1// Copyright 2019 Google LLC. 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15 16syntax = "proto3"; 17 18package google.api; 19 20option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig"; 21option java_multiple_files = true; 22option java_outer_classname = "AuthProto"; 23option java_package = "com.google.api"; 24option objc_class_prefix = "GAPI"; 25 26// `Authentication` defines the authentication configuration for an API. 27// 28// Example for an API targeted for external use: 29// 30// name: calendar.googleapis.com 31// authentication: 32// providers: 33// - id: google_calendar_auth 34// jwks_uri: https://www.googleapis.com/oauth2/v1/certs 35// issuer: https://securetoken.google.com 36// rules: 37// - selector: "*" 38// requirements: 39// provider_id: google_calendar_auth 40message Authentication { 41 // A list of authentication rules that apply to individual API methods. 42 // 43 // **NOTE:** All service configuration rules follow "last one wins" order. 44 repeated AuthenticationRule rules = 3; 45 46 // Defines a set of authentication providers that a service supports. 47 repeated AuthProvider providers = 4; 48} 49 50// Authentication rules for the service. 51// 52// By default, if a method has any authentication requirements, every request 53// must include a valid credential matching one of the requirements. 54// It's an error to include more than one kind of credential in a single 55// request. 56// 57// If a method doesn't have any auth requirements, request credentials will be 58// ignored. 59message AuthenticationRule { 60 // Selects the methods to which this rule applies. 61 // 62 // Refer to [selector][google.api.DocumentationRule.selector] for syntax details. 63 string selector = 1; 64 65 // The requirements for OAuth credentials. 66 OAuthRequirements oauth = 2; 67 68 // If true, the service accepts API keys without any other credential. 69 bool allow_without_credential = 5; 70 71 // Requirements for additional authentication providers. 72 repeated AuthRequirement requirements = 7; 73} 74 75// Configuration for an authentication provider, including support for 76// [JSON Web Token 77// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32). 78message AuthProvider { 79 // The unique identifier of the auth provider. It will be referred to by 80 // `AuthRequirement.provider_id`. 81 // 82 // Example: "bookstore_auth". 83 string id = 1; 84 85 // Identifies the principal that issued the JWT. See 86 // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 87 // Usually a URL or an email address. 88 // 89 // Example: https://securetoken.google.com 90 // Example: 1234567-compute@developer.gserviceaccount.com 91 string issuer = 2; 92 93 // URL of the provider's public key set to validate signature of the JWT. See 94 // [OpenID 95 // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). 96 // Optional if the key set document: 97 // - can be retrieved from 98 // [OpenID 99 // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html of 100 // the issuer. 101 // - can be inferred from the email domain of the issuer (e.g. a Google 102 // service account). 103 // 104 // Example: https://www.googleapis.com/oauth2/v1/certs 105 string jwks_uri = 3; 106 107 // The list of JWT 108 // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3). 109 // that are allowed to access. A JWT containing any of these audiences will 110 // be accepted. When this setting is absent, only JWTs with audience 111 // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]" 112 // will be accepted. For example, if no audiences are in the setting, 113 // LibraryService API will only accept JWTs with the following audience 114 // "https://library-example.googleapis.com/google.example.library.v1.LibraryService". 115 // 116 // Example: 117 // 118 // audiences: bookstore_android.apps.googleusercontent.com, 119 // bookstore_web.apps.googleusercontent.com 120 string audiences = 4; 121 122 // Redirect URL if JWT token is required but not present or is expired. 123 // Implement authorizationUrl of securityDefinitions in OpenAPI spec. 124 string authorization_url = 5; 125} 126 127// OAuth scopes are a way to define data and permissions on data. For example, 128// there are scopes defined for "Read-only access to Google Calendar" and 129// "Access to Cloud Platform". Users can consent to a scope for an application, 130// giving it permission to access that data on their behalf. 131// 132// OAuth scope specifications should be fairly coarse grained; a user will need 133// to see and understand the text description of what your scope means. 134// 135// In most cases: use one or at most two OAuth scopes for an entire family of 136// products. If your product has multiple APIs, you should probably be sharing 137// the OAuth scope across all of those APIs. 138// 139// When you need finer grained OAuth consent screens: talk with your product 140// management about how developers will use them in practice. 141// 142// Please note that even though each of the canonical scopes is enough for a 143// request to be accepted and passed to the backend, a request can still fail 144// due to the backend requiring additional scopes or permissions. 145message OAuthRequirements { 146 // The list of publicly documented OAuth scopes that are allowed access. An 147 // OAuth token containing any of these scopes will be accepted. 148 // 149 // Example: 150 // 151 // canonical_scopes: https://www.googleapis.com/auth/calendar, 152 // https://www.googleapis.com/auth/calendar.read 153 string canonical_scopes = 1; 154} 155 156// User-defined authentication requirements, including support for 157// [JSON Web Token 158// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32). 159message AuthRequirement { 160 // [id][google.api.AuthProvider.id] from authentication provider. 161 // 162 // Example: 163 // 164 // provider_id: bookstore_auth 165 string provider_id = 1; 166 167 // NOTE: This will be deprecated soon, once AuthProvider.audiences is 168 // implemented and accepted in all the runtime components. 169 // 170 // The list of JWT 171 // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3). 172 // that are allowed to access. A JWT containing any of these audiences will 173 // be accepted. When this setting is absent, only JWTs with audience 174 // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]" 175 // will be accepted. For example, if no audiences are in the setting, 176 // LibraryService API will only accept JWTs with the following audience 177 // "https://library-example.googleapis.com/google.example.library.v1.LibraryService". 178 // 179 // Example: 180 // 181 // audiences: bookstore_android.apps.googleusercontent.com, 182 // bookstore_web.apps.googleusercontent.com 183 string audiences = 2; 184} 185