token-server: Add protos for new API for generating service account tokens.

tokenserver/api/minter/v1/token_minter.pb.go

 // Code generated by protoc-gen-go.
 // source: github.com/luci/luci-go/tokenserver/api/minter/v1/token_minter.proto
 // DO NOT EDIT!
 
 /*
 Package minter is a generated protocol buffer package.
 
 It is generated from these files:
         github.com/luci/luci-go/tokenserver/api/minter/v1/token_minter.proto
 
 It has these top-level messages:
         MintMachineTokenRequest
         MachineTokenRequest
         MintMachineTokenResponse
         MachineTokenResponse
         LuciMachineToken
         MintDelegationTokenRequest
         MintDelegationTokenResponse
+        MintOAuthTokenGrantRequest
+        MintOAuthTokenGrantResponse
+        MintOAuthTokenViaGrantRequest
+        MintOAuthTokenViaGrantResponse
 */
 package minter
 
 import prpc "github.com/luci/luci-go/grpc/prpc"
 
 import proto "github.com/golang/protobuf/proto"
 import fmt "fmt"
 import math "math"
 import google_protobuf "github.com/golang/protobuf/ptypes/timestamp"
 import messages "github.com/luci/luci-go/server/auth/delegation/messages"
@@ skipping 161 matching lines @@
         return nil
 }
 
 func (m *MachineTokenRequest) GetTokenType() tokenserver.MachineTokenType {
         if m != nil {
                 return m.TokenType
         }
         return tokenserver.MachineTokenType_UNKNOWN_TYPE
 }
 
-// MintMachineTokenResponse is returned by 'MintMachineToken' if the server
+// MintMachineTokenResponse is returned by MintMachineToken if the server
 // processed the request.
 //
 // It's returned even if server refuses to mint a token. It contains the error
 // details in that case.
 type MintMachineTokenResponse struct {
         // Possible kinds of fatal errors.
         //
         // Non fatal errors are returned as grpc.Internal errors instead.
         ErrorCode ErrorCode `protobuf:"varint,1,opt,name=error_code,json=errorCode,enum=tokenserver.minter.ErrorCode" json:"error_code,omitempty"`
         // Optional detailed error message.
@@ skipping 259 matching lines @@
         return nil
 }
 
 func (m *MintDelegationTokenRequest) GetIntent() string {
         if m != nil {
                 return m.Intent
         }
         return ""
 }
 
-// MintDelegationTokenResponse is returned by 'MintDelegationToken' on success.
+// MintDelegationTokenResponse is returned by MintDelegationToken on success.
 //
 // Errors are returned via standard gRPC codes.
 type MintDelegationTokenResponse struct {
         // The actual base64-encoded signed token.
         Token string `protobuf:"bytes,1,opt,name=token" json:"token,omitempty"`
         // Same data as in 'token' in deserialized form, just for convenience.
         //
         // Mostly for JSON encoding users, since they may not understand proto-encoded
         // tokens.
         DelegationSubtoken *messages.Subtoken `protobuf:"bytes,2,opt,name=delegation_subtoken,json=delegationSubtoken" json:"delegation_subtoken,omitempty"`
         // Identifier of the service and its version that produced the token.
         //
         // Has the form "<app-id>/<module-version>". This is _not_ part of the token.
+        // Used only for logging and monitoring.
         ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion" json:"service_version,omitempty"`
 }
 
 func (m *MintDelegationTokenResponse) Reset()                    { *m = MintDelegationTokenResponse{} }
 func (m *MintDelegationTokenResponse) String() string            { return proto.CompactTextString(m) }
 func (*MintDelegationTokenResponse) ProtoMessage()               {}
 func (*MintDelegationTokenResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{6} }
 
 func (m *MintDelegationTokenResponse) GetToken() string {
         if m != nil {
                 return m.Token
         }
         return ""
 }
 
 func (m *MintDelegationTokenResponse) GetDelegationSubtoken() *messages.Subtoken {
         if m != nil {
                 return m.DelegationSubtoken
         }
         return nil
 }
 
 func (m *MintDelegationTokenResponse) GetServiceVersion() string {
         if m != nil {
                 return m.ServiceVersion
         }
         return ""
 }
 
