-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathoidc.proto
119 lines (99 loc) · 3 KB
/
oidc.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
syntax = "proto3";
package main;
import "google/api/annotations.proto";
message Empty {
}
message SessionBackend {
string cookie_session = 1; // oauthenticated.
string cookie_path = 2; // path
string url = 3; // WHERE TO REDIRECT
}
message SessionIdp {
// mutually exclusive
string cookie_state = 1; // AUTH
string cookie_path = 2; // AUTH
string url = 3; // WHERE TO REDIRECT
}
/*
message SessionData {
string id = 1;
}
message UrlData {
string url = 1;
}
*/
/*
message RedirectData {
string url = 1;
}
message RedirectSessionData {
string id = 1;
string url = 2;
}
*/
// login password OR login oauth
//message LoginData {
message IdpRequest {
/*
string username = 1;
string password = 2;
*/
string provider = 1;
}
//message OidcData {
message IdpResponse {
string state = 1;
string code = 2;
string error = 3; // we don't get the description. we will log the entire error URL.
string error_description = 4;
}
service Oidc {
/*
rpc Redirect(UrlData) returns (RedirectData) {
option (google.api.http) = {
post: "/redirect"
body: "*"
};
}
// create a cookie + redirect
rpc RedirectSession(UrlData) returns (RedirectSessionData) {
option (google.api.http) = {
post: "/session"
body: "*"
};
}
*/
// this will be our OIDC login
// all it does it redirect to the proper endpoint
// in the openid provider with the created state and data appropriate to
// the the defined provider
// ok: redirect + session state cookie
rpc Login(IdpRequest) returns (SessionIdp) {
option (google.api.http) = {
get: "/login/{provider}"
};
}
// this will be ALL providers callback.
// reply either with Ok + SessionData
// or ErrAuthFailed + Empty SessionData
// ErrAuthFailed would redirect to /login-failed
// ok: redirect + session cookie
// err: redirect to login failed
rpc Callback(IdpResponse) returns (SessionBackend) {
option (google.api.http) = {
// get: "/auth/oidc/cb"
get: "/oauth"
};
}
}
/*
service Auth {
// ok: session cookie + no response in the content.
rpc Login(LoginData) returns (SessionData) {
option (google.api.http) = {
post: "/auth/login"
body: "*"
};
}
}
*/