1*d5c09012SAndroid Build Coastguard Worker// Copyright 2023 Google LLC 2*d5c09012SAndroid Build Coastguard Worker// 3*d5c09012SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License"); 4*d5c09012SAndroid Build Coastguard Worker// you may not use this file except in compliance with the License. 5*d5c09012SAndroid Build Coastguard Worker// You may obtain a copy of the License at 6*d5c09012SAndroid Build Coastguard Worker// 7*d5c09012SAndroid Build Coastguard Worker// http://www.apache.org/licenses/LICENSE-2.0 8*d5c09012SAndroid Build Coastguard Worker// 9*d5c09012SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software 10*d5c09012SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS, 11*d5c09012SAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*d5c09012SAndroid Build Coastguard Worker// See the License for the specific language governing permissions and 13*d5c09012SAndroid Build Coastguard Worker// limitations under the License. 14*d5c09012SAndroid Build Coastguard Worker 15*d5c09012SAndroid Build Coastguard Workersyntax = "proto3"; 16*d5c09012SAndroid Build Coastguard Worker 17*d5c09012SAndroid Build Coastguard Workerpackage google.api; 18*d5c09012SAndroid Build Coastguard Worker 19*d5c09012SAndroid Build Coastguard Workeroption go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig"; 20*d5c09012SAndroid Build Coastguard Workeroption java_multiple_files = true; 21*d5c09012SAndroid Build Coastguard Workeroption java_outer_classname = "AuthProto"; 22*d5c09012SAndroid Build Coastguard Workeroption java_package = "com.google.api"; 23*d5c09012SAndroid Build Coastguard Workeroption objc_class_prefix = "GAPI"; 24*d5c09012SAndroid Build Coastguard Worker 25*d5c09012SAndroid Build Coastguard Worker// `Authentication` defines the authentication configuration for API methods 26*d5c09012SAndroid Build Coastguard Worker// provided by an API service. 27*d5c09012SAndroid Build Coastguard Worker// 28*d5c09012SAndroid Build Coastguard Worker// Example: 29*d5c09012SAndroid Build Coastguard Worker// 30*d5c09012SAndroid Build Coastguard Worker// name: calendar.googleapis.com 31*d5c09012SAndroid Build Coastguard Worker// authentication: 32*d5c09012SAndroid Build Coastguard Worker// providers: 33*d5c09012SAndroid Build Coastguard Worker// - id: google_calendar_auth 34*d5c09012SAndroid Build Coastguard Worker// jwks_uri: https://www.googleapis.com/oauth2/v1/certs 35*d5c09012SAndroid Build Coastguard Worker// issuer: https://securetoken.google.com 36*d5c09012SAndroid Build Coastguard Worker// rules: 37*d5c09012SAndroid Build Coastguard Worker// - selector: "*" 38*d5c09012SAndroid Build Coastguard Worker// requirements: 39*d5c09012SAndroid Build Coastguard Worker// provider_id: google_calendar_auth 40*d5c09012SAndroid Build Coastguard Worker// - selector: google.calendar.Delegate 41*d5c09012SAndroid Build Coastguard Worker// oauth: 42*d5c09012SAndroid Build Coastguard Worker// canonical_scopes: https://www.googleapis.com/auth/calendar.read 43*d5c09012SAndroid Build Coastguard Workermessage Authentication { 44*d5c09012SAndroid Build Coastguard Worker // A list of authentication rules that apply to individual API methods. 45*d5c09012SAndroid Build Coastguard Worker // 46*d5c09012SAndroid Build Coastguard Worker // **NOTE:** All service configuration rules follow "last one wins" order. 47*d5c09012SAndroid Build Coastguard Worker repeated AuthenticationRule rules = 3; 48*d5c09012SAndroid Build Coastguard Worker 49*d5c09012SAndroid Build Coastguard Worker // Defines a set of authentication providers that a service supports. 50*d5c09012SAndroid Build Coastguard Worker repeated AuthProvider providers = 4; 51*d5c09012SAndroid Build Coastguard Worker} 52*d5c09012SAndroid Build Coastguard Worker 53*d5c09012SAndroid Build Coastguard Worker// Authentication rules for the service. 