Update oauth documentation to include returned scope
Add post response values Update password grant type to match oauth spec Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This commit is contained in:
		
							parent
							
								
									3fc4e4cdc8
								
							
						
					
					
						commit
						d51f76f903
					
				
					 1 changed files with 84 additions and 19 deletions
				
			
		|  | @ -27,7 +27,6 @@ inside the token will not be extracted and presented by clients. | ||||||
| POST /token | POST /token | ||||||
| 
 | 
 | ||||||
| #### Headers | #### Headers | ||||||
| Authorization headers |  | ||||||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | ||||||
| 
 | 
 | ||||||
| #### Post parameters | #### Post parameters | ||||||
|  | @ -39,10 +38,11 @@ Content-Type: application/x-www-form-urlencoded | ||||||
|     <dd> |     <dd> | ||||||
|         (REQUIRED) Type of grant used to get token. When getting a refresh token |         (REQUIRED) Type of grant used to get token. When getting a refresh token | ||||||
|         using credentials this type should be set to "password" and have the |         using credentials this type should be set to "password" and have the | ||||||
|         accompanying basic auth header. Type "authorization_code" is reserved |         accompanying username and password paramters. Type "authorization_code" | ||||||
|         for future use for authenticating to an authorization server without |         is reserved for future use for authenticating to an authorization server | ||||||
|         having to send credentials directly from the client. When requesting an |         without having to send credentials directly from the client. When | ||||||
|         access token with a refresh token this should be set to "refresh_token". |         requesting an access token with a refresh token this should be set to | ||||||
|  |         "refresh_token". | ||||||
|     </dd> |     </dd> | ||||||
|     <dt> |     <dt> | ||||||
|         <code>service</code> |         <code>service</code> | ||||||
|  | @ -66,10 +66,10 @@ Content-Type: application/x-www-form-urlencoded | ||||||
|         <code>access_type</code> |         <code>access_type</code> | ||||||
|     </dt> |     </dt> | ||||||
|     <dd> |     <dd> | ||||||
|         (OPTIONAL) Access which is being requested. If "offline" is provided then a refresh |         (OPTIONAL) Access which is being requested. If "offline" is provided | ||||||
|         token will be returned. Otherwise only a short lived access token will |         then a refresh token will be returned. The default is "online" only | ||||||
|         be returned. If the grant type is "refresh_token" this will only return |         returning short lived access token. If the grant type is "refresh_token" | ||||||
|         the same refresh token and not a new one. |         this will only return the same refresh token and not a new one. | ||||||
|     </dd> |     </dd> | ||||||
|     <dt> |     <dt> | ||||||
|         <code>scope</code> |         <code>scope</code> | ||||||
|  | @ -77,12 +77,15 @@ Content-Type: application/x-www-form-urlencoded | ||||||
|     <dd> |     <dd> | ||||||
|         (OPTIONAL) The resource in question, formatted as one of the space-delimited |         (OPTIONAL) The resource in question, formatted as one of the space-delimited | ||||||
|         entries from the <code>scope</code> parameters from the <code>WWW-Authenticate</code> header |         entries from the <code>scope</code> parameters from the <code>WWW-Authenticate</code> header | ||||||
|         shown above. This query parameter should be specified multiple times if |         shown above. This query parameter should only be specified once but may | ||||||
|         there is more than one <code>scope</code> entry from the <code>WWW-Authenticate</code> |         contain multiple scopes using the scope list format defined in the scope | ||||||
|         header. The above example would be specified as: |         grammar. If multiple <code>scope</code> is provided from | ||||||