+// MintOAuthTokenGrantRequest is passed to MintOAuthTokenGrant.
+//
+// Additional implicit field is the identity of whoever makes this call. It
+// becomes 'wielder_identity' of the generated token.
+type MintOAuthTokenGrantRequest struct {
+        // Service account identity the end user wants to act as.
+        //
+        // A string of the form "user:<email>".
+        //
+        // Required.
+        ServiceAccount string `protobuf:"bytes,1,opt,name=service_account,json=serviceAccount" json:"service_account,omitempty"`
+        // How long the generated grant should be considered valid (in seconds).
+        //
+        // Default is 3600 sec.
+        ValidityDuration int64 `protobuf:"varint,2,opt,name=validity_duration,json=validityDuration" json:"validity_duration,omitempty"`
+        // An end user that wants to act as the service account (perhaps indirectly).
+        //
+        // A string of the form "user:<email>". On Swarming, this is an identity of
+        // a user that posted the task.
+        //
+        // TODO(vadimsh): Verify that this user is present during MintOAuthTokenGrant
+        // RPC by requiring the end user's credentials, e.g make Swarming forward
+        // user's OAuth token to the token server, where it can be validated.
+        //
+        // Required.
+        EndUserIdentity string `protobuf:"bytes,3,opt,name=end_user_identity,json=endUserIdentity" json:"end_user_identity,omitempty"`
+        // Optional reason why the grant is created.
+        //
+        // Used only for logging and auditing purposes. Doesn't become part of the
+        // grant.
+        Intent string `protobuf:"bytes,4,opt,name=intent" json:"intent,omitempty"`
+}
+
+func (m *MintOAuthTokenGrantRequest) Reset()                    { *m = MintOAuthTokenGrantRequest{} }
+func (m *MintOAuthTokenGrantRequest) String() string            { return proto.CompactTextString(m) }
+func (*MintOAuthTokenGrantRequest) ProtoMessage()               {}
+func (*MintOAuthTokenGrantRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{7} }
+
+func (m *MintOAuthTokenGrantRequest) GetServiceAccount() string {
+        if m != nil {
+                return m.ServiceAccount
+        }
+        return ""
+}
+
+func (m *MintOAuthTokenGrantRequest) GetValidityDuration() int64 {
+        if m != nil {
+                return m.ValidityDuration
+        }
+        return 0
+}
+
+func (m *MintOAuthTokenGrantRequest) GetEndUserIdentity() string {
+        if m != nil {
+                return m.EndUserIdentity
+        }
+        return ""
+}
+
+func (m *MintOAuthTokenGrantRequest) GetIntent() string {
+        if m != nil {
+                return m.Intent
+        }
+        return ""
+}
+
+// MintOAuthTokenGrantResponse is returned by MintOAuthTokenGrant.
+type MintOAuthTokenGrantResponse struct {
+        GrantToken string                     `protobuf:"bytes,1,opt,name=grant_token,json=grantToken" json:"grant_token,omitempty"`
+        Expiry     *google_protobuf.Timestamp `protobuf:"bytes,2,opt,name=expiry" json:"expiry,omitempty"`
+        // Identifier of the service and its version that produced the token.
+        //
+        // Has the form "<app-id>/<module-version>". This is _not_ part of the token.
+        // Used only for logging and monitoring.
+        ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion" json:"service_version,omitempty"`
+}
+
+func (m *MintOAuthTokenGrantResponse) Reset()                    { *m = MintOAuthTokenGrantResponse{} }
+func (m *MintOAuthTokenGrantResponse) String() string            { return proto.CompactTextString(m) }
+func (*MintOAuthTokenGrantResponse) ProtoMessage()               {}
+func (*MintOAuthTokenGrantResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{8} }
+
+func (m *MintOAuthTokenGrantResponse) GetGrantToken() string {
+        if m != nil {
+                return m.GrantToken
+        }
+        return ""
+}
+
+func (m *MintOAuthTokenGrantResponse) GetExpiry() *google_protobuf.Timestamp {
+        if m != nil {
+                return m.Expiry
+        }
+        return nil
+}
+
+func (m *MintOAuthTokenGrantResponse) GetServiceVersion() string {
+        if m != nil {
+                return m.ServiceVersion
+        }
+        return ""
+}
+
+// MintOAuthTokenViaGrantRequest is passed to MintOAuthTokenViaGrant.
+//
+// Additional implicit field is the identity of whoever makes this call. It is
+// compared against 'wielder_identity' inside the token.
+type MintOAuthTokenViaGrantRequest struct {
+        // A previously generated grant, as returned by MintOAuthTokenGrant.
+        GrantToken string `protobuf:"bytes,1,opt,name=grant_token,json=grantToken" json:"grant_token,omitempty"`
+        // The list of OAuth scopes the access token should have.
+        //
+        // The server may reject the request if some scopes are not allowed.
+        OauthScopes []string `protobuf:"bytes,2,rep,name=oauth_scopes,json=oauthScopes" json:"oauth_scopes,omitempty"`
+        // Minimally accepted validity duration of the returned OAuth token (seconds).
+        //
+        // The server may return a token that lives longer than this. The maximum is
+        // 1h. An attempt to get a token that lives longer will result in a error.
+        //
+        // The returned token validity duration doesn't not depend on the lifetime of
+        // the grant: it's possible to use a grant that expires in 1 sec to get an
+        // access token that lives for 1h.
+        //
+        // Default is 3600 sec.
+        MinValidityDuration int64 `protobuf:"varint,3,opt,name=min_validity_duration,json=minValidityDuration" json:"min_validity_duration,omitempty"`
+}
+
+func (m *MintOAuthTokenViaGrantRequest) Reset()                    { *m = MintOAuthTokenViaGrantRequest{} }
+func (m *MintOAuthTokenViaGrantRequest) String() string            { return proto.CompactTextString(m) }
+func (*MintOAuthTokenViaGrantRequest) ProtoMessage()               {}
+func (*MintOAuthTokenViaGrantRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{9} }
+
+func (m *MintOAuthTokenViaGrantRequest) GetGrantToken() string {
+        if m != nil {
+                return m.GrantToken
+        }
+        return ""
+}
+
+func (m *MintOAuthTokenViaGrantRequest) GetOauthScopes() []string {
+        if m != nil {
+                return m.OauthScopes
+        }
+        return nil
+}
+
+func (m *MintOAuthTokenViaGrantRequest) GetMinValidityDuration() int64 {
+        if m != nil {
+                return m.MinValidityDuration
+        }
+        return 0
+}
+
+// MintOAuthTokenViaGrantResponse is returned by MintOAuthTokenViaGrant.
+type MintOAuthTokenViaGrantResponse struct {
+        AccessToken string                     `protobuf:"bytes,1,opt,name=access_token,json=accessToken" json:"access_token,omitempty"`
+        Expiry      *google_protobuf.Timestamp `protobuf:"bytes,2,opt,name=expiry" json:"expiry,omitempty"`
+        // Identifier of the service and its version that produced the token.
+        //
+        // Has the form "<app-id>/<module-version>". Used only for logging and
+        // monitoring.
+        ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion" json:"service_version,omitempty"`
+}
+
+func (m *MintOAuthTokenViaGrantResponse) Reset()                    { *m = MintOAuthTokenViaGrantResponse{} }
+func (m *MintOAuthTokenViaGrantResponse) String() string            { return proto.CompactTextString(m) }
+func (*MintOAuthTokenViaGrantResponse) ProtoMessage()               {}
+func (*MintOAuthTokenViaGrantResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{10} }
+
+func (m *MintOAuthTokenViaGrantResponse) GetAccessToken() string {
+        if m != nil {
+                return m.AccessToken
+        }
+        return ""
+}
+
+func (m *MintOAuthTokenViaGrantResponse) GetExpiry() *google_protobuf.Timestamp {
+        if m != nil {
+                return m.Expiry
+        }
+        return nil
+}
+
+func (m *MintOAuthTokenViaGrantResponse) GetServiceVersion() string {
+        if m != nil {
+                return m.ServiceVersion
+        }
+        return ""
+}
+
 func init() {
         proto.RegisterType((*MintMachineTokenRequest)(nil), "tokenserver.minter.MintMachineTokenRequest")
         proto.RegisterType((*MachineTokenRequest)(nil), "tokenserver.minter.MachineTokenRequest")
         proto.RegisterType((*MintMachineTokenResponse)(nil), "tokenserver.minter.MintMachineTokenResponse")
         proto.RegisterType((*MachineTokenResponse)(nil), "tokenserver.minter.MachineTokenResponse")
         proto.RegisterType((*LuciMachineToken)(nil), "tokenserver.minter.LuciMachineToken")
         proto.RegisterType((*MintDelegationTokenRequest)(nil), "tokenserver.minter.MintDelegationTokenRequest")
         proto.RegisterType((*MintDelegationTokenResponse)(nil), "tokenserver.minter.MintDelegationTokenResponse")
+        proto.RegisterType((*MintOAuthTokenGrantRequest)(nil), "tokenserver.minter.MintOAuthTokenGrantRequest")
+        proto.RegisterType((*MintOAuthTokenGrantResponse)(nil), "tokenserver.minter.MintOAuthTokenGrantResponse")
+        proto.RegisterType((*MintOAuthTokenViaGrantRequest)(nil), "tokenserver.minter.MintOAuthTokenViaGrantRequest")
+        proto.RegisterType((*MintOAuthTokenViaGrantResponse)(nil), "tokenserver.minter.MintOAuthTokenViaGrantResponse")
         proto.RegisterEnum("tokenserver.minter.SignatureAlgorithm", SignatureAlgorithm_name, SignatureAlgorithm_value)
         proto.RegisterEnum("tokenserver.minter.ErrorCode", ErrorCode_name, ErrorCode_value)
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConn
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
@@ skipping 25 matching lines @@
         // the token):
         //   * They have expiration time.
         //   * They are usable only if presented with a credential of someone from
         //     the 'audience' list.
         //   * They are usable only on services specified in the 'services' list.
         //
         // The token server must be configured in advance with all expected
         // combinations of (caller identity, delegated identity, audience, service)
         // tuples. See DelegationRule in config.proto.
         MintDelegationToken(ctx context.Context, in *MintDelegationTokenRequest, opts ...grpc.CallOption) (*MintDelegationTokenResponse, error)
+        // MintOAuthTokenGrant generates a new grant for getting an OAuth2 token.
+        //
+        // This is a special (opaque for clients) token that asserts that the caller
+        // at the time of the call was allowed to act as a particular service account
+        // to perform a task authorized by an end-user.
+        //
+        // The returned grant can be used later (when the end-user is no longer
+        // present) to get a real OAuth2 access token via MintOAuthTokenViaGrant call.
+        //
+        // This pair of RPCs is used to "delay" generation of service account OAuth
+        // token until some later time, when it is actually needed. This is used by
+        // Swarming:
+        //   1. When the task is posted, Swarming calls MintOAuthTokenGrant to verify
+        //      that the end-user is allowed to act as the requested service account
+        //      on Swarming. On success, Swarming stores the grant in the task
+        //      metadata.
+        //   2. At a later time, when the task is executing and it needs an access
+        //      token, Swarming calls MintOAuthTokenViaGrant to convert the grant into
+        //      a real OAuth2 token.
+        //
+        // The returned grant can be used multiple times (as long as its validity
+        // duration and the token server policy allows).
+        //
+        // The token server must be configured in advance with all expected
+        // combinations of (caller identity, service account name, end users) tuples.
+        // See ServiceAccountRule in config.proto.
+        //
+        // MintOAuthTokenGrant will check that the requested usage is allowed by the
+        // rules. Later, MintOAuthTokenViaGrant will recheck this too.
+        MintOAuthTokenGrant(ctx context.Context, in *MintOAuthTokenGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenGrantResponse, error)
+        // MintOAuthTokenViaGrant converts an OAuth2 token grant into an access token.
+        //
+        // The grant must be previously generated by MintOAuthTokenGrant function, see
+        // its docs for more details.
+        MintOAuthTokenViaGrant(ctx context.Context, in *MintOAuthTokenViaGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenViaGrantResponse, error)
 }
 type tokenMinterPRPCClient struct {
         client *prpc.Client
 }
 
