package oidc.token.v1

Get desktop application:
View/edit binary Protocol Buffers messages

• rpc Introspect (IntrospectRequest, IntrospectResponse)

  introspection_api.proto:31

  message IntrospectRequest

  introspection_api.proto:37

  https://tools.ietf.org/html/rfc7662#section-2.1

  • string issuer = 1

    REQUIRED. Token issuer URL.

  • optional client.v1.Client client = 2

    REQUIRED. Client that invoke the token introspection.

  • string token = 3

    REQUIRED. The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens, this is the "refresh_token" value returned from the token endpoint as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types are outside the scope of this specification.

  • optional string token_type_hint = 4

    OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. Values for this field are defined in the "OAuth Token Type Hints" registry defined in OAuth Token Revocation [RFC7009]

  message IntrospectResponse

  introspection_api.proto:65

  https://tools.ietf.org/html/rfc7662#section-2.2

  • optional core.v1.Error error = 1

  • optional Token token = 2

    OPTIONAL. The matching token instance.

• rpc Revoke (RevokeRequest, RevokeResponse)

  revocation_api.proto:30

  message RevokeRequest

  revocation_api.proto:36

  https://tools.ietf.org/html/rfc7009#section-2.1

  • string issuer = 1

    REQUIRED. Token issuer URL.

  • optional client.v1.Client client = 2

    REQUIRED. Client that invoke the token revocation.

  • string token = 3

    REQUIRED. The token that the client wants to get revoked.

  • optional string token_type_hint = 4

    OPTIONAL. A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values:

  message RevokeResponse

  revocation_api.proto:58

  • optional core.v1.Error error = 1

Used in: Token

• string issuer = 1

  OPTIONAL. Token issuer URI

• string subject = 2

  OPTIONAL. Identity subject

• string client_id = 3

  OPTIONAL. Client identifier.

• optional Actor act = 4

  OPTIONAL. Actor chain.

• string access_token = 1

• string token_type = 2

• fixed64 expires_in = 3

• optional string refresh_token = 4

• optional string id_token = 5

Used in: flow.v1.TokenResponse, IntrospectResponse

• string issuer = 1

  REQUIRED. Token issuer.

• TokenType token_type = 2

  REQUIRED. Token type.

• string token_id = 3

  REQUIRED. Token identifier.

• optional TokenMeta metadata = 4

  REQUIRED. Token meta output of token endpoint.

• TokenStatus status = 5

  REQUIRED. Token status.

• string value = 6

  REQUIRED. Final token value.

• optional string phantom = 7

  OPTIONAL. Phantom token value.

• optional TokenConfirmation confirmation = 8

  OPTIONAL. Token confirmation

• repeated Actor actor = 9

  OPTIONAL. Actor.

• repeated Actor may_act = 10

  OPTIONAL. Authorized Actor.

Used in: flow.v1.RegistrationRequest, flow.v1.TokenRequest, Token

• string jkt = 1

Used in: Token

• string issuer = 1

  REQUIRED. Token issuer URI

• string subject = 2

  REQUIRED. Identity subject

• fixed64 issued_at = 3

  REQUIRED. Unix timestamp of the creation date

• fixed64 not_before = 4

  REQUIRED. Unix timestamp of the usability date

• fixed64 expires_at = 5

  REQUIRED. Unix timestamp of the expiration date

• string client_id = 6

  REQUIRED. Token owner.

• string scope = 7

  REQUIRED. Space delimited JSON string containing requested scope.

• string audience = 8

  REQUIRED. Targeted application identifier.

• optional string acr = 9

  OPTIONAL. String specifying an authentication context class reference value that identifies the authentication context class that was satisfied by the user-authentication event performed. https://datatracker.ietf.org/doc/html/rfc9470#name-oauth-20-token-introspectio

• optional fixed64 auth_time = 10

  OPTIONAL. Time when the user authentication occurred. A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the date/time of the authentication event. https://datatracker.ietf.org/doc/html/rfc9470#name-oauth-20-token-introspectio

Used in: Token

• TOKEN_STATUS_UNSPECIFIED = 0

• TOKEN_STATUS_UNKNOWN = 1

• TOKEN_STATUS_ACTIVE = 2

• TOKEN_STATUS_EXPIRED = 3

• TOKEN_STATUS_REVOKED = 4

Used in: Token

• TOKEN_TYPE_UNSPECIFIED = 0

• TOKEN_TYPE_UNKNOWN = 1

• TOKEN_TYPE_ACCESS_TOKEN = 2

• TOKEN_TYPE_REFRESH_TOKEN = 3

• TOKEN_TYPE_ID_TOKEN = 4

• TOKEN_TYPE_PHANTOM_TOKEN = 5