package oidc.flow.v1

Get desktop application:
View/edit binary Protocol Buffers messages

• rpc Authorize (AuthorizeRequest, AuthorizeResponse)

  flow_api.proto:33

  message AuthorizeRequest

  flow_api.proto:39

  • string issuer = 1

    REQUIRED. Issuer uri.

  • optional client.v1.Client client = 2

    REQUIRED. Client that requests the authorization requests registration.

  • string subject = 3

    REQUIRED. User identity.

  • optional AuthorizationRequest request = 4

    REQUIRED. Authorization request object.

  message AuthorizeResponse

  flow_api.proto:54

  https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2

  • optional core.v1.Error error = 1

  • string code = 2

    REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.

  • string state = 3

    REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client.

  • string redirect_uri = 4

    REQUIRED. Assembled redirection uri to application.

  • string client_id = 5

    REQUIRED. the client_id of the client the response is intended for.

  • fixed64 expires_in = 6

    A JSON number that represents the lifetime of the authorization code in seconds. The authorization code lifetime is at the discretion of the AS.

  • string issuer = 7

    REQUIRED https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ The "iss" parameter value is the issuer identifier of the authorization server which created the authorization response, as defined in [RFC8414]. Its value MUST be a URL that uses the "https" scheme without any query or fragment components. If the authorization server provides metadata as defined in [RFC8414], the value of the parameter "iss" MUST be identical to the authorization server metadata value "issuer".

  • string response_mode = 8

    REQUIRED. The authorization request request response mode.

• rpc Token (TokenRequest, TokenResponse)

  flow_api.proto:34

  message TokenRequest

  flow_api.proto:137

  • string issuer = 1

    REQUIRED. Issuer url.

  • optional client.v1.Client client = 2

    REQUIRED. The client that request token generation.

  • string grant_type = 3

    REQUIRED. The grant_type value to use.

  • optional string scope = 4

    OPTIONAL. Scope to use for token request

  • optional token.v1.TokenConfirmation token_confirmation = 5

    OPTIONAL. Token confirmation.

  • repeated string resource = 6

    OPTIONAL https://tools.ietf.org/html/rfc8707 Indicates the target service or resource to which access is being requested. Its value MUST be an absolute URI, as specified by Section 4.3 of [RFC3986]. The URI MUST NOT include a fragment component. It SHOULD NOT include a query component, but it is recognized that there are cases that make a query component a useful and necessary part of the resource parameter, such as when one or more query parameters are used to scope requests to an application. The "resource" parameter URI value is an identifier representing the identity of the resource, which MAY be a locator that corresponds to a network-addressable location where the target resource is hosted. Multiple "resource" parameters MAY be used to indicate that the requested token is intended to be used at multiple resources.

  • optional string audience = 7

    OPTIONAL. The logical name of the target service where the client intends to use the requested security token. This serves a purpose similar to the "resource" parameter but with the client providing a logical name for the target service. Interpretation of the name requires that the value be something that both the client and the authorization server understand. An OAuth client identifier, a SAML entity identifier [OASIS.saml-core-2.0-os], and an OpenID Connect Issuer Identifier [OpenID.Core] are examples of things that might be used as "audience" parameter values. However, "audience" values used with a given authorization server must be unique within that server to ensure that they are properly interpreted as the intended type of value. Multiple "audience" parameters may be used to indicate that the issued token is intended to be used at the multiple audiences listed. The "audience" and "resource" parameters may be used together to indicate multiple target services with a mix of logical names and resource URIs.

  • oneof grant

    REQUIRED.

    • GrantAuthorizationCode authorization_code = 10

      tools.ietf.org/html/rfc6749#section-1.3.1

    • GrantClientCredentials client_credentials = 11

      tools.ietf.org/html/rfc6749#section-4.4

    • GrantDeviceCode device_code = 12

      tools.ietf.org/html/rfc8628#section-3.4

    • GrantRefreshToken refresh_token = 13

      tools.ietf.org/html/rfc6749#section-1.5

    • GrantTokenExchange token_exchange = 14

      https://tools.ietf.org/html/rfc8693#section-2.1

  message TokenResponse

  flow_api.proto:204

  • optional core.v1.Error error = 1

  • optional token.v1.Token access_token = 2

    REQUIRED. Access token information used to generate the final one.

  • optional token.v1.Token refresh_token = 3

    OPTIONAL. Refresh token information used to generate the final one.

  • optional token.v1.Token id_token = 4

    OPTIONAL. ID Token information.

  • string issuer = 5

    REQUIRED. Issuer url.

  • optional string issued_token_type = 6

    OPTIONAL. An identifier, as described in Section 3, for the representation of the issued security token. REQUIRED for RFC8693.

  • optional string scope = 7

    OPTIONAL if the scope of the issued security token is identical to the scope requested by the client; otherwise, it is REQUIRED.

An Authentication Request is an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.

Used in: AuthorizeRequest, RegistrationRequest, session.v1.AuthorizationCodeSession

• string scope = 1

  REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.

• string response_type = 2

  REQUIRED. OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.

• string client_id = 3

  REQUIRED. OAuth 2.0 Client Identifier valid at the Authorization Server.

• string redirect_uri = 4

  REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.

• string state = 5

  RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

• optional string response_mode = 6

  OPTIONAL. Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.

• string nonce = 7

  OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.5.3

• optional string display = 8

  OPTIONAL. ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.

• optional string prompt = 9

  OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

• optional uint64 max_age = 10

  OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value.

• optional string ui_locales = 11

  OPTIONAL. End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

• optional string id_token_hint = 12

  OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.

• optional string acr_values = 13

  OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

• optional string request = 14

  OPTIONAL. This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the request parameters.

• optional string request_uri = 15

  OPTIONAL. This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.