54*d5c09012SAndroid Build Coastguard Worker// 55*d5c09012SAndroid Build Coastguard Worker// By default, if a method has any authentication requirements, every request 56*d5c09012SAndroid Build Coastguard Worker// must include a valid credential matching one of the requirements. 57*d5c09012SAndroid Build Coastguard Worker// It's an error to include more than one kind of credential in a single 58*d5c09012SAndroid Build Coastguard Worker// request. 59*d5c09012SAndroid Build Coastguard Worker// 60*d5c09012SAndroid Build Coastguard Worker// If a method doesn't have any auth requirements, request credentials will be 61*d5c09012SAndroid Build Coastguard Worker// ignored. 62*d5c09012SAndroid Build Coastguard Workermessage AuthenticationRule { 63*d5c09012SAndroid Build Coastguard Worker // Selects the methods to which this rule applies. 64*d5c09012SAndroid Build Coastguard Worker // 65*d5c09012SAndroid Build Coastguard Worker // Refer to [selector][google.api.DocumentationRule.selector] for syntax 66*d5c09012SAndroid Build Coastguard Worker // details. 67*d5c09012SAndroid Build Coastguard Worker string selector = 1; 68*d5c09012SAndroid Build Coastguard Worker 69*d5c09012SAndroid Build Coastguard Worker // The requirements for OAuth credentials. 70*d5c09012SAndroid Build Coastguard Worker OAuthRequirements oauth = 2; 71*d5c09012SAndroid Build Coastguard Worker 72*d5c09012SAndroid Build Coastguard Worker // If true, the service accepts API keys without any other credential. 73*d5c09012SAndroid Build Coastguard Worker // This flag only applies to HTTP and gRPC requests. 74*d5c09012SAndroid Build Coastguard Worker bool allow_without_credential = 5; 75*d5c09012SAndroid Build Coastguard Worker 76*d5c09012SAndroid Build Coastguard Worker // Requirements for additional authentication providers. 77*d5c09012SAndroid Build Coastguard Worker repeated AuthRequirement requirements = 7; 78*d5c09012SAndroid Build Coastguard Worker} 79*d5c09012SAndroid Build Coastguard Worker 80*d5c09012SAndroid Build Coastguard Worker// Specifies a location to extract JWT from an API request. 81*d5c09012SAndroid Build Coastguard Workermessage JwtLocation { 82*d5c09012SAndroid Build Coastguard Worker oneof in { 83*d5c09012SAndroid Build Coastguard Worker // Specifies HTTP header name to extract JWT token. 84*d5c09012SAndroid Build Coastguard Worker string header = 1; 85*d5c09012SAndroid Build Coastguard Worker 86*d5c09012SAndroid Build Coastguard Worker // Specifies URL query parameter name to extract JWT token. 87*d5c09012SAndroid Build Coastguard Worker string query = 2; 88*d5c09012SAndroid Build Coastguard Worker 89*d5c09012SAndroid Build Coastguard Worker // Specifies cookie name to extract JWT token. 90*d5c09012SAndroid Build Coastguard Worker string cookie = 4; 91*d5c09012SAndroid Build Coastguard Worker } 92*d5c09012SAndroid Build Coastguard Worker 93*d5c09012SAndroid Build Coastguard Worker // The value prefix. The value format is "value_prefix{token}" 94*d5c09012SAndroid Build Coastguard Worker // Only applies to "in" header type. Must be empty for "in" query type. 95*d5c09012SAndroid Build Coastguard Worker // If not empty, the header value has to match (case sensitive) this prefix. 96*d5c09012SAndroid Build Coastguard Worker // If not matched, JWT will not be extracted. If matched, JWT will be 97*d5c09012SAndroid Build Coastguard Worker // extracted after the prefix is removed. 