mirror of https://github.com/hashicorp/boundary
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
391 lines
19 KiB
391 lines
19 KiB
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
syntax = "proto3";
|
|
|
|
package controller.api.services.v1;
|
|
|
|
import "controller/api/resources/authmethods/v1/auth_method.proto";
|
|
import "controller/api/resources/authtokens/v1/authtoken.proto";
|
|
import "controller/custom_options/v1/options.proto";
|
|
import "google/api/annotations.proto";
|
|
import "google/api/visibility.proto";
|
|
import "google/protobuf/field_mask.proto";
|
|
import "google/protobuf/struct.proto";
|
|
import "protoc-gen-openapiv2/options/annotations.proto";
|
|
|
|
option go_package = "github.com/hashicorp/boundary/internal/gen/controller/api/services;services";
|
|
option (custom_options.v1.domain) = "auth";
|
|
|
|
service AuthMethodService {
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_tag) = {
|
|
name: "Auth method service"
|
|
description:
|
|
"The auth method service exposes endpoints for interacting with auth methods in Boundary. "
|
|
"An auth method defines how users can authenticate themselves within the system. "
|
|
"It acts as a bridge between Boundary and various external identity providers or authentication mechanisms."
|
|
external_docs: {
|
|
url: "https://developer.hashicorp.com/boundary/docs/concepts/domain-model/auth-methods";
|
|
description: "Read about auth methods in the Boundary domain model";
|
|
}
|
|
};
|
|
// GetAuthMethod returns a stored auth method if present. The provided request
|
|
// must include the auth method id. If missing, malformed or referencing a
|
|
// non existing resource an error is returned.
|
|
rpc GetAuthMethod(GetAuthMethodRequest) returns (GetAuthMethodResponse) {
|
|
option (google.api.http) = {
|
|
get: "/v1/auth-methods/{id}"
|
|
response_body: "item"
|
|
};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Gets a single auth method."};
|
|
}
|
|
|
|
// ListAuthMethods returns a list of stored auth methods which are in the
|
|
// provided scope. The request must include the scope ID and if missing,
|
|
// malformed, or referencing a non existing scope, an error is returned.
|
|
rpc ListAuthMethods(ListAuthMethodsRequest) returns (ListAuthMethodsResponse) {
|
|
option (google.api.http) = {get: "/v1/auth-methods"};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Lists all auth methods."};
|
|
}
|
|
|
|
// CreateAuthMethod creates and stores an auth method in Boundary. The
|
|
// provided request must include the scope in which the auth method will be
|
|
// created. If the scope ID is missing, malformed or referencing a
|
|
// non existing resource an error is returned. If a name is provided that is
|
|
// in use in another auth method in the same scope, an error is returned.
|
|
rpc CreateAuthMethod(CreateAuthMethodRequest) returns (CreateAuthMethodResponse) {
|
|
option (google.api.http) = {
|
|
post: "/v1/auth-methods"
|
|
body: "item"
|
|
response_body: "item"
|
|
};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Creates a single auth method."};
|
|
}
|
|
|
|
// UpdateAuthMethod updates an existing auth method in Boundary. The provided
|
|
// auth method must not have any read only fields set. The update mask must be
|
|
// included in the request and contain at least 1 mutable field. To unset
|
|
// a field's value, include the field in the update mask and don't set it
|
|
// in the provided user. An error is returned if the auth method ID is missing
|
|
// or reference a non existing resource. An error is also returned if the
|
|
// request attempts to update the name to one that is already in use by
|
|
// another auth method in the parent scope.
|
|
rpc UpdateAuthMethod(UpdateAuthMethodRequest) returns (UpdateAuthMethodResponse) {
|
|
option (google.api.http) = {
|
|
patch: "/v1/auth-methods/{id}"
|
|
body: "item"
|
|
response_body: "item"
|
|
};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Updates an auth method."};
|
|
}
|
|
|
|
// DeleteAuthMethod removes an auth method from Boundary. If the auth method id
|
|
// is malformed or not provided an error is returned.
|
|
rpc DeleteAuthMethod(DeleteAuthMethodRequest) returns (DeleteAuthMethodResponse) {
|
|
option (google.api.http) = {delete: "/v1/auth-methods/{id}"};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Deletes an AuthMethod"};
|
|
}
|
|
|
|
// ChangeState changes the state of an auth method from Boundary.
|
|
rpc ChangeState(ChangeStateRequest) returns (ChangeStateResponse) {
|
|
option (google.api.http) = {
|
|
post: "/v1/auth-methods/{id}:change-state"
|
|
body: "*"
|
|
response_body: "item"
|
|
};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Changes the state of an OIDC AuthMethod"};
|
|
}
|
|
|
|
// Authenticate validates credentials provided and returns an Auth Token.
