{
  "openapi": "3.0.1",
  "info": {
    "title": "Entrust Identity as a Service Authentication API",
    "contact": {
      "name": "Entrust Identity as a Service",
      "url": "https://www.entrust.com/",
      "email": "support@entrust.com"
    },
    "version": "5.45"
  },
  "servers": [
    {
      "url": "https://customer.region.trustedauth.com"
    }
  ],
  "tags": [
    {
      "name": "Authentication",
      "description": "Authentication controllers"
    },
    {
      "name": "Authentication Self Admin",
      "description": "Authentication Self Admin Controllers"
    }
  ],
  "paths": {
    "/api/web/v1/authentication/logout": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Remove User Session",
        "operationId": "logoutUsingPOST",
        "parameters": [
          {
            "name": "Authorization",
            "in": "header",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful"
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v1/authentication/users/authenticate/{authenticator}/complete": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Authenticate User Challenge",
        "operationId": "userAuthenticateUsingPOST",
        "parameters": [
          {
            "name": "authenticator",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          },
          {
            "name": "Authorization",
            "in": "header",
            "required": false,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UserAuthenticateParameters"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Authenticators retrieved successfully",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AuthenticatedResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v1/self/fidotokens": {
      "get": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Start FIDO token registration for the current user.",
        "operationId": "startFIDORegisterUsingGET",
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FIDORegisterChallenge"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "post": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Complete FIDO token registration for the current user.",
        "operationId": "completeFIDORegisterUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/FIDORegisterResponse"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FIDOToken"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      }
    },
    "/api/web/v1/self/fidotokens/{fidoid}": {
      "get": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Get a FIDO token for the current user.",
        "operationId": "getSelfFIDOTokenUsingGET",
        "parameters": [
          {
            "name": "fidoid",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FIDOToken"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "put": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Update a FIDO token from the current user.",
        "operationId": "updateSelfFIDOTokenUsingPUT",
        "parameters": [
          {
            "name": "fidoid",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/FIDOTokenParms"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Successful"
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "delete": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Delete a FIDO token from the current user.",
        "operationId": "deleteSelfFIDOTokenUsingDELETE",
        "parameters": [
          {
            "name": "fidoid",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful"
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      }
    },
    "/api/web/v1/self/tokens/offline": {
      "post": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Get Offline Token Responses",
        "operationId": "getOfflineTokenResponsesUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/GetOfflineTokenAuthenticateParms"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/OfflineTokenAuthenticateResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v1/self/values": {
      "get": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Get User Values",
        "operationId": "selfGetUserValuesUsingGET",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/UserClientValue"
                  }
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          },
          "401": {
            "description": "Authorization information is missing or invalid",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "put": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Update to delete User Values",
        "operationId": "selfDeleteUserValuesUsingPUT",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "array",
                "description": "An array of string names for the user name value pairs which is to be deleted. When the array is empty, the user values field will be reset to empty",
                "items": {
                  "type": "string"
                }
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/UserClientValue"
                  }
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          },
          "401": {
            "description": "Authorization information is missing or invalid",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "post": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Set or update User Values",
        "operationId": "selfSetUserValuesUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "array",
                "description": "An array of user client value objects which is to be added or updated.",
                "items": {
                  "$ref": "#/components/schemas/UserClientValue"
                }
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "OK"
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          },
          "401": {
            "description": "Authorization information is missing or invalid",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      }
    },
    "/api/web/v2/authentication/users": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Query User Authenticators",
        "operationId": "userAuthenticatorQueryUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UserAuthenticateQueryParameters"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Authenticators retrieved successfully",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/UserAuthenticateQueryResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v2/authentication/users/authenticate/{authenticator}": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Request User Challenge",
        "operationId": "userChallengeUsingPOST",
        "parameters": [
          {
            "name": "authenticator",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UserChallengeParameters"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Authenticators retrieved successfully",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AuthenticatedResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "AuthenticatedResponse": {
        "type": "object",
        "properties": {
          "authenticationCompleted": {
            "type": "boolean",
            "description": "Flag to indicate if authentication has successfully completed."
          },
          "authenticatorResponse": {
            "type": "string",
            "description": "The authenticator response for MSCHAPv2",
            "format": "byte"
          },
          "deviceCertAuthDesired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to attempt device certificate authentication."
          },
          "expires": {
            "type": "integer",
            "description": "Expiry time of token.",
            "format": "int64"
          },
          "faceChallenge": {
            "$ref": "#/components/schemas/FaceChallenge"
          },
          "fidoChallenge": {
            "$ref": "#/components/schemas/FIDOChallenge"
          },
          "firstName": {
            "type": "string",
            "description": "First Name."
          },
          "gridChallenge": {
            "$ref": "#/components/schemas/GridChallenge"
          },
          "kbaChallenge": {
            "$ref": "#/components/schemas/KbaChallenge"
          },
          "lastName": {
            "type": "string",
            "description": "Last Name."
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "magicLinkType": {
            "type": "string",
            "description": "The type of Magic Link being used."
          },
          "offlineTokenResponses": {
            "$ref": "#/components/schemas/OfflineTokenAuthenticateResponse"
          },
          "organizations": {
            "type": "array",
            "description": "A list of the user organizations.",
            "items": {
              "$ref": "#/components/schemas/Organization"
            }
          },
          "otpdeliveryType": {
            "type": "string",
            "description": "The OTP delivery type used.",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "passthroughAuthenticationResponse": {
            "$ref": "#/components/schemas/PassthroughAuthenticationResponse"
          },
          "passwordChallenge": {
            "$ref": "#/components/schemas/PasswordChallenge"
          },
          "pushMutualChallenge": {
            "type": "string",
            "description": "Push authentication mutual challenge."
          },
          "redirectUrl": {
            "type": "string",
            "description": "The redirect URL when using a Magic Link."
          },
          "smartLoginChallenge": {
            "type": "string",
            "description": "For a SMART_LOGIN authenticator challenge, provides the challenge."
          },
          "status": {
            "type": "string",
            "description": "Status of authenticator. This is not a required API field if Mobile Smart Credential or Token Push authentication is being used.",
            "enum": [
              "CONFIRM",
              "CONCERN",
              "CANCEL",
              "NO_RESPONSE"
            ]
          },
          "stepUpAuthExpiry": {
            "type": "integer",
            "description": "The timeout for step-up authentication",
            "format": "int64"
          },
          "tempAccessCodeChallenge": {
            "$ref": "#/components/schemas/TempAccessCodeChallenge"
          },
          "time": {
            "type": "integer",
            "format": "int64"
          },
          "token": {
            "type": "string",
            "description": "Authenticated/unauthenticated authorization token."
