: 'show_verification_ui',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link ContinueWithVerificationUiActionEnum}. */
export type ContinueWithVerificationUiActionEnum =
    (typeof ContinueWithVerificationUiActionEnum)[keyof typeof ContinueWithVerificationUiActionEnum];
/** Reference to the verification flow that should be shown next. */
export interface ContinueWithVerificationUiFlow {
    /** The ID of the verification flow. */
    id: string;
    /**
     * The URL of the verification flow. If this value is set, redirect the user's browser
     * to this URL. Typically unset for native clients / API flows.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    url?: string;
    /**
     * The address that should be verified in this flow.
     * NOTE(review): presumably an e-mail address or phone number, i.e. personal data;
     * confirm before logging it.
     */
    verifiable_address: string;
}
/**
 * A courier message's delivery status. `UnknownDefaultOpenApi` is a placeholder emitted
 * by the generator, not a status the API text documents.
 */
export const CourierMessageStatus = {
    Queued: 'queued',
    Sent: 'sent',
    Processing: 'processing',
    Abandoned: 'abandoned',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link CourierMessageStatus}. */
export type CourierMessageStatus = (typeof CourierMessageStatus)[keyof typeof CourierMessageStatus];
/**
 * Delivery channel of a courier message: either `email` or `phone`.
 * `UnknownDefaultOpenApi` is a placeholder emitted by the generator.
 */
export const CourierMessageType = {
    Email: 'email',
    Phone: 'phone',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link CourierMessageType}. */
export type CourierMessageType = (typeof CourierMessageType)[keyof typeof CourierMessageType];
/**
 * Contains a list of all available FedCM providers.
 */
export interface CreateFedcmFlowResponse {
    /**
     * Not described upstream.
     * NOTE(review): presumably the anti-CSRF token to send back when the flow is
     * submitted; confirm, and keep it scoped to the session it was issued for.
     */
    csrf_token?: string;
    /** The available FedCM providers. */
    providers?: Provider[];
}
/**
 * Request body for creating an identity.
 */
export interface CreateIdentityBody {
    /** Credentials to import together with the identity. */
    credentials?: IdentityWithCredentials;
    /**
     * ExternalID is an optional external ID of the identity, used to link the identity to
     * an external system. If set, it must be unique across all identities.
     */
    external_id?: string;
    /**
     * Metadata about the user that is only accessible through admin APIs such as
     * `GET /admin/identities/<id>`.
     */
    metadata_admin?: any;
    /**
     * Metadata about the identity which the identity itself can see, for example when
     * calling the session endpoint. Do not store sensitive information (e.g. credit score)
     * about the identity in this field.
     */
    metadata_public?: any;
    organization_id?: string | null;
    /**
     * RecoveryAddresses contains all the addresses that can be used to recover an identity.
     * Use this structure to import recovery addresses. The address needs to be represented
     * in the Identity Schema, or this field will be overwritten on the next identity update.
     */
    recovery_addresses?: RecoveryIdentityAddress[];
    /**
     * SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.
     */
    schema_id: string;
    /**
     * State is the identity's state: `active` (StateActive) or `inactive` (StateInactive).
     */
    state?: CreateIdentityBodyStateEnum;
    /**
     * Traits represent an identity's traits. The identity is able to create, modify, and
     * delete traits in a self-service manner. The input will always be validated against
     * the JSON Schema defined in `schema_url`.
     */
    traits: object;
    /**
     * VerifiableAddresses contains all the addresses that can be verified by the user.
     * Use this structure to import verified addresses. The address needs to be represented
     * in the Identity Schema, or this field will be overwritten on the next identity update.
     */
    verifiable_addresses?: VerifiableIdentityAddress[];
}
/**
 * Values accepted for `CreateIdentityBody.state`. `UnknownDefaultOpenApi` is a placeholder
 * emitted by the generator, not a state the API text documents.
 */
export const CreateIdentityBodyStateEnum = {
    Active: 'active',
    Inactive: 'inactive',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link CreateIdentityBodyStateEnum}. */
export type CreateIdentityBodyStateEnum =
    (typeof CreateIdentityBodyStateEnum)[keyof typeof CreateIdentityBodyStateEnum];
/**
 * Request body for creating a recovery code for an identity.
 *
 * NOTE(review): the resulting code lets its holder recover the named identity, so the
 * caller and the channel used to hand the code over both need to be trusted.
 */
export interface CreateRecoveryCodeForIdentityBody {
    /**
     * Code Expires In: the recovery code expires after this amount of time has passed.
     * Defaults to the configuration value of `selfservice.methods.code.config.lifespan`.
     */
    expires_in?: string;
    /**
     * The flow type can either be `api` or `browser`.
     */
    flow_type?: string;
    /**
     * Identity to Recover: the ID of the identity you wish to recover.
     */
    identity_id: string;
}
/**
 * Request body for creating a recovery link for an identity.
 *
 * NOTE(review): the resulting link lets its holder recover the named identity, so the
 * caller and the channel used to hand the link over both need to be trusted.
 */
export interface CreateRecoveryLinkForIdentityBody {
    /**
     * Link Expires In: the recovery link expires after this amount of time has passed.
     * Defaults to the configuration value of `selfservice.methods.code.config.lifespan`.
     */
    expires_in?: string;
    /**
     * Identity to Recover: the ID of the identity you wish to recover.
     */
    identity_id: string;
}
/**
 * Deleted Session Count
 */
export interface DeleteMySessionsCount {
    /** The number of sessions that were revoked. */
    count?: number;
}
/**
 * Error body that carries a redirect target alongside the error.
 * NOTE(review): by its name it is returned when the session's authenticator assurance
 * level is too low for the request; confirm against the endpoint docs.
 */
export interface ErrorAuthenticatorAssuranceLevelNotSatisfied {
    error?: GenericError;
    /**
     * Points to where to redirect the user to next.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    redirect_browser_to?: string;
}
/**
 * Error body that carries a redirect target alongside the error.
