package
0.0.1
Repository: https://github.com/deepzz0/oidc.git
Documentation: pkg.go.dev

# Functions

IsExtensionGrants reports whether the GrantType is an extension grant.
IsValidDisplay reports whether the display option is valid.
IsValidPrompt reports whether the prompt option is valid.
NewResponse output.
OutputHTML encodes the Response to HTML and writes to the http.ResponseWriter.
OutputJSON encodes the Response to JSON and writes to the http.ResponseWriter.

# Constants

Claims that are asserted by a Claims Provider other than the OpenID Provider but are returned by OpenID Provider.
Claims that are asserted by a Claims Provider other than the OpenID Provider but are returned as references by the OpenID Provider.
Claims that are directly asserted by the OpenID Provider.
A native application is a public client installed and executed on the device used by the resource owner.
A user-agent-based application is a public client in which the client code is downloaded from a web server and executes within a user-agent (e.g., web browser) on the device used by the resource owner.
A web application is a confidential client running on a web server.
The value of the "client_assertion" parameter contains a single JWT.
The value of the "client_assertion" parameter MUST contain a single SAML 2.0 Assertion.
The Client does not authenticate itself at the Token Endpoint, either because it uses only the Implicit Flow (and so does not use the Token Endpoint) or because it is a Public Client with no Client Secret or other authentication mechanism.
Clients that have registered a public key sign a JWT using that key.
Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] using the HTTP Basic authentication scheme.
Clients that have received a client_secret value from the Authorization Server create a JWT using an HMAC SHA algorithm, such as HMAC SHA-256.
Clients that have received a client_secret value from the Authorization Server, authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in the request body.
Indicates that client authentication to the authorization server will occur using mutual TLS with the client utilizing a self-signed certificate.
https://www.rfc-editor.org/rfc/rfc8705.html Indicates that client authentication to the authorization server will occur with mutual TLS utilizing the PKI method of associating a certificate to a client.
Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
code_verifier.
BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).
The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view.
The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window.
The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
"authorization_code" used for the Token Request in the Authorization Code Flow.
"client_credentials" used for the Token Request in the Client Credentials Flow.
GrantTypeDeviceCode "urn:ietf:params:oauth:grant-type:device_code" used for the Device Code Grant https://datatracker.ietf.org/doc/html/rfc8628.
"implicit" used for the Token Request in the Implicit Flow, not real.
GrantTypeBearer "urn:ietf:params:oauth:grant-type:jwt-bearer" used for the JWT Authorization Grant https://www.rfc-editor.org/rfc/rfc7523.
"password" used for the Token Request in the Password Flow.
"refresh_token" used for the Token Request in the Refresh Token Flow.
GrantTypeSAML2Bearer "urn:ietf:params:oauth:grant-type:saml2-bearer" used for OAuth SAML2 https://www.rfc-editor.org/rfc/rfc7522.html.
GrantTypeTokenExchange "urn:ietf:params:oauth:grant-type:token-exchange" used for the OAuth Token Exchange Grant https://oauth.net/2/token-exchange/.
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
The Authorization Server SHOULD prompt the End-User for reauthentication.
The Authorization Server MUST NOT display any authentication or consent user interface pages.
The Authorization Server SHOULD prompt the End-User to select a user account.
In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format.
In this mode, Authorization Response parameters are encoded in the fragment added to the redirect_uri when redirecting back to the Client.
In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client.
This specification defines a new response mode for RFC6749 that uses HTML5 Web Messaging (a.k.a window.postMessage()) instead of the redirect for the Authorization Response from the Authorization Endpoint.
"code" for requesting an authorization code.
Response type list. The following table lists the correspondence between response_type values that the Client will use and grant_type values that MUST be included in the registered grant_types list: code: authorization_code; id_token: implicit; token id_token: implicit; code id_token: authorization_code, implicit; code token: authorization_code, implicit; code token id_token: authorization_code, implicit.
"device" is custom response_type for Device Code Flow.
"id_token" for requesting an OIDC ID Token on OAuth2 https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#id_token.
The Response Type none SHOULD NOT be combined with other Response Types.
"token" for requesting an access token (implicit grant).
OPTIONAL.
This (optional) scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).
scope list.
This provides a different sub value to each Client, so as not to enable Clients to correlate the End-User's activities without permission.
This provides the same sub (subject) value to all Clients.
https://www.rfc-editor.org/rfc/rfc8693.html#name-token-type-identifiers.
An access token as defined in [RFC6749], Section 1.4.
refresh_token: A refresh token as defined in [RFC6749], Section 1.5.
Token type list.
https://www.rfc-editor.org/rfc/rfc7519.html.

