diff --git a/api/external/authn.proto b/api/external/authn.proto
new file mode 100644
index 0000000..a3a6c3d
--- /dev/null
+++ b/api/external/authn.proto
@@ -0,0 +1,185 @@ +syntax = "proto3"; + +// schema tags are required for application/x-www-form-urlencoded + +package yabslabs.auth.authn.api.v1; +option go_package = "api"; + +option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { + info: { + title: "Authorization Service of yabs"; + version: "1.0"; + contact: { + url: "https://github.com/yabslabs/auth" + }; + }; + + schemes: HTTPS; + + consumes: "application/json"; + consumes: "application/grpc"; + + produces: "application/json"; + produces: "application/grpc"; +}; + +service AuthnService { + + // With this function a IPD / OP (client) can initiate an interactive authN flow (login) + // Non interactive flow like oauth client_credential need to be handeld directly by the specific implementation + // However they may call the VerifyUserNamePassword function directly + rpc ClientAuthNRequest (ClientAuthNRequest) returns (ClientAuthNResponse) { + option (google.api.http) = { + post: "/authn/client" + body: "*" + }; + } + + //With this call a Client (for example our Login GUI) can check the credentials (username / password) against a datastore + //If sucessfull the call returns wether additional steps like MFA are necessary or, if this step was sufficient + rpc VerifyUserNamePassword (VerifyUserNamePasswordRequest) returns (VerifyUserNamePasswordResponse) { + option (google.api.http) = { + post: "/authn/verify/userpassword" + body: "*" + }; + } + + //By clicking a link a user can login in without a need for credentials + //In some cases this is used with an MFA function + rpc VerifyMagicLink(VerifyMagicLinkRequest) returns (VerifyMagicLinkResponse) { + option (google.api.http) = { + post: "/authn/verify/magiclink" + body: "*" + }; + } + + //The Multifactor verfication is responsible for checking the multifactor credential against the configured type + //In some cases this can be used in conjuction with a magic link + rpc VerifyMultiFactor (VerifyMultiFactorRequest) returns (VerifyMultiFactorResponse) { 
+ option (google.api.http) = { + post: "/authn/verify/factors/{id}" + body: "*" + }; + } + + //This function is intended to check wether a x509 handshake can be initiaded this may also be used by headless clients / servers + rpc VerifyCertificate (VerifyCertificateRequest) returns (VerifyCertificateResponse) { + option (google.api.http) = { + post: "/authn/verify/certificate" + body: "*" + }; + } +} + +// We should return a JWT for validation by the IDP +message AuthNRequest { + string id = 1; //This id is also important for the SSO mapping, refresh tokens and session implementation within the specific providers (idp) + Scopes scopes = 2; + SamlAttributes saml_attributes = 3; + ClientType client_type = 4; +} + +//The type of client calling the ClientAuthNRequest function +enum ClientType { + UNKNOWN = 0; + WEB = 1; + OIDC = 2; + SAML = 3; +} + +// This message holds the scopes from the call forward by the oidc op +message Scopes { + repeated string = 1; +} + +// This message holds the scopes from the call forward by the saml idp +message SamlAttributes { + repeated string = 1; +} + +// Returns wether the authN with the user was successfull +message AuthNResponse { + string id = 1; + string scopes = 2; + AuthNStatus auth_n_status = 3; //On sucess we should return a singed JWT, but maybe for somne clients a JSON is enough +} + +enum AuthNStatus { + DENIED = 0; + SUCESSFULL = 1; +} + +message VerifyUserNamePasswordRequest { + string id = 1; + string username = 2; + string password = 3; +} + +message VerifyUserNamePasswordResponse { + string id = 1; + bool factor_required = 2; + Factors factors = 3; + VerifyUserNamePasswordStatus status = 4; +} + +enum VerifyUserNamePasswordStatus { + DENIED = 0; + SUCESSFULL = 1; + // We can add hints like password expired here +} + +message VerifyMagicLinkRequest { + string id = 1; + string key = 2; +} + +message VerifyMagicLinkResponse { + string id = 1; + bool factor_required = 2; + Factors factors = 3; + VerifyMagicLinkStatus 
verify_magic_link_status= 4; +} + +enum VerifyMagicLinkStatus { + DENIED = 0; + SUCESSFULL = 1; +} + +//IMHO this should come from the mgmt API +message Factor { + string id = 1; + FactorType factor_type = 2; +} + +//IMHO this should come from the mgmt API +message Factors { + repeated factor = 1; +} + +//IMHO this should come from the mgmt API +enum FactorType { + SMS = 0; + OTP = 1; + TELEGRAM = 2; + FBMESSENGER = 3; + CTAP1 = 4; //webauthn uf2 keys + CTAP2 = 5; //webauthn fido2 keys + RECOVERYKEY = 6; +} + +message VerifyMultiFactorRequest { + string id = 1; + //We need object for the different type of factos, becuase they do not all use the same mechanics +} + +message VerifyMultiFactorResponse { + string id = 1; + bool additional_factor_required = 2; + Factors factors = 3; //Remaining Factors + VerifyMultiFactorStatus status = 4; +} + +enum VerifyMultiFactorStatus { + DENIED = 0; + SUCESSFULL = 1; +} \ No newline at end of file diff --git a/api/external/mgmt.proto b/api/external/mgmt.proto new file mode 100644 index 0000000..3dccffa --- /dev/null +++ b/api/external/mgmt.proto 
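Review bot: This file cannot compile as committed: `Scopes` and `SamlAttributes` declare `repeated string = 1;` with no field name, `Factors` declares `repeated factor = 1;` with an undefined lowercase type, the service references `ClientAuthNRequest`/`ClientAuthNResponse` while the messages are named `AuthNRequest`/`AuthNResponse`, and the `google.api.http` and `openapiv2_swagger` options are used without the `import "google/api/annotations.proto";` and `import "protoc-gen-swagger/options/annotations.proto";` lines the deleted authAPI/auth.proto had (mgmt.proto and oidc.proto have the same missing imports, plus `google/protobuf/empty.proto`). The values `DENIED`/`SUCESSFULL` are repeated unprefixed in `AuthNStatus`, `VerifyUserNamePasswordStatus`, `VerifyMagicLinkStatus` and `VerifyMultiFactorStatus`; enum values share their enclosing package scope, so protoc rejects the duplicates, and the `SUCESSFULL` spelling becomes part of the JSON contract once shipped — prefix and correct them now, e.g. `AUTH_N_STATUS_UNSPECIFIED = 0; AUTH_N_STATUS_DENIED = 1; AUTH_N_STATUS_SUCCESSFUL = 2;`. `FactorType` gives the zero value business meaning (`SMS = 0`), so an unset factor type silently reads as SMS; add `FACTOR_TYPE_UNSPECIFIED = 0`. `VerifyUserNamePasswordRequest.password` and `VerifyMagicLinkRequest.key` are credentials sent through `body: "*"` mappings, so add a field comment such as `// Credential: must be redacted from gateway and access logs.` on each, since the schema cannot enforce that on its own.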
@@ -0,0 +1,528 @@ +syntax = "proto3"; + +import "github.com/yabslabs/yabs/API/core.proto"; + +package yabslabs.auth.mgmt.api.v1; +option go_package = "api"; + +option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { + info: { + title: "Authorization Management Service for yabs"; + version: "1.0"; + contact: { + url: "https://github.com/yabslabs/auth" + }; + }; + + schemes: HTTPS; + + consumes: "application/json"; + consumes: "application/grpc"; + + produces: "application/json"; + produces: "application/grpc"; +}; + +service AuthMgmtService { +//User + rpc CreateUser(CreateUserRequest) returns (CreateUserResponse) { + option (google.api.http) = { + post: "/users" + body: "*" + }; + } + + rpc GetUserById(GetUserByIdRequest) returns (GetUserByIdResponse) { + option (google.api.http) = { + get: "/users/{id}" + }; + } + + rpc FilterUsers(FilterUserRequest) returns (FilterUserResponse) { + option (google.api.http) = { + post: "/users/_search" + body: "*" + }; + } + + rpc UpdateUser(UpdateUserRequest) returns (UpdateUserResponse) { + option (google.api.http) = { + put: "/users/{id}" + body: "*" + }; + } + + rpc DeleteUser(DeleteUserRequest) returns (DeleteUserResponse) { + option (google.api.http) = { + delete: "/users/{id}" + }; + } + + rpc ChangePassword(ChangePasswordRequest) returns (ChangePasswordResponse) { + option (google.api.http) = { + post: "/users/{id}/_changepw" + body: "*" + }; + } + + rpc OverwritePassword(OverwritePasswordRequest) returns (OverwritePasswordResponse) { + option (google.api.http) = { + post: "/users/{id}/_overwritepw" + body: "*" + }; + } + +//Group + rpc CreateGroup(CreateGroupRequest) returns (CreateGroupResponse) { + option (google.api.http) = { + post: "/groups" + body: "*" + }; + } + + rpc GetGroupById(GetGroupByIdRequest) returns (GetGroupByIdResponse) { + option (google.api.http) = { + get: "/groups/{id}" + }; + } + + rpc FilterGroups(FilterGroupRequest) returns (FilterGroupResponse) { + option (google.api.http) = { + 
post: "/groups/_search" + body: "*" + }; + } + + rpc UpdateGroup(UpdateGroupRequest) returns (UpdateGroupResponse) { + option (google.api.http) = { + put: "/groups/{id}" + body: "*" + }; + } + + rpc DeleteGroup(DeleteGroupRequest) returns (DeleteGroupResponse) { + option (google.api.http) = { + delete: "/groups/{id}" + }; + } +// Member + rpc GetAllGroupMembers(google.protobuf.Empty) returns (Users) { + option (google.api.http) = { + get: "/groups/{group_id}/members" + }; + } + + rpc AddMemberToGroup(AddMemberToGroupRequest) returns (AddMemberToGroupResponse) { + option (google.api.http) = { + post: "/groups/{group_id}/members/{user_id}" + body: "*" + }; + } + + rpc GetMemberFromGroup(GetMemberFromGroupRequest) returns (GetMemberFromGroupResponse) { + option (google.api.http) = { + post: "/groups/{group_id}/members/{user_id}" + body: "*" + }; + } + + rpc DeleteMemberFromGroup(DeleteMemberFromGroupRequest) returns (DeleteMemberFromGroupResponse) { + option (google.api.http) = { + delete: "/groups/{group_id}/members/{user_id}" + }; + } + +// Roles + rpc GetRoles(google.protobuf.Empty) returns (Roles) { + option (google.api.http) = { + get: "/roles" + }; + } + +//Authorizations + rpc GetAuthorizationByUser(GetAuthorizationByUserRequest) returns (GetAuthorizationByUserResponse) { + option (google.api.http) = { + get: "/users/{id}/authorizations" + }; + } + + rpc GetAuthorizationByGroup(GetAuthorizationByGroupRequest) returns (GetAuthorizationByGroupResponse) { + option (google.api.http) = { + get: "/groups/{id}/authorizations" + }; + } + + rpc CreateAuthorization(CreateAuthorizationRequest) returns (CreateAuthorizationResponse) { + option (google.api.http) = { + post: "/authorizations" + body: "*" + }; + } + + rpc UpdateAuthorizations(UpdateAuthorizationRequest) returns (UpdateAuthorizationResponse) { + option (google.api.http) = { + put: "/authorizations/{id}" + body: "*" + }; + } + + rpc DeleteAuthorization(DeleteAuthorizationRequest) returns 
(DeleteAuthorizationResponse) { + option (google.api.http) = { + delete: "/authorizations/{id}" + }; + } + //add two factor + //reset two factor + //delete two factor + //verify two factor +} +message GetAuthorizationByUserRequest { + string id = 1; +} +message GetAuthorizationByUserResponse { + repeated Authorization authorizations = 1; +} +message GetAuthorizationByGroupRequest { + string id = 1; +} +message GetAuthorizationByGroupResponse { + repeated Authorization authorizations = 1; +} +message CreateAuthorizationRequest { + string group_id = 1; + string role_id = 2; + string user_id = 3; +} +message CreateAuthorizationResponse { + string id = 1; + Group group = 2; + Role role = 3; + User user = 4; +} +message UpdateAuthorizationRequest { + string authorization_id = 1; + string group_id = 2; + string role_id = 3; + string user_id = 4; +} +message UpdateAuthorizationResponse { + string id = 1; + Group group = 2; + Role role = 3; + User user = 4; +} +message DeleteAuthorizationRequest { + string id = 1; +} +message DeleteAuthorizationResponse { + string id = 1; + Group group = 2; + Role role = 3; + User user = 4; +} + + +message CreateUserRequest { + string preferred_username = 1; + string familyname = 2; + string givenname = 3; + + string email = 4; + + string phone_number = 5; + + string password = 6; + string hash_function = 7; +} + +message CreateUserResponse { + string id = 1; + string preferred_username = 2; + string familyname = 3; + string givenname = 4; + + string email = 5; + bool email_verified = 6; + + string phone_number = 7; + bool phone_number_verified = 8; +} + +message GetUserByIdRequest { + string id = 1; + +} + +message GetUserByIdResponse { + string id = 1; + string preferred_username = 2; + string familyname = 3; + string givenname = 4; + + string email = 5; + bool email_verified = 6; + + string phone_number = 7; + bool phone_number_verified = 8; +} + +message FilterUserRequest { +// dynamic filter +} + +message FilterUserResponse { + uint64 
total_results = 1; + uint64 read_results = 2; + uint64 count = 3; + repeated User users = 4; +} + +message UpdateUserRequest { + string id = 1; + string preferred_username = 2; + string familyname = 3; + string givenname = 4; + + string email = 5; + bool email_verified = 6; + + string phone_number = 7; + bool phone_number_verified = 8; +} + +message UpdateUserResponse { + string id = 1; + string preferred_username = 2; + string familyname = 3; + string givenname = 4; + + string email = 5; + bool email_verified = 6; + + string phone_number = 7; + bool phone_number_verified = 8; +} + +message DeleteUserRequest { + string id = 1; +} + +message DeleteUserResponse { + string id = 1; + string preferred_username = 2; + string familyname = 3; + string givenname = 4; + + string email = 5; + bool email_verified = 6; + + string phone_number = 7; + bool phone_number_verified = 8; +} + +message ChangePasswordRequest { + string id = 1; + string old_password = 2; + string new_password1 = 3; + string new_password2 = 4; + string hash_function = 5; +} + +message ChangePasswordResponse { + string id = 1; + PasswordState state = 2; +} + +enum PasswordState { + NONE = 0; + ACTIVE = 1; + INITIAL = 2; + DELETED = 3; +} + +message OverwritePasswordRequest { + string id = 1; + string hash_function = 5; + string password = 2; +} + +message OverwritePasswordResponse { + string id = 1; + PasswordState state = 2; +} +message CreateGroupRequest { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto +} +message CreateGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} +message GetGroupByIdRequest { + string id = 1; +} +message GetGroupByIdResponse { + yabs.core.api.v1.Header header = 1; //API 
Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} +message FilterGroupRequest { +// dynamic filter +} +message FilterGroupResponse { + uint64 total_results = 1; + uint64 read_results = 2; + uint64 count = 3; + repeated Group groups = 4; +} +message UpdateGroupRequest { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; +} +message UpdateGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} +message DeleteGroupRequest { + string id = 1; +} +message DeleteGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} + + +message AddMemberToGroupRequest { + string group_id = 1; + string user_id = 2; +} +message AddMemberToGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} + +message GetMemberFromGroupRequest { + string group_id = 1; + string user_id = 2; +} + +message GetMemberFromGroupResponse { + string id = 1; + User member = 2; +} + +message DeleteMemberFromGroupRequest { + string group_id = 1; + string user_id = 2; +} + +message DeleteMemberFromGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from 
yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} + + +message AddSubgroupToGroupRequest { + string group_id = 1; + string subgroup_id = 2; +} +message AddSubgroupToGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} + +message GetSubgroupFromGroupRequest { + string group_id = 1; + string subgroup_id = 2; +} + +message GetSubgroupFromGroupResponse { + string id = 1; + Group group = 2; +} + +message DeleteSubgroupFromGroupRequest { + string group_id = 1; + string subgroup_id = 2; +} + +message DeleteSubgroupFromGroupResponse { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} + +message Group { + yabs.core.api.v1.Header header = 1; //API Header from yabs/api/core.proto + yabs.core.api.v1.Metadata metadata = 2; //API Metadata from yabs/api/core.proto + string id = 3; + repeated User members = 4; + repeated Group subgroups = 5; +} + +message Groups { + repeated Group groups = 1; +} + +message Role { + string id = 1; + string name = 2; + string description = 3; +} + +message Roles { + repeated Role roles = 1; +} + +message Authorization { + string id = 1; + Group group = 2; + Role role = 3; + User user = 4; +} + +message Authorizations { + Authorization authorization = 1; +} + +message User { + string id = 1; + string preferred_username = 2; + string familyname = 3; + string givenname = 4; + + string email = 5; + bool email_verified = 6; + + string phone_number = 7; + bool phone_number_verified = 8; + + string password = 9; +} + +message Users { + repeated User users = 1; +} \ No newline at end of file 
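Review bot: `User` carries `string password = 9;` and is the element type of `Users`, `FilterUserResponse.users`, `Group.members`, `CreateAuthorizationResponse.user` and every other read response in this file, so each list, group and authorization lookup would hand the stored password (or its hash) back to the caller. Keep credential material out of the resource message and only in the request messages that legitimately carry it (`CreateUserRequest`, `ChangePasswordRequest`, `OverwritePasswordRequest`), replacing the field with `reserved 9; reserved "password";` in `User`. `hash_function` is client-chosen in those three request messages, presumably for importing pre-hashed credentials; if so, document the accepted algorithms on the field and reject anything else server-side, otherwise a caller can pick the weakest one. `GetAllGroupMembers` and `GetRoles` take `google.protobuf.Empty` (not imported), the `get: "/groups/{group_id}/members"` binding needs a request message with a `group_id` field for the gateway to generate, and `GetMemberFromGroup` is mapped to the same `post: "/groups/{group_id}/members/{user_id}"` as `AddMemberToGroup`, so one of the two routes can never be reached. `Group` nests `repeated Group subgroups` with no depth bound; add a comment stating the maximum nesting the server enforces, since an unbounded self-recursive message is the classic parser-recursion DoS vector.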
diff --git a/api/external/oidc.proto b/api/external/oidc.proto
new file mode 100644
index 0000000..d928cbc
--- /dev/null
+++ b/api/external/oidc.proto
@@ -0,0 +1,222 @@ +syntax = "proto3"; + +// schema tags are required for application/x-www-form-urlencoded + +package yabslabs.auth.oidc.api.v1; +option go_package = "api"; + +option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { + info: { + title: "Authorization Service of yabs"; + version: "1.0"; + contact: { + url: "https://github.com/yabslabs/auth" + }; + }; + + schemes: HTTPS; + + consumes: "application/json"; + consumes: "application/grpc"; + + produces: "application/json"; + produces: "application/grpc"; +}; + +service OidcService { + + // OIDC discovery endpoint + // provides information about this service + rpc GetConfiguration (google.protobuf.Empty) returns (OidcConfiguration) { + option (google.api.http) = { + get: "/.well-known/openid-configuration" + }; + } + + // OIDC token endpoint, returns token(s) + // can be used for: + // - code exchange (exchange oidc auth code to appropiate tokens: 'authorization_code') + // - issue tokens (ex. access token for services, etc... ex. grant_types: 'client_credentials', 'password', 'urn:yabs:iam:grant_type:role_token') + // - exchange tokens (ex. to obtain an ob-token: 'urn:ietf:params:oauth:grant-type:token-exchange', 'urn:yabs:iam:grant_type:ob_token') + // supported grant types are exposed via the discovery endpoint. + // The following types are included: + // - client_credentials (request token for a service) + // - authorization_code (exchange a user-code for the corresponding tokens) + // - password (authorize a user directly; only permitted clients, needs role ResourceOwnerCredentialsGrantType, usage should be as limited as possible) + // - urn:ietf:params:oauth:grant-type:token-exchange (token exchange => get ob token) + // - urn:yabs:iam:grant_type:ob_token (on behalf token for a user to call a service) + // - urn:yabs:iam:grant_type:role_token (obtain a role token: get roles of apps inside a token) + // Client-Authorization can be done via Basic, Token or Body. 
+ // For security reasons Token should be preferred. + // Client-Authorization is needed for all grant types expect client_credentials. + rpc GetAuthToken (AuthTokenRequest) returns (AuthTokenResponse) { + option (google.api.http) = { + post: "/token/auth" + body: "*" + }; + } + + // corresponding endpoint for oidc request with grant type client_credentials + // should be used to obtain a token for a client/service. Does not support users. + // Client-Credentials can be sent via Basic or Body. For security reasons Basic should be preferred. + rpc GetAccessToken (AccessTokenRequest) returns (TokenResponse) { + option (google.api.http) = { + post: "/token/access" + body: "*" + }; + } + + // corresponding endpoint for oidc request with grant type urn:yabs:iam:grant_type:role_token + // should be used to obtain a roletoken for specified apps. + // Client needs to authenticated. + rpc GetRoleToken (RoleTokenRequest) returns (TokenResponse) { + option (google.api.http) = { + post: "/token/roles" + body: "*" + }; + } + + // corresponding endpoint for oidc request with grant type urn:yabs:iam:grant_type:ob_token or urn:ietf:params:oauth:grant-type:token-exchange + // should be used to obtain an ob token to call another service on behalf of a user. + // Client needs to authenticated. + rpc GetObToken (ObTokenRequest) returns (TokenResponse) { + option (google.api.http) = { + post: "/token/ob" + body: "*" + }; + } + + // OIDC introspect endpoint + // validates a token, client needs to be authenticated. 
+ rpc IntrospectToken (IntrospectTokenRequest) returns (IntrospectTokenResponse) { + option (google.api.http) = { + post: "/token/introspect" + body: "*" + }; + } + + // OIDC Keys endpoint + // returns the public keys used to sign the tokens + rpc GetKeys (google.protobuf.Empty) returns (Keys) { + option (google.api.http) = { + get: "/keys" + }; + } + + // OIDC UserInfo endpoint + // returns information about the current user + // user needs to be authenticated via token + rpc GetUserInfo (google.protobuf.Empty) returns (User) { + option (google.api.http) = { + get: "/me" + }; + + //this needs an auth methode + } + +} + +message Keys { + repeated Key keys = 1; +} + +message Key { + string use = 1; + string kty = 2; + string kid = 3; + string alg = 4; + string n = 5; + string e = 6; + string d = 9; + string p = 7; + string q = 8; +} + +message AccessTokenRequest { + string client_id = 1; + string client_secret = 2; + repeated string scope = 3; +} + +message RoleTokenRequest { + string subject_token = 1 [(validator.field) = {string_not_empty: true}]; + repeated string apps = 2 [(validator.field) = {repeated_count_min: 1}]; +} + +message ObTokenRequest { + string subject_token = 1 [(validator.field) = {string_not_empty: true}]; + string resource = 2 [(validator.field) = {string_not_empty: true}]; +} + +message TokenResponse { + string token = 1; + int64 expires_in = 2; +} + +message AuthTokenRequest { + string grant_type = 1 [(gogoproto.moretags) = "schema:\"grant_type\"", (validator.field) = {string_not_empty: true}]; + + // client auth via body, basic or token + string client_id = 2 [(gogoproto.moretags) = "schema:\"client_id\""]; + string client_secret = 3 [(gogoproto.moretags) = "schema:\"client_secret\""]; + + // grant type authorization_code + string code = 4 [(gogoproto.moretags) = "schema:\"code\""]; + string redirect_uri = 5 [(gogoproto.moretags) = "schema:\"redirect_uri\""]; + + // grant type client_credentials + repeated string scope = 6 
[(gogoproto.moretags) = "schema:\"scope\""]; + + // grant type ob_token/urn:ietf:params:oauth:grant-type:token-exchange, role_token + string subject_token = 7 [(gogoproto.moretags) = "schema:\"subject_token\""]; + string subject_token_type = 8 [(gogoproto.moretags) = "schema:\"subject_token_type\""]; + + // grant type role_token + repeated string apps = 9 [(gogoproto.moretags) = "schema:\"apps\""]; + + // grant type ob_token/urn:ietf:params:oauth:grant-type:token-exchange + string resource = 11 [(gogoproto.moretags) = "schema:\"resource\""]; + + // grant type password + string username = 12 [(gogoproto.moretags) = "schema:\"username\""]; + string password = 13 [(gogoproto.moretags) = "schema:\"password\""]; +} + +message AuthTokenResponse { + string access_token = 1 [(gogoproto.moretags) = "schema:\"access_token\""]; + string id_token = 2 [(gogoproto.moretags) = "schema:\"id_token\""]; + string token_type = 3 [(gogoproto.moretags) = "schema:\"token_type\""]; + int64 expires_in = 4 [(gogoproto.moretags) = "schema:\"expires_in\""]; + + // token exchange + string issued_token_type = 5 [(gogoproto.moretags) = "schema:\"issued_token_type\""]; +} + +message IntrospectTokenRequest { + string token = 1; +} + +message IntrospectTokenResponse { + bool active = 1; + string sub = 2; + int64 exp = 3; +} + +message OidcConfiguration { + string issuer = 1; + string authorization_endpoint = 2; + string token_endpoint = 3; + string introspection_endpoint = 4; + string userinfo_endpoint = 5; + string end_session_endpoint = 6; + string check_session_iframe = 7; + string jwks_uri = 8; + repeated string scopes_supported = 9; + repeated string response_types_supported = 10; + repeated string response_modes_supported = 11; + repeated string grant_types_supported = 12; + repeated string subject_types_supported = 13; + repeated string id_token_signing_alg_values_supported = 14; + repeated string token_endpoint_auth_methods_supported = 15; + repeated string claims_supported = 16; +} \ No 
newline at end of file
diff --git a/api/external/saml.proto b/api/external/saml.proto
new file mode 100644
index 0000000..90bdb57
--- /dev/null
+++ b/api/external/saml.proto
@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+// schema tags are required for application/x-www-form-urlencoded
+
+package yabslabs.auth.saml.api.v1;
+option go_package = "api";
+
+option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
+ info: {
+ title: "Authorization Service of yabs";
+ version: "1.0";
+ contact: {
+ url: "https://github.com/yabslabs/auth"
+ };
+ };
+
+ schemes: HTTPS;
+
+ consumes: "application/json";
+ consumes: "application/grpc";
+
+ produces: "application/json";
+ produces: "application/grpc";
+};
+
+service SamlService {
+ //TODO add SAMl Method
+}
\ No newline at end of file
diff --git a/api/internal/groups.proto b/api/internal/groups.proto
new file mode 100644
index 0000000..e69de29
diff --git a/api/internal/tenants.proto b/api/internal/tenants.proto
new file mode 100644
index 0000000..e69de29
diff --git a/authAPI/auth.proto b/authAPI/auth.proto
deleted file mode 100644
index 357808d..0000000
--- a/authAPI/auth.proto
+++ /dev/null
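Review bot: `Key`, the element type returned by `GetKeys` at `/keys` (the JWKS endpoint), includes the RSA private components `d`, `p` and `q` as fields 9, 7 and 8; a public-keys response type must have no place to put private material, because a single careless server-side `Key{...}` construction would publish the token-signing key to every client. Remove them from `Key` and, if a private representation is needed for storage, define a separate message that no RPC returns, leaving `reserved 7 to 9; reserved "d", "p", "q";` behind. `GetUserInfo` returns `User`, which is not defined in this file and mgmt.proto is not imported; if the intent is mgmt's `User`, that message carries `password` and must not be served on `/me` — define an OIDC-claims `UserInfo` message here instead. `IntrospectTokenResponse` exposes only `active`, `sub` and `exp`, so a resource server cannot check audience, scope or client; consider adding those claims, and document on `active` that it is the only field a caller may rely on when the token is invalid. This file also uses `gogoproto.moretags`, `validator.field`, `google.api.http` and `google.protobuf.Empty` without the corresponding imports, as noted on authn.proto.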
@@ -1,149 +0,0 @@ -syntax = "proto3"; - -import "google/api/annotations.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/timestamp.proto"; -import "protoc-gen-swagger/options/annotations.proto"; -import "github.com/mwitkow/go-proto-validators/validator.proto"; -import "github.com/lyft/protoc-gen-validate/validate/validate.proto"; - -package yabslabs.auth.api.v1; -option go_package = "authAPI"; - -option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { - info: { - title: "Authorization Service of SecureConnect"; - version: "1.0"; - contact: { - url: "https://github.com/yabslabs/auth" - }; - }; - - schemes: HTTPS; - - consumes: "application/json"; - consumes: "application/grpc"; - - produces: "application/json"; - produces: "application/grpc"; -}; - -service AuthService { - - option (yabslabs.auth.api.v1.service_auth) = { - resource_name: "AUTH-V1" - }; -} - -message UserID{ - string id = 1; -} - -message UserRequest{ - string id =1 ; - string firstname =2; - string lastname = 3; - string password = 4; - string email = 5 [(validate.rules).string.email = true]; - string seq = 6; -} - -message User{ - string id =1; - string firstname = 2; - string lastname = 3; - string password = 4; - string email = 5 [(validate.rules).string.email = true]; - google.protobuf.Timestamp creationDate = 6; - google.protobuf.Timestamp changeDate = 7; - string seq = 8; -} - -message Users{ - repeated User users = 1; -} - -message GroupRequest{ - string id = 1; - string name = 2; - repeated string subgroups = 3; - string seq = 4; - repeated string projects = 5; - repeated string users = 6; -} - -message Group{ - string id = 1; - string name = 2; - repeated Group subgroups = 3; - google.protobuf.Timestamp creationDate = 4; - google.protobuf.Timestamp changeDate = 5; - string seq = 6; - repeated Project projects = 7; - repeated User users = 8; -} - -message Groups{ - repeated Group groups = 1; -} -message ProejctID{ - string id = 1; -} - -message 
ProjectRequest{ - string id = 1; - string name = 2; - string seq = 3; -} - -message Project{ - string id = 1; - string name = 2; - google.protobuf.Timestamp creationDate = 3; - google.protobuf.Timestamp changeDate = 4; - string seq = 5; -} - -message Projects{ - repeated Project projects = 1; -} - -message AuthorizationID{ - string id = 1; -} - -message AuthorizationRequest{ - string id = 1; - string groupid = 2; - string roleid = 3; - string userid = 4; - string seq = 5; -} - -message Authorization{ - string id = 1; - Group group = 2; - Role role = 3; - User user = 4; - google.protobuf.Timestamp creationDate = 5; - string seq = 6; -} - -message Authorizations{ - repeated Authorization authorizations = 1; -} - -message RoleID{ - string id = 1; -} - -message Role{ - string id = 1; - string name = 2; - google.protobuf.Timestamp creationDate = 3; - string seq = 4; -} - -message Roles{ - repeated Role roles = 1; -} \ No newline at end of file