 */
export interface ErrorBrowserLocationChangeRequired {
    error?: ErrorGeneric;
    /**
     * Points to where to redirect the user to next.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    redirect_browser_to?: string;
}
/**
 * Sent when a flow is replaced by a different flow of the same class.
 */
export interface ErrorFlowReplaced {
    error?: GenericError;
    /**
     * The flow ID that should be used for the new flow, as it contains the correct messages.
     */
    use_flow_id?: string;
}
/**
 * The standard Ory JSON API error format: a single `error` member wrapping the details.
 */
export interface ErrorGeneric {
    error: GenericError;
}
/** Container for an error that occurred during a flow. */
export interface FlowError {
    /** CreatedAt is a helper struct field for gobuffalo.pop. */
    created_at?: string;
    /**
     * The error payload; its shape is not specified by this type.
     * NOTE(review): narrow it before rendering, and avoid echoing it verbatim to end users.
     */
    error?: object;
    /** ID of the error container. */
    id: string;
    /** UpdatedAt is a helper struct field for gobuffalo.pop. */
    updated_at?: string;
}
/** Error details as carried inside Ory JSON API error responses. */
export interface GenericError {
    /** The status code. */
    code?: number;
    /**
     * Debug information. This field is often not exposed, to protect against leaking
     * sensitive information. For the same reason, keep it out of anything shown to end
     * users when it is present.
     */
    debug?: string;
    /** Further error details. */
    details?: object;
    /**
     * The error ID. Useful when trying to identify various errors in application logic.
     */
    id?: string;
    /** The error's message. */
    message: string;
    /** A human-readable reason for the error. */
    reason?: string;
    /**
     * The request ID. It is often exposed internally in order to trace errors across
     * service architectures. This is often a UUID.
     */
    request?: string;
    /** The status description. */
    status?: string;
}
/** Successful response of the version endpoint. */
export interface GetVersion200Response {
    /** The version of Ory Kratos. */
    version: string;
}
/** Body reported while the service is not ready. */
export interface HealthNotReadyStatus {
    /**
     * Errors contains a list of errors that caused the not ready status, as a map from
     * string keys to messages.
     */
    errors?: Record<string, string>;
}
/** Body reported by a passing health check. */
export interface HealthStatus {
    /** Status always contains "ok". */
    status?: string;
}
/**
 * An [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) represents a
 * (human) user in Ory.
 *
 * NOTE(review): `credentials` and `metadata_admin` sit on the same object as the public
 * fields. Passing a whole `Identity` to a browser or a log carries them along; select
 * the fields you need instead.
 */
export interface Identity {
    /** CreatedAt is a helper struct field for gobuffalo.pop. */
    created_at?: string;
    /**
     * Credentials represents all credentials that can be used for authenticating this
     * identity, as a map from string keys to credential entries.
     */
    credentials?: Record<string, IdentityCredentials>;
    /**
     * ExternalID is an optional external ID of the identity, used to link the identity to
     * an external system. If set, it must be unique across all identities.
     */
    external_id?: string;
    /**
     * ID is the identity's unique identifier. It can not be changed and can not be chosen.
     * This ensures future compatibility and optimization for distributed stores such as
     * CockroachDB.
     */
    id: string;
    /**
     * NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and
     * Swagger and is NULLable.
     */
    metadata_admin?: any | null;
    /**
     * NullJSONRawMessage represents a json.RawMessage that works well with JSON, SQL, and
     * Swagger and is NULLable.
     */
    metadata_public?: any | null;
    organization_id?: string | null;
    /**
     * RecoveryAddresses contains all the addresses that can be used to recover an identity.
     */
    recovery_addresses?: RecoveryIdentityAddress[];
    /**
     * SchemaID is the ID of the JSON Schema to be used for validating the identity's traits.
     */
    schema_id: string;
    /**
     * SchemaURL is the URL of the endpoint where the identity's traits schema can be
     * fetched from. format: url
     */
    schema_url: string;
    /**
     * State is the identity's state: `active` (StateActive) or `inactive` (StateInactive).
     * This value has currently no effect.
     */
    state?: IdentityStateEnum;
    state_changed_at?: string;
    /**
     * Traits represent an identity's traits. The identity is able to create, modify, and
     * delete traits in a self-service manner. The input will always be validated against
     * the JSON Schema defined in `schema_url`.
     */
    traits: any;
    /** UpdatedAt is a helper struct field for gobuffalo.pop. */
    updated_at?: string;
    /**
     * VerifiableAddresses contains all the addresses that can be verified by the user.
     */
    verifiable_addresses?: VerifiableIdentityAddress[];
}
/**
 * Values of `Identity.state`. `UnknownDefaultOpenApi` is a placeholder emitted by the
 * generator, not a state the API text documents.
 */
export const IdentityStateEnum = {
    Active: 'active',
    Inactive: 'inactive',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link IdentityStateEnum}. */
export type IdentityStateEnum = (typeof IdentityStateEnum)[keyof typeof IdentityStateEnum];
/**
 * Credentials represents a specific credential type.
 */
export interface IdentityCredentials {
    /**
     * Not described upstream; the shape is left open as `object`.
     * NOTE(review): presumably the type-specific credential data (for passwords, the
     * hash); treat it as sensitive until confirmed otherwise.
     */
    config?: object;
    /** CreatedAt is a helper struct field for gobuffalo.pop. */
    created_at?: string;
    /**
     * Identifiers represent a list of unique identifiers this credential type matches.
     */
    identifiers?: string[];
    /**
     * Type discriminates between different types of credentials:
     * `password` (CredentialsTypePassword), `oidc` (CredentialsTypeOIDC),
     * `totp` (CredentialsTypeTOTP), `lookup_secret` (CredentialsTypeLookup),
     * `webauthn` (CredentialsTypeWebAuthn), `code` (CredentialsTypeCodeAuth),
     * `passkey` (CredentialsTypePasskey), `profile` (CredentialsTypeProfile),
     * `saml` (CredentialsTypeSAML), `link_recovery` (CredentialsTypeRecoveryLink),
     * `code_recovery` (CredentialsTypeRecoveryCode).
