OAuth and OpenID Connect: Details (Admin API, API Reference v0)
openapi: 3.0.0
info:
  version: '0.0'
  title: OIDC Provider
servers:
  - url: 'https://login.jackhenry.com'
tags:
  - name: Provider Info
  - name: Token
  - name: Authorization
paths:
  /a/oidc-provider/api/v0/.well-known/openid-configuration:
    get:
      tags:
        - Provider Info
      description: Gets a JSON listing of the OpenID/OAuth endpoints, supported scopes, supported claims, and other details. Clients can use this information in order to build a request to the OpenID server.
      responses:
        '200':
          description: OK
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/jwks:
    get:
      tags:
        - Provider Info
      summary: Gets the JSON Web Key Set (JWKS) for verifying JWTs received from the authentication server.
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/certsResponse'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/token:
    post:
      tags:
        - Token
      summary: Exchanges authorization code for an access token
      parameters:
        - name: DPoP
          in: header
          schema:
            type: string
          required: false
          description: |
            OPTIONAL: A valid Demonstrate Proof of Possession (DPoP) JWT used to bind the access token to the
            client. This is an advanced technique to prevent token theft. When an access token is bound,
            all API requests to a resource server must also present a valid DPoP header.
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/tokenRequest'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenResponse'
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenFailure'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenUnauthorized'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/token/revocation:
    post:
      tags:
        - Token
      summary: Revokes a token.
      description: See the [OAuth Token Revocation specs](https://tools.ietf.org/html/rfc7009).
      parameters:
        - name: DPoP
          in: header
          schema:
            type: string
          required: false
          description: |
            OPTIONAL: A valid Demonstrate Proof of Possession (DPoP) JWT used to bind the access token to the
            client. This is an advanced technique to prevent token theft. When an access token is bound,
            all API requests to a resource server must also present a valid DPoP header.
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/tokenRevocationRequest'
      responses:
        '200':
          description: OK (no content)
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenFailure'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenUnauthorized'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/auth:
    get:
      summary: Sends authentication request using query string parameters.
      description: 'Utilizing query string parameters, the `/auth` route will redirect to the specified `redirect_uri` with the result of the call found in the URL.'
      tags:
        - Authorization
      parameters:
        - name: response_type
          in: query
          description: The authorization type. Must be set to `code`
          required: true
          schema:
            type: string
            enum:
              - code
            example: code
        - name: client_id
          in: query
          description: ID of the client
          required: true
          schema:
            type: string
            example: 00000000-0000-0000-0000-000000000000
        - name: redirect_uri
          in: query
          description: The redirect URI as registered by the client.
          required: false
          schema:
            type: string
            example: https://localhost/cb
        - name: scope
          in: query
          description: The possible scope of the request
          required: false
          schema:
            type: string
            example: openid
        - name: claims
          in: query
          description: Claims to return in the id_token or from the userinfo endpoint
          required: false
          schema:
            type: string
            example: "{\"id_token\":{\"email\":null}}"
        - name: state
          in: query
          description: Any client state that needs to be passed onto the redirect URI
          required: false
          schema:
            type: string
            example: 00000000-0000-0000-0000-000000000000
        - name: prompt
          description: Specific prompts a user must be presented with
          in: query
          schema:
            type: string
            enum:
              - login
              - consent
            example: consent
        - name: code_challenge
          in: query
          description: PKCE code challenge
          required: false
          schema:
            type: string
            example: base64UrlEncoded(sha256(code_verifier))
        - name: code_challenge_method
          description: PKCE code challenge method
          in: query
          required: false
          schema:
            type: string
            enum:
              - S256
            example: S256
        - name: request_uri
          in: query
          required: false
          schema:
            type: string
            example: urn:ietf:params:oauth:request_uri:cnEx7B1mkVFXze4BoZWp5
      responses:
        '200':
          description: OK
        '400':
          description: Bad Request
        '500':
          description: Internal Server Error
    post:
      tags:
        - Authorization
      summary: Sends authentication request using a POST request body.
      description: 'Utilizing a `POST` request, the `/auth` route will redirect to the specified `redirect_uri` with the result of the call found in the URL.'
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              oneOf:
                - $ref: '#/components/schemas/authRequest'
                - $ref: '#/components/schemas/parAuthRequest'
      responses:
        '200':
          description: OK
          content:
            text/html:
              schema:
                type: string
        '400':
          description: Bad Request
          content:
            text/html:
              schema:
                type: string
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/request:
    post:
      tags:
        - Authorization
      summary: Pushed Authorization Request (PAR)
      description: 'Start an authorization request by posting the payload from one server to the identity provider. Increases security by not exposing the authorization parameters to the user in the browser URL and also supports using unregistered callback URLs.'
      security:
        - basicAuth: []
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/authRequest'
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/parResponse'
        '400':
          description: Bad Request
          content:
            text/html:
              schema:
                type: string
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/me:
    get:
      tags:
        - User Info
      summary: Returns info about the authenticated user.
      description: See the [OpenID Connect Core specs](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
      security:
        - OpenID_Connect:
            - openid
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/userInfo'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/tokenUnauthorized'
        '500':
          description: Internal Server Error
  /a/oidc-provider/api/v0/logout:
    get:
      tags:
        - Logout
      summary: Log a user out and allow custom logout redirects
      description: |
        See [OpenID Connect RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html).
        This endpoint is designed to be used as a redirect target for the end user agent. It will facilitate logging the user
        out of both the identity provider and relying party sites. Either a client_id or an id_token_hint
        parameter must be passed.
      parameters:
        - name: id_token_hint
          in: query
          description: |
            ID Token previously issued. It is passed to the Logout Endpoint as a hint about the End-User's current authenticated session with the Client.
            Either id_token_hint or client_id must be provided.
          required: false
          schema:
            type: string
        - name: client_id
          in: query
          description: |
            Client ID of the relying party. It is passed to the Logout Endpoint to enable post_logout_redirect_uri parameters.
            Either id_token_hint or client_id must be provided.
          required: false
          schema:
            type: string
        - name: post_logout_redirect_uri
          in: query
          description: |
            URI to which the relying party is requesting that the End-User be redirected after a logout has been performed. This URI SHOULD use the https scheme and
            MUST be pre-registered as a callback URI for the client.
          required: false
          schema:
            type: string
        - name: state
          in: query
          description: Any client state that needs to be passed onto the redirect URI
          required: false
          schema:
            type: string
            example: random+value
      responses:
        '301':
          description: Redirect the user through a logout flow
components:
  securitySchemes:
    clientCredentials:
      type: oauth2
      description: OAuth2 using the client credentials flow
      flows:
        clientCredentials:
          tokenUrl: https://login.jackhenry.com/a/oidc-provider/api/v0/token
          scopes: {}
    basicAuth:
      type: http
      scheme: basic
    OpenID_Connect:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: https://login.jackhenry.com/a/oidc-provider/api/v0/auth
          scopes:
            openid: Access to the user's OpenID
  schemas:
    certsResponse:
      type: object
      properties:
        keys:
          type: array
          items:
            required:
              - kid
              - kty
              - use
            type: object
            properties:
              kty:
                type: string
                example: string
              kid:
                type: string
                example: string
              use:
                type: string
                example: string
              crv:
                type: string
                example: string
              x:
                type: string
                example: string
              'y':
                type: string
                example: string
              d:
                type: string
                example: string
              e:
                type: string
                example: string
              'n':
                type: string
                example: string
              p:
                type: string
                example: string
              q:
                type: string
                example: string
              dp:
                type: string
                example: string
              dq:
                type: string
                example: string
              qi:
                type: string
                example: string
    tokenRequest:
      required:
        - grant_type
      type: object
      properties:
        client_assertion:
          description: Properly signed JWT token (this houses the client id for the request). Test token payload at https://jwt.io/
          type: string
          example: string
        client_assertion_type:
          $ref: "#/components/schemas/validClientAssertionTypes"
        grant_type:
          $ref: "#/components/schemas/validGrantTypes"
        scope:
          $ref: "#/components/schemas/validScopes"
        code:
          description: The authorization code received from the authorization endpoint.
          type: string
          example: string
        redirect_uri:
          description: The redirect URI used in the initial authorization request.
          type: string
          example: https://localhost/cb
        client_id:
          description: ID of the client
          type: string
          example: 00000000-0000-0000-0000-000000000000
        code_verifier:
          description: PKCE code verifier
          type: string
          example: string
    tokenRevocationRequest:
      required:
        - client_id
        - client_secret
        - token
      type: object
      properties:
        client_id:
          type: string
          example: 0cd6b55a-3017-4e16-aa50-f0cbdb1cd12f
        client_secret:
          type: string
          example: b63f559e-1425-41f9-9381-454b64e1981a
        token:
          type: string
          description: ID of the token to revoke
        token_type_hint:
          type: string
          example: access_token
          description: Suggests the type of token passed
    tokenResponse:
      required:
        - access_token
        - token_type
        - refresh_token
      type: object
      properties:
        access_token:
          type: string
          description: The access token returned from the server
          example: string
        token_type:
          type: string
          description: The type of access token that was given.
          example: string
        expires_in:
          type: string
          description: The number of seconds until the token expires
          example: '600'
        refresh_token:
          type: string
          description: A refresh token for when the access token is expired.
          example: string
    tokenFailure:
      type: object
      properties:
        error:
          type: string
          example: Invalid request
        error_description:
          type: string
          example: no client authentication mechanism provided
    tokenUnauthorized:
      type: object
      properties:
        error:
          type: string
          example: invalid client
        error_description:
          type: string
          example: client authentication failed
    authRequest:
      required:
        - response_type
        - client_id
      type: object
      properties:
        response_type:
          description: The authorization type. Must be set to `code`
          type: string
          enum:
            - code
          example: code
        client_id:
          description: ID of the client
          type: string
          example: 00000000-0000-0000-0000-000000000000
        redirect_uri:
          description: The redirect URI as registered by the client.
          type: string
          example: https://localhost/cb
        scope:
          description: The possible scope of the request
          type: string
          example: openid
        claims:
          description: Claims to return in the id_token or from the userinfo endpoint
          type: string
          example: "{\"id_token\":{\"email\":null}}"
        state:
          description: Any client state that needs to be passed onto the redirect URI
          type: string
          example: random+value
        prompt:
          description: Specific prompts a user must be presented with
          type: string
          enum:
            - login
            - consent
          example: consent
        code_challenge:
          description: PKCE code challenge
          type: string
          example: base64UrlEncoded(sha256(code_verifier))
        code_challenge_method:
          description: PKCE code challenge method - must be `S256`
          type: string
          enum:
            - S256
          example: S256
    parAuthRequest:
      required:
        - client_id
        - request_uri
      type: object
      properties:
        client_id:
          type: string
          description: ID of client as given by the authorization server
          example: string
        request_uri:
          type: string
          example: urn:ietf:params:oauth:request_uri:cnEx7B1mkVFXze4BoZWp5
    parResponse:
      required:
        - request_uri
        - expires_in
      type: object
      properties:
        request_uri:
          type: string
          description: Value to be used as the request_uri parameter in the authorization code flow.
          example: urn:ietf:params:oauth:request_uri:cnEx7B1mkVFXze4BoZWp5
        expires_in:
          type: number
          description: Duration in seconds during which the request_uri is valid
          example: 90
    validClientAssertionTypes:
      type: string
      description: The possible client assertion types for the request
      enum:
        - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    validGrantTypes:
      type: string
      description: The possible grant types for the request
      enum:
        - client_credentials
    validScopes:
      type: string
      description: The possible scope of the request
      enum:
        - openid
    userInfo:
      type: object
      properties:
        sub:
          type: string
          description: User ID
          example: cf857130-6d24-11e9-870c-0242b75cad58
        cash_management_user:
          type: object
          example: {}
        cash_management_user_id:
          type: string
          example: example
        esi_bsl_token:
          type: string
          example: example
        institution_id:
          type: string
          example: c8b309b0-fc09-11e5-8adf-0e09432615dc
        netteller_id:
          type: string
          example: '"888800000001"'
        theme_data:
          type: object
          example: {}
        birthdate:
          type: string
          example: '1900-01-01'
        family_name:
          type: string
          example: John
        given_name:
          type: string
          example: Doe
        middle_name:
          type: string
          nullable: true
          example: Q
        name:
          type: string
          example: John Doe
        picture:
          type: string
          example: https://ovation.banno-uat.com/a/consumer/api/node/public-profile-photo/dmF1bHQ6djE6Ny84ejdFdjBLTlFYWUxxcXZJSGVFS1ljNndSN3NYRGtKTlBVVzdXZXNBNy9rSnEzelpiT0NCcENHY0dNUWNQRS9QRGV0TElGdEhVV1RIVHpDMkpVZ3c9PQ==
        preferred_username:
          type: string
          example: jdoe
        email:
          type: string
          example: jdoe@example.com
        phone_number:
          type: string
          example: '"+15555556652"'
        address:
          $ref: '#/components/schemas/userAddress'
    userAddress:
      type: object
      properties:
        locality:
          type: string
          example: Cedar Falls
        postal_code:
          type: string
          example: '"506130000"'
        region:
          type: string
          example: IA
        street_address:
          type: string
          example: 2911 Lovejoy Drive
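The `/auth` and `/token` definitions above describe the authorization code flow with S256 PKCE and a `state` parameter, but the spec only names the pieces. The following Go program is an added example (not Jack Henry code) that shows a relying party's side of that exchange against the endpoints listed in the spec: it derives `code_challenge` exactly as `base64UrlEncoded(sha256(code_verifier))` with no padding, builds the `/auth` redirect, refuses any callback whose `state` does not match the value it issued, and only then assembles the `tokenRequest` body carrying `code_verifier`. The function names are this example's own, and `grant_type=authorization_code` is an assumption: the spec's `validGrantTypes` enum lists only `client_credentials`, so confirm the value with the provider before relying on it.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Endpoint URLs as listed in the spec above.
const (
	AuthEndpoint  = "https://login.jackhenry.com/a/oidc-provider/api/v0/auth"
	TokenEndpoint = "https://login.jackhenry.com/a/oidc-provider/api/v0/token"
)

// randomToken returns 32 bytes of CSPRNG output as 43 unpadded base64url characters,
// usable both as a PKCE code_verifier (RFC 7636 section 4.1) and as a state value.
func randomToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallenge is the spec's base64UrlEncoded(sha256(code_verifier)), with no '=' padding.
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthURL builds the GET /auth request: response_type=code, S256 PKCE and a state value.
// Only the challenge leaves the client; the verifier stays in the session until token exchange.
func AuthURL(clientID, redirectURI, state, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid")
	q.Set("state", state)
	q.Set("code_challenge", CodeChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	return AuthEndpoint + "?" + q.Encode()
}

// CodeFromCallback reads the redirect back to redirect_uri. It refuses the code unless the
// returned state equals the one stored for this login, which is what makes state a CSRF defence.
func CodeFromCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", errors.New("authorization failed: " + e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: response does not belong to this login attempt")
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

// TokenRequestBody is the x-www-form-urlencoded body for POST /token (tokenRequest schema).
// Assumption: grant_type=authorization_code for the code exchange; the spec's validGrantTypes
// enum only lists client_credentials, so confirm the value with the provider.
func TokenRequestBody(clientID, redirectURI, code, verifier string) string {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("client_id", clientID)
	f.Set("redirect_uri", redirectURI)
	f.Set("code", code)
	f.Set("code_verifier", verifier)
	return f.Encode()
}

func main() {
	verifier, _ := randomToken()
	state, _ := randomToken()
	clientID, redirectURI := "00000000-0000-0000-0000-000000000000", "https://localhost/cb"
	fmt.Println("redirect user to:", AuthURL(clientID, redirectURI, state, verifier))
	// Constructed callback, shaped like the redirect the provider sends the browser back with.
	code, err := CodeFromCallback(redirectURI+"?code=constructed-code&state="+state, state)
	if err != nil {
		fmt.Println("rejecting callback:", err)
		return
	}
	fmt.Println("POST", TokenEndpoint, "body:", TokenRequestBody(clientID, redirectURI, code, verifier))
}
```

Two details matter for safety: the verifier and state are generated from `crypto/rand`, never derived from anything the user supplies, and the state comparison runs before the code is even read, so a forged or replayed callback never reaches the token endpoint.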
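The `/jwks` endpoint and its `certsResponse` schema exist so a relying party can check the signature on tokens it receives, but the spec says nothing about what a correct check looks like. The Go program below is an added example (not Jack Henry code) of that verification for P-256 EC keys, which is the `kty`/`crv`/`x`/`y` subset of `certsResponse`; the schema also lists RSA fields, which this example does not handle. Because it must run offline, it generates its own key pair as a stand-in for the provider's and mints a token with it; in practice the JWKS comes from `GET /a/oidc-provider/api/v0/jwks` and the token from `/token`. The `aud` claim is modelled as a single string, and all type and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK carries the certsResponse fields an EC signing key needs (kty, kid, use, crv, x, y).
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// JWKS is the document shape returned by GET /jwks.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims are the token claims checked below; aud is modelled as a single string here.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// PublicKey converts a P-256 JWK into an ecdsa.PublicKey, rejecting points that are not on the curve.
func (k JWK) PublicKey() (*ecdsa.PublicKey, error) {
	if k.Kty != "EC" || k.Crv != "P-256" {
		return nil, errors.New("unsupported key type or curve")
	}
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if errX != nil || errY != nil {
		return nil, errors.New("malformed coordinate")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point not on curve")
	}
	return pub, nil
}

// NewKeySet generates a P-256 key and publishes its public half as a one-key JWKS.
// This is a constructed stand-in for the provider's real key material.
func NewKeySet(kid string) (*ecdsa.PrivateKey, JWKS, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, JWKS{}, err
	}
	coord := make([]byte, 32) // JWK coordinates are fixed-width, zero-padded big-endian
	jwk := JWK{Kty: "EC", Kid: kid, Use: "sig", Crv: "P-256"}
	jwk.X = b64.EncodeToString(priv.PublicKey.X.FillBytes(coord))
	jwk.Y = b64.EncodeToString(priv.PublicKey.Y.FillBytes(coord))
	return priv, JWKS{Keys: []JWK{jwk}}, nil
}

// SignES256 produces a compact JWS over the claims, the way a provider mints an ID token.
func SignES256(priv *ecdsa.PrivateKey, kid string, claims Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS encodes r||s as two 32-byte integers, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT checks algorithm, key id, signature, issuer, audience and expiry against the JWKS.
func VerifyJWT(token string, jwks JWKS, issuer, audience string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var header struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return Claims{}, err
	}
	// Pin the algorithm: the token's own alg header must never select the verification method.
	if header.Alg != "ES256" {
		return Claims{}, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var pub *ecdsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == header.Kid && k.Use == "sig" {
			if pub, err = k.PublicKey(); err != nil {
				return Claims{}, err
			}
		}
	}
	if pub == nil {
		return Claims{}, errors.New("no signing key with that kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return Claims{}, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Claims{}, errors.New("signature invalid")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	var claims Claims
	if err != nil || json.Unmarshal(rawClaims, &claims) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if claims.Iss != issuer || claims.Aud != audience {
		return Claims{}, errors.New("issuer or audience mismatch")
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	priv, jwks, _ := NewKeySet("key-1")
	c := Claims{Iss: "https://login.jackhenry.com", Sub: "cf857130-6d24-11e9-870c-0242b75cad58",
		Aud: "00000000-0000-0000-0000-000000000000", Exp: time.Now().Add(10 * time.Minute).Unix()}
	tok, _ := SignES256(priv, "key-1", c)
	fmt.Println(VerifyJWT(tok, jwks, c.Iss, c.Aud, time.Now()))
}
```

The order of checks is deliberate: the algorithm is pinned before any key is looked up, the key is selected by `kid` and restricted to `use: sig`, and the claims are only parsed after the signature has been verified, so nothing inside an unverified payload influences the outcome.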
Last updated Fri Feb 4 2022