# Variables

CheckSessionIframe check session endpoint iframe.
DefaultExpirations default expirations.
error code list.
Device Access Token Response https://datatracker.ietf.org/doc/html/rfc8628#section-3.5.
Authentication Error Response https://openid.net/specs/openid-connect-core-1_0.html#AuthError.
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/22/.
https://www.rfc-editor.org/rfc/rfc6750.html#section-3.1.
https://www.rfc-editor.org/rfc/rfc8707.html#name-resource-parameter.
ErrNotFoundEntity not found object.
https://www.rfc-editor.org/rfc/rfc9200.html#section-5.8.3.
https://www.rfc-editor.org/rfc/rfc7009.html#section-2.2.1.

# Structs

AccessData access data.
AccessRequest is a request for access tokens.
Address The Address Claim represents a physical mailing address.
AuthorizeData authorize data.
AuthorizeRequest An Authentication Request is an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.
CheckSessionRequest check_session_iframe endpoint.
Configuration see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata and https://www.rfc-editor.org/rfc/rfc8414 See example: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse.
EndSessionRequest end_session endpoint.
Error OAuth2 error codes.
Expirations settings expiration.
GrantAuthorizationCodeRequest authorization_code.
GrantClientCredentialsRequest client_credentials.
GrantDeviceCodeRequest urn:ietf:params:oauth:grant-type:device_code.
GrantImplicitRequest implicit.
GrantJwtBearerRequest urn:ietf:params:oauth:grant-type:jwt-bearer.
GrantPasswordRequest password.
GrantRefreshTokenRequest refresh_token.
GrantSaml2BearerRequest urn:ietf:params:oauth:grant-type:saml2-bearer.
GrantTokenExchangeRequest urn:ietf:params:oauth:grant-type:token-exchange.
IDToken The primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated is the ID Token data structure.
Response response for request.
RevocationRequest revocation endpoint.
UserInfo This specification defines a set of standard Claims.
UserInfoRequest userinfo request.

# Interfaces

Client OAuth2/OIDC client.
Session session manager.
Storage store interface.

# Type aliases

ClaimType the Claim Types that the OpenID Provider supports.
ClientAppType OAuth2 has been designed around the following client profiles.
ClientAssertionType client authentication, the client uses the following parameter values and encodings.
ClientAuthMethod This section defines a set of Client Authentication methods that are used by Clients to authenticate to the Authorization Server when using the Token Endpoint.
ClientType OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials) https://www.rfc-editor.org/rfc/rfc6749#section-2.1.
CodeChallengeMethod proof key for code exchange method.
CustomClaims alias jwt.MapClaims.
Display specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
GrantType grant access type.
Locales locale tag.
Prompt Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
ResponseMode Informs the Authorization Server of the mechanism to be used for returning Authorization Response parameters from the Authorization Endpoint.
ResponseType authorization endpoint is used by the authorization code grant type and implicit grant type flows. If an authorization request is missing the "response_type" parameter, or if the response type is not understood, the authorization server MUST return an error response as described in Section 4.1.2.1.
Scope OpenID Connect Clients use scope values, as defined in Section 3.3 of OAuth 2.0 [RFC6749], to specify what access privileges are being requested for Access Tokens.
SpaceDelimitedArr space delimited string.
SubjectType A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
TokenType grant token type.
TokenTypeHint A hint about the type of the token submitted for revocation.