          },
          "tokenChallenge": {
            "$ref": "#/components/schemas/TokenChallenge"
          },
          "tokenDetails": {
            "type": "array",
            "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.",
            "items": {
              "type": "string",
              "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate."
            }
          },
          "tokenPushMutualChallenge": {
            "type": "string",
            "description": "The token push authentication mutual challenge.",
            "deprecated": true
          },
          "transactionReceipt": {
            "$ref": "#/components/schemas/TransactionReceipt"
          },
          "userCertificateChallenge": {
            "$ref": "#/components/schemas/UserCertificateChallenge"
          },
          "userId": {
            "type": "string",
            "description": "The User ID of the Identity as a Service user that completed authentication."
          },
          "userMachineSettings": {
            "$ref": "#/components/schemas/UserMachineSettings"
          },
          "userRegistrationRequired": {
            "type": "boolean",
            "description": "Whether the user still requires registration."
          },
          "userVerificationRequired": {
            "type": "boolean",
            "description": "Whether the user still requires verification."
          }
        },
        "description": "Response associated with an authentication request."
      },
      "CHAPResponse": {
        "type": "object"
      },
      "Error": {
        "required": [
          "code",
          "message"
        ],
        "type": "object",
        "properties": {
          "code": {
            "type": "string",
            "description": "The server error code"
          },
          "message": {
            "type": "string",
            "description": "A human-readable representation of the error"
          },
          "target": {
            "type": "string",
            "description": "The target of the error"
          }
        }
      },
      "ErrorInfo": {
        "type": "object",
        "properties": {
          "errorCode": {
            "type": "string",
            "description": "Error Codes specific to cause of failure.",
            "example": "invalid_user_response"
          },
          "errorMessage": {
            "type": "string",
            "description": "Additional Error Message describing the error.",
            "example": "Application id cannot be null"
          },
          "parameters": {
            "type": "array",
            "description": "Optional additional error information.",
            "items": {
              "type": "object",
              "description": "Optional additional error information."
            }
          }
        },
        "description": "Object containing information about errors reported by services."
      },
      "FIDOChallenge": {
        "required": [
          "challenge",
          "timeout",
          "timeoutMillis"
        ],
        "type": "object",
        "properties": {
          "allowCredentials": {
            "type": "array",
            "description": "The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded.",
            "items": {
              "type": "string",
              "description": "The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded."
            }
          },
          "challenge": {
            "type": "string",
            "description": "A random challenge. It is a base-64 encoded value."
          },
          "timeout": {
            "type": "integer",
            "description": "The number of seconds that the client will wait for the FIDO token to respond. This field is deprecated, use 'timeoutMillis' instead.",
            "format": "int32",
            "deprecated": true
          },
          "timeoutMillis": {
            "type": "integer",
            "description": "The number of milliseconds that the client will wait for the FIDO token to respond.",
            "format": "int32"
          }
        },
        "description": "If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication."
      },
      "FIDORegisterChallenge": {
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "The registration challenge generated by Identity as a Service.  This is a base-64 encoded value."
          },
          "registeredCredentials": {
            "type": "array",
            "description": "The IDs of FIDO tokens already registered to this user.  These values are base-64 encoded.",
            "items": {
              "type": "string",
              "description": "The IDs of FIDO tokens already registered to this user.  These values are base-64 encoded."
            }
          },
          "registeredCredentialsNames": {
            "type": "array",
            "description": "The names of FIDO tokens already registered to this user.",
            "items": {
              "type": "string",
              "description": "The names of FIDO tokens already registered to this user."
            }
          },
          "registrationAuthenticatorAttachment": {
            "type": "string",
            "description": "Should the token be embedded on the device or stored externally?",
            "enum": [
              "EITHER",
              "PLATFORM",
              "CROSS_PLATFORM"
            ]
          },
          "registrationRequireResidentKey": {
            "type": "string",
            "description": "Should the User ID be stored on the Passkey/FIDO2 token?",
            "enum": [
              "DISCOURAGED",
              "PREFERRED",
              "REQUIRED"
            ]
          },
          "registrationUserVerification": {
            "type": "string",
            "description": "Should the token perform user verification?",
            "enum": [
              "DISCOURAGED",
              "PREFERRED",
              "REQUIRED"
            ]
          },
          "rpName": {
            "type": "string",
            "description": "The name of this relying party.  This is the name of the Identity as a Service account."
          },
          "timeout": {
            "type": "integer",
            "description": "The number of seconds that the client will wait for the FIDO token to respond. This field is deprecated, use 'timeoutMillis' instead.",
            "format": "int32",
            "deprecated": true
          },
          "timeoutMillis": {
            "type": "integer",
            "description": "The time in milliseconds that the client will wait for the FIDO token to respond.",
            "format": "int32"
          },
          "userDisplayName": {
            "type": "string",
            "description": "The display name of this user. It will be 'firstname lastname' of the user"
          },
          "userId": {
            "type": "string",
            "description": "The id of this user. It will be UUID of the user base-64 encoded."
          },
          "userName": {
            "type": "string",
            "description": "The name of this user. It will be the userId of the user."
          }
        },
        "description": "A FIDORegisterChallenge defines the information returned when a user starts to register a FIDO token."
      },
      "FIDORegisterResponse": {
        "type": "object",
        "properties": {
          "attestationObject": {
            "type": "string",
            "description": "The FIDO attestationObject data returned from the FIDO token.  This is a base-64 encoded value."
          },
          "clientDataJSON": {
            "type": "string",
            "description": "The FIDO clientData returned from the FIDO token.  This is a base-64 encoded value."
          },
          "name": {
            "type": "string",
            "description": "The name for the new FIDO token."
          },
          "userIdStored": {
            "type": "boolean",
            "description": "Flag indicating if the userId was stored on the registered FIDO2 token.  Defaults to false if not set.",
            "deprecated": true
          }
        },
        "description": "FIDORegisterResponse defines the information returned from a FIDO token to complete registration."
      },
      "FIDOResponse": {
        "required": [
          "authenticatorData",
          "clientDataJSON",
          "credentialId",
          "signature"
        ],
        "type": "object",
        "properties": {
          "authenticatorData": {
            "type": "string",
            "description": "Authenticator Data returned from the token."