|
|
rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse) {
|
|
option (google.api.http) = {
|
|
post: "/v1/auth-methods/{auth_method_id}:authenticate"
|
|
body: "*"
|
|
};
|
|
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Authenticate a user to an scope and retrieve an authentication token."};
|
|
}
|
|
}
|
|
|
|
message GetAuthMethodRequest {
|
|
// ID of the auth method being requested.
|
|
string id = 1; // @gotags: `class:"public" eventstream:"observation"`
|
|
}
|
|
|
|
message GetAuthMethodResponse {
|
|
resources.authmethods.v1.AuthMethod item = 1;
|
|
}
|
|
|
|
message ListAuthMethodsRequest {
|
|
// The scope ID in which to list auth methods.
|
|
string scope_id = 1 [json_name = "scope_id"]; // @gotags: `class:"public" eventstream:"observation"`
|
|
// Whether to recursively list auth methods in the provided scope's child scopes.
|
|
bool recursive = 20 [json_name = "recursive"]; // @gotags: `class:"public" eventstream:"observation"`
|
|
// You can specify that the filter should only return items that match.
|
|
// Refer to [filter expressions](https://developer.hashicorp.com/boundary/docs/concepts/filtering) for more information.
|
|
string filter = 30 [json_name = "filter"]; // @gotags: `class:"public"`
|
|
// An opaque token that Boundary uses to continue an existing iteration or
|
|
// request updated items. If you do not specify a token, pagination
|
|
// starts from the beginning. To learn more about list pagination
|
|
// in Boundary, refer to [list pagination](https://developer.hashicorp.com/boundary/docs/api-clients/api/pagination).
|
|
string list_token = 40 [json_name = "list_token"]; // @gotags: `class:"public"`
|
|
// The maximum size of a page in this iteration.
|
|
// If you do not set a page size, Boundary uses the configured default page size.
|
|
// If the page_size is greater than the default page size configured,
|
|
// Boundary truncates the page size to this number.
|
|
uint32 page_size = 50 [json_name = "page_size"]; // @gotags: `class:"public"`
|
|
}
|
|
|
|
message ListAuthMethodsResponse {
|
|
// The items returned in this page.
|
|
repeated resources.authmethods.v1.AuthMethod items = 1;
|
|
// The type of response, either "delta" or "complete".
|
|
// Delta signifies that this is part of a paginated result
|
|
// or an update to a previously completed pagination.
|
|
// Complete signifies that it is the last page.
|
|
string response_type = 2 [json_name = "response_type"]; // @gotags: `class:"public"`
|
|
// An opaque token used to continue an existing pagination or
|
|
// request updated items. Use this token in the next list request
|
|
// to request the next page.
|
|
string list_token = 3 [json_name = "list_token"]; // @gotags: `class:"public"`
|
|
// The name of the field which the items are sorted by.
|
|
string sort_by = 4 [json_name = "sort_by"]; // @gotags: `class:"public"`
|
|
// The direction of the sort, either "asc" or "desc".
|
|
string sort_dir = 5 [json_name = "sort_dir"]; // @gotags: `class:"public"`
|
|
// A list of item IDs that have been removed since they were returned
|
|
// as part of a pagination. They should be dropped from any client cache.
|
|
// This may contain items that are not known to the cache, if they were
|
|
// created and deleted between listings.
|
|
repeated string removed_ids = 6 [json_name = "removed_ids"]; // @gotags: `class:"public"`
|
|
// An estimate at the total items available. This may change during pagination.
|
|
uint32 est_item_count = 7 [json_name = "est_item_count"]; // @gotags: `class:"public"`
|
|
}
|
|
|
|
message CreateAuthMethodRequest {
|
|
resources.authmethods.v1.AuthMethod item = 1;
|
|
}
|
|
|
|
message CreateAuthMethodResponse {
|
|
string uri = 1; // @gotags: `class:"public" eventstream:"observation"`
|
|
resources.authmethods.v1.AuthMethod item = 2;
|
|
}
|
|
|
|
message UpdateAuthMethodRequest {
|
|
// The ID of the auth method that should be updated
|
|
string id = 1; // @gotags: `class:"public" eventstream:"observation"`
|
|
// A subset of the auth method containing the fields to update.
|
|
resources.authmethods.v1.AuthMethod item = 2;
|
|
google.protobuf.FieldMask update_mask = 3 [json_name = "update_mask"];
|
|
}
|
|
|
|
message UpdateAuthMethodResponse {
|
|
resources.authmethods.v1.AuthMethod item = 1;
|
|
}
|
|
|
|
message DeleteAuthMethodRequest {
|
|
// The ID of the auth method to delete.
|
|
string id = 1; // @gotags: `class:"public" eventstream:"observation"`
|
|
}
|
|
|
|
message DeleteAuthMethodResponse {}
|
|
|
|
// Attributes specific to changing the state of an OIDC auth method.
