| // Copyright 2015 The Vanadium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // Package identity defines interfaces for Vanadium identity providers. |
| package identity |
| |
| import "v.io/v23/security" |
| |
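| // OAuthBlesser exchanges OAuth access tokens for |
| // an email address from an OAuth-based identity provider and uses the email |
| // address obtained to bless the client. |
| // |
| // OAuth is described in RFC 6749 (https://tools.ietf.org/html/rfc6749), |
| // though the Google implementation also has informative documentation at |
| // https://developers.google.com/accounts/docs/OAuth2 |
| // |
| // WARNING: There is no binding between the channel over which the access token |
| // was obtained (typically https) and the channel used to make the RPC (a |
| // vanadium virtual circuit). |
| // Thus, if Mallory possesses the access token associated with Alice's account, |
| // she may be able to obtain a blessing with Alice's name on it. |
| // |
| // The access token is therefore a bearer credential: it must only be sent |
| // over a confidential, server-authenticated RPC connection, should be |
| // requested with the narrowest scope the provider allows, and should be |
| // discarded by the client once the blessing has been obtained. |
| // |
| // NOTE(review): an implementation should also confirm that the token was |
| // issued for this identity service (e.g. by checking the token's audience or |
| // client ID with the provider) before trusting the email it yields; |
| // otherwise a token issued to an unrelated application could be replayed |
| // here to obtain a blessing. Whether existing implementations do this |
| // cannot be determined from this interface alone. |
| type OAuthBlesser interface { |
| // BlessUsingAccessToken uses the provided access token to obtain the email |
| // address and returns a blessing along with the email address. |
| // |
| // The blessing is derived from the email address the identity provider |
| // resolves the token to, and that email is returned alongside it so the |
| // caller can see which account was used. An error is returned instead |
| // when the token is not accepted or no email can be obtained from it. |
| BlessUsingAccessToken(token string) (blessing security.WireBlessings, email string | error) |
| } |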
| |
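| // MacaroonBlesser returns a blessing given the provided macaroon string. |
| // |
| // The macaroon is a bearer credential in the same sense as an OAuth access |
| // token: whoever holds it can present it here and receive the blessing it |
| // encodes, so it must only be transmitted over a confidential, |
| // server-authenticated connection and should be short-lived. |
| // |
| // NOTE(review): an implementation must verify the macaroon's signature with |
| // the identity service's own key and enforce every caveat it carries (for |
| // example an expiry) before issuing a blessing; this interface does not say |
| // how macaroons are minted or verified, so confirm that against the |
| // implementation. |
| type MacaroonBlesser interface { |
| // Bless uses the provided macaroon (which contains email and caveats) |
| // to return a blessing for the client, or an error if the macaroon is |
| // not accepted. |
| Bless(macaroon string) (blessing security.WireBlessings | error) |
| } |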
| |
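| // BlessingRootResponse is the struct representing the JSON response provided |
| // by the "blessing-root" route of the identity service. |
| // |
| // It tells a client which blessing names the identity service issues and the |
| // public key those blessings are rooted in. Because a client's trust in the |
| // identity service is established from this response, it should only be |
| // fetched over an authenticated channel (such as https with certificate |
| // verification): a response obtained over an unauthenticated channel could |
| // be replaced by an attacker with their own key and names. |
| type BlessingRootResponse struct { |
| // Names of the blessings. |
| Names []string |
| // Base64 der-encoded public key. |
| PublicKey string |
| } |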