          },
          "clientDataJSON": {
            "type": "string",
            "description": "Data about the token used to authenticate."
          },
          "credentialId": {
            "type": "string",
            "description": "The ID of the token used to authenticate."
          },
          "signature": {
            "type": "string",
            "description": "The authentication signature generated by the token."
          },
          "userHandle": {
            "type": "string",
            "description": "The UUID of the user logging in."
          }
        },
        "description": "The values returned from a FIDO token when performing an authentication."
      },
      "FIDOToken": {
        "type": "object",
        "properties": {
          "allowedActions": {
            "type": "array",
            "description": "Administration actions that can be performed on this FIDO token.",
            "items": {
              "type": "string",
              "description": "Administration actions that can be performed on this FIDO token.",
              "enum": [
                "DELETE",
                "ENABLE",
                "DISABLE",
                "RENAME"
              ]
            }
          },
          "createDate": {
            "type": "string",
            "description": "The date on which the FIDO token was created.",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "id": {
            "type": "string",
            "description": "The unique UUID assigned to the fido token when it is registered."
          },
          "lastUsedDate": {
            "type": "string",
            "description": "The date on which this FIDO token was last used for authentication. This value will be null if the FIDO token has never been used.",
            "format": "date-time",
            "example": "2019-02-21T11:37:27Z"
          },
          "name": {
            "type": "string",
            "description": "The name of this FIDO token."
          },
          "origin": {
            "type": "string",
            "description": "The origin of where the FIDO token was generated."
          },
          "relyingPartyId": {
            "type": "string",
            "description": "The relying party ID of where the FIDO token was generated."
          },
          "state": {
            "type": "string",
            "description": "The state of this FIDO token.  Only FIDO tokens in the ACTIVE state can be used for authentication.",
            "enum": [
              "ACTIVE",
              "INACTIVE"
            ]
          },
          "userId": {
            "type": "string",
            "description": "The user Id of the user who owns this FIDO token."
          },
          "userIdStored": {
            "type": "boolean",
            "description": "Indicates if the userId was stored on the FIDO token."
          },
          "userUUID": {
            "type": "string",
            "description": "The UUID of the user who owns this FIDO token."
          }
        },
        "description": "A FIDOToken defines the information returned about a FIDO Token."
      },
      "FIDOTokenParms": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The name of this FIDO token."
          },
          "state": {
            "type": "string",
            "description": "The state of this FIDO token.  Only FIDO tokens in the ACTIVE state can be used for authentication.",
            "enum": [
              "ACTIVE",
              "INACTIVE"
            ]
          }
        },
        "description": "The parameters specifying what is to be changed."
      },
      "FaceChallenge": {
        "type": "object",
        "properties": {
          "device": {
            "type": "string",
            "description": "Which device to use for registration and authentication.",
            "enum": [
              "WEB",
              "MOBILE"
            ]
          },
          "id": {
            "type": "string",
            "description": "The ID of the Face Biometric to get."
          },
          "qrCode": {
            "type": "string",
            "description": "QR Code to use to launch the mobile flow."
          },
          "sdkToken": {
            "type": "string",
            "description": "The SDK token generated for the user."
          },
          "workflowRunId": {
            "type": "string",
            "description": "Workflow run ID to use for the user."
          }
        },
        "description": "Parameters returned to initialize a Face Biometric authenticator."
      },
      "GetOfflineTokenAuthenticateParms": {
        "required": [
          "applicationId",
          "tokenProtectedOfflineParms",
          "tokenSerialNumber"
        ],
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string"
          },
          "tokenProtectedOfflineParms": {
            "$ref": "#/components/schemas/TokenProtectedOfflineParms"
          },
          "tokenSerialNumber": {
            "type": "string"
          }
        },
        "description": "Information used to get offline responses for a token assigned to a user."
      },
      "GridChallenge": {
        "required": [
          "challenge",
          "gridInfo",
          "numCharsPerCell"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "array",
            "description": "The grid challenge specifies a list of grid cells that the user must answer in their challenge.",
            "items": {
              "$ref": "#/components/schemas/GridChallengeCell"
            }
          },
          "gridInfo": {
            "type": "array",
            "description": "The grid details.",
            "items": {
              "$ref": "#/components/schemas/GridInfo"
            }
          },
          "numCharsPerCell": {
            "type": "integer",
            "description": "The numCharsPerCell value specifies the number of characters expected in the response for each cell as defined by current settings.",
            "format": "int32"
          }
        },
        "description": "If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer."
      },
      "GridChallengeCell": {
        "required": [
          "column",
          "row"
        ],
        "type": "object",
        "properties": {
          "column": {
            "type": "integer",
            "description": "The column within the grid starting at 0.",
            "format": "int32"
          },
          "row": {
            "type": "integer",
            "description": "The row within the grid starting at 0.",
            "format": "int32"
          }
        },
        "description": "A GridChallengeCell specifies one cell in a grid by its row and column coordinates.  Normally a grid challenge cell is displayed using letters for the column and numbers for the row.  For example, a cell with the value 0,0 will be displayed as A1."
      },
      "GridInfo": {
        "required": [
          "serialNumber"
        ],
        "type": "object",
        "properties": {
          "expiryDate": {
            "type": "string",
            "description": "The expiry date of the grid. Null value indicates the grid will never expire.",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "serialNumber": {
            "type": "string",
            "description": "The serial number of the grid that can be used to answer this challenge."
          }
        },
        "description": "Details about the grid."
      },
      "KbaChallenge": {
        "required": [
          "userQuestions"
        ],
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "userQuestions": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/UserQuestion"
            }
          }
        },
        "description": "Knowledge-based authenticator required for authentication to Identity as a Service"
      },
      "MSCHAPv1Response": {
        "required": [
          "challenge",
          "response"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "The MSCHAPv1 challenge.",
            "format": "byte"
          },
          "response": {
            "type": "string",
            "description": "The MSCHAPv1 response.",
            "format": "byte"
          }
        },
        "description": "A MSCHAPv1Response specifies the values included in an MSCHAPv1 encoded authentication response."
