| // Package identity defines services for identity providers in the veyron ecosystem. |
| package identity |
| |
// OAuthBlesser exchanges OAuth access tokens for
// an email address from an OAuth-based identity provider and uses the email
// address obtained to bless the client.
//
// OAuth is described in RFC 6749 (http://tools.ietf.org/html/rfc6749),
// though the Google implementation also has informative documentation at
// https://developers.google.com/accounts/docs/OAuth2
//
// WARNING: There is no binding between the channel over which the access token
// was obtained (typically https) and the channel used to make the RPC (a
// veyron virtual circuit).
// Thus, if Mallory possesses the access token associated with Alice's account,
// she may be able to obtain a blessing with Alice's name on it.
//
// NOTE(review): the access token is therefore a bearer credential from the
// blesser's point of view; anything that logs, caches or forwards it extends
// the window described above. Implementations should presumably also check
// that the token was issued for this service (audience/client ID) and that
// the email the provider returns is one it has verified, before blessing
// with that name — confirm against the concrete implementation, since this
// interface does not constrain it.
//
// TODO(ashankar): Update this to use the new security model:
// (blessing security.WireBlessing, error)
type OAuthBlesser interface {
	// BlessUsingAccessToken uses the provided access token to obtain the email
	// address and returns a blessing.
	//
	// token is the OAuth access token presented by the client. The blessing
	// is returned as `any` pending the security-model update noted on the
	// type; err is non-nil when the token cannot be exchanged for an email
	// address or no blessing can be produced (exact failure modes are up to
	// the implementation).
	BlessUsingAccessToken(token string) (blessing any, err error)
}
| |
// MacaroonBlesser returns a blessing given the provided macaroon string.
//
// NOTE(review): the macaroon is presented as an opaque string, so its
// integrity (the chained MAC over the embedded email and caveats) has to be
// verified by the implementation against the blesser's own secret before any
// of its contents are trusted; this interface does not say where that check
// happens — confirm in the implementation. As with OAuthBlesser, possession
// of the string alone is what the blesser sees, so the same channel-binding
// caveat presumably applies.
type MacaroonBlesser interface {
	// Bless uses the provided macaroon (which contains email and caveats)
	// to return a blessing for the client.
	//
	// macaroon is the serialized macaroon string supplied by the client. The
	// blessing is returned as `any` (see the TODO on OAuthBlesser); err is
	// non-nil when the macaroon is rejected or no blessing can be produced.
	Bless(macaroon string) (blessing any, err error)
}