blob: b7cdefbfab78524057b59fd75fb582a69c4b524d [file] [log] [blame]
// Copyright 2017 The LUCI Authors. All rights reserved.
// Use of this source code is governed under the Apache License, Version 2.0
// that can be found in the LICENSE file.
syntax = "proto3";
package tokenserver;
import "google/protobuf/timestamp.proto";
// OAuthTokenGrantBody contains the internal guts of an oauth token grant.
// It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which
// then also gets serialized to get the final blob with the grant. This blob is
// then base64-encoded and returned to the caller of MintOAuthTokenGrant.
message OAuthTokenGrantBody {
// Identifier of this token as generated by the token server.
// Used for logging and tracking purposes.
// TODO(vadimsh): It may later be used for revocation purposes.
int64 token_id = 1;
// Service account email the end user wants to act as.
string service_account = 2;
// Who can pass this token to MintOAuthTokenViaGrant to get an OAuth token.
// A string of the form "user:<email>". On Swarming, this is Swarming's own
// service account name.
string proxy = 3;
// An end user that wants to act as the service account (perhaps indirectly).
// A string of the form "user:<email>". On Swarming, this is an identity of
// a user that posted the task.
// Used by MintOAuthTokenViaGrant to recheck that the access is still allowed.
string end_user = 4;
// When the token was generated (and when it becomes valid).
google.protobuf.Timestamp issued_at = 5;
// How long the token is considered valid (in seconds).
// It may become invalid sooner if the token server policy changes and the
// new policy doesn't allow this token.
int64 validity_duration = 6;
// OAuthTokenGrantEnvelope is what is actually being serialized and send to
// the callers of MintOAuthTokenGrant (after being encoded using base64 standard
// raw encoding).
message OAuthTokenGrantEnvelope {
bytes token_body = 1; // serialized OAuthTokenGrantBody
string key_id = 2; // id of a token server private key used for signing
bytes pkcs1_sha256_sig = 3; // signature of 'token_body'