zhenyi
06e8ee96a5
- Add TokenClaims message for JWT payload structure with user id, issuer, timestamps, and scopes - Implement IssueTokenRequest/Response for creating access and refresh tokens with TTL support - Create RefreshTokenRequest/Response for token rotation functionality - Define RevokeTokenRequest/Response with support for single token or user-wide revocation - Add VerifyTokenRequest/Response for validating JWT tokens with detailed claims information - Implement signing key distribution system with GetSigningKeysRequest/Response - Create TokenService gRPC service with IssueToken, RefreshToken, RevokeToken, VerifyToken, and GetSigningKeys methods - Add build.rs configuration to compile proto files using tonic_prost_build - Include channel, channel_settings, member, and permission protocol definitions for IM services - Generate Rust code bindings through pb/core.rs and pb/im.rs modules
125 lines
4.1 KiB
Protocol Buffer
125 lines
4.1 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package appks.core.v1;
|
|
|
|
// ============================================================
|
|
// JWT Payload
|
|
// ============================================================
|
|
|
|
message TokenClaims {
|
|
string sub = 1; // user id (uuid)
|
|
string iss = 2; // issuer (e.g. "appks")
|
|
int64 iat = 3; // issued at (unix seconds)
|
|
int64 exp = 4; // expires at (unix seconds)
|
|
string jti = 5; // unique token id (for revocation)
|
|
string scope = 6; // space-separated scopes
|
|
map<string, string> extra = 7; // extensible fields (workspace_id, role, etc.)
|
|
}
|
|
|
|
// ============================================================
|
|
// Issue (appks REST API → core)
|
|
// ============================================================
|
|
|
|
message IssueTokenRequest {
|
|
string user_id = 1;
|
|
int64 ttl_secs = 2; // access token lifetime
|
|
repeated string scopes = 3;
|
|
map<string, string> extra = 4;
|
|
}
|
|
|
|
message IssueTokenResponse {
|
|
string access_token = 1; // JWT
|
|
string refresh_token = 2; // opaque, stored in Redis
|
|
int64 expires_at = 3;
|
|
string key_id = 4; // kid header for the signing key
|
|
}
|
|
|
|
// ============================================================
|
|
// Refresh
|
|
// ============================================================
|
|
|
|
message RefreshTokenRequest {
|
|
string refresh_token = 1;
|
|
}
|
|
|
|
message RefreshTokenResponse {
|
|
string access_token = 1;
|
|
string refresh_token = 2; // rotated
|
|
int64 expires_at = 3;
|
|
string key_id = 4;
|
|
}
|
|
|
|
// ============================================================
|
|
// Revoke
|
|
// ============================================================
|
|
|
|
message RevokeTokenRequest {
|
|
oneof target {
|
|
string jti = 1; // revoke single token
|
|
string user_id = 2; // revoke all tokens for user
|
|
}
|
|
}
|
|
|
|
message RevokeTokenResponse {
|
|
int32 revoked_count = 1;
|
|
}
|
|
|
|
// ============================================================
|
|
// Verify (imks → core, RPC 模式)
|
|
// imks 把客户端携带的 JWT 发给 core 验证
|
|
// ============================================================
|
|
|
|
message VerifyTokenRequest {
|
|
string token = 1;
|
|
}
|
|
|
|
message VerifyTokenResponse {
|
|
bool valid = 1;
|
|
TokenClaims claims = 2; // only set when valid = true
|
|
string reason = 3; // "expired", "revoked", "invalid_signature", etc.
|
|
}
|
|
|
|
// ============================================================
|
|
// Key Distribution (imks → core, 本地验证模式)
|
|
// imks 拉取公钥/解密密钥,本地验证 JWT,无需每次 RPC
|
|
// 密钥窗口 3h,imks 定期刷新
|
|
// ============================================================
|
|
|
|
message SigningKey {
|
|
string kid = 1; // key id (matches JWT header kid)
|
|
string algorithm = 2; // "HS256", "RS256", "EdDSA", ...
|
|
string key_material = 3; // 对称: base64 secret / 非对称: PEM public key
|
|
int64 issued_at = 4; // 签发时间
|
|
int64 expires_at = 5; // 过期时间 (issued_at + 3h window)
|
|
bool active = 6; // 是否为当前活跃签名密钥
|
|
}
|
|
|
|
message GetSigningKeysRequest {
|
|
// 空 = 返回所有未过期密钥
|
|
// 非空 = 只返回指定 kid 的密钥
|
|
string kid = 1;
|
|
}
|
|
|
|
message GetSigningKeysResponse {
|
|
repeated SigningKey keys = 1; // 可能同时有多个有效密钥(滚动窗口)
|
|
int64 next_rotation_at = 2; // 下次密钥轮换时间,imks 据此安排刷新
|
|
}
|
|
|
|
// ============================================================
|
|
// Service
|
|
// ============================================================
|
|
|
|
service TokenService {
|
|
// --- 令牌生命周期 (appks REST handler 调用) ---
|
|
rpc IssueToken(IssueTokenRequest) returns (IssueTokenResponse);
|
|
rpc RefreshToken(RefreshTokenRequest) returns (RefreshTokenResponse);
|
|
rpc RevokeToken(RevokeTokenRequest) returns (RevokeTokenResponse);
|
|
|
|
// --- imks 验证 (RPC 模式) ---
|
|
rpc VerifyToken(VerifyTokenRequest) returns (VerifyTokenResponse);
|
|
|
|
// --- imks 密钥拉取 (本地验证模式) ---
|
|
// imks 启动时拉取,之后根据 next_rotation_at 定期刷新
|
|
rpc GetSigningKeys(GetSigningKeysRequest) returns (GetSigningKeysResponse);
|
|
}
|