// Copyright 2015 The LUCI Authors. All rights reserved.
// Use of this source code is governed under the Apache License, Version 2.0
// that can be found in the LICENSE file.

// This file is copied from luci-py.git:
// appengine/components/components/auth/proto/delegation.proto
// Commit: f615e7592619691fe9fa64997880e2490072db21
//
// Changes: renamed package to 'messages'.

syntax = "proto3";

package messages;

option go_package = "go.chromium.org/luci/server/auth/delegation/messages";


// Signed serialized Subtoken.
//
// This message is just an envelope that carries the serialized Subtoken message
// and its signature.
//
// The signature is the only integrity protection the token has: none of the
// claims inside serialized_subtoken should be acted upon until
// pkcs1_sha256_sig has been verified with the key identified by
// (signer_id, signing_key_id). Only after that should serialized_subtoken be
// deserialized and its restrictions (kind, audience, services, validity
// window) be checked.
//
// Next ID: 6.
message DelegationToken {
  // Field number 1 was retired; it stays reserved so it is never reused with
  // a different meaning by a later revision.
  reserved 1;

  // Identity of a service that signed this token.
  //
  // It can be a 'service:<app-id>' string or 'user:<service-account-email>'
  // string.
  //
  // In both cases the appropriate certificate store will be queried (via SSL)
  // for the public key to use for signature verification.
  //
  // NOTE(review): this field selects which certificate store is consulted, so
  // a verifier that accepts an arbitrary signer_id implicitly trusts anyone
  // who can publish certificates there; verifiers are expected to restrict
  // the set of acceptable signers.
  string signer_id = 2;

  // ID of a key used for making the signature.
  //
  // There can be multiple active keys at any moment in time: one used for new
  // signatures, and one being rotated out (but still valid for verification).
  //
  // The lifetime of the token indirectly depends on the lifetime of the signing
  // key, which is 24h. So delegation tokens can't live longer than 24h.
  string signing_key_id = 3;

  // The signature: PKCS1_v1_5+SHA256(serialized_subtoken, signing_key_id).
  //
  // I.e. an RSASSA-PKCS1-v1_5 signature using SHA-256, produced with the
  // private key identified by signing_key_id, over the bytes stored in
  // serialized_subtoken.
  bytes pkcs1_sha256_sig = 4;

  // Serialized Subtoken message. Its signature is stored in pkcs1_sha256_sig.
  //
  // Kept as opaque bytes (rather than an embedded Subtoken message) so that
  // the exact signed byte sequence is preserved for verification.
  bytes serialized_subtoken = 5;
}


// Identifies who delegates what authority to whom where.
//
// Next ID: 10.
message Subtoken {
  // How a token may be used. See the comments on each value.
  enum Kind {
    // This is to catch old tokens that don't have 'kind' field yet.
    //
    // Tokens of this kind are interpreted as 'BEARER_DELEGATION_TOKEN' for now,
    // for compatibility. But eventually (when all backends are updated), they
    // will become invalid (and there will be no way to generate them). This is
    // needed to avoid old servers accidentally interpreting tokens of kind != 0
    // as BEARER_DELEGATION_TOKEN tokens.
    //
    // Being the proto3 default, this is also what a serialized token that
    // omits field 8 entirely decodes to.
    UNKNOWN_KIND = 0;

    // The token of this kind can be sent in X-Delegation-Token-V1 HTTP header.
    // The services will check all restrictions of the token, and will
    // authenticate requests as coming from 'delegated_identity'.
    BEARER_DELEGATION_TOKEN = 1;
  }

  // What kind of token is this.
  //
  // Defines how it can be used. See comments for Kind enum.
  //
  // The point of this field is that verifiers check it explicitly instead of
  // assuming BEARER_DELEGATION_TOKEN; a kind the verifier does not recognize
  // should not be treated as any known kind.
  Kind kind = 8;

  // Identifier of this subtoken as generated by the token server.
  //
  // Used for logging and tracking purposes.
  int64 subtoken_id = 4;

  // Identity whose authority is delegated.
  //
  // A string of the form "user:<email>".
  //
  // This is the identity requests presenting the token are authenticated as.
  string delegated_identity = 1;

  // Who requested this token.
  //
  // This can match delegated_identity if the user is delegating their own
  // identity or it can be a different id if the token is actually
  // an impersonation token.
  string requestor_identity = 7;

  // When the token was generated (and when it becomes valid).
  //
  // Number of seconds since epoch (Unix timestamp).
  int64 creation_time = 2;

  // How long the token is considered valid (in seconds).
  //
  // Together with creation_time this bounds the validity window to roughly
  // [creation_time, creation_time + validity_duration]; how the boundaries and
  // clock skew are handled is up to the verifier.
  int32 validity_duration = 3;

  // Who can present this token.
  //
  // Each item can be an identity string (e.g. "user:<email>"), a "group:<name>"
  // string, or special "*" string which means "Any bearer can use the token".
  //
  // Note that with "*" the token is a pure bearer credential: anyone who
  // obtains it can use it for the remainder of its validity window.
  repeated string audience = 5;

  // What services should accept this token.
  //
  // List of services (specified as service identities, e.g. "service:app-id")
  // that should accept this token. May also contain special "*" string, which
  // means "All services".
  repeated string services = 6;

  // Arbitrary key:value pairs embedded into the token by whoever requested it.
  // They convey the circumstances under which the token was created.
  //
  // Services that accept the token may use them for additional authorization
  // decisions. Please use extremely carefully, only when you control both sides
  // of the delegation link and can guarantee that services involved understand
  // the tags.
  repeated string tags = 9;
}