diff --git a/.github/workflows/mdbook.yaml b/.github/workflows/mdbook.yaml
index d80280c3..0726f7c5 100644
--- a/.github/workflows/mdbook.yaml
+++ b/.github/workflows/mdbook.yaml
@@ -45,6 +45,9 @@ jobs:
cargo install --version ${MDBOOK_VERSION} mdbook
cargo install mdbook-mermaid
+ - name: Generate OpenAPI
+ run: cargo run --bin keystone -- --dump-openapi yaml > doc/src/openapi.yaml
+
- name: Setup Pages
id: pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
diff --git a/doc/src/SUMMARY.md b/doc/src/SUMMARY.md
index eb4fcf28..44bb06c1 100644
--- a/doc/src/SUMMARY.md
+++ b/doc/src/SUMMARY.md
@@ -6,6 +6,7 @@
---
+- [API](./swagger-ui.html)
- [Federation](./federation.md)
- [Passkeys](./passkey.md)
diff --git a/doc/src/openapi.yaml b/doc/src/openapi.yaml
new file mode 100644
index 00000000..c5b82875
--- /dev/null
+++ b/doc/src/openapi.yaml
@@ -0,0 +1,2558 @@
+openapi: 3.1.0
+info:
+ title: openstack_keystone
+ description: OpenStack Keystone service
+ contact:
+ name: Artem Goncharov (gtema)
+ license:
+ name: Apache-2.0
+ identifier: Apache-2.0
+ version: 4.0.1
+paths:
+ /:
+ get:
+ tags:
+ - version
+ summary: Versions
+ description: Version discovery
+ operationId: version
+ responses:
+ '200':
+ description: Versions
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Versions'
+ /v3:
+ get:
+ tags:
+ - version
+ summary: Version discovery endpoint
+ description: Version discovery
+ operationId: version
+ responses:
+ '200':
+ description: Versions
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SingleVersion'
+ /v3/auth/tokens:
+ get:
+ tags:
+ - auth
+ summary: Validate token
+ description: Validate token
+ operationId: show
+ parameters:
+ - name: nocatalog
+ in: query
+ description: |-
+ The authentication response excludes the service catalog. By default, the response includes
+ the service catalog.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ - name: allow_expired
+ in: query
+ description: Allow fetching a token that has expired. By default expired tokens return a 404 exception.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ responses:
+ '200':
+ description: Token object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenResponse'
+ post:
+ tags:
+ - auth
+ summary: Authenticate user issuing a new token
+ description: Issue token
+ operationId: post
+ parameters:
+ - name: nocatalog
+ in: query
+ description: |-
+ The authentication response excludes the service catalog. By default, the response includes
+ the service catalog.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthRequest'
+ required: true
+ responses:
+ '200':
+ description: Token object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenResponse'
+ /v3/groups:
+ get:
+ tags:
+ - groups
+ summary: List groups
+ description: List groups
+ operationId: list
+ parameters:
+ - name: domain_id
+ in: query
+ description: Filter users by Domain ID
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: name
+ in: query
+ description: Filter users by Name
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of groups
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupList'
+ '500':
+ description: Internal error
+ post:
+ tags:
+ - groups
+ summary: Create group
+ description: Create new Group
+ operationId: create
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: Group object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupResponse'
+ /v3/groups/{group_id}:
+ get:
+ tags:
+ - groups
+ summary: Get single group
+ description: Get group by ID
+ operationId: show
+ parameters:
+ - name: group_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Group object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupResponse'
+ '404':
+ description: Group not found
+ delete:
+ tags:
+ - groups
+ summary: Delete group
+ description: Delete group by ID
+ operationId: remove
+ parameters:
+ - name: group_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Deleted
+ '404':
+ description: group not found
+ /v3/role_assignments:
+ get:
+ tags:
+ - roles
+ summary: List role assignments
+ description: List roles
+ operationId: list
+ parameters:
+ - name: scope.domain.id
+ in: query
+ description: Filters the response by a domain ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: group.id
+ in: query
+ description: Filters the response by a group ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: effective
+ in: query
+ description: |-
+ Returns the effective assignments, including any assignments gained by virtue of group
+ membership.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ - name: scope.project.id
+ in: query
+ description: Filters the response by a project ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: role.id
+ in: query
+ description: Filters the response by a role ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: user.id
+ in: query
+ description: Filters the response by a user ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: include_names
+ in: query
+ description: |-
+ If set to true, then the names of any entities returned will be include as well as their
+ IDs. Any value other than 0 (including no value) will be interpreted as true.
