// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.identitytoolkit.v2;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/cloud/identitytoolkit/v2/mfa_info.proto";

option csharp_namespace = "Google.Cloud.IdentityToolkit.V2";
option go_package = "cloud.google.com/go/identitytoolkit/apiv2/identitytoolkitpb;identitytoolkitpb";
option java_multiple_files = true;
option java_package = "com.google.cloud.identitytoolkit.v2";
option php_namespace = "Google\\Cloud\\IdentityToolkit\\V2";
option ruby_package = "Google::Cloud::IdentityToolkit::V2";

// Account management for Identity Toolkit: enrolling and withdrawing a
// second factor (MFA) on an existing account.
//
// Every request message in this service carries the end user's ID token
// (`id_token`, marked REQUIRED), so these RPCs act on behalf of the signed-in
// user rather than a project administrator. All three methods are HTTP POSTs
// under "/v2/accounts/mfaEnrollment:*" with the whole request as the body.
// The phone-specific request/response payloads (`*MfaPhone*Info`) are defined
// in the imported mfa_info.proto, not in this file.
service AccountManagementService {
  option (google.api.default_host) = "identitytoolkit.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Finishes enrolling a second factor for the user.
  //
  // Step two of enrollment: consumes the verification produced by
  // StartMfaEnrollment and returns refreshed credentials for the user.
  rpc FinalizeMfaEnrollment(FinalizeMfaEnrollmentRequest) returns (FinalizeMfaEnrollmentResponse) {
    option (google.api.http) = {
      post: "/v2/accounts/mfaEnrollment:finalize"
      body: "*"
    };
  }

  // Step one of the MFA enrollment process. In SMS case, this sends an
  // SMS verification code to the user.
  //
  // NOTE(review): this endpoint triggers an outbound SMS on the caller's
  // behalf; rate limiting / abuse controls are presumably enforced
  // server-side — confirm, as nothing in this schema constrains it.
  rpc StartMfaEnrollment(StartMfaEnrollmentRequest) returns (StartMfaEnrollmentResponse) {
    option (google.api.http) = {
      post: "/v2/accounts/mfaEnrollment:start"
      body: "*"
    };
  }

  // Revokes one second factor from the enrolled second factors for an account.
  //
  // The factor to remove is identified by `mfa_enrollment_id`; the response
  // carries refreshed credentials that reflect the removal.
  rpc WithdrawMfa(WithdrawMfaRequest) returns (WithdrawMfaResponse) {
    option (google.api.http) = {
      post: "/v2/accounts/mfaEnrollment:withdraw"
      body: "*"
    };
  }
}

// Finishes enrolling a second factor for the user.
//
// Request for AccountManagementService.FinalizeMfaEnrollment.
// Field number 2 is not used in this file; if it was ever published it
// should be listed in a `reserved` statement to prevent accidental reuse.
message FinalizeMfaEnrollmentRequest {
  // Required. ID token.
  //
  // The signed-in user's Identity Platform ID token; it identifies the
  // account the second factor is being added to.
  string id_token = 1 [(google.api.field_behavior) = REQUIRED];

  // Display name which is entered by users to distinguish between different
  // second factors with same type or different type.
  //
  // User-chosen label only; no uniqueness or format constraint is expressed
  // in this schema.
  string display_name = 3;

  // MFA enrollment information to be verified.
  //
  // One member per second-factor type. Only the phone (SMS) factor is
  // defined here; the oneof leaves room for further factor types.
  oneof verification_info {
    // Verification info to authorize sending an SMS for phone verification.
    //
    // NOTE(review): despite the wording above, this is the *finalize* step;
    // presumably this message carries the code the user received rather than
    // authorizing a send — confirm against mfa_info.proto.
    FinalizeMfaPhoneRequestInfo phone_verification_info = 4;
  }

  // The ID of the Identity Platform tenant that the user enrolling MFA belongs
  // to. If not set, the user belongs to the default Identity Platform project.
  //
  // NOTE(review): this value is supplied by the client; presumably the server
  // checks it against the tenant bound to `id_token` rather than trusting it
  // on its own — confirm.
  string tenant_id = 5;
}

// FinalizeMfaEnrollment response.
//
// Both tokens below are bearer credentials for the user's account and
// should be handled as secrets by clients (not logged or persisted in
// plaintext).
message FinalizeMfaEnrollmentResponse {
  // ID token updated to reflect MFA enrollment.
  string id_token = 1;

  // Refresh token updated to reflect MFA enrollment.
  string refresh_token = 2;

  // MFA verified enrollment information.
  //
  // Mirrors the `verification_info` oneof of the request: one member per
  // second-factor type, currently only phone.
  oneof auxiliary_auth_info {
    // Auxiliary auth info specific to phone auth.
    FinalizeMfaPhoneResponseInfo phone_auth_info = 3;
  }
}

// Sends MFA enrollment verification SMS for a user.
//
// Request for AccountManagementService.StartMfaEnrollment.
// Field number 2 is not used in this file; if it was ever published it
// should be listed in a `reserved` statement to prevent accidental reuse.
message StartMfaEnrollmentRequest {
  // Required. User's ID token.
  string id_token = 1 [(google.api.field_behavior) = REQUIRED];

  // MFA information by type of 2nd factor.
  //
  // Only the phone (SMS) factor is defined here; the oneof leaves room for
  // further factor types.
  oneof enrollment_info {
    // Verification info to authorize sending an SMS for phone verification.
    StartMfaPhoneRequestInfo phone_enrollment_info = 3;
  }

  // The ID of the Identity Platform tenant that the user enrolling MFA belongs
  // to. If not set, the user belongs to the default Identity Platform project.
  //
  // NOTE(review): client-supplied; presumably validated against the tenant
  // bound to `id_token` server-side — confirm.
  string tenant_id = 4;
}

// StartMfaEnrollment response.
//
// Carries the per-factor session state the client must hand back to
// FinalizeMfaEnrollment.
message StartMfaEnrollmentResponse {
  // MFA start enrollment response by 2nd factor type.
  oneof enrollment_response {
    // Verification info to authorize sending an SMS for phone verification.
    //
    // NOTE(review): the name `phone_session_info` suggests this is an opaque
    // session handle for the pending SMS verification — confirm against
    // mfa_info.proto.
    StartMfaPhoneResponseInfo phone_session_info = 1;
  }
}

// Withdraws MFA.
//
// Request for AccountManagementService.WithdrawMfa. Removing a second factor
// weakens the account's authentication, so both the user's ID token and the
// specific enrollment to remove are required.
message WithdrawMfaRequest {
  // Required. User's ID token.
  string id_token = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. MFA enrollment id from a current MFA enrollment.
  //
  // Identifies which of the account's enrolled second factors to revoke;
  // presumably it matches an enrollment ID exposed via mfa_info.proto —
  // confirm.
  string mfa_enrollment_id = 2 [(google.api.field_behavior) = REQUIRED];

  // The ID of the Identity Platform tenant that the user unenrolling MFA
  // belongs to. If not set, the user belongs to the default Identity Platform
  // project.
  //
  // NOTE(review): client-supplied; presumably validated against the tenant
  // bound to `id_token` server-side — confirm.
  string tenant_id = 3;
}

// Withdraws MultiFactorAuth response.
//
// Both tokens below are bearer credentials for the user's account and
// should be handled as secrets by clients.
message WithdrawMfaResponse {
  // ID token updated to reflect removal of the second factor.
  string id_token = 1;

  // Refresh token updated to reflect removal of the second factor.
  string refresh_token = 2;
}