98*d5c09012SAndroid Build Coastguard Worker // 99*d5c09012SAndroid Build Coastguard Worker // For example, for "Authorization: Bearer {JWT}", 100*d5c09012SAndroid Build Coastguard Worker // value_prefix="Bearer " with a space at the end. 101*d5c09012SAndroid Build Coastguard Worker string value_prefix = 3; 102*d5c09012SAndroid Build Coastguard Worker} 103*d5c09012SAndroid Build Coastguard Worker 104*d5c09012SAndroid Build Coastguard Worker// Configuration for an authentication provider, including support for 105*d5c09012SAndroid Build Coastguard Worker// [JSON Web Token 106*d5c09012SAndroid Build Coastguard Worker// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32). 107*d5c09012SAndroid Build Coastguard Workermessage AuthProvider { 108*d5c09012SAndroid Build Coastguard Worker // The unique identifier of the auth provider. It will be referred to by 109*d5c09012SAndroid Build Coastguard Worker // `AuthRequirement.provider_id`. 110*d5c09012SAndroid Build Coastguard Worker // 111*d5c09012SAndroid Build Coastguard Worker // Example: "bookstore_auth". 112*d5c09012SAndroid Build Coastguard Worker string id = 1; 113*d5c09012SAndroid Build Coastguard Worker 114*d5c09012SAndroid Build Coastguard Worker // Identifies the principal that issued the JWT. See 115*d5c09012SAndroid Build Coastguard Worker // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 116*d5c09012SAndroid Build Coastguard Worker // Usually a URL or an email address. 117*d5c09012SAndroid Build Coastguard Worker // 118*d5c09012SAndroid Build Coastguard Worker // Example: https://securetoken.google.com 119*d5c09012SAndroid Build Coastguard Worker // Example: [email protected] 120*d5c09012SAndroid Build Coastguard Worker string issuer = 2; 121*d5c09012SAndroid Build Coastguard Worker 122*d5c09012SAndroid Build Coastguard Worker // URL of the provider's public key set to validate signature of the JWT. See 123*d5c09012SAndroid Build Coastguard Worker // [OpenID 124*d5c09012SAndroid Build Coastguard Worker // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). 125*d5c09012SAndroid Build Coastguard Worker // Optional if the key set document: 126*d5c09012SAndroid Build Coastguard Worker // - can be retrieved from 127*d5c09012SAndroid Build Coastguard Worker // [OpenID 128*d5c09012SAndroid Build Coastguard Worker // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) 129*d5c09012SAndroid Build Coastguard Worker // of the issuer. 130*d5c09012SAndroid Build Coastguard Worker // - can be inferred from the email domain of the issuer (e.g. a Google 131*d5c09012SAndroid Build Coastguard Worker // service account). 132*d5c09012SAndroid Build Coastguard Worker // 133*d5c09012SAndroid Build Coastguard Worker // Example: https://www.googleapis.com/oauth2/v1/certs 134*d5c09012SAndroid Build Coastguard Worker string jwks_uri = 3; 135*d5c09012SAndroid Build Coastguard Worker 136*d5c09012SAndroid Build Coastguard Worker // The list of JWT 137*d5c09012SAndroid Build Coastguard Worker // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3). 138*d5c09012SAndroid Build Coastguard Worker // that are allowed to access. A JWT containing any of these audiences will 139*d5c09012SAndroid Build Coastguard Worker // be accepted. When this setting is absent, JWTs with audiences: 140*d5c09012SAndroid Build Coastguard Worker // - "https://[service.name]/[google.protobuf.Api.name]" 141*d5c09012SAndroid Build Coastguard Worker // - "https://[service.name]/" 142*d5c09012SAndroid Build Coastguard Worker // will be accepted. 