     *
     * CredentialsTypeRecoveryLink is a special credential type linked to the link strategy
     * (recovery flow). It is not used within the credentials object itself.
     */
    type?: IdentityCredentialsTypeEnum;
    /** UpdatedAt is a helper struct field for gobuffalo.pop. */
    updated_at?: string;
    /**
     * Version refers to the version of the credential. Useful when changing the config
     * schema.
     */
    version?: number;
}
/**
 * Credential type discriminator used by `IdentityCredentials.type`.
 * `UnknownDefaultOpenApi` is a placeholder emitted by the generator, not a credential
 * type the API text documents.
 */
export const IdentityCredentialsTypeEnum = {
    Password: 'password',
    Oidc: 'oidc',
    Totp: 'totp',
    LookupSecret: 'lookup_secret',
    Webauthn: 'webauthn',
    Code: 'code',
    Passkey: 'passkey',
    Profile: 'profile',
    Saml: 'saml',
    LinkRecovery: 'link_recovery',
    CodeRecovery: 'code_recovery',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link IdentityCredentialsTypeEnum}. */
export type IdentityCredentialsTypeEnum =
    (typeof IdentityCredentialsTypeEnum)[keyof typeof IdentityCredentialsTypeEnum];
/**
 * CredentialsCode represents a one time login/registration code.
 */
export interface IdentityCredentialsCode {
    /** The addresses this code credential applies to. */
    addresses?: IdentityCredentialsCodeAddress[];
}
/** One address entry of a code credential. */
export interface IdentityCredentialsCodeAddress {
    /** The address for this code. */
    address?: string;
    /**
     * Not described upstream.
     * NOTE(review): presumably the delivery channel used for `address`; confirm.
     */
    channel?: string;
}
/** OIDC credential data: the list of linked providers. */
export interface IdentityCredentialsOidc {
    providers?: IdentityCredentialsOidcProvider[];
}
/**
 * One linked OIDC provider entry. None of the fields are described upstream.
 *
 * NOTE(review): by their names, the three `initial_*_token` fields hold tokens obtained
 * from the provider; confirm, and until then handle them as secrets (no logging, no
 * forwarding to front-end code).
 */
export interface IdentityCredentialsOidcProvider {
    initial_access_token?: string;
    initial_id_token?: string;
    initial_refresh_token?: string;
    organization?: string;
    provider?: string;
    subject?: string;
    use_auto_link?: boolean;
}
/** Password credential data. */
export interface IdentityCredentialsPassword {
    /**
     * HashedPassword is a hash-representation of the password.
     * A hash can still be attacked offline, so keep it out of logs and client responses.
     */
    hashed_password?: string;
    /**
     * UsePasswordMigrationHook is set to true if the password should be migrated using the
     * password migration hook. If set, and the HashedPassword is empty, a webhook will be
     * called during login to migrate the password.
     */
    use_password_migration_hook?: boolean;
}
/**
 * Payload for patching an identity.
 */
export interface IdentityPatch {
    /** The identity to create with this patch. */
    create?: CreateIdentityBody;
    /**
     * The ID of this patch. Optional; if specified, the ID is returned in the response so
     * consumers of this API can correlate the response with the patch.
     */
    patch_id?: string;
}
/**
 * Response for a single identity patch.
 */
export interface IdentityPatchResponse {
    /**
     * The action for this specific patch:
     * `create` (ActionCreate) means the identity was created, `error` (ActionError)
     * indicates that the patch failed.
     */
    action?: IdentityPatchResponseActionEnum;
    /** Untyped error payload; narrow it before use. */
    error?: any;
    /** The identity ID payload of this patch. */
    identity?: string;
    /** The ID of this patch response, if an ID was specified in the patch. */
    patch_id?: string;
}
/**
 * Outcome tag of a single identity patch. `UnknownDefaultOpenApi` is a placeholder emitted
 * by the generator, not an action the API text documents.
 */
export const IdentityPatchResponseActionEnum = {
    Create: 'create',
    Error: 'error',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link IdentityPatchResponseActionEnum}. */
export type IdentityPatchResponseActionEnum =
    (typeof IdentityPatchResponseActionEnum)[keyof typeof IdentityPatchResponseActionEnum];
/**
 * An Identity JSON Schema Container.
 */
export interface IdentitySchemaContainer {
    /** The ID of the Identity JSON Schema. */
    id: string;
    /** The actual Identity JSON Schema. */
    schema: object;
}
/**
 * Create Identity and Import Credentials: one optional entry per credential kind that can
 * be imported.
 */
export interface IdentityWithCredentials {
    oidc?: IdentityWithCredentialsOidc;
    password?: IdentityWithCredentialsPassword;
    saml?: IdentityWithCredentialsSaml;
}
/**
 * Create Identity and Import Social Sign In Credentials.
 */
export interface IdentityWithCredentialsOidc {
    config?: IdentityWithCredentialsOidcConfig;
}
/** Configuration wrapper for imported social sign-in credentials. */
export interface IdentityWithCredentialsOidcConfig {
    /** A list of OpenID Connect Providers. */
    providers?: IdentityWithCredentialsOidcConfigProvider[];
}
/**
 * Create Identity and Import Social Sign In Credentials Configuration.
 */
export interface IdentityWithCredentialsOidcConfigProvider {
    organization?: string | null;
    /**
     * The OpenID Connect provider to link the subject to. Usually something like `google`
     * or `github`.
     */
    provider: string;
    /**
     * The subject (`sub`) of the OpenID Connect connection. Usually the `sub` field of the
     * ID Token.
     */
    subject: string;
    /**
     * If set, this credential allows the user to sign in using the OpenID Connect provider
     * without setting the subject first.
     *
     * NOTE(review): this relaxes the subject binding described above; confirm the exact
     * linking rule in the Kratos docs before enabling it on imported identities.
     */
    use_auto_link?: boolean;
}
/**
 * Create Identity and Import Password Credentials.
 */
export interface IdentityWithCredentialsPassword {
    config?: IdentityWithCredentialsPasswordConfig;
}
/**
 * Create Identity and Import Password Credentials Configuration.