+
+ New in version 3.6
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ responses:
+ '200':
+ description: List of role assignments
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AssignmentList'
+ '500':
+ description: Internal error
+ /v3/roles:
+ get:
+ tags:
+ - roles
+ summary: List roles
+ description: List roles
+ operationId: list
+ parameters:
+ - name: domain_id
+ in: query
+ description: Filter users by Domain ID
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: name
+ in: query
+ description: Filter users by Name
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of roles
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleList'
+ '500':
+ description: Internal error
+ /v3/roles/{role_id}:
+ get:
+ tags:
+ - roles
+ summary: Get single role
+ description: Get role by ID
+ operationId: show
+ parameters:
+ - name: role_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Role object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleResponse'
+ '404':
+ description: Role not found
+ /v3/users:
+ get:
+ tags:
+ - users
+ summary: List users
+ description: List users
+ operationId: list
+ parameters:
+ - name: domain_id
+ in: query
+ description: Filter users by Domain ID
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: name
+ in: query
+ description: Filter users by Name
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of users
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserList'
+ '500':
+ description: Internal error
+ post:
+ tags:
+ - users
+ summary: Create user
+ description: Create new user
+ operationId: create
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: New user
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserResponse'
+ /v3/users/{user_id}:
+ get:
+ tags:
+ - users
+ summary: Get single user
+ operationId: show
+ parameters:
+ - name: user_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Single user
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserResponse'
+ '404':
+ description: User not found
+ delete:
+ tags:
+ - users
+ summary: Delete user
+ description: Delete user by ID
+ operationId: remove
+ parameters:
+ - name: user_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Deleted
+ '404':
+ description: User not found
+ /v3/users/{user_id}/groups:
+ get:
+ tags:
+ - users
+ summary: List groups a user is member of
+ description: List groups a user is member of
+ operationId: groups
+ parameters:
+ - name: user_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: List of user groups
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupList'
+ '500':
+ description: Internal error
+ /v4:
+ get:
+ tags:
+ - version
+ summary: Version discovery endpoint
+ description: Version discovery
+ operationId: version
+ responses:
+ '200':
+ description: Versions
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SingleVersion'
+ /v4/auth/tokens:
+ get:
+ tags:
+ - auth
+ summary: Validate token
+ description: Validate token
+ operationId: show
+ parameters:
+ - name: nocatalog
+ in: query
+ description: |-
+ The authentication response excludes the service catalog. By default, the response includes
+ the service catalog.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ - name: allow_expired
+ in: query
+ description: Allow fetching a token that has expired. By default expired tokens return a 404 exception.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ responses:
+ '200':
+ description: Token object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenResponse'
+ post:
+ tags:
+ - auth
+ summary: Authenticate user issuing a new token
+ description: Issue token
+ operationId: post
+ parameters:
+ - name: nocatalog
+ in: query
+ description: |-
+ The authentication response excludes the service catalog. By default, the response includes
+ the service catalog.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthRequest'
+ required: true
+ responses:
+ '200':
+ description: Token object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenResponse'
+ /v4/federation/identity_providers:
+ get:
+ tags:
+ - identity_providers
+ summary: List identity providers.
+ description: |-
+ List identity providers. Without any filters only global identity providers are returned.
+ With the `domain_id` identity providers owned by the specified identity provider are returned.
+
+ It is expected that only global or owned identity providers can be returned, while an admin
+ user is able to list all providers.
+ operationId: list
+ parameters:
+ - name: name
+ in: query
+ description: Filters the response by IDP name.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: domain_id
+ in: query
+ description: Filters the response by a domain ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of identity providers
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderList'
+ '500':
+ description: Internal error
+ security:
+ - x-auth: []
+ post:
+ tags:
+ - identity_providers
+ summary: Create the identity provider.
+ description: |-
+ Create the identity provider with the specified properties.
+
+ It is expected that only admin user is able to create global identity providers.
+ operationId: create
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: identity provider object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderResponse'
+ security:
+ - x-auth: []
+ /v4/federation/identity_providers/{idp_id}:
+ get:
+ tags:
+ - identity_providers
+ summary: Get single identity provider.
+ description: Shows details of the existing identity provider.
+ operationId: show
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: IDP object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderResponse'
+ '404':
+ description: IDP not found
+ security:
+ - x-auth: []
+ put:
+ tags:
+ - identity_providers
+ summary: Update single identity provider.
+ description: Updates the existing identity provider.
+ operationId: update
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderUpdateRequest'
+ required: true
+ responses:
+ '200':
+ description: IDP object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderResponse'
+ '404':
+ description: IDP not found
+ security:
+ - x-auth: []
+ delete:
+ tags:
+ - identity_providers
+ summary: Delete Identity provider.
+ description: |-
+ Deletes the existing identity provider.
+
+ It is expected that only admin user is allowed to delete the global identity provider
+ operationId: remove
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Deleted
+ '404':
+ description: identity provider not found
+ security:
+ - x-auth: []
+ /v4/federation/identity_providers/{idp_id}/auth:
+ post:
+ tags:
+ - identity_providers
+ summary: Authenticate using identity provider.
+ description: Authenticate using identity provider
+ operationId: post
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderAuthRequest'
+ required: true
+ responses:
+ '201':
+ description: identity provider object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityProviderAuthResponse'
+ /v4/federation/identity_providers/{idp_id}/jwt:
+ post:
+ tags:
+ - identity_providers
+ summary: Authentication using the JWT.
+ description: |-
+ This operation allows user to exchange the JWT issued by the trusted identity provider for the
+ regular Keystone session token. Request specifies the necessary authentication mapping, which
+ is also used to validate expected claims.
+ operationId: login
+ parameters:
+ - name: openstack-mapping
+ in: header
+ description: Federated attribute mapping
+ required: true
+ schema:
+ type: string
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Authentication Token object
+ headers:
+ x-subject-token:
+ schema:
+ type: string
+ description: Keystone token
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenResponse'
+ security:
+ - jwt: []
+ /v4/federation/mappings:
+ get:
+ tags:
+ - mappings
+ summary: List federation mappings.
+ description: |-
+ List available federation mappings.
+
+ Without `domain_id` specified global mappings are returned.
+
+ It is expected that listing mappings belonging to the other domain is only allowed to the admin
+ user.
+ operationId: list
+ parameters:
+ - name: name
+ in: query
+ description: Filters the response by IDP name.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: domain_id
+ in: query
+ description: Filters the response by a domain ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: idp_id
+ in: query
+ description: Filters the response by a idp ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: type
+ in: query
+ description: Filters the response by a mapping type.
