// Copyright 2015 The Vanadium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package identity defines interfaces for Vanadium identity providers.
Asim Shankar | 6107179 | 2014-07-22 13:03:18 -0700 | [diff] [blame] | 6 | package identity |
| 7 | |
Jiri Simsa | 6ac9522 | 2015-02-23 16:11:49 -0800 | [diff] [blame] | 8 | import "v.io/v23/security" |
Asim Shankar | b3a82ba | 2014-10-29 11:41:27 -0700 | [diff] [blame] | 9 | |
// OAuthBlesser exchanges OAuth access tokens for
// an email address from an OAuth-based identity provider and uses the email
// address obtained to bless the client.
//
// OAuth is described in RFC 6749 (http://tools.ietf.org/html/rfc6749),
// though the Google implementation also has informative documentation at
// https://developers.google.com/accounts/docs/OAuth2
//
// WARNING: There is no binding between the channel over which the access
// token was obtained (typically https) and the channel used to make the RPC
// (a vanadium virtual circuit). Thus, if Mallory possesses the access token
// associated with Alice's account she may be able to obtain a blessing with
// Alice's name on it. In other words, the access token is a bearer
// credential from this service's point of view, and a blessing minted from
// it is only as well protected as the token was.
//
// TODO(ataly): Get rid of this service once all clients have been
// switched to use the HTTP OAuthBlessingHandler service.
type OAuthBlesser interface {
	// BlessUsingAccessToken uses the provided access token to obtain the email
	// address and returns a blessing along with the email address.
	//
	// The returned email is the one the identity provider reported for the
	// token; the returned blessing carries no caveats beyond whatever the
	// implementation chooses to add on its own. Fails with an error if the
	// token cannot be exchanged for an email address.
	BlessUsingAccessToken(token string) (blessing security.WireBlessings, email string | error)
	// BlessUsingAccessTokenWithCaveats is like BlessUsingAccessToken but
	// additionally takes a list of caveats; presumably these are attached to
	// the returned blessing so that its use is restricted (e.g. by expiry) —
	// confirm against the implementation. Given the WARNING above, callers
	// that can tolerate a restricted blessing are well advised to use this
	// variant, so that a blessing obtained from a leaked token has a bounded
	// lifetime and scope.
	BlessUsingAccessTokenWithCaveats(token string, caveats []security.Caveat) (blessing security.WireBlessings, email string | error)
}
Suharsh Sivakumar | d308c7e | 2014-10-03 12:46:50 -0700 | [diff] [blame] | 32 | |
// MacaroonBlesser returns a blessing given the provided macaroon string.
//
// The macaroon is opaque to the client: it bundles the email address and the
// caveats that the resulting blessing should carry. NOTE(review): nothing in
// this interface binds the macaroon to the channel it is presented over, so
// whoever holds the string can present it; the implementation is presumably
// expected to verify the macaroon's integrity (a macaroon is conventionally
// protected by a MAC under a key only the issuer holds) before honoring the
// embedded email and caveats — confirm against the implementation.
type MacaroonBlesser interface {
	// Bless uses the provided macaroon (which contains email and caveats)
	// to return a blessing for the client. Fails with an error if the
	// macaroon is not accepted.
	Bless(macaroon string) (blessing security.WireBlessings | error)
}
Suharsh Sivakumar | c004811 | 2015-03-19 11:48:28 -0700 | [diff] [blame] | 39 | |
// BlessingRootResponse is the struct representing the JSON response provided
// by the "blessing-root" route of the identity service.
//
// The response carries no signature or other integrity field of its own, so a
// client that uses it to decide which root public key to trust for the listed
// names (presumably the purpose of the route — verify against the client code)
// must obtain it over a channel that authenticates the identity service, such
// as HTTPS with certificate verification; fetching it over an unauthenticated
// channel would let an on-path attacker substitute their own key.
type BlessingRootResponse struct {
	// Names of the blessings.
	Names []string
	// Base64 der-encoded public key.
	PublicKey string
}