 */
export interface IdentityWithCredentialsPasswordConfig {
    /**
     * The hashed password in
     * [PHC format](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#hashed-passwords).
     */
    hashed_password?: string;
    /**
     * The password in plain text if no hash is available.
     *
     * The clear-text value travels in the request body: prefer `hashed_password` when a
     * hash exists, and make sure request logging does not capture this field.
     */
    password?: string;
    /**
     * If set to true, the password will be migrated using the password migration hook.
     */
    use_password_migration_hook?: boolean;
}
/**
 * Payload to import SAML credentials.
 */
export interface IdentityWithCredentialsSaml {
    config?: IdentityWithCredentialsSamlConfig;
}
/**
 * Payload of SAML providers.
 */
export interface IdentityWithCredentialsSamlConfig {
    /** A list of SAML Providers. */
    providers?: IdentityWithCredentialsSamlConfigProvider[];
}
/**
 * Payload of specific SAML provider.
 */
export interface IdentityWithCredentialsSamlConfigProvider {
    organization?: string | null;
    /** The SAML provider to link the subject to. */
    provider: string;
    /**
     * The unique subject of the SAML connection. This value must be immutable at the
     * source; a subject that can be changed or reassigned there would let a different
     * person match this credential.
     */
    subject: string;
}
/** Successful response of the liveness check. */
export interface IsAlive200Response {
    /** Always "ok". */
    status: string;
}
/** Response of the readiness check while the service is not ready. */
export interface IsReady503Response {
    /**
     * Errors contains a list of errors that caused the not ready status, as a map from
     * string keys to messages.
     */
    errors: Record<string, string>;
}
/**
 * A JSONPatch document as defined by RFC 6902.
 *
 * NOTE(review): `op` and `path` are plain strings here, so nothing on the client side
 * restricts which operation is sent or which part of the document it targets. If patches
 * are assembled from user input, restrict the allowed paths and operations in your own
 * code.
 */
export interface JsonPatch {
    /**
     * Used together with operation "move"; uses JSON Pointer notation. Learn more
     * [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
     */
    from?: string;
    /**
     * The operation to be performed. One of "add", "remove", "replace", "move", "copy",
     * or "test".
     */
    op: string;
    /**
     * The path to the target path. Uses JSON pointer notation. Learn more
     * [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
     */
    path: string;
    /**
     * The value to be used within the operations. Learn more
     * [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
     */
    value?: any;
}
/**
 * This object represents a login flow. A login flow is initiated at the "Initiate Login
 * API / Browser Flow" endpoint by a client. Once a login flow is completed successfully,
 * a session cookie or session token will be issued.
 */
export interface LoginFlow {
    /**
     * The active login method. If set, contains the login method used; if the flow is
     * new, it is unset. Values: `password` (CredentialsTypePassword),
     * `oidc` (CredentialsTypeOIDC), `totp` (CredentialsTypeTOTP),
     * `lookup_secret` (CredentialsTypeLookup), `webauthn` (CredentialsTypeWebAuthn),
     * `code` (CredentialsTypeCodeAuth), `passkey` (CredentialsTypePasskey),
     * `profile` (CredentialsTypeProfile), `saml` (CredentialsTypeSAML),
     * `link_recovery` (CredentialsTypeRecoveryLink),
     * `code_recovery` (CredentialsTypeRecoveryCode).
     *
     * CredentialsTypeRecoveryLink is a special credential type linked to the link strategy
     * (recovery flow). It is not used within the credentials object itself.
     */
    active?: LoginFlowActiveEnum;
    /** CreatedAt is a helper struct field for gobuffalo.pop. */
    created_at?: string;
    /**
     * ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log
     * in, a new flow has to be initiated.
     */
    expires_at: string;
    /**
     * ID represents the flow's unique ID. When performing the login flow, this represents
     * the id in the login UI's query parameter:
     * http://<selfservice.flows.login.ui_url>/?flow=<flow_id>
     */
    id: string;
    /**
     * IdentitySchema optionally holds the ID of the identity schema that is used for this
     * flow. This value can be set by the user when creating the flow and should be
     * retained when the flow is saved or converted to another flow.
     */
    identity_schema?: string;
    /** IssuedAt is the time (UTC) when the flow started. */
    issued_at: string;
    /**
     * Ory OAuth 2.0 Login Challenge. This value is set using the `login_challenge` query
     * parameter of the registration and login endpoints. If set will cooperate with Ory
     * OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.
     */
    oauth2_login_challenge?: string;
    oauth2_login_request?: OAuth2LoginRequest;
    organization_id?: string | null;
    /**
     * Refresh stores whether this login flow should enforce re-authentication.
     */
    refresh?: boolean;
    /**
     * RequestURL is the initial URL that was requested from Ory Kratos. It can be used to
     * forward information contained in the URL's path or query for example.
     */
    request_url: string;
    requested_aal?: AuthenticatorAssuranceLevel;
    /**
     * ReturnTo contains the requested return_to URL.
     *
     * NOTE(review): "requested" suggests the value originates from the client that started
     * the flow; confirm where it is validated before using it as a redirect target.
     */
    return_to?: string;
    /**
     * SessionTokenExchangeCode holds the secret code that the client can use to retrieve a
     * session token after the login flow has been completed. This is only set if the
     * client has requested a session token exchange code, and if the flow is of type
     * "api", and only on creating the login flow.
     *
     * As a secret that yields a session token, keep it out of logs and URLs.
     */
    session_token_exchange_code?: string;
    /**
     * State represents the state of this request:
     * `choose_method`: ask the user to choose a method to sign in with;
     * `sent_email`: the email has been sent to the user;
     * `passed_challenge`: the request was successful and the login challenge was passed.
     *
     * Typed as `any`, so the compiler does not check comparisons against it; compare with
     * the exact strings listed above.
     */
    state: any;
    /**
     * TransientPayload is used to pass data from the login to hooks and email templates.
     */
    transient_payload?: object;
    /**
     * The flow type can either be `api` or `browser`.
