package types

Get desktop application:
View/edit binary Protocol Buffers messages

BearerToken is information authenticating a single request. It's intended to be wrapped in a SecureToken.

• string username = 1

• string request_id = 2

Credential represents a WebAuthn public-key credential.

• int64 id = 1

  A synthetic identifier to distingish between cases where a credential is revoked and re-added, or two users have the same credential.

• bytes credential_id = 2

  The id of the credential, as determined by the authenticator.

• bytes public_key = 3

  The public key of the credential, used to verify signataures from an authenticator.

• optional User user = 4

  The user that enrolled this credential.

• string name = 5

  The name that the user gave this; for display purposes only.

• optional google.protobuf.Timestamp created_at = 6

  When this credential was enrolled.

• optional google.protobuf.Timestamp deleted_at = 7

  When this credential was revoked, or zero if not revoked.

• bytes created_by_session_id = 8

  The session id that was in use to access the enrollment page. We don't use this anywhere, it's just for audit purposes. (That's why it's just the ID and not the full Session object.)

• bytes aaguid = 9

  The AAGUID of the authenticator. (Supposedly this identifies the manufacturer of the authenticator.)

• int64 sign_count = 10

  The last-seen sign count of the authenticator. If the sign count is less than this when logging in, we know the credential has been cloned.

Header is an HTTP header.

Used in: jsso.Allow

• string key = 1

• string value = 2

RedirectToken is a request to redirect to a new URI. It is issued when authentication fails to allow the user to immediately go to their original destination after they log in, without allowing arbitrary sites on the Internet to trick you into visiting them.

• string uri = 1

• optional google.protobuf.Any message = 1

  We use an Any here because it includes the type of the message. This means that when we sign one of these tokens, we also sign the type of the token, ensuring that validation does not succeed on the wrong type of message.

• optional google.protobuf.Timestamp issued_at = 2

  When this token was created.

Session links a token (the id) and a user. If expires_at is less than or equal to the current time, the session is expired.

• bytes id = 1

• optional User user = 2

• optional SessionMetadata metadata = 3

• optional google.protobuf.Timestamp created_at = 4

• optional google.protobuf.Timestamp expires_at = 5

• repeated string taints = 6

SessionMetadata stores extra information about a session. Extra information isn't used by JSSO itself, but might be useful for audit logs, evaluating policy rules, etc.

Used in: Session

• string ip_address = 1

• string user_agent = 2

• string revocation_reason = 3

SetCookieRequest is a request to set a session cookie. It's intended to be wrapped in a SecureToken, so that a gRPC request can return a token and it can be passed to a regular HTTP service that sets an HttpOnly cookie.

• bytes session_id = 1

  The session ID to set.

• string redirect_url = 2

  Where to redirect after setting the cookie.

• optional google.protobuf.Timestamp session_expires_at = 3

  When the session cookie should expire.

User represents something that can log in.

Used in: jsso.EditUserReply, jsso.EditUserRequest, jsso.GenerateEnrollmentLinkRequest, jsso.StartEnrollmentReply, jsso.WhoAmIReply, Credential, Session

• int64 id = 1

• string username = 2

• optional google.protobuf.Timestamp created_at = 3

• optional google.protobuf.Timestamp disabled_at = 4