fuchsia.auth.account

PROTOCOLS

AccountManager

Defined in fuchsia.auth.account/account_manager.fidl

AccountManager manages the overall state of Fuchsia accounts and personae on a Fuchsia device, installation of the AuthProviders that are used to obtain authentication tokens for these accounts, and access to TokenManagers for these accounts.

The AccountManager is the most powerful interface in the authentication system and is intended only for use by the most trusted parts of the system.

GetAccountIds

Returns a vector of all unlocked accounts provisioned on the current device.

Request

NameType

Response

NameType
account_ids vector<LocalAccountId>[128]

GetAccountAuthStates

Returns a vector of all unlocked accounts provisioned on the current device and the current authentication state for each.

Request

NameType

Response

NameType
status Status
account_auth_states vector<AccountAuthState>[128]

GetAccount

Connects an interface to read properties of and perform operations on one account.

id The account's identifier as returned by GetAccountIds() context_provider An AuthenticationContextProvider capable of supplying UI contexts used for interactive authentication on this account account The server end of an Account channel

Returns: status A Status indicating whether the operation was successful

Request

NameType
id LocalAccountId
auth_context_provider fuchsia.auth/AuthenticationContextProvider
account request<Account>

Response

NameType
status Status

RegisterAccountListener

Connects an interface that will receive changes in the provisioned accounts and their authentication state. Optionally this interface will also receive the initial set of accounts and authentication states onto which changes may be applied.

listener The client end of an AccountListener channel options An AccountListenerOptions that defines the set of events to be sent to the listener.

Returns: status A Status indicating whether the operation was successful

Request

NameType
listener AccountListener
options AccountListenerOptions

Response

NameType
status Status

RemoveAccount

Removes a provisioned Fuchsia account from the current device, revoking any credentials that are held for the account.

id The account's identifier as returned by GetAccountIds() force If true, continues removing the account even if revocation of credentials fails. If false, any revocation failure will result in an error and the account will remain. In this case, a subset of the credentials may have been deleted.

Returns: status A Status indicating whether the operation was successful

Request

NameType
id LocalAccountId
force bool

Response

NameType
status Status

ProvisionFromAuthProvider

Adds a Fuchsia account to the current device based on authenticating to a service provider (such as Google). If the service provider account is not already a recovery account for any Fuchsia account, a new Fuchsia account will be created with its recovery account set to the service provider account.

auth_context_provider An AuthenticationContextProvider capable of supplying UI contexts used for interactive authentication auth_provider_type A unique identifier for an installed AuthProvider that should be used to authenticate with the service provider lifetime The lifetime of the account.

Returns: status A Status indicating whether the operation was successful account_id The identifier of the newly added account, if the operation was successful.

Request

NameType
auth_context_provider fuchsia.auth/AuthenticationContextProvider
auth_provider_type string
lifetime Lifetime

Response

NameType
status Status
account_id LocalAccountId?

ProvisionNewAccount

Adds a new, initially empty, Fuchsia account to the current device.

lifetime The lifetime of the account.

Returns: status A Status indicating whether the operation was successful account_id The identifier of the newly added account, if the operation was successful.

Request

NameType
lifetime Lifetime

Response

NameType
status Status
account_id LocalAccountId?

AccountListener

Defined in fuchsia.auth.account/account_manager.fidl

An interface to receive events when the set of accounts on a device or the authentication states of these accounts change.

AccountListeners may be registered through the AccountManager interface and this registration also defines which types of event should be sent to the listener. Optionally, the AccountListener will recieve an initial state event onto which the change events may be safely accumulated.

All methods include an empty response to follow the "Throttle push using acknowledgements" FIDL design pattern.

OnInitialize

A method that is called to communicate the initial set of accounts and their authentication states. OnInitialize is called exactly once if and only if AccountListenerOptions.initial_state was set when creating the AccountListener. When called, it will always be the first call on the interface. If no accounts are present on the device the vector will be empty.

Request

NameType
account_auth_states vector<AccountAuthState>[128]

Response

NameType

OnAccountAdded

A method that is called when a new account is added to the device. This method is only called if AccountListenerOptions.add_account was set when creating the AccountListener.

Request

NameType
id LocalAccountId

Response

NameType

OnAccountRemoved

A method that is called when a provisioned account is removed. This method is only called if AccountListenerOptions.remove_account was set when creating the AccountListener.