     */
    type: string;
    ui: UiContainer;
    /** UpdatedAt is a helper struct field for gobuffalo.pop. */
    updated_at?: string;
}
/**
 * Login methods that can appear in `LoginFlow.active`. `UnknownDefaultOpenApi` is a
 * placeholder emitted by the generator, not a method the API text documents.
 */
export const LoginFlowActiveEnum = {
    Password: 'password',
    Oidc: 'oidc',
    Totp: 'totp',
    LookupSecret: 'lookup_secret',
    Webauthn: 'webauthn',
    Code: 'code',
    Passkey: 'passkey',
    Profile: 'profile',
    Saml: 'saml',
    LinkRecovery: 'link_recovery',
    CodeRecovery: 'code_recovery',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link LoginFlowActiveEnum}. */
export type LoginFlowActiveEnum = (typeof LoginFlowActiveEnum)[keyof typeof LoginFlowActiveEnum];
/**
 * The experimental state represents the state of a login flow. This field is EXPERIMENTAL
 * and subject to change!
 *
 * `UnknownDefaultOpenApi` is a placeholder emitted by the generator. Only
 * `passed_challenge` is described as a passed login challenge; do not read any other
 * value, the placeholder included, as success.
 */
export const LoginFlowState = {
    ChooseMethod: 'choose_method',
    SentEmail: 'sent_email',
    PassedChallenge: 'passed_challenge',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link LoginFlowState}. */
export type LoginFlowState = (typeof LoginFlowState)[keyof typeof LoginFlowState];
/**
 * Logout Flow
 */
export interface LogoutFlow {
    /**
     * LogoutToken can be used to perform logout using AJAX.
     * NOTE(review): presumably bound to the session it was issued for; avoid placing it
     * where third-party content can read it.
     */
    logout_token: string;
    /**
     * LogoutURL can be opened in a browser to sign the user out. format: uri
     */
    logout_url: string;
}
/**
 * A courier message (email or phone) together with its delivery state.
 *
 * NOTE(review): the template types below include recovery, verification and login codes,
 * so `body` can presumably contain a live code or link and `recipient` is a user's
 * address. Restrict who can list or read messages and keep both fields out of logs.
 */
export interface Message {
    body: string;
    channel?: string;
    /** CreatedAt is a helper struct field for gobuffalo.pop. */
    created_at: string;
    /**
     * Dispatches store information about the attempts of delivering a message. May contain
     * an error if any happened, or just the `success` state.
     */
    dispatches?: MessageDispatch[];
    id: string;
    recipient: string;
    send_count: number;
    status: CourierMessageStatus;
    subject: string;
    /**
     * The template used for this message:
     * `recovery_invalid` (TypeRecoveryInvalid), `recovery_valid` (TypeRecoveryValid),
     * `recovery_code_invalid` (TypeRecoveryCodeInvalid),
     * `recovery_code_valid` (TypeRecoveryCodeValid),
     * `verification_invalid` (TypeVerificationInvalid),
     * `verification_valid` (TypeVerificationValid),
     * `verification_code_invalid` (TypeVerificationCodeInvalid),
     * `verification_code_valid` (TypeVerificationCodeValid), `stub` (TypeTestStub),
     * `login_code_valid` (TypeLoginCodeValid),
     * `registration_code_valid` (TypeRegistrationCodeValid).
     */
    template_type: MessageTemplateTypeEnum;
    type: CourierMessageType;
    /** UpdatedAt is a helper struct field for gobuffalo.pop. */
    updated_at: string;
}
/**
 * Template identifiers for courier messages. `UnknownDefaultOpenApi` is a placeholder
 * emitted by the generator, not a template the API text documents.
 */
export const MessageTemplateTypeEnum = {
    RecoveryInvalid: 'recovery_invalid',
    RecoveryValid: 'recovery_valid',
    RecoveryCodeInvalid: 'recovery_code_invalid',
    RecoveryCodeValid: 'recovery_code_valid',
    VerificationInvalid: 'verification_invalid',
    VerificationValid: 'verification_valid',
    VerificationCodeInvalid: 'verification_code_invalid',
    VerificationCodeValid: 'verification_code_valid',
    Stub: 'stub',
    LoginCodeValid: 'login_code_valid',
    RegistrationCodeValid: 'registration_code_valid',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link MessageTemplateTypeEnum}. */
export type MessageTemplateTypeEnum =
    (typeof MessageTemplateTypeEnum)[keyof typeof MessageTemplateTypeEnum];
/**
 * MessageDispatch represents an attempt of sending a courier message. It contains the
 * status of the attempt (failed or successful) and the error, if any occurred.
 */
export interface MessageDispatch {
    /** CreatedAt is a helper struct field for gobuffalo.pop. */
    created_at: string;
    /** The error of this attempt, if one occurred; its shape is not specified here. */
    error?: object;
    /** The ID of this message dispatch. */
    id: string;
    /** The ID of the message being dispatched. */
    message_id: string;
    /**
     * The status of this dispatch: either `failed` (CourierMessageDispatchStatusFailed) or
     * `success` (CourierMessageDispatchStatusSuccess).
     */
    status: MessageDispatchStatusEnum;
    /** UpdatedAt is a helper struct field for gobuffalo.pop. */
    updated_at: string;
}
/**
 * Outcome of a single dispatch attempt. `UnknownDefaultOpenApi` is a placeholder emitted
 * by the generator, not a status the API text documents.
 */
export const MessageDispatchStatusEnum = {
    Failed: 'failed',
    Success: 'success',
    UnknownDefaultOpenApi: '11184809',
} as const;
/** Union of the string values held by {@link MessageDispatchStatusEnum}. */
export type MessageDispatchStatusEnum =
    (typeof MessageDispatchStatusEnum)[keyof typeof MessageDispatchStatusEnum];
/**
 * Error body that carries a required redirect target alongside the error.
 * NOTE(review): by its name it is returned when the operation needs a privileged
 * (recently re-authenticated) session; confirm against the endpoint docs.
 */
export interface NeedsPrivilegedSessionError {
    error?: GenericError;
    /**
     * Points to where to redirect the user to next.
