
Side by Side Diff: tokenserver/api/oauth_token_grant.proto

Issue 2986423002: tokenserver: Fix some mistakes in proto docs for new token grants feature. (Closed)
Patch Set: Created 3 years, 4 months ago
OLD | NEW
1 // Copyright 2017 The LUCI Authors. All rights reserved. 1 // Copyright 2017 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 syntax = "proto3"; 5 syntax = "proto3";
6 6
7 package tokenserver; 7 package tokenserver;
8 8
9 import "google/protobuf/timestamp.proto"; 9 import "google/protobuf/timestamp.proto";
10 10
11 11
12 // OAuthTokenGrantBody contains the internal guts of an oauth token grant. 12 // OAuthTokenGrantBody contains the internal guts of an oauth token grant.
13 // 13 //
14 // It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which 14 // It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which
15 // then also gets serialized to get the final blob with the grant. This blob is 15 // then also gets serialized to get the final blob with the grant. This blob is
16 // then base64-encoded and returned to the caller of MintOAuthTokenGrant. 16 // then base64-encoded and returned to the caller of MintOAuthTokenGrant.
17 message OAuthTokenGrantBody { 17 message OAuthTokenGrantBody {
18 // Identifier of this token as generated by the token server. 18 // Identifier of this token as generated by the token server.
19 // 19 //
20 // Used for logging and tracking purposes. 20 // Used for logging and tracking purposes.
21 // 21 //
22 // TODO(vadimsh): It may later be used for revocation purposes. 22 // TODO(vadimsh): It may later be used for revocation purposes.
23 int64 token_id = 1; 23 int64 token_id = 1;
24 24
25 // Service account identity the end user wants to act as. 25 // Service account email the end user wants to act as.
Vadim Sh. 2017/08/04 05:55:53 I decided all service account references (in confi
26 //
27 // A string of the form "user:<email>".
28 string service_account = 2; 26 string service_account = 2;
29 27
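Review bot: the new comment on service_account (new line 25) drops the sentence that specified the value's format, so the field's encoding is now undocumented, while proxy and end_user directly below still say 'A string of the form "user:<email>"'. If the value is now a bare email, state that explicitly, for example 'A bare email, without the "user:" prefix', so that code comparing service_account against proxy or end_user does not assume all three fields share one format.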
30 // Who can pass this token to MintOAuthTokenViaGrant to get an OAuth token. 28 // Who can pass this token to MintOAuthTokenViaGrant to get an OAuth token.
31 // 29 //
32 // A string of the form "user:<email>". On Swarming, this is Swarming's own 30 // A string of the form "user:<email>". On Swarming, this is Swarming's own
33 // service account name. 31 // service account name.
34 string proxy = 3; 32 string proxy = 3;
35 33
36 // An end user that wants to act as the service account (perhaps indirectly). 34 // An end user that wants to act as the service account (perhaps indirectly).
37 // 35 //
38 // A string of the form "user:<email>". On Swarming, this is an identity of 36 // A string of the form "user:<email>". On Swarming, this is an identity of
39 // a user that posted the task. 37 // a user that posted the task.
40 // 38 //
41 // This is informational field currently (not used in authorization checks). 39 // Used by MintOAuthTokenViaGrant to recheck that the access is still allowed.
Vadim Sh. 2017/08/04 05:55:53 Realized that while writing MintOAuthTokenGrant im
42 string end_user = 4; 40 string end_user = 4;
43 41
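Review bot: the new comment on end_user (new line 39) says MintOAuthTokenViaGrant rechecks "that the access is still allowed" without naming which access. This change turns end_user from an informational field into an input to an authorization decision, so the comment should spell out what is rechecked (presumably that end_user may still act as service_account through proxy) and what the caller gets back when the recheck fails. A pointer to the validity_duration comment, which already says the token may become invalid sooner if the token server policy changes, would tie the two statements together.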
44 // When the token was generated (and when it becomes valid). 42 // When the token was generated (and when it becomes valid).
45 google.protobuf.Timestamp issued_at = 5; 43 google.protobuf.Timestamp issued_at = 5;
46 44
47 // How long the token is considered valid (in seconds). 45 // How long the token is considered valid (in seconds).
48 // 46 //
49 // It may become invalid sooner if the token server policy changes and the 47 // It may become invalid sooner if the token server policy changes and the
50 // new policy doesn't allow this token. 48 // new policy doesn't allow this token.
51 int64 validity_duration = 6; 49 int64 validity_duration = 6;
52 } 50 }
53 51
54 52
55 // OAuthTokenGrantEnvelope is what is actually being serialized and send to 53 // OAuthTokenGrantEnvelope is what is actually being serialized and send to
56 // the callers of MintOAuthTokenGrant (after being encoded using base64 standard 54 // the callers of MintOAuthTokenGrant (after being encoded using base64 standard
57 // raw encoding). 55 // raw encoding).
58 message OAuthTokenGrantEnvelope { 56 message OAuthTokenGrantEnvelope {
59 bytes token_body = 1; // serialized OAuthTokenGrantBody 57 bytes token_body = 1; // serialized OAuthTokenGrantBody
60 string key_id = 2; // id of a token server private key used for signi ng 58 string key_id = 2; // id of a token server private key used for signi ng
61 bytes pkcs1_sha256_sig = 3; // signature of 'token_body' 59 bytes pkcs1_sha256_sig = 3; // signature of 'token_body'
62 } 60 }