Request

NameType
id LocalAccountId

Response

NameType

OnAuthStateChanged

A method that is called when the authentication state of any provisioned account changes.

Request

NameType
account_auth_state AccountAuthState

Response

NameType

AuthListener

Defined in fuchsia.auth.account/account_manager.fidl

An interface to receive events when the authentication state of an account changes.

AuthListeners may be registered through the AuthTarget interface and this registration also defines the types of authentication state changes that should be sent to the listener.

All methods include an empty response to follow the "Throttle push using acknowledgements" FIDL design pattern.

OnInitialize

A method that is called when the AccountListener is first connected.

Request

NameType
auth_state fuchsia.auth/AuthState

Response

NameType

OnAuthStateChanged

A method that is called when the authentication state of the account changes.

Request

NameType
auth_state fuchsia.auth/AuthState

Response

NameType

AuthTarget

Defined in fuchsia.auth.account/account_manager.fidl

An interface that is extended by other interfaces defining an entity (referred to as the "target") with an authentication state, such as a Fuchsia account or persona.

AuthTarget defines a set of methods to monitor the current authentication state of an entity and to request changes in that authentication state.

GetAuthState

Returns the current AuthState of the target.

Request

NameType

Response

NameType
status Status
auth_state fuchsia.auth/AuthState?

RegisterAuthListener

Connects an interface that will receive changes in the authentication state of the target.

listener The client end of an AuthListener channel initial_state If true, the listener will receive the initial auth state in addition to any changes. granularity An AuthChangeGranularity expressing the magnitude of change in authentication state than should lead to a callback

Returns: status A Status indicating whether the operation was successful

Request

NameType
listener AuthListener
initial_state bool
granularity fuchsia.auth/AuthChangeGranularity

Response

NameType
status Status

Account

Defined in fuchsia.auth.account/account_manager.fidl

An Account exposes information about the personae and recovery account for a Fuchsia account, and provides methods to manipulate these.

An Account provides access to sensitive long term identifiers and is only intended only for use by a small number of trusted system components.

GetAuthState

Returns the current AuthState of the target.

Request

NameType

Response

NameType
status Status
auth_state fuchsia.auth/AuthState?

RegisterAuthListener

Connects an interface that will receive changes in the authentication state of the target.

listener The client end of an AuthListener channel initial_state If true, the listener will receive the initial auth state in addition to any changes. granularity An AuthChangeGranularity expressing the magnitude of change in authentication state than should lead to a callback

Returns: status A Status indicating whether the operation was successful

Request

NameType
listener AuthListener
initial_state bool
granularity fuchsia.auth/AuthChangeGranularity

Response

NameType
status Status

GetAccountName

Returns a human readable name for the account. Account names are set by a human and are not guaranteed to be meaningful or unique, even among the accounts on a single device.

Request

NameType

Response

NameType
name string[128]

GetLifetime

Returns the account's lifetime.

Request

NameType

Response

NameType
lifetime Lifetime

GetPersonaIds

Returns a vector of all the personae defined for the account. NOTE: Currently all Fuchsia accounts have exactly one persona.

Request

NameType

Response

NameType
persona_ids vector<LocalPersonaId>[128]

GetDefaultPersona

Connects an interface to read properties of and access tokens for the default persona for the account.

persona The client end of a Persona channel

Returns: status A Status indicating whether the operation was successful id The identifier for the default persona if the operation was successful

Request

NameType
persona request<Persona>

Response

NameType
status Status
id LocalPersonaId?

GetPersona

Connects an interface to read properties of and access tokens for one of the personae for the account.

id The persona's identifier as returned by GetPersonaIds() persona The client end of a Persona channel

Returns: status A Status indicating whether the operation was successful

Request

NameType
id LocalPersonaId
persona request<Persona>

Response

NameType
status Status

GetRecoveryAccount

Returns the service provider account that can be used to access the Fuchsia account if more direct methods of authentication are not available, provided such an account exists.

Returns: status A Status indicating whether the operation was successful The ServiceProviderAccount used for recovery if the operation was successful and a recovery account exists.

Request

NameType

Response

NameType
status Status
account fuchsia.auth/ServiceProviderAccount?

SetRecoveryAccount

Sets the service provider account that can be used to access the Fuchsia account if more direct methods of authentication are not available.

account The ServiceProviderAccount to use as the recovery account. This must be an existing account that has already been provisioned on the current device using TokenManager.

