syntax = "proto3";
package auth;
import "google/protobuf/timestamp.proto";
/// Role a client asks to be issued tokens for; carried in
/// GenerateAuthChallengeRequest.role.
///
/// proto3 enums are open: a number outside this list survives decoding, so a
/// receiver needs an explicit reject path for values it does not recognise.
enum Role {
  /// NOTE(review): RELAYER is the zero value. In proto3 an unset `role` field
  /// decodes as 0, so an omitted role is indistinguishable from an explicit
  /// RELAYER request. The role is a client claim; the receiver should check it
  /// against what the pubkey is entitled to rather than trust the field.
  /// Renumbering would break the wire contract, hence documented, not changed.
  RELAYER = 0;
  SEARCHER = 1;
  VALIDATOR = 2;
  SHREDSTREAM_SUBSCRIBER = 3;
}
/// Request for AuthService.GenerateAuthChallenge.
///
/// The message holds only a role and a public key; it carries no signature, so
/// nothing in it proves ownership of the key at this step.
message GenerateAuthChallengeRequest {
  /// Role the client is attempting to generate tokens for.
  /// Decodes as RELAYER (0) when the field is left unset.
  Role role = 1;

  /// Client's 32 byte pubkey.
  /// `bytes` has no length constraint on the wire, so the 32 byte size has to
  /// be enforced by the receiver.
  bytes pubkey = 2;
}
/// Response for AuthService.GenerateAuthChallenge.
message GenerateAuthChallengeResponse {
  /// Challenge the client is expected to sign and send back in
  /// GenerateAuthTokensRequest.
  /// NOTE(review): the challenge format, its lifetime and whether it is
  /// single-use are not specified in this file; confirm against the server,
  /// since replay resistance depends on them.
  string challenge = 1;
}
/// Request for AuthService.GenerateAuthTokens: returns the challenge together
/// with the client's public key and a signature over the challenge.
message GenerateAuthTokensRequest {
  /// The pre-signed challenge.
  /// NOTE(review): presumably the unmodified string from
  /// GenerateAuthChallengeResponse.challenge; confirm.
  string challenge = 1;

  /// The signing keypair's corresponding 32 byte pubkey.
  /// The length is not enforced by the `bytes` type; the receiver must check it.
  bytes client_pubkey = 2;

  /// The 64 byte signature of the challenge signed by the client's private key. The private key must correspond to
  /// the pubkey passed in the [GenerateAuthChallenge] method. The client is expected to sign the challenge token
  /// prepended with their pubkey. For example sign(pubkey, challenge).
  ///
  /// NOTE(review): the signature scheme and the exact byte layout of the
  /// signed message are not named in this file; confirm both sides agree. The
  /// 64 byte length is likewise a receiver-side check.
  bytes signed_challenge = 3;
}
/// A token string paired with its expiry. Used for both the access token and
/// the refresh token in GenerateAuthTokensResponse.
message Token {
  /// The token.
  /// This is the credential itself; keep it out of logs and error messages.
  /// NOTE(review): the token format is not specified in this file.
  string value = 1;

  /// When the token will expire.
  /// Informational for the client; expiry still has to be enforced where the
  /// token is accepted.
  google.protobuf.Timestamp expires_at_utc = 2;
}
/// Response for AuthService.GenerateAuthTokens: the initial access/refresh
/// token pair.
message GenerateAuthTokensResponse {
  /// The token granting access to resources.
  Token access_token = 1;

  /// The token used to refresh the access_token. This has a longer TTL than the access_token.
  /// Because it outlives the access token, it warrants stricter storage and
  /// handling on the client.
  Token refresh_token = 2;
}
/// Request for AuthService.RefreshAccessToken.
///
/// The refresh token is the only field: no pubkey or signature accompanies
/// it, so possession of the token string is all this message presents.
message RefreshAccessTokenRequest {
  /// Non-expired refresh token obtained from the [GenerateAuthTokens] method.
  /// NOTE(review): a plain string here, whereas the response side uses Token;
  /// presumably this is Token.value of the refresh token. Confirm.
  string refresh_token = 1;
}
/// Response for AuthService.RefreshAccessToken.
///
/// Only an access token is returned; the schema has no field for a replacement
/// refresh token, so refresh-token rotation is not expressed by this message.
message RefreshAccessTokenResponse {
  /// Fresh access_token.
  Token access_token = 1;
}
/// This service is responsible for issuing auth tokens to clients for API access.
///
/// Flow as described by the messages: GenerateAuthChallenge returns a
/// challenge, GenerateAuthTokens exchanges the signed challenge for an
/// access/refresh token pair, and RefreshAccessToken exchanges a refresh token
/// for a new access token.
///
/// NOTE(review): tokens and challenges travel in these messages as plain
/// fields. Transport protection, rate limiting and challenge expiry are not
/// visible in this file and need to be confirmed in the deployment.
service AuthService {
  /// Returns a challenge, client is expected to sign this challenge with an appropriate keypair in order to obtain access tokens.
  /// The request carries no proof of key ownership, so this call is reachable
  /// by any caller that supplies a role and a pubkey.
  rpc GenerateAuthChallenge(GenerateAuthChallengeRequest) returns (GenerateAuthChallengeResponse) {}

  /// Provides the client with the initial pair of auth tokens for API access.
  /// The request is expected to carry a signature over the challenge made with
  /// the key passed to GenerateAuthChallenge.
  rpc GenerateAuthTokens(GenerateAuthTokensRequest) returns (GenerateAuthTokensResponse) {}

  /// Call this method with a non-expired refresh token to obtain a new access token.
  rpc RefreshAccessToken(RefreshAccessTokenRequest) returns (RefreshAccessTokenResponse) {}
}