|
|
message OidcChangeStateAttributes {
|
|
// state must be `inactive`, `active-private`, or `active-public`
|
|
string state = 1; // @gotags: `class:"public"`
|
|
// This flag is only useful for an OIDC auth method. It should not be used
|
|
// unless the OIDC provider's config is incorrectly set and is stopping the
|
|
// activation of this auth method.
|
|
bool disable_discovered_config_validation = 2 [json_name = "disable_discovered_config_validation"]; // @gotags: `class:"public"`
|
|
}
|
|
|
|
message ChangeStateRequest {
|
|
string id = 1; // @gotags: `class:"public"`
|
|
// Version is used to ensure this resource has not changed.
|
|
// The mutation will fail if the version does not match the latest known good version.
|
|
uint32 version = 2; // @gotags: `class:"public"`
|
|
|
|
oneof attrs {
|
|
// The attributes specific to this auth method's state.
|
|
google.protobuf.Struct attributes = 4 [
|
|
(custom_options.v1.subtype) = "default",
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "{\"state\": \"active-public\", \"disable_discovered_config_validation\": false}",
|
|
description:
|
|
"The attributes that are applicable for the specific auth method type. "
|
|
"The schema of this field depends on the type of the auth method. "
|
|
"The only supported auth method type is OIDC.\n"
|
|
"For OIDC auth methods, the parameters are:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"state\": \"active-public\",\n"
|
|
" \"disable_discovered_config_validation\": false\n"
|
|
"}\n"
|
|
"```\n"
|
|
}
|
|
];
|
|
OidcChangeStateAttributes oidc_change_state_attributes = 5 [
|
|
(custom_options.v1.subtype) = "oidc",
|
|
(google.api.field_visibility).restriction = "INTERNAL"
|
|
];
|
|
}
|
|
}
|
|
|
|
message ChangeStateResponse {
|
|
resources.authmethods.v1.AuthMethod item = 1;
|
|
}
|
|
|
|
// The layout of the struct for "attributes" field in AuthenticateRequest for a password type.
|
|
// This message isn't directly referenced anywhere but is used here to define the expected
|
|
// field names and types.
|
|
message PasswordLoginAttributes {
|
|
string login_name = 1 [json_name = "login_name"]; // @gotags: `class:"sensitive"`
|
|
string password = 2; // @gotags: `class:"secret"`
|
|
}
|
|
|
|
// The layout of the struct for "attributes" field in AuthenticateRequest for a OIDC type's start command. This message isn't directly referenced anywhere but is used here to define the expected field
|
|
// names and types.
|
|
message OidcStartAttributes {
|
|
// An object which will be marshaled as JSON and roundtripped in the token command call.
|
|
google.protobuf.Struct roundtrip_payload = 1 [json_name = "roundtrip_payload"];
|
|
// Cached marshaled payload. This is not ingressed from the client; anything found will be thrown out.
|
|
string cached_roundtrip_payload = 2; // @gotags: `class:"sensitive"`
|
|
}
|
|
|
|
// The layout of the struct for "attributes" field in AuthenticateRequest for an
|
|
// ldap type. This message isn't directly referenced anywhere but is used here
|
|
// to define the expected field names and types.
|
|
message LdapLoginAttributes {
|
|
string login_name = 10 [json_name = "login_name"]; // @gotags: `class:"sensitive"`
|
|
string password = 20; // @gotags: `class:"secret"`
|
|
}
|
|
|
|
message AuthenticateRequest {
|
|
// The ID of the auth method in the system that should be used for authentication.
|
|
string auth_method_id = 1 [json_name = "auth_method_id"]; // @gotags: `class:"public" eventstream:"observation"`
|
|
// This can be "cookie" or "token". If not provided, "token" will be used. "cookie" activates a split-cookie method where the token is split partially between http-only and regular cookies in order
|
|
// to keep it safe from rogue JS in the browser. Deprecated, use "type" instead.
|
|
string token_type = 2 [
|
|
json_name = "token_type",
|
|
deprecated = true
|
|
]; // @gotags: `class:"public"`
|
|
// This can be "cookie" or "token". If not provided, "token" will be used. "cookie" activates a split-cookie method where the token is split partially between http-only and regular cookies in order
|
|
// to keep it safe from rogue JS in the browser.
|
|
string type = 6 [json_name = "type"]; // @gotags: `class:"public" eventstream:"observation"`
|
|
oneof attrs {
|
|
// Attributes are passed to the auth method. The valid keys and values depend on the type of auth method as well as the command.