• string code_challenge = 16

  REQUIRED. This parameter enables PKCE flow.

• string code_challenge_method = 17

  REQUIRED. This parameter enables PKCE flow.

• string audience = 18

  REQUIRED. Add targeted audience.

• optional string dpop_proof = 19

  OPTIONAL. https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-5

• repeated string resource = 20

  OPTIONAL https://tools.ietf.org/html/rfc8707 Indicates the target service or resource to which access is being requested. Its value MUST be an absolute URI, as specified by Section 4.3 of [RFC3986]. The URI MUST NOT include a fragment component. It SHOULD NOT include a query component, but it is recognized that there are cases that make a query component a useful and necessary part of the resource parameter, such as when one or more query parameters are used to scope requests to an application. The "resource" parameter URI value is an identifier representing the identity of the resource, which MAY be a locator that corresponds to a network-addressable location where the target resource is hosted. Multiple "resource" parameters MAY be used to indicate that the requested token is intended to be used at multiple resources.

• optional string iss = 21

  OPTIONAL. Issuer url used for JARM decoding.

• optional string login_hint_token = 22

  OPTIONAL. A token containing information identifying the end-user for whom authentication is being requested. The particular details and security requirements for the login_hint_token as well as how the end-user is identified by its content are deployment or profile specific.

• optional string login_hint = 23

  OPTIONAL. A hint to the OpenID Provider regarding the end-user for whom authentication is being requested. The value may contain an email address, phone number, account number, subject identifier, username, etc., which identifies the end-user to the OP. The value may be directly collected from the user by the Client before requesting authentication at the OP, for example, but may also be obtained by other means.

https://tools.ietf.org/html/rfc8628#section-3.1

Used in: session.v1.DeviceCodeSession

• string issuer = 1

  REQUIRED. Issuer uri.

• string client_id = 2

  REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].

• optional string scope = 3

  OPTIONAL. The scope of the access request as defined by Section 3.3 of [RFC6749].

• optional string audience = 4

  OPTIONAL. The target audience.

https://tools.ietf.org/html/rfc8628#section-3.2

• optional core.v1.Error error = 1

• string device_code = 2

  REQUIRED. The device verification code.

• string user_code = 3

  REQUIRED. The end-user verification code.

• string verification_uri = 4

  REQUIRED. The end-user verification URI on the authorization server. The URI should be short and easy to remember as end users will be asked to manually type it into their user agent.

• optional string verification_uri_complete = 5

  OPTIONAL. A verification URI that includes the "user_code" (or other information with the same function as the "user_code"), which is designed for non-textual transmission.

• fixed64 expires_in = 6

  REQUIRED. The lifetime in seconds of the "device_code" and "user_code".

• fixed64 interval = 7

  OPTIONAL. The minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint. If no value is provided, clients MUST use 5 as the default.

• string issuer = 8

  REQUIRED. Issuer url.

• string issuer = 1

  REQUIRED. Issuer uri.

• string user_code = 2

  REQUIRED. The end-user verification code.

• string subject = 3

  REQUIRED. User identity.

• optional core.v1.Error error = 1

Used in: TokenRequest

• string code = 1

• string redirect_uri = 2

• string code_verifier = 3

• optional string dpop_jkt = 4

  OPTIONAL. Authorization Code Binding to DPoP Key. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-09#section-10

Used in: TokenRequest

(message has no fields)

https://tools.ietf.org/html/rfc8628#section-3.4

Used in: TokenRequest

• string device_code = 1

  REQUIRED. The device verification code, "device_code" from the device authorization response, defined in Section 3.2.

• string client_id = 2

  REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].

Used in: TokenRequest

• string refresh_token = 1

https://tools.ietf.org/html/rfc8693#section-2.1

Used in: TokenRequest

• optional string requested_token_type = 1

  OPTIONAL. An identifier, as described in Section 3, for the type of the requested security token. If the requested type is unspecified, the issued token type is at the discretion of the authorization server and may be dictated by knowledge of the requirements of the service or resource indicated by the "resource" or "audience" parameter.

• string subject_token = 2

  REQUIRED. A security token that represents the identity of the party on behalf of whom the request is being made. Typically, the subject of this token will be the subject of the security token issued in response to the request.

• string subject_token_type = 3

  REQUIRED. An identifier, as described in Section 3, that indicates the type of the security token in the "subject_token" parameter.

• optional string actor_token = 4

  OPTIONAL. A security token that represents the identity of the acting party. Typically, this will be the party that is authorized to use the requested security token and act on behalf of the subject.

• optional string actor_token_type = 5

  An identifier, as described in Section 3, that indicates the type of the security token in the "actor_token" parameter. This is REQUIRED when the "actor_token" parameter is present in the request but MUST NOT be included otherwise.

• string issuer = 1

  REQUIRED. Issuer uri.

• optional client.v1.Client client = 2

  REQUIRED. Client that requests the authorization requests registration.

• optional AuthorizationRequest request = 3

  REQUIRED. The request to register.

• optional token.v1.TokenConfirmation confirmation = 4

  OPTIONAL. DPoP Proof confirmation.

• optional core.v1.Error error = 1

  https://tools.ietf.org/html/draft-lodderstedt-oauth-par-01#section-2.2

• string request_uri = 2

  The request URI corresponding to the authorization request posted. This URI is used as reference to the respective request data in the subsequent authorization request only. The way the authorization process obtains the authorization request data is at the discretion of the authorization server and out of scope of this specification. There is no need to make the authorization request data available to other parties via this URI.

• fixed64 expires_in = 3

  A JSON number that represents the lifetime of the request URI in seconds. The request URI lifetime is at the discretion of the AS.

• string issuer = 4

  Issuer URI.