IAM: oauth2 token exchange grant (istio#343)

Adds configuration and API to support token exchange grants.

Author: llinder

generated/jsonschema/tetrateio.api.iam.v2/GrantRequest.jsonschema

@@ -8,7 +8,11 @@
                 "REFRESH_TOKEN",
                 1,
                 "DEVICE_CODE_URN",
-                2
+                2,
+                "CLIENT_CREDENTIALS",
+                3,
+                "TOKEN_EXCHANGE",
+                4
             ],
             "oneOf": [
                 {
@@ -38,6 +42,37 @@
         "client_id": {
             "type": "string",
             "description": "Client ID for which the token grant request is being made.\n This is optional and when absent, TSB will use an appropriate client ID from configuration\n for the grant type being request.\n For a refresh grant type, this parameter may be required to ensure the appropriate client\n configuration is used."
+        },
+        "resource": {
+            "type": "string",
+            "description": "A URI that indicates the target service or resource where the client intends to use the requested token.\n This is used with the token exchange grant and should be the URI of TSB."
+        },
+        "subject_token": {
+            "type": "string",
+            "description": "A token that represents the identity of the party on behalf of whom the request is being made.\n This is used with the token exchange grant and should be either an ID Token or Access Token from the configured\n offline token grant client."
+        },
+        "subject_token_type": {
+            "enum": [
+                "TOKEN_TYPE_UNSPECIFIED",
+                0,
+                "TOKEN_TYPE_ACCESS_TOKEN",
+                1,
+                "TOKEN_TYPE_REFRESH_TOKEN",
+                2,
+                "TOKEN_TYPE_ID_TOKEN",
+                3,
+                "TOKEN_TYPE_JWT",
+                4
+            ],
+            "oneOf": [
+                {
+                    "type": "string"
+                },
+                {
+                    "type": "integer"
+                }
+            ],
+            "description": "An identifier that indicates the type of the security token in the \"subject_token\" parameter.\n This is used with the token exchange grant."
         }
     },
     "additionalProperties": true,

generated/ts/iam/v2/oauth_service_pb.d.ts

@@ -83,6 +83,15 @@ export class GrantRequest extends jspb.Message {
   getClientId(): string;
   setClientId(value: string): void;
 
+  getResource(): string;
+  setResource(value: string): void;
+
+  getSubjectToken(): string;
+  setSubjectToken(value: string): void;
+
+  getSubjectTokenType(): TokenTypeMap[keyof TokenTypeMap];
+  setSubjectTokenType(value: TokenTypeMap[keyof TokenTypeMap]): void;
+
   serializeBinary(): Uint8Array;
   toObject(includeInstance?: boolean): GrantRequest.AsObject;
   static toObject(includeInstance: boolean, msg: GrantRequest): GrantRequest.AsObject;
@@ -100,6 +109,9 @@ export namespace GrantRequest {
     refreshToken: string,
     scopeList: Array<string>,
     clientId: string,
+    resource: string,
+    subjectToken: string,
+    subjectTokenType: TokenTypeMap[keyof TokenTypeMap],
   }
 }
 
@@ -151,6 +163,8 @@ export interface GrantTypeMap {
   UNSPECIFIED: 0;
   REFRESH_TOKEN: 1;
   DEVICE_CODE_URN: 2;
+  CLIENT_CREDENTIALS: 3;
+  TOKEN_EXCHANGE: 4;
 }
 
 export const GrantType: GrantTypeMap;
@@ -171,3 +185,13 @@ export interface ErrorMap {
 
 export const Error: ErrorMap;
 
+export interface TokenTypeMap {
+  TOKEN_TYPE_UNSPECIFIED: 0;
+  TOKEN_TYPE_ACCESS_TOKEN: 1;
+  TOKEN_TYPE_REFRESH_TOKEN: 2;
+  TOKEN_TYPE_ID_TOKEN: 3;
+  TOKEN_TYPE_JWT: 4;
+}
+
+export const TokenType: TokenTypeMap;
+

generated/ts/iam/v2/oauth_service_pb.js

@@ -25,6 +25,7 @@ goog.exportSymbol('proto.tetrateio.api.iam.v2.Error', null, global);
 goog.exportSymbol('proto.tetrateio.api.iam.v2.GrantRequest', null, global);
 goog.exportSymbol('proto.tetrateio.api.iam.v2.GrantResponse', null, global);
 goog.exportSymbol('proto.tetrateio.api.iam.v2.GrantType', null, global);
+goog.exportSymbol('proto.tetrateio.api.iam.v2.TokenType', null, global);
 /**
  * Generated by JsPbCodeGenerator.
  * @param {Array=} opt_data Optional initial data array, typically from a
@@ -563,7 +564,10 @@ proto.tetrateio.api.iam.v2.GrantRequest.toObject = function(includeInstance, msg
     deviceCode: jspb.Message.getFieldWithDefault(msg, 2, ""),
     refreshToken: jspb.Message.getFieldWithDefault(msg, 3, ""),
     scopeList: (f = jspb.Message.getRepeatedField(msg, 4)) == null ? undefined : f,
-    clientId: jspb.Message.getFieldWithDefault(msg, 5, "")
+    clientId: jspb.Message.getFieldWithDefault(msg, 5, ""),
+    resource: jspb.Message.getFieldWithDefault(msg, 6, ""),
+    subjectToken: jspb.Message.getFieldWithDefault(msg, 7, ""),
+    subjectTokenType: jspb.Message.getFieldWithDefault(msg, 8, 0)
   };
 
