login¶
Contents¶
- Services
- Messages
LoginService¶
Login service provides APIs for interactions with the OAuth2 OIDC provider.
Login¶
rpc Login(LoginRequest) LoginResponse
Login API interacts with central using the provided email and password and returns an ID token that the user can use for API authentication.
RefreshToken¶
rpc RefreshToken(RefreshTokenRequest) RefreshTokenResponse
RefreshToken API returns an ID Token in exchange for a valid refresh token.
GetOIDCInfo¶
rpc GetOIDCInfo(.google.protobuf.Empty) OIDCInfo
GetOIDCInfo API returns the OIDC configuration for the user client.
Logout¶
rpc Logout(.google.protobuf.Empty) .google.protobuf.Empty
Logout API removes the session cookie of the user and invalidates the access token. It attempts invalidation of both the refresh token and the ID token.
Messages¶
Claims¶
Claims provides information about the claims in the token.
Field | Type | Description |
---|---|---|
iss | string | Issuer of the tokens. |
sub | string | Subject is the unique identifier of the user account. |
name | string | Name of the user account. |
string | Email of the user account. | |
roles | repeated string | Roles of the user account. |
groups | repeated string | Groups that this user account is part of. |
LoginRequest¶
Request for getting the user ID token in exchange for the given username and password.
Field | Type | Description |
---|---|---|
string | User email. | |
password | string | User password. |
LoginResponse¶
Response primarily returns a valid ID token in exchange for the given email and password.
Field | Type | Description |
---|---|---|
id_token | string | ID token containing the claims about user authentication. |
refresh_token | string | Special token used to obtain additional access tokens. |
claims | Claims | Name/value pairs that contain user information. |
expires_by | google.protobuf.Timestamp | Expiry time for the returned ID token. |
OIDCInfo¶
Response returns the OIDC configuration for the clients.
Field | Type | Description |
---|---|---|
issuer | string | Issuer of the ID tokens. |
auth_url | string | OIDC provider's authentication URL. |
client_id | string | ID of the OIDC client. |
redirect_url | string | URL to redirect after authentication. |
RefreshTokenRequest¶
Request for getting the user ID token in exchange for the given refresh token.
Field | Type | Description |
---|---|---|
refresh_token | string | Special token used to obtain additional access tokens. |
RefreshTokenResponse¶
Response primarily returns a valid ID token in exchange for the given refresh token.
Field | Type | Description |
---|---|---|
id_token | string | Access token containing the claims about user authentication. |
refresh_token | string | Special token used to obtain additional access tokens. |
claims | Claims | Name/value pairs that contain user information. |
expires_by | google.protobuf.Timestamp | Expiry time for the returned ID token. |
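
The following client-side token store is an added example, not code from this API's project. It shows how the fields of LoginResponse, RefreshTokenResponse and OIDCInfo fit together over a session's lifetime. Assumptions: responses are plain dicts keyed by the field names above, `expires_by` is already converted to epoch seconds, and `refresh_rpc`, `TokenStore` and `SKEW_SECONDS` are hypothetical names.

```python
import time
from typing import Callable, Optional

SKEW_SECONDS = 30  # assumption: refresh this long before expires_by


class TokenStore:
    """Holds one session built from LoginResponse / RefreshTokenResponse fields."""

    def __init__(self, issuer: str, refresh_rpc: Callable[[dict], dict],
                 now: Callable[[], float] = time.time):
        self.issuer = issuer            # OIDCInfo.issuer, fetched once via GetOIDCInfo
        self.refresh_rpc = refresh_rpc  # hypothetical wrapper around the RefreshToken RPC
        self.now = now
        self.session: Optional[dict] = None

    def accept(self, resp: dict) -> None:
        """Check a response before trusting it, then replace the stored session."""
        if not resp.get("id_token") or not resp.get("refresh_token"):
            raise ValueError("response is missing a token")
        # Consistency check only: it does not replace signature verification
        # of id_token by whatever consumes the token.
        if resp.get("claims", {}).get("iss") != self.issuer:
            raise ValueError("claims.iss does not match OIDCInfo.issuer")
        if resp.get("expires_by", 0) <= self.now():
            raise ValueError("ID token is already expired")
        # Store the refresh_token from this response; the old one is dropped.
        self.session = {k: resp[k] for k in ("id_token", "refresh_token", "expires_by")}

    def id_token(self) -> str:
        """Return a usable ID token, calling RefreshToken shortly before expiry."""
        if self.session is None:
            raise RuntimeError("not logged in")
        if self.now() >= self.session["expires_by"] - SKEW_SECONDS:
            request = {"refresh_token": self.session["refresh_token"]}
            self.session = None  # a failed or rejected refresh leaves no stale token
            self.accept(self.refresh_rpc(request))
        return self.session["id_token"]

    def logout(self) -> None:
        """Forget local tokens; call the Logout RPC as well to end the server session."""
        self.session = None
```

Pass the LoginResponse to `accept()` once after Login, then call `id_token()` before each API request.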