loginsessionspb

package
v0.0.0-...-a70aae3
Warning: This package is not in the latest version of its module.
Published: Nov 14, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package loginsessionspb contains protocol buffers for Login Sessions service.

Constants

const (
	LoginSessions_CreateLoginSession_FullMethodName = "/luci.auth.loginsessions.LoginSessions/CreateLoginSession"
	LoginSessions_GetLoginSession_FullMethodName    = "/luci.auth.loginsessions.LoginSessions/GetLoginSession"
)

Variables

var (
	LoginSession_State_name = map[int32]string{
		0: "STATE_UNSPECIFIED",
		1: "PENDING",
		2: "CANCELED",
		3: "SUCCEEDED",
		4: "FAILED",
		5: "EXPIRED",
	}
	LoginSession_State_value = map[string]int32{
		"STATE_UNSPECIFIED": 0,
		"PENDING":           1,
		"CANCELED":          2,
		"SUCCEEDED":         3,
		"FAILED":            4,
		"EXPIRED":           5,
	}
)

Enum value maps for LoginSession_State.

var File_go_chromium_org_luci_auth_loginsessionspb_service_proto protoreflect.FileDescriptor
var LoginSessions_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "luci.auth.loginsessions.LoginSessions",
	HandlerType: (*LoginSessionsServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "CreateLoginSession",
			Handler:    _LoginSessions_CreateLoginSession_Handler,
		},
		{
			MethodName: "GetLoginSession",
			Handler:    _LoginSessions_GetLoginSession_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "go.chromium.org/luci/auth/loginsessionspb/service.proto",
}

LoginSessions_ServiceDesc is the grpc.ServiceDesc for LoginSessions service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

Functions

func FileDescriptorSet

func FileDescriptorSet() *descriptorpb.FileDescriptorSet

FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.

Will not return nil.

Do NOT modify the returned descriptor.

func RegisterLoginSessionsServer

func RegisterLoginSessionsServer(s grpc.ServiceRegistrar, srv LoginSessionsServer)

Types

type CreateLoginSessionRequest

type CreateLoginSessionRequest struct {

	// An OAuth2 client ID that should be known to the login sessions server.
	//
	// The eventual outcome of the login protocol is a set of tokens associated
	// with this OAuth2 client (e.g. the ID token will have this client as
	// `aud` claim).
	//
	// This client ID also identifies the application information that the user
	// will see at the OAuth2 consent screen.
	//
	// Required.
	OauthClientId string `protobuf:"bytes,1,opt,name=oauth_client_id,json=oauthClientId,proto3" json:"oauth_client_id,omitempty"`
	// A list of OAuth2 scopes to get the refresh and access tokens with.
	//
	// The server may deny usage of some sensitive scopes. This set of scopes
	// defines what the user will see at the OAuth2 consent screen.
	//
	// Required.
	OauthScopes []string `protobuf:"bytes,2,rep,name=oauth_scopes,json=oauthScopes,proto3" json:"oauth_scopes,omitempty"`
	// A `code_challenge` parameter for PKCE protocol using S256 method.
	//
	// See https://tools.ietf.org/html/rfc7636. It should be a base64 URL-encoded
	// SHA256 digest of a `code_verifier` random string (that the caller should
	// not disclose anywhere).
	//
	// Required.
	OauthS256CodeChallenge string `` /* 131-byte string literal not displayed */
	// A name of the native program that started the flow.
	//
	// Will be shown on the confirmation web page in the login session UI to
	// provide some best-effort context around what opened the login session.
	// It is **not a security mechanism**, just an FYI for the user.
	//
	// Optional.
	ExecutableName string `protobuf:"bytes,4,opt,name=executable_name,json=executableName,proto3" json:"executable_name,omitempty"`
	// A hostname of the machine that started the flow.
	//
	// Used for the same purpose as `executable_name` to give some context around
	// what opened the login session. It is **not a security mechanism**, just
	// an FYI for the user.
	//
	// Optional.
	ClientHostname string `protobuf:"bytes,5,opt,name=client_hostname,json=clientHostname,proto3" json:"client_hostname,omitempty"`
	// contains filtered or unexported fields
}

Inputs for CreateLoginSession

func (*CreateLoginSessionRequest) Descriptor deprecated

func (*CreateLoginSessionRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateLoginSessionRequest.ProtoReflect.Descriptor instead.

func (*CreateLoginSessionRequest) GetClientHostname

func (x *CreateLoginSessionRequest) GetClientHostname() string

func (*CreateLoginSessionRequest) GetExecutableName

func (x *CreateLoginSessionRequest) GetExecutableName() string

func (*CreateLoginSessionRequest) GetOauthClientId

func (x *CreateLoginSessionRequest) GetOauthClientId() string

func (*CreateLoginSessionRequest) GetOauthS256CodeChallenge

func (x *CreateLoginSessionRequest) GetOauthS256CodeChallenge() string

func (*CreateLoginSessionRequest) GetOauthScopes

func (x *CreateLoginSessionRequest) GetOauthScopes() []string

func (*CreateLoginSessionRequest) ProtoMessage

func (*CreateLoginSessionRequest) ProtoMessage()

func (*CreateLoginSessionRequest) ProtoReflect

func (*CreateLoginSessionRequest) Reset

func (x *CreateLoginSessionRequest) Reset()

func (*CreateLoginSessionRequest) String

func (x *CreateLoginSessionRequest) String() string

type GetLoginSessionRequest

type GetLoginSessionRequest struct {

	// ID of the login session to get the state of. Required.
	LoginSessionId string `protobuf:"bytes,1,opt,name=login_session_id,json=loginSessionId,proto3" json:"login_session_id,omitempty"`
	// The password returned by CreateLoginSession. Required.
	LoginSessionPassword []byte `protobuf:"bytes,2,opt,name=login_session_password,json=loginSessionPassword,proto3" json:"login_session_password,omitempty"`
	// contains filtered or unexported fields
}

Inputs for GetLoginSession.

func (*GetLoginSessionRequest) Descriptor deprecated

func (*GetLoginSessionRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetLoginSessionRequest.ProtoReflect.Descriptor instead.

func (*GetLoginSessionRequest) GetLoginSessionId

func (x *GetLoginSessionRequest) GetLoginSessionId() string

func (*GetLoginSessionRequest) GetLoginSessionPassword

func (x *GetLoginSessionRequest) GetLoginSessionPassword() []byte

func (*GetLoginSessionRequest) ProtoMessage

func (*GetLoginSessionRequest) ProtoMessage()

func (*GetLoginSessionRequest) ProtoReflect

func (x *GetLoginSessionRequest) ProtoReflect() protoreflect.Message

func (*GetLoginSessionRequest) Reset

func (x *GetLoginSessionRequest) Reset()

func (*GetLoginSessionRequest) String

func (x *GetLoginSessionRequest) String() string

type LoginSession

type LoginSession struct {

	// Globally identifies this session.
	//
	// It is a randomly generated URL-safe string. Knowing it is enough to
	// complete the login session via the web UI. Should be used only by the user
	// that started the login flow.
	//
	// It will also appear as a `nonce` claim in the ID token produced by the
	// protocol.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Password is required to call GetLoginSession.
	//
	// It is populated only in the response from CreateLoginSession. It exists
	// to make sure that only whoever created the session can check its status.
	// Must not be shared or stored.
	Password []byte             `protobuf:"bytes,2,opt,name=password,proto3" json:"password,omitempty"`
	State    LoginSession_State `protobuf:"varint,3,opt,name=state,proto3,enum=luci.auth.loginsessions.LoginSession_State" json:"state,omitempty"`
	// When the session was created. Always populated.
	Created *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=created,proto3" json:"created,omitempty"`
	// When the session will expire. Always populated.
	Expiry *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=expiry,proto3" json:"expiry,omitempty"`
	// When the session moved to a final state. Populated for finished sessions.
	Completed *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=completed,proto3" json:"completed,omitempty"`
	// A full URL to a webpage the user should visit to perform the login flow.
	//
	// It encodes `id` inside. Always populated.
	//
	// Knowing it is enough to complete the login session via the web UI. Should
	// be used only by the user that started the login flow.
	LoginFlowUrl string `protobuf:"bytes,7,opt,name=login_flow_url,json=loginFlowUrl,proto3" json:"login_flow_url,omitempty"`
	// How often the caller should poll the session status via GetLoginSession.
	//
	// It is a mechanism to adjust the global poll rate without redeploying
	// new clients.
	//
	// Populated for sessions in PENDING state. The caller is allowed to ignore it
	// if absolutely necessary.
	PollInterval *durationpb.Duration `protobuf:"bytes,8,opt,name=poll_interval,json=pollInterval,proto3" json:"poll_interval,omitempty"`
	// The active confirmation code.
	//
	// The user will be asked to provide this code by the web UI as the final step
	// of the login flow. The code should be shown to the user by the native
	// program in the terminal. This code is very short lived (~ 1 min) and the
	// native program should periodically fetch and show the most recent code.
	//
	// The purpose of this mechanism is to make sure the user is completing the
	// flow they have actually started in their own terminal. It makes phishing
	// attempts harder, since the target of a phishing attack should not only
	// click through the web UI login flow initiated from a link (which is
	// relatively easy to arrange), but also actively copy-paste an up-to-date
	// code that expires very fast (making "asynchronous" phishing attempts
	// relatively hard to perform).
	//
	// Populated only if the session is still in PENDING state.
	ConfirmationCode string `protobuf:"bytes,9,opt,name=confirmation_code,json=confirmationCode,proto3" json:"confirmation_code,omitempty"`
	// When the confirmation code expires, as a duration measured from the moment
	// the request to get it completed.
	//
	// It is a relative time (instead of an absolute timestamp) to avoid relying
	// on clock synchronization between the backend and the client machine. Since
	// the code expires pretty fast, even small differences in clocks may cause
	// issues.
	//
	// This value is always sufficiently larger than zero (to give the user some
	// time to use it). The server will prepare a new code in advance if the
	// existing one expires soon. See confirmation_code_refresh below. During such
	// transitions both codes are valid.
	//
	// Populated only if the session is still in PENDING state.
	ConfirmationCodeExpiry *durationpb.Duration `` /* 130-byte string literal not displayed */
	// When the confirmation code will be refreshed (approximately).
	//
	// A "refresh" in this context means GetLoginSession will start returning
	// a new code. It happens somewhat before the previous code expires. That way
	// the user always sees a code that is sufficiently fresh to be copy-pasted
	// into the confirmation web page at a leisurely pace.
	//
	// Populated only if the session is still in PENDING state.
	ConfirmationCodeRefresh *durationpb.Duration `` /* 133-byte string literal not displayed */
	// The OAuth2 authorization code that can be exchanged for OAuth2 tokens.
	//
	// Populated only for sessions in SUCCEEDED state. Getting this code is the
	// goal of LoginSessions service. Knowing this code, an OAuth2 client secret
	// (which is usually hardcoded in the native program code) and the PKCE code
	// verifier secret (which was used to derive `oauth_s256_code_challenge`) is
	// enough to get all OAuth2 tokens.
	//
	// Must not be shared.
	OauthAuthorizationCode string `` /* 130-byte string literal not displayed */
	// A URL that should be used as `redirect_url` parameter when calling the
	// authorization server token endpoint when exchanging the authorization code
	// for tokens.
	//
	// Populated only for sessions in SUCCEEDED state. It is usually a static
	// well-known URL pointing to a page on the login sessions service domain,
	// but it is returned with the session to avoid hardcoding dependencies on
	// implementation details of the login sessions server.
	OauthRedirectUrl string `protobuf:"bytes,13,opt,name=oauth_redirect_url,json=oauthRedirectUrl,proto3" json:"oauth_redirect_url,omitempty"`
	// An optional error message if the login flow failed.
	//
	// Populated only for sessions in FAILED state.
	OauthError string `protobuf:"bytes,14,opt,name=oauth_error,json=oauthError,proto3" json:"oauth_error,omitempty"`
	// contains filtered or unexported fields
}

Represents a login session whose eventual outcome is an OAuth2 authorization code.

func (*LoginSession) Descriptor deprecated

func (*LoginSession) Descriptor() ([]byte, []int)

Deprecated: Use LoginSession.ProtoReflect.Descriptor instead.

func (*LoginSession) GetCompleted

func (x *LoginSession) GetCompleted() *timestamppb.Timestamp

func (*LoginSession) GetConfirmationCode

func (x *LoginSession) GetConfirmationCode() string

func (*LoginSession) GetConfirmationCodeExpiry

func (x *LoginSession) GetConfirmationCodeExpiry() *durationpb.Duration

func (*LoginSession) GetConfirmationCodeRefresh

func (x *LoginSession) GetConfirmationCodeRefresh() *durationpb.Duration

func (*LoginSession) GetCreated

func (x *LoginSession) GetCreated() *timestamppb.Timestamp

func (*LoginSession) GetExpiry

func (x *LoginSession) GetExpiry() *timestamppb.Timestamp

func (*LoginSession) GetId

func (x *LoginSession) GetId() string

func (*LoginSession) GetLoginFlowUrl

func (x *LoginSession) GetLoginFlowUrl() string

func (*LoginSession) GetOauthAuthorizationCode

func (x *LoginSession) GetOauthAuthorizationCode() string

func (*LoginSession) GetOauthError

func (x *LoginSession) GetOauthError() string

func (*LoginSession) GetOauthRedirectUrl

func (x *LoginSession) GetOauthRedirectUrl() string

func (*LoginSession) GetPassword

func (x *LoginSession) GetPassword() []byte

func (*LoginSession) GetPollInterval

func (x *LoginSession) GetPollInterval() *durationpb.Duration

func (*LoginSession) GetState

func (x *LoginSession) GetState() LoginSession_State

func (*LoginSession) ProtoMessage

func (*LoginSession) ProtoMessage()

func (*LoginSession) ProtoReflect

func (x *LoginSession) ProtoReflect() protoreflect.Message

func (*LoginSession) Reset

func (x *LoginSession) Reset()

func (*LoginSession) String

func (x *LoginSession) String() string

type LoginSession_State

type LoginSession_State int32

A session starts in PENDING state and then moves to one of the other states (all of them are final) in response to user actions or passage of time.

const (
	LoginSession_STATE_UNSPECIFIED LoginSession_State = 0
	LoginSession_PENDING           LoginSession_State = 1
	LoginSession_CANCELED          LoginSession_State = 2
	LoginSession_SUCCEEDED         LoginSession_State = 3
	LoginSession_FAILED            LoginSession_State = 4
	LoginSession_EXPIRED           LoginSession_State = 5
)

func (LoginSession_State) Descriptor

func (LoginSession_State) Enum

func (LoginSession_State) EnumDescriptor deprecated

func (LoginSession_State) EnumDescriptor() ([]byte, []int)

Deprecated: Use LoginSession_State.Descriptor instead.

func (LoginSession_State) Number

func (LoginSession_State) String

func (x LoginSession_State) String() string

func (LoginSession_State) Type

type LoginSessionsClient

type LoginSessionsClient interface {
	// CreateLoginSession creates a new login session in PENDING state.
	//
	// The returned message contains a new session with auto-generated random `id`
	// and `password`. It's the only reply that has `password` populated. Both
	// `id` and `password` are needed to get the up-to-date state of the session
	// in GetLoginSession.
	//
	// Returns:
	//
	//	INVALID_ARGUMENT: when missing required fields.
	//	PERMISSION_DENIED: when `oauth_client_id` is not recognized or some
	//	    requested scopes are forbidden from use.
	CreateLoginSession(ctx context.Context, in *CreateLoginSessionRequest, opts ...grpc.CallOption) (*LoginSession, error)
	// GetLoginSession returns the current up-to-date state of a login session.
	//
	// The state changes based on interaction with the user in the browser (via
	// a flow launched by visiting `login_flow_url`) and with passage of time.
	//
	// Returns:
	//
	//	INVALID_ARGUMENT: when missing required fields.
	//	NOT_FOUND: if the session is not found, expired a long time ago or the
	//	    password doesn't match.
	GetLoginSession(ctx context.Context, in *GetLoginSessionRequest, opts ...grpc.CallOption) (*LoginSession, error)
}

LoginSessionsClient is the client API for LoginSessions service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

LoginSessions service allows creating and polling login sessions.

A login session is essentially a short-lived container for an OAuth2 authorization code. A native client-side program creates a login session via CreateLoginSession and asks the user to complete the login through the web UI exposed by the login session server (see `login_flow_url` field).

The user performs the browser-based login flow that results in an OAuth2 authorization code placed in the login session.

Meanwhile, the program that created the session is periodically checking its status. As soon as it notices there's an authorization code available, it exchanges this code for a full set of OAuth2 tokens (an access token, a refresh token and an ID token).

This protocol is intended for use **only** by native clients. The backend will reply with PERMISSION_DENIED errors if it detects the calls are coming from a browser.
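An added sketch (not this package's or LUCI's own code) of the native client's polling loop described above. `State` and `Session` are local stand-ins for the generated types so the block runs without the module, `get` stands in for a GetLoginSession call, and waking early at `confirmation_code_refresh` is an assumed policy.

```go
package main

import (
	"fmt"
	"time"
)

// State and Session are local stand-ins for LoginSession_State and LoginSession.
type State int32

const (
	Pending State = iota + 1
	Canceled
	Succeeded
	Failed
	Expired
)

type Session struct {
	State                   State
	PollInterval            time.Duration
	ConfirmationCode        string
	ConfirmationCodeRefresh time.Duration
	OauthAuthorizationCode  string
	OauthError              string
}

// Poll calls get until the session leaves PENDING, showing each new
// confirmation code once, and returns the OAuth2 authorization code.
func Poll(get func() (*Session, error), show func(string), sleep func(time.Duration)) (string, error) {
	shown := ""
	for {
		s, err := get()
		if err != nil {
			return "", err // e.g. NOT_FOUND for a wrong password
		}
		switch s.State {
		case Pending:
			if s.ConfirmationCode != shown {
				shown = s.ConfirmationCode
				show(shown)
			}
			wait := s.PollInterval
			// Assumed policy: wake early when a new code is due before the next poll.
			if r := s.ConfirmationCodeRefresh; r > 0 && r < wait {
				wait = r
			}
			sleep(wait)
		case Succeeded:
			return s.OauthAuthorizationCode, nil
		default: // FAILED (oauth_error set), CANCELED, EXPIRED, or unknown
			return "", fmt.Errorf("login session ended in state %d: %q", s.State, s.OauthError)
		}
	}
}

func main() {
	replies := []*Session{ // constructed replies standing in for GetLoginSession
		{State: Pending, PollInterval: 5 * time.Second, ConfirmationCode: "1234"},
		{State: Succeeded, OauthAuthorizationCode: "constructed-code"},
	}
	get := func() (*Session, error) { s := replies[0]; replies = replies[1:]; return s, nil }
	fmt.Println(Poll(get, func(c string) { fmt.Println("confirmation code:", c) }, func(time.Duration) {}))
}
```

Every non-PENDING state ends the loop because the page defines all of them as final; the returned code is then exchanged together with the PKCE verifier and the `oauth_redirect_url` from the same reply.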

type LoginSessionsServer

type LoginSessionsServer interface {
	// CreateLoginSession creates a new login session in PENDING state.
	//
	// The returned message contains a new session with auto-generated random `id`
	// and `password`. It's the only reply that has `password` populated. Both
	// `id` and `password` are needed to get the up-to-date state of the session
	// in GetLoginSession.
	//
	// Returns:
	//
	//	INVALID_ARGUMENT: when missing required fields.
	//	PERMISSION_DENIED: when `oauth_client_id` is not recognized or some
	//	    requested scopes are forbidden from use.
	CreateLoginSession(context.Context, *CreateLoginSessionRequest) (*LoginSession, error)
	// GetLoginSession returns the current up-to-date state of a login session.
	//
	// The state changes based on interaction with the user in the browser (via
	// a flow launched by visiting `login_flow_url`) and with passage of time.
	//
	// Returns:
	//
	//	INVALID_ARGUMENT: when missing required fields.
	//	NOT_FOUND: if the session is not found, expired a long time ago or the
	//	    password doesn't match.
	GetLoginSession(context.Context, *GetLoginSessionRequest) (*LoginSession, error)
	// contains filtered or unexported methods
}

LoginSessionsServer is the server API for LoginSessions service. All implementations must embed UnimplementedLoginSessionsServer for forward compatibility.

LoginSessions service allows creating and polling login sessions.

A login session is essentially a short-lived container for an OAuth2 authorization code. A native client-side program creates a login session via CreateLoginSession and asks the user to complete the login through the web UI exposed by the login session server (see `login_flow_url` field).

The user performs the browser-based login flow that results in an OAuth2 authorization code placed in the login session.

Meanwhile, the program that created the session is periodically checking its status. As soon as it notices there's an authorization code available, it exchanges this code for a full set of OAuth2 tokens (an access token, a refresh token and an ID token).

This protocol is intended for use **only** by native clients. The backend will reply with PERMISSION_DENIED errors if it detects the calls are coming from a browser.

type UnimplementedLoginSessionsServer

type UnimplementedLoginSessionsServer struct{}

UnimplementedLoginSessionsServer must be embedded to have forward compatible implementations.

NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.

func (UnimplementedLoginSessionsServer) CreateLoginSession

func (UnimplementedLoginSessionsServer) GetLoginSession

type UnsafeLoginSessionsServer

type UnsafeLoginSessionsServer interface {
	// contains filtered or unexported methods
}

UnsafeLoginSessionsServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to LoginSessionsServer will result in compilation errors.