 func NewTokenMinterPRPCClient(client *prpc.Client) TokenMinterClient {
         return &tokenMinterPRPCClient{client}
 }
 
 func (c *tokenMinterPRPCClient) MintMachineToken(ctx context.Context, in *MintMachineTokenRequest, opts ...grpc.CallOption) (*MintMachineTokenResponse, error) {
         out := new(MintMachineTokenResponse)
         err := c.client.Call(ctx, "tokenserver.minter.TokenMinter", "MintMachineToken", in, out, opts...)
         if err != nil {
                 return nil, err
         }
         return out, nil
 }
 
 func (c *tokenMinterPRPCClient) MintDelegationToken(ctx context.Context, in *MintDelegationTokenRequest, opts ...grpc.CallOption) (*MintDelegationTokenResponse, error) {
         out := new(MintDelegationTokenResponse)
         err := c.client.Call(ctx, "tokenserver.minter.TokenMinter", "MintDelegationToken", in, out, opts...)
         if err != nil {
                 return nil, err
         }
         return out, nil
 }
 
+func (c *tokenMinterPRPCClient) MintOAuthTokenGrant(ctx context.Context, in *MintOAuthTokenGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenGrantResponse, error) {
+        out := new(MintOAuthTokenGrantResponse)
+        err := c.client.Call(ctx, "tokenserver.minter.TokenMinter", "MintOAuthTokenGrant", in, out, opts...)
+        if err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
+func (c *tokenMinterPRPCClient) MintOAuthTokenViaGrant(ctx context.Context, in *MintOAuthTokenViaGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenViaGrantResponse, error) {
+        out := new(MintOAuthTokenViaGrantResponse)
+        err := c.client.Call(ctx, "tokenserver.minter.TokenMinter", "MintOAuthTokenViaGrant", in, out, opts...)
+        if err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
 type tokenMinterClient struct {
         cc *grpc.ClientConn
 }
 
 func NewTokenMinterClient(cc *grpc.ClientConn) TokenMinterClient {
         return &tokenMinterClient{cc}
 }
 
 func (c *tokenMinterClient) MintMachineToken(ctx context.Context, in *MintMachineTokenRequest, opts ...grpc.CallOption) (*MintMachineTokenResponse, error) {
         out := new(MintMachineTokenResponse)
         err := grpc.Invoke(ctx, "/tokenserver.minter.TokenMinter/MintMachineToken", in, out, c.cc, opts...)
         if err != nil {
                 return nil, err
         }
         return out, nil
 }
 
 func (c *tokenMinterClient) MintDelegationToken(ctx context.Context, in *MintDelegationTokenRequest, opts ...grpc.CallOption) (*MintDelegationTokenResponse, error) {
         out := new(MintDelegationTokenResponse)
         err := grpc.Invoke(ctx, "/tokenserver.minter.TokenMinter/MintDelegationToken", in, out, c.cc, opts...)
         if err != nil {
                 return nil, err
         }
         return out, nil
 }
 
+func (c *tokenMinterClient) MintOAuthTokenGrant(ctx context.Context, in *MintOAuthTokenGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenGrantResponse, error) {
+        out := new(MintOAuthTokenGrantResponse)
+        err := grpc.Invoke(ctx, "/tokenserver.minter.TokenMinter/MintOAuthTokenGrant", in, out, c.cc, opts...)
+        if err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
+func (c *tokenMinterClient) MintOAuthTokenViaGrant(ctx context.Context, in *MintOAuthTokenViaGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenViaGrantResponse, error) {
+        out := new(MintOAuthTokenViaGrantResponse)
+        err := grpc.Invoke(ctx, "/tokenserver.minter.TokenMinter/MintOAuthTokenViaGrant", in, out, c.cc, opts...)
+        if err != nil {
+                return nil, err
+        }
+        return out, nil
+}
+
 // Server API for TokenMinter service
 
 type TokenMinterServer interface {
         // MintMachineToken generates a new token for an authenticated machine.
         //
         // It checks that provided certificate was signed by some trusted CA, and it
         // is still valid (non-expired and hasn't been revoked). It then checks that
         // the request was signed by the corresponding private key. Finally it checks
         // that the caller is authorized to generate requested kind of token.
         //
@@ skipping 13 matching lines @@
         // the token):
         //   * They have expiration time.
         //   * They are usable only if presented with a credential of someone from
         //     the 'audience' list.
         //   * They are usable only on services specified in the 'services' list.
         //
         // The token server must be configured in advance with all expected
         // combinations of (caller identity, delegated identity, audience, service)
         // tuples. See DelegationRule in config.proto.
         MintDelegationToken(context.Context, *MintDelegationTokenRequest) (*MintDelegationTokenResponse, error)
+        // MintOAuthTokenGrant generates a new grant for getting an OAuth2 token.
+        //
+        // This is a special (opaque for clients) token that asserts that the caller
+        // at the time of the call was allowed to act as a particular service account
+        // to perform a task authorized by an end-user.
+        //
+        // The returned grant can be used later (when the end-user is no longer
+        // present) to get a real OAuth2 access token via MintOAuthTokenViaGrant call.
+        //
+        // This pair of RPCs is used to "delay" generation of service account OAuth
+        // token until some later time, when it is actually needed. This is used by
+        // Swarming:
+        //   1. When the task is posted, Swarming calls MintOAuthTokenGrant to verify
+        //      that the end-user is allowed to act as the requested service account
+        //      on Swarming. On success, Swarming stores the grant in the task
+        //      metadata.
+        //   2. At a later time, when the task is executing and it needs an access
+        //      token, Swarming calls MintOAuthTokenViaGrant to convert the grant into
+        //      a real OAuth2 token.
+        //
+        // The returned grant can be used multiple times (as long as its validity
+        // duration and the token server policy allows).
+        //
+        // The token server must be configured in advance with all expected
+        // combinations of (caller identity, service account name, end users) tuples.
+        // See ServiceAccountRule in config.proto.
+        //
+        // MintOAuthTokenGrant will check that the requested usage is allowed by the
+        // rules. Later, MintOAuthTokenViaGrant will recheck this too.
+        MintOAuthTokenGrant(context.Context, *MintOAuthTokenGrantRequest) (*MintOAuthTokenGrantResponse, error)
+        // MintOAuthTokenViaGrant converts an OAuth2 token grant into an access token.
+        //
+        // The grant must be previously generated by MintOAuthTokenGrant function, see
+        // its docs for more details.
+        MintOAuthTokenViaGrant(context.Context, *MintOAuthTokenViaGrantRequest) (*MintOAuthTokenViaGrantResponse, error)
 }
 
 func RegisterTokenMinterServer(s prpc.Registrar, srv TokenMinterServer) {
         s.RegisterService(&_TokenMinter_serviceDesc, srv)
 }
 
 func _TokenMinter_MintMachineToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
         in := new(MintMachineTokenRequest)
         if err := dec(in); err != nil {
                 return nil, err
@@ skipping 22 matching lines @@
         info := &grpc.UnaryServerInfo{
                 Server:     srv,
                 FullMethod: "/tokenserver.minter.TokenMinter/MintDelegationToken",
         }
         handler := func(ctx context.Context, req interface{}) (interface{}, error) {
                 return srv.(TokenMinterServer).MintDelegationToken(ctx, req.(*MintDelegationTokenRequest))
         }
         return interceptor(ctx, in, info, handler)
 }
 
+func _TokenMinter_MintOAuthTokenGrant_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+        in := new(MintOAuthTokenGrantRequest)
+        if err := dec(in); err != nil {
+                return nil, err
+        }
+        if interceptor == nil {
+                return srv.(TokenMinterServer).MintOAuthTokenGrant(ctx, in)
+        }
+        info := &grpc.UnaryServerInfo{
+                Server:     srv,
+                FullMethod: "/tokenserver.minter.TokenMinter/MintOAuthTokenGrant",
+        }
+        handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+                return srv.(TokenMinterServer).MintOAuthTokenGrant(ctx, req.(*MintOAuthTokenGrantRequest))
+        }
+        return interceptor(ctx, in, info, handler)
+}
+
+func _TokenMinter_MintOAuthTokenViaGrant_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+        in := new(MintOAuthTokenViaGrantRequest)
+        if err := dec(in); err != nil {
+                return nil, err
+        }
+        if interceptor == nil {
+                return srv.(TokenMinterServer).MintOAuthTokenViaGrant(ctx, in)
+        }
+        info := &grpc.UnaryServerInfo{
+                Server:     srv,
+                FullMethod: "/tokenserver.minter.TokenMinter/MintOAuthTokenViaGrant",
+        }
+        handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+                return srv.(TokenMinterServer).MintOAuthTokenViaGrant(ctx, req.(*MintOAuthTokenViaGrantRequest))
+        }
+        return interceptor(ctx, in, info, handler)
+}
+
 var _TokenMinter_serviceDesc = grpc.ServiceDesc{
         ServiceName: "tokenserver.minter.TokenMinter",
         HandlerType: (*TokenMinterServer)(nil),
         Methods: []grpc.MethodDesc{
                 {
                         MethodName: "MintMachineToken",
                         Handler:    _TokenMinter_MintMachineToken_Handler,
                 },
                 {
                         MethodName: "MintDelegationToken",
                         Handler:    _TokenMinter_MintDelegationToken_Handler,
                 },
+                {
+                        MethodName: "MintOAuthTokenGrant",
+                        Handler:    _TokenMinter_MintOAuthTokenGrant_Handler,
+                },
+                {
+                        MethodName: "MintOAuthTokenViaGrant",
+                        Handler:    _TokenMinter_MintOAuthTokenViaGrant_Handler,
+                },
         },
         Streams:  []grpc.StreamDesc{},
         Metadata: "github.com/luci/luci-go/tokenserver/api/minter/v1/token_minter.proto",
 }
 
 func init() {
         proto.RegisterFile("github.com/luci/luci-go/tokenserver/api/minter/v1/token_minter.proto", fileDescriptor0)
 }
 
 var fileDescriptor0 = []byte{
-        // 919 bytes of a gzipped FileDescriptorProto
-        0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x55, 0xdd, 0x6e, 0xdb, 0x36,
-        0x14, 0x8e, 0x62, 0xc7, 0xb5, 0x4f, 0x7e, 0xaa, 0xd0, 0x49, 0xea, 0xb9, 0x1b, 0x1a, 0x78, 0xc3,
-        0x16, 0xb4, 0xab, 0x84, 0x79, 0xd8, 0x0f, 0xd0, 0xdd, 0xa8, 0xb6, 0x9a, 0x38, 0xad, 0xe4, 0x80,
-        0x92, 0x57, 0xec, 0x8a, 0x50, 0x2c, 0xd6, 0x21, 0x6a, 0x4b, 0xae, 0x44, 0x19, 0xf3, 0xde, 0x61,
-        0x0f, 0xb1, 0x27, 0xd8, 0x6b, 0xec, 0x49, 0xf6, 0x04, 0x03, 0x76, 0x3b, 0x88, 0x94, 0x6c, 0x39,
-        0x51, 0x87, 0xdc, 0x18, 0xe2, 0xf7, 0x7d, 0x3c, 0xdf, 0xe1, 0x39, 0x87, 0x34, 0xf4, 0x27, 0x8c,
-        0xdf, 0x24, 0xd7, 0xda, 0x38, 0x9c, 0xe9, 0xd3, 0x64, 0xcc, 0xc4, 0xcf, 0xf3, 0x49, 0xa8, 0xf3,
-        0xf0, 0x3d, 0x0d, 0x62, 0x1a, 0x2d, 0x68, 0xa4, 0x7b, 0x73, 0xa6, 0xcf, 0x58, 0xc0, 0x69, 0xa4,
-        0x2f, 0xbe, 0x91, 0x0c, 0x91, 0x6b, 0x6d, 0x1e, 0x85, 0x3c, 0x44, 0xa8, 0xa0, 0xd6, 0x24, 0xd3,
-        0x7e, 0x32, 0x09, 0xc3, 0xc9, 0x94, 0xea, 0x42, 0x71, 0x9d, 0xbc, 0xd3, 0x39, 0x9b, 0xd1, 0x98,
-        0x7b, 0xb3, 0xb9, 0xdc, 0xd4, 0xbe, 0xf8, 0x98, 0x75, 0xee, 0x9a, 0xf0, 0x1b, 0xdd, 0xa7, 0x53,
-        0x3a, 0xf1, 0x38, 0x0b, 0x03, 0x7d, 0x46, 0xe3, 0xd8, 0x9b, 0xd0, 0xb8, 0x80, 0x65, 0x91, 0x5e,
-        0xdc, 0xfb, 0x10, 0xde, 0xf8, 0x86, 0x05, 0x94, 0x08, 0x5c, 0x6e, 0xee, 0x7c, 0x80, 0x47, 0x16,
-        0x0b, 0xb8, 0x25, 0x29, 0x37, 0x65, 0x30, 0xfd, 0x90, 0xd0, 0x98, 0xa3, 0x1f, 0xa1, 0x15, 0xd3,
-        0x88, 0x79, 0x53, 0xf6, 0x1b, 0xf5, 0xe5, 0x26, 0x12, 0x49, 0xae, 0xa5, 0x9c, 0x2a, 0x67, 0x7b,
-        0xf8, 0x64, 0xcd, 0x6f, 0xec, 0xfc, 0x14, 0x1a, 0x31, 0x9b, 0x04, 0x1e, 0x4f, 0x22, 0xda, 0xda,
-        0x16, 0xd2, 0x35, 0xd0, 0xf9, 0x7d, 0x1b, 0x9a, 0x65, 0x7e, 0xa7, 0xb0, 0x3b, 0xa6, 0x11, 0x67,
-        0xef, 0xd8, 0xd8, 0xe3, 0x34, 0xb3, 0x28, 0x42, 0xe8, 0x2d, 0x34, 0x57, 0x61, 0x88, 0x37, 0x9d,
-        0x84, 0x11, 0xe3, 0x37, 0x33, 0xe1, 0x70, 0xd0, 0xfd, 0x52, 0xbb, 0xdb, 0x06, 0xcd, 0xc9, 0xe5,
-        0x46, 0xae, 0xc6, 0x28, 0xbe, 0x83, 0xa1, 0x1f, 0xa0, 0xc1, 0xe2, 0x38, 0xa1, 0x3e, 0xf1, 0x78,
-        0xab, 0x72, 0xaa, 0x9c, 0xed, 0x76, 0xdb, 0x9a, 0xec, 0xa0, 0x96, 0x77, 0x50, 0x73, 0xf3, 0x0e,
-        0xe2, 0xba, 0x14, 0x1b, 0x1c, 0xfd, 0x04, 0x20, 0x0b, 0xc3, 0x97, 0x73, 0xda, 0xaa, 0x8a, 0x44,
-        0x3e, 0xdb, 0x48, 0xa4, 0x78, 0x52, 0x77, 0x39, 0xa7, 0xb8, 0xc1, 0xf3, 0xcf, 0xcb, 0x6a, 0x7d,
-        0x47, 0xad, 0x75, 0xfe, 0x55, 0xa0, 0x75, 0xb7, 0x07, 0xf1, 0x3c, 0x0c, 0x62, 0x9a, 0x1a, 0xd0,
-        0x28, 0x0a, 0x23, 0x32, 0x0e, 0x7d, 0x59, 0x93, 0xdb, 0x06, 0xd9, 0x49, 0xcd, 0x54, 0xd5, 0x0b,
-        0x7d, 0x8a, 0x1b, 0x34, 0xff, 0x44, 0x9f, 0xc3, 0xbe, 0xdc, 0x9d, 0x4d, 0x8f, 0x28, 0x55, 0x03,
-        0xef, 0x09, 0xd0, 0x92, 0x18, 0x1a, 0xc2, 0x41, 0xde, 0x5c, 0x69, 0x9a, 0x55, 0xe0, 0xac, 0xcc,
-        0xa6, 0x2c, 0x49, 0xbc, 0xcf, 0x37, 0x72, 0xfe, 0x0a, 0x1e, 0xa6, 0x9b, 0xd8, 0x98, 0x92, 0x05,
-        0x8d, 0x62, 0x16, 0x06, 0xa2, 0x32, 0x0d, 0x7c, 0x90, 0xc1, 0x3f, 0x4b, 0xb4, 0xf3, 0xa7, 0x02,
-        0x47, 0xa5, 0xa7, 0x2e, 0x89, 0xb0, 0x5d, 0x16, 0x01, 0xb9, 0x80, 0xd2, 0x69, 0x27, 0x1b, 0xa3,
-        0xdd, 0x3a, 0x16, 0xf9, 0x7f, 0x51, 0x96, 0xff, 0x9b, 0x64, 0xcc, 0x8a, 0x96, 0x17, 0x5b, 0x58,
-        0x9d, 0xde, 0xc2, 0x5e, 0xee, 0x15, 0xbb, 0x7a, 0x59, 0xad, 0x2b, 0xea, 0xf6, 0x65, 0xb5, 0x7e,
-        0xa4, 0x1e, 0x77, 0xde, 0x83, 0x7a, 0x3b, 0x42, 0x5a, 0xe4, 0x4d, 0x7b, 0x45, 0x16, 0x79, 0x56,
-        0x14, 0x75, 0xa1, 0x46, 0x7f, 0x9d, 0xb3, 0x68, 0x29, 0x0e, 0xf2, 0xff, 0xe3, 0x95, 0x29, 0x3b,
-        0x7f, 0x29, 0xd0, 0x4e, 0x07, 0xa3, 0xbf, 0xba, 0xf1, 0x1b, 0xf7, 0xe5, 0x39, 0xa0, 0xec, 0x2d,
-        0xa0, 0x3e, 0x61, 0x3e, 0x0d, 0x38, 0xe3, 0xcb, 0xcc, 0xfc, 0x70, 0xc5, 0x0c, 0x32, 0x02, 0x3d,
-        0x83, 0xc3, 0x85, 0x37, 0x65, 0x3e, 0xe3, 0x4b, 0xe2, 0x27, 0x91, 0x88, 0x27, 0x92, 0xa9, 0x60,
-        0x35, 0x27, 0xfa, 0x19, 0x8e, 0xda, 0x50, 0xf7, 0x12, 0x9f, 0xd1, 0x60, 0x9c, 0x4e, 0x43, 0xe5,
-        0xac, 0x81, 0x57, 0xeb, 0x94, 0xcb, 0xba, 0x10, 0xb7, 0xaa, 0x92, 0xcb, 0xd7, 0xe8, 0x04, 0x6a,
-        0x69, 0x9d, 0x03, 0xde, 0xda, 0x11, 0x79, 0x64, 0xab, 0xce, 0x1f, 0x0a, 0x3c, 0x2e, 0x3d, 0x4a,
-        0xd6, 0xf0, 0x23, 0xd8, 0x29, 0xd6, 0x4e, 0x2e, 0x50, 0x0f, 0x9a, 0xeb, 0xd7, 0x8e, 0xc4, 0xc9,
-        0xb5, 0xd4, 0xc8, 0x0a, 0x22, 0x2d, 0x7f, 0x12, 0x35, 0x27, 0x63, 0x30, 0x5a, 0xcb, 0x73, 0xac,
-        0x6c, 0x96, 0x2a, 0x65, 0xb3, 0xf4, 0xf4, 0x05, 0xa0, 0xbb, 0xcf, 0x05, 0x52, 0x61, 0x6f, 0x64,
-        0xbf, 0xb6, 0x87, 0x6f, 0x6d, 0x62, 0xbc, 0x39, 0x1f, 0xaa, 0x5b, 0xa8, 0x09, 0x0f, 0x9d, 0x0b,
-        0xa3, 0xfb, 0xdd, 0xf7, 0x04, 0x3b, 0x86, 0x04, 0x95, 0xa7, 0x7f, 0x2b, 0xd0, 0x58, 0x5d, 0x41,
-        0xb4, 0x0b, 0x0f, 0x9c, 0x51, 0xaf, 0x67, 0x3a, 0x8e, 0xba, 0x85, 0x3e, 0x81, 0xe3, 0x91, 0xed,
-        0x8c, 0xae, 0xae, 0x86, 0xd8, 0x35, 0xfb, 0xc4, 0x19, 0x9c, 0xdb, 0x86, 0x3b, 0xc2, 0xa6, 0xaa,
-        0xa0, 0x36, 0x9c, 0x14, 0x29, 0x77, 0xf8, 0xda, 0xb4, 0x89, 0xfb, 0xcb, 0x95, 0xa9, 0x6e, 0xa3,
-        0x43, 0xd8, 0x7f, 0x69, 0xf4, 0x89, 0x3b, 0xb0, 0x4c, 0xc7, 0x35, 0xac, 0x2b, 0xb5, 0x92, 0xca,
-        0x53, 0xa8, 0x67, 0x62, 0x77, 0xf0, 0x6a, 0xd0, 0x33, 0x5c, 0x93, 0xbc, 0x1a, 0x62, 0xcb, 0x70,
-        0xd5, 0x6a, 0x2e, 0x5f, 0x47, 0xdf, 0x91, 0xc6, 0x2e, 0x1e, 0x39, 0x69, 0xec, 0xc2, 0x26, 0xb5,
-        0x86, 0x1e, 0x41, 0x53, 0x04, 0x17, 0x86, 0x06, 0x3e, 0x1f, 0x59, 0xa6, 0xed, 0x3a, 0xea, 0x03,
-        0xf4, 0x04, 0x1e, 0x5b, 0x46, 0xef, 0x62, 0x60, 0x9b, 0x19, 0x69, 0x0d, 0x6c, 0x77, 0x60, 0x9f,
-        0x13, 0x13, 0xe3, 0x21, 0x56, 0xeb, 0xdd, 0x7f, 0x14, 0xd8, 0x15, 0xbd, 0xb3, 0xc4, 0x85, 0x42,
-        0x33, 0x50, 0x6f, 0x3f, 0x5e, 0xe8, 0x59, 0xe9, 0xcb, 0x51, 0xfe, 0x37, 0xd3, 0xfe, 0xfa, 0x7e,
-        0xe2, 0x6c, 0x50, 0x16, 0xd0, 0x2c, 0x99, 0x23, 0xa4, 0x7d, 0x2c, 0x48, 0xf9, 0xdd, 0x69, 0xeb,
-        0xf7, 0xd6, 0x4b, 0xdf, 0xeb, 0x9a, 0xb8, 0xa7, 0xdf, 0xfe, 0x17, 0x00, 0x00, 0xff, 0xff, 0x24,
-        0xdc, 0xe5, 0x43, 0x32, 0x08, 0x00, 0x00,
+        // 1117 bytes of a gzipped FileDescriptorProto
+        0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0xcd, 0x6e, 0xdb, 0x46,
+        0x17, 0x0d, 0x25, 0xd9, 0x91, 0xae, 0x64, 0x9b, 0x1e, 0xd9, 0x8e, 0x3e, 0xe5, 0x4b, 0xed, 0xa8,
+        0x45, 0x6b, 0x38, 0x8d, 0x84, 0xa8, 0xe8, 0x0f, 0x90, 0x6e, 0x18, 0x99, 0xb1, 0xe5, 0x44, 0x92,
+        0x31, 0xa4, 0x1c, 0x74, 0x45, 0xd0, 0xe4, 0x44, 0x1e, 0x44, 0x22, 0x15, 0x72, 0x68, 0xd4, 0xdd,
+        0xf4, 0x09, 0xba, 0xee, 0xa2, 0x9b, 0xf6, 0x09, 0xba, 0xeb, 0x33, 0xf4, 0x49, 0xba, 0xeb, 0xba,
+        0xdb, 0x82, 0x33, 0xa4, 0x44, 0x4a, 0x54, 0xe3, 0x14, 0xe8, 0xc6, 0x10, 0xcf, 0xbd, 0x73, 0xcf,
+        0x99, 0x73, 0xef, 0xcc, 0x18, 0x8e, 0x47, 0x94, 0x5d, 0x05, 0x97, 0x4d, 0xcb, 0x9d, 0xb4, 0xc6,
+        0x81, 0x45, 0xf9, 0x9f, 0xc7, 0x23, 0xb7, 0xc5, 0xdc, 0x37, 0xc4, 0xf1, 0x89, 0x77, 0x4d, 0xbc,
+        0x96, 0x39, 0xa5, 0xad, 0x09, 0x75, 0x18, 0xf1, 0x5a, 0xd7, 0x4f, 0x44, 0xc4, 0x10, 0xdf, 0xcd,
+        0xa9, 0xe7, 0x32, 0x17, 0xa1, 0x44, 0x76, 0x53, 0x44, 0xea, 0xfb, 0x23, 0xd7, 0x1d, 0x8d, 0x49,
+        0x8b, 0x67, 0x5c, 0x06, 0xaf, 0x5b, 0x8c, 0x4e, 0x88, 0xcf, 0xcc, 0xc9, 0x54, 0x2c, 0xaa, 0x9f,
+        0xae, 0xa2, 0x8e, 0x59, 0x03, 0x76, 0xd5, 0xb2, 0xc9, 0x98, 0x8c, 0x4c, 0x46, 0x5d, 0xa7, 0x35,
+        0x21, 0xbe, 0x6f, 0x8e, 0x88, 0x9f, 0xc0, 0xa2, 0x4a, 0x4f, 0x6f, 0xbd, 0x09, 0xd3, 0xba, 0xa2,
+        0x0e, 0x31, 0x38, 0x2e, 0x16, 0x37, 0xde, 0xc2, 0xbd, 0x1e, 0x75, 0x58, 0x4f, 0x84, 0xf4, 0x30,
+        0x82, 0xc9, 0xdb, 0x80, 0xf8, 0x0c, 0x7d, 0x05, 0x35, 0x9f, 0x78, 0xd4, 0x1c, 0xd3, 0xef, 0x88,
+        0x2d, 0x16, 0x19, 0x9e, 0x88, 0xd5, 0xa4, 0x03, 0xe9, 0xb0, 0x82, 0xf7, 0xe6, 0xf1, 0xd4, 0xca,
+        0xff, 0x43, 0xc9, 0xa7, 0x23, 0xc7, 0x64, 0x81, 0x47, 0x6a, 0x39, 0x9e, 0x3a, 0x07, 0x1a, 0x3f,
+        0xe4, 0xa0, 0x9a, 0xc5, 0x77, 0x00, 0x65, 0x8b, 0x78, 0x8c, 0xbe, 0xa6, 0x96, 0xc9, 0x48, 0x44,
+        0x91, 0x84, 0xd0, 0x2b, 0xa8, 0xce, 0xca, 0x18, 0xe6, 0x78, 0xe4, 0x7a, 0x94, 0x5d, 0x4d, 0x38,
+        0xc3, 0x66, 0xfb, 0xe3, 0xe6, 0x72, 0x1b, 0x9a, 0x5a, 0x9c, 0xae, 0xc4, 0xd9, 0x18, 0xf9, 0x4b,
+        0x18, 0xfa, 0x12, 0x4a, 0xd4, 0xf7, 0x03, 0x62, 0x1b, 0x26, 0xab, 0xe5, 0x0f, 0xa4, 0xc3, 0x72,
+        0xbb, 0xde, 0x14, 0x1d, 0x6c, 0xc6, 0x1d, 0x6c, 0xea, 0x71, 0x07, 0x71, 0x51, 0x24, 0x2b, 0x0c,
+        0x7d, 0x0d, 0x20, 0x8c, 0x61, 0x37, 0x53, 0x52, 0x2b, 0x70, 0x21, 0x0f, 0x52, 0x42, 0x92, 0x3b,
+        0xd5, 0x6f, 0xa6, 0x04, 0x97, 0x58, 0xfc, 0xf3, 0xac, 0x50, 0x5c, 0x93, 0xd7, 0x1b, 0x7f, 0x49,
+        0x50, 0x5b, 0xee, 0x81, 0x3f, 0x75, 0x1d, 0x9f, 0x84, 0x04, 0xc4, 0xf3, 0x5c, 0xcf, 0xb0, 0x5c,
+        0x5b, 0x78, 0xb2, 0x48, 0x10, 0xed, 0x54, 0x0d, 0xb3, 0x3a, 0xae, 0x4d, 0x70, 0x89, 0xc4, 0x3f,
+        0xd1, 0x87, 0xb0, 0x21, 0x56, 0x47, 0xd3, 0xc3, 0xad, 0x2a, 0xe1, 0x0a, 0x07, 0x7b, 0x02, 0x43,
+        0x03, 0xd8, 0x8c, 0x9b, 0x2b, 0x48, 0x23, 0x07, 0x0e, 0xb3, 0x68, 0xb2, 0x44, 0xe2, 0x0d, 0x96,
+        0xd2, 0xfc, 0x09, 0x6c, 0x85, 0x8b, 0xa8, 0x45, 0x8c, 0x6b, 0xe2, 0xf9, 0xd4, 0x75, 0xb8, 0x33,
+        0x25, 0xbc, 0x19, 0xc1, 0x17, 0x02, 0x6d, 0xfc, 0x2a, 0xc1, 0x4e, 0xe6, 0xae, 0x33, 0x2a, 0xe4,
+        0xb2, 0x2a, 0x20, 0x1d, 0x50, 0x38, 0xed, 0x46, 0x6a, 0xb4, 0x6b, 0xbb, 0x5c, 0xff, 0x47, 0x59,
+        0xfa, 0x5f, 0x06, 0x16, 0x4d, 0x52, 0x9e, 0xde, 0xc1, 0xf2, 0x78, 0x01, 0x7b, 0x56, 0x49, 0x76,
+        0xf5, 0xac, 0x50, 0x94, 0xe4, 0xdc, 0x59, 0xa1, 0xb8, 0x23, 0xef, 0x36, 0xde, 0x80, 0xbc, 0x58,
+        0x21, 0x34, 0x39, 0x4d, 0x2f, 0x09, 0x93, 0x27, 0xc9, 0xa4, 0x36, 0xac, 0x93, 0x6f, 0xa7, 0xd4,
+        0xbb, 0xe1, 0x1b, 0xf9, 0xe7, 0xf1, 0x8a, 0x32, 0x1b, 0xbf, 0x4b, 0x50, 0x0f, 0x07, 0xe3, 0x78,
+        0x76, 0xe2, 0x53, 0xe7, 0xe5, 0x31, 0xa0, 0xe8, 0x2e, 0x20, 0xb6, 0x41, 0x6d, 0xe2, 0x30, 0xca,
+        0x6e, 0x22, 0xf2, 0xed, 0x59, 0xa4, 0x1b, 0x05, 0xd0, 0x23, 0xd8, 0xbe, 0x36, 0xc7, 0xd4, 0xa6,
+        0xec, 0xc6, 0xb0, 0x03, 0x8f, 0xd7, 0xe3, 0x62, 0xf2, 0x58, 0x8e, 0x03, 0xc7, 0x11, 0x8e, 0xea,
+        0x50, 0x34, 0x03, 0x9b, 0x12, 0xc7, 0x0a, 0xa7, 0x21, 0x7f, 0x58, 0xc2, 0xb3, 0xef, 0x30, 0x16,
+        0x75, 0xc1, 0xaf, 0x15, 0x44, 0x2c, 0xfe, 0x46, 0x7b, 0xb0, 0x1e, 0xfa, 0xec, 0xb0, 0xda, 0x1a,
+        0xd7, 0x11, 0x7d, 0x35, 0x7e, 0x91, 0xe0, 0x7e, 0xe6, 0x56, 0xa2, 0x86, 0xef, 0xc0, 0x5a, 0xd2,
+        0x3b, 0xf1, 0x81, 0x3a, 0x50, 0x9d, 0xdf, 0x76, 0x86, 0x1f, 0x5c, 0x8a, 0x1c, 0xe1, 0x20, 0x6a,
+        0xc6, 0x57, 0x62, 0x53, 0x8b, 0x22, 0x18, 0xcd, 0xd3, 0x63, 0x2c, 0x6b, 0x96, 0xf2, 0x99, 0xd3,
+        0xf8, 0x5b, 0x64, 0xf7, 0x40, 0x09, 0xd8, 0x15, 0x97, 0x77, 0xe2, 0x99, 0x0e, 0x8b, 0xed, 0x4e,
+        0xd4, 0x31, 0x2d, 0xcb, 0x0d, 0x1c, 0x16, 0x89, 0x8d, 0xeb, 0x28, 0x02, 0x7d, 0x3f, 0xa3, 0x8f,
+        0x60, 0x9b, 0x38, 0xb6, 0x11, 0xf8, 0xc4, 0x9b, 0xf7, 0x50, 0xe8, 0xdb, 0x22, 0x8e, 0x3d, 0xf4,
+        0x89, 0x37, 0xeb, 0xe0, 0xdc, 0xdc, 0x42, 0xca, 0xdc, 0x9f, 0x22, 0x73, 0x97, 0x84, 0x47, 0xe6,
+        0xee, 0x43, 0x79, 0x14, 0x02, 0xa9, 0xf1, 0x04, 0x0e, 0xfd, 0xeb, 0xe1, 0xbc, 0xbd, 0xad, 0x3f,
+        0x4a, 0xf0, 0x20, 0xad, 0xee, 0x82, 0x9a, 0x29, 0x67, 0xdf, 0xa9, 0xef, 0x21, 0x54, 0xdc, 0xf0,
+        0x3d, 0x34, 0x7c, 0xcb, 0x9d, 0x12, 0xbf, 0x96, 0xe3, 0x53, 0x57, 0xe6, 0x98, 0xc6, 0x21, 0xd4,
+        0x86, 0xdd, 0x09, 0x75, 0x8c, 0x65, 0xe3, 0xf3, 0xdc, 0xf8, 0xea, 0x84, 0x3a, 0x17, 0x0b, 0xde,
+        0x37, 0x7e, 0x96, 0xe0, 0x83, 0x55, 0xca, 0x22, 0xeb, 0x1e, 0x42, 0xc5, 0xb4, 0x2c, 0xe2, 0xfb,
+        0x29, 0x6d, 0x65, 0x81, 0xfd, 0xf7, 0xe6, 0x1d, 0x3d, 0x05, 0xb4, 0xfc, 0x84, 0x21, 0x19, 0x2a,
+        0xc3, 0xfe, 0x8b, 0xfe, 0xe0, 0x55, 0xdf, 0x50, 0x5e, 0x9e, 0x0c, 0xe4, 0x3b, 0xa8, 0x0a, 0x5b,
+        0xda, 0xa9, 0xd2, 0xfe, 0xfc, 0x0b, 0x03, 0x6b, 0x8a, 0x00, 0xa5, 0xa3, 0x3f, 0x24, 0x28, 0xcd,
+        0x9e, 0x05, 0x54, 0x86, 0xbb, 0xda, 0xb0, 0xd3, 0x51, 0x35, 0x4d, 0xbe, 0x83, 0xfe, 0x07, 0xbb,
+        0xc3, 0xbe, 0x36, 0x3c, 0x3f, 0x1f, 0x60, 0x5d, 0x3d, 0x36, 0xb4, 0xee, 0x49, 0x5f, 0xd1, 0x87,
+        0x58, 0x95, 0x25, 0x54, 0x87, 0xbd, 0x64, 0x48, 0x1f, 0xbc, 0x50, 0xfb, 0x86, 0xfe, 0xcd, 0xb9,
+        0x2a, 0xe7, 0xd0, 0x36, 0x6c, 0x3c, 0x53, 0x8e, 0x0d, 0xbd, 0xdb, 0x53, 0x35, 0x5d, 0xe9, 0x9d,
+        0xcb, 0xf9, 0x30, 0x3d, 0x84, 0x3a, 0x2a, 0xd6, 0xbb, 0xcf, 0xbb, 0x1d, 0x45, 0x57, 0x8d, 0xe7,
+        0x03, 0xdc, 0x53, 0x74, 0xb9, 0x10, 0xa7, 0xcf, 0xab, 0xaf, 0x09, 0x62, 0x1d, 0x0f, 0xb5, 0xb0,
+        0x76, 0x62, 0x91, 0xbc, 0x8e, 0xee, 0x41, 0x95, 0x17, 0xe7, 0x84, 0x0a, 0x3e, 0x19, 0xf6, 0xd4,
+        0xbe, 0xae, 0xc9, 0x77, 0xd1, 0x3e, 0xdc, 0xef, 0x29, 0x9d, 0xd3, 0x6e, 0x5f, 0x8d, 0x82, 0xbd,
+        0x6e, 0x5f, 0xef, 0xf6, 0x4f, 0x0c, 0x15, 0xe3, 0x01, 0x96, 0x8b, 0xed, 0x3f, 0xf3, 0x50, 0xe6,
+        0xcd, 0xe8, 0xf1, 0x4b, 0x1e, 0x4d, 0x40, 0x5e, 0x7c, 0x50, 0xd1, 0xa3, 0xcc, 0xd7, 0x2c, 0xfb,
+        0x5f, 0x9f, 0xfa, 0xa7, 0xb7, 0x4b, 0x8e, 0x86, 0xe4, 0x1a, 0xaa, 0x19, 0x77, 0x1b, 0x6a, 0xae,
+        0x2a, 0x92, 0x7d, 0x9f, 0xd7, 0x5b, 0xb7, 0xce, 0x4f, 0xf3, 0x2e, 0x1c, 0xfb, 0xd5, 0xbc, 0xd9,
+        0x17, 0xdb, 0x6a, 0xde, 0x55, 0xf7, 0xc9, 0xf7, 0xb0, 0x97, 0x7d, 0x6c, 0xd0, 0x93, 0x77, 0x97,
+        0x5a, 0x38, 0xfc, 0xf5, 0xf6, 0xfb, 0x2c, 0x11, 0x02, 0x2e, 0xd7, 0xf9, 0xd1, 0xfa, 0xec, 0xef,
+        0x00, 0x00, 0x00, 0xff, 0xff, 0x9b, 0x07, 0xeb, 0xf4, 0xbf, 0x0b, 0x00, 0x00,
 }