Defined in fuchsia.auth/attestation_signer.fidl
Cryptographically signs the plaintext data sent in the request using a crypto key configured at initialization.
Returns the raw bytes of the signature string on success. Otherwise, an error status is returned.
Defined in fuchsia.auth/auth_provider.fidl
This interface is implemented by the base shell. It is used to notify the base shell that a view for login needs to be started or stopped.
Requests the base shell to display view_holder_token for authentication. Another call to StartOverlay() will not be made until StopOverlay() has been called.
Requests the base shell to stop displaying the auth view.
Defined in fuchsia.auth/auth_provider.fidl
OAuth identity service that provisions new users and provides authorization tokens for the currently enrolled users. Some common Auth Providers are Google, Facebook, Spotify and Twitter.
Authenticates and authorizes a user against an auth provider backend system using the OAuth protocol and returns the persistent credential, such as Google's refresh token or Facebook's access token, for this user. These persistent credentials are long lived and their expiration time is set by the identity provider: for example, Google's refresh tokens are valid until the user changes their password or revokes access explicitly, whereas Facebook access tokens are valid for up to 60 days or until the user revokes access.
During the OAuth handshake, the user needs to explicitly consent to the permissions as configured at the server. The consent is presented in a web_view using an auth_ui_context overlay provided by the base_shell.
An optional user_profile_id is provided to simplify the reauthorization flow.
Exchanges a persistent user credential for a short-lived, app-specific OAuth access token for the specified client_id and scopes. The credential is a long-lived OAuth token as generated by the external identity provider in the GetPersistentCredential() call above. If no client_id is specified, a default will be used.
Access tokens are used by applications to make API requests against services offered by the Auth Provider.
Returns an auth_token response containing an access token if successful. Otherwise, an error status is returned.
Exchanges a persistent user credential for an OAuth identity token for the specified audience. The audience is the intended recipient of the id_token. The credential is a long-lived OAuth token as generated by the external identity provider in the GetPersistentCredential() call above.
OAuth ID tokens are JSON Web Tokens (JWTs) that contain digitally signed identity information about the user for the intended recipient.
Returns an auth_token response containing an ID token if successful. Otherwise, an error status is returned.
Gets a Firebase auth token for the user identified by id_token and the requested firebase_api_key. The id_token is a JWT identity token returned from the GetAppIdToken() call above.
Returns a firebase_token from the server if successful. Otherwise, an error status is returned.
Revokes the user's grants at the Auth Provider by revoking a credential. The credential is either a long-lived OAuth token as returned by the GetPersistentCredential() call or an app-specific access token as returned by the GetAppAccessToken() call.
Authenticates and authorizes a user against a remote-attestation-based auth provider backend system that mints bound persistent credentials.
This method can either perform user authorization directly on the device or use an OAuth authorization code generated out-of-band on a secondary device and sent over a secure channel to the target device. In the latter case, the out-of-band auth_code is passed as an argument in the attestation jwt_params. In the former case, the user needs to explicitly consent to the permissions on the target device and the auth_code is returned to the device directly. The consent is presented in a web_view using an auth_ui_context overlay provided by the base_shell. An optional user_profile_id is provided to simplify the reauthorization flow.
The authorization code is exchanged for a bound refresh token using an attestation JWT that is constructed from jwt_params and signed by the attestation_signer component passed in the request.
If the operation is successful, a long-lived credential that is bound to the originating device is returned along with an optional auth_token containing a short-lived access token and an optional nonce that is used on the next token exchange request. An optional user_profile_info containing user profile attributes is also returned if successful. Otherwise, an error status is returned.
Exchanges a bound persistent user credential for a short-lived, app-specific OAuth access token using the specified assertion JWT. The assertion JWT is constructed from jwt_params and signed by the attestation_signer component passed in the request.
Access tokens are used by applications to make API requests against services offered by the Auth Provider.
Returns an auth_token response containing an access token, and optionally an updated_credential and an auth_challenge to be used on the next token refresh request, if successful. Otherwise, an error status is returned.
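The assertion exchange described for the two attestation-based methods above, as an added example that is not code from the fuchsia.auth FIDL files or the Fuchsia project: the client builds a JWT from jwt_params and signs it through an AttestationSigner-style sign_data call that returns raw signature bytes; the backend verifies the signature, audience and expiry, consumes the nonce so that a captured assertion cannot be replayed, and answers with an access token plus the next auth_challenge. The claim names inside jwt_params, the status strings, the audience URL and the use of HMAC-SHA256 in place of a device-bound EC key are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Everything below is constructed for this example. The claim names inside
# jwt_params, the status strings and the HMAC stand-in are assumptions, not
# the fuchsia.auth definitions.


class AttestationSigner:
    """Stand-in for the AttestationSigner interface: signs plaintext with a key
    fixed at initialization and returns the raw signature bytes. A real device
    signer would use an asymmetric key that never leaves the device; HMAC-SHA256
    is used only so that the example runs with the standard library."""

    def __init__(self, key: bytes):
        self._key = key

    def sign_data(self, plaintext: bytes) -> bytes:
        return hmac.new(self._key, plaintext, hashlib.sha256).digest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion_jwt(jwt_params: dict, signer: AttestationSigner, now: int = None) -> str:
    """Client side: build header.payload.signature from jwt_params and sign the
    first two segments with the attestation signer."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}     # would be ES256 with a real EC device key
    claims = {
        "iss": jwt_params["client_id"],
        "aud": jwt_params["audience"],
        "iat": now,
        "exp": now + jwt_params.get("lifetime_sec", 300),
        "nonce": jwt_params["nonce"],           # the challenge issued by the backend
    }
    if "auth_code" in jwt_params:               # out-of-band authorization code, if any
        claims["auth_code"] = jwt_params["auth_code"]
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = signer.sign_data(signing_input.encode("ascii"))
    return signing_input + "." + _b64url(signature)


class AttestationBackend:
    """Server side: issues single-use challenges and exchanges valid assertions
    for a short-lived access token plus the next auth_challenge."""

    def __init__(self, device_key: bytes, audience: str):
        self._verifier = AttestationSigner(device_key)   # shared key only because of the HMAC stand-in
        self._audience = audience
        self._outstanding = set()                        # challenges issued but not yet consumed

    def issue_challenge(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self._outstanding.add(nonce)
        return nonce

    def exchange(self, assertion: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            header_b64, claims_b64, sig_b64 = assertion.split(".")
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(claims_b64))
        except (ValueError, UnicodeDecodeError):
            return {"status": "BAD_REQUEST"}
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return {"status": "BAD_REQUEST"}
        if header.get("alg") != "HS256":                 # reject algorithm substitution
            return {"status": "BAD_REQUEST"}
        expected = self._verifier.sign_data(f"{header_b64}.{claims_b64}".encode("ascii"))
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return {"status": "BAD_REQUEST"}             # not signed by the bound device key
        if claims.get("aud") != self._audience or claims.get("exp", 0) <= now:
            return {"status": "BAD_REQUEST"}             # wrong recipient or expired
        nonce = claims.get("nonce")
        if nonce not in self._outstanding:
            return {"status": "REAUTH_REQUIRED"}         # unknown or already used challenge
        self._outstanding.discard(nonce)                 # each challenge is single use
        return {
            "status": "OK",
            "auth_token": {"token_type": "ACCESS_TOKEN", "token": secrets.token_urlsafe(24), "expires_in": 3600},
            "auth_challenge": self.issue_challenge(),    # nonce for the next refresh request
        }
```

The nonce handling is the part worth keeping: a challenge leaves the outstanding set the moment it is consumed, so an assertion that was captured in transit is useless after its first use, and the auth_challenge in the response is the only value the next refresh request will be accepted with. A rejected assertion (expired or wrongly signed) does not consume the challenge, so a transient client error does not force a full re-authorization.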
Defined in fuchsia.auth/auth_provider_factory.fidl
AuthProviderFactory creates an Auth Provider that talks to a particular backend OAuth service, such as Google, Facebook, or Twitter, that can generate tokens as defined by auth_provider.fidl.
Creates an auth provider instance for the given OAuth provider.
Defined in fuchsia.auth/token_manager.fidl
Implemented by a privileged system component with the ability to display UI to the end user.
This is provided during the initialization of the TokenManager service and is used for any subsequent authorize calls. The UI contexts created by this interface are used to display OAuth login and permission screens to the end user.
Defined in fuchsia.auth/token_manager.fidl
This interface provides a discoverable mechanism to create TokenManager instances for each user, and to supply auth provider configuration information using the structs defined in auth_provider.fidl.
Creates an OAuth TokenManager instance scoped for the component specified by application_url, the Fuchsia user specified by user_id, and the list of auth providers specified in auth_provider_configs.
auth_context_provider is used to generate AuthenticationUIContexts during TokenManager methods that require UI, unless the caller of those methods supplies an alternative AuthenticationUIContext.
Defined in fuchsia.auth/token_manager.fidl
This interface manages OAuth tokens at the Fuchsia system level for different auth identity providers.
If user authorization is required for minting tokens, TokenManager uses the auth_context_provider's UI context for displaying OAuth UI to the end user.
After initialization, TokenManager handles are typically handed out by Framework to components like Ledger and Agents. These components fetch OAuth tokens from any configured auth provider, and use the auth_context_provider initialized above for new authorizations.
The first step of OAuth is to get authorization from the user. For Fuchsia components, this is accomplished by displaying OAuth permissions in a view provided by the caller. This view will use auth_ui_context if supplied, or the auth_context_provider supplied at TokenManager creation if not. The component's OAuth configuration is provided in app_config and app_scopes. An optional user_profile_id that uniquely identifies an account for a given auth provider may be provided to identify an existing account during a re-auth flow.
IoT ID authorization includes a mode where the user authorizes on a second device and that device acquires an auth code from the auth provider. In this mode, the auth code may be supplied in auth_code and no local user interface will be displayed.
After the user has successfully authorized, TokenManager receives and securely stores a persistent credential, such as an OAuth refresh token, for the intended scopes. TokenManager later uses this credential for minting short-lived tokens.
If the operation is successful, an OK status is returned along with user profile information in user_profile_info, such as the user's email, image_url, profile_url, and first and last names as configured on the auth provider backend system.
Returns a downscoped access token from an auth provider for the given user_profile_id and scopes to a Fuchsia component. The component's OAuth configuration is provided in app_config and the user_profile_id is the unique user identifier returned by the Authorize() call.
In the interests of performance, TokenManager does not place the supplied scopes in a canonical order during caching. To benefit from caching of tokens, clients must request the same scopes in the same order across calls.
The access token is returned from cache if possible; otherwise the auth provider is used to exchange the persistent credential for a new access token.
Returns a JWT identity token from an auth provider to a Fuchsia component intended for the given audience. The component's OAuth configuration is supplied in app_config, the intended recipient of the id_token is supplied in audience, and user_profile_id is a unique account identifier returned by the Authorize() or ListProfileIds() calls.
The identity token is returned from cache if possible; otherwise the auth provider is used to exchange the persistent credential for a new identity token.
Returns a Firebase token from an auth provider for the given account, Fuchsia component, and Firebase client. The component's OAuth configuration is supplied in app_config, the Firebase client is supplied in firebase_api_key, and user_profile_id is a unique account identifier returned by the Authorize() or ListProfileIds() calls.
This API invokes Firebase Auth's VerifyAssertion endpoint, which takes an OAuth ID token as the input. Audience is the intended recipient of the Firebase ID token.
The Firebase auth token is returned from cache if possible; otherwise it is refreshed from the auth provider.
Deletes and revokes all long-lived and short-lived tokens generated for an account and on behalf of a Fuchsia component. The component's OAuth configuration is provided in app_config and user_profile_id is a unique account identifier returned by the Authorize() or ListProfileIds() calls.
Deletion of tokens involves three steps:
If force is false then a failure at step 1 will terminate the method, ensuring client and server state remain consistent. If force is true then steps 2 and 3 will be performed and the method will return OK even if step 1 fails, ensuring the local credentials are wiped in all circumstances.
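A model of the caching rule from the access token description above (scopes are cached in the order the caller supplies them) together with the force semantics of token deletion, added here as an example; it is not the fuchsia.auth implementation. FakeAuthProvider, the status strings, and the assignment of the three deletion steps (revoke the persistent credential at the provider, drop cached short-lived tokens, delete the stored persistent credential) are assumptions made for this example.

```python
import time
from dataclasses import dataclass

# Constructed stand-ins for this example; names and status strings are
# assumptions, not the fuchsia.auth FIDL definitions.


@dataclass
class CachedToken:
    token: str
    expires_at: float


class FakeAuthProvider:
    """Stand-in for an AuthProvider backend: exchanges a persistent credential
    for a short-lived access token and revokes credentials on request."""

    def __init__(self, revoke_fails: bool = False):
        self.exchanges = 0           # how many real token exchanges happened
        self.revoked = []            # credentials revoked server-side
        self.revoke_fails = revoke_fails

    def get_app_access_token(self, credential: str, client_id: str, scopes: list, now: float) -> CachedToken:
        self.exchanges += 1
        return CachedToken(token=f"at-{client_id}-{self.exchanges}", expires_at=now + 3600)

    def revoke_app_or_persistent_credential(self, credential: str) -> bool:
        if self.revoke_fails:
            return False             # simulates a server-side revocation failure
        self.revoked.append(credential)
        return True


class TokenManager:
    """Minimal model of the caching and deletion rules described above."""

    def __init__(self, provider: FakeAuthProvider):
        self._provider = provider
        self._credentials = {}   # (client_id, user_profile_id) -> persistent credential
        self._cache = {}         # (client_id, user_profile_id, scopes tuple) -> CachedToken

    def store_credential(self, app_config: dict, user_profile_id: str, credential: str) -> None:
        """What Authorize() would do after a successful user authorization."""
        self._credentials[(app_config["client_id"], user_profile_id)] = credential

    def get_access_token(self, app_config: dict, user_profile_id: str, scopes: list, now: float = None) -> str:
        now = time.time() if now is None else now
        # Scopes stay in caller order on purpose: ["a", "b"] and ["b", "a"] are
        # different cache keys, which is exactly the behaviour documented above.
        key = (app_config["client_id"], user_profile_id, tuple(scopes))
        cached = self._cache.get(key)
        if cached is not None and cached.expires_at > now:
            return cached.token
        credential = self._credentials.get(key[:2])
        if credential is None:
            raise LookupError("USER_NOT_FOUND")   # constructed status name
        fresh = self._provider.get_app_access_token(credential, app_config["client_id"], list(scopes), now)
        self._cache[key] = fresh
        return fresh.token

    def delete_all_tokens(self, app_config: dict, user_profile_id: str, force: bool = False) -> str:
        ident = (app_config["client_id"], user_profile_id)
        credential = self._credentials.get(ident)
        # Step 1 (assumed): revoke the persistent credential at the auth provider.
        if credential is not None and not self._provider.revoke_app_or_persistent_credential(credential):
            if not force:
                return "AUTH_PROVIDER_SERVER_ERROR"   # constructed status name; local state is left intact
        # Step 2 (assumed): drop every cached short-lived token for this account.
        for key in [k for k in self._cache if k[:2] == ident]:
            del self._cache[key]
        # Step 3 (assumed): delete the locally stored persistent credential.
        self._credentials.pop(ident, None)
        return "OK"

    def has_local_state(self, app_config: dict, user_profile_id: str) -> bool:
        ident = (app_config["client_id"], user_profile_id)
        return ident in self._credentials or any(k[:2] == ident for k in self._cache)
```

Two behaviours are worth checking against a real deployment: a request with the same scopes in a different order costs a fresh exchange with the provider, and a non-forced deletion that fails at the provider leaves the local credential in place, so the caller must decide whether to retry or to force the local wipe.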
Returns a vector of all currently authorized user_profile_ids for a component's OAuth configuration provided in app_config.
Defined in fuchsia.auth/auth_provider.fidl
OAuth token response populated after parsing the JSON object that contains the short-lived access token or ID token returned by the auth provider.
Defined in fuchsia.auth/auth_provider.fidl
Stores attributes related to a Firebase auth token for a given Firebase API key.
These tokens are minted by the Firebase Auth server and are meant to be used for authorizing users into Firebase services such as DB and storage.
Defined in fuchsia.auth/auth_provider.fidl
Challenge response returned by the auth provider during remote attestation based authentication.
Defined in fuchsia.auth/auth_provider.fidl
Stores Elliptic Curve public key parameters of the credential key.
Defined in fuchsia.auth/auth_provider.fidl
Contains parameters required by the auth provider component to build attestation JWTs.
Defined in fuchsia.auth/auth_provider.fidl
Contains parameters required by the auth provider to build assertion JWTs.
Defined in fuchsia.auth/auth_provider.fidl
User attributes returned to callers on authorizing a new user at any auth provider. These attributes are generated by calling the auth provider's user profile APIs.
Defined in fuchsia.auth/common.fidl
An assessment of the current presence and engagement of the human that owns a Fuchsia account, including the system's confidence in that assessment and its timeliness.
Note this struct is currently defined to enable multi-user experimentation. Substantial work is required before any realistic use cases.
Defined in fuchsia.auth/common.fidl
An expression of the types of changes to an auth state that should be reported over listener interfaces. By default no changes will be reported.
Defined in fuchsia.auth/common.fidl
A unique identifier for an account with some service provider, comprised of the identity of the service provider and an account identity supplied by that service provider.
Defined in fuchsia.auth/token_manager.fidl
Stores configuration parameters required to connect to available AuthProviders. It is used by TokenManager to instantiate all auth providers during startup.
Sample auth provider types include Dev, an identity provider used for development and testing; Google, which uses Google as the identity provider (authorization from Google requires a working network connection and a web view); and Spotify, which uses Spotify as an identity provider.
Defined in fuchsia.auth/token_manager.fidl
Stores OAuth configuration details for a given client application. These details are used in the OAuth authorization step.
Type: uint32
Defined in fuchsia.auth/attestation_signer.fidl
This file contains an interface to cryptographically sign any plaintext data using any crypto key. This interface is useful for signing JWTs in device-attestation-based authentication.
Specifies the success/failure status from the attestation signer.
Type: uint32
Defined in fuchsia.auth/auth_provider.fidl
Specifies the success/failure status from auth provider.
Type: uint32
Defined in fuchsia.auth/auth_provider.fidl
The type of token returned.
Type: uint32
Defined in fuchsia.auth/common.fidl
A high level assessment of whether the human that owns a Fuchsia account is present and engaged.
Note this enum is currently defined to enable multi-user experimentation. Substantial work is required before any realistic use cases.
Type: uint32
Defined in fuchsia.auth/token_manager.fidl
Specifies the success/failure status of TokenManager calls.