143*d5c09012SAndroid Build Coastguard Worker // For example, if no audiences are in the setting, LibraryService API will 144*d5c09012SAndroid Build Coastguard Worker // accept JWTs with the following audiences: 145*d5c09012SAndroid Build Coastguard Worker // - 146*d5c09012SAndroid Build Coastguard Worker // https://library-example.googleapis.com/google.example.library.v1.LibraryService 147*d5c09012SAndroid Build Coastguard Worker // - https://library-example.googleapis.com/ 148*d5c09012SAndroid Build Coastguard Worker // 149*d5c09012SAndroid Build Coastguard Worker // Example: 150*d5c09012SAndroid Build Coastguard Worker // 151*d5c09012SAndroid Build Coastguard Worker // audiences: bookstore_android.apps.googleusercontent.com, 152*d5c09012SAndroid Build Coastguard Worker // bookstore_web.apps.googleusercontent.com 153*d5c09012SAndroid Build Coastguard Worker string audiences = 4; 154*d5c09012SAndroid Build Coastguard Worker 155*d5c09012SAndroid Build Coastguard Worker // Redirect URL if JWT token is required but not present or is expired. 156*d5c09012SAndroid Build Coastguard Worker // Implement authorizationUrl of securityDefinitions in OpenAPI spec. 157*d5c09012SAndroid Build Coastguard Worker string authorization_url = 5; 158*d5c09012SAndroid Build Coastguard Worker 159*d5c09012SAndroid Build Coastguard Worker // Defines the locations to extract the JWT. For now it is only used by the 160*d5c09012SAndroid Build Coastguard Worker // Cloud Endpoints to store the OpenAPI extension [x-google-jwt-locations] 161*d5c09012SAndroid Build Coastguard Worker // (https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations) 162*d5c09012SAndroid Build Coastguard Worker // 163*d5c09012SAndroid Build Coastguard Worker // JWT locations can be one of HTTP headers, URL query parameters or 164*d5c09012SAndroid Build Coastguard Worker // cookies. The rule is that the first match wins. 165*d5c09012SAndroid Build Coastguard Worker // 166*d5c09012SAndroid Build Coastguard Worker // If not specified, default to use following 3 locations: 167*d5c09012SAndroid Build Coastguard Worker // 1) Authorization: Bearer 168*d5c09012SAndroid Build Coastguard Worker // 2) x-goog-iap-jwt-assertion 169*d5c09012SAndroid Build Coastguard Worker // 3) access_token query parameter 170*d5c09012SAndroid Build Coastguard Worker // 171*d5c09012SAndroid Build Coastguard Worker // Default locations can be specified as followings: 172*d5c09012SAndroid Build Coastguard Worker // jwt_locations: 173*d5c09012SAndroid Build Coastguard Worker // - header: Authorization 174*d5c09012SAndroid Build Coastguard Worker // value_prefix: "Bearer " 175*d5c09012SAndroid Build Coastguard Worker // - header: x-goog-iap-jwt-assertion 176*d5c09012SAndroid Build Coastguard Worker // - query: access_token 177*d5c09012SAndroid Build Coastguard Worker repeated JwtLocation jwt_locations = 6; 178*d5c09012SAndroid Build Coastguard Worker} 179*d5c09012SAndroid Build Coastguard Worker 180*d5c09012SAndroid Build Coastguard Worker// OAuth scopes are a way to define data and permissions on data. For example, 181*d5c09012SAndroid Build Coastguard Worker// there are scopes defined for "Read-only access to Google Calendar" and 182*d5c09012SAndroid Build Coastguard Worker// "Access to Cloud Platform". Users can consent to a scope for an application, 183*d5c09012SAndroid Build Coastguard Worker// giving it permission to access that data on their behalf. 184*d5c09012SAndroid Build Coastguard Worker// 185*d5c09012SAndroid Build Coastguard Worker// OAuth scope specifications should be fairly coarse grained; a user will need 186*d5c09012SAndroid Build Coastguard Worker// to see and understand the text description of what your scope means. 187*d5c09012SAndroid Build Coastguard Worker// 188*d5c09012SAndroid Build Coastguard Worker// In most cases: use one or at most two OAuth scopes for an entire family of 189*d5c09012SAndroid Build Coastguard Worker// products. If your product has multiple APIs, you should probably be sharing 190*d5c09012SAndroid Build Coastguard Worker// the OAuth scope across all of those APIs. 191*d5c09012SAndroid Build Coastguard Worker// 192*d5c09012SAndroid Build Coastguard Worker// When you need finer grained OAuth consent screens: talk with your product 193*d5c09012SAndroid Build Coastguard Worker// management about how developers will use them in practice. 