|         <code>scope=repository:samalba/my-app:push</code>. When requesting a refresh |         <code>WWW-Authenticate</code> header the scopes should first be | ||||||
|         token the scopes may be empty since the refresh token will not be limited by |         converted to a scope list before requesting the token. The above example | ||||||
|         this scope, only the provided short lived access token. |         would be specified as: <code>scope=repository:samalba/my-app:push</code>. | ||||||
|  |         When requesting a refresh token the scopes may be empty since the | ||||||
|  |         refresh token will not be limited by this scope, only the provided short | ||||||
|  |         lived access token will have the scope limitation. | ||||||
|     </dd> |     </dd> | ||||||
|     <dt> |     <dt> | ||||||
|         <code>refresh_token</code> |         <code>refresh_token</code> | ||||||
|  | @ -90,22 +93,84 @@ Content-Type: application/x-www-form-urlencoded | ||||||
|     <dd> |     <dd> | ||||||
|         (OPTIONAL) The refresh token to use for authentication when grant type "refresh_token" is used. |         (OPTIONAL) The refresh token to use for authentication when grant type "refresh_token" is used. | ||||||
|     </dd> |     </dd> | ||||||
|  |     <dt> | ||||||
|  |         <code>username</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (OPTIONAL) The username to use for authentication when grant type "password" is used. | ||||||
|  |     </dd> | ||||||
|  |     <dt> | ||||||
|  |         <code>password</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (OPTIONAL) The password to use for authentication when grant type "password" is used. | ||||||
|  |     </dd> | ||||||
| </dl> | </dl> | ||||||
| 
 | 
 | ||||||
|  | #### Response fields | ||||||
|  | 
 | ||||||
|  | <dl> | ||||||
|  |     <dt> | ||||||
|  |         <code>access_token</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (REQUIRED) An opaque <code>Bearer</code> token that clients should | ||||||
|  |         supply to subsequent requests in the <code>Authorization</code> header. | ||||||
|  |         This token should not be attempted to be parsed or understood by the | ||||||
|  |         client but treated as opaque string. | ||||||
|  |     </dd> | ||||||
|  |     <dt> | ||||||
|  |         <code>scope</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (REQUIRED) The scope granted inside the access token. This may be the | ||||||
|  |         same scope as requested or a subset. This requirement is stronger than | ||||||
|  |         specified in [RFC6749 Section 4.2.2](https://tools.ietf.org/html/rfc6749#section-4.2.2) | ||||||
|  |         by strictly requiring the scope in the return value. | ||||||
|  |     </dd> | ||||||
|  |     <dt> | ||||||
|  |         <code>expires_in</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (REQUIRED) The duration in seconds since the token was issued that it | ||||||
|  |         will remain valid.  When omitted, this defaults to 60 seconds.  For | ||||||
|  |         compatibility with older clients, a token should never be returned with | ||||||
|  |         less than 60 seconds to live. | ||||||
|  |     </dd> | ||||||
|  |     <dt> | ||||||
|  |         <code>issued_at</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (Optional) The <a href="https://www.ietf.org/rfc/rfc3339.txt">RFC3339</a>-serialized UTC | ||||||
|  |         standard time at which a given token was issued. If <code>issued_at</code> is omitted, the | ||||||
|  |         expiration is from when the token exchange completed. | ||||||
|  |     </dd> | ||||||
|  |     <dt> | ||||||
|  |         <code>refresh_token</code> | ||||||
|  |     </dt> | ||||||
|  |     <dd> | ||||||
|  |         (Optional) Token which can be used to get additional access tokens for | ||||||
|  |         the same subject with different scopes. This token should be kept secure | ||||||
|  |         by the client and only sent to the authorization server which issues | ||||||