     *
     * NOTE(review): the value arrives in an API response; confirm it points at an origin
     * you expect before navigating to it.
     */
    redirect_browser_to: string;
}
/**
 * OAuth 2.0 client record: registration metadata, per-grant token lifespans
 * and the client's credentials (`client_secret`,
 * `registration_access_token`). Every property is optional in this generated
 * type.
 *
 * Because an instance can hold live credentials, avoid serialising whole
 * objects of this type into logs or error reports.
 */
export interface OAuth2Client {
  /**
   * OAuth 2.0 Access Token Strategy. The strategy used to generate access
   * tokens. Valid options are `jwt` and `opaque`. `jwt` is a bad idea, see
   * https://www.ory.sh/docs/hydra/advanced#json-web-tokens
   * Setting the strategy here overrides the global setting in
   * `strategies.access_token`.
   */
  access_token_strategy?: string;
  /**
   * Not described in the generated spec text. NOTE(review): by its name, the
   * origins allowed to make cross-origin requests for this client; confirm
   * the server-side semantics and keep the list to origins you control.
   */
  allowed_cors_origins?: string[];
  audience?: string[];
  /**
   * Lifespan setting named for access tokens of the authorization code
   * grant. Specify a time duration in milliseconds, seconds, minutes, hours.
   */
  authorization_code_grant_access_token_lifespan?: string;
  /**
   * Lifespan setting named for ID tokens of the authorization code grant.
   * Specify a time duration in milliseconds, seconds, minutes, hours.
   */
  authorization_code_grant_id_token_lifespan?: string;
  /**
   * Lifespan setting named for refresh tokens of the authorization code
   * grant. Specify a time duration in milliseconds, seconds, minutes, hours.
   */
  authorization_code_grant_refresh_token_lifespan?: string;
  /**
   * OpenID Connect Back-Channel Logout Session Required. Boolean value
   * specifying whether the RP requires that a sid (session ID) Claim be
   * included in the Logout Token to identify the RP session with the OP when
   * the backchannel_logout_uri is used. If omitted, the default value is
   * false.
   */
  backchannel_logout_session_required?: boolean;
  /**
   * OpenID Connect Back-Channel Logout URI. RP URL that will cause the RP to
   * log itself out when sent a Logout Token by the OP.
   */
  backchannel_logout_uri?: string;
  /**
   * Lifespan setting named for access tokens of the client credentials
   * grant. Specify a time duration in milliseconds, seconds, minutes, hours.
   */
  client_credentials_grant_access_token_lifespan?: string;
  /**
   * OAuth 2.0 Client ID. The ID is immutable. If no ID is provided, a UUID4
   * will be generated.
   */
  client_id?: string;
  /**
   * OAuth 2.0 Client Name. The human-readable name of the client to be
   * presented to the end-user during authorization.
   */
  client_name?: string;
  /**
   * OAuth 2.0 Client Secret. The secret will be included in the create
   * request as cleartext, and then never again. The secret is kept in hashed
   * format and is not recoverable once lost.
   *
   * Handle the value as a credential: move it into a secret store when the
   * client is created and keep it out of logs and error reports.
   */
  client_secret?: string;
  /**
   * OAuth 2.0 Client Secret Expires At. The field is currently not supported
   * and its value is always 0.
   */
  client_secret_expires_at?: number;
  /**
   * OAuth 2.0 Client URI. A URL string of a web page providing information
   * about the client. If present, the server SHOULD display this URL to the
   * end-user in a clickable fashion.
   */
  client_uri?: string;
  contacts?: string[];
  /**
   * OAuth 2.0 Client Creation Date. CreatedAt returns the timestamp of the
   * client's creation.
   */
  created_at?: string;
  /**
   * OpenID Connect Front-Channel Logout Session Required. Boolean value
   * specifying whether the RP requires that iss (issuer) and sid (session ID)
   * query parameters be included to identify the RP session with the OP when
   * the frontchannel_logout_uri is used. If omitted, the default value is
   * false.
   */
  frontchannel_logout_session_required?: boolean;
  /**
   * OpenID Connect Front-Channel Logout URI. RP URL that will cause the RP to
   * log itself out when rendered in an iframe by the OP. An iss (issuer)
   * query parameter and a sid (session ID) query parameter MAY be included by
   * the OP to enable the RP to validate the request and to determine which of
   * the potentially multiple sessions is to be logged out; if either is
   * included, both MUST be.
   */
  frontchannel_logout_uri?: string;
  /**
   * Not described in the generated spec text. NOTE(review): presumably the
   * grant types this client may use; confirm, and register only the grants
   * the client actually needs.
   */
  grant_types?: string[];
  /**
   * Lifespan setting named for access tokens of the implicit grant. Specify a
   * time duration in milliseconds, seconds, minutes, hours.
   */
  implicit_grant_access_token_lifespan?: string;
  /**
   * Lifespan setting named for ID tokens of the implicit grant. Specify a
   * time duration in milliseconds, seconds, minutes, hours.
   */
  implicit_grant_id_token_lifespan?: string;
  /**
   * OAuth 2.0 Client JSON Web Key Set. The client's JSON Web Key Set [JWK]
   * document, passed by value. The semantics of the jwks parameter are the
   * same as the jwks_uri parameter, other than that the JWK Set is passed by
   * value, rather than by reference. It is intended only for Clients that,
   * for some reason, are unable to use jwks_uri, for instance native
   * applications that might not have a location to host the contents of the
   * JWK Set. If a Client can use jwks_uri, it MUST NOT use jwks. One
   * significant downside of jwks is that it does not enable key rotation
   * (which jwks_uri does, as described in Section 10 of OpenID Connect Core
   * 1.0 [OpenID.Core]). The jwks_uri and jwks parameters MUST NOT be used
   * together.
   *
   * Typed `any`, so the compiler checks nothing about its shape; validate it
   * at runtime before reading keys from it.
