tailcfg: add Token{Request,Response} types

Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>
Maisem Ali 2022-03-22 21:49:27 -07:00 committed by Maisem Ali
parent 01adcfa688
commit 035e8ab00e
1 changed files with 39 additions and 0 deletions


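--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -1672,3 +1672,42 @@ type OverTLSPublicKeyResponse struct {
 // control/controlbase and control/controlhttp)
 PublicKey key.MachinePublic `json:"publicKey"`
 }
+// TokenRequest is a request to get an OIDC ID token for an audience.
+// The token can be presented to any resource provider which offers OIDC
+// Federation.
+//
+// It is JSON-encoded and sent over Noise to "/machine/id-token".
+type TokenRequest struct {
+// CapVersion is the client's current CapabilityVersion.
+CapVersion CapabilityVersion
+// NodeKey is the client's current node key.
+NodeKey key.NodePublic
+// Audience the token is being requested for.
+Audience string
+}
+// TokenResponse is the response to a TokenRequest.
+type TokenResponse struct {
+// IDToken is a JWT encoding the following standard claims:
+//
+// `sub` | the MagicDNS name of the node
+// `aud` | Audience from the request
+// `exp` | Token expiry
+// `iat` | Token issuance time
+// `iss` | Issuer
+// `jti` | Random token identifier
+// `nbf` | Not before time
+//
+// It also encodes the following Tailscale specific claims:
+//
+// `key` | the node public key
+// `addresses` | the Tailscale IPs of the node
+// `nid` | the node ID
+// `node` | the name of the node
+// `domain` | the domain of the node, it has the same format as MapResponse.Domain.
+// `tags` | an array of <domain:tag> on the node (like alice.github:tag:foo or example.com:tag:foo)
+// `user` | user emailish (like alice.github:alice@github or example.com:bob@example.com), if not tagged
+// `uid` | user ID, if not tagged
+IDToken string `json:"id_token"`
+}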
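Review bot: NodeKey in TokenRequest is a self-asserted value carried in the request body, so the token-minting side must not treat it as authenticated on its own: the request travels over Noise, whose peer identity is the machine key (see the OverTLSPublicKeyResponse context above), and presumably the server has to check that the claimed NodeKey is the node key currently registered to that machine before issuing a token whose `key`, `nid` and `sub` claims describe it. I would state that binding in the field comment so the control-side implementer does not read NodeKey as already verified, e.g. `// NodeKey is the client's current node key. It must match the node key bound to the Noise peer's machine key; a mismatch is expected to be rejected.` IDToken is likewise a bearer credential for the named audience until `exp`, so the TokenResponse doc should tell callers not to log it and to request the narrowest Audience the resource provider will accept. A minor consistency point: TokenRequest fields carry no json tags while TokenResponse uses `json:"id_token"`, so the request encodes with Go field names (`CapVersion`, `NodeKey`, `Audience`); tagging them, or noting the wire names in the type comment, would make the wire format explicit.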