+ required: false
+ schema:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/MappingType'
+ responses:
+ '200':
+ description: List of mappings
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MappingList'
+ '500':
+ description: Internal error
+ security:
+ - x-auth: []
+ post:
+ tags:
+ - mappings
+ summary: Create mapping
+ description: Create new mapping
+ operationId: create
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MappingCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: mapping object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MappingResponse'
+ security:
+ - x-auth: []
+ /v4/federation/mappings/{idp_id}:
+ get:
+ tags:
+ - mappings
+ summary: Get single mapping
+ description: Get mapping by ID
+ operationId: show
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: mapping object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MappingResponse'
+ '404':
+ description: mapping not found
+ security:
+ - x-auth: []
+ put:
+ tags:
+ - mappings
+ summary: Update single mapping
+ description: Update existing mapping
+ operationId: update
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MappingUpdateRequest'
+ required: true
+ responses:
+ '200':
+ description: mapping object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/MappingResponse'
+ '404':
+ description: mapping not found
+ security:
+ - x-auth: []
+ delete:
+ tags:
+ - mappings
+ summary: Delete Identity provider
+ description: Delete mapping by ID
+ operationId: remove
+ parameters:
+ - name: idp_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Deleted
+ '404':
+ description: mapping not found
+ security:
+ - x-auth: []
+ /v4/federation/oidc/callback:
+ post:
+ tags:
+ - identity_providers
+ summary: Authentication callback.
+ description: OIDC authentication callback
+ operationId: callback
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AuthCallbackParameters'
+ required: true
+ responses:
+ '200':
+ description: Authentication Token object
+ headers:
+ x-subject-token:
+ schema:
+ type: string
+ description: Keystone token
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/TokenResponse'
+ security:
+ - oauth2:
+ - openid
+ /v4/groups:
+ get:
+ tags:
+ - groups
+ summary: List groups
+ description: List groups
+ operationId: list
+ parameters:
+ - name: domain_id
+ in: query
+ description: Filter users by Domain ID
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: name
+ in: query
+ description: Filter users by Name
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of groups
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupList'
+ '500':
+ description: Internal error
+ post:
+ tags:
+ - groups
+ summary: Create group
+ description: Create new Group
+ operationId: create
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: Group object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupResponse'
+ /v4/groups/{group_id}:
+ get:
+ tags:
+ - groups
+ summary: Get single group
+ description: Get group by ID
+ operationId: show
+ parameters:
+ - name: group_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Group object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupResponse'
+ '404':
+ description: Group not found
+ delete:
+ tags:
+ - groups
+ summary: Delete group
+ description: Delete group by ID
+ operationId: remove
+ parameters:
+ - name: group_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Deleted
+ '404':
+ description: group not found
+ /v4/role_assignments:
+ get:
+ tags:
+ - roles
+ summary: List role assignments
+ description: List roles
+ operationId: list
+ parameters:
+ - name: scope.domain.id
+ in: query
+ description: Filters the response by a domain ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: group.id
+ in: query
+ description: Filters the response by a group ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: effective
+ in: query
+ description: |-
+ Returns the effective assignments, including any assignments gained by virtue of group
+ membership.
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ - name: scope.project.id
+ in: query
+ description: Filters the response by a project ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: role.id
+ in: query
+ description: Filters the response by a role ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: user.id
+ in: query
+ description: Filters the response by a user ID.
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: include_names
+ in: query
+ description: |-
+ If set to true, then the names of any entities returned will be include as well as their
+ IDs. Any value other than 0 (including no value) will be interpreted as true.
+
+ New in version 3.6
+ required: false
+ schema:
+ type:
+ - boolean
+ - 'null'
+ responses:
+ '200':
+ description: List of role assignments
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AssignmentList'
+ '500':
+ description: Internal error
+ /v4/roles:
+ get:
+ tags:
+ - roles
+ summary: List roles
+ description: List roles
+ operationId: list
+ parameters:
+ - name: domain_id
+ in: query
+ description: Filter users by Domain ID
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: name
+ in: query
+ description: Filter users by Name
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of roles
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleList'
+ '500':
+ description: Internal error
+ /v4/roles/{role_id}:
+ get:
+ tags:
+ - roles
+ summary: Get single role
+ description: Get role by ID
+ operationId: show
+ parameters:
+ - name: role_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Role object
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RoleResponse'
+ '404':
+ description: Role not found
+ /v4/users:
+ get:
+ tags:
+ - users
+ summary: List users
+ description: List users
+ operationId: list
+ parameters:
+ - name: domain_id
+ in: query
+ description: Filter users by Domain ID
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ - name: name
+ in: query
+ description: Filter users by Name
+ required: false
+ schema:
+ type:
+ - string
+ - 'null'
+ responses:
+ '200':
+ description: List of users
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserList'
+ '500':
+ description: Internal error
+ post:
+ tags:
+ - users
+ summary: Create user
+ description: Create new user
+ operationId: create
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserCreateRequest'
+ required: true
+ responses:
+ '201':
+ description: New user
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserResponse'
+ /v4/users/{user_id}:
+ get:
+ tags:
+ - users
+ summary: Get single user
+ operationId: show
+ parameters:
+ - name: user_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Single user
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserResponse'
+ '404':
+ description: User not found
+ delete:
+ tags:
+ - users
+ summary: Delete user
+ description: Delete user by ID
+ operationId: remove
+ parameters:
+ - name: user_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Deleted
+ '404':
+ description: User not found
+ /v4/users/{user_id}/groups:
+ get:
+ tags:
+ - users
+ summary: List groups a user is member of
+ description: List groups a user is member of
+ operationId: groups
+ parameters:
+ - name: user_id
+ in: path
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: List of user groups
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/GroupList'
+ '500':
+ description: Internal error
+ /v4/users/{user_id}/passkeys/login_finish:
+ post:
+ tags:
+ - passkey
+ summary: Finish passkey auth
+ description: Finish passkey login
+ operationId: login_finish
+ requestBody:
+ content:
+ application/json:
+ schema: {}
+ required: true
+ responses: {}
+ /v4/users/{user_id}/passkeys/login_start:
+ post:
+ tags:
+ - passkey
+ summary: Start passkey authentication
+ description: Start passkey authentication
+ operationId: login_start
+ responses: {}
+ /v4/users/{user_id}/passkeys/register_finish:
+ post:
+ tags:
+ - passkey
+ summary: Finish passkey registration
+ description: Finish passkey registration
+ operationId: register_finish
+ requestBody:
+ content:
+ application/json:
+ schema: {}
+ required: true
+ responses: {}
+ /v4/users/{user_id}/passkeys/register_start:
+ post:
+ tags:
+ - passkey
+ summary: Start passkey registration
+ description: Start passkey registration
+ operationId: register_start
+ responses: {}
+components:
+ schemas:
+ Assignment:
+ type: object
+ required:
+ - role
+ - scope
+ properties:
+ group:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Group'
+ role:
+ $ref: '#/components/schemas/Role'
+ description: Role ID
+ scope:
+ $ref: '#/components/schemas/Scope'
+ user:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/User'
+ AssignmentList:
+ type: object
+ description: Assignments
+ required:
+ - role_assignments
+ properties:
+ role_assignments:
+ type: array
+ items:
+ $ref: '#/components/schemas/Assignment'
+ description: Collection of role assignment objects
+ AuthCallbackParameters:
+ type: object
+ description: Authentication callback request the user is sending to complete the authentication request
+ required:
+ - state
+ - code
+ properties:
+ code:
+ type: string
+ description: Authorization code.
