mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 02:16:28 +02:00
83 lines
3.1 KiB
Protocol Buffer
83 lines
3.1 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package oauth21;
|
|
|
|
import "buf/validate/validate.proto";
|
|
|
|
option go_package = "github.com/pomerium/pomerium/internal/oauth21/gen";
|
|
|
|
// Defines messages for OAuth 2.1 Token Endpoint requests and responses.
|
|
// Based on draft-ietf-oauth-v2-1-12.
|
|
|
|
// Represents the request sent to the Token Endpoint (Section 3.2.2).
|
|
// Different parameters are required based on the grant_type.
|
|
message TokenRequest {
|
|
// REQUIRED. Identifies the grant type being used.
|
|
// See Sections 3.2.2, 4.1.3, 4.2.1, 4.3.1, 4.4.
|
|
string grant_type = 1 [
|
|
(buf.validate.field).string = {
|
|
in: ["authorization_code", "refresh_token", "client_credentials"],
|
|
}
|
|
];
|
|
|
|
// --- Authorization Code Grant Parameters (Section 4.1.3) ---
|
|
|
|
// REQUIRED for grant_type="authorization_code".
|
|
// The authorization code received from the authorization server.
|
|
optional string code = 2 [
|
|
(buf.validate.field).string = {
|
|
min_len: 1,
|
|
}
|
|
];
|
|
option (buf.validate.message).cel = {
|
|
id: "token_request.code_required_for_auth_code_grant",
|
|
message: "code is required when grant_type is 'authorization_code'",
|
|
expression: "(this.grant_type != 'authorization_code') || has(this.code)",
|
|
};
|
|
|
|
// REQUIRED for grant_type="authorization_code" if the original authorization request
|
|
// included a "code_challenge". MUST NOT be sent otherwise. (Section 4.1.3)
|
|
// The original PKCE code verifier string.
|
|
optional string code_verifier = 3 [(buf.validate.field).string = {
|
|
min_len: 43,
|
|
max_len: 128,
|
|
}];
|
|
|
|
// REQUIRED for grant_type="authorization_code" if the client is public
|
|
// and not authenticating with the authorization server via other means. (Section 4.1.3)
|
|
// Also used for body-parameter client authentication (Section 2.4.1) or
|
|
// when grant_type requires public client identification (Section 3.2.2).
|
|
optional string client_id = 4 [
|
|
(buf.validate.field).string.min_len = 1
|
|
];
|
|
|
|
// --- Refresh Token Grant Parameters (Section 4.3.1) ---
|
|
|
|
// REQUIRED for grant_type="refresh_token".
|
|
// The refresh token issued to the client.
|
|
optional string refresh_token = 5 [
|
|
(buf.validate.field).string = {
|
|
min_len: 1,
|
|
}
|
|
];
|
|
option (buf.validate.message).cel = {
|
|
id: "token_request.refresh_token_required_for_refresh_token_grant",
|
|
message: "refresh_token is required when grant_type is 'refresh_token'",
|
|
expression: "(this.grant_type != 'refresh_token') || has(this.refresh_token)",
|
|
};
|
|
|
|
// --- Client Credentials Grant & Refresh Token Grant Parameters ---
|
|
|
|
// OPTIONAL for grant_type="client_credentials" (Section 4.2.1) or
|
|
// grant_type="refresh_token" (Section 4.3.1).
|
|
// The requested scope of the access request. Space-delimited list.
|
|
optional string scope = 6 [(buf.validate.field).string.min_len = 1];
|
|
|
|
// --- Client Authentication via Body Parameters (Section 2.4.1) ---
|
|
// Used when including credentials directly in the request body instead of e.g. HTTP Basic Auth.
|
|
// client_id (field 4) is also used in this case.
|
|
|
|
// REQUIRED when using body parameters for client authentication.
|
|
// The client secret.
|
|
optional string client_secret = 7 [(buf.validate.field).string.min_len = 1];
|
|
}
|