   */
  jwks?: any;
  /**
   * OAuth 2.0 Client JSON Web Key Set URL. URL for the client's JSON Web Key
   * Set [JWK] document. If the Client signs requests to the Server, it
   * contains the signing key(s) the Server uses to validate signatures from
   * the Client. The JWK Set MAY also contain the Client's encryption key(s),
   * which are used by the Server to encrypt responses to the Client. When
   * both signing and encryption keys are made available, a use (Key Use)
   * parameter value is REQUIRED for all keys in the referenced JWK Set to
   * indicate each key's intended usage. Although some algorithms allow the
   * same key to be used for both signatures and encryption, doing so is NOT
   * RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to
   * provide X.509 representations of keys provided. When used, the bare key
   * values MUST still be present and MUST match those in the certificate.
   */
  jwks_uri?: string;
  /**
   * Lifespan setting named for access tokens of the JWT bearer grant. Specify
   * a time duration in milliseconds, seconds, minutes, hours.
   */
  jwt_bearer_grant_access_token_lifespan?: string;
  /**
   * OAuth 2.0 Client Logo URI. A URL string referencing the client's logo.
   */
  logo_uri?: string;
  /**
   * Not described in the generated spec text. Typed `any`, so the compiler
   * checks nothing about its shape; narrow it before use.
   */
  metadata?: any;
  /**
   * OAuth 2.0 Client Owner. A string identifying the owner of the OAuth 2.0
   * Client.
   */
  owner?: string;
  /**
   * OAuth 2.0 Client Policy URI. A URL string that points to a human-readable
   * privacy policy document that describes how the deployment organization
   * collects, uses, retains, and discloses personal data.
   */
  policy_uri?: string;
  /**
   * Not described in the generated spec text. NOTE(review): presumably the
   * URIs the user may be sent to after logout; confirm, and review changes
   * to this list as closely as changes to `redirect_uris`.
   */
  post_logout_redirect_uris?: string[];
  /**
   * Not described in the generated spec text. NOTE(review): presumably the
   * redirection URIs registered for this client; confirm, and review every
   * addition, since that is where authorization responses would be sent.
   */
  redirect_uris?: string[];
  /**
   * Lifespan setting named for access tokens of the refresh token grant.
   * Specify a time duration in milliseconds, seconds, minutes, hours.
   */
  refresh_token_grant_access_token_lifespan?: string;
  /**
   * Lifespan setting named for ID tokens of the refresh token grant. Specify
   * a time duration in milliseconds, seconds, minutes, hours.
   */
  refresh_token_grant_id_token_lifespan?: string;
  /**
   * Lifespan setting named for refresh tokens of the refresh token grant.
   * Specify a time duration in milliseconds, seconds, minutes, hours.
   */
  refresh_token_grant_refresh_token_lifespan?: string;
  /**
   * OpenID Connect Dynamic Client Registration Access Token. It can be used
   * to update, get, or delete the OAuth2 Client. It is sent when creating a
   * client using Dynamic Client Registration.
   *
   * Whoever holds this token can manage the client, so store it with the same
   * care as `client_secret` and keep it out of logs.
   */
  registration_access_token?: string;
  /**
   * OpenID Connect Dynamic Client Registration URL. The URL used to update,
   * get, or delete the OAuth2 Client.
   */
  registration_client_uri?: string;
  /**
   * OpenID Connect Request Object Signing Algorithm. JWS [JWS] alg algorithm
   * [JWA] that MUST be used for signing Request Objects sent to the OP. All
   * Request Objects from this Client MUST be rejected, if not signed with
   * this algorithm.
   */
  request_object_signing_alg?: string;
  request_uris?: string[];
  response_types?: string[];
  /**
   * OAuth 2.0 Client Scope. A string containing a space-separated list of
   * scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that
   * the client can use when requesting access tokens.
   */
  scope?: string;
  /**
   * OpenID Connect Sector Identifier URI. URL using the https scheme to be
   * used in calculating Pseudonymous Identifiers by the OP. The URL
   * references a file with a single JSON array of redirect_uri values.
   */
  sector_identifier_uri?: string;
  /**
   * SkipConsent skips the consent screen for this client. This field can only
   * be set from the admin API.
   *
   * With it set, the end-user is not shown the consent screen for this
   * client, so audit which clients carry the flag.
   */
  skip_consent?: boolean;
  /**
   * SkipLogoutConsent skips the logout consent screen for this client. This
   * field can only be set from the admin API.
   */
  skip_logout_consent?: boolean;
  /**
   * OpenID Connect Subject Type. The `subject_types_supported` Discovery
   * parameter contains a list of the supported subject_type values for this
   * server. Valid types include `pairwise` and `public`.
   */
  subject_type?: string;
  /**
   * OAuth 2.0 Token Endpoint Authentication Method. Requested Client
   * Authentication method for the Token Endpoint. The options are:
   * `client_secret_basic`: (default) Send `client_id` and `client_secret` as
   * `application/x-www-form-urlencoded` encoded in the HTTP Authorization
   * header.
   * `client_secret_post`: Send `client_id` and `client_secret` as
   * `application/x-www-form-urlencoded` in the HTTP body.
   * `private_key_jwt`: Use JSON Web Tokens to authenticate the client.
   * `none`: Used for public clients (native apps, mobile apps) which can not
   * have secrets.
   */
  token_endpoint_auth_method?: string;
  /**
   * OAuth 2.0 Token Endpoint Signing Algorithm. Requested Client
   * Authentication signing algorithm for the Token Endpoint.
   */
  token_endpoint_auth_signing_alg?: string;
  /**
   * OAuth 2.0 Client Terms of Service URI. A URL string pointing to a
   * human-readable terms of service document for the client that describes a
   * contractual relationship between the end-user and the client that the
   * end-user accepts when authorizing the client.
   */
  tos_uri?: string;
  /**
   * OAuth 2.0 Client Last Update Date. UpdatedAt returns the timestamp of the
   * last update.
   */
  updated_at?: string;
  /**
   * OpenID Connect Request Userinfo Signed Response Algorithm. JWS alg
   * algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is
   * specified, the response will be JWT [JWT] serialized, and signed using
   * JWS. The default, if omitted, is for the UserInfo Response to return the
   * Claims as a UTF-8 encoded JSON object using the application/json
   * content-type.