+ state:
+ type: string
+ description: Authentication state.
+ AuthRequest:
+ type: object
+ description: An authentication request.
+ required:
+ - auth
+ properties:
+ auth:
+ $ref: '#/components/schemas/AuthRequestInner'
+ description: An identity object.
+ AuthRequestInner:
+ type: object
+ description: An authentication request.
+ required:
+ - identity
+ properties:
+ identity:
+ $ref: '#/components/schemas/Identity'
+ description: An identity object.
+ scope:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Scope'
+ description: |-
+ The authorization scope, including the system (Since v3.10), a project, or a domain (Since
+ v3.4). If multiple scopes are specified in the same request (e.g. project and domain or
+ domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be
+ simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely
+ identify a project but if a project is specified by name, then the domain of the project
+ must also be specified in order to uniquely identify the project by name. A domain scope
+ may be specified by either the domain’s ID or name with equivalent results.
+ Catalog:
+ type: array
+ items:
+ $ref: '#/components/schemas/CatalogService'
+ description: A catalog object
+ CatalogService:
+ type: object
+ description: A catalog object
+ required:
+ - id
+ - endpoints
+ properties:
+ endpoints:
+ type: array
+ items:
+ $ref: '#/components/schemas/Endpoint'
+ id:
+ type: string
+ name:
+ type:
+ - string
+ - 'null'
+ type:
+ type:
+ - string
+ - 'null'
+ Domain:
+ type: object
+ description: Domain information
+ properties:
+ id:
+ type:
+ - string
+ - 'null'
+ description: Domain ID
+ name:
+ type:
+ - string
+ - 'null'
+ description: Domain Name
+ Endpoint:
+ type: object
+ description: A Catalog Endpoint
+ required:
+ - id
+ - url
+ - interface
+ properties:
+ id:
+ type: string
+ interface:
+ type: string
+ region:
+ type:
+ - string
+ - 'null'
+ region_id:
+ type:
+ - string
+ - 'null'
+ url:
+ type: string
+ Group:
+ allOf:
+ - {}
+ - type: object
+ required:
+ - id
+ - domain_id
+ - name
+ properties:
+ description:
+ type:
+ - string
+ - 'null'
+ description: Group description
+ domain_id:
+ type: string
+ description: Group domain ID
+ id:
+ type: string
+ description: Group ID
+ name:
+ type: string
+ description: Group name
+ GroupCreate:
+ allOf:
+ - {}
+ - type: object
+ required:
+ - domain_id
+ - name
+ properties:
+ description:
+ type:
+ - string
+ - 'null'
+ description: Group description
+ domain_id:
+ type: string
+ description: Group domain ID
+ name:
+ type: string
+ description: Group name
+ GroupCreateRequest:
+ type: object
+ required:
+ - group
+ properties:
+ group:
+ $ref: '#/components/schemas/GroupCreate'
+ description: Group object
+ GroupList:
+ type: object
+ description: Groups
+ required:
+ - groups
+ properties:
+ groups:
+ type: array
+ items:
+ $ref: '#/components/schemas/Group'
+ description: Collection of group objects
+ GroupResponse:
+ type: object
+ required:
+ - group
+ properties:
+ group:
+ $ref: '#/components/schemas/Group'
+ description: group object
+ Identity:
+ type: object
+ description: An identity object.
+ required:
+ - methods
+ properties:
+ methods:
+ type: array
+ items:
+ type: string
+ description: The authentication method. For password authentication, specify password.
+ password:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/PasswordAuth'
+ description: The password object, contains the authentication information.
+ token:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/TokenAuth'
+ description: The token object, contains the authentication information.
+ IdentityProvider:
+ type: object
+ description: Identity provider data
+ required:
+ - id
+ - name
+ properties:
+ bound_issuer:
+ type:
+ - string
+ - 'null'
+ default_mapping_name:
+ type:
+ - string
+ - 'null'
+ domain_id:
+ type:
+ - string
+ - 'null'
+ id:
+ type: string
+ jwks_url:
+ type:
+ - string
+ - 'null'
+ description: URL to fetch JsonWebKeySet.