      },
      "MSCHAPv2Response": {
        "required": [
          "challenge",
          "identifier",
          "peerChallenge",
          "response",
          "userId"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "The MSCHAPv2 challenge.",
            "format": "byte"
          },
          "identifier": {
            "type": "integer",
            "description": "The MSCHAPv2 identifier.",
            "format": "int32"
          },
          "peerChallenge": {
            "type": "string",
            "description": "The MSCHAPv2 peer challenge.",
            "format": "byte"
          },
          "response": {
            "type": "string",
            "description": "The MSCHAPv2 response.",
            "format": "byte"
          },
          "userId": {
            "type": "string",
            "description": "The MSCHAPv2 userId.  This must be the exact same value used to calculate the MSCHAPv2 response. It will normally be the same as the userId value passed to the authentication method but allows for differences between the two values. For example, an alias may have been passed to the authentication method but the actual userid was used to calculate the MSCHAPv2 response."
          }
        },
        "description": "A MSCHAPv2Response specifies the values included in an MSCHAPv2 encoded authentication response."
      },
      "MachineAuthenticator": {
        "type": "object",
        "properties": {
          "fingerprint": {
            "type": "string",
            "description": "The device fingerprint if it's required during Machine authentication. It will always be null when returned from IDaaS as part of the response body.",
            "example": "{\"platform\":\"web\",\"version\":\"2.0.0\",\"attributes\":{\"osName\":\"Mac OS\"}}"
          },
          "machineNonce": {
            "type": "string",
            "description": "machineNonce",
            "example": "07ZeToA3YfoATTxoU6h2x=="
          },
          "sequenceNonce": {
            "type": "string",
            "description": "sequenceNonce",
            "example": "03ReToA37851tyVU8f3y=="
          }
        },
        "description": "Machine authenticator required to complete authentication challenge"
      },
      "MachineAuthenticatorRegistration": {
        "required": [
          "label"
        ],
        "type": "object",
        "properties": {
          "fingerprint": {
            "type": "string",
            "description": "The device fingerprint. It must be a valid fingerprint as produced by Entrust SDK.",
            "example": "{\"platform\":\"web\",\"version\":\"2.0.0\",\"attributes\":{\"osName\":\"Mac OS\"}}"
          },
          "label": {
            "type": "string",
            "description": "Identifies the device/machine from the end-user point of view.",
            "example": "MachineAuthenticatorLabel"
          }
        },
        "description": "Register a machine authenticator for authentication to Identity as a Service"
      },
      "OTPContactValue": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the attribute.",
            "example": "alternativeEmail"
          },
          "type": {
            "type": "string",
            "description": "Type of the OTP delivery attribute.",
            "example": "EMAIL",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "value": {
            "type": "string",
            "description": "Masked attribute value.",
            "example": "*******@mycompany.com"
          }
        },
        "description": "OTPContactValue"
      },
      "OTPDetails": {
        "type": "object",
        "properties": {
          "availableOTPDelivery": {
            "type": "array",
            "description": "The available delivery types.",
            "items": {
              "type": "string",
              "description": "The available delivery types.",
              "enum": [
                "EMAIL",
                "SMS",
                "VOICE",
                "WECHAT",
                "WHATSAPP"
              ]
            }
          },
          "otpContactValues": {
            "type": "array",
            "description": "The available OTP contact values types.",
            "items": {
              "$ref": "#/components/schemas/OTPContactValue"
            }
          },
          "otpDefaultDelivery": {
            "type": "string",
            "description": "The default delivery type.",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "otpDeliveryAttribute": {
            "type": "string",
            "description": "The name of default OTP delivery attribute.",
            "example": "Alternative Email"
          }
        },
        "description": "OTPDetails"
      },
      "OfflineTokenAuthenticateResponse": {
        "type": "object",
        "properties": {
          "firstMovingFactor": {
            "type": "integer",
            "description": "This is the moving factor index for the first hashed OTP returned. In the case of time-based tokens, it represents time step, otherwise it represents the value of the counter.",
            "format": "int64"
          },
          "iterations": {
            "type": "integer",
            "description": "The number of iterations of the hash function to be performed.",
            "format": "int32"
          },
          "maxSizeInUnits": {
            "type": "integer",
            "description": "This is the policy-configured maximum number (hours or counters)",
            "format": "int32"
          },
          "maxTimeSteps": {
            "type": "integer",
            "description": "This is the max number of time steps used to validate a token.",
            "format": "int32"
          },
          "minorSizeInUnits": {
            "type": "integer",
            "description": "This is the policy-configured recommended number (hours or counters)",
            "format": "int32"
          },
          "otps": {
            "type": "string",
            "description": "An array of all of the OTPs returned in the batch, each with its public component of the salt."
          },
          "privateSaltLength": {
            "type": "integer",
            "description": "The number of digits in the private part of the salt that the client must guess.",
            "format": "int32"
          },
          "resultOptimized": {
            "type": "boolean",
            "description": "Flag indicating if the set of OTP hashes returned was optimized so that OTPs which have already been downloaded in prior requests, but that have no yet expired, are not sent again."
          },
          "timeDrift": {
            "type": "integer",
            "description": "This is the token time drift in seconds. This applies only to time-based tokens.",
            "format": "int32"
          },
          "timeInterval": {
            "type": "integer",
            "description": "If this contains a positive value then this batch is for time-based tokens, otherwise it is for event based tokens.",
            "format": "int32"
          },
          "tokenSerialNumber": {
            "type": "string",
            "description": "The serial number of the token for which offline tokens are generated."
          },
          "useSecret": {
            "type": "string",
            "description": "The secret the client should use when requesting the next batch of protected offline OTPs.",
            "format": "byte"
          }
        },
        "description": "Used to return batches of protected OTPs for a given token"
      },
      "Organization": {
        "required": [
          "displayName",
          "id",
          "name"
        ],
        "type": "object",
        "properties": {
          "description": {
            "type": "string",
            "description": "The description of the organization."
          },
          "displayName": {
            "type": "string",
            "description": "The display name of the organization."
          },
          "id": {
            "type": "string",
            "description": "The unique UUID assigned to the organization when it is created."
          },
          "logoUri": {
            "type": "string",
            "description": "The URI of the logo to display when showing organizations.",
            "example": "https://account.mycompany.com/images/logo.png"
          },
          "name": {
            "type": "string",
            "description": "The name of the organization."
          }
        },
        "description": "Organization defines the attributes of an organization used in B2B scenarios."
      },
      "PassthroughAuthenticationResponse": {
        "type": "object",
        "properties": {
          "passthroughAuthenticationResultItems": {
            "type": "array",
            "description": "Passthrough authentication result items.",
            "items": {
              "$ref": "#/components/schemas/PassthroughAuthenticationResultItems"
            }
          }
        },
        "description": "Passthrough authenticator response."
