oidc.platform.proto
// Schema for the platform OIDC security token service: the
// SecurityTokenService RPCs plus their request and response messages.
//
// NOTE(review): the proto package below carries no version suffix, while
// go_package and java_package both end in v1. The package name is part of
// every fully-qualified message and gRPC method name, so adding a suffix to
// the published API would be a breaking change; treat the current name as
// fixed.
syntax = "proto3";
option go_package = "chainguard.dev/sdk/proto/platform/oidc/v1";
option java_multiple_files = true;
option java_package = "dev.chainguard.sdk.platform.oidc.v1";
option java_outer_classname = "PlatformOIDCProto";
package chainguard.platform.oidc;
import "google/api/annotations.proto";
import "google/api/resource.proto";
// SecurityTokenService declares two token-exchange RPCs, each with an HTTP
// mapping given through the google.api.http option.
//
// Neither request message has a field for the credential being exchanged, so
// it presumably arrives out of band (e.g. a request header) - confirm against
// the server implementation.
service SecurityTokenService {
// Exchange takes an ExchangeRequest and returns a RawToken.
//
// It is bound to both POST and GET on /sts/exchange. Neither binding declares
// a `body`, so under the google.api.http transcoding rules the request fields
// are carried as URL query parameters for both verbs.
// NOTE(review): the response carries token material and is reachable via GET;
// confirm the serving layer marks it non-cacheable (e.g. Cache-Control:
// no-store) and that query strings logged by proxies hold nothing sensitive.
rpc Exchange(ExchangeRequest) returns (RawToken) {
option (google.api.http) = {
post: "/sts/exchange"
additional_bindings {
get: "/sts/exchange"
}
};
}
// ExchangeRefreshToken takes an ExchangeRefreshTokenRequest and returns a
// TokenPair. It is bound to POST /sts/exchange_refresh_token only; as above,
// no `body` is declared on the binding.
rpc ExchangeRefreshToken(ExchangeRefreshTokenRequest) returns (TokenPair) {
option (google.api.http) = {
post: "/sts/exchange_refresh_token"
};
}
}
// ExchangeRefreshTokenRequest is the request message of
// SecurityTokenService.ExchangeRefreshToken.
//
// The refresh token itself is not a field of this message; it is presumably
// presented out of band - TODO confirm.
message ExchangeRefreshTokenRequest {
// Presumably the audience value(s) requested for the issued token - confirm.
repeated string aud = 1;
// Presumably the scope the token is requested for; the accepted format is not
// stated in this file - confirm.
string scope = 2;
// List of capabilities to request for the token.
// Each entry references a "chainguard.capabilities/Capability" resource.
// NOTE(review): these are requested, not granted, values; the check that the
// caller may hold them has to live in the server, which is not visible here.
repeated string cap = 3 [(google.api.resource_reference) = {
type: "chainguard.capabilities/Capability"
}];
}
// ExchangeRequest is the request message of SecurityTokenService.Exchange.
//
// Both HTTP bindings of Exchange omit `body`, so every field below is sent as
// a URL query parameter when the RPC is called over HTTP.
message ExchangeRequest {
// Presumably the audience value(s) requested for the issued token - confirm.
repeated string aud = 1;
// Presumably the scope the token is requested for; the accepted format is not
// stated in this file - confirm.
string scope = 2;
// `cluster` field was deprecated and removed.
// Number and name stay reserved so a later field cannot reuse them with a
// different meaning.
reserved 3;
reserved "cluster";
// Presumably identifies the identity the caller wants the token issued for -
// confirm against the server implementation.
string identity = 4;
// List of capabilities to request for the token.
// Each entry references a "chainguard.capabilities/Capability" resource.
// NOTE(review): these are requested, not granted, values; the check that the
// caller may hold them has to live in the server, which is not visible here.
repeated string cap = 5 [(google.api.resource_reference) = {
type: "chainguard.capabilities/Capability"
}];
// `include_upstream_token` field was deprecated and removed.
// Number and name stay reserved so a later field cannot reuse them with a
// different meaning.
reserved 6;
reserved "include_upstream_token";
// Empty or the UIDP of the custom identity provider.
string identity_provider = 7;
}
// RawToken is the response of SecurityTokenService.Exchange and the element
// type of both TokenPair fields.
//
// NOTE(review): both fields presumably hold bearer credentials as plain
// strings - handle the whole message as a secret: keep it out of logs, traces
// and error messages.
message RawToken {
// The issued token, as a string. The encoding is not stated in this file.
string token = 1;
// A refresh token, as a string. Whether Exchange always populates it cannot be
// told from this file - confirm.
string refresh_token = 2;
}
// TokenPair is the response of SecurityTokenService.ExchangeRefreshToken.
// It returns a pair of tokens so that the refresh token can be rotated along
// with the token itself.
//
// NOTE(review): both fields are RawToken messages, and RawToken has a `token`
// and a `refresh_token` string of its own; which inner field carries the value
// in each position is not stated here - confirm before relying on it.
message TokenPair {
// The newly issued token.
RawToken token = 1;
// The refresh token returned alongside it.
RawToken refresh_token = 2;
}