+ jwt_validation_pubkeys:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ name:
+ type: string
+ oidc_client_id:
+ type:
+ - string
+ - 'null'
+ oidc_discovery_url:
+ type:
+ - string
+ - 'null'
+ oidc_response_mode:
+ type:
+ - string
+ - 'null'
+ oidc_response_types:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ provider_config: {}
+ IdentityProviderAuthRequest:
+ type: object
+ description: Request for initializing the federated authentication
+ required:
+ - redirect_uri
+ properties:
+ mapping_id:
+ type:
+ - string
+ - 'null'
+ description: IDP mapping id
+ mapping_name:
+ type:
+ - string
+ - 'null'
+ description: IDP mapping name
+ redirect_uri:
+ type: string
+ description: Redirect URI to include in the auth request
+ scope:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Scope'
+ description: Authentication scope
+ IdentityProviderAuthResponse:
+ type: object
+ description: Authentication initialization response
+ required:
+ - auth_url
+ properties:
+ auth_url:
+ type: string
+ description: Url the client must open in the browser to continue the authentication
+ IdentityProviderCreate:
+ type: object
+ description: Identity provider data
+ required:
+ - name
+ properties:
+ bound_issuer:
+ type:
+ - string
+ - 'null'
+ description: Bound issuer
+ default_mapping_name:
+ type:
+ - string
+ - 'null'
+ description: Default mapping name that should be used by default
+ domain_id:
+ type:
+ - string
+ - 'null'
+ description: Identity provider domain.
+ jwks_url:
+ type:
+ - string
+ - 'null'
+ description: |-
+ Optional URL to fetch JsonWebKeySet. Must be specified for JWT authentication when
+ discovery for the provider is not available or not standard compliant.
+ jwt_validation_pubkeys:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: JWT validation public keys
+ name:
+ type: string
+ description: Identity provider name.
+ oidc_client_id:
+ type:
+ - string
+ - 'null'
+ description: OIDC/OAuth2 Client id
+ oidc_client_secret:
+ type:
+ - string
+ - 'null'
+ description: OIDC/OAuth2 Client secret
+ oidc_discovery_url:
+ type:
+ - string
+ - 'null'
+ description: OIDC/OAuth2 discovery url
+ oidc_response_mode:
+ type:
+ - string
+ - 'null'
+ description: OIDC response more
+ oidc_response_types:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: OIDC response types
+ provider_config:
+ description: Additional special provider specific configuration
+ IdentityProviderCreateRequest:
+ type: object
+ description: Identity provider create request
+ required:
+ - identity_provider
+ properties:
+ identity_provider:
+ $ref: '#/components/schemas/IdentityProviderCreate'
+ description: Identity provider object
+ IdentityProviderList:
+ type: object
+ description: List of Identity Providers
+ required:
+ - identity_providers
+ properties:
+ identity_providers:
+ type: array
+ items:
+ $ref: '#/components/schemas/IdentityProvider'
+ description: Collection of identity provider objects
+ IdentityProviderResponse:
+ type: object
+ description: Identity provider response
+ required:
+ - identity_provider
+ properties:
+ identity_provider:
+ $ref: '#/components/schemas/IdentityProvider'
+ description: IDP object
+ IdentityProviderUpdate:
+ type: object
+ description: Identity provider data
+ properties:
+ bound_issuer:
+ type:
+ - string
+ - 'null'
+ default_mapping_name:
+ type:
+ - string
+ - 'null'
+ jwks_url:
+ type:
+ - string
+ - 'null'
+ description: |-
+ Optional URL to fetch JsonWebKeySet. Must be specified for JWT authentication when
+ discovery for the provider is not available or not standard compliant.
+ jwt_validation_pubkeys:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ name:
+ type:
+ - string
+ - 'null'
+ oidc_client_id:
+ type:
+ - string
+ - 'null'
+ oidc_client_secret:
+ type:
+ - string
+ - 'null'
+ oidc_discovery_url:
+ type:
+ - string
+ - 'null'
+ oidc_response_mode:
+ type:
+ - string
+ - 'null'
+ oidc_response_types:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ provider_config: {}
+ IdentityProviderUpdateRequest:
+ type: object
+ description: Identity provider update request
+ required:
+ - identity_provider
+ properties:
+ identity_provider:
+ $ref: '#/components/schemas/IdentityProviderUpdate'
+ description: Identity provider object
+ Link:
+ type: object
+ required:
+ - rel
+ - href
+ properties:
+ href:
+ type: string
+ rel:
+ type: string
+ Mapping:
+ type: object
+ description: OIDC/JWT mapping data.
+ required:
+ - id
+ - name
+ - idp_id
+ - type
+ - user_id_claim
+ - user_name_claim
+ properties:
+ allowed_redirect_uris:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of allowed redirect urls (only for `oidc` type).
+ bound_audiences:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of audiences that must be present in the token.
+ bound_claims:
+ description: Additional claims that must be present in the token.
+ bound_subject:
+ type:
+ - string
+ - 'null'
+ description: Token subject value that must be set in the token.
+ domain_id:
+ type:
+ - string
+ - 'null'
+ description: |-
+ `domain_id` owning the attribute mapping.
+
+ Unset `domain_id` means the attribute mapping is shared and can be used by different
+ domains. This requires `domain_id_claim` to be present. Attribute mapping can be only
+ shared when the referred identity provider is also shared (does not set the `domain_id`
+ attribute).
+ domain_id_claim:
+ type:
+ - string
+ - 'null'
+ description: '`domain_id` claim name.'
