Chromium Code Reviews

Side by Side Diff: tokenserver/api/oauth_token_grant.proto

Issue 2987383002: tokenserver: Protos for service account rules. (Closed)
Patch Set: tokenserver: Protos for service account rules. Created 3 years, 4 months ago
1 // Copyright 2017 The LUCI Authors. All rights reserved. 1 // Copyright 2017 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 syntax = "proto3"; 5 syntax = "proto3";
6 6
7 package tokenserver; 7 package tokenserver;
8 8
9 import "google/protobuf/timestamp.proto"; 9 import "google/protobuf/timestamp.proto";
10 10
11 11
12 // OAuthTokenGrantBody contains the internal guts of an oauth token grant. 12 // OAuthTokenGrantBody contains the internal guts of an oauth token grant.
13 // 13 //
14 // It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which 14 // It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which
15 // then also gets serialized to get the final blob with the grant. This blob is 15 // then also gets serialized to get the final blob with the grant. This blob is
16 // then base64-encoded and returned to the caller of MintOAuthTokenGrant. 16 // then base64-encoded and returned to the caller of MintOAuthTokenGrant.
17 message OAuthTokenGrantBody { 17 message OAuthTokenGrantBody {
18 // Identifier of this token as generated by the token server. 18 // Identifier of this token as generated by the token server.
19 // 19 //
20 // Used for logging and tracking purposes. 20 // Used for logging and tracking purposes.
21 // 21 //
22 // TODO(vadimsh): It may later be used for revocation purposes. 22 // TODO(vadimsh): It may later be used for revocation purposes.
23 int64 token_id = 1; 23 int64 token_id = 1;
24 24
25 // Service account identity the end user wants to act as. 25 // Service account identity the end user wants to act as.
26 // 26 //
27 // A string of the form "user:<email>". 27 // A string of the form "user:<email>".
28 string service_account = 2; 28 string service_account = 2;
29 29
30 // Who requested this token and who can pass it to MintOAuthTokenViaGrant. 30 // Who can pass this token to MintOAuthTokenViaGrant to get an OAuth token.
31 // 31 //
32 // A string of the form "user:<email>". On Swarming, this is Swarming's own 32 // A string of the form "user:<email>". On Swarming, this is Swarming's own
33 // service account name. 33 // service account name.
34 string wielder_identity = 3; 34 string proxy = 3;
35 35
36 // An end user that wants to act as the service account (perhaps indirectly). 36 // An end user that wants to act as the service account (perhaps indirectly).
37 // 37 //
38 // A string of the form "user:<email>". On Swarming, this is an identity of 38 // A string of the form "user:<email>". On Swarming, this is an identity of
39 // a user that posted the task. 39 // a user that posted the task.
40 string end_user_identity = 4; 40 //
41 // This is informational field currently (not used in authorization checks).
42 string end_user = 4;
41 43
42 // When the token was generated (and when it becomes valid). 44 // When the token was generated (and when it becomes valid).
43 google.protobuf.Timestamp issued_at = 5; 45 google.protobuf.Timestamp issued_at = 5;
44 46
45 // How long the token is considered valid (in seconds). 47 // How long the token is considered valid (in seconds).
46 // 48 //
47 // It may become invalid sooner if the token server policy changes and the 49 // It may become invalid sooner if the token server policy changes and the
48 // new policy doesn't allow this token. 50 // new policy doesn't allow this token.
49 int64 validity_duration = 6; 51 int64 validity_duration = 6;
50 } 52 }
51 53
52 54
53 // OAuthTokenGrantEnvelope is what is actually being serialized and send to 55 // OAuthTokenGrantEnvelope is what is actually being serialized and send to
54 // the callers of MintOAuthTokenGrant (after being encoded using base64 standard 56 // the callers of MintOAuthTokenGrant (after being encoded using base64 standard
55 // raw encoding). 57 // raw encoding).
56 message OAuthTokenGrantEnvelope { 58 message OAuthTokenGrantEnvelope {
57 bytes token_body = 1; // serialized OAuthTokenGrantBody 59 bytes token_body = 1; // serialized OAuthTokenGrantBody
58 string key_id = 2; // id of a token server private key used for signi ng 60 string key_id = 2; // id of a token server private key used for signi ng
59 bytes pkcs1_sha256_sig = 3; // signature of 'token_body' 61 bytes pkcs1_sha256_sig = 3; // signature of 'token_body'
60 } 62 }
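Review bot: the new comment on `end_user` (right side, line 41) has a grammar slip ("This is informational field" should be "This is an informational field"), and since the body is signed (line 14) but this field is explicitly "not used in authorization checks", the comment should state who is trusted to populate it (the `proxy` identity documented on lines 30-34, e.g. Swarming) so that readers of the grant do not mistake `end_user` for a verified identity. Separately, renaming `wielder_identity` to `proxy` drops the "Who requested this token" half of the old comment; if the requester is no longer recorded in the grant body, the comment on `proxy` or on `token_id` (lines 18-22, "Used for logging and tracking purposes") should say where that information is logged instead. Keeping field numbers 3 and 4 unchanged across the renames preserves wire compatibility, which is good. Nit in unchanged context: line 53 (old) / 55 (new) "serialized and send to" should read "serialized and sent to".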