      },
      "PassthroughAuthenticationResultItems": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The name of the result item."
          },
          "value": {
            "type": "string",
            "description": "The value of the result item."
          }
        },
        "description": "Passthrough authentication result items."
      },
      "PassthroughAuthenticatorParms": {
        "type": "object",
        "properties": {
          "passthroughAuthenticatorPlaceholders": {
            "type": "array",
            "description": "The list of placeholders.",
            "items": {
              "$ref": "#/components/schemas/PassthroughAuthenticatorPlaceholder"
            }
          }
        },
        "description": "Passthrough authenticator parameters"
      },
      "PassthroughAuthenticatorPlaceholder": {
        "required": [
          "name",
          "value"
        ],
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The placeholder name."
          },
          "value": {
            "type": "string",
            "description": "The placeholder value."
          }
        },
        "description": "Passthrough authenticator placeholder"
      },
      "PasswordChallenge": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "namedPasswordId": {
            "type": "string"
          }
        }
      },
      "RequestDetail": {
        "type": "object",
        "properties": {
          "browser": {
            "type": "string",
            "description": "The browser associated with the request.",
            "example": "Chrome 67.0.3396.99"
          },
          "os": {
            "type": "string",
            "description": "The OS associated with the request.",
            "example": "Windows 8.1"
          }
        },
        "description": "Request detail items."
      },
      "TempAccessCodeChallenge": {
        "type": "object",
        "properties": {
          "adminContact": {
            "type": "string",
            "description": "An optional admin contact value (like an admin email address or phone number) to be displayed in the admin contact message."
          },
          "enableAdminContact": {
            "type": "boolean",
            "description": "Indicates if the admin contact message should be displayed for this challenge."
          }
        },
        "description": "Information about the temporary access code settings."
      },
      "TokenChallenge": {
        "required": [
          "token"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "For TOKENCR authentication, the challenge that must be entered into the token. Will be null for TOKEN and TOKENPUSH authentication."
          },
          "token": {
            "type": "array",
            "description": "The token challenge contains a list of TokenInfo objects for each of the tokens that can be used to authenticate. In the case of an offline QR code challenge, a TokenInfo object includes the QR code.",
            "items": {
              "$ref": "#/components/schemas/TokenInfo"
            }
          }
        },
        "description": "If the authentication challenge is of offline token, the TokenChallenge object will contain the QR codes can be scanned by the mobile app."
      },
      "TokenInfo": {
        "type": "object",
        "properties": {
          "label": {
            "type": "string",
            "description": "Optional label to identify an assigned token: a String up to 100 characters.",
            "example": "PENDING"
          },
          "qrCode": {
            "type": "string",
            "description": "The base-64 encoded QR code. This QR code can be scanned by the Entrust Identity mobile application to perform activation in the case of an offline QR code challenge."
          },
          "qrCodeUrl": {
            "type": "string",
            "description": "The URL based QR code string. In the case of an offline QR code challenge, this string can be used to generated the base-64 encoded QR code."
          },
          "serialNumber": {
            "type": "string",
            "description": "The serial number of the token."
          }
        },
        "description": "A TokenInfo specifies one token that can be used to authenticate with a token serial number, a base-64 QR code string and a url based QR code string."
      },
      "TokenProtectedOfflineParms": {
        "type": "object",
        "properties": {
          "tokenProtectedOfflineOTPClientName": {
            "type": "string",
            "description": "The name sent by the client."
          },
          "tokenProtectedOfflineOTPClientSecret": {
            "type": "string",
            "description": "One or several secrets sent by the client concatenated to a single array.",
            "format": "byte"
          },
          "tokenProtectedOfflineOTPDoNotOptimize": {
            "type": "boolean",
            "description": "Flag indicating whether the number of OTPs being returned needs to be optimized."
          },
          "tokenProtectedOfflineOTPGet": {
            "type": "string",
            "description": "The different levels of protection for offline tokens.",
            "enum": [
              "NONE",
              "MINOR",
              "MAJOR",
              "CUSTOM"
            ]
          },
          "tokenProtectedOfflineOTPSize": {
            "type": "integer",
            "description": "Request size (Units of hour or count).",
            "format": "int32"
          }
        },
        "description": "The model used to generate the offline token."
      },
      "TransactionDetail": {
        "type": "object",
        "properties": {
          "detail": {
            "type": "string",
            "description": "The transaction detail name.",
            "example": "Amount"
          },
          "usage": {
            "type": "array",
            "items": {
              "type": "string",
              "description": "The transaction detail usage. If not provided, the attribute supports all usages. RBA indicates that the detail is used for risk-based authentication; TVS indicates that the detail is used for transaction verification.",
              "example": "RBA",
              "enum": [
                "RBA",
                "TVS"
              ]
            }
          },
          "value": {
            "type": "string",
            "description": "The transaction detail value.",
            "example": "$10,001"
          }
        },
        "description": "Transaction detail item and its value used with push authenticators and with offline transaction verification."
      },
      "TransactionReceipt": {
        "type": "object",
        "properties": {
          "authenticationType": {
            "type": "string",
            "description": "The transaction authentication type.",
            "example": "OTP",
            "enum": [
              "OTP",
              "TOKEN"
            ]
          },
          "date": {
            "type": "string",
            "description": "The transaction date.",
            "format": "date-time",
            "example": "2020-02-01T12:13:24Z"
          },
          "details": {
            "type": "array",
            "description": "The transaction details.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "id": {
            "type": "string",
            "description": "The transaction id.",
            "example": "Qwpfsc6AmWU6GHkvRzIhew=="
          },
          "securityLevel": {
            "type": "string",
            "description": "The transaction authentication security level.",
            "example": "MEDIUM",
            "enum": [
              "LOW",
              "MEDIUM",
              "HIGH"
            ]
          },
          "userid": {
            "type": "string",
            "description": "The transaction user.",
            "example": "user1"
          }
        },
        "description": "Transaction Receipt item and its value used with push authenticators and with offline transaction verification."
      },
      "UserAuthenticateParameters": {
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string",
            "description": "Unique identifier of Identity as a Service Authentication API application.",
            "example": "6781549d-433c-44ea-a42f-4705c26f3245"
          },
          "applicationInfo": {
            "type": "string",
            "description": "Client provided information about the application that will be included in the authentication audits if provided."