|
|
google.protobuf.Struct attributes = 4 [
|
|
json_name = "attributes",
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "{\"login\": \"login\", \"password\": \"password\"}",
|
|
description:
|
|
"The attributes that are used to authenticate to the auth method. "
|
|
"The schema of this field depends on the type of the auth method. "
|
|
"For password auth methods, the parameters are:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"login_name\": \"login_name\",\n"
|
|
" \"password\": \"password\"\n"
|
|
"}\n"
|
|
"```\n"
|
|
"For LDAP auth methods, the parameters are:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"login_name\": \"login_name\",\n"
|
|
" \"password\": \"password\"\n"
|
|
"}\n"
|
|
"```\n"
|
|
"For OIDC auth methods, the parameters are:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"roundtrip_payload\": {}\n"
|
|
"}\n"
|
|
"```\n"
|
|
"OIDC authentication requires multiple calls to this endpoint. "
|
|
"After the initial call and successful authentication, the OIDC "
|
|
"provider must redirect the user to the `callback` command:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"code\": \"code\",\n"
|
|
" \"state\": \"state\",\n"
|
|
" \"error\": \"error\",\n"
|
|
" \"error_description\": \"error_description\",\n"
|
|
" \"error_uri\": \"error_uri\"\n"
|
|
"}\n"
|
|
"```\n"
|
|
"Once this has succeded, the issued auth token can be retrieved by using the `token` command:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"token_id\": \"token_id_from_initial_response\"\n"
|
|
"}\n"
|
|
"```\n"
|
|
}
|
|
];
|
|
// Note: these fields have a custom mapping function for transforming to and from the generic attributes,
|
|
// they do not use the standard attribute transformation.
|
|
PasswordLoginAttributes password_login_attributes = 7 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
OidcStartAttributes oidc_start_attributes = 8 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackRequest oidc_auth_method_authenticate_callback_request = 9 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenRequest oidc_auth_method_authenticate_token_request = 10 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
LdapLoginAttributes ldap_login_attributes = 11 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
}
|
|
// The command to perform. One of "login", "callback", or "token".
|
|
string command = 5 [json_name = "command"]; // @gotags: `class:"public"`
|
|
|
|
// Deprecated fields
|
|
reserved "credentials";
|
|
reserved 3;
|
|
}
|
|
|
|
message AuthenticateResponse {
|
|
reserved 1, 2; // Old item and token_type
|
|
reserved "item", "token_type";
|
|
// The type of the token returned. Either "cookie" or "token".
|
|
string type = 3; // @gotags: `class:"public" eventstream:"observation"`
|
|
oneof attrs {
|
|
// Valid keys and values depend on the type of auth method as well as the command.
|
|
google.protobuf.Struct attributes = 4 [
|
|
json_name = "attributes",
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "{\"login\": \"login\", \"password\": \"password\"}",
|
|
description:
|
|
"The response attributes that are used to authenticate to the auth method. "
|
|
"The schema of this field depends on the type of the auth method. "
|
|
"For password, OIDC and LDAP auth methods, the response is an auth token:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"id\": \"token_id\",\n"
|
|
" \"scope_id\": \"scope_id\",\n"
|
|
" \"token\": \"token_string\",\n"
|
|
" \"user_id\": \"user_id\",\n"
|
|
" \"auth_method_id\": \"auth_method_id\",\n"
|
|
" \"account_id\": \"account_id\",\n"
|
|
" \"created_time\": \"token_created_time\",\n"
|
|
" \"updated_time\": \"token_updated_time\",\n"
|
|
" \"approximate_last_used_time\": \"token_approximate_last_used_time\",\n"
|
|
" \"expiration_time\": \"token_expiration_time\"\n"
|
|
"}\n"
|
|
"```\n"
|
|
"For OIDC auth methods, the initial parameters are:\n"
|
|
"```json\n"
|
|
"{\n"
|
|
" \"auth_url\": \"OIDC_auth_url\",\n"
|
|
" \"token_id\": \"OIDC_token_id\"\n"
|
|
"}\n"
|
|
"```\n"
|
|
"The `auth_url` is the URL that authenticating user should open "
|
|
"in the browser to authenticate with the OIDC provider. "
|
|
"The `token_id` should be used in subsequent calls to the `authenticate` endpoint "
|
|
"to retrieve the auth token.\n"
|
|
}
|
|
];
|
|
// Note: these fields have a custom mapping function for transforming to and from the generic attributes,
|
|
// they do not use the standard attribute transformation.
|
|
controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateStartResponse oidc_auth_method_authenticate_start_response = 6 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateCallbackResponse oidc_auth_method_authenticate_callback_response = 7 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
controller.api.resources.authmethods.v1.OidcAuthMethodAuthenticateTokenResponse oidc_auth_method_authenticate_token_response = 8 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
controller.api.resources.authtokens.v1.AuthToken auth_token_response = 9 [(google.api.field_visibility).restriction = "INTERNAL"];
|
|
}
|
|
// The command that was performed.
|
|
string command = 5 [json_name = "command"]; // @gotags: `class:"public"`
|
|
}
|