blob: e32a85c4ce4ef9482df00a14670d338278f10a0e [file] [log] [blame]
// Copyright 2017 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
library fuchsia.modular.auth;
using fuchsia.ui.viewsv1token;
// Authentication errors returned by AccountProvider. It contains error status
// code along with a detailed error message.
struct AuthErr {
Status status;
string message;
// Specifies the success/failure status.
enum Status {
// Success
OK = 0;
// A problem with client configuration such as invalid_client, missing params
// etc. This should happen only in development not at run-time, unless
// user/developer changes any of this config. No retry is required.
// Unable to parse the server side response. Retry is optional, this error
// should be extremely rare.
// Server is reachable and propagated an error returned by OAuth Server
// backends. That kind of error cannot be fixed on retries, and has some
// root cause that needs to be addressed either in the client's configuration
// or because the user explicitly revoked access to the client app. For
// instance: invalid_token, expired_token, invalid_client_id, invalid_user,
// invalid_args, etc.
// User cancelled the flow, no need to retry.
// Network error, eg. unreachable. This may be temporary, a retry is
// recommended.
// Internal error. Retry is optional, this error should be rare.
// An interface that allows the Framework to talk to the token manager service
// to add new accounts and be able to mint the corresponding |TokenManager|
// specialized instances for thid party agents and first party ledger client.
// This is only meant to be used by the Framework and will be replaced with
// |AccountManager| in the near future.
interface AccountProvider {
// Adds a new user account. This involves talking to the identity provider and
// fetching profile attributes.
2: AddAccount(IdentityProvider identity_provider)
-> (Account? account, string? error_code);
// Removes an existing user account. This involves talking to account's
// identity provider and revoking user credentials both locally and remotely.
// This operation also deletes cached tokens for the given account.
// TODO(ukode): Modify this api to take account_id and IDP as input once the
// Account struct is cleaned up.
// If |revoke_all| is set to true, then all device credentials are revoked
// both locally and remotely on the backend server and user is logged out from
// all devices. If |revoke_all| is set to false, then credentials stored
// locally are wiped. This includes cached tokens such as access/id and
// firebase tokens and the locally persisted refresh token. By default,
// |revoke_all| is set to false and deletes account only from that given
// device.
3: RemoveAccount(Account account, bool revoke_all) -> (AuthErr status);
// This signals |AccountProvider| to teardown itself. After the
// AccountProvider responds by closing its handle, the caller may terminate
// the |AccountProvider| application if it hasn't already exited.
5: Terminate();