* authorize: add client mtls support * authorize: better error messages for envoy * switch from function to input * add TrustedCa to envoy config so that users are prompted for the correct client certificate * update documentation * fix invalid ClientCAFile * regenerate cache protobuf * avoid recursion, add test * move comment line * use http.StatusOK * various fixes
syntax = "proto3";
package authorize;
// Authorizer is the authorization decision service. The caller describes an
// inbound HTTP request together with the user's token (IsAuthorizedRequest)
// and receives a verdict (IsAuthorizedReply). Because IsAuthorizedReply.allow
// is a proto3 bool with no unset state, an empty or zero-valued reply decodes
// as allow=false, so a caller that honours the reply as-is fails closed.
service Authorizer {
  // IsAuthorized decides whether the described request may proceed. The
  // decision is carried in IsAuthorizedReply.allow; deny_reasons explains a
  // denial and http_status, when set, presumably carries the HTTP response
  // the caller should emit (confirm against the caller's handling).
  rpc IsAuthorized(IsAuthorizedRequest) returns (IsAuthorizedReply) {}
}
// IsAuthorizedRequest carries everything the Authorizer needs to decide a
// single HTTP request: the user's token plus a snapshot of the request as the
// caller saw it. The request_* field comments below follow the wording of
// Go's net/http.Request field docs, which suggests the caller fills them from
// an *http.Request — confirm against the proxy side.
//
// Trust note: every request_* value originates with the client (or with an
// intermediary in front of the caller). Policy that keys on host, headers or
// remote address should rely only on values the caller itself validates or
// overwrites.
message IsAuthorizedRequest {
  // User Context
  //
  // user_token is the credential identifying the user on whose behalf the
  // request is made (presumably the proxy's session token — confirm against
  // the caller). It is a bearer secret: keep it out of logs, deny_reasons and
  // error messages. The empty string means "no token"; proto3 strings have no
  // separate unset state.
  string user_token = 1;

  // Request Context
  //

  // request_method specifies the HTTP method (GET, POST, PUT, etc.).
  string request_method = 2;

  // request_url specifies the URI being requested (for server requests). For
  // the raw request-target exactly as the client sent it, see
  // request_request_uri.
  string request_url = 3;

  // request_host specifies the host on which the URL is sought. Per RFC 7230,
  // section 5.4, this is either the value of the "Host" header or the host
  // name given in the URL itself — in both cases a client-supplied value.
  string request_host = 4;

  // request_request_uri is the unmodified request-target of the Request-Line
  // (RFC 7230, Section 3.1.1) as sent by the client. Unlike request_url it is
  // not parsed or normalised, so use it when the exact bytes the client sent
  // matter.
  string request_request_uri = 5;

  // request_remote_addr allows HTTP servers and other software to record the
  // network address that sent the request, usually for logging. This schema
  // defines no format for it. NOTE(review): this is the caller's transport
  // peer; behind a load balancer or another proxy it names that hop, not the
  // end user, so it is weak evidence for an allow decision — confirm what the
  // caller populates here before relying on it.
  string request_remote_addr = 6;

  // headers represents key-value pairs in an HTTP header; map[string][]string.
  // Headers holds the values for one header name, in the order given.
  message Headers { repeated string value = 1; }

  // request_headers maps a header name to its values. Map wire order is
  // undefined, and this schema does not canonicalise header names, so policy
  // matching must not assume a particular key order or case. NOTE(review):
  // unless the caller strips them, client-supplied headers arrive here
  // unchanged; only headers the caller itself sets should be treated as
  // authoritative.
  map<string, Headers> request_headers = 7;
}
// IsAuthorizedReply is the Authorizer's verdict on one IsAuthorizedRequest,
// plus the identity attributes it resolved for the user and, optionally, an
// explicit HTTP response for the caller to return.
message IsAuthorizedReply {
  // allow is true when the request may proceed. As a proto3 bool it has no
  // unset state: an empty reply decodes as allow=false, i.e. denied.
  bool allow = 1;

  // session_expired flags that the user's session has expired. Presumably it
  // accompanies allow=false and tells the caller to send the user to
  // re-authenticate rather than return a plain denial — confirm against the
  // caller's handling.
  bool session_expired = 2; // special case

  // deny_reasons lists why the request was not allowed. NOTE(review): if the
  // caller surfaces these to the end user, keep them free of policy internals
  // and of other users' data, and never echo user_token into them.
  repeated string deny_reasons = 3;

  // signed_jwt is a JWT signed by the authorization service (presumably
  // asserting the identity below for an upstream to verify — confirm the
  // claims, audience and verification key on the consuming side). It is a
  // bearer assertion: treat it as sensitive and keep it out of logs.
  string signed_jwt = 4;

  // user is the user identifier (presumably resolved from user_token).
  string user = 5;

  // email is that user's email address; empty when not known, since proto3
  // strings have no separate unset state.
  string email = 6;

  // groups lists the group memberships resolved for the user.
  repeated string groups = 7;

  // http_status, when set, carries an explicit HTTP response (code, message,
  // headers) for the caller to return. Being a message-typed field it has
  // explicit presence: unset means "use the caller's default handling".
  HTTPStatus http_status = 8;
}
// HTTPStatus describes an HTTP response for the caller to return: a status
// code, a message and response headers. Referenced from
// IsAuthorizedReply.http_status.
message HTTPStatus {
  // code is the HTTP status code to return. The proto3 default 0 is not a
  // valid HTTP status, so callers should treat code == 0 as "not specified".
  int32 code = 1;

  // message is the text that accompanies the status (presumably the response
  // body or reason phrase — confirm how the caller renders it).
  string message = 2;

  // headers are response headers to set, one value per header name; a
  // multi-valued header cannot be expressed here. NOTE(review): this schema
  // places no constraints on header values, so whoever builds a value from
  // request data (e.g. a Location derived from request_url) is responsible
  // for validating it — no CR/LF, no unintended redirect target.
  map<string, string> headers = 3;
}