github_com_openshift_api_oauth_v1.proto
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
//
// NOTE(review): the package declared below does not match the file name this
// listing is published under (github_com_openshift_api_oauth_v1.proto).
// Confirm the package against the upstream source before generating code
// from this copy.
syntax = 'proto2';

package gb.xjqchip.workers.dev.openshift.api.oauth.v1;

// Of these imports, only meta/v1 is referenced by the messages in this file
// (ObjectMeta and ListMeta); no message here uses a type from the others.
import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "v1";
// ClusterRoleScopeRestriction describes restrictions on cluster role scopes.
//
// It is referenced from ScopeRestriction.clusterRole and therefore helps
// decide which cluster-role scopes an OAuth client may request.
message ClusterRoleScopeRestriction {
  // RoleNames is the list of cluster roles that can be referenced.
  // * means anything.
  repeated string roleNames = 1;

  // Namespaces is the list of namespaces that can be referenced.
  // * means any of them (including *).
  repeated string namespaces = 2;

  // AllowEscalation indicates whether you can request roles and their
  // escalating resources. An unset proto2 bool reads as false.
  //
  // NOTE(review): going by the field comments above, "*" in both roleNames
  // and namespaces together with allowEscalation = true leaves the cluster
  // role scopes effectively unrestricted. Review any client configured this
  // way as a fully trusted client.
  optional bool allowEscalation = 3;
}
// OAuthAccessToken describes an OAuth access token.
//
// Objects of this type carry credential material (refreshToken,
// authorizeToken). Read and list access to them should be limited
// accordingly, and the values kept out of logs and audit payloads.
message OAuthAccessToken {
  // Standard object's metadata.
  //
  // NOTE(review): this message has no separate field for the access token
  // value itself. Presumably the object name in metadata identifies the
  // token; confirm, and treat the name as a secret if so.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // ClientName references the client that created this token.
  optional string clientName = 2;

  // ExpiresIn is the seconds from CreationTime before this token expires.
  //
  // NOTE(review): the schema places no bounds on this value; whether zero or
  // negative values are rejected is decided elsewhere and is not visible here.
  optional int64 expiresIn = 3;

  // Scopes is an array of the requested scopes.
  repeated string scopes = 4;

  // RedirectURI is the redirection associated with the token.
  optional string redirectURI = 5;

  // UserName is the user name associated with this token.
  optional string userName = 6;

  // UserUID is the unique UID associated with this token.
  optional string userUID = 7;

  // AuthorizeToken contains the token that authorized this token.
  optional string authorizeToken = 8;

  // RefreshToken is the value by which this token can be renewed.
  // Can be blank. A non-blank value is itself a credential.
  optional string refreshToken = 9;

  // InactivityTimeoutSeconds is the value in seconds, from the
  // CreationTimestamp, after which this token can no longer be used.
  // The value is automatically incremented when the token is used.
  optional int32 inactivityTimeoutSeconds = 10;
}
// OAuthAccessTokenList is a collection of OAuth access tokens.
//
// A list response exposes every contained token object at once, so list
// permission on this type is as sensitive as read permission on each item.
message OAuthAccessTokenList {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth access tokens.
  repeated OAuthAccessToken items = 2;
}
// OAuthAuthorizeToken describes an OAuth authorization token
// (the authorization code issued before an access token is granted).
message OAuthAuthorizeToken {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // ClientName references the client that created this token.
  optional string clientName = 2;

  // ExpiresIn is the seconds from CreationTime before this token expires.
  optional int64 expiresIn = 3;

  // Scopes is an array of the requested scopes.
  repeated string scopes = 4;

  // RedirectURI is the redirection associated with the token.
  optional string redirectURI = 5;

  // State data from request.
  optional string state = 6;

  // UserName is the user name associated with this token.
  optional string userName = 7;

  // UserUID is the unique UID associated with this token. UserUID and
  // UserName must both match for this token to be valid.
  optional string userUID = 8;

  // CodeChallenge is the optional code_challenge associated with this
  // authorization code, as described in rfc7636.
  optional string codeChallenge = 9;

  // CodeChallengeMethod is the optional code_challenge_method associated
  // with this authorization code, as described in rfc7636.
  //
  // RFC 7636 defines the methods "plain" and "S256". With "plain" the stored
  // challenge equals the code verifier, so S256 is the method that keeps the
  // verifier from being read out of this object.
  // NOTE(review): which methods the server accepts is not visible in this
  // schema; confirm in the validation code.
  optional string codeChallengeMethod = 10;
}
// OAuthAuthorizeTokenList is a collection of OAuth authorization tokens.
message OAuthAuthorizeTokenList {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth authorization tokens.
  repeated OAuthAuthorizeToken items = 2;
}
// OAuthClient describes an OAuth client.
//
// The client secrets are carried as plain string fields of this object, so
// anyone able to read an OAuthClient can read its secrets. Scope read access
// to this type accordingly.
message OAuthClient {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Secret is the unique secret associated with a client.
  optional string secret = 2;