|  |         bearer tokens. This field will only be set when `access_type=offline` is | ||||||
|  |         provided in the request. | ||||||
|  |     </dd> | ||||||
|  | </dl> | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| #### Example getting refresh token | #### Example getting refresh token | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | ||||||
| Host: auth.docker.io | Host: auth.docker.io | ||||||
| Authorization: ... |  | ||||||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | ||||||
| 
 | 
 | ||||||
| grant_type=password&service=hub.docker.io&client_id=dockerengine&access_type=offline | grant_type=password&username=johndoe&password=A3ddj3w&service=hub.docker.io&client_id=dockerengine&access_type=offline | ||||||
| 
 | 
 | ||||||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | ||||||
| Content-Type: application/json | Content-Type: application/json | ||||||
| 
 | 
 | ||||||
| {"refresh_token":"xT2s5VFNrbzZTMVExUmpwWVRsSklPbFJMTmtnNlMxUkxOanBCUVV0VU1Ga3d","access_token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5UQTJNalV4T1RVMU5EWmFGdzB4TmpBMk1qUXhPVFUxTkRaYU1FWXhSREJDQmdOVkJBTVRPMGhHU1UwNldGZFZWam8yUVZkSU9sWlpUVEk2TTFnMVREcFNWREkxT2s5VFNrbzZTMVExUmpwWVRsSklPbFJMTmtnNlMxUkxOanBCUVV0VU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRXl2UzIvdEI3T3JlMkVxcGRDeFdtS1NqV1N2VmJ2TWUrWGVFTUNVMDByQjI0akNiUVhreFdmOSs0MUxQMlZNQ29BK0RMRkIwVjBGZGdwajlOWU5rL2pxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNBSUF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3U0VaSlRUcFlWMVZXT2paQlYwZzZWbGxOTWpveldEVk1PbEpVTWpVNlQxTktTanBMVkRWR09saE9Va2c2VkVzMlNEcExWRXMyT2tGQlMxUXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTXZiT2h4cHhrTktqSDRhMFBNS0lFdXRmTjZtRDFvMWs4ZEJOVGxuWVFudkFpRUF0YVJGSGJSR2o4ZlVSSzZ4UVJHRURvQm1ZZ3dZelR3Z3BMaGJBZzNOUmFvPSJdfQ.eyJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6ImRtY2dvd2FuL2hlbGxvLXdvcmxkIiwiYWN0aW9ucyI6WyJwdWxsIl19XSwiYXVkIjoicmVnaXN0cnkuZG9ja2VyLmlvIiwiZXhwIjoxNDU0NDM4Njc1LCJpYXQiOjE0NTQ0MzgzNzUsImlzcyI6ImF1dGguZG9ja2VyLmlvIiwianRpIjoiZXFrVmVsWWJtbW5KSDctNW53SEkiLCJuYmYiOjE0NTQ0MzgzNzUsInN1YiI6ImRtY2dvd2FuIn0"} | {"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5","expires_in":"900","scope":""} | ||||||
| ```` | ```` | ||||||
| 
 | 
 | ||||||
| #### Example refreshing an Access Token | #### Example refreshing an Access Token | ||||||
|  | @ -120,6 +185,6 @@ grant_type=refresh_token&refresh_token=kas9Da81Dfa8&service=registry-1.docker.io | ||||||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | ||||||
| Content-Type: application/json | Content-Type: application/json | ||||||
| 
 | 
 | ||||||
| {"access_token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5UQTJNalV4T1RVMU5EWmFGdzB4TmpBMk1qUXhPVFUxTkRaYU1FWXhSREJDQmdOVkJBTVRPMGhHU1UwNldGZFZWam8yUVZkSU9sWlpUVEk2TTFnMVREcFNWREkxT2s5VFNrbzZTMVExUmpwWVRsSklPbFJMTmtnNlMxUkxOanBCUVV0VU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRXl2UzIvdEI3T3JlMkVxcGRDeFdtS1NqV1N2VmJ2TWUrWGVFTUNVMDByQjI0akNiUVhreFdmOSs0MUxQMlZNQ29BK0RMRkIwVjBGZGdwajlOWU5rL2pxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNBSUF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3U0VaSlRUcFlWMVZXT2paQlYwZzZWbGxOTWpveldEVk1PbEpVTWpVNlQxTktTanBMVkRWR09saE9Va2c2VkVzMlNEcExWRXMyT2tGQlMxUXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTXZiT2h4cHhrTktqSDRhMFBNS0lFdXRmTjZtRDFvMWs4ZEJOVGxuWVFudkFpRUF0YVJGSGJSR2o4ZlVSSzZ4UVJHRURvQm1ZZ3dZelR3Z3BMaGJBZzNOUmFvPSJdfQ.eyJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6ImRtY2dvd2FuL2hlbGxvLXdvcmxkIiwiYWN0aW9ucyI6WyJwdWxsIl19XSwiYXVkIjoicmVnaXN0cnkuZG9ja2VyLmlvIiwiZXhwIjoxNDU0NDM4Njc1LCJpYXQiOjE0NTQ0MzgzNzUsImlzcyI6ImF1dGguZG9ja2VyLmlvIiwianRpIjoiZXFrVmVsWWJtbW5KSDctNW53SEkiLCJuYmYiOjE0NTQ0MzgzNzUsInN1YiI6ImRtY2dvd2FuIn0"} | {"refresh_token":"kas9Da81Dfa8","access_token":"eyJhbGciOiJFUzI1NiIsInR5":"expires_in":"900","scope":"repository:samalba/my-app:pull,repository:samalba/my-app:push"} | ||||||
| ```` | ```` | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue