Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(14)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: tokenserver/api/oauth_token_grant.proto

Issue 2785973002: token-server: Add protos for new API for generating service account tokens. (Closed)
Patch Set: fix tests Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« tokenserver/api/minter/v1/token_minter.proto ('K') | « tokenserver/api/minter/v1/token_minter.pb.go ('k') | tokenserver/api/oauth_token_grant.pb.go » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: tokenserver/api/oauth_token_grant.proto
diff --git a/tokenserver/api/oauth_token_grant.proto b/tokenserver/api/oauth_token_grant.proto
new file mode 100644
index 0000000000000000000000000000000000000000..182a0942dfac673e9d8e8797e4881169b2d014c5
--- /dev/null
+++ b/tokenserver/api/oauth_token_grant.proto
@@ -0,0 +1,60 @@
+// Copyright 2017 The LUCI Authors. All rights reserved.
+// Use of this source code is governed under the Apache License, Version 2.0
+// that can be found in the LICENSE file.
+
+syntax = "proto3";
+
+package tokenserver;
+
+import "google/protobuf/timestamp.proto";
+
+
+// OAuthTokenGrantBody contains the internal guts of an oauth token grant.
+//
+// It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which
+// then also gets serialized to get the final blob with the grant. This blob is
+// then base64-encoded and returned to the caller of MintOAuthTokenGrant.
+message OAuthTokenGrantBody {
+ // Identifier of this token as generated by the token server.
+ //
+ // Used for logging and tracking purposes.
+ //
+ // TODO(vadimsh): It may later be used for revocation purposes.
+ int64 subtoken_id = 1;
nodir 2017/04/03 22:51:55 grant_id?
Vadim Sh. 2017/07/28 22:44:46 Renamed to token_id.
+
+ // Service account identity the end user wants to act as.
+ //
+ // A string of the form "user:<email>".
+ string service_account = 2;
+
+ // Who requested this token and who can pass it to MintOAuthTokenViaGrant.
+ //
+ // A string of the form "user:<email>". On Swarming, this is Swarming's own
+ // service account name.
+ string wielder_identity = 3;
+
+ // An end user that wants to act as the service account (perhaps indirectly).
+ //
+ // A string of the form "user:<email>". On Swarming, this is an identity of
+ // a user that posted the task.
+ string end_user_identity = 4;
+
+ // When the token was generated (and when it becomes valid).
+ google.protobuf.Timestamp issued_at = 5;
+
+ // How long the token is considered valid (in seconds).
+ //
+ // It may become invalid sooner if the token server policy changes and the
+ // new policy doesn't allow this token.
+ int64 validity_duration = 6;
+}
+
+
+// OAuthTokenGrantEnvelope is what is actually being serialized and send to
+// the callers of MintOAuthTokenGrant (after being encoded using base64 standard
+// raw encoding).
+message OAuthTokenGrantEnvelope {
+ bytes token_body = 1; // serialized OAuthTokenGrantBody
+ string key_id = 2; // id of a token server private key used for signing
+ bytes pkcs1_sha256_sig = 3; // signature of 'token_body'
+}
« tokenserver/api/minter/v1/token_minter.proto ('K') | « tokenserver/api/minter/v1/token_minter.pb.go ('k') | tokenserver/api/oauth_token_grant.pb.go » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698