You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
kratos/third_party/google/iam/credentials/v1/common.proto

224 lines
8.3 KiB

// Copyright 2018 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.iam.credentials.v1;
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
option cc_enable_arenas = true;
option go_package = "google.golang.org/genproto/googleapis/iam/credentials/v1;credentials";
option java_multiple_files = true;
option java_outer_classname = "IAMCredentialsCommonProto";
option java_package = "com.google.cloud.iam.credentials.v1";
message GenerateAccessTokenRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
// on its next service account in the chain. The last service account in the
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
// on the service account that is specified in the `name` field of the
// request.
//
// The delegates must have the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
repeated string delegates = 2;
// Code to identify the scopes to be included in the OAuth 2.0 access token.
// See https://developers.google.com/identity/protocols/googlescopes for more
// information.
// At least one value required.
repeated string scope = 4;
// The desired lifetime duration of the access token in seconds.
// Must be set to a value less than or equal to 3600 (1 hour). If a value is
// not specified, the token's lifetime will be set to a default value of one
// hour.
google.protobuf.Duration lifetime = 7;
}
message GenerateAccessTokenResponse {
// The OAuth 2.0 access token.
string access_token = 1;
// Token expiration time.
// The expiration time is always set.
google.protobuf.Timestamp expire_time = 3;
}
message SignBlobRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
// on its next service account in the chain. The last service account in the
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
// on the service account that is specified in the `name` field of the
// request.
//
// The delegates must have the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
repeated string delegates = 3;
// The bytes to sign.
bytes payload = 5;
}
message SignBlobResponse {
// The ID of the key used to sign the blob.
string key_id = 1;
// The signed blob.
bytes signed_blob = 4;
}
message SignJwtRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
// on its next service account in the chain. The last service account in the
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
// on the service account that is specified in the `name` field of the
// request.
//
// The delegates must have the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
repeated string delegates = 3;
// The JWT payload to sign: a JSON object that contains a JWT Claims Set.
string payload = 5;
}
message SignJwtResponse {
// The ID of the key used to sign the JWT.
string key_id = 1;
// The signed JWT.
string signed_jwt = 2;
}
message GenerateIdTokenRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
string name = 1;
// The sequence of service accounts in a delegation chain. Each service
// account must be granted the `roles/iam.serviceAccountTokenCreator` role
// on its next service account in the chain. The last service account in the
// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
// on the service account that is specified in the `name` field of the
// request.
//
// The delegates must have the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`
repeated string delegates = 2;
// The audience for the token, such as the API or account that this token
// grants access to.
string audience = 3;
// Include the service account email in the token. If set to `true`, the
// token will contain `email` and `email_verified` claims.
bool include_email = 4;
}
message GenerateIdTokenResponse {
// The OpenId Connect ID token.
string token = 1;
}
message GenerateIdentityBindingAccessTokenRequest {
// The resource name of the service account for which the credentials
// are requested, in the following format:
// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
string name = 1;
// Code to identify the scopes to be included in the OAuth 2.0 access token.
// See https://developers.google.com/identity/protocols/googlescopes for more
// information.
// At least one value required.
repeated string scope = 2;
// Required. Input token.
// Must be in JWT format according to
// RFC7523 (https://tools.ietf.org/html/rfc7523)
// and must have 'kid' field in the header.
// Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
// Mandatory payload fields (along the lines of RFC 7523, section 3):
// - iss: issuer of the token. Must provide a discovery document at
// $iss/.well-known/openid-configuration . The document needs to be
// formatted according to section 4.2 of the OpenID Connect Discovery
// 1.0 specification.
// - iat: Issue time in seconds since epoch. Must be in the past.
// - exp: Expiration time in seconds since epoch. Must be less than 48 hours
// after iat. We recommend to create tokens that last shorter than 6
// hours to improve security unless business reasons mandate longer
// expiration times. Shorter token lifetimes are generally more secure
// since tokens that have been exfiltrated by attackers can be used for
// a shorter time. you can configure the maximum lifetime of the
// incoming token in the configuration of the mapper.
// The resulting Google token will expire within an hour or at "exp",
// whichever is earlier.
// - sub: JWT subject, identity asserted in the JWT.
// - aud: Configured in the mapper policy. By default the service account
// email.
//
// Claims from the incoming token can be transferred into the output token
// accoding to the mapper configuration. The outgoing claim size is limited.
// Outgoing claims size must be less than 4kB serialized as JSON without
// whitespace.
//
// Example header:
// {
// "alg": "RS256",
// "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
// }
// Example payload:
// {
// "iss": "https://accounts.google.com",
// "iat": 1517963104,
// "exp": 1517966704,
// "aud": "https://iamcredentials.googleapis.com/",
// "sub": "113475438248934895348",
// "my_claims": {
// "additional_claim": "value"
// }
// }
string jwt = 3;
}
message GenerateIdentityBindingAccessTokenResponse {
// The OAuth 2.0 access token.
string access_token = 1;
// Token expiration time.
// The expiration time is always set.
google.protobuf.Timestamp expire_time = 2;
}