+ groups_claim:
+ type:
+ - string
+ - 'null'
+ description: '`groups` claim name.'
+ id:
+ type: string
+ description: Attribute mapping ID for federated logins.
+ idp_id:
+ type: string
+ description: ID of the federated identity provider for which this attribute mapping can be used.
+ name:
+ type: string
+ description: Attribute mapping name for federated logins.
+ oidc_scopes:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of OIDC scopes.
+ token_project_id:
+ type:
+ - string
+ - 'null'
+ description: Fixed project_id for the token.
+ token_role_ids:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of fixed roles that would be included in the token.
+ token_user_id:
+ type:
+ - string
+ - 'null'
+ description: Fixed user_id for which the keystone token would be issued.
+ type:
+ $ref: '#/components/schemas/MappingType'
+ description: Attribute mapping type ([oidc, jwt]).
+ user_id_claim:
+ type: string
+ description: '`user_id` claim name.'
+ user_name_claim:
+ type: string
+ description: '`user_name` claim name.'
+ MappingCreate:
+ type: object
+ description: OIDC/JWT attribute mapping create data.
+ required:
+ - name
+ - idp_id
+ - user_id_claim
+ - user_name_claim
+ properties:
+ allowed_redirect_uris:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of allowed redirect urls (only for `oidc` type).
+ bound_audiences:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of audiences that must be present in the token.
+ bound_claims:
+ description: Additional claims that must be present in the token.
+ bound_subject:
+ type:
+ - string
+ - 'null'
+ description: Token subject value that must be set in the token.
+ domain_id:
+ type:
+ - string
+ - 'null'
+ description: |-
+ `domain_id` owning the attribute mapping.
+
+ Unset `domain_id` means the attribute mapping is shared and can be used by different
+ domains. This requires `domain_id_claim` to be present. Attribute mapping can be only
+ shared when the referred identity provider is also shared (does not set the `domain_id`
+ attribute).
+ domain_id_claim:
+ type:
+ - string
+ - 'null'
+ description: '`domain_id` claim name.'
+ groups_claim:
+ type:
+ - string
+ - 'null'
+ description: '`groups` claim name.'
+ id:
+ type:
+ - string
+ - 'null'
+ description: Attribute mapping ID for federated logins.
+ idp_id:
+ type: string
+ description: ID of the federated identity provider for which this attribute mapping can be used.
+ name:
+ type: string
+ description: Attribute mapping name for federated logins.
+ oidc_scopes:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of OIDC scopes.
+ token_project_id:
+ type:
+ - string
+ - 'null'
+ description: Fixed project_id for the token.
+ token_role_ids:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of fixed roles that would be included in the token.
+ token_user_id:
+ type:
+ - string
+ - 'null'
+ description: Fixed user_id for which the keystone token would be issued.
+ type:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/MappingType'
+ description: Attribute mapping type ([oidc, jwt]).
+ user_id_claim:
+ type: string
+ description: '`user_id` claim name.'
+ user_name_claim:
+ type: string
+ description: '`user_name` claim name.'
+ MappingCreateRequest:
+ type: object
+ description: OIDC/JWT attribute mapping create request.
+ required:
+ - mapping
+ properties:
+ mapping:
+ $ref: '#/components/schemas/MappingCreate'
+ description: Mapping object
+ MappingList:
+ type: object
+ description: List of OIDC/JWT attribute mappings.
+ required:
+ - mappings
+ properties:
+ mappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/Mapping'
+ description: Collection of identity provider objects
+ MappingResponse:
+ type: object
+ required:
+ - mapping
+ properties:
+ mapping:
+ $ref: '#/components/schemas/Mapping'
+ description: IDP object
+ MappingType:
+ type: string
+ description: Attribute mapping type.
+ enum:
+ - oidc
+ - jwt
+ MappingUpdate:
+ type: object
+ description: OIDC/JWT attribute mapping update data.
+ properties:
+ allowed_redirect_uris:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of allowed redirect urls (only for `oidc` type).
+ bound_audiences:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of audiences that must be present in the token.
+ bound_claims:
+ description: Additional claims that must be present in the token.
+ bound_subject:
+ type:
+ - string
+ - 'null'
+ description: Token subject value that must be set in the token.
+ domain_id:
+ type:
+ - string
+ - 'null'
+ description: |-
+ `domain_id` owning the attribute mapping.
+
+ Unset `domain_id` means the attribute mapping is shared and can be used by different
+ domains. This requires `domain_id_claim` to be present. Attribute mapping can be only
+ shared when the referred identity provider is also shared (does not set the `domain_id`
+ attribute).
+ domain_id_claim:
+ type:
+ - string
+ - 'null'
+ groups_claim:
+ type:
+ - string
+ - 'null'
+ description: '`groups` claim name.'
+ idp_id:
+ type:
+ - string
+ - 'null'
+ description: ID of the federated identity provider for which this attribute mapping can be used.
+ name:
+ type:
+ - string
+ - 'null'
+ description: Attribute mapping name for federated logins.
+ oidc_scopes:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of OIDC scopes.
+ token_project_id:
+ type:
+ - string
+ - 'null'
+ description: Fixed project_id for the token.
+ token_role_ids:
+ type:
+ - array
+ - 'null'
+ items:
+ type: string
+ description: List of fixed roles that would be included in the token.
+ token_user_id:
+ type:
+ - string
+ - 'null'
+ description: Fixed user_id for which the keystone token would be issued.
+ type:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/MappingType'
+ description: Attribute mapping type ([oidc, jwt]).
+ user_id_claim:
+ type:
+ - string
+ - 'null'
+ description: '`user_id` claim name.'
+ user_name_claim:
+ type:
+ - string
+ - 'null'
+ description: '`user_name` claim name.'
