From a85b3b04c1b4f5c24031c3af653924e6f16c12d2 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Mon, 26 Oct 2020 10:20:23 -0600 Subject: [PATCH] store raw id token so it can be passed to the logout url (#1543) --- authenticate/handlers.go | 15 +++- internal/identity/claims.go | 11 +++ internal/identity/identity/identity.go | 7 ++ internal/identity/manager/manager.go | 5 +- internal/identity/mock_provider.go | 6 +- internal/identity/oauth/github/github.go | 5 +- internal/identity/oidc/oidc.go | 13 +++- internal/identity/providers.go | 5 +- pkg/grpc/session/session.go | 8 +++ pkg/grpc/session/session.pb.go | 89 +++++++++++++----------- pkg/grpc/session/session.proto | 1 + 11 files changed, 112 insertions(+), 53 deletions(-) create mode 100644 internal/identity/identity/identity.go diff --git a/authenticate/handlers.go b/authenticate/handlers.go index 5f352e668..14eabbb95 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -239,9 +239,11 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error { state := a.state.Load() + var rawIDToken string sessionState, err := a.getSessionFromCtx(ctx) if err == nil { if s, _ := session.Get(ctx, state.dataBrokerClient, sessionState.ID); s != nil && s.OauthToken != nil { + rawIDToken = s.GetIdToken().GetRaw() if err := a.provider.Load().Revoke(ctx, manager.FromOAuthToken(s.OauthToken)); err != nil { log.Warn().Err(err).Msg("failed to revoke access token") } @@ -265,6 +267,7 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error { endSessionURL, err := a.provider.Load().LogOut() if err == nil && redirectString != "" { params := url.Values{} + params.Add("id_token_hint", rawIDToken) params.Add("post_logout_redirect_uri", redirectString) endSessionURL.RawQuery = params.Encode() redirectString = endSessionURL.String() 
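Review bot: `params.Add("id_token_hint", rawIDToken)` in the second SignOut hunk runs even when rawIDToken is still the empty string declared in the first hunk — when the session lookup fails, when the stored session predates this change and carries no IDToken.Raw, or when the provider never calls SetRawIDToken — so the end-session redirect now carries an empty `id_token_hint=` parameter, which some providers reject rather than ignore. Guarding the parameter keeps the previous request shape for those sessions: `if rawIDToken != "" { params.Add("id_token_hint", rawIDToken) }`. Note that the raw ID token is read only inside the `s.OauthToken != nil` branch, so a session with an id token but no OAuth token would also produce the empty hint; that may be fine if such sessions cannot exist, but it is worth a comment. SignOut starts before and ends after both hunks.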
@@ -380,14 +383,14 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request) // Successful Authentication Response: rfc6749#section-4.1.2 & OIDC#3.1.2.5 // // Exchange the supplied Authorization Code for a valid user session. - var claims identity.Claims + var claims identity.SessionClaims accessToken, err := a.provider.Load().Authenticate(ctx, code, &claims) if err != nil { return nil, fmt.Errorf("error redeeming authenticate code: %w", err) } s := sessions.State{ID: uuid.New().String()} - err = claims.Claims(&s) + err = claims.Claims.Claims(&s) if err != nil { return nil, fmt.Errorf("error unmarshaling session state: %w", err) } @@ -533,7 +536,12 @@ func (a *Authenticate) Dashboard(w http.ResponseWriter, r *http.Request) error { return a.templates.ExecuteTemplate(w, "dashboard.html", input) } -func (a *Authenticate) saveSessionToDataBroker(ctx context.Context, sessionState *sessions.State, claims identity.Claims, accessToken *oauth2.Token) error { +func (a *Authenticate) saveSessionToDataBroker( + ctx context.Context, + sessionState *sessions.State, + claims identity.SessionClaims, + accessToken *oauth2.Token, +) error { state := a.state.Load() options := a.options.Load() @@ -553,6 +561,7 @@ func (a *Authenticate) saveSessionToDataBroker(ctx context.Context, sessionState }, OauthToken: manager.ToOAuthToken(accessToken), } + s.SetRawIDToken(claims.RawIDToken) s.AddClaims(claims.Flatten()) // if no user exists yet, create a new one diff --git a/internal/identity/claims.go b/internal/identity/claims.go index fc31700a6..fb6ab5ff2 100644 --- a/internal/identity/claims.go +++ b/internal/identity/claims.go 
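Review bot: `err = claims.Claims.Claims(&s)` in the getOAuthCallback hunk reads like a typo to anyone who has not seen the SessionClaims definition: the first `Claims` is the embedded field (which shadows the promoted method of the same name) and the second is the map's Claims method that copies the JWT claims into the session state. A one-line comment above it would spare the next reader the lookup, e.g. `// claims.Claims is the embedded identity.Claims map; its Claims method decodes the JWT claims into s.` Likewise, `s.SetRawIDToken(claims.RawIDToken)` in the saveSessionToDataBroker hunk is passed unconditionally; for providers that never set it the value is "", which is worth stating there since the databroker session is what SignOut later reads. Both functions start and end outside their hunks.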
@@ -11,6 +11,17 @@ import ( "github.com/pomerium/pomerium/pkg/protoutil" ) +// SessionClaims are claims that are attached to a session so we can store the raw id token. +type SessionClaims struct { + Claims + RawIDToken string +} + +// SetRawIDToken sets the raw id token. +func (claims *SessionClaims) SetRawIDToken(rawIDToken string) { + claims.RawIDToken = rawIDToken +} + // Claims are JWT claims. type Claims map[string]interface{} diff --git a/internal/identity/identity/identity.go b/internal/identity/identity/identity.go new file mode 100644 index 000000000..dda7c46d6 --- /dev/null +++ b/internal/identity/identity/identity.go @@ -0,0 +1,7 @@ +// Package identity is a package to avoid a dependency cycle. +package identity + +// State is the state for authentication. +type State interface { + SetRawIDToken(rawIDToken string) +} diff --git a/internal/identity/manager/manager.go b/internal/identity/manager/manager.go index 80d73cc06..b6099b068 100644 --- a/internal/identity/manager/manager.go +++ b/internal/identity/manager/manager.go @@ -15,6 +15,7 @@ import ( "gopkg.in/tomb.v2" "github.com/pomerium/pomerium/internal/directory" + "github.com/pomerium/pomerium/internal/identity/identity" "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/scheduler" "github.com/pomerium/pomerium/pkg/grpc/databroker" @@ -24,9 +25,9 @@ import ( // Authenticator is an identity.Provider with only the methods needed by the manager. type Authenticator interface { - Refresh(context.Context, *oauth2.Token, interface{}) (*oauth2.Token, error) + Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error) Revoke(context.Context, *oauth2.Token) error - UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error + UpdateUserInfo(context.Context, *oauth2.Token, interface{}) error } type ( diff --git a/internal/identity/mock_provider.go b/internal/identity/mock_provider.go index c330204d4..b208359a1 100644 
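Review bot: SessionClaims embeds the Claims map, and the providers populate it by passing a `*SessionClaims` to `idToken.Claims(v)`, i.e. through JSON unmarshalling; encoding/json treats an embedded non-struct type as an ordinary field named `Claims`, so the JWT claims only reach the map if `Claims` defines an `UnmarshalJSON` that is promoted through the embedding. That method, if it exists, is outside this hunk, so I cannot confirm it; if it does, say so on the struct, e.g. `// Claims is filled through the promoted Claims.UnmarshalJSON; RawIDToken is never part of the JSON and is set via SetRawIDToken.` If it does not, the map stays empty and `claims.Claims.Claims(&s)` in handlers.go yields an unpopulated session state, which a small test unmarshalling `{"sub":"x"}` into a SessionClaims would catch.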
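Review bot: The doc comment on the new identity.State interface ("State is the state for authentication") does not say what an implementation is expected to do with the value it receives, which matters because the raw ID token is a credential that will be persisted and later sent to the provider's end-session endpoint. Suggest `// State is the authentication state a provider populates. SetRawIDToken receives the id_token exactly as issued so it can be stored and presented as id_token_hint at logout.` The package comment could also name the cycle it breaks (identity ↔ manager/session) so nobody later folds the package back in.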
--- a/internal/identity/mock_provider.go +++ b/internal/identity/mock_provider.go @@ -5,6 +5,8 @@ import ( "net/url" "golang.org/x/oauth2" + + "github.com/pomerium/pomerium/internal/identity/identity" ) // MockProvider provides a mocked implementation of the providers interface. @@ -21,12 +23,12 @@ type MockProvider struct { } // Authenticate is a mocked providers function. -func (mp MockProvider) Authenticate(context.Context, string, interface{}) (*oauth2.Token, error) { +func (mp MockProvider) Authenticate(context.Context, string, identity.State) (*oauth2.Token, error) { return &mp.AuthenticateResponse, mp.AuthenticateError } // Refresh is a mocked providers function. -func (mp MockProvider) Refresh(context.Context, *oauth2.Token, interface{}) (*oauth2.Token, error) { +func (mp MockProvider) Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error) { return &mp.RefreshResponse, mp.RefreshError } diff --git a/internal/identity/oauth/github/github.go b/internal/identity/oauth/github/github.go index ee05cd6f6..8d6389553 100644 --- a/internal/identity/oauth/github/github.go +++ b/internal/identity/oauth/github/github.go @@ -17,6 +17,7 @@ import ( "gopkg.in/square/go-jose.v2/jwt" "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/internal/identity/identity" "github.com/pomerium/pomerium/internal/identity/oauth" "github.com/pomerium/pomerium/internal/identity/oidc" "github.com/pomerium/pomerium/internal/log" 
@@ -77,7 +78,7 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) { // Authenticate creates an identity session with github from a authorization code, and follows up // call to the user and user group endpoint with the -func (p *Provider) Authenticate(ctx context.Context, code string, v interface{}) (*oauth2.Token, error) { +func (p *Provider) Authenticate(ctx context.Context, code string, v identity.State) (*oauth2.Token, error) { oauth2Token, err := p.Oauth.Exchange(ctx, code) if err != nil { return nil, fmt.Errorf("github: token exchange failed %v", err) @@ -112,7 +113,7 @@ func (p *Provider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interf } // Refresh is a no-op for github, because github sessions never expire. -func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v interface{}) (*oauth2.Token, error) { +func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v identity.State) (*oauth2.Token, error) { t.Expiry = time.Now().Add(refreshDeadline) return t, nil } diff --git a/internal/identity/oidc/oidc.go b/internal/identity/oidc/oidc.go index 2cea249f4..262a22567 100644 --- a/internal/identity/oidc/oidc.go +++ b/internal/identity/oidc/oidc.go @@ -15,6 +15,7 @@ import ( "golang.org/x/oauth2" "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/internal/identity/identity" "github.com/pomerium/pomerium/internal/identity/oauth" "github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/internal/version" 
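Review bot: The GitHub provider now accepts `v identity.State` in Authenticate and Refresh but, as far as these hunks show, never calls `v.SetRawIDToken` — GitHub is plain OAuth2 and issues no id_token — so GitHub sessions keep an empty raw token and SignOut will send an empty `id_token_hint`. A sentence in each doc comment would make that intentional rather than an oversight, e.g. `// GitHub issues no id_token, so v.SetRawIDToken is deliberately never called.` While touching the Authenticate signature, its doc comment is also cut off mid-sentence ("...endpoint with the") and should be completed. Authenticate's body continues outside the hunk.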
@@ -105,7 +106,7 @@ func (p *Provider) GetSignInURL(state string) string { // Authenticate converts an authorization code returned from the identity // provider into a token which is then converted into a user session. -func (p *Provider) Authenticate(ctx context.Context, code string, v interface{}) (*oauth2.Token, error) { +func (p *Provider) Authenticate(ctx context.Context, code string, v identity.State) (*oauth2.Token, error) { // Exchange converts an authorization code into a token. oauth2Token, err := p.Oauth.Exchange(ctx, code) if err != nil { @@ -117,6 +118,10 @@ func (p *Provider) Authenticate(ctx context.Context, code string, v interface{}) return nil, fmt.Errorf("identity/oidc: failed getting id_token: %w", err) } + if rawIDToken, ok := oauth2Token.Extra("id_token").(string); ok { + v.SetRawIDToken(rawIDToken) + } + // hydrate `v` using claims inside the returned `id_token` // https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint if err := idToken.Claims(v); err != nil { @@ -148,7 +153,7 @@ func (p *Provider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interf // Refresh renews a user's session using an oidc refresh token without reprompting the user. // Group membership is also refreshed. // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens -func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v interface{}) (*oauth2.Token, error) { +func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v identity.State) (*oauth2.Token, error) { if t == nil { return nil, ErrMissingAccessToken } 
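Review bot: The raw id_token is read from `oauth2Token.Extra("id_token")` separately from the `p.getIDToken` call that (presumably) parses and verifies it; the two are only guaranteed to be the same string if getIDToken reads the same Extra value, which is outside this hunk. The same four lines are repeated in the Refresh hunk below (newToken.Extra), so a small helper both removes the duplication and gives one place to document that the stored string must be the one that was verified, not an arbitrary response field. In Refresh the helper should still run only on the `err == nil` path so an unverifiable refresh response never overwrites the stored token. Authenticate and Refresh both start and end outside their hunks.
```go
// setRawIDToken stores the id_token from the token response on v, if one was
// returned. It must only be called after getIDToken has verified that token,
// since the stored value is later sent to the provider as id_token_hint.
func setRawIDToken(v identity.State, t *oauth2.Token) {
	if rawIDToken, ok := t.Extra("id_token").(string); ok {
		v.SetRawIDToken(rawIDToken)
	}
}
// … unchanged: Authenticate and Refresh call setRawIDToken(v, token) in place of the inline assertion …
```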
@@ -165,6 +170,10 @@ func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v interface{}) // https://github.com/FusionAuth/fusionauth-issues/issues/110#issuecomment-481526544 idToken, err := p.getIDToken(ctx, newToken) if err == nil { + if rawIDToken, ok := newToken.Extra("id_token").(string); ok { + v.SetRawIDToken(rawIDToken) + } + if err := idToken.Claims(v); err != nil { return nil, fmt.Errorf("identity/oidc: couldn't unmarshal extra claims %w", err) } diff --git a/internal/identity/providers.go b/internal/identity/providers.go index 74d51ef42..3382cc2c1 100644 --- a/internal/identity/providers.go +++ b/internal/identity/providers.go @@ -10,6 +10,7 @@ import ( "golang.org/x/oauth2" + "github.com/pomerium/pomerium/internal/identity/identity" "github.com/pomerium/pomerium/internal/identity/oauth" "github.com/pomerium/pomerium/internal/identity/oauth/github" "github.com/pomerium/pomerium/internal/identity/oidc" @@ -23,8 +24,8 @@ import ( // Authenticator is an interface representing the ability to authenticate with an identity provider. type Authenticator interface { - Authenticate(context.Context, string, interface{}) (*oauth2.Token, error) - Refresh(context.Context, *oauth2.Token, interface{}) (*oauth2.Token, error) + Authenticate(context.Context, string, identity.State) (*oauth2.Token, error) + Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error) Revoke(context.Context, *oauth2.Token) error GetSignInURL(state string) string Name() string diff --git a/pkg/grpc/session/session.go b/pkg/grpc/session/session.go index 6fe126d7e..f801d9639 100644 --- a/pkg/grpc/session/session.go +++ b/pkg/grpc/session/session.go @@ -69,3 +69,11 @@ func (x *Session) AddClaims(claims identity.FlattenedClaims) { x.Claims[k] = svs } } + +// SetRawIDToken sets the raw id token. +func (x *Session) SetRawIDToken(rawIDToken string) { + if x.IdToken == nil { + x.IdToken = new(IDToken) + } + x.IdToken.Raw = rawIDToken +} 
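Review bot: `Session.SetRawIDToken` in the session.go hunk allocates a new IDToken whenever `x.IdToken == nil`, and saveSessionToDataBroker calls it unconditionally, so a session from a provider that never supplied an id token (the GitHub provider in this commit) now carries a non-nil, all-zero IdToken instead of nil. If any reader distinguishes `s.IdToken != nil` — I cannot see one from here — that changes its answer. Either skip the allocation for an empty value, `if rawIDToken == "" && x.IdToken == nil { return }`, or document the contract on the method: `// SetRawIDToken stores the raw id_token, creating the IDToken message if needed; an empty value still creates it.`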
diff --git a/pkg/grpc/session/session.pb.go b/pkg/grpc/session/session.pb.go index 70036e597..16c47cbf5 100644 --- a/pkg/grpc/session/session.pb.go +++ b/pkg/grpc/session/session.pb.go @@ -36,6 +36,7 @@ type IDToken struct { Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"` ExpiresAt *timestamp.Timestamp `protobuf:"bytes,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` IssuedAt *timestamp.Timestamp `protobuf:"bytes,4,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"` + Raw string `protobuf:"bytes,5,opt,name=raw,proto3" json:"raw,omitempty"` } func (x *IDToken) Reset() { @@ -98,6 +99,13 @@ func (x *IDToken) GetIssuedAt() *timestamp.Timestamp { return nil } +func (x *IDToken) GetRaw() string { + if x != nil { + return x.Raw + } + return "" +} + type OAuthToken struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -272,7 +280,7 @@ var file_session_proto_rawDesc = []byte{ 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, - 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xaf, 0x01, 0x0a, 0x07, 0x49, 0x44, 0x54, 0x6f, + 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc1, 0x01, 0x0a, 0x07, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 
@@ -283,45 +291,46 @@ var file_session_proto_rawDesc = []byte{ 0x12, 0x37, 0x0a, 0x09, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, - 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x41, 0x74, 0x22, 0xae, 0x01, 0x0a, 0x0a, 0x4f, 0x41, - 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x63, 0x63, 0x65, - 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, - 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x74, - 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x09, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x65, 0x78, - 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, - 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, - 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, - 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xf7, 0x02, 0x0a, 0x07, 0x53, - 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, - 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, - 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, - 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x39, 0x0a, 0x0a, 
0x65, 0x78, 0x70, - 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, - 0x65, 0x73, 0x41, 0x74, 0x12, 0x2b, 0x0a, 0x08, 0x69, 0x64, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, - 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x2e, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x07, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, - 0x6e, 0x12, 0x34, 0x0a, 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, - 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x2e, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x0a, 0x6f, 0x61, 0x75, - 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, - 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x55, 0x0a, - 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, - 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, - 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, - 0x72, 0x69, 0x75, 
0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x41, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x72, 0x61, 0x77, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x72, 0x61, 0x77, 0x22, 0xae, 0x01, 0x0a, 0x0a, + 0x4f, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1d, 0x0a, + 0x0a, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x09, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x39, 0x0a, 0x0a, + 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, + 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65, + 0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, + 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xf7, 0x02, 0x0a, + 0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, + 0x69, 0x64, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x39, 0x0a, 0x0a, 0x65, + 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x5f, 0x61, 0x74, 0x18, 0x04, 0x20, 
0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78, 0x70, + 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x2b, 0x0a, 0x08, 0x69, 0x64, 0x5f, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x07, 0x69, 0x64, 0x54, 0x6f, + 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x4f, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x0a, 0x6f, + 0x61, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x06, 0x63, 0x6c, 0x61, + 0x69, 0x6d, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x73, 0x65, 0x73, 0x73, + 0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69, + 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, + 0x55, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, + 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, + 0x73, 0x65, 
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/grpc/session/session.proto b/pkg/grpc/session/session.proto index 88b8547d2..b3119421a 100644 --- a/pkg/grpc/session/session.proto +++ b/pkg/grpc/session/session.proto @@ -12,6 +12,7 @@ message IDToken { string subject = 2; google.protobuf.Timestamp expires_at = 3; google.protobuf.Timestamp issued_at = 4; + string raw = 5; } message OAuthToken {
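Review bot: The new `string raw = 5;` field in IDToken has no comment, and unlike the neighbouring issuer/subject/expires_at fields its content is the complete signed token, i.e. a credential that is persisted in the databroker and later sent to the identity provider. A field comment stating both the content and the reason it is kept would help anyone deciding what may be logged or exported, e.g. `// raw is the id_token exactly as issued by the identity provider; it is kept only to be passed as id_token_hint when the session is signed out.`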