194*d5c09012SAndroid Build Coastguard Worker// 195*d5c09012SAndroid Build Coastguard Worker// Please note that even though each of the canonical scopes is enough for a 196*d5c09012SAndroid Build Coastguard Worker// request to be accepted and passed to the backend, a request can still fail 197*d5c09012SAndroid Build Coastguard Worker// due to the backend requiring additional scopes or permissions. 198*d5c09012SAndroid Build Coastguard Workermessage OAuthRequirements { 199*d5c09012SAndroid Build Coastguard Worker // The list of publicly documented OAuth scopes that are allowed access. An 200*d5c09012SAndroid Build Coastguard Worker // OAuth token containing any of these scopes will be accepted. 201*d5c09012SAndroid Build Coastguard Worker // 202*d5c09012SAndroid Build Coastguard Worker // Example: 203*d5c09012SAndroid Build Coastguard Worker // 204*d5c09012SAndroid Build Coastguard Worker // canonical_scopes: https://www.googleapis.com/auth/calendar, 205*d5c09012SAndroid Build Coastguard Worker // https://www.googleapis.com/auth/calendar.read 206*d5c09012SAndroid Build Coastguard Worker string canonical_scopes = 1; 207*d5c09012SAndroid Build Coastguard Worker} 208*d5c09012SAndroid Build Coastguard Worker 209*d5c09012SAndroid Build Coastguard Worker// User-defined authentication requirements, including support for 210*d5c09012SAndroid Build Coastguard Worker// [JSON Web Token 211*d5c09012SAndroid Build Coastguard Worker// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32). 212*d5c09012SAndroid Build Coastguard Workermessage AuthRequirement { 213*d5c09012SAndroid Build Coastguard Worker // [id][google.api.AuthProvider.id] from authentication provider. 214*d5c09012SAndroid Build Coastguard Worker // 215*d5c09012SAndroid Build Coastguard Worker // Example: 216*d5c09012SAndroid Build Coastguard Worker // 217*d5c09012SAndroid Build Coastguard Worker // provider_id: bookstore_auth 218*d5c09012SAndroid Build Coastguard Worker string provider_id = 1; 219*d5c09012SAndroid Build Coastguard Worker 220*d5c09012SAndroid Build Coastguard Worker // NOTE: This will be deprecated soon, once AuthProvider.audiences is 221*d5c09012SAndroid Build Coastguard Worker // implemented and accepted in all the runtime components. 222*d5c09012SAndroid Build Coastguard Worker // 223*d5c09012SAndroid Build Coastguard Worker // The list of JWT 224*d5c09012SAndroid Build Coastguard Worker // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3). 225*d5c09012SAndroid Build Coastguard Worker // that are allowed to access. A JWT containing any of these audiences will 226*d5c09012SAndroid Build Coastguard Worker // be accepted. When this setting is absent, only JWTs with audience 227*d5c09012SAndroid Build Coastguard Worker // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]" 228*d5c09012SAndroid Build Coastguard Worker // will be accepted. For example, if no audiences are in the setting, 229*d5c09012SAndroid Build Coastguard Worker // LibraryService API will only accept JWTs with the following audience 230*d5c09012SAndroid Build Coastguard Worker // "https://library-example.googleapis.com/google.example.library.v1.LibraryService". 231*d5c09012SAndroid Build Coastguard Worker // 232*d5c09012SAndroid Build Coastguard Worker // Example: 233*d5c09012SAndroid Build Coastguard Worker // 234*d5c09012SAndroid Build Coastguard Worker // audiences: bookstore_android.apps.googleusercontent.com, 235*d5c09012SAndroid Build Coastguard Worker // bookstore_web.apps.googleusercontent.com 236*d5c09012SAndroid Build Coastguard Worker string audiences = 2; 237*d5c09012SAndroid Build Coastguard Worker} 238