  // AdditionalSecrets holds other secrets that may be used to identify the
  // client. This is useful for rotation and for service account token
  // validation. Every entry is accepted alongside Secret, so retired values
  // should be removed once a rotation completes.
  repeated string additionalSecrets = 3;

  // RespondWithChallenges indicates whether the client wants authentication
  // needed responses made in the form of challenges instead of redirects.
  optional bool respondWithChallenges = 4;

  // RedirectURIs is the valid redirection URIs associated with a client.
  //
  // NOTE(review): this list acts as the allowlist for where authorization
  // responses may be sent. How a requested redirect is matched against an
  // entry (exact or prefix) is not visible in this schema; confirm it, and
  // keep entries as specific as the client allows.
  // +patchStrategy=merge
  repeated string redirectURIs = 5;

  // GrantMethod determines how to handle grants for this client. If no
  // method is provided, the cluster default grant handling method will be
  // used. Valid grant handling methods are:
  //  - auto:   always approves grant requests, useful for trusted clients
  //  - prompt: prompts the end user for approval of grant requests, useful
  //            for third-party clients
  //  - deny:   always denies grant requests, useful for black-listed clients
  //
  // The field is a free-form string rather than an enum, so the set of valid
  // values is enforced outside this schema.
  optional string grantMethod = 6;

  // ScopeRestrictions describes which scopes this client can request. Each
  // requested scope is checked against each restriction. If any restriction
  // matches, then the scope is allowed. If no restriction matches, then the
  // scope is denied.
  //
  // NOTE(review): the comment covers only the case where restrictions are
  // present; what an empty list means (deny all or allow all) is not stated
  // here and should be confirmed.
  repeated ScopeRestriction scopeRestrictions = 7;

  // AccessTokenMaxAgeSeconds overrides the default access token max age for
  // tokens granted to this client. 0 means no expiration.
  //
  // NOTE(review): presumably an unset field leaves the default in force and
  // only an explicit 0 disables expiry; confirm. Tokens issued with no
  // expiration stay usable until they are deleted.
  optional int32 accessTokenMaxAgeSeconds = 8;

  // AccessTokenInactivityTimeoutSeconds overrides the default token
  // inactivity timeout for tokens granted to this client.
  // The value represents the maximum amount of time that can occur between
  // consecutive uses of the token. Tokens become invalid if they are not
  // used within this temporal window. The user will need to acquire a new
  // token to regain access once a token times out.
  // This value needs to be set only if the default set in configuration is
  // not appropriate for this client. Valid values are:
  //  - 0: Tokens for this client never time out
  //  - X: Tokens time out if there is no activity for X seconds
  // The current minimum allowed value for X is 300 (5 minutes).
  optional int32 accessTokenInactivityTimeoutSeconds = 9;
}
// OAuthClientAuthorization describes an authorization created by an OAuth
// client: a record of the scopes a user has granted to that client.
message OAuthClientAuthorization {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // ClientName references the client that created this authorization.
  optional string clientName = 2;

  // UserName is the user name that authorized this client.
  optional string userName = 3;

  // UserUID is the unique UID associated with this authorization. UserUID
  // and UserName must both match for this authorization to be valid.
  optional string userUID = 4;

  // Scopes is an array of the granted scopes.
  repeated string scopes = 5;
}
// OAuthClientAuthorizationList is a collection of OAuth client
// authorizations.
message OAuthClientAuthorizationList {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth client authorizations.
  repeated OAuthClientAuthorization items = 2;
}
// OAuthClientList is a collection of OAuth clients.
//
// Each item carries its client secrets (see OAuthClient.secret and
// OAuthClient.additionalSecrets), so a list response discloses them in bulk.
message OAuthClientList {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth clients.
  repeated OAuthClient items = 2;
}
// OAuthRedirectReference is a reference to an OAuth redirect object.
message OAuthRedirectReference {
  // Standard object's metadata.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // The reference to a redirect object in the current namespace.
  optional RedirectReference reference = 2;
}
// RedirectReference specifies the target in the current namespace that
// resolves into redirect URIs. Only the 'Route' kind is currently allowed.
//
// NOTE(review): because the target resolves into redirect URIs, whoever can
// modify the referenced object presumably influences which redirects are
// accepted; confirm how the resolution is performed and who may edit the
// target.
message RedirectReference {
  // The group of the target that is being referred to.
  optional string group = 1;

  // The kind of the target that is being referred to. Currently, only
  // 'Route' is allowed. The field is a plain string, so that limit is
  // enforced outside this schema.
  optional string kind = 2;

  // The name of the target that is being referred to. e.g. name of the Route.
  optional string name = 3;
}
// ScopeRestriction describes one restriction on scopes. Exactly one option
// must be non-nil.
//
// The two options are ordinary fields, not members of a oneof, so the
// "exactly one" rule is not expressed in this schema. A decoder will accept
// a message with both or neither set, and validation has to reject it.
message ScopeRestriction {
  // ExactValues means the scope has to match a particular set of strings
  // exactly. (The field itself is named "literals".)
  repeated string literals = 1;

  // ClusterRole describes a set of restrictions for cluster role scoping.
  optional ClusterRoleScopeRestriction clusterRole = 2;
}