// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 syntax = "proto3"; package controller.api.resources.authmethods.v1; import "controller/api/resources/scopes/v1/scope.proto"; import "controller/custom_options/v1/options.proto"; import "google/api/field_behavior.proto"; import "google/api/visibility.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/wrappers.proto"; import "protoc-gen-openapiv2/options/annotations.proto"; option go_package = "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/authmethods;authmethods"; option (custom_options.v1.domain) = "auth"; // AuthMethod contains all fields related to an auth method resource message AuthMethod { // The ID of the auth method. string id = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; // @gotags: `class:"public" eventstream:"observation"` // The ID of the Scope of which this auth method is a part. string scope_id = 20 [json_name = "scope_id"]; // @gotags: `class:"public" eventstream:"observation"` // Scope information for this Auth method. resources.scopes.v1.ScopeInfo scope = 30 [(google.api.field_behavior) = OUTPUT_ONLY]; // Optional name for identification purposes. google.protobuf.StringValue name = 40 [ (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "name" that: "Name" } ]; // @gotags: `class:"public"` // Optional user-set description for identification purposes. google.protobuf.StringValue description = 50 [ (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "description" that: "Description" } ]; // @gotags: `class:"public"` // The time this resource was created. google.protobuf.Timestamp created_time = 60 [ json_name = "created_time", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public" eventstream:"observation"` // The time this resource was last updated. google.protobuf.Timestamp updated_time = 70 [ json_name = "updated_time", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public" eventstream:"observation"` // Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. // The mutation will fail if the version does not match the latest known good version. // Version is not required when you create an auth method. uint32 version = 80; // @gotags: `class:"public"` // The auth method type. string type = 90; // @gotags: `class:"public" eventstream:"observation"` oneof attrs { // The attributes that are applicable for the specific auth method type. google.protobuf.Struct attributes = 100 [ (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.subtype) = "default", (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "{\"min_login_name_length\": 10, \"min_password_length\": 16}", description: "The attributes that are applicable for the specific auth method type. " "The schema of this field depends on the type of the auth method " "that you create want to create.\n" "For password auth methods, the parameters are:\n" "```json\n" "{\n" " \"min_login_name_length\": \"min_login_name_length\",\n" " \"min_password_length\": \"min_password_length\"\n" "}\n" "```\n" "For OIDC auth methods, the parameters are:\n" "```json\n" "{\n" " \"issuer\": \"issuer\",\n" " \"client_id\": \"client_id\",\n" " \"client_secret\": \"client_secret\",\n" " \"max_age\": 3600,\n" " \"signing_algorithms\": [],\n" " \"api_url_prefix\": \"api_url_prefix\",\n" " \"idp_ca_certs\": [],\n" " \"allowed_audiences\": [],\n" " \"claims_scopes\": [],\n" " \"account_claim_maps\": [],\n" " \"disable_discovered_config_validation\": false,\n" " \"prompts\": []\n" "}\n" "```\n" "For LDAP auth methods, the parameters are:\n" "```json\n" "{\n" " \"start_tls\": false,\n" " \"insecure_tls\": false,\n" " \"discover_dn\": false,\n" " \"anon_group_search\": false,\n" " \"upn_domain\": \"upn_domain\",\n" " \"urls\": [],\n" " \"user_dn\": \"user_dn\",\n" " \"user_attr\": \"user_attr\",\n" " \"user_filter\": \"user_filter\",\n" " \"enable_groups\": false,\n" " \"group_dn\": \"group_dn\",\n" " \"group_attr\": \"group_attr\",\n" " \"group_filter\": \"group_filter\",\n" " \"certificates\": [],\n" " \"client_certificate\": \"client_certificate\",\n" " \"client_certificate_key\": \"client_certificate_key\",\n" " \"bind_dn\": \"bind_dn\",\n" " \"bind_password\": \"bind_password\",\n" " \"use_token_groups\": false,\n" " \"account_attribute_maps\": [],\n" " \"maximum_page_size\": 1000,\n" " \"dereference_aliases\": \"never\"\n" "}\n" "```\n" } ]; PasswordAuthMethodAttributes password_auth_method_attributes = 101 [ (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.subtype) = "password", (google.api.field_visibility).restriction = "INTERNAL" ]; OidcAuthMethodAttributes oidc_auth_methods_attributes = 102 [ (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.subtype) = "oidc", (google.api.field_visibility).restriction = "INTERNAL" ]; LdapAuthMethodAttributes ldap_auth_methods_attributes = 103 [ (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.subtype) = "ldap", (google.api.field_visibility).restriction = "INTERNAL" ]; } // Whether this auth method is the primary auth method for it's scope. // To change this value update the primary_auth_method_id field on the scope. bool is_primary = 110 [ json_name = "is_primary", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public" eventstream:"observation"` // The available actions on this resource for this user. repeated string authorized_actions = 300 [ json_name = "authorized_actions", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` // The authorized actions for the scope's collections. map authorized_collection_actions = 310 [ json_name = "authorized_collection_actions", (google.api.field_behavior) = OUTPUT_ONLY ]; // classified as public via taggable implementation } // The attributes of a password typed auth method. message PasswordAuthMethodAttributes { // The minimum length allowed for user names for accounts in this auth method. uint32 min_login_name_length = 10 [ json_name = "min_login_name_length", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.min_login_name_length" that: "MinLoginNameLength" } ]; // @gotags: `class:"public"` // The minimum length allowed for passwords for accounts in this auth method. uint32 min_password_length = 20 [ json_name = "min_password_length", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.min_password_length" that: "MinPasswordLength" } ]; // @gotags: `class:"public"` } // The attributes of an OIDC typed auth method. message OidcAuthMethodAttributes { // The state of the auth method. Will be "inactive", // "active-private", or "active-public". string state = 10 [ json_name = "state", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` // The issuer URL. Boundary expects only the schema, host, and port and will // strip off ".well-known/openid-configuration" if present. This will be // used for configuration discovery as well as for validation of the "iss" // claim. google.protobuf.StringValue issuer = 20 [ json_name = "issuer", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.issuer" that: "Issuer" } ]; // @gotags: `class:"public"` // An OAuth 2.0 Client Identifier valid at the Authorization Server. google.protobuf.StringValue client_id = 30 [ json_name = "client_id", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.client_id" that: "ClientId" } ]; // @gotags: `class:"public"` // The client's secret. google.protobuf.StringValue client_secret = 40 [ json_name = "client_secret", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.client_secret" that: "ClientSecret" }, (google.api.field_behavior) = INPUT_ONLY ]; // @gotags: `class:"secret"` // The HMAC'd value of the clients secret to indicate whether // the client secret has changed. string client_secret_hmac = 50 [ json_name = "client_secret_hmac", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` // The OIDC "max_age" parameter sent to the Authorization Server indicating // a maximum acceptable time in seconds since the user's last authentication // before requiring the user to reauthenticate. 0 indicates an immediate // need to reauthenticate. google.protobuf.UInt32Value max_age = 60 [ json_name = "max_age", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.max_age" that: "MaxAge" } ]; // @gotags: `class:"public"` // The signing algorithms allowed for the auth method. repeated string signing_algorithms = 70 [ json_name = "signing_algorithms", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.signing_algorithms" that: "SigningAlgs" } ]; // @gotags: `class:"public"` // The prefix that should be used for any URLs needed during the // authentication flow. This includes the callback URL, the token retrieval // URL, and the redirection URL used by the OIDC Authorization Server. google.protobuf.StringValue api_url_prefix = 80 [ json_name = "api_url_prefix", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.api_url_prefix" that: "ApiUrl" } ]; // @gotags: `class:"public"` // The callback URL that should be configured on the // Authorization Server to use during the authentication flow. string callback_url = 90 [ json_name = "callback_url", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` // Optional PEM-encoded X.509 CA certificates that can be used as trust anchors // when connecting to an OIDC provider. repeated string