Default package
Get desktop application:
View/edit binary Protocol Buffers messages
/////////////////////////////////////////////////////////////////////// X509-SVID Profile ///////////////////////////////////////////////////////////////////////
rpc FetchX509SVID (, stream )
workload.proto:14Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to, as well as related information like trust bundles and CRLs. As this information changes, subsequent messages will be streamed from the server.
message
workload.proto:43The X509SVIDRequest message conveys parameters for requesting an X.509-SVID. There are currently no request parameters.
(message has no fields)
message
workload.proto:48The X509SVIDResponse message carries X.509-SVIDs and related information, including a set of global CRLs and a list of bundles the workload may use for federating with foreign trust domains.
repeated svids = 1
Required. A list of X509SVID messages, each of which includes a single X.509-SVID, its private key, and the bundle for the trust domain.
repeated bytes crl = 2
Optional. ASN.1 DER encoded certificate revocation lists.
map<string, bytes> federated_bundles = 3
Optional. CA certificate bundles belonging to foreign trust domains that the workload should trust, keyed by the SPIFFE ID of the foreign trust domain. Bundles are ASN.1 DER encoded.
rpc FetchX509Bundles (, stream )
workload.proto:20Fetch trust bundles and CRLs. Useful for clients that only need to validate SVIDs without obtaining an SVID for themself. As this information changes, subsequent messages will be streamed from the server.
message
workload.proto:87The X509BundlesRequest message conveys parameters for requesting X.509 bundles. There are currently no such parameters.
(message has no fields)
message
workload.proto:92The X509BundlesResponse message carries a set of global CRLs and a map of trust bundles the workload should trust.
repeated bytes crl = 1
Optional. ASN.1 DER encoded certificate revocation lists.
map<string, bytes> bundles = 2
Required. CA certificate bundles belonging to trust domains that the workload should trust, keyed by the SPIFFE ID of the trust domain. Bundles are ASN.1 DER encoded.
rpc FetchJWTSVID (, )
workload.proto:29Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to, for the requested audience. If an optional SPIFFE ID is requested, only the JWT-SVID for that SPIFFE ID is returned.
message
workload.proto:102repeated string audience = 1
Required. The audience(s) the workload intends to authenticate against.
string spiffe_id = 2
Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all JWT-SVIDs to which the workload is entitled are requested.
message
workload.proto:112The JWTSVIDResponse message conveys JWT-SVIDs.
repeated svids = 1
Required. The list of returned JWT-SVIDs.
rpc FetchJWTBundles (, stream )
workload.proto:34Fetches the JWT bundles, formatted as JWKS documents, keyed by the SPIFFE ID of the trust domain. As this information changes, subsequent messages will be streamed from the server.
message
workload.proto:134The JWTBundlesRequest message conveys parameters for requesting JWT bundles. There are currently no such parameters.
(message has no fields)
message
workload.proto:137The JWTBundlesReponse conveys JWT bundles.
map<string, bytes> bundles = 1
Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust domain.
rpc ValidateJWTSVID (, )
workload.proto:38Validates a JWT-SVID against the requested audience. Returns the SPIFFE ID of the JWT-SVID and JWT claims.
message
workload.proto:145The ValidateJWTSVIDRequest message conveys request parameters for JWT-SVID validation.
string audience = 1
Required. The audience of the validating party. The JWT-SVID must contain an audience claim which contains this value in order to succesfully validate.
string svid = 2
Required. The JWT-SVID to validate, encoded using JWS Compact Serialization.
message
workload.proto:157The ValidateJWTSVIDReponse message conveys the JWT-SVID validation results.
string spiffe_id = 1
Required. The SPIFFE ID of the validated JWT-SVID.
optional claims = 2
Optional. Arbitrary claims contained within the payload of the validated JWT-SVID.
message
workload.proto:118The JWTSVID message carries the JWT-SVID token and associated metadata.
Used in:
string spiffe_id = 1
Required. The SPIFFE ID of the JWT-SVID.
string svid = 2
Required. Encoded JWT using JWS Compact Serialization.
string hint = 3
Optional. An operator-specified string used to provide guidance on how this identity should be used by a workload when more than one SVID is returned. For example, `internal` and `external` to indicate an SVID for internal or external use, respectively.
message
workload.proto:64The X509SVID message carries a single SVID and all associated information, including the X.509 bundle for the trust domain.
Used in:
string spiffe_id = 1
Required. The SPIFFE ID of the SVID in this entry
bytes x509_svid = 2
Required. ASN.1 DER encoded certificate chain. MAY include intermediates, the leaf certificate (or SVID itself) MUST come first.
bytes x509_svid_key = 3
Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted.
bytes bundle = 4
Required. ASN.1 DER encoded X.509 bundle for the trust domain.
string hint = 5
Optional. An operator-specified string used to provide guidance on how this identity should be used by a workload when more than one SVID is returned. For example, `internal` and `external` to indicate an SVID for internal or external use, respectively.