          },
          "authRequestKey": {
            "type": "string",
            "description": "Unique identifier of the client authentication request in the OIDC application's JWT IDaaS grant type use case."
          },
          "cancel": {
            "type": "boolean",
            "description": "Cancel Identity as a Service authentication to the application",
            "example": false
          },
          "certificate": {
            "type": "string",
            "description": "The certificate with public key to verify signature."
          },
          "chapResponse": {
            "$ref": "#/components/schemas/CHAPResponse"
          },
          "clientIp": {
            "type": "string",
            "description": "Provided client IP address."
          },
          "enableWebSession": {
            "type": "boolean",
            "description": "If set to true, enhanced session protection is enabled for the auth token. An HTTP cookie named INTELLITRUST_SESSION_ID is returned with the response and must be returned in all subsequent requests using the auth token.",
            "example": false
          },
          "faceResponse": {
            "type": "string",
            "description": "For Face Biometric authentication, the workflow run id to check.",
            "deprecated": true
          },
          "fidoResponse": {
            "$ref": "#/components/schemas/FIDOResponse"
          },
          "ignoreIPAddressForRBA": {
            "type": "boolean",
            "description": "Setting defines if IP Address is ignored for RBA or not. Default value is false and will not ignore IP Address for RBA.",
            "example": false
          },
          "kbaChallenge": {
            "$ref": "#/components/schemas/KbaChallenge"
          },
          "locale": {
            "type": "string",
            "description": "The locale of this user.  If not set, the default account locale will be used.",
            "example": "en"
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "machineAuthenticatorRegistration": {
            "$ref": "#/components/schemas/MachineAuthenticatorRegistration"
          },
          "mschapV1Response": {
            "$ref": "#/components/schemas/MSCHAPv1Response"
          },
          "mschapV2Response": {
            "$ref": "#/components/schemas/MSCHAPv2Response"
          },
          "newPassword": {
            "type": "string",
            "description": "New password if change requested."
          },
          "offlineTVS": {
            "type": "boolean",
            "description": "A flag indicating if the offline QR code token verification is used.",
            "example": true
          },
          "origin": {
            "type": "string",
            "description": "The origin of the client. This field is deprecated, use rpId instead.",
            "example": "https://mycompany.example.com:443",
            "deprecated": true
          },
          "passthroughAuthenticatorParms": {
            "$ref": "#/components/schemas/PassthroughAuthenticatorParms"
          },
          "requestAcrs": {
            "type": "string",
            "description": "The request acrs."
          },
          "response": {
            "type": "string",
            "description": "API response based on Authenticator type. This is not a required field if Mobile Smart Credential, KBA, Token Push, Smart Login or Face Biometric authentication is being used.",
            "example": "7569582."
          },
          "rpId": {
            "type": "string",
            "description": "Specifies the domain name (relying party ID) of your application that the passkey is registered with. Provide the domain only (e.g., example.com), without the protocol (https://). Required if using a custom domain different from your IDaaS tenant’s hostname.",
            "example": "mycompany.example.com"
          },
          "secondFactorAuthenticator": {
            "type": "string",
            "description": "Authenticator type selected for second factor (if enabled).",
            "example": "OTP",
            "enum": [
              "MACHINE",
              "PASSWORD",
              "EXTERNAL",
              "KBA",
              "TEMP_ACCESS_CODE",
              "OTP",
              "GRID",
              "TOKEN",
              "TOKENCR",
              "TOKENPUSH",
              "FIDO",
              "SMARTCREDENTIALPUSH",
              "PASSWORD_AND_SECONDFACTOR",
              "SMART_LOGIN",
              "IDP",
              "PASSKEY",
              "IDP_AND_SECONDFACTOR",
              "USER_CERTIFICATE",
              "FACE",
              "PASSTHROUGH",
              "MAGICLINK"
            ]
          },
          "tokenProtectedOfflineParms": {
            "$ref": "#/components/schemas/TokenProtectedOfflineParms"
          },
          "transactionDetails": {
            "type": "array",
            "description": "Transaction Details.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "userCertificateResponse": {
            "$ref": "#/components/schemas/UserCertificateResponse"
          },
          "userId": {
            "type": "string",
            "description": "User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.",
            "example": "admin"
          }
        },
        "description": "Request parameters for completing authentication process."
      },
      "UserAuthenticateQueryParameters": {
        "required": [
          "applicationId",
          "userId"
        ],
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string",
            "description": "Unique identifier of the Identity as a Service Authentication API application",
            "example": "6781549d-433c-44ea-a42f-4705c26f3245"
          },
          "authRequestKey": {
            "type": "string",
            "description": "Unique identifier of the client authentication request in the OIDC application's JWT IDaaS grant type use case."
          },
          "authToken": {
            "type": "string",
            "description": "Authentication token."
          },
          "clientIp": {
            "type": "string",
            "description": "Provided client IP address."
          },
          "ignoreIPAddressForRBA": {
            "type": "boolean",
            "description": "Setting defines if IP Address is ignored for RBA or not. Default value is false and will not ignore IP Address for RBA.",
            "example": false
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "maxAge": {
            "type": "integer",
            "description": "Maximum Authentication Age. If an authentication token is supplied, the maximum authentication age used to determine whether authentication is required or not is based on the current system time or a supplied request time.",
            "format": "int32"
          },
          "offlineTVS": {
            "type": "boolean",
            "description": "A flag indicating if the offline QR code token verification is used. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": true
          },
          "origin": {
            "type": "string",
            "description": "The origin of the client. This field is deprecated, use rpId instead.",
            "example": "https://mycompany.example.com:443",
            "deprecated": true
          },
          "priority": {
            "type": "integer",
            "description": "The priority for push transactions where queuing is enabled. Default is 0 and allowed values are 0-9. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "format": "int32"
          },
          "pushMessageIdentifier": {
            "type": "string",
            "description": "Defines an identifier to retrieve customized SDK push message configuration. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": "generic"
          },
          "pushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if push mutual authentication is supported for tokens or Face Biometric. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": true
          },
          "requestAcrs": {
            "type": "string",
            "description": "The request acrs."