idp_ca_certs = 100 [ json_name = "idp_ca_certs", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.idp_ca_certs" that: "Certificates" } ]; // @gotags: `class:"public"` // Allowed audience claims for this auth method. repeated string allowed_audiences = 110 [ json_name = "allowed_audiences", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.allowed_audiences" that: "AudClaims" } ]; // @gotags: `class:"public"` // Optional claims scopes that will be requested during authentication. // see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims repeated string claims_scopes = 112 [ json_name = "claims_scopes", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.claims_scopes" that: "ClaimsScopes" } ]; // @gotags: `class:"public"` // account_claim_maps are optional claim maps from custom claims to the // standard claims of sub, name and email. These maps are represented as // key=value where the key equals the from_claim and the value equals the // to_claim. For example "oid=sub". repeated string account_claim_maps = 113 [ json_name = "account_claim_maps", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.account_claim_maps" that: "AccountClaimMaps" } ]; // @gotags: `class:"public"` // If the Authorization Server's discovered configuration contains values // that do not match the configuration set on this auth method, this can be // set to force the local configuration to override the discovered values. // This is useful in the case of slow-changing or incorrect values announced // by the Authorization Server. NOTE: For safety, not providing this value // will be treated the same as "false"; that is, every time the method is // updated or the state is changed, this value must be set to "true" or it // will be disabled. bool disable_discovered_config_validation = 120 [ json_name = "disable_discovered_config_validation", (custom_options.v1.generate_sdk_option) = true ]; // @gotags: `class:"public"` // dry_run, when set on an update request, indicates that the changes should // not be persisted. Boundary will still perform the normal checks to confirm // the auth method is complete and validated against the discovered config. // This value will also be set on the returned resource when set in the request // along with the updated fields applied to the resource (but not persisted) as // a result of the update request. bool dry_run = 130 [ json_name = "dry_run", (custom_options.v1.generate_sdk_option) = true ]; // @gotags: `class:"public"` // The prompts allowed for the auth method. repeated string prompts = 140 [ json_name = "prompts", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.prompts" that: "Prompts" } ]; // @gotags: `class:"public"` } // The structure of the OIDC authenticate start response, in the JSON object message OidcAuthMethodAuthenticateStartResponse { // The returned authentication URL string auth_url = 10 [json_name = "auth_url"]; // @gotags: `class:"public"` // The returned token ID string token_id = 30 [json_name = "token_id"]; // @gotags: `class:"public"` } // The structure of OIDC callback request parameters message OidcAuthMethodAuthenticateCallbackRequest { // The returned code string code = 10 [json_name = "code"]; // @gotags: `class:"secret"` // The returned state string state = 20 [json_name = "state"]; // @gotags: `class:"public"` // Error parameters, if they are returned string error = 30 [json_name = "error"]; // @gotags: `class:"public"` string error_description = 40 [json_name = "error_description"]; // @gotags: `class:"public"` string error_uri = 50 [json_name = "error_uri"]; // @gotags: `class:"public"` } // The structure of OIDC callback response parameters message OidcAuthMethodAuthenticateCallbackResponse { // The final redirection URL string final_redirect_url = 10 [json_name = "final_redirect_url"]; // @gotags: `class:"public"` } // The structure of OIDC token request parameters message OidcAuthMethodAuthenticateTokenRequest { // The ID of the pending token string token_id = 10 [json_name = "token_id"]; // @gotags: `class:"secret"` } // Internal only: the structure of a token response if it _does not_ contain a // token. message OidcAuthMethodAuthenticateTokenResponse { // The status. This will always be "unknown". It will never be forwarded to // the consumer. string status = 10; // @gotags: `class:"public"` } // The attributes of an LDAP typed auth method. message LdapAuthMethodAttributes { // The state of the auth method. Will be "inactive", // "active-private", or "active-public". string state = 10 [ json_name = "state", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.state" that: "OperationalState" }, (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` // start_tls if true, issues a StartTLS command after establishing an // unencrypted connection. Defaults to false. bool start_tls = 20 [ json_name = "start_tls", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.start_tls" that: "StartTls" } ]; // @gotags: `class:"public"` // insecure_tls if true, skips LDAP server SSL certificate validation - // insecure and use with caution. Defaults to false. bool insecure_tls = 30 [ json_name = "insecure_tls", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.insecure_tls" that: "InsecureTls" } ]; // @gotags: `class:"public"` // discover_dn if true, use anon bind to discover the bind DN of a user. // Defaults to false. bool discover_dn = 40 [ json_name = "discover_dn", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.discover_dn" that: "DiscoverDn" } ]; // @gotags: `class:"public"` // anon_group_search if true, use anon bind when performing LDAP group // searches. Defaults to false. bool anon_group_search = 50 [ json_name = "anon_group_search", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.anon_group_search" that: "AnonGroupSearch" } ]; // @gotags: `class:"public"` // upn_domain is the userPrincipalDomain used to construct the UPN string for // the authenticating user. The constructed UPN will appear as // [username]@UPNDomain Example: example.com, which will cause Boundary to // bind as username@example.com when authenticating the user. google.protobuf.StringValue upn_domain = 60 [ json_name = "upn_domain", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.upn_domain" that: "UpnDomain" } ]; // @gotags: `class:"public"` // urls are the LDAP URLS that specify LDAP servers to connection to. There // must be at lease on URL for each LDAP auth method. When attempting to // connect, the URLs are tried in the order specified. These are Value Objects // that will be stored as Url messages, and are operated on as a complete set // (not individually). repeated string urls = 70 [ json_name = "urls", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.urls" that: "Urls" } ]; // @gotags: `class:"public"` // user_dn (optional) is the base DN under which to perform user search. // Example: ou=Users,dc=example,dc=com google.protobuf.StringValue user_dn = 80 [ json_name = "user_dn", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.user_dn" that: "UserDn" } ]; // @gotags: `class:"public"` // user_attr (optional) is the attribute on user attribute entry matching the // username passed when authenticating. Examples: cn, uid google.protobuf.StringValue user_attr = 90 [ json_name = "user_attr", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.user_attr" that: "UserAttr" } ]; // @gotags: `class:"public"` // user_filter (optional) is a go template used to construct a LDAP user // search filter. The template can access the following context variables: // [UserAttr, Username]. The default userfilter is // ({{.UserAttr}}={{.Username}}) or // (userPrincipalName={{.Username}}@UPNDomain) if the upndomain parameter is // set. google.protobuf.StringValue user_filter = 100 [ json_name = "user_filter", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.user_filter", that: "UserFilter" } ]; // @gotags: `class:"public"` // enable_groups if true, an authenticated user's groups will be found during // authentication. Defaults to false. bool enable_groups = 110 [ json_name = "enable_groups", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.enable_groups" that: "EnableGroups" } ]; // @gotags: `class:"public"` // group_dn (optional) is the base DN under which to perform user search. // Example: ou=Groups,dc=example,dc=com // // Note: there is no default, so no base dn will be used for group searches if // it's not specified. google.protobuf.StringValue group_dn = 120 [ json_name = "group_dn", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.group_dn" that: "GroupDn" } ]; // @gotags: `class:"public"` // group_attr (optional) is the LDAP attribute to follow on objects returned // by GroupFilter in order to enumerate user group membership. Examples: for // GroupFilter queries returning group objects, use: cn. For queries returning // user objects, use: memberOf. The default is cn. google.protobuf.StringValue group_attr = 130 [ json_name = "group_attr", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.group_attr" that: "GroupAttr" } ]; // @gotags: `class:"public"` // group_filter (optional) is a Go template used when constructing the group // membership query. The template can access the