   */
  userinfo_signed_response_alg?: string;
}
/**
 * OAuth2ConsentRequestOpenIDConnectContext: the optional OpenID Connect
 * parameters (`acr_values`, `display`, `id_token_hint_claims`, `login_hint`,
 * `ui_locales`) attached to a request.
 */
export interface OAuth2ConsentRequestOpenIDConnectContext {
  /**
   * ACRValues is the Authentication Context Class Reference requested in the
   * OAuth 2.0 Authorization request. It is a parameter defined by OpenID
   * Connect and expresses which level of authentication (e.g. 2FA) is
   * required. OpenID Connect defines it as follows:
   *
   * > Requested Authentication Context Class Reference values.
   * > Space-separated string that specifies the acr values that the
   * > Authorization Server is being requested to use for processing this
   * > Authentication Request, with the values appearing in order of
   * > preference. The Authentication Context Class satisfied by the
   * > authentication performed is returned as the acr Claim Value, as
   * > specified in Section 2. The acr Claim is requested as a Voluntary Claim
   * > by this parameter.
   */
  acr_values?: string[];
  /**
   * Display is a string value that specifies how the Authorization Server
   * displays the authentication and consent user interface pages to the
   * End-User. The defined values are:
   * page: The Authorization Server SHOULD display the authentication and
   * consent UI consistent with a full User Agent page view. If the display
   * parameter is not specified, this is the default display mode.
   * popup: The Authorization Server SHOULD display the authentication and
   * consent UI consistent with a popup User Agent window. The popup User
   * Agent window should be of an appropriate size for a login-focused dialog
   * and should not obscure the entire window that it is popping up over.
   * touch: The Authorization Server SHOULD display the authentication and
   * consent UI consistent with a device that leverages a touch interface.
   * wap: The Authorization Server SHOULD display the authentication and
   * consent UI consistent with a "feature phone" type display.
   *
   * The Authorization Server MAY also attempt to detect the capabilities of
   * the User Agent and present an appropriate display.
   */
  display?: string;
  /**
   * IDTokenHintClaims are the claims of the ID Token previously issued by the
   * Authorization Server being passed as a hint about the End-User's current
   * or past authenticated session with the Client.
   *
   * Values are typed `any`; narrow each claim before use. They are described
   * as a hint, so do not rely on them as proof of the current session.
   */
  id_token_hint_claims?: { [claim: string]: any };
  /**
   * LoginHint hints about the login identifier the End-User might use to log
   * in (if necessary). This hint can be used by an RP if it first asks the
   * End-User for their e-mail address (or other identifier) and then wants to
   * pass that value as a hint to the discovered authorization service. This
   * value MAY also be a phone number in the format specified for the
   * phone_number Claim. The use of this parameter is optional.
   *
   * It is a hint passed along by the RP, not an authenticated identity.
   */
  login_hint?: string;
  /**
   * UILocales is the End-User's preferred languages and scripts for the user
   * interface, represented as a space-separated list of BCP47 [RFC5646]
   * language tag values, ordered by preference. For instance, the value
   * "fr-CA fr en" represents a preference for French as spoken in Canada,
   * then French (without a region designation), followed by English (without
   * a region designation). An error SHOULD NOT result if some or all of the
   * requested locales are not supported by the OpenID Provider.
   */
  ui_locales?: string[];
}
/**
 * OAuth2LoginRequest: a login request identified by its login challenge,
 * together with the requesting client, the OpenID Connect context and what
 * the client asked for. Every property is optional in this generated type.
 */
export interface OAuth2LoginRequest {
  /**
   * ID is the identifier ("login challenge") of the login request. It is used
   * to identify the session.
   */
  challenge?: string;
  client?: OAuth2Client;
  oidc_context?: OAuth2ConsentRequestOpenIDConnectContext;
  /**
   * RequestURL is the original OAuth 2.0 Authorization URL requested by the
   * OAuth 2.0 client. It is the URL which initiates the OAuth 2.0
   * Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not
   * needed, but might come in handy if you want to deal with additional
   * request parameters.
   *
   * NOTE(review): those parameters were supplied with the authorization
   * request, so parse and validate them as untrusted input.
   */
  request_url?: string;
  requested_access_token_audience?: string[];
  requested_scope?: string[];
  /**
   * SessionID is the login session ID. If the user-agent reuses a login
   * session (via cookie / remember flag) this ID will remain the same. If the
   * user-agent did not have an existing authentication session (e.g. remember
   * is false) this will be a new random value. This value is used as the
   * "sid" parameter in the ID Token and in OIDC Front-/Back-channel logout.
   * Its value can generally be used to associate consecutive login requests
   * by a certain user.
   */
  session_id?: string;
  /**
   * Skip, if true, implies that the client has requested the same scopes from
   * the same user previously. If true, you can skip asking the user to grant
   * the requested scopes, and simply forward the user to the redirect URL.
   * This feature allows you to update / set session information.
   */
  skip?: boolean;
  /**
   * Subject is the user ID of the end-user that authenticated. Now, that end
   * user needs to grant or deny the scope requested by the OAuth 2.0 client.
   * If this value is set and `skip` is true, you MUST include this subject
   * type when accepting the login request, or the request will fail.
   */
  subject?: string;
}
/**
 * Patch Identities Body: the request body carrying a batch of identity
 * patches.
 */
export interface PatchIdentitiesBody {
  /**
   * Identities holds the list of patches to apply.
   * The source description tags this field "required", although this
   * generated type declares the property optional.
   */
  identities?: IdentityPatch[];
}
/**
 * Perform Native Logout Request Body.
 */
export interface PerformNativeLogoutBody {
  /**
   * The Session Token. Invalidate this session token.
   *
   * The token travels in the request body as a plain string, so keep request
   * bodies of this type out of logs and traces.
   */
  session_token: string;
}
export interface Provider {
/**
* The RP\'s client identifier, issued by the IdP.
*/
'client_id'?: string;
/**
* A full path of the IdP config file.
*/
'config_url'?: string;
/*