+ MappingUpdateRequest:
+ type: object
+ description: OIDC/JWT attribute mapping update request.
+ required:
+ - mapping
+ properties:
+ mapping:
+ $ref: '#/components/schemas/MappingUpdate'
+ description: Mapping object
+ MediaType:
+ type: object
+ required:
+ - base
+ - type
+ properties:
+ base:
+ type: string
+ type:
+ type: string
+ PasswordAuth:
+ type: object
+ description: The password object, contains the authentication information.
+ required:
+ - user
+ properties:
+ user:
+ $ref: '#/components/schemas/UserPassword'
+ description: A user object.
+ Project:
+ type: object
+ description: Project information
+ required:
+ - id
+ - name
+ - domain
+ properties:
+ domain:
+ $ref: '#/components/schemas/Domain'
+ description: project domain
+ id:
+ type: string
+ description: Project ID
+ name:
+ type: string
+ description: Project Name
+ ProjectScope:
+ type: object
+ description: Project scope information
+ properties:
+ domain:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Domain'
+ description: project domain
+ id:
+ type:
+ - string
+ - 'null'
+ description: Project ID
+ name:
+ type:
+ - string
+ - 'null'
+ description: Project Name
+ Role:
+ allOf:
+ - {}
+ - type: object
+ required:
+ - id
+ - name
+ properties:
+ description:
+ type:
+ - string
+ - 'null'
+ description: Role description
+ domain_id:
+ type:
+ - string
+ - 'null'
+ description: Role domain ID
+ id:
+ type: string
+ description: Role ID
+ name:
+ type: string
+ description: Role name
+ RoleList:
+ type: object
+ description: Roles
+ required:
+ - roles
+ properties:
+ roles:
+ type: array
+ items:
+ $ref: '#/components/schemas/Role'
+ description: Collection of role objects
+ RoleResponse:
+ type: object
+ required:
+ - role
+ properties:
+ role:
+ $ref: '#/components/schemas/Role'
+ description: Role object
+ Scope:
+ oneOf:
+ - type: object
+ description: Project scope
+ required:
+ - project
+ properties:
+ project:
+ $ref: '#/components/schemas/ProjectScope'
+ description: Project scope
+ - type: object
+ description: Domain scope
+ required:
+ - domain
+ properties:
+ domain:
+ $ref: '#/components/schemas/Domain'
+ description: Domain scope
+ - type: object
+ description: System scope
+ required:
+ - system
+ properties:
+ system:
+ $ref: '#/components/schemas/System'
+ description: System scope
+ description: |-
+ The authorization scope, including the system (Since v3.10), a project, or a domain (Since
+ v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain
+ and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously
+ scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project
+ but if a project is specified by name, then the domain of the project must also be specified in
+ order to uniquely identify the project by name. A domain scope may be specified by either the
+ domain’s ID or name with equivalent results.
+ SingleVersion:
+ type: object
+ required:
+ - version
+ properties:
+ version:
+ $ref: '#/components/schemas/Version'
+ System:
+ type: object
+ description: System scope
+ properties:
+ all:
+ type:
+ - boolean
+ - 'null'
+ description: system scope
+ Token:
+ type: object
+ description: Authorization token
+ required:
+ - audit_ids
+ - methods
+ - expires_at
+ - user
+ properties:
+ audit_ids:
+ type: array
+ items:
+ type: string
+ description: |-
+ A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe
+ string that you can use to track a token. The first audit ID is the current audit ID for
+ the token. The second audit ID is present for only re-scoped tokens and is the audit ID
+ from the token before it was re-scoped. A re- scoped token is one that was exchanged for
+ another token of the same or different scope. You can use these audit IDs to track the use
+ of a token or chain of tokens across multiple requests and endpoints without exposing the
+ token ID to non-privileged users.
+ catalog:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Catalog'
+ description: A catalog object.
+ domain:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Domain'
+ description: |-
+ A domain object including the id and name representing the domain the token is scoped to.
+ This is only included in tokens that are scoped to a domain.
+ expires_at:
+ type: string
+ format: date-time
+ description: The date and time when the token expires.
+ methods:
+ type: array
+ items:
+ type: string
+ description: |-
+ The authentication methods, which are commonly password, token, or other methods. Indicates
+ the accumulated set of authentication methods that were used to obtain the token. For
+ example, if the token was obtained by password authentication, it contains password. Later,
+ if the token is exchanged by using the token authentication method one or more times, the
+ subsequently created tokens contain both password and token in their methods attribute.
+ Unlike multi-factor authentication, the methods attribute merely indicates the methods that
+ were used to authenticate the user in exchange for a token. The client is responsible for
+ determining the total number of authentication factors.
+ project:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Project'
+ description: |-
+ A project object including the id, name and domain object representing the project the
+ token is scoped to. This is only included in tokens that are scoped to a project.
+ roles:
+ type:
+ - array
+ - 'null'
+ items:
+ $ref: '#/components/schemas/Role'
+ description: A list of role objects
+ user:
+ $ref: '#/components/schemas/User'
+ description: A user object.
+ TokenAuth:
+ type: object
+ description: The token object, contains the authentication information.
+ required:
+ - id
+ properties:
+ id:
+ type: string
+ description: An authentication token.
