You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
236 lines
9.0 KiB
236 lines
9.0 KiB
// Copyright 2015 Google LLC
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
syntax = "proto3";
|
|
|
|
package google.api;
|
|
|
|
option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
|
|
option java_multiple_files = true;
|
|
option java_outer_classname = "AuthProto";
|
|
option java_package = "com.google.api";
|
|
option objc_class_prefix = "GAPI";
|
|
|
|
// `Authentication` defines the authentication configuration for API methods
|
|
// provided by an API service.
|
|
//
|
|
// Example:
|
|
//
|
|
// name: calendar.googleapis.com
|
|
// authentication:
|
|
// providers:
|
|
// - id: google_calendar_auth
|
|
// jwks_uri: https://www.googleapis.com/oauth2/v1/certs
|
|
// issuer: https://securetoken.google.com
|
|
// rules:
|
|
// - selector: "*"
|
|
// requirements:
|
|
// provider_id: google_calendar_auth
|
|
// - selector: google.calendar.Delegate
|
|
// oauth:
|
|
// canonical_scopes: https://www.googleapis.com/auth/calendar.read
|
|
message Authentication {
|
|
// A list of authentication rules that apply to individual API methods.
|
|
//
|
|
// **NOTE:** All service configuration rules follow "last one wins" order.
|
|
repeated AuthenticationRule rules = 3;
|
|
|
|
// Defines a set of authentication providers that a service supports.
|
|
repeated AuthProvider providers = 4;
|
|
}
|
|
|
|
// Authentication rules for the service.
|
|
//
|
|
// By default, if a method has any authentication requirements, every request
|
|
// must include a valid credential matching one of the requirements.
|
|
// It's an error to include more than one kind of credential in a single
|
|
// request.
|
|
//
|
|
// If a method doesn't have any auth requirements, request credentials will be
|
|
// ignored.
|
|
message AuthenticationRule {
|
|
// Selects the methods to which this rule applies.
|
|
//
|
|
// Refer to [selector][google.api.DocumentationRule.selector] for syntax details.
|
|
string selector = 1;
|
|
|
|
// The requirements for OAuth credentials.
|
|
OAuthRequirements oauth = 2;
|
|
|
|
// If true, the service accepts API keys without any other credential.
|
|
// This flag only applies to HTTP and gRPC requests.
|
|
bool allow_without_credential = 5;
|
|
|
|
// Requirements for additional authentication providers.
|
|
repeated AuthRequirement requirements = 7;
|
|
}
|
|
|
|
// Specifies a location to extract JWT from an API request.
|
|
message JwtLocation {
|
|
oneof in {
|
|
// Specifies HTTP header name to extract JWT token.
|
|
string header = 1;
|
|
|
|
// Specifies URL query parameter name to extract JWT token.
|
|
string query = 2;
|
|
|
|
// Specifies cookie name to extract JWT token.
|
|
string cookie = 4;
|
|
}
|
|
|
|
// The value prefix. The value format is "value_prefix{token}"
|
|
// Only applies to "in" header type. Must be empty for "in" query type.
|
|
// If not empty, the header value has to match (case sensitive) this prefix.
|
|
// If not matched, JWT will not be extracted. If matched, JWT will be
|
|
// extracted after the prefix is removed.
|
|
//
|
|
// For example, for "Authorization: Bearer {JWT}",
|
|
// value_prefix="Bearer " with a space at the end.
|
|
string value_prefix = 3;
|
|
}
|
|
|
|
// Configuration for an authentication provider, including support for
|
|
// [JSON Web Token
|
|
// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
|
|
message AuthProvider {
|
|
// The unique identifier of the auth provider. It will be referred to by
|
|
// `AuthRequirement.provider_id`.
|
|
//
|
|
// Example: "bookstore_auth".
|
|
string id = 1;
|
|
|
|
// Identifies the principal that issued the JWT. See
|
|
// https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
|
|
// Usually a URL or an email address.
|
|
//
|
|
// Example: https://securetoken.google.com
|
|
// Example: 1234567-compute@developer.gserviceaccount.com
|
|
string issuer = 2;
|
|
|
|
// URL of the provider's public key set to validate signature of the JWT. See
|
|
// [OpenID
|
|
// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
|
|
// Optional if the key set document:
|
|
// - can be retrieved from
|
|
// [OpenID
|
|
// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
|
|
// of the issuer.
|
|
// - can be inferred from the email domain of the issuer (e.g. a Google
|
|
// service account).