          },
          "requestDetail": {
            "$ref": "#/components/schemas/RequestDetail"
          },
          "requestTime": {
            "type": "integer",
            "description": "The request start time in milliseconds. If an authentication token and a maximum authentication age are supplied, determining whether authentication is required or not is based on the current system time if this value is not provided.",
            "format": "int64"
          },
          "returnDefaultChallenge": {
            "type": "boolean",
            "description": "Flag indicating whether the service should include in the response the default challenge.",
            "example": true
          },
          "rpId": {
            "type": "string",
            "description": "The Relying Party ID associated with the passkey. This identifies the domain or origin for which the passkey is registered. This field is mandatory if domain is outside of the IDaaS hostname.",
            "example": "mycompany.example.com"
          },
          "summary": {
            "type": "string",
            "description": "The push authentication challenge that appears in the user's mobile application. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": "You have requested to authenticate for a SAML Service Provider."
          },
          "supportChoosingOtpDelivery": {
            "type": "boolean",
            "description": "Deprecated: Clients who support choosing OTP delivery can still work without having to supply this flag. Flag indicating whether the client supports choosing the OTP delivery contact attribute. If the client doesn't support it and default OTP delivery is set to NONE, OTP won't be available as an authenticator.",
            "example": true,
            "deprecated": true
          },
          "tokenPushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if the token push mutual authentication is supported. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": true,
            "deprecated": true
          },
          "transactionDetails": {
            "type": "array",
            "description": "Transaction Details.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "userId": {
            "type": "string",
            "description": "User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.",
            "example": "user"
          }
        },
        "description": "Request parameters for starting user authentication process."
      },
      "UserAuthenticateQueryResponse": {
        "type": "object",
        "properties": {
          "authenticationCompleted": {
            "type": "boolean",
            "description": "Flag to indicate if access to the application is allowed with the current JWT."
          },
          "authenticationTypes": {
            "type": "array",
            "description": "List of authenticator types available for the user.",
            "items": {
              "type": "string",
              "description": "List of authenticator types available for the user.",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          },
          "authenticatorLockoutStatus": {
            "type": "array",
            "description": "A list of all authenticators that the user has with their lockout status.",
            "items": {
              "$ref": "#/components/schemas/UserAuthenticatorLockoutStatus"
            }
          },
          "availableSecondFactor": {
            "type": "array",
            "description": "Lists authenticator types available to complete second factor challenge (if enabled).",
            "items": {
              "type": "string",
              "description": "Lists authenticator types available to complete second factor challenge (if enabled).",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          },
          "deviceCertAuthDesired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to attempt device certificate authentication."
          },
          "expires": {
            "type": "integer",
            "format": "int64"
          },
          "fidoChallenge": {
            "$ref": "#/components/schemas/FIDOChallenge"
          },
          "gridChallenge": {
            "$ref": "#/components/schemas/GridChallenge"
          },
          "kbaChallenge": {
            "$ref": "#/components/schemas/KbaChallenge"
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "organizations": {
            "type": "array",
            "description": "A list of the user organizations.",
            "items": {
              "$ref": "#/components/schemas/Organization"
            }
          },
          "otpDeliveryInfo": {
            "$ref": "#/components/schemas/OTPDetails"
          },
          "otpDeliveryType": {
            "type": "string",
            "description": "The OTP delivery type used.",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "passwordChallenge": {
            "$ref": "#/components/schemas/PasswordChallenge"
          },
          "passwordResetAllowed": {
            "type": "boolean",
            "description": "Flag to indicate if the user can initiate a password reset flow."
          },
          "pushMutualChallenge": {
            "type": "string",
            "description": "Push authentication mutual challenge for token or Face Biometric."
          },
          "registrationRequired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to register authenticators."
          },
          "supportsSignature": {
            "type": "boolean",
            "description": "Flag to indicate if the user has a token that supports signature."
          },
          "tempAccessCodeChallenge": {
            "$ref": "#/components/schemas/TempAccessCodeChallenge"
          },
          "time": {
            "type": "integer",
            "format": "int64"
          },
          "token": {
            "type": "string"
          },
          "tokenChallenge": {
            "$ref": "#/components/schemas/TokenChallenge"
          },
          "tokenDetails": {
            "type": "array",
            "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.",
            "items": {
              "type": "string",
              "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate."
            }
          },
          "tokenPushMutualChallenge": {
            "type": "string",
            "description": "The token push authentication mutual challenge.",
            "deprecated": true
          },
          "userMachineSettings": {
            "$ref": "#/components/schemas/UserMachineSettings"
          },
          "verificationRequired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to verify."
          }
        },
        "description": "Response associated with user authentication query."
      },
      "UserAuthenticatorLockoutStatus": {
        "type": "object",
        "properties": {
          "lockoutDate": {
            "type": "string",
            "description": "The date the user was locked. Null means the user is not locked.",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "lockoutExpiryDate": {
            "type": "string",
            "description": "If remainingAuthenticationAttempts is 0, then a lockoutExpiryDate of null means the lockout never expires. Otherwise, a value of null means the user isn't locked out.",
            "format": "date-time",
            "example": "2019-02-20T13:15:27Z"
          },
          "name": {
            "type": "string",
            "description": "The user's named password authentication that is locked out."
          },
          "remainingAuthenticationAttempts": {
            "type": "integer",
            "description": "The number of authentication attempts remaining before the user is locked out.",
            "format": "int32"
          },
          "type": {
            "type": "string",
            "description": "The type of the authenticator.",
            "example": "OTP",
            "enum": [
              "MACHINE",
              "PASSWORD",
              "EXTERNAL",
              "KBA",
              "TEMP_ACCESS_CODE",
              "OTP",
              "GRID",
              "TOKEN",
              "TOKENCR",
              "TOKENPUSH",
              "FIDO",
              "SMARTCREDENTIALPUSH",
              "PASSWORD_AND_SECONDFACTOR",
              "SMART_LOGIN",
              "IDP",
              "PASSKEY",
              "IDP_AND_SECONDFACTOR",
              "USER_CERTIFICATE",
              "FACE",
              "PASSTHROUGH",
              "MAGICLINK"
            ]
          }
        },
        "description": "Detailed lockout information for each authenticator for a particular user."
      },
      "UserCertificateChallenge": {
        "required": [
          "challenge"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string"
          }
        },
        "description": "For a user certificate authenticator challenge, provides the challenge."
      },
      "UserCertificateResponse": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string"
          },
          "verifier": {
            "type": "string"
          }
        },
        "description": "For user certificate login"
      },
      "UserChallengeParameters": {
        "required": [
          "applicationId"
        ],
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string",
            "description": "Unique identifier of the Identity as a Service Authentication API application",
            "example": "6781549d-433c-44ea-a42f-4705c26f3245"
          },
          "authRequestKey": {
            "type": "string",
            "description": "Unique identifier of the client authentication request in the OIDC application's JWT IDaaS grant type use case."