   if (includeInstance) {
@@ -620,6 +624,18 @@ proto.tetrateio.api.iam.v2.GrantRequest.deserializeBinaryFromReader = function(m
       var value = /** @type {string} */ (reader.readString());
       msg.setClientId(value);
       break;
+    case 6:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setResource(value);
+      break;
+    case 7:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setSubjectToken(value);
+      break;
+    case 8:
+      var value = /** @type {!proto.tetrateio.api.iam.v2.TokenType} */ (reader.readEnum());
+      msg.setSubjectTokenType(value);
+      break;
     default:
       reader.skipField();
       break;
@@ -684,6 +700,27 @@ proto.tetrateio.api.iam.v2.GrantRequest.serializeBinaryToWriter = function(messa
       f
     );
   }
+  f = message.getResource();
+  if (f.length > 0) {
+    writer.writeString(
+      6,
+      f
+    );
+  }
+  f = message.getSubjectToken();
+  if (f.length > 0) {
+    writer.writeString(
+      7,
+      f
+    );
+  }
+  f = message.getSubjectTokenType();
+  if (f !== 0.0) {
+    writer.writeEnum(
+      8,
+      f
+    );
+  }
 };
 
 
@@ -796,6 +833,60 @@ proto.tetrateio.api.iam.v2.GrantRequest.prototype.setClientId = function(value)
 };
 
 
+/**
+ * optional string resource = 6;
+ * @return {string}
+ */
+proto.tetrateio.api.iam.v2.GrantRequest.prototype.getResource = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 6, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.tetrateio.api.iam.v2.GrantRequest} returns this
+ */
+proto.tetrateio.api.iam.v2.GrantRequest.prototype.setResource = function(value) {
+  return jspb.Message.setProto3StringField(this, 6, value);
+};
+
+
+/**
+ * optional string subject_token = 7;
+ * @return {string}
+ */
+proto.tetrateio.api.iam.v2.GrantRequest.prototype.getSubjectToken = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 7, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.tetrateio.api.iam.v2.GrantRequest} returns this
+ */
+proto.tetrateio.api.iam.v2.GrantRequest.prototype.setSubjectToken = function(value) {
+  return jspb.Message.setProto3StringField(this, 7, value);
+};
+
+
+/**
+ * optional TokenType subject_token_type = 8;
+ * @return {!proto.tetrateio.api.iam.v2.TokenType}
+ */
+proto.tetrateio.api.iam.v2.GrantRequest.prototype.getSubjectTokenType = function() {
+  return /** @type {!proto.tetrateio.api.iam.v2.TokenType} */ (jspb.Message.getFieldWithDefault(this, 8, 0));
+};
+
+
+/**
+ * @param {!proto.tetrateio.api.iam.v2.TokenType} value
+ * @return {!proto.tetrateio.api.iam.v2.GrantRequest} returns this
+ */
+proto.tetrateio.api.iam.v2.GrantRequest.prototype.setSubjectTokenType = function(value) {
+  return jspb.Message.setProto3EnumField(this, 8, value);
+};
+
+
 
 
 
@@ -1112,7 +1203,9 @@ proto.tetrateio.api.iam.v2.GrantResponse.prototype.setErrorMessage = function(va
 proto.tetrateio.api.iam.v2.GrantType = {
   UNSPECIFIED: 0,
   REFRESH_TOKEN: 1,
-  DEVICE_CODE_URN: 2
+  DEVICE_CODE_URN: 2,
+  CLIENT_CREDENTIALS: 3,
+  TOKEN_EXCHANGE: 4
 };
 
 /**
@@ -1132,4 +1225,15 @@ proto.tetrateio.api.iam.v2.Error = {
   SERVER_ERROR: 10
 };
 
+/**
+ * @enum {number}
+ */
+proto.tetrateio.api.iam.v2.TokenType = {
+  TOKEN_TYPE_UNSPECIFIED: 0,
+  TOKEN_TYPE_ACCESS_TOKEN: 1,
+  TOKEN_TYPE_REFRESH_TOKEN: 2,
+  TOKEN_TYPE_ID_TOKEN: 3,
+  TOKEN_TYPE_JWT: 4
+};
+
 goog.object.extend(exports, proto.tetrateio.api.iam.v2);