| // Copyright 2017 The Fuchsia Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| library fuchsia.auth; |
| |
| // Specifies the success/failure status of TokenManager calls. |
| enum Status { |
| // The command completed successfully |
| OK = 0; |
| // The command referred to a missing, misconfigured, or failed auth provider. |
| // Retrying is not recommended. |
| AUTH_PROVIDER_SERVICE_UNAVAILABLE = 1; |
| // The auth server was reachable but responded with an error. These errors |
| // are typically caused by a configuration problem or a revoked token and so |
| // should not be retried. |
| AUTH_PROVIDER_SERVER_ERROR = 2; |
| // An internal error occurred. This usually indicates a bug within the Token |
| // Manager itself. Retry is optional. |
| INTERNAL_ERROR = 3; |
| // An invalid or non-functional AuthContextProvider was provided. Retrying is |
| // unlikely to correct this error. |
| INVALID_AUTH_CONTEXT = 4; |
| // The request was malformed in some way, such as using an empty string for |
| // the user_profile_id. The request should not be retried. |
| INVALID_REQUEST = 5; |
| // The requested user profile could not be found in the database. The request |
| // should not be retried. |
| USER_NOT_FOUND = 6; |
| // A local error occured such as disk I/O or memory allocation. Retry, after |
| // a delay, is recommended. |
| IO_ERROR = 7; |
| // Some other problem occured that cannot be classified using one of the more |
| // specic statuses. Retry is optional. |
| UNKNOWN_ERROR = 8; |
| // The auth server requires that the user reauthenticate. The client should |
| // call the Authorize method. |
| REAUTH_REQUIRED = 9; |
| // The user cancelled the flow. User consent is required before any retry. |
| USER_CANCELLED = 10; |
| // A network error occured while communicating with the auth server. Retry, |
| // after a delay, is recommended. |
| NETWORK_ERROR = 11; |
| }; |
| |
| // Stores configuration parameters required to connect to available |
| // |AuthProvider|s. It is used by TokenManager to instantiate all auth providers |
| // during startup. |
| struct AuthProviderConfig { |
| // Type of OAuth Identity provider. An identity provider authenticates and |
| // authorizes users for accessing their services. They also provide unique |
| // identifiers for users to interact with the system and may provide |
| // information about the user that is known to the provider. |
| // |
| // Sample auth provider types include: |
| // Dev : An identity provider that's used for development and testing. |
| // Google: Uses Google as the identity provider. Authorization from Google |
| // requires a working network connection and a web view. |
| // Spotify: Uses Spotify as an identity provider. |
| string auth_provider_type; |
| |
| // Url of the Fuchsia component implementing the AuthProvider. |
| string url; |
| |
| // Optional parameters specified during AuthProvider startup. |
| vector<string>? params; |
| }; |
| |
| // Stores OAuth configuration details for a given client application. These |
| // details are used in the OAuth authorization step. |
| struct AppConfig { |
| // An OAuth identity provider matching a configuration set in |
| // AuthProviderConfig.auth_provider_type. |
| string auth_provider_type; |
| |
| // OAuth client id. |
| string? client_id; |
| |
| // OAuth client secret. |
| // This field is optional and will only be used on calls to Authorize. |
| string? client_secret; |
| |
| // OAuth application's redirect uri. |
| // This field is optional and will only be used on calls to Authorize. |
| string? redirect_uri; |
| }; |
| |
| // Implemented by a privileged system component with the ability to display UI |
| // to the end user. |
| // |
| // This is provided during the initialization of TokenManager service and is |
| // used for any subsequent authorize calls. The UI contexts created by this |
| // interface are used to display OAuth login and permission screens to the end |
| // user. |
| interface AuthenticationContextProvider { |
| 1: GetAuthenticationUIContext(request<AuthenticationUIContext> request); |
| }; |
| |
| // This interface provides a discoverable mechanism to create TokenManager |
| // instances for each user, and to supply auth provider configuration |
| // information using the structs defined in |auth_provider.fidl|. |
| [Discoverable] |
| interface TokenManagerFactory { |
| // Creates an OAuth TokenManager instance scoped for the component specified |
| // by |application_url|, the Fuchsia user specified by |user_id|, and the list |
| // of auth providers specified in |auth_provider_configs|. |
| // |
| // |auth_context_provider| is used to generate AuthenticationUIContexts during |
| // TokenManager methods that require UI, unless the caller of those methods |
| // supplies an alternative AuthenticationUIContext. |
| 1: GetTokenManager(string user_id, string application_url, |
| vector<AuthProviderConfig> auth_provider_configs, |
| AuthenticationContextProvider auth_context_provider, |
| request<TokenManager> token_manager); |
| }; |
| |
| // This interface manages OAuth tokens at the Fuchsia system level for different |
| // auth identity providers. |
| // |
| // If user authorization is required for minting tokens, TokenManager uses the |
| // |auth_context_provider's| UI context for displaying OAuth UI to the end user. |
| // |
| // After initialization, TokenManager handles are typically handed out by |