+ TokenResponse:
+ type: object
+ required:
+ - token
+ properties:
+ token:
+ $ref: '#/components/schemas/Token'
+ description: Token
+ User:
+ type: object
+ description: User information
+ required:
+ - id
+ - domain
+ properties:
+ domain:
+ $ref: '#/components/schemas/Domain'
+ description: User domain
+ id:
+ type: string
+ description: User ID
+ name:
+ type:
+ - string
+ - 'null'
+ description: User Name
+ password_expires_at:
+ type:
+ - string
+ - 'null'
+ format: date-time
+ description: User password expiry date
+ UserCreate:
+ allOf:
+ - description: Additional user properties
+ - type: object
+ required:
+ - domain_id
+ - name
+ properties:
+ default_project_id:
+ type:
+ - string
+ - 'null'
+ description: |-
+ The ID of the default project for the user. A user’s default project must not be a domain.
+ Setting this attribute does not grant any actual authorization on the project, and is
+ merely provided for convenience. Therefore, the referenced project does not need to exist
+ within the user domain. (Since v3.1) If the user does not have authorization to their
+ default project, the default project is ignored at token creation. (Since v3.1)
+ Additionally, if your default project is not valid, a token is issued without an explicit
+ scope of authorization.
+ domain_id:
+ type: string
+ description: User domain ID
+ enabled:
+ type:
+ - boolean
+ - 'null'
+ description: If the user is enabled, this value is true. If the user is disabled, this value is false.
+ name:
+ type: string
+ description: The user name. Must be unique within the owning domain.
+ options:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/UserOptions'
+ description: |-
+ The resource options for the user. Available resource options are
+ ignore_change_password_upon_first_use, ignore_password_expiry,
+ ignore_lockout_failure_attempts, lock_password, multi_factor_auth_enabled, and
+ multi_factor_auth_rules ignore_user_inactivity.
+ password:
+ type:
+ - string
+ - 'null'
+ description: The password for the user.
+ UserCreateRequest:
+ type: object
+ required:
+ - user
+ properties:
+ user:
+ $ref: '#/components/schemas/UserCreate'
+ description: User object
+ UserList:
+ type: object
+ description: Users
+ required:
+ - users
+ properties:
+ users:
+ type: array
+ items:
+ $ref: '#/components/schemas/User'
+ description: Collection of user objects
+ UserOptions:
+ type: object
+ properties:
+ ignore_change_password_upon_first_use:
+ type:
+ - boolean
+ - 'null'
+ ignore_lockout_failure_attempts:
+ type:
+ - boolean
+ - 'null'
+ ignore_password_expiry:
+ type:
+ - boolean
+ - 'null'
+ ignore_user_inactivity:
+ type:
+ - boolean
+ - 'null'
+ lock_password:
+ type:
+ - boolean
+ - 'null'
+ multi_factor_auth_enabled:
+ type:
+ - boolean
+ - 'null'
+ multi_factor_auth_rules:
+ type:
+ - array
+ - 'null'
+ items:
+ type: array
+ items:
+ type: string
+ UserPassword:
+ type: object
+ description: User password information
+ required:
+ - password
+ properties:
+ domain:
+ oneOf:
+ - type: 'null'
+ - $ref: '#/components/schemas/Domain'
+ description: User domain
+ id:
+ type:
+ - string
+ - 'null'
+ description: User ID
+ name:
+ type:
+ - string
+ - 'null'
+ description: User Name
+ password:
+ type: string
+ description: User password expiry date
+ UserResponse:
+ type: object
+ required:
+ - user
+ properties:
+ user:
+ $ref: '#/components/schemas/User'
+ description: User object
+ Values:
+ type: object
+ required:
+ - values
+ properties:
+ values:
+ type: array
+ items:
+ $ref: '#/components/schemas/Version'
+ Version:
+ type: object
+ required:
+ - id
+ - status
+ properties:
+ id:
+ type: string
+ links:
+ type:
+ - array
+ - 'null'
+ items:
+ $ref: '#/components/schemas/Link'
+ media_types:
+ type:
+ - array
+ - 'null'
+ items:
+ $ref: '#/components/schemas/MediaType'
+ status:
+ $ref: '#/components/schemas/VersionStatus'
+ updated:
+ type:
+ - string
+ - 'null'
+ format: date-time
+ VersionStatus:
+ type: string
+ enum:
+ - stable
+ - experimental
+ Versions:
+ type: object
+ required:
+ - versions
+ properties:
+ versions:
+ $ref: '#/components/schemas/Values'
+ securitySchemes:
+ jwt:
+ type: http
+ scheme: bearer
+ bearerFormat: JWT
+ description: JWT (ID) Token issued by the federated IDP
+ oauth2:
+ type: oauth2
+ flows:
+ authorizationCode:
+ authorizationUrl: https://localhost/authorization/token
+ tokenUrl: https://localhost/token/url
+ scopes:
+ openid: default scope
+ x-auth:
+ type: apiKey
+ in: header
+ name: x-auth-token
+tags:
+- name: identity_providers
+ description: |
+ Identity providers API.
+
+ Identity provider resource allows to federate users from an external Identity Provider (i.e.
+ Keycloak, Azure AD, etc.).
+
+ Using the Identity provider requires creation of the mapping, which describes how to map attributes
+ of the remote Idp to local users.
+
+ Identity provider with an empty domain_id are considered globals and every domain may use it with
+ appropriate mapping.
+- name: mappings
+ description: |
+ Federation mappings API.
+
+ Mappings define how the user attributes on the remote IDP are mapped to the local user.
+
+ Mappings with an empty domain_id are considered globals and every domain may use it. Such mappings
+ require the `domain_id_claim` attribute to be set to identify the domain_id for the respective
+ user.
diff --git a/doc/src/swagger-ui.html b/doc/src/swagger-ui.html
new file mode 100644
index 00000000..b49ce3c5
--- /dev/null
+++ b/doc/src/swagger-ui.html
@@ -0,0 +1,22 @@
+
+
+
+
+ Swagger UI
+
+
+
+
+
+
+
+