3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-04 21:06:03 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/internal/grpc/authorize/authorize.proto
Bobby DeSimone 8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-10 11:19:26 -07:00

41 lines
1.2 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package authorize;
service Authorizer {
rpc IsAuthorized(IsAuthorizedRequest) returns (IsAuthorizedReply) {}
}
message IsAuthorizedRequest {
// User Context
//
string user_token = 1;
// Request Context
//
// Method specifies the HTTP method (GET, POST, PUT, etc.).
string request_method = 2;
// URL specifies either the URI being requested
string request_url = 3;
// host specifies the host on which the URL per RFC 7230, section 5.4
string request_host = 4;
// request_uri is the unmodified request-target of the
// Request-Line (RFC 7230, Section 3.1.1) as sent by the client
string request_request_uri = 5;
// RemoteAddr allows HTTP servers and other software to record
// the network address that sent the request, usually for
string request_remote_addr = 6;
// headers represents key-value pairs in an HTTP header; map[string][]string
message Headers { repeated string value = 1; }
map<string, Headers> request_headers = 7;
}
message IsAuthorizedReply {
bool allow = 1;
bool session_expired = 2; // special case
repeated string deny_reasons = 3;
string signed_jwt = 4;
string user = 5;
string email = 6;
repeated string groups = 7;
}
Reference in a new issue View git blame Copy permalink