Returns: status A Status indicating whether the operation was successful

Request

NameType
account fuchsia.auth/ServiceProviderAccount

Response

NameType
status Status

Persona

Defined in fuchsia.auth.account/account_manager.fidl

A Persona exposes basic information about a Fuchsia persona and access to the authentication tokens that are visible through it.

Note a Persona purposefully does not provide access to a long term identifier for the persona. This is to support components in the system that work with short lived identifiers (e.g. SessionManager), but note that long term identifiers can usually still be derived via the TokenManger interface.

GetAuthState

Returns the current AuthState of the target.

Request

NameType

Response

NameType
status Status
auth_state fuchsia.auth/AuthState?

RegisterAuthListener

Connects an interface that will receive changes in the authentication state of the target.

listener The client end of an AuthListener channel initial_state If true, the listener will receive the initial auth state in addition to any changes. granularity An AuthChangeGranularity expressing the magnitude of change in authentication state than should lead to a callback

Returns: status A Status indicating whether the operation was successful

Request

NameType
listener AuthListener
initial_state bool
granularity fuchsia.auth/AuthChangeGranularity

Response

NameType
status Status

GetLifetime

Returns the lifetime of this persona.

Request

NameType

Response

NameType
lifetime Lifetime

GetTokenManager

Connects an interface to acquire and revoke authentication tokens for service provider (aka cloud service) accounts that are visible through this persona.

application_url A url for the Fuchsia agent that this interface will be used by. Applications are only allowed to access tokens that they created. token_manager The client end of a Persona channel

Returns: status A Status indicating whether the operation was successful

Request

NameType
application_url string
token_manager request<fuchsia.auth/TokenManager>

Response

NameType
status Status

STRUCTS

GlobalAccountId

Defined in fuchsia.auth.account/account_manager.fidl

A globally unique identifier for a Fuchsia account that is constant across the devices that the account is provisioned on. Identifiers are not human readable.

NameTypeDescriptionDefault
id vector<uint8>[256] No default

LocalAccountId

Defined in fuchsia.auth.account/account_manager.fidl

A unique identifier for a Fuchsia account on the current device. If the account is removed and re-added it will receive a different LocalAccountId. The same account will have different LocalAccountIds on different devices and a particular LocalAccountId value may refer to different accounts on different devices.

NameTypeDescriptionDefault
id uint64 No default

LocalPersonaId

Defined in fuchsia.auth.account/account_manager.fidl

A unique identifier for a Persona of a Fuchsia account on the current device. If the account is removed and re-added its personae will receive different LocalPersonaIds. A particular LocalPersonaId value may refer to different personae and/or different accounts on different devices. The LocalAccountId for an account cannot be derived from the LocalPersonaId of its personae.

NameTypeDescriptionDefault
id uint64 No default

AccountAuthState

Defined in fuchsia.auth.account/account_manager.fidl

An AuthState along with the account that it applies to.

NameTypeDescriptionDefault
account_id LocalAccountId No default
auth_state fuchsia.auth/AuthState No default

AccountListenerOptions

Defined in fuchsia.auth.account/account_manager.fidl

The configuration for an AccountListener, defining the set of events that it will receive.

NameTypeDescriptionDefault
initial_state bool If true, the listener will receive the initial auth state for all accounts. No default
add_account bool If true, the listener will receive events when a new account is added to the device. No default
remove_account bool If true, the listener will receive events. No default
granularity fuchsia.auth/AuthChangeGranularity An `AuthChangeGranularity` expressing the magnitude of change in authentication state that will lead to AuthStateChange events. No default

ENUMS

Status

Type: uint32

Defined in fuchsia.auth.account/account_manager.fidl

Specifies the success/failure status of AccountManager calls.

NameValueDescription
OK 0
INTERNAL_ERROR 1
INVALID_REQUEST 2
IO_ERROR 3
NETWORK_ERROR 4
NOT_FOUND 5
UNKNOWN_ERROR 6
REMOVAL_IN_PROGRESS 7

Lifetime

Type: uint8

Defined in fuchsia.auth.account/account_manager.fidl

Provides an upper bound to how long a Fuchsia account can live on the device.

NameValueDescription
EPHEMERAL 1
PERSISTENT 2

CONSTANTS

NameValueType
MAX_ACCOUNTS_PER_DEVICE 128 uint32
MAX_PERSONAE_PER_ACCOUNT 128 uint32
MAX_ID_SIZE 256 uint32
MAX_NAME_SIZE 128 uint32