1// Copyright 2019 Google LLC.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15
16syntax = "proto3";
17
18package google.api;
19
20option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
21option java_multiple_files = true;
22option java_outer_classname = "AuthProto";
23option java_package = "com.google.api";
24option objc_class_prefix = "GAPI";
25
26// `Authentication` defines the authentication configuration for an API.
27//
28// Example for an API targeted for external use:
29//
30//     name: calendar.googleapis.com
31//     authentication:
32//       providers:
33//       - id: google_calendar_auth
34//         jwks_uri: https://www.googleapis.com/oauth2/v1/certs
35//         issuer: https://securetoken.google.com
36//       rules:
37//       - selector: "*"
38//         requirements:
39//           provider_id: google_calendar_auth
40message Authentication {
41  // A list of authentication rules that apply to individual API methods.
42  //
43  // **NOTE:** All service configuration rules follow "last one wins" order.
44  repeated AuthenticationRule rules = 3;
45
46  // Defines a set of authentication providers that a service supports.
47  repeated AuthProvider providers = 4;
48}
49
50// Authentication rules for the service.
51//
52// By default, if a method has any authentication requirements, every request
53// must include a valid credential matching one of the requirements.
54// It's an error to include more than one kind of credential in a single
55// request.
56//
57// If a method doesn't have any auth requirements, request credentials will be
58// ignored.
59message AuthenticationRule {
60  // Selects the methods to which this rule applies.
61  //
62  // Refer to [selector][google.api.DocumentationRule.selector] for syntax details.
63  string selector = 1;
64
65  // The requirements for OAuth credentials.
66  OAuthRequirements oauth = 2;
67
68  // If true, the service accepts API keys without any other credential.
69  bool allow_without_credential = 5;
70
71  // Requirements for additional authentication providers.
72  repeated AuthRequirement requirements = 7;
73}
74
75// Configuration for an authentication provider, including support for
76// [JSON Web Token
77// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
78message AuthProvider {
79  // The unique identifier of the auth provider. It will be referred to by
80  // `AuthRequirement.provider_id`.
81  //
82  // Example: "bookstore_auth".
83  string id = 1;
84
85  // Identifies the principal that issued the JWT. See
86  // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
87  // Usually a URL or an email address.
88  //
89  // Example: https://securetoken.google.com
90  // Example: 1234567-compute@developer.gserviceaccount.com
91  string issuer = 2;
92
93  // URL of the provider's public key set to validate signature of the JWT. See
94  // [OpenID
95  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
96  // Optional if the key set document:
97  //  - can be retrieved from
98  //    [OpenID
99  //    Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html of
100  //    the issuer.
101  //  - can be inferred from the email domain of the issuer (e.g. a Google
102  //  service account).
103  //
104  // Example: https://www.googleapis.com/oauth2/v1/certs
105  string jwks_uri = 3;
106
107  // The list of JWT
108  // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
109  // that are allowed to access. A JWT containing any of these audiences will
110  // be accepted. When this setting is absent, only JWTs with audience
111  // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]"
112  // will be accepted. For example, if no audiences are in the setting,
113  // LibraryService API will only accept JWTs with the following audience
114  // "https://library-example.googleapis.com/google.example.library.v1.LibraryService".
115  //
116  // Example:
117  //
118  //     audiences: bookstore_android.apps.googleusercontent.com,
119  //                bookstore_web.apps.googleusercontent.com
120  string audiences = 4;
121
122  // Redirect URL if JWT token is required but not present or is expired.
123  // Implement authorizationUrl of securityDefinitions in OpenAPI spec.
124  string authorization_url = 5;
125}
126
127// OAuth scopes are a way to define data and permissions on data. For example,
128// there are scopes defined for "Read-only access to Google Calendar" and
129// "Access to Cloud Platform". Users can consent to a scope for an application,
130// giving it permission to access that data on their behalf.
131//
132// OAuth scope specifications should be fairly coarse grained; a user will need
133// to see and understand the text description of what your scope means.
134//
135// In most cases: use one or at most two OAuth scopes for an entire family of
136// products. If your product has multiple APIs, you should probably be sharing
137// the OAuth scope across all of those APIs.
138//
139// When you need finer grained OAuth consent screens: talk with your product
140// management about how developers will use them in practice.
141//
142// Please note that even though each of the canonical scopes is enough for a
143// request to be accepted and passed to the backend, a request can still fail
144// due to the backend requiring additional scopes or permissions.
145message OAuthRequirements {
146  // The list of publicly documented OAuth scopes that are allowed access. An
147  // OAuth token containing any of these scopes will be accepted.
148  //
149  // Example:
150  //
151  //      canonical_scopes: https://www.googleapis.com/auth/calendar,
152  //                        https://www.googleapis.com/auth/calendar.read
153  string canonical_scopes = 1;
154}
155
156// User-defined authentication requirements, including support for
157// [JSON Web Token
158// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
159message AuthRequirement {
160  // [id][google.api.AuthProvider.id] from authentication provider.
161  //
162  // Example:
163  //
164  //     provider_id: bookstore_auth
165  string provider_id = 1;
166
167  // NOTE: This will be deprecated soon, once AuthProvider.audiences is
168  // implemented and accepted in all the runtime components.
169  //
170  // The list of JWT
171  // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
172  // that are allowed to access. A JWT containing any of these audiences will
173  // be accepted. When this setting is absent, only JWTs with audience
174  // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]"
175  // will be accepted. For example, if no audiences are in the setting,
176  // LibraryService API will only accept JWTs with the following audience
177  // "https://library-example.googleapis.com/google.example.library.v1.LibraryService".
178  //
179  // Example:
180  //
181  //     audiences: bookstore_android.apps.googleusercontent.com,
182  //                bookstore_web.apps.googleusercontent.com
183  string audiences = 2;
184}
185