fuchsia.identity.external

Defines the protocols used to interface with non-Fuchsia forms of identity, such as OAuth and OpenID identity providers.

New identity providers or service providers may be added to the system by implementing the server side of one or more of these protocols; the core identity system will act as the client.

Clients wishing to acquire tokens should use the system token management protocols in fuchsia.identity.tokens instead of depending on this library directly.

PROTOCOLS

Oauth

Defined in fuchsia.identity.external/auth_provider.fidl

A protocol to request the creation, exchange, and revocation of OAuth 2.0 tokens.

CreateRefreshToken

Creates a new refresh token. If this request is successful the refresh token will be returned. Optionally, an access token with the default client ID and scope may also be returned; if no access token is available, the fields in access_token will be unpopulated.

Request

Name  Type
request  OauthRefreshTokenRequest

Response

Name  Type
result  Oauth_CreateRefreshToken_Result

GetAccessTokenFromRefreshToken

Exchanges a refresh token for an access token.

Request

Name  Type
request  OauthAccessTokenFromOauthRefreshTokenRequest

Response

Name  Type
result  Oauth_GetAccessTokenFromRefreshToken_Result

RevokeRefreshToken

Attempts to revoke the supplied refresh token.

Request

Name  Type
refresh_token  fuchsia.identity.tokens/OauthRefreshToken

Response

Name  Type
result  Oauth_RevokeRefreshToken_Result

RevokeAccessToken

Attempts to revoke the supplied access token.

Request

Name  Type
access_token  fuchsia.identity.tokens/OauthAccessToken

Response

Name  Type
result  Oauth_RevokeAccessToken_Result

OpenIdConnect

Defined in fuchsia.identity.external/auth_provider.fidl

A protocol to request the creation, exchange, and revocation of OpenID Connect tokens.

RevokeIdToken

Attempts to revoke the supplied ID token.

Request

Name  Type
id_token  fuchsia.identity.tokens/OpenIdToken

Response

Name  Type
result  OpenIdConnect_RevokeIdToken_Result

OauthOpenIdConnect

Defined in fuchsia.identity.external/auth_provider.fidl

A protocol to perform exchanges between OAuth 2.0 and OpenID Connect tokens.

GetIdTokenFromRefreshToken

Exchanges an OAuth refresh token for an OpenID Connect ID token.

Request

Name  Type
request  OpenIdTokenFromOauthRefreshTokenRequest

Response

Name  Type
result  OauthOpenIdConnect_GetIdTokenFromRefreshToken_Result

GetUserInfoFromAccessToken

Exchanges an OAuth access token for an OpenID Connect UserInfo.

Request

Name  Type
request  OpenIdUserInfoFromOauthAccessTokenRequest

Response

Name  Type
result  OauthOpenIdConnect_GetUserInfoFromAccessToken_Result

STRUCTS

Oauth_CreateRefreshToken_Response

generated

Name  Type  Description  Default
refresh_token  fuchsia.identity.tokens/OauthRefreshToken  -  No default
access_token  fuchsia.identity.tokens/OauthAccessToken  -  No default

Oauth_GetAccessTokenFromRefreshToken_Response

generated

Name  Type  Description  Default
access_token  fuchsia.identity.tokens/OauthAccessToken  -  No default

Oauth_RevokeRefreshToken_Response

generated

Name  Type  Description  Default
(no fields)

Oauth_RevokeAccessToken_Response

generated

Name  Type  Description  Default
(no fields)

OpenIdConnect_RevokeIdToken_Response

generated

Name  Type  Description  Default
(no fields)

OauthOpenIdConnect_GetIdTokenFromRefreshToken_Response

generated

Name  Type  Description  Default
id_token  fuchsia.identity.tokens/OpenIdToken  -  No default

OauthOpenIdConnect_GetUserInfoFromAccessToken_Response

generated

Name  Type  Description  Default
user_info  fuchsia.identity.tokens/OpenIdUserInfo  -  No default

ENUMS

Error

Type: uint32

Defined in fuchsia.identity.external/common.fidl

Specifies the reason that a fuchsia.identity.external method failed.

Name  Value  Description
UNKNOWN  1  Some other problem occurred that cannot be classified using one of the more specific statuses.
INTERNAL  2  An internal error occurred. This usually indicates a bug within the component implementation.
CONFIG  3  The component instance was not configured correctly at initialization and is unable to perform useful work.
UNSUPPORTED_OPERATION  4  The requested operation is not supported by this implementation. An example is requesting a type of token that the service provider does not support.
INVALID_REQUEST  5  The method request was not valid or was malformed in some way, such as omitting required fields. Invalid requests for unsupported operations will return UNSUPPORTED_OPERATION.
RESOURCE  6  A local resource error occurred such as an I/O, FIDL, or memory allocation failure.
NETWORK  7  A network error occurred while communicating with the auth server or the server was unreachable.
SERVER  8  The auth server returned a failure or an invalid response. This may indicate either a failure of the server itself or an incompatibility between the server and the component implementation.
INVALID_TOKEN  9  The token supplied to perform an exchange operation is not valid and should be discarded. This can occur following server-side revocation.
INSUFFICIENT_TOKEN  10  The token supplied to perform an exchange operation was valid but was not sufficiently powerful to complete the requested exchange.
ABORTED  11  The user cancelled or failed an interactive authentication operation.

TABLES

OauthRefreshTokenRequest

Defined in fuchsia.identity.external/auth_provider.fidl

The request format used to create a new OAuth 2.0 Refresh Token.

Ordinal  Name  Type  Description
1  account_id  fuchsia.identity.tokens/AccountId  The account to create the token for, if known. If omitted, the user will be prompted to specify an account.
2  ui_context  fuchsia.auth/AuthenticationUIContext  A UI Context used to overlay a view in which the user can interactively authenticate. This field is required.

OauthAccessTokenFromOauthRefreshTokenRequest

Defined in fuchsia.identity.external/auth_provider.fidl

The request format used to exchange an OAuth 2.0 Refresh Token for an Access Token.

Ordinal  Name  Type  Description
1  refresh_token  fuchsia.identity.tokens/OauthRefreshToken  The Refresh token to exchange. This field is required.
2  client_id  fuchsia.identity.tokens/ClientId  The OAuth ClientID for the component requesting the token. If absent, a default ClientID defined by the implementation will be used.
3  scopes  vector<string>[128]  The list of OAuth scope strings to request. If absent or empty, a default set of scopes defined by the implementation will be used.

OpenIdTokenFromOauthRefreshTokenRequest

Defined in fuchsia.identity.external/auth_provider.fidl

The request format used to exchange an OAuth 2.0 Refresh Token for an OpenID Connect ID token.

Ordinal  Name  Type  Description
1  refresh_token  fuchsia.identity.tokens/OauthRefreshToken  The refresh token to exchange. This field is required.
2  audiences  vector<string>[16]  The OpenID audience strings that the ID token should be issued to. If absent or empty, a default set of scopes defined by the implementation will be used.

OpenIdUserInfoFromOauthAccessTokenRequest

Defined in fuchsia.identity.external/auth_provider.fidl

The request format used to exchange an OAuth 2.0 Access Token for a User Info response as defined by OpenID Connect.

Ordinal  Name  Type  Description
1  access_token  fuchsia.identity.tokens/OauthAccessToken  The Access token to exchange. This field is required.
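The Error enum above fixes a precedence rule (an invalid request for an unsupported operation reports UNSUPPORTED_OPERATION, not INVALID_REQUEST) and the request tables fix which fields are required and how long the scopes and audiences vectors may be. The following is an added example, not code from the Fuchsia tree, of how an auth provider implementing the server side could validate the two refresh-token exchange requests against those rules; the plain Rust structs, the Provider type and its supports_id_tokens flag are hypothetical stand-ins for the generated FIDL bindings.

```rust
// Added example: models the documented fuchsia.identity.external error
// semantics with plain Rust types (hypothetical, not the FIDL bindings).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    Unknown = 1, Internal = 2, Config = 3, UnsupportedOperation = 4,
    InvalidRequest = 5, Resource = 6, Network = 7, Server = 8,
    InvalidToken = 9, InsufficientToken = 10, Aborted = 11,
}

/// Mirrors OauthAccessTokenFromOauthRefreshTokenRequest. Every field of a
/// FIDL table is optional on the wire, so "required" is enforced here.
#[derive(Default)]
pub struct AccessTokenRequest {
    pub refresh_token: Option<String>,
    pub client_id: Option<String>,
    pub scopes: Option<Vec<String>>,
}

/// Mirrors OpenIdTokenFromOauthRefreshTokenRequest.
#[derive(Default)]
pub struct IdTokenRequest {
    pub refresh_token: Option<String>,
    pub audiences: Option<Vec<String>>,
}

/// Hypothetical provider configuration: not every service provider issues
/// OpenID Connect ID tokens.
pub struct Provider { pub supports_id_tokens: bool }

impl Provider {
    pub fn validate_access_token(&self, req: &AccessTokenRequest) -> Result<(), Error> {
        // refresh_token is documented as required; absent or empty is malformed.
        if req.refresh_token.as_deref().map_or(true, str::is_empty) {
            return Err(Error::InvalidRequest);
        }
        // vector<string>[128]: more than 128 scopes is not encodable.
        if req.scopes.as_ref().map_or(false, |s| s.len() > 128) {
            return Err(Error::InvalidRequest);
        }
        Ok(())
    }

    pub fn validate_id_token(&self, req: &IdTokenRequest) -> Result<(), Error> {
        // Documented precedence: check support before request validity.
        if !self.supports_id_tokens { return Err(Error::UnsupportedOperation); }
        if req.refresh_token.as_deref().map_or(true, str::is_empty) {
            return Err(Error::InvalidRequest);
        }
        // vector<string>[16] bound on audiences.
        if req.audiences.as_ref().map_or(false, |a| a.len() > 16) {
            return Err(Error::InvalidRequest);
        }
        Ok(())
    }
}
```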

UNIONS

Oauth_CreateRefreshToken_Result

generated

Name  Type  Description
response  Oauth_CreateRefreshToken_Response  -
err  Error  -

Oauth_GetAccessTokenFromRefreshToken_Result

generated

Name  Type  Description
response  Oauth_GetAccessTokenFromRefreshToken_Response  -
err  Error  -

Oauth_RevokeRefreshToken_Result

generated

Name  Type  Description
response  Oauth_RevokeRefreshToken_Response  -
err  Error  -

Oauth_RevokeAccessToken_Result

generated

Name  Type  Description
response  Oauth_RevokeAccessToken_Response  -
err  Error  -

OpenIdConnect_RevokeIdToken_Result

generated

Name  Type  Description
response  OpenIdConnect_RevokeIdToken_Response  -
err  Error  -

OauthOpenIdConnect_GetIdTokenFromRefreshToken_Result

generated

Name  Type  Description
response  OauthOpenIdConnect_GetIdTokenFromRefreshToken_Response  -
err  Error  -

OauthOpenIdConnect_GetUserInfoFromAccessToken_Result

generated

Name  Type  Description
response  OauthOpenIdConnect_GetUserInfoFromAccessToken_Response  -
err  Error  -