          },
          "authToken": {
            "type": "string",
            "description": "Authentication token (Required if the call to userQuery returned an authenticated token)."
          },
          "clientIp": {
            "type": "string",
            "description": "Provided client IP address."
          },
          "ignoreIPAddressForRBA": {
            "type": "boolean",
            "description": "Setting defines if IP Address is ignored for RBA or not. Default value is false and will not ignore IP Address for RBA.",
            "example": false
          },
          "locale": {
            "type": "string",
            "description": "The locale of this user.  If not set, the default account locale will be used.",
            "example": "en"
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "offlineTVS": {
            "type": "boolean",
            "description": "A flag indicating if the offline QR code token verification is used.",
            "example": true
          },
          "origin": {
            "type": "string",
            "description": "The origin of the client. This field is deprecated, use rpId instead.",
            "example": "https://mycompany.example.com:443",
            "deprecated": true
          },
          "otpDeliveryAttribute": {
            "type": "string",
            "description": "OTP delivery attribute name.",
            "example": "Alternative Email"
          },
          "otpDeliveryType": {
            "type": "string",
            "description": "Defines how a user receives their one-time passcode (Email, Text message (SMS), or Voice message (VOICE))",
            "example": "EMAIL/SMS/VOICE",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "passthroughAuthenticatorParms": {
            "$ref": "#/components/schemas/PassthroughAuthenticatorParms"
          },
          "priority": {
            "type": "integer",
            "description": "The priority for push transactions where queuing is enabled. Default is 0 and allowed values are 0-9",
            "format": "int32"
          },
          "pushMessageIdentifier": {
            "type": "string",
            "description": "Defines an identifier to retrieve customized SDK push message configuration",
            "example": "generic"
          },
          "pushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if push mutual authentication is supported for tokens or Face Biometric",
            "example": true
          },
          "requestAcrs": {
            "type": "string",
            "description": "The request acrs."
          },
          "requestDetail": {
            "$ref": "#/components/schemas/RequestDetail"
          },
          "rpId": {
            "type": "string",
            "description": "Specifies the domain name (relying party ID) of your application that the passkey is registered with. Provide the domain only (e.g., example.com), without the protocol (https://). Required if using a custom domain different from your IDaaS tenant’s hostname.",
            "example": "mycompany.example.com"
          },
          "secondFactorAuthenticator": {
            "type": "string",
            "description": "Authenticator type selected for second factor (if enabled).",
            "example": "OTP",
            "enum": [
              "MACHINE",
              "PASSWORD",
              "EXTERNAL",
              "KBA",
              "TEMP_ACCESS_CODE",
              "OTP",
              "GRID",
              "TOKEN",
              "TOKENCR",
              "TOKENPUSH",
              "FIDO",
              "SMARTCREDENTIALPUSH",
              "PASSWORD_AND_SECONDFACTOR",
              "SMART_LOGIN",
              "IDP",
              "PASSKEY",
              "IDP_AND_SECONDFACTOR",
              "USER_CERTIFICATE",
              "FACE",
              "PASSTHROUGH",
              "MAGICLINK"
            ]
          },
          "summary": {
            "type": "string",
            "description": "The push authentication challenge that appears in the user's mobile application.",
            "example": "You have requested to authenticate for a SAML Service Provider."
          },
          "tokenPushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if the token push mutual authentication is supported",
            "example": true,
            "deprecated": true
          },
          "transactionDetails": {
            "type": "array",
            "description": "Defines transaction details to be included in the challenge",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "userId": {
            "type": "string",
            "description": "User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge. The userid is required for non-passwordless authenticators.",
            "example": "admin"
          }
        },
        "description": "Request parameters for obtaining a challenge."
      },
      "UserClientValue": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The name of the user value to be added or updated. When the corresponding self admin action completes, this is also returned in the response body as the name of a user value the user currently has, or of one remaining after deletion."
          },
          "value": {
            "type": "string",
            "description": "The value of the user value to be added or updated. When the corresponding self admin action completes, this is also returned in the response body as the value of a user value the user currently has, or of one remaining after deletion."
          }
        },
        "description": "The information of user client values"
      },
      "UserMachineAuthenticator": {
        "required": [
          "id",
          "label",
          "registrationTime"
        ],
        "type": "object",
        "properties": {
          "expiryTime": {
            "type": "string",
            "description": "When this machine secret expires in UTC time",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "id": {
            "type": "string",
            "description": "Identifies the device/machine"
          },
          "label": {
            "type": "string",
            "description": "Identifies the device/machine from the end-user point of view"
          },
          "lastUsedTime": {
            "type": "string",
            "description": "When this machine secret was last used",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "registrationTime": {
            "type": "string",
            "description": "When this machine secret was created in UTC time",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          }
        },
        "description": "UserMachineAuthenticator"
      },
      "UserMachineSettings": {
        "type": "object",
        "properties": {
          "attributeExclusions": {
            "type": "array",
            "description": "List of device fingerprinting attributes that should not be collected when a device fingerprint is captured.",
            "items": {
              "type": "string",
              "description": "List of device fingerprinting attributes that should not be collected when a device fingerprint is captured."
            }
          },
          "deviceFingerprintRequired": {
            "type": "boolean",
            "description": "Indicates whether a device fingerprint should be captured during machine registration or authentication"
          },
          "machineAuthenticatorEnabled": {
            "type": "boolean",
            "description": "machineAuthenticatorEnabled"
          },
          "userMachineAuthenticators": {
            "type": "array",
            "description": "List of Machine Authenticators that the user currently has--used to prevent duplicated labels.",
            "items": {
              "$ref": "#/components/schemas/UserMachineAuthenticator"
            }
          }
        },
        "description": "UserMachineSettings"
      },
      "UserQuestion": {
        "type": "object",
        "properties": {
          "answer": {
            "type": "string",
            "description": "The question's answer."
          },
          "id": {
            "type": "string",
            "description": "The UUID of the KBA question/answer."
          },
          "question": {
            "type": "string",
            "description": "The question."
          }
        },
        "description": "A KBA question/answer stored for a user."
      }
    },
    "securitySchemes": {
      "AdminAPIAuthentication": {
        "type": "apiKey",
        "name": "Authorization",
        "in": "header"
      }
    }
  }
}