|
|
//
|
|
// Example: https://www.googleapis.com/oauth2/v1/certs
|
|
string jwks_uri = 3;
|
|
|
|
// The list of JWT
|
|
// [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
|
|
// that are allowed to access. A JWT containing any of these audiences will
|
|
// be accepted. When this setting is absent, JWTs with audiences:
|
|
// - "https://[service.name]/[google.protobuf.Api.name]"
|
|
// - "https://[service.name]/"
|
|
// will be accepted.
|
|
// For example, if no audiences are in the setting, LibraryService API will
|
|
// accept JWTs with the following audiences:
|
|
// -
|
|
// https://library-example.googleapis.com/google.example.library.v1.LibraryService
|
|
// - https://library-example.googleapis.com/
|
|
//
|
|
// Example:
|
|
//
|
|
// audiences: bookstore_android.apps.googleusercontent.com,
|
|
// bookstore_web.apps.googleusercontent.com
|
|
string audiences = 4;
|
|
|
|
// Redirect URL if JWT token is required but not present or is expired.
|
|
// Implement authorizationUrl of securityDefinitions in OpenAPI spec.
|
|
string authorization_url = 5;
|
|
|
|
// Defines the locations to extract the JWT. For now it is only used by the
|
|
// Cloud Endpoints to store the OpenAPI extension [x-google-jwt-locations]
|
|
// (https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations)
|
|
//
|
|
// JWT locations can be one of HTTP headers, URL query parameters or
|
|
// cookies. The rule is that the first match wins.
|
|
//
|
|
// If not specified, default to use following 3 locations:
|
|
// 1) Authorization: Bearer
|
|
// 2) x-goog-iap-jwt-assertion
|
|
// 3) access_token query parameter
|
|
//
|
|
// Default locations can be specified as followings:
|
|
// jwt_locations:
|
|
// - header: Authorization
|
|
// value_prefix: "Bearer "
|
|
// - header: x-goog-iap-jwt-assertion
|
|
// - query: access_token
|
|
repeated JwtLocation jwt_locations = 6;
|
|
}
|
|
|
|
// OAuth scopes are a way to define data and permissions on data. For example,
|
|
// there are scopes defined for "Read-only access to Google Calendar" and
|
|
// "Access to Cloud Platform". Users can consent to a scope for an application,
|
|
// giving it permission to access that data on their behalf.
|
|
//
|
|
// OAuth scope specifications should be fairly coarse grained; a user will need
|
|
// to see and understand the text description of what your scope means.
|
|
//
|
|
// In most cases: use one or at most two OAuth scopes for an entire family of
|
|
// products. If your product has multiple APIs, you should probably be sharing
|
|
// the OAuth scope across all of those APIs.
|
|
//
|
|
// When you need finer grained OAuth consent screens: talk with your product
|
|
// management about how developers will use them in practice.
|
|
//
|
|
// Please note that even though each of the canonical scopes is enough for a
|
|
// request to be accepted and passed to the backend, a request can still fail
|
|
// due to the backend requiring additional scopes or permissions.
|
|
message OAuthRequirements {
|
|
// The list of publicly documented OAuth scopes that are allowed access. An
|
|
// OAuth token containing any of these scopes will be accepted.
|
|
//
|
|
// Example:
|
|
//
|
|
// canonical_scopes: https://www.googleapis.com/auth/calendar,
|
|
// https://www.googleapis.com/auth/calendar.read
|
|
string canonical_scopes = 1;
|
|
}
|
|
|
|
// User-defined authentication requirements, including support for
|
|
// [JSON Web Token
|
|
// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
|
|
message AuthRequirement {
|
|
// [id][google.api.AuthProvider.id] from authentication provider.
|
|
//
|
|
// Example:
|
|
//
|
|
// provider_id: bookstore_auth
|
|
string provider_id = 1;
|
|
|
|
// NOTE: This will be deprecated soon, once AuthProvider.audiences is
|
|
// implemented and accepted in all the runtime components.
|
|
//
|
|
// The list of JWT
|
|
// [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
|
|
// that are allowed to access. A JWT containing any of these audiences will
|
|
// be accepted. When this setting is absent, only JWTs with audience
|
|
// "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]"
|
|
// will be accepted. For example, if no audiences are in the setting,
|
|
// LibraryService API will only accept JWTs with the following audience
|
|
// "https://library-example.googleapis.com/google.example.library.v1.LibraryService".
|
|
//
|
|
// Example:
|
|
//
|
|
// audiences: bookstore_android.apps.googleusercontent.com,
|
|
// bookstore_web.apps.googleusercontent.com
|
|
string audiences = 2;
|
|
}
|
|
|