Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
POST /v1/auth/m2m
AddAuthMachineToMachineConfig creates a new auth machine to machine config.
DeLeTe /v1/auth/m2m/{id}
DeleteAuthMachineToMachineConfig deletes the specific auth machine to machine config. In case a specified auth machine to machine config does not exist is deleted, no error will be returned.
POST /v1/auth/m2m/exchange
exchangeAuthMachineToMachineToken exchanges a given identity token for a Central access token based on configured auth machine to machine configs.
PUT /v1/auth/m2m/{config.id}
UpdateAuthMachineToMachineConfig updates an existing auth machine to machine config. In case the auth machine to machine config does not exist, a new one will be created.
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
config.id |
UUID of the config. Note that when adding a machine to machine config, this field should not be set. |
X |
null |
Mappings map an identity token’s claim values to a specific role within Central.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key |
String |
A key within the identity token’s claim value to use. |
|||
valueexpression |
String |
A regular expression that will be evaluated against values of the identity token claim identified by the specified key. This regular expressions is in Re2 format, see more here: https://github.com/google/re2/wiki/Syntax. |
|||
role |
String |
The role which should be issued when the key and value match for a particular identity token. |
RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
attributeKey |
String |
||||
attributeValue |
String |
Any
contains an arbitrary serialized protocol buffer message along with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.
example 1: Pack and unpack a message in C++.
Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
example 2: Pack and unpack a message in Java.
Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); }
example 3: Pack and unpack a message in Python.
foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DeSCRIPTOR): any.Unpack(foo) ...
example 4: Pack and unpack a message in Go
foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... }
The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".
The JSON representation of an Any
value uses the regular
representation of the deserialized, embedded message, with an
additional field @type
which contains the type URL. example:
package google.profile; message Person { string first_name = 1; string last_name = 2; }
{ "@type": "type.googleapis.com/google.profile.Person", "firstName": <string>, "lastName": <string> }
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
value
which holds the custom JSON in addition to the @type
field. example (for message [google.protobuf.Duration][]):
{ "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" }
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
typeUrl |
String |
A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in |
|||
value |
byte[] |
Must be a valid serialized protocol buffer of the above specified type. |
byte |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
error |
String |
||||
code |
Integer |
int32 |
|||
message |
String |
||||
details |
List of ProtobufAny |
Next Tag: 15.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
String |
||||
type |
String |
||||
uiendpoint |
String |
||||
enabled |
Boolean |
||||
config |
Map of |
Config holds auth provider specific configuration. each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PeM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PeM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use. |
|||
loginUrl |
String |
The login URL will be provided by the backend, and may not be specified in a request. |
|||
validated |
Boolean |
||||
extraUiendpoints |
List of |
UI endpoints which to allow in addition to |
|||
active |
Boolean |
||||
requiredAttributes |
List of AuthProviderRequiredAttribute |
||||
traits |
|||||
claimMappings |
Map of |
Specifies claims from IdP token that will be copied to Rox token attributes. each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider. |
|||
lastUpdated |
Date |
Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt). |
date-time |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
serialStr |
String |
||||
serial |
String |
int64 |
|||
id |
String |
||||
type |
UNKNOWN_SeRVICe, SeNSOR_SeRVICe, CeNTRAL_SeRVICe, CeNTRAL_DB_SeRVICe, ReMOTe_SeRVICe, COLLeCTOR_SeRVICe, MONITORING_UI_SeRVICe, MONITORING_DB_SeRVICe, MONITORING_CLIeNT_SeRVICe, BeNCHMARK_SeRVICe, SCANNeR_SeRVICe, SCANNeR_DB_SeRVICe, ADMISSION_CONTROL_SeRVICe, SCANNeR_V4_INDeXeR_SeRVICe, SCANNeR_V4_MATCHeR_SeRVICe, SCANNeR_V4_DB_SeRVICe, |
||||
initBundleId |
String |
Next available tag: 16
enum Values |
---|
UNKNOWN_SeRVICe |
SeNSOR_SeRVICe |
CeNTRAL_SeRVICe |
CeNTRAL_DB_SeRVICe |
ReMOTe_SeRVICe |
COLLeCTOR_SeRVICe |
MONITORING_UI_SeRVICe |
MONITORING_DB_SeRVICe |
MONITORING_CLIeNT_SeRVICe |
BeNCHMARK_SeRVICe |
SCANNeR_SeRVICe |
SCANNeR_DB_SeRVICe |
ADMISSION_CONTROL_SeRVICe |
SCANNeR_V4_INDeXeR_SeRVICe |
SCANNeR_V4_MATCHeR_SeRVICe |
SCANNeR_V4_DB_SeRVICe |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
mutabilityMode |
ALLOW_MUTATe, ALLOW_MUTATe_FORCeD, |
||||
visibility |
VISIBLe, HIDDeN, |
||||
origin |
IMPeRATIVe, DeFAULT, DeCLARATIVe, DeCLARATIVe_ORPHANeD, |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
username |
String |
||||
friendlyName |
String |
||||
permissions |
|||||
roles |
List of StorageUserInfoRole |
Role is wire compatible with the old format of storage.Role and hence only includes role name and associated permissions.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
resourceToAccess |
Map of StorageAccess |
eXPeRIMeNTAL. NOTe: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATe and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATe_FORCeD forbids all modifying operations except object removal with force bit on.
Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATe to ALLOW_MUTATe_FORCeD is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATe.
enum Values |
---|
ALLOW_MUTATe |
ALLOW_MUTATe_FORCeD |
Origin specifies the origin of an object. Objects can have four different origins: - IMPeRATIVe: the object was created via the API. This is assumed by default. - DeFAULT: the object is a default object, such as default roles, access scopes etc. - DeCLARATIVe: the object is created via declarative configuration. - DeCLARATIVe_ORPHANeD: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DeCLARATIVe origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPeRATIVe origin. Objects with the DeFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPeRATIVe origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DeCLARATIVe_ORPHANeD origin are not allowed to be modified via either API or declarative configuration. DeCLARATIVe_ORPHANeD resource can become DeCLARATIVe again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.
enum Values |
---|
IMPeRATIVe |
DeFAULT |
DeCLARATIVe |
DeCLARATIVe_ORPHANeD |
eXPeRIMeNTAL. visibility allows to specify whether the object should be visible for certain APIs.
enum Values |
---|
VISIBLe |
HIDDeN |
ResourceToAccess represents a collection of permissions. It is wire compatible with the old format of storage.Role and replaces it in places where only aggregated permissions are required.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
resourceToAccess |
Map of StorageAccess |
AuthMachineToMachineConfig determines rules for exchanging an identity token from a third party with a Central access token. The M2M stands for machine to machine, as this is the intended use-case for the config.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
UUID of the config. Note that when adding a machine to machine config, this field should not be set. |
|||
type |
GeNeRIC, GITHUB_ACTIONS, |
||||
tokenexpirationDuration |
String |
Sets the expiration of the token returned from the exchangeAuthMachineToMachineToken API call. Possible valid time units are: s, m, h. The maximum allowed expiration duration is 24h. As an example: 2h45m. For additional information on the validation of the duration, see: https://pkg.go.dev/time#ParseDuration. |
|||
mappings |
At least one mapping is required to resolve to a valid role for the access token to be successfully generated. |
||||
issuer |
String |
The issuer of the related OIDC provider issuing the ID tokens to exchange. Must be non-empty string containing URL when type is GeNeRIC. In case of GitHub actions, this must be empty or set to https://token.actions.githubusercontent.com. Issuer is a unique key, therefore there may be at most one GITHUB_ACTIONS config, and each GeNeRIC config must have a distinct issuer. |
The type of the auth machine to machine config. Currently supports GitHub actions or any other generic OIDC provider to use for verifying and exchanging the token.
enum Values |
---|
GeNeRIC |
GITHUB_ACTIONS |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
userId |
String |
||||
serviceId |
|||||
expires |
Date |
date-time |
|||
refreshUrl |
String |
||||
authProvider |
|||||
userInfo |
|||||
userAttributes |
List of V1UserAttribute |
||||
idpToken |
String |
Token returned to ACS by the underlying identity provider. This field is set only in a few, specific contexts. Do not rely on this field being present in the response. |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
idToken |
String |
Identity token that is supposed to be exchanged. |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
accessToken |
String |
The exchanged access token. |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
configs |
List of V1AuthMachineToMachineConfig |