| // Framework to components like Ledger and Agents. These components fetch |
| // OAuth tokens from any configured auth provider, and use the |
| // |auth_context_provider| initialized above for new authorizations. |
| interface TokenManager { |
| // The first step of OAuth is to get authorization from the user. For Fuchsia |
| // components, this is accomplished by displaying OAuth permissions in a view |
| // provided by the caller. This view will use |auth_ui_context| if supplied, |
| // or the |auth_context_provider| supplied at TokenManager creation if not. |
| // The component's OAuth configuration is provided in |app_config| and |
| // |app_scopes|. An optional |user_profile_id| that uniquely identifies an |
| // account for a given auth provider may be provided to identify an existing |
| // account during a re-auth flow. |
| // |
| // IoT ID authorization includes a mode where the user authorizes on a second |
| // device and that device acquires an auth code from the auth provider. |
| // In this mode, the auth code may be supplied in |auth_code| and no local |
| // user interface will be displayed. |
| // |
| // After the user has successfully authorized, Token manager receives and |
| // securely stores a persistent credential, such as an OAuth refresh token, |
| // for the intended scopes. TokenManager later uses this credential for |
| // minting short lived tokens. |
| // |
| // If the operation is successful, an OK status is returned along with user |
| // profile information in |user_profile_info| such as the user's email, |
| // image_url, profile_url, and first and last names as configured on the auth |
| // provider backend system. |
| 1: Authorize(AppConfig app_config, AuthenticationUIContext? auth_ui_context, |
| vector<string> app_scopes, string? user_profile_id, string? auth_code) |
| -> (Status status, UserProfileInfo? user_profile_info); |
| |
| // Returns a downscoped access token from an auth provider for the given user |
| // |user_profile_id| and |scopes| to a Fuchsia component. The component's |
| // OAuth configuration is provided in |app_config| and the |user_profile_id| |
| // is the unique user identifier returned by the Authorize() call. |
| // |
| // In the interests of performance, Token Manager does not place the supplied |
| // scopes in a canonical order during caching. To benefit from caching of |
| // tokens, clients must request the same scopes in the same order across |
| // calls. |
| // |
| // The access token is returned from cache if possible, otherwise the auth |
| // provider is used to exchange the persistent credential for a new access |
| // token. |
| 2: GetAccessToken(AppConfig app_config, string user_profile_id, |
| vector<string> app_scopes) -> (Status status, string? access_token); |
| |
| // Returns a JWT identity token from an auth provider to a Fuchsia component |
| // intended for the given |audience|. The component's OAuth configuration is |
| // supplied in |app_config|, the intended recipient of the id_token is |
| // supplied in |audience|, and |user_profile_id| is a unique account |
| // identifier returned by the Authorize() or ListProfileIds() calls. |
| // |
| // |user_profile_id| is the unique user identifier returned by the |
| // Authorize() call. |
| // |
| // The identity token is returned from cache if possible, otherwise the auth |
| // provider is used to exchange the persistant credential for a new identity |
| // token. |
| 3: GetIdToken(AppConfig app_config, string user_profile_id, string? audience) |
| -> (Status status, string? id_token); |
| |
| // Returns a Firebase token from an auth provider for the given account and |
| // Fuchsia component, and Firebase client. The component's OAuth configuration |
| // is supplied in |app_config|, the Firebase client is supplied in |
| // |firebase_api_key|, and |user_profile_id| is a unique account identifier |
| // returned by the Authorize() or ListProfileIds() calls. |
| // |
| // This api invokes firebase auth's VerifyAssertion endpoint that takes an |
| // OAuth IdToken as the fuchsia.ui.input. Audience is the intended recipient |
| // of the firebase id token. |
| // |
| // The Firebase auth token is returned from cache if possible, otherwise it is |
| // refreshed from the auth provider. |
| 4: GetFirebaseToken(AppConfig app_config, string user_profile_id, |
| string audience, string firebase_api_key) |
| -> (Status status, FirebaseToken? firebase_token); |
| |
| // Deletes and revokes all long lived and short lived tokens generated for |
| // an account and on behalf of a Fuchsia component. The component's OAuth |
| // configuration is provided in |app_config| and |user_profile_id| |
| // is a unique account identifier returned by the Authorize() or |
| // ListProfileIds() calls. |
| // |
| // Deletion of tokens involves three steps: |
| // - revoking credentials remotely at the auth provider. |
| // - deleting short lived tokens from the in-memory cache. |
| // - deleting persistent credentials stored locally on disk. |
| 5: DeleteAllTokens(AppConfig app_config, string user_profile_id) |
| -> (Status status); |
| |
| // Returns a vector of all currently authorized user_profile_ids for a |
| // component's OAuth configuration provided in |app_config|. |
| 6: ListProfileIds(AppConfig app_config) |
| -> (Status status, vector<string> user_profile_ids); |
| }; |