following context variables: // [UserDN, Username]. The default is // (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})), // which is compatible with several common directory schemas. google.protobuf.StringValue group_filter = 140 [ json_name = "group_filter", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.group_filter", that: "GroupFilter" } ]; // @gotags: `class:"public"` // certificates are optional PEM encoded x509 certificates in ASN.1 DER form // that can be used as trust anchors when connecting to an LDAP provider. // These are Value Objects that will be stored as Certificate messages, and // are operatated on as a complete set (not individually). repeated string certificates = 150 [ json_name = "certificates", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.certificates" that: "Certificates" } ]; // @gotags: `class:"public"` // client_certificate is the optional certificate encoded as PEM. It must be // set if an optional client_certificate_key specified google.protobuf.StringValue client_certificate = 160 [ json_name = "client_certificate", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.client_certificate", that: "ClientCertificate" } ]; // @gotags: `class:"public"` // The client_certificate_key (optional) is the plain-text of the // certificate key data encoded as PEM. google.protobuf.StringValue client_certificate_key = 170 [ json_name = "client_certificate_key", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.client_certificate_key", that: "ClientCertificateKey" }, (google.api.field_behavior) = INPUT_ONLY ]; // @gotags: `class:"secret"` // The HMAC'd value of the client certificate key to indicate // whether the certificate key has changed. string client_certificate_key_hmac = 180 [ json_name = "client_certificate_key_hmac", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` // bind_dn (optional) is the distinguished name of entry to bind when // performing user and group search. Example: // cn=vault,ou=Users,dc=example,dc=com google.protobuf.StringValue bind_dn = 190 [ json_name = "bind_dn", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.bind_dn", that: "BindDn" } ]; // @gotags: `class:"public"` // The bind_password (optional) is the password to use along with // binddn when performing user search. google.protobuf.StringValue bind_password = 200 [ json_name = "bind_password", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.bind_password", that: "BindPassword" }, (google.api.field_behavior) = INPUT_ONLY ]; // @gotags: `class:"secret"` // The HMAC'd value of the bind password to indicate // whether the password has changed. string bind_password_hmac = 210 [ json_name = "bind_password_hmac", (google.api.field_behavior) = OUTPUT_ONLY ]; // @gotags: `class:"public"` bool use_token_groups = 220 [ json_name = "use_token_groups", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.use_token_groups" that: "UseTokenGroups" } ]; // @gotags: `class:"public"` // account_attribute_maps are optional attribute maps from custom attributes // to the standard attributes of fullname and email. These maps are // represented as key=value where the key equals the from_attribute and the // value equals the to_attribute. For example "preferredName=fullName". All // attribute names are case insensitive. repeated string account_attribute_maps = 230 [ json_name = "account_attribute_maps", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.account_attribute_maps" that: "AccountAttributeMaps" } ]; // @gotags: `class:"public"` // maximum_page_size (optional) specifies a maximum ldap search result size to // use when retrieving the authenticated user's group memberships. This can // be used to avoid reaching the LDAP server's max result size. uint32 maximum_page_size = 240 [ json_name = "maximum_page_size", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.maximum_page_size", that: "MaximumPageSize" } ]; // @gotags: `class:"public"` // dereference_aliases (optional) will control how aliases are dereferenced when // performing the search. Possible values are: never, finding, searching, // and always. If unset, a default of "never" is used. When set to // "finding", it will only dereference aliases during name resolution of the // base. When set to "searching", it will dereference aliases after name // resolution. google.protobuf.StringValue dereference_aliases = 250 [ json_name = "dereference_aliases", (custom_options.v1.generate_sdk_option) = true, (custom_options.v1.mask_mapping) = { this: "attributes.dereference_aliases", that: "DereferenceAliases" } ]; // @gotags: `class:"public"` }