Documentation

Overview

    Package minter contains the main API of the token server.

    It is a publicly accessible API used to mint various kinds of tokens.

    Index

    Constants

    This section is empty.

    Variables

    // Enum value maps for SignatureAlgorithm: number -> name and name -> number.
    //
    // The number 0 maps to UNKNOWN_ALGO and SHA256_RSA_ALGO is the only other
    // entry, so an algorithm field that was left unset reads as UNKNOWN_ALGO
    // rather than as a concrete signature algorithm.
    var (
    	SignatureAlgorithm_name = map[int32]string{
    		0: "UNKNOWN_ALGO",
    		1: "SHA256_RSA_ALGO",
    	}
    	SignatureAlgorithm_value = map[string]int32{
    		"UNKNOWN_ALGO":    0,
    		"SHA256_RSA_ALGO": 1,
    	}
    )

      Enum value maps for SignatureAlgorithm.

      var (
      	ErrorCode_name = map[int32]string{
      		0: "SUCCESS",
      		1: "UNSUPPORTED_SIGNATURE",
      		2: "UNSUPPORTED_TOKEN_TYPE",
      		3: "BAD_TIMESTAMP",
      		4: "BAD_CERTIFICATE_FORMAT",
      		5: "BAD_SIGNATURE",
      		6: "UNTRUSTED_CERTIFICATE",
      		7: "BAD_TOKEN_ARGUMENTS",
      		8: "MACHINE_TOKEN_MINTING_ERROR",
      	}
      	ErrorCode_value = map[string]int32{
      		"SUCCESS":                     0,
      		"UNSUPPORTED_SIGNATURE":       1,
      		"UNSUPPORTED_TOKEN_TYPE":      2,
      		"BAD_TIMESTAMP":               3,
      		"BAD_CERTIFICATE_FORMAT":      4,
      		"BAD_SIGNATURE":               5,
      		"UNTRUSTED_CERTIFICATE":       6,
      		"BAD_TOKEN_ARGUMENTS":         7,
      		"MACHINE_TOKEN_MINTING_ERROR": 8,
      	}
      )

        Enum value maps for ErrorCode.

        var (
        	ServiceAccountTokenKind_name = map[int32]string{
        		0: "SERVICE_ACCOUNT_TOKEN_UNSPECIFIED",
        		1: "SERVICE_ACCOUNT_TOKEN_ACCESS_TOKEN",
        		2: "SERVICE_ACCOUNT_TOKEN_ID_TOKEN",
        	}
        	ServiceAccountTokenKind_value = map[string]int32{
        		"SERVICE_ACCOUNT_TOKEN_UNSPECIFIED":  0,
        		"SERVICE_ACCOUNT_TOKEN_ACCESS_TOKEN": 1,
        		"SERVICE_ACCOUNT_TOKEN_ID_TOKEN":     2,
        	}
        )

          Enum value maps for ServiceAccountTokenKind.

          var File_go_chromium_org_luci_tokenserver_api_minter_v1_token_minter_proto protoreflect.FileDescriptor
          var TokenMinter_ServiceDesc = grpc.ServiceDesc{
          	ServiceName: "tokenserver.minter.TokenMinter",
          	HandlerType: (*TokenMinterServer)(nil),
          	Methods: []grpc.MethodDesc{
          		{
          			MethodName: "MintMachineToken",
          			Handler:    _TokenMinter_MintMachineToken_Handler,
          		},
          		{
          			MethodName: "MintDelegationToken",
          			Handler:    _TokenMinter_MintDelegationToken_Handler,
          		},
          		{
          			MethodName: "MintOAuthTokenGrant",
          			Handler:    _TokenMinter_MintOAuthTokenGrant_Handler,
          		},
          		{
          			MethodName: "MintOAuthTokenViaGrant",
          			Handler:    _TokenMinter_MintOAuthTokenViaGrant_Handler,
          		},
          		{
          			MethodName: "MintProjectToken",
          			Handler:    _TokenMinter_MintProjectToken_Handler,
          		},
          		{
          			MethodName: "MintServiceAccountToken",
          			Handler:    _TokenMinter_MintServiceAccountToken_Handler,
          		},
          	},
          	Streams:  []grpc.StreamDesc{},
          	Metadata: "go.chromium.org/luci/tokenserver/api/minter/v1/token_minter.proto",
          }

            TokenMinter_ServiceDesc is the grpc.ServiceDesc for TokenMinter service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)

            Functions

            func FileDescriptorSet

            func FileDescriptorSet() *descriptorpb.FileDescriptorSet

              FileDescriptorSet returns a descriptor set for this proto package, which includes all defined services, and all transitive dependencies.

              Will not return nil.

              Do NOT modify the returned descriptor.

              func RegisterTokenMinterServer

              func RegisterTokenMinterServer(s grpc.ServiceRegistrar, srv TokenMinterServer)

              Types

              type ErrorCode

              type ErrorCode int32

                Possible kinds of fatal errors.

                Non-fatal errors are returned as grpc.Internal errors instead.

                // ErrorCode values, as carried in MintMachineTokenResponse.ErrorCode.
                //
                // ErrorCode_SUCCESS is 0, which is also the zero value of the type, so an
                // error code that was never populated compares equal to SUCCESS. A caller
                // that needs to know a token was really minted can also check that the
                // token itself is present.
                const (
                	ErrorCode_SUCCESS                     ErrorCode = 0
                	ErrorCode_UNSUPPORTED_SIGNATURE       ErrorCode = 1 // used signature_algorithm is not supported
                	ErrorCode_UNSUPPORTED_TOKEN_TYPE      ErrorCode = 2 // requested token_type is not supported
                	ErrorCode_BAD_TIMESTAMP               ErrorCode = 3 // issued_at field is wrong
                	ErrorCode_BAD_CERTIFICATE_FORMAT      ErrorCode = 4 // malformed or unsupported certificate
                	ErrorCode_BAD_SIGNATURE               ErrorCode = 5 // signature doesn't match or can't be verified
                	ErrorCode_UNTRUSTED_CERTIFICATE       ErrorCode = 6 // invalid certificate or can't verify it yet
                	ErrorCode_BAD_TOKEN_ARGUMENTS         ErrorCode = 7 // FQDN or Scopes are invalid or not whitelisted
                	ErrorCode_MACHINE_TOKEN_MINTING_ERROR ErrorCode = 8 // unspecified fatal error when minting a machine token
                )

                func (ErrorCode) Descriptor

                func (ErrorCode) Descriptor() protoreflect.EnumDescriptor

                func (ErrorCode) Enum

                func (x ErrorCode) Enum() *ErrorCode

                func (ErrorCode) EnumDescriptor

                func (ErrorCode) EnumDescriptor() ([]byte, []int)

                  Deprecated: Use ErrorCode.Descriptor instead.

                  func (ErrorCode) Number

                  func (x ErrorCode) Number() protoreflect.EnumNumber

                  func (ErrorCode) String

                  func (x ErrorCode) String() string

                  func (ErrorCode) Type

                  type LuciMachineToken

                  type LuciMachineToken struct {
                  	// Bearer credential according to this type's documentation, so it should
                  	// be handled as a secret (for example, kept out of logs).
                  	MachineToken string                 `protobuf:"bytes,1,opt,name=machine_token,json=machineToken,proto3" json:"machine_token,omitempty"` // the actual token
                  	// Expiry of MachineToken; the type's documentation gives the usual
                  	// lifetime as 1h.
                  	Expiry       *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expiry,proto3" json:"expiry,omitempty"`                                 // when the token expires
                  	// contains filtered or unexported fields
                  }

                    LuciMachineToken is a short-lived machine token.

                    It is understood only by LUCI backends. It is a bearer token that embeds the machine hostname and details about the machine certificate it was issued for, so whoever holds it can present it until it expires. It has a short lifetime (usually 1h).

                    It is expected to be sent to backends in 'X-Luci-Machine-Token' HTTP header.

                    The token here is supposed to be treated as an opaque base64-encoded blob, but in reality it is a serialized MachineTokenEnvelope; see machine_token.proto and read the comment there for more info about the token format.

                    func (*LuciMachineToken) Descriptor

                    func (*LuciMachineToken) Descriptor() ([]byte, []int)

                      Deprecated: Use LuciMachineToken.ProtoReflect.Descriptor instead.

                      func (*LuciMachineToken) GetExpiry

                      func (x *LuciMachineToken) GetExpiry() *timestamppb.Timestamp

                      func (*LuciMachineToken) GetMachineToken

                      func (x *LuciMachineToken) GetMachineToken() string

                      func (*LuciMachineToken) ProtoMessage

                      func (*LuciMachineToken) ProtoMessage()

                      func (*LuciMachineToken) ProtoReflect

                      func (x *LuciMachineToken) ProtoReflect() protoreflect.Message

                      func (*LuciMachineToken) Reset

                      func (x *LuciMachineToken) Reset()

                      func (*LuciMachineToken) String

                      func (x *LuciMachineToken) String() string

                      type MachineTokenRequest

                      // MachineTokenRequest is the message that is serialized and signed; it
                      // is carried as bytes in MintMachineTokenRequest.SerializedTokenRequest.
                      type MachineTokenRequest struct {
                      
                      	// The certificate that identifies a caller (as ASN1-serialized blob).
                      	//
                      	// It will be used to extract machine FQDN (it's CN of the cert) and CA name
                      	// to use to check the cert.
                      	//
                      	// NOTE(review): the machine identity therefore comes from a
                      	// caller-supplied certificate. The UNTRUSTED_CERTIFICATE and
                      	// BAD_SIGNATURE error codes in this package suggest the server checks the
                      	// certificate and the request signature before trusting the CN - confirm
                      	// in the server implementation.
                      	Certificate []byte `protobuf:"bytes,1,opt,name=certificate,proto3" json:"certificate,omitempty"`
                      	// The signature algorithm used to sign this request.
                      	//
                      	// Defines what's in MintMachineTokenRequest.signature field.
                      	//
                      	// The zero value is UNKNOWN_ALGO, so leaving this unset does not name a
                      	// concrete algorithm.
                      	SignatureAlgorithm SignatureAlgorithm `` /* 159-byte string literal not displayed */
                      	// Timestamp when this request was created, by the issuer clock.
                      	//
                      	// NOTE(review): a wrong value is reported as BAD_TIMESTAMP; the range of
                      	// timestamps the server accepts is not visible here - confirm before
                      	// relying on it to bound reuse of a captured request.
                      	IssuedAt *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
                      	// The token type being requested.
                      	//
                      	// Defines what fields of the response are set.
                      	TokenType api.MachineTokenType `protobuf:"varint,4,opt,name=token_type,json=tokenType,proto3,enum=tokenserver.MachineTokenType" json:"token_type,omitempty"`
                      	// contains filtered or unexported fields
                      }

                        MachineTokenRequest contains the actual request parameters.

                        func (*MachineTokenRequest) Descriptor

                        func (*MachineTokenRequest) Descriptor() ([]byte, []int)

                          Deprecated: Use MachineTokenRequest.ProtoReflect.Descriptor instead.

                          func (*MachineTokenRequest) GetCertificate

                          func (x *MachineTokenRequest) GetCertificate() []byte

                          func (*MachineTokenRequest) GetIssuedAt

                          func (x *MachineTokenRequest) GetIssuedAt() *timestamppb.Timestamp

                          func (*MachineTokenRequest) GetSignatureAlgorithm

                          func (x *MachineTokenRequest) GetSignatureAlgorithm() SignatureAlgorithm

                          func (*MachineTokenRequest) GetTokenType

                          func (x *MachineTokenRequest) GetTokenType() api.MachineTokenType

                          func (*MachineTokenRequest) ProtoMessage

                          func (*MachineTokenRequest) ProtoMessage()

                          func (*MachineTokenRequest) ProtoReflect

                          func (x *MachineTokenRequest) ProtoReflect() protoreflect.Message

                          func (*MachineTokenRequest) Reset

                          func (x *MachineTokenRequest) Reset()

                          func (*MachineTokenRequest) String

                          func (x *MachineTokenRequest) String() string

                          type MachineTokenResponse

                          type MachineTokenResponse struct {
                          
                          	// Identifier of the service and its version that produced the token.
                          	//
                          	// Has the form "<app-id>/<module-version>". Reported to the monitoring by
                          	// the client. This is _not_ a part of the token.
                          	ServiceVersion string `protobuf:"bytes,2,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                          	// The generated token.
                          	//
                          	// The exact field set here depends on a requested type of the token, see
                          	// MachineTokenRequest.token_type.
                          	//
                          	// Types that are assignable to TokenType:
                          	//	*MachineTokenResponse_LuciMachineToken
                          	TokenType isMachineTokenResponse_TokenType `protobuf_oneof:"token_type"`
                          	// contains filtered or unexported fields
                          }

                            MachineTokenResponse contains a token requested by MachineTokenRequest.

                            func (*MachineTokenResponse) Descriptor

                            func (*MachineTokenResponse) Descriptor() ([]byte, []int)

                              Deprecated: Use MachineTokenResponse.ProtoReflect.Descriptor instead.

                              func (*MachineTokenResponse) GetLuciMachineToken

                              func (x *MachineTokenResponse) GetLuciMachineToken() *LuciMachineToken

                              func (*MachineTokenResponse) GetServiceVersion

                              func (x *MachineTokenResponse) GetServiceVersion() string

                              func (*MachineTokenResponse) GetTokenType

                              func (m *MachineTokenResponse) GetTokenType() isMachineTokenResponse_TokenType

                              func (*MachineTokenResponse) ProtoMessage

                              func (*MachineTokenResponse) ProtoMessage()

                              func (*MachineTokenResponse) ProtoReflect

                              func (x *MachineTokenResponse) ProtoReflect() protoreflect.Message

                              func (*MachineTokenResponse) Reset

                              func (x *MachineTokenResponse) Reset()

                              func (*MachineTokenResponse) String

                              func (x *MachineTokenResponse) String() string

                              type MachineTokenResponse_LuciMachineToken

                              type MachineTokenResponse_LuciMachineToken struct {
                              	LuciMachineToken *LuciMachineToken `protobuf:"bytes,21,opt,name=luci_machine_token,json=luciMachineToken,proto3,oneof"`
                              }

                              type MintDelegationTokenRequest

                              // MintDelegationTokenRequest asks the token server for a token that
                              // delegates an identity. Audience and Services together decide who may
                              // use the token and where it is accepted.
                              type MintDelegationTokenRequest struct {
                              
                              	// Identity whose authority is delegated.
                              	//
                              	// A string of the form "user:<email>" or a special token "REQUESTOR" that
                              	// means to delegate caller's own identity. The token server will check its
                              	// ACLs to make sure the caller is authorized to impersonate this identity.
                              	//
                              	// Required.
                              	DelegatedIdentity string `protobuf:"bytes,1,opt,name=delegated_identity,json=delegatedIdentity,proto3" json:"delegated_identity,omitempty"`
                              	// How long the token should be considered valid (in seconds).
                              	//
                              	// Default is 3600 sec.
                              	//
                              	// NOTE(review): no upper bound is documented here; whether the server
                              	// caps this value is not visible - confirm.
                              	ValidityDuration int64 `protobuf:"varint,2,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
                              	// Who will be able to use the new token.
                              	//
                              	// Each item can be an identity string (e.g. "user:<email>"), a "group:<name>"
                              	// string, special "*" string which means "Any bearer can use the token", or
                              	// "REQUESTOR" string which means "Whoever is making this call can use the
                              	// token".
                              	//
                              	// With "*" the token is not bound to any identity: anyone who obtains it
                              	// can use it for as long as it is valid. Prefer the narrowest audience
                              	// that works.
                              	//
                              	// This is semantically a set, the order of elements doesn't matter.
                              	//
                              	// Required.
                              	Audience []string `protobuf:"bytes,3,rep,name=audience,proto3" json:"audience,omitempty"`
                              	// What services should accept the new token.
                              	//
                              	// List of LUCI services (specified as service identities, e.g.
                              	// "service:app-id" or as https:// root URLs e.g. "https://<host>") that
                              	// should accept this token. May also contain special "*" string, which
                              	// means "All LUCI services".
                              	//
                              	// Listing only the services that need the token limits where a leaked
                              	// token is accepted; "*" removes that limit.
                              	//
                              	// This is semantically a set, the order of elements doesn't matter.
                              	//
                              	// Required.
                              	Services []string `protobuf:"bytes,4,rep,name=services,proto3" json:"services,omitempty"`
                              	// Optional reason why the token is created.
                              	//
                              	// Used only for logging and auditing purposes. Doesn't become part of the
                              	// token.
                              	Intent string `protobuf:"bytes,5,opt,name=intent,proto3" json:"intent,omitempty"`
                              	// Arbitrary key:value pairs embedded into the token by whoever requested it.
                              	// Convey circumstance of why the token is created.
                              	//
                              	// Services that accept the token may use them for additional authorization
                              	// decisions. Please use extremely carefully, only when you control both sides
                              	// of the delegation link and can guarantee that services involved understand
                              	// the tags.
                              	Tags []string `protobuf:"bytes,6,rep,name=tags,proto3" json:"tags,omitempty"`
                              	// contains filtered or unexported fields
                              }

                                MintDelegationTokenRequest is passed to MintDelegationToken.

                                func (*MintDelegationTokenRequest) Descriptor

                                func (*MintDelegationTokenRequest) Descriptor() ([]byte, []int)

                                  Deprecated: Use MintDelegationTokenRequest.ProtoReflect.Descriptor instead.

                                  func (*MintDelegationTokenRequest) GetAudience

                                  func (x *MintDelegationTokenRequest) GetAudience() []string

                                  func (*MintDelegationTokenRequest) GetDelegatedIdentity

                                  func (x *MintDelegationTokenRequest) GetDelegatedIdentity() string

                                  func (*MintDelegationTokenRequest) GetIntent

                                  func (x *MintDelegationTokenRequest) GetIntent() string

                                  func (*MintDelegationTokenRequest) GetServices

                                  func (x *MintDelegationTokenRequest) GetServices() []string

                                  func (*MintDelegationTokenRequest) GetTags

                                  func (x *MintDelegationTokenRequest) GetTags() []string

                                  func (*MintDelegationTokenRequest) GetValidityDuration

                                  func (x *MintDelegationTokenRequest) GetValidityDuration() int64

                                  func (*MintDelegationTokenRequest) ProtoMessage

                                  func (*MintDelegationTokenRequest) ProtoMessage()

                                  func (*MintDelegationTokenRequest) ProtoReflect

                                  func (*MintDelegationTokenRequest) Reset

                                  func (x *MintDelegationTokenRequest) Reset()

                                  func (*MintDelegationTokenRequest) String

                                  func (x *MintDelegationTokenRequest) String() string

                                  type MintDelegationTokenResponse

                                  type MintDelegationTokenResponse struct {
                                  
                                  	// The actual base64-encoded signed token.
                                  	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
                                  	// Same data as in 'token' in deserialized form, just for convenience.
                                  	//
                                  	// Mostly for JSON encoding users, since they may not understand proto-encoded
                                  	// tokens.
                                  	//
                                  	// NOTE(review): this is a convenience copy; presumably only Token carries
                                  	// the signature, so code that makes authorization decisions should rely
                                  	// on the verified Token rather than on this field - confirm.
                                  	DelegationSubtoken *messages.Subtoken `protobuf:"bytes,2,opt,name=delegation_subtoken,json=delegationSubtoken,proto3" json:"delegation_subtoken,omitempty"`
                                  	// Identifier of the service and its version that produced the token.
                                  	//
                                  	// Has the form "<app-id>/<module-version>". This is _not_ part of the token.
                                  	// Used only for logging and monitoring.
                                  	ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                                  	// contains filtered or unexported fields
                                  }

                                    MintDelegationTokenResponse is returned by MintDelegationToken on success.

                                    Errors are returned via standard gRPC codes.

                                    func (*MintDelegationTokenResponse) Descriptor

                                    func (*MintDelegationTokenResponse) Descriptor() ([]byte, []int)

                                      Deprecated: Use MintDelegationTokenResponse.ProtoReflect.Descriptor instead.

                                      func (*MintDelegationTokenResponse) GetDelegationSubtoken

                                      func (x *MintDelegationTokenResponse) GetDelegationSubtoken() *messages.Subtoken

                                      func (*MintDelegationTokenResponse) GetServiceVersion

                                      func (x *MintDelegationTokenResponse) GetServiceVersion() string

                                      func (*MintDelegationTokenResponse) GetToken

                                      func (x *MintDelegationTokenResponse) GetToken() string

                                      func (*MintDelegationTokenResponse) ProtoMessage

                                      func (*MintDelegationTokenResponse) ProtoMessage()

                                      func (*MintDelegationTokenResponse) ProtoReflect

                                      func (*MintDelegationTokenResponse) Reset

                                      func (x *MintDelegationTokenResponse) Reset()

                                      func (*MintDelegationTokenResponse) String

                                      func (x *MintDelegationTokenResponse) String() string

                                      type MintMachineTokenRequest

                                      type MintMachineTokenRequest struct {
                                      
                                      	// The protobuf-serialized MachineTokenRequest message, signed by the private
                                      	// key that matches MachineTokenRequest.certificate.
                                      	//
                                      	// We have to send it as a byte blob to avoid dealing with possible protobuf
                                      	// serialization inconsistencies when checking the signature.
                                      	//
                                      	// The signature is therefore meant to be checked over these exact bytes
                                      	// as received, not over a re-encoded copy of the decoded message.
                                      	SerializedTokenRequest []byte `` /* 129-byte string literal not displayed */
                                      	// The signature of the SerializedTokenRequest blob.
                                      	//
                                      	// See MachineTokenRequest.signature_algorithm for exact meaning.
                                      	Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
                                      	// contains filtered or unexported fields
                                      }

                                        MintMachineTokenRequest wraps a serialized and signed MachineTokenRequest message.

                                        func (*MintMachineTokenRequest) Descriptor

                                        func (*MintMachineTokenRequest) Descriptor() ([]byte, []int)

                                          Deprecated: Use MintMachineTokenRequest.ProtoReflect.Descriptor instead.

                                          func (*MintMachineTokenRequest) GetSerializedTokenRequest

                                          func (x *MintMachineTokenRequest) GetSerializedTokenRequest() []byte

                                          func (*MintMachineTokenRequest) GetSignature

                                          func (x *MintMachineTokenRequest) GetSignature() []byte

                                          func (*MintMachineTokenRequest) ProtoMessage

                                          func (*MintMachineTokenRequest) ProtoMessage()

                                          func (*MintMachineTokenRequest) ProtoReflect

                                          func (x *MintMachineTokenRequest) ProtoReflect() protoreflect.Message

                                          func (*MintMachineTokenRequest) Reset

                                          func (x *MintMachineTokenRequest) Reset()

                                          func (*MintMachineTokenRequest) String

                                          func (x *MintMachineTokenRequest) String() string

                                          type MintMachineTokenResponse

                                          // MintMachineTokenResponse reports refusals in-band: it is returned even
                                          // when the server declines to mint a token, so ErrorCode has to be checked
                                          // before TokenResponse is used.
                                          type MintMachineTokenResponse struct {
                                          
                                          	// Possible kinds of fatal errors.
                                          	//
                                          	// Non-fatal errors are returned as grpc.Internal errors instead.
                                          	//
                                          	// ErrorCode_SUCCESS is 0, the zero value, so an unpopulated field also
                                          	// reads as SUCCESS; checking that TokenResponse is set as well guards
                                          	// against that.
                                          	ErrorCode ErrorCode `protobuf:"varint,1,opt,name=error_code,json=errorCode,proto3,enum=tokenserver.minter.ErrorCode" json:"error_code,omitempty"`
                                          	// Optional detailed error message.
                                          	ErrorMessage string `protobuf:"bytes,2,opt,name=error_message,json=errorMessage,proto3" json:"error_message,omitempty"`
                                          	// On success (SUCCESS error code) contains the produced token.
                                          	TokenResponse *MachineTokenResponse `protobuf:"bytes,3,opt,name=token_response,json=tokenResponse,proto3" json:"token_response,omitempty"`
                                          	// Identifier of the service and its version that produced the response.
                                          	//
                                          	// Set for both successful responses and errors. On success, it is identical
                                          	// to token_response.service_version.
                                          	ServiceVersion string `protobuf:"bytes,4,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                                          	// contains filtered or unexported fields
                                          }

                                            MintMachineTokenResponse is returned by MintMachineToken if the server processed the request.

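                                            It's returned even if the server refuses to mint a token, in which case it contains the error details. A successfully completed RPC therefore does not by itself mean a token was minted; check error_code.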

                                            func (*MintMachineTokenResponse) Descriptor

                                            func (*MintMachineTokenResponse) Descriptor() ([]byte, []int)

                                              Deprecated: Use MintMachineTokenResponse.ProtoReflect.Descriptor instead.

                                              func (*MintMachineTokenResponse) GetErrorCode

                                              func (x *MintMachineTokenResponse) GetErrorCode() ErrorCode

                                              func (*MintMachineTokenResponse) GetErrorMessage

                                              func (x *MintMachineTokenResponse) GetErrorMessage() string

                                              func (*MintMachineTokenResponse) GetServiceVersion

                                              func (x *MintMachineTokenResponse) GetServiceVersion() string

                                              func (*MintMachineTokenResponse) GetTokenResponse

                                              func (x *MintMachineTokenResponse) GetTokenResponse() *MachineTokenResponse

                                              func (*MintMachineTokenResponse) ProtoMessage

                                              func (*MintMachineTokenResponse) ProtoMessage()

                                              func (*MintMachineTokenResponse) ProtoReflect

                                              func (x *MintMachineTokenResponse) ProtoReflect() protoreflect.Message

                                              func (*MintMachineTokenResponse) Reset

                                              func (x *MintMachineTokenResponse) Reset()

                                              func (*MintMachineTokenResponse) String

                                              func (x *MintMachineTokenResponse) String() string

                                              type MintOAuthTokenGrantRequest

                                              type MintOAuthTokenGrantRequest struct {
                                              
                                              	// Service account identity the end user wants to act as.
                                              	//
                                              	// A string of the form "<email>".
                                              	//
                                              	// Required.
                                              	ServiceAccount string `protobuf:"bytes,1,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
                                              	// How long the generated grant should be considered valid (in seconds).
                                              	//
                                              	// Default is 3600 sec.
                                              	//
                                              	// NOTE(review): no upper bound is documented here; whether the server
                                              	// caps this value is not visible - confirm.
                                              	ValidityDuration int64 `protobuf:"varint,2,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
                                              	// An end user that wants to act as the service account (perhaps indirectly).
                                              	//
                                              	// A string of the form "user:<email>". On Swarming, this is an identity of
                                              	// a user that posted the task.
                                              	//
                                              	// NOTE(review): per the TODO below, this value appears to be asserted by
                                              	// the caller and is not yet proven with the end user's own credentials,
                                              	// so it is only as trustworthy as the calling service - confirm against
                                              	// the server implementation before relying on it for authorization.
                                              	//
                                              	// TODO(vadimsh): Verify that this user is present during MintOAuthTokenGrant
                                              	// RPC by requiring the end user's credentials, e.g make Swarming forward
                                              	// user's OAuth token to the token server, where it can be validated.
                                              	//
                                              	// Required.
                                              	EndUser string `protobuf:"bytes,3,opt,name=end_user,json=endUser,proto3" json:"end_user,omitempty"`
                                              	// Arbitrary key:value pairs describing circumstances of this call.
                                              	//
                                              	// Used only for logging and auditing purposes. Not involved in authorization
                                              	// and don't become part of the grant.
                                              	AuditTags []string `protobuf:"bytes,4,rep,name=audit_tags,json=auditTags,proto3" json:"audit_tags,omitempty"`
                                              	// contains filtered or unexported fields
                                              }

                                                MintOAuthTokenGrantRequest is passed to MintOAuthTokenGrant.

                                                An additional implicit field is the identity of whoever makes this call. It is not a field of the request message; it becomes the 'wielder_identity' of the generated grant token.

                                                func (*MintOAuthTokenGrantRequest) Descriptor

                                                func (*MintOAuthTokenGrantRequest) Descriptor() ([]byte, []int)

                                                  Deprecated: Use MintOAuthTokenGrantRequest.ProtoReflect.Descriptor instead.

                                                  func (*MintOAuthTokenGrantRequest) GetAuditTags

                                                  func (x *MintOAuthTokenGrantRequest) GetAuditTags() []string

                                                  func (*MintOAuthTokenGrantRequest) GetEndUser

                                                  func (x *MintOAuthTokenGrantRequest) GetEndUser() string

                                                  func (*MintOAuthTokenGrantRequest) GetServiceAccount

                                                  func (x *MintOAuthTokenGrantRequest) GetServiceAccount() string

                                                  func (*MintOAuthTokenGrantRequest) GetValidityDuration

                                                  func (x *MintOAuthTokenGrantRequest) GetValidityDuration() int64

                                                  func (*MintOAuthTokenGrantRequest) ProtoMessage

                                                  func (*MintOAuthTokenGrantRequest) ProtoMessage()

                                                  func (*MintOAuthTokenGrantRequest) ProtoReflect

                                                  func (*MintOAuthTokenGrantRequest) Reset

                                                  func (x *MintOAuthTokenGrantRequest) Reset()

                                                  func (*MintOAuthTokenGrantRequest) String

                                                  func (x *MintOAuthTokenGrantRequest) String() string

                                                  type MintOAuthTokenGrantResponse

                                                  // MintOAuthTokenGrantResponse carries the grant produced by MintOAuthTokenGrant.
                                                  type MintOAuthTokenGrantResponse struct {
                                                  	// GrantToken is the value later passed as
                                                  	// MintOAuthTokenViaGrantRequest.GrantToken.
                                                  	//
                                                  	// NOTE(review): it can be exchanged for a service account access token,
                                                  	// so handle it as a credential and keep it out of logs. The
                                                  	// 'wielder_identity' comparison described for MintOAuthTokenViaGrantRequest
                                                  	// is what limits who can redeem it.
                                                  	GrantToken string                 `protobuf:"bytes,1,opt,name=grant_token,json=grantToken,proto3" json:"grant_token,omitempty"` // an opaque urlsafe token
                                                  	// Expiry is the expiration time of the grant. Per the MinValidityDuration
                                                  	// comment on MintOAuthTokenViaGrantRequest, it does not bound the
                                                  	// lifetime of access tokens obtained via the grant.
                                                  	Expiry     *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expiry,proto3" json:"expiry,omitempty"`                           // when this token expires
                                                  	// Identifier of the service and its version that produced the token.
                                                  	//
                                                  	// Has the form "<app-id>/<module-version>". This is _not_ part of the token.
                                                  	// Used only for logging and monitoring.
                                                  	ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                                                  	// contains filtered or unexported fields
                                                  }

                                                    MintOAuthTokenGrantResponse is returned by MintOAuthTokenGrant.

                                                    func (*MintOAuthTokenGrantResponse) Descriptor

                                                    func (*MintOAuthTokenGrantResponse) Descriptor() ([]byte, []int)

                                                      Deprecated: Use MintOAuthTokenGrantResponse.ProtoReflect.Descriptor instead.

                                                      func (*MintOAuthTokenGrantResponse) GetExpiry

                                                      func (*MintOAuthTokenGrantResponse) GetGrantToken

                                                      func (x *MintOAuthTokenGrantResponse) GetGrantToken() string

                                                      func (*MintOAuthTokenGrantResponse) GetServiceVersion

                                                      func (x *MintOAuthTokenGrantResponse) GetServiceVersion() string

                                                      func (*MintOAuthTokenGrantResponse) ProtoMessage

                                                      func (*MintOAuthTokenGrantResponse) ProtoMessage()

                                                      func (*MintOAuthTokenGrantResponse) ProtoReflect

                                                      func (*MintOAuthTokenGrantResponse) Reset

                                                      func (x *MintOAuthTokenGrantResponse) Reset()

                                                      func (*MintOAuthTokenGrantResponse) String

                                                      func (x *MintOAuthTokenGrantResponse) String() string

                                                      type MintOAuthTokenViaGrantRequest

                                                      // MintOAuthTokenViaGrantRequest holds the arguments of the MintOAuthTokenViaGrant RPC.
                                                      type MintOAuthTokenViaGrantRequest struct {
                                                      
                                                      	// A previously generated grant, as returned by MintOAuthTokenGrant.
                                                      	GrantToken string `protobuf:"bytes,1,opt,name=grant_token,json=grantToken,proto3" json:"grant_token,omitempty"`
                                                      	// The list of OAuth scopes the access token should have.
                                                      	//
                                                      	// The server may reject the request if some scopes are not allowed.
                                                      	//
                                                      	// NOTE(review): which scopes are allowed is decided server-side and is
                                                      	// not visible here; request only the scopes the task needs.
                                                      	OauthScope []string `protobuf:"bytes,2,rep,name=oauth_scope,json=oauthScope,proto3" json:"oauth_scope,omitempty"`
                                                      	// Minimally accepted validity duration of the returned OAuth token (seconds).
                                                      	//
                                                      	// The server may return a token that lives longer than this. The maximum is
                                                      	// 1h. An attempt to get a token that lives longer than 1h will result in
                                                      	// an error.
                                                      	//
                                                      	// The returned token validity duration doesn't depend on the lifetime of
                                                      	// the grant: it's possible to use a grant that expires in 1 sec to get an
                                                      	// access token that lives for 1h.
                                                      	//
                                                      	// NOTE(review): as a consequence, the grant's expiry only bounds when the
                                                      	// grant can be exchanged; it is not an upper bound on how long a
                                                      	// credential derived from it stays valid.
                                                      	//
                                                      	// Default is 300 sec.
                                                      	MinValidityDuration int64 `protobuf:"varint,3,opt,name=min_validity_duration,json=minValidityDuration,proto3" json:"min_validity_duration,omitempty"`
                                                      	// Arbitrary key:value pairs describing circumstances of this call.
                                                      	//
                                                      	// Used only for logging and auditing purposes. Not involved in authorization.
                                                      	AuditTags []string `protobuf:"bytes,4,rep,name=audit_tags,json=auditTags,proto3" json:"audit_tags,omitempty"`
                                                      	// contains filtered or unexported fields
                                                      }

                                                        MintOAuthTokenViaGrantRequest is passed to MintOAuthTokenViaGrant.

                                                        An additional implicit field is the identity of whoever makes this call. It is not a field of the request message; it is compared against the 'wielder_identity' inside the grant token.

                                                        func (*MintOAuthTokenViaGrantRequest) Descriptor

                                                        func (*MintOAuthTokenViaGrantRequest) Descriptor() ([]byte, []int)

                                                          Deprecated: Use MintOAuthTokenViaGrantRequest.ProtoReflect.Descriptor instead.

                                                          func (*MintOAuthTokenViaGrantRequest) GetAuditTags

                                                          func (x *MintOAuthTokenViaGrantRequest) GetAuditTags() []string

                                                          func (*MintOAuthTokenViaGrantRequest) GetGrantToken

                                                          func (x *MintOAuthTokenViaGrantRequest) GetGrantToken() string

                                                          func (*MintOAuthTokenViaGrantRequest) GetMinValidityDuration

                                                          func (x *MintOAuthTokenViaGrantRequest) GetMinValidityDuration() int64

                                                          func (*MintOAuthTokenViaGrantRequest) GetOauthScope

                                                          func (x *MintOAuthTokenViaGrantRequest) GetOauthScope() []string

                                                          func (*MintOAuthTokenViaGrantRequest) ProtoMessage

                                                          func (*MintOAuthTokenViaGrantRequest) ProtoMessage()

                                                          func (*MintOAuthTokenViaGrantRequest) ProtoReflect

                                                          func (*MintOAuthTokenViaGrantRequest) Reset

                                                          func (x *MintOAuthTokenViaGrantRequest) Reset()

                                                          func (*MintOAuthTokenViaGrantRequest) String

                                                          type MintOAuthTokenViaGrantResponse

                                                          // MintOAuthTokenViaGrantResponse carries the access token produced by MintOAuthTokenViaGrant.
                                                          type MintOAuthTokenViaGrantResponse struct {
                                                          	// NOTE(review): OAuth2 access tokens are normally bearer credentials;
                                                          	// avoid writing this field, or a text dump of the whole message, to logs.
                                                          	AccessToken string                 `protobuf:"bytes,1,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"` // service account OAuth2 access token
                                                          	// Expiry is the expiration time of AccessToken, not of the grant that
                                                          	// was used to obtain it.
                                                          	Expiry      *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expiry,proto3" json:"expiry,omitempty"`                              // when this token expires
                                                          	// Identifier of the service and its version that produced the token.
                                                          	//
                                                          	// Has the form "<app-id>/<module-version>". Used only for logging and
                                                          	// monitoring.
                                                          	ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                                                          	// contains filtered or unexported fields
                                                          }

                                                            MintOAuthTokenViaGrantResponse is returned by MintOAuthTokenViaGrant.

                                                            func (*MintOAuthTokenViaGrantResponse) Descriptor

                                                            func (*MintOAuthTokenViaGrantResponse) Descriptor() ([]byte, []int)

                                                              Deprecated: Use MintOAuthTokenViaGrantResponse.ProtoReflect.Descriptor instead.

                                                              func (*MintOAuthTokenViaGrantResponse) GetAccessToken

                                                              func (x *MintOAuthTokenViaGrantResponse) GetAccessToken() string

                                                              func (*MintOAuthTokenViaGrantResponse) GetExpiry

                                                              func (*MintOAuthTokenViaGrantResponse) GetServiceVersion

                                                              func (x *MintOAuthTokenViaGrantResponse) GetServiceVersion() string

                                                              func (*MintOAuthTokenViaGrantResponse) ProtoMessage

                                                              func (*MintOAuthTokenViaGrantResponse) ProtoMessage()

                                                              func (*MintOAuthTokenViaGrantResponse) ProtoReflect

                                                              func (*MintOAuthTokenViaGrantResponse) Reset

                                                              func (x *MintOAuthTokenViaGrantResponse) Reset()

                                                              func (*MintOAuthTokenViaGrantResponse) String

                                                              type MintProjectTokenRequest

                                                              // MintProjectTokenRequest holds the arguments of the MintProjectToken RPC.
                                                              type MintProjectTokenRequest struct {
                                                              
                                                              	// LUCI project to which this token will be bound.
                                                              	LuciProject string `protobuf:"bytes,1,opt,name=luci_project,json=luciProject,proto3" json:"luci_project,omitempty"`
                                                              	// Requested OAuth scopes for the token.
                                                              	OauthScope []string `protobuf:"bytes,2,rep,name=oauth_scope,json=oauthScope,proto3" json:"oauth_scope,omitempty"`
                                                              	// Minimum token validity duration in seconds.
                                                              	//
                                                              	// NOTE(review): no default or maximum is documented for this field,
                                                              	// unlike MintOAuthTokenViaGrantRequest.MinValidityDuration (300 sec
                                                              	// default, 1h maximum). Confirm the server-side limits.
                                                              	MinValidityDuration int64 `protobuf:"varint,3,opt,name=min_validity_duration,json=minValidityDuration,proto3" json:"min_validity_duration,omitempty"`
                                                              	// Arbitrary key:value pairs describing circumstances of this call.
                                                              	//
                                                              	// Used only for logging and auditing purposes. Not involved in authorization.
                                                              	AuditTags []string `protobuf:"bytes,4,rep,name=audit_tags,json=auditTags,proto3" json:"audit_tags,omitempty"`
                                                              	// contains filtered or unexported fields
                                                              }

                                                                MintProjectTokenRequest is passed to MintProjectToken.

                                                                func (*MintProjectTokenRequest) Descriptor

                                                                func (*MintProjectTokenRequest) Descriptor() ([]byte, []int)

                                                                  Deprecated: Use MintProjectTokenRequest.ProtoReflect.Descriptor instead.

                                                                  func (*MintProjectTokenRequest) GetAuditTags

                                                                  func (x *MintProjectTokenRequest) GetAuditTags() []string

                                                                  func (*MintProjectTokenRequest) GetLuciProject

                                                                  func (x *MintProjectTokenRequest) GetLuciProject() string

                                                                  func (*MintProjectTokenRequest) GetMinValidityDuration

                                                                  func (x *MintProjectTokenRequest) GetMinValidityDuration() int64

                                                                  func (*MintProjectTokenRequest) GetOauthScope

                                                                  func (x *MintProjectTokenRequest) GetOauthScope() []string

                                                                  func (*MintProjectTokenRequest) ProtoMessage

                                                                  func (*MintProjectTokenRequest) ProtoMessage()

                                                                  func (*MintProjectTokenRequest) ProtoReflect

                                                                  func (x *MintProjectTokenRequest) ProtoReflect() protoreflect.Message

                                                                  func (*MintProjectTokenRequest) Reset

                                                                  func (x *MintProjectTokenRequest) Reset()

                                                                  func (*MintProjectTokenRequest) String

                                                                  func (x *MintProjectTokenRequest) String() string

                                                                  type MintProjectTokenResponse

                                                                  // MintProjectTokenResponse carries the access token produced by MintProjectToken.
                                                                  type MintProjectTokenResponse struct {
                                                                  
                                                                  	// Full service account email.
                                                                  	//
                                                                  	// NOTE(review): presumably the account the access token belongs to;
                                                                  	// how it is chosen for a LUCI project is not shown on this page.
                                                                  	ServiceAccountEmail string `protobuf:"bytes,1,opt,name=service_account_email,json=serviceAccountEmail,proto3" json:"service_account_email,omitempty"`
                                                                  	// OAuth access token.
                                                                  	//
                                                                  	// NOTE(review): OAuth2 access tokens are normally bearer credentials;
                                                                  	// avoid writing this field, or a text dump of the whole message, to logs.
                                                                  	AccessToken string `protobuf:"bytes,2,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"`
                                                                  	// Token expiration timestamp.
                                                                  	Expiry *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expiry,proto3" json:"expiry,omitempty"`
                                                                  	// Identifier of the service and its version that produced the token.
                                                                  	//
                                                                  	// Has the form "<app-id>/<module-version>". Used only for logging and
                                                                  	// monitoring.
                                                                  	ServiceVersion string `protobuf:"bytes,4,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                                                                  	// contains filtered or unexported fields
                                                                  }

                                                                    MintProjectTokenResponse is returned by MintProjectToken.

                                                                    func (*MintProjectTokenResponse) Descriptor

                                                                    func (*MintProjectTokenResponse) Descriptor() ([]byte, []int)

                                                                      Deprecated: Use MintProjectTokenResponse.ProtoReflect.Descriptor instead.

                                                                      func (*MintProjectTokenResponse) GetAccessToken

                                                                      func (x *MintProjectTokenResponse) GetAccessToken() string

                                                                      func (*MintProjectTokenResponse) GetExpiry

                                                                      func (*MintProjectTokenResponse) GetServiceAccountEmail

                                                                      func (x *MintProjectTokenResponse) GetServiceAccountEmail() string

                                                                      func (*MintProjectTokenResponse) GetServiceVersion

                                                                      func (x *MintProjectTokenResponse) GetServiceVersion() string

                                                                      func (*MintProjectTokenResponse) ProtoMessage

                                                                      func (*MintProjectTokenResponse) ProtoMessage()

                                                                      func (*MintProjectTokenResponse) ProtoReflect

                                                                      func (x *MintProjectTokenResponse) ProtoReflect() protoreflect.Message

                                                                      func (*MintProjectTokenResponse) Reset

                                                                      func (x *MintProjectTokenResponse) Reset()

                                                                      func (*MintProjectTokenResponse) String

                                                                      func (x *MintProjectTokenResponse) String() string

                                                                      type MintServiceAccountTokenRequest

                                                                      // MintServiceAccountTokenRequest holds the arguments of the MintServiceAccountToken RPC.
                                                                      type MintServiceAccountTokenRequest struct {
                                                                      
                                                                      	// What kind of a token is being requested. Required.
                                                                      	//
                                                                      	// The kind decides which of OauthScope and IdTokenAudience must be set.
                                                                      	TokenKind ServiceAccountTokenKind `` /* 137-byte string literal not displayed */
                                                                      	// Email of a service account to grab the token for. Required.
                                                                      	ServiceAccount string `protobuf:"bytes,2,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
                                                                      	// A LUCI realm to use to authorize the call. Required.
                                                                      	Realm string `protobuf:"bytes,3,opt,name=realm,proto3" json:"realm,omitempty"`
                                                                      	// A list of scopes the OAuth2 access token should have.
                                                                      	//
                                                                      	// Must be set if token_kind is SERVICE_ACCOUNT_TOKEN_ACCESS_TOKEN and must
                                                                      	// be empty otherwise.
                                                                      	OauthScope []string `protobuf:"bytes,4,rep,name=oauth_scope,json=oauthScope,proto3" json:"oauth_scope,omitempty"`
                                                                      	// An audience the ID token should have.
                                                                      	//
                                                                      	// Must be set if token_kind is SERVICE_ACCOUNT_TOKEN_ID_TOKEN and must
                                                                      	// be empty otherwise.
                                                                      	//
                                                                      	// NOTE(review): the set/empty rules for OauthScope and IdTokenAudience
                                                                      	// are stated as a contract; where they are enforced is not visible on
                                                                      	// this page.
                                                                      	IdTokenAudience string `protobuf:"bytes,5,opt,name=id_token_audience,json=idTokenAudience,proto3" json:"id_token_audience,omitempty"`
                                                                      	// Minimally accepted validity duration of the returned token (seconds).
                                                                      	//
                                                                      	// The server may return a token that lives longer than this. The maximum is
                                                                      	// 1h. An attempt to get a token that lives longer than 1h will result in
                                                                      	// an error.
                                                                      	//
                                                                      	// Default is 300 sec.
                                                                      	MinValidityDuration int64 `protobuf:"varint,6,opt,name=min_validity_duration,json=minValidityDuration,proto3" json:"min_validity_duration,omitempty"`
                                                                      	// Arbitrary key:value pairs describing circumstances of this call.
                                                                      	//
                                                                      	// Used only for logging and auditing purposes. Not involved in authorization.
                                                                      	AuditTags []string `protobuf:"bytes,7,rep,name=audit_tags,json=auditTags,proto3" json:"audit_tags,omitempty"`
                                                                      	// contains filtered or unexported fields
                                                                      }

                                                                        MintServiceAccountTokenRequest is passed to MintServiceAccountToken.

                                                                        func (*MintServiceAccountTokenRequest) Descriptor

                                                                        func (*MintServiceAccountTokenRequest) Descriptor() ([]byte, []int)

                                                                          Deprecated: Use MintServiceAccountTokenRequest.ProtoReflect.Descriptor instead.

                                                                          func (*MintServiceAccountTokenRequest) GetAuditTags

                                                                          func (x *MintServiceAccountTokenRequest) GetAuditTags() []string

                                                                          func (*MintServiceAccountTokenRequest) GetIdTokenAudience

                                                                          func (x *MintServiceAccountTokenRequest) GetIdTokenAudience() string

                                                                          func (*MintServiceAccountTokenRequest) GetMinValidityDuration

                                                                          func (x *MintServiceAccountTokenRequest) GetMinValidityDuration() int64

                                                                          func (*MintServiceAccountTokenRequest) GetOauthScope

                                                                          func (x *MintServiceAccountTokenRequest) GetOauthScope() []string

                                                                          func (*MintServiceAccountTokenRequest) GetRealm

                                                                          func (x *MintServiceAccountTokenRequest) GetRealm() string

                                                                          func (*MintServiceAccountTokenRequest) GetServiceAccount

                                                                          func (x *MintServiceAccountTokenRequest) GetServiceAccount() string

                                                                          func (*MintServiceAccountTokenRequest) GetTokenKind

                                                                          func (*MintServiceAccountTokenRequest) ProtoMessage

                                                                          func (*MintServiceAccountTokenRequest) ProtoMessage()

                                                                          func (*MintServiceAccountTokenRequest) ProtoReflect

                                                                          func (*MintServiceAccountTokenRequest) Reset

                                                                          func (x *MintServiceAccountTokenRequest) Reset()

                                                                          func (*MintServiceAccountTokenRequest) String

                                                                          type MintServiceAccountTokenResponse

                                                                          // MintServiceAccountTokenResponse carries the token produced by MintServiceAccountToken.
                                                                          type MintServiceAccountTokenResponse struct {
                                                                          	// NOTE(review): presumably an OAuth2 access token or an ID token,
                                                                          	// matching the token_kind of the request. Either way it is a
                                                                          	// credential; avoid writing it, or a text dump of the whole
                                                                          	// message, to logs.
                                                                          	Token  string                 `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`   // the produced token
                                                                          	Expiry *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expiry,proto3" json:"expiry,omitempty"` // when this token expires
                                                                          	// Identifier of the service and its version that produced the token.
                                                                          	//
                                                                          	// Has the form "<app-id>/<module-version>". Used only for logging and
                                                                          	// monitoring.
                                                                          	ServiceVersion string `protobuf:"bytes,3,opt,name=service_version,json=serviceVersion,proto3" json:"service_version,omitempty"`
                                                                          	// contains filtered or unexported fields
                                                                          }

                                                                            MintServiceAccountTokenResponse is returned by MintServiceAccountToken.

                                                                            func (*MintServiceAccountTokenResponse) Descriptor

                                                                            func (*MintServiceAccountTokenResponse) Descriptor() ([]byte, []int)

                                                                              Deprecated: Use MintServiceAccountTokenResponse.ProtoReflect.Descriptor instead.

                                                                              func (*MintServiceAccountTokenResponse) GetExpiry

                                                                              func (*MintServiceAccountTokenResponse) GetServiceVersion

                                                                              func (x *MintServiceAccountTokenResponse) GetServiceVersion() string

                                                                              func (*MintServiceAccountTokenResponse) GetToken

                                                                              func (*MintServiceAccountTokenResponse) ProtoMessage

                                                                              func (*MintServiceAccountTokenResponse) ProtoMessage()

                                                                              func (*MintServiceAccountTokenResponse) ProtoReflect

                                                                              func (*MintServiceAccountTokenResponse) Reset

                                                                              func (*MintServiceAccountTokenResponse) String

                                                                              type ServiceAccountTokenKind

                                                                              // ServiceAccountTokenKind is an int32-backed enum naming the kind of token
                                                                              // requested from MintServiceAccountToken (OAuth2 access token or OpenID ID
                                                                              // token, per its constants).
                                                                              type ServiceAccountTokenKind int32

                                                                                Used by MintServiceAccountToken.

                                                                                // Values of ServiceAccountTokenKind.
                                                                                const (
                                                                                	// Zero value of the enum.
                                                                                	// NOTE(review): presumably what a request carries when the kind is never
                                                                                	// set; how the server treats it is not shown here -- confirm.
                                                                                	ServiceAccountTokenKind_SERVICE_ACCOUNT_TOKEN_UNSPECIFIED  ServiceAccountTokenKind = 0
                                                                                	ServiceAccountTokenKind_SERVICE_ACCOUNT_TOKEN_ACCESS_TOKEN ServiceAccountTokenKind = 1 // ask for an OAuth2 access token
                                                                                	ServiceAccountTokenKind_SERVICE_ACCOUNT_TOKEN_ID_TOKEN     ServiceAccountTokenKind = 2 // ask for an OpenID ID token
                                                                                )

                                                                                func (ServiceAccountTokenKind) Descriptor

                                                                                func (ServiceAccountTokenKind) Enum

                                                                                func (ServiceAccountTokenKind) EnumDescriptor

                                                                                func (ServiceAccountTokenKind) EnumDescriptor() ([]byte, []int)

                                                                                  Deprecated: Use ServiceAccountTokenKind.Descriptor instead.

                                                                                  func (ServiceAccountTokenKind) Number

                                                                                  func (ServiceAccountTokenKind) String

                                                                                  func (x ServiceAccountTokenKind) String() string

                                                                                  func (ServiceAccountTokenKind) Type

                                                                                  type SignatureAlgorithm

                                                                                  // SignatureAlgorithm is an int32-backed enum naming the supported ways of
                                                                                  // signing the request.
                                                                                  type SignatureAlgorithm int32

                                                                                    Supported ways of signing the request.

                                                                                    // Values of SignatureAlgorithm. Only one concrete algorithm is listed.
                                                                                    const (
                                                                                    	// Zero value, so a request that never sets the field carries it.
                                                                                    	// NOTE(review): presumably rejected by the server (the package's ErrorCode
                                                                                    	// enum has UNSUPPORTED_SIGNATURE) -- confirm in the server implementation.
                                                                                    	SignatureAlgorithm_UNKNOWN_ALGO    SignatureAlgorithm = 0 // used if the field is not initialized
                                                                                    	SignatureAlgorithm_SHA256_RSA_ALGO SignatureAlgorithm = 1 // matches x509's sha256WithRSAEncryption
                                                                                    )

                                                                                    func (SignatureAlgorithm) Descriptor

                                                                                    func (SignatureAlgorithm) Enum

                                                                                    func (SignatureAlgorithm) EnumDescriptor

                                                                                    func (SignatureAlgorithm) EnumDescriptor() ([]byte, []int)

                                                                                      Deprecated: Use SignatureAlgorithm.Descriptor instead.

                                                                                      func (SignatureAlgorithm) Number

                                                                                      func (SignatureAlgorithm) String

                                                                                      func (x SignatureAlgorithm) String() string

                                                                                      func (SignatureAlgorithm) Type

                                                                                      type TokenMinterClient

                                                                                      // TokenMinterClient is the client-side view of the TokenMinter service: one
                                                                                      // method per RPC, each taking a context, a request message and optional
                                                                                      // grpc.CallOption values, and returning a response message and an error.
                                                                                      type TokenMinterClient interface {
                                                                                      	// MintMachineToken generates a new token for an authenticated machine.
                                                                                      	//
                                                                                      	// It checks that provided certificate was signed by some trusted CA, and it
                                                                                      	// is still valid (non-expired and hasn't been revoked). It then checks that
                                                                                      	// the request was signed by the corresponding private key. Finally it checks
                                                                                      	// that the caller is authorized to generate requested kind of token.
                                                                                      	//
                                                                                      	// If everything checks out, it generates and returns a new machine token.
                                                                                      	//
                                                                                      	// On fatal error it returns detailed error response via same
                                                                                      	// MintMachineTokenResponse. On transient errors it returns generic
                                                                                      	// grpc.Internal error.
                                                                                      	//
                                                                                      	// NOTE(review): because fatal failures are reported inside the response, a
                                                                                      	// nil Go error alone does not show that a token was minted. Callers
                                                                                      	// presumably have to inspect the error code carried by the response (see
                                                                                      	// ErrorCode, where SUCCESS is 0) -- confirm the field name.
                                                                                      	MintMachineToken(ctx context.Context, in *MintMachineTokenRequest, opts ...grpc.CallOption) (*MintMachineTokenResponse, error)
                                                                                      	// MintDelegationToken generates a new bearer delegation token.
                                                                                      	//
                                                                                      	// Such token can be sent in 'X-Delegation-Token-V1' header (alongside regular
                                                                                      	// credentials like OAuth2 access token) to convey that the caller should be
                                                                                      	// authenticated as 'delegated_identity' specified in the token.
                                                                                      	//
                                                                                      	// The delegation tokens are subject to multiple restrictions (embedded in
                                                                                      	// the token):
                                                                                      	//   * They have expiration time.
                                                                                      	//   * They are usable only if presented with a credential of someone from
                                                                                      	//     the 'audience' list.
                                                                                      	//   * They are usable only on services specified in the 'services' list.
                                                                                      	//
                                                                                      	// The token server must be configured in advance with all expected
                                                                                      	// combinations of (caller identity, delegated identity, audience, service)
                                                                                      	// tuples. See DelegationRule in config.proto.
                                                                                      	//
                                                                                      	// NOTE(review): the restrictions travel inside the token, so they
                                                                                      	// presumably take effect only where the receiving service validates the
                                                                                      	// token -- confirm against the verifier side.
                                                                                      	MintDelegationToken(ctx context.Context, in *MintDelegationTokenRequest, opts ...grpc.CallOption) (*MintDelegationTokenResponse, error)
                                                                                      	// MintOAuthTokenGrant generates a new grant for getting an OAuth2 token.
                                                                                      	//
                                                                                      	// This is a special (opaque for clients) token that asserts that the caller
                                                                                      	// at the time of the call was allowed to act as a particular service account
                                                                                      	// to perform a task authorized by an end-user.
                                                                                      	//
                                                                                      	// The returned grant can be used later (when the end-user is no longer
                                                                                      	// present) to get a real OAuth2 access token via MintOAuthTokenViaGrant call.
                                                                                      	//
                                                                                      	// This pair of RPCs is used to "delay" generation of service account OAuth
                                                                                      	// token until some later time, when it is actually needed. This is used by
                                                                                      	// Swarming:
                                                                                      	//   1. When the task is posted, Swarming calls MintOAuthTokenGrant to verify
                                                                                      	//      that the end-user is allowed to act as the requested service account
                                                                                      	//      on Swarming. On success, Swarming stores the grant in the task
                                                                                      	//      metadata.
                                                                                      	//   2. At a later time, when the task is executing and it needs an access
                                                                                      	//      token, Swarming calls MintOAuthTokenViaGrant to convert the grant into
                                                                                      	//      a real OAuth2 token.
                                                                                      	//
                                                                                      	// The returned grant can be used multiple times (as long as its validity
                                                                                      	// duration and the token server policy allows).
                                                                                      	//
                                                                                      	// The token server must be configured in advance with all expected
                                                                                      	// combinations of (caller identity, service account name, end users) tuples.
                                                                                      	// See ServiceAccountRule in config.proto.
                                                                                      	//
                                                                                      	// MintOAuthTokenGrant will check that the requested usage is allowed by the
                                                                                      	// rules. Later, MintOAuthTokenViaGrant will recheck this too.
                                                                                      	//
                                                                                      	// Note: in the process of being replaced with MintServiceAccountToken.
                                                                                      	//
                                                                                      	// NOTE(review): the grant is reusable while valid, so wherever it is
                                                                                      	// stored (task metadata in the flow above) presumably needs access control
                                                                                      	// comparable to other credentials -- confirm what MintOAuthTokenViaGrant
                                                                                      	// requires of its caller.
                                                                                      	MintOAuthTokenGrant(ctx context.Context, in *MintOAuthTokenGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenGrantResponse, error)
                                                                                      	// MintOAuthTokenViaGrant converts an OAuth2 token grant into an access token.
                                                                                      	//
                                                                                      	// The grant must be previously generated by MintOAuthTokenGrant function, see
                                                                                      	// its docs for more details.
                                                                                      	//
                                                                                      	// Note: in the process of being replaced with MintServiceAccountToken.
                                                                                      	MintOAuthTokenViaGrant(ctx context.Context, in *MintOAuthTokenViaGrantRequest, opts ...grpc.CallOption) (*MintOAuthTokenViaGrantResponse, error)
                                                                                      	// MintProjectToken mints an OAuth2 access token that represents an identity
                                                                                      	// associated with a LUCI project.
                                                                                      	//
                                                                                      	// Project-scoped tokens prevent accidental cross-project identity confusion
                                                                                      	// when LUCI services access project specific resources such as a source code
                                                                                      	// repository.
                                                                                      	MintProjectToken(ctx context.Context, in *MintProjectTokenRequest, opts ...grpc.CallOption) (*MintProjectTokenResponse, error)
                                                                                      	// MintServiceAccountToken mints an OAuth2 access token or OpenID ID token
                                                                                      	// that belongs to some service account using LUCI Realms for authorization.
                                                                                      	//
                                                                                      	// As an input it takes a service account email and a name of a LUCI Realm the
                                                                                      	// caller is operating in. To authorize the call the token server checks the
                                                                                      	// following conditions:
                                                                                      	//   1. The caller has luci.serviceAccounts.mintToken permission in the
                                                                                      	//      realm, allowing them to "impersonate" all service accounts belonging
                                                                                      	//      to this realm.
                                                                                      	//   2. The service account has luci.serviceAccounts.existInRealm permission
                                                                                      	//      in the realm. This makes the account "belong" to the realm.
                                                                                      	//   3. Realm's LUCI project has the service account associated with it in
                                                                                      	//      the project_owned_accounts.cfg global config file. This makes sure
                                                                                      	//      different LUCI projects can't just arbitrarily use each other's
                                                                                      	//      accounts by adding them to their respective realms.cfg. See also
                                                                                      	//      comments for ServiceAccountsProjectMapping in
                                                                                      	//      api/admin/v1/config.proto.
                                                                                      	//
                                                                                      	// NOTE(review): condition 1 is realm-wide, so granting
                                                                                      	// luci.serviceAccounts.mintToken is worth reviewing like access to every
                                                                                      	// service account that exists in that realm.
                                                                                      	MintServiceAccountToken(ctx context.Context, in *MintServiceAccountTokenRequest, opts ...grpc.CallOption) (*MintServiceAccountTokenResponse, error)
                                                                                      }

                                                                                        TokenMinterClient is the client API for TokenMinter service.

                                                                                        For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

                                                                                        type TokenMinterServer

                                                                                        // TokenMinterServer is the server-side view of the TokenMinter service: one
                                                                                        // method per RPC, each taking a context and a request message and returning
                                                                                        // a response message and an error.
                                                                                        type TokenMinterServer interface {
                                                                                        	// MintMachineToken generates a new token for an authenticated machine.
                                                                                        	//
                                                                                        	// It checks that provided certificate was signed by some trusted CA, and it
                                                                                        	// is still valid (non-expired and hasn't been revoked). It then checks that
                                                                                        	// the request was signed by the corresponding private key. Finally it checks
                                                                                        	// that the caller is authorized to generate requested kind of token.
                                                                                        	//
                                                                                        	// If everything checks out, it generates and returns a new machine token.
                                                                                        	//
                                                                                        	// On fatal error it returns detailed error response via same
                                                                                        	// MintMachineTokenResponse. On transient errors it returns generic
                                                                                        	// grpc.Internal error.
                                                                                        	//
                                                                                        	// NOTE(review): an implementation following this contract reports fatal
                                                                                        	// failures inside the response with a nil Go error, so the response is
                                                                                        	// presumably expected to carry a non-SUCCESS error code in that case (see
                                                                                        	// ErrorCode) -- confirm the field name.
                                                                                        	MintMachineToken(context.Context, *MintMachineTokenRequest) (*MintMachineTokenResponse, error)
                                                                                        	// MintDelegationToken generates a new bearer delegation token.
                                                                                        	//
                                                                                        	// Such token can be sent in 'X-Delegation-Token-V1' header (alongside regular
                                                                                        	// credentials like OAuth2 access token) to convey that the caller should be
                                                                                        	// authenticated as 'delegated_identity' specified in the token.
                                                                                        	//
                                                                                        	// The delegation tokens are subject to multiple restrictions (embedded in
                                                                                        	// the token):
                                                                                        	//   * They have expiration time.
                                                                                        	//   * They are usable only if presented with a credential of someone from
                                                                                        	//     the 'audience' list.
                                                                                        	//   * They are usable only on services specified in the 'services' list.
                                                                                        	//
                                                                                        	// The token server must be configured in advance with all expected
                                                                                        	// combinations of (caller identity, delegated identity, audience, service)
                                                                                        	// tuples. See DelegationRule in config.proto.
                                                                                        	//
                                                                                        	// NOTE(review): the restrictions travel inside the token, so they
                                                                                        	// presumably take effect only where the receiving service validates the
                                                                                        	// token -- confirm against the verifier side.
                                                                                        	MintDelegationToken(context.Context, *MintDelegationTokenRequest) (*MintDelegationTokenResponse, error)
                                                                                        	// MintOAuthTokenGrant generates a new grant for getting an OAuth2 token.
                                                                                        	//
                                                                                        	// This is a special (opaque for clients) token that asserts that the caller
                                                                                        	// at the time of the call was allowed to act as a particular service account
                                                                                        	// to perform a task authorized by an end-user.
                                                                                        	//
                                                                                        	// The returned grant can be used later (when the end-user is no longer
                                                                                        	// present) to get a real OAuth2 access token via MintOAuthTokenViaGrant call.
                                                                                        	//
                                                                                        	// This pair of RPCs is used to "delay" generation of service account OAuth
                                                                                        	// token until some later time, when it is actually needed. This is used by
                                                                                        	// Swarming:
                                                                                        	//   1. When the task is posted, Swarming calls MintOAuthTokenGrant to verify
                                                                                        	//      that the end-user is allowed to act as the requested service account
                                                                                        	//      on Swarming. On success, Swarming stores the grant in the task
                                                                                        	//      metadata.
                                                                                        	//   2. At a later time, when the task is executing and it needs an access
                                                                                        	//      token, Swarming calls MintOAuthTokenViaGrant to convert the grant into
                                                                                        	//      a real OAuth2 token.
                                                                                        	//
                                                                                        	// The returned grant can be used multiple times (as long as its validity
                                                                                        	// duration and the token server policy allows).
                                                                                        	//
                                                                                        	// The token server must be configured in advance with all expected
                                                                                        	// combinations of (caller identity, service account name, end users) tuples.
                                                                                        	// See ServiceAccountRule in config.proto.
                                                                                        	//
                                                                                        	// MintOAuthTokenGrant will check that the requested usage is allowed by the
                                                                                        	// rules. Later, MintOAuthTokenViaGrant will recheck this too.
                                                                                        	//
                                                                                        	// Note: in the process of being replaced with MintServiceAccountToken.
                                                                                        	//
                                                                                        	// NOTE(review): the grant is reusable while valid, so wherever it is
                                                                                        	// stored (task metadata in the flow above) presumably needs access control
                                                                                        	// comparable to other credentials -- confirm what MintOAuthTokenViaGrant
                                                                                        	// requires of its caller.
                                                                                        	MintOAuthTokenGrant(context.Context, *MintOAuthTokenGrantRequest) (*MintOAuthTokenGrantResponse, error)
                                                                                        	// MintOAuthTokenViaGrant converts an OAuth2 token grant into an access token.
                                                                                        	//
                                                                                        	// The grant must be previously generated by MintOAuthTokenGrant function, see
                                                                                        	// its docs for more details.
                                                                                        	//
                                                                                        	// Note: in the process of being replaced with MintServiceAccountToken.
                                                                                        	MintOAuthTokenViaGrant(context.Context, *MintOAuthTokenViaGrantRequest) (*MintOAuthTokenViaGrantResponse, error)
                                                                                        	// MintProjectToken mints an OAuth2 access token that represents an identity
                                                                                        	// associated with a LUCI project.
                                                                                        	//
                                                                                        	// Project-scoped tokens prevent accidental cross-project identity confusion
                                                                                        	// when LUCI services access project specific resources such as a source code
                                                                                        	// repository.
                                                                                        	MintProjectToken(context.Context, *MintProjectTokenRequest) (*MintProjectTokenResponse, error)
                                                                                        	// MintServiceAccountToken mints an OAuth2 access token or OpenID ID token
                                                                                        	// that belongs to some service account using LUCI Realms for authorization.
                                                                                        	//
                                                                                        	// As an input it takes a service account email and a name of a LUCI Realm the
                                                                                        	// caller is operating in. To authorize the call the token server checks the
                                                                                        	// following conditions:
                                                                                        	//   1. The caller has luci.serviceAccounts.mintToken permission in the
                                                                                        	//      realm, allowing them to "impersonate" all service accounts belonging
                                                                                        	//      to this realm.
                                                                                        	//   2. The service account has luci.serviceAccounts.existInRealm permission
                                                                                        	//      in the realm. This makes the account "belong" to the realm.
                                                                                        	//   3. Realm's LUCI project has the service account associated with it in
                                                                                        	//      the project_owned_accounts.cfg global config file. This makes sure
                                                                                        	//      different LUCI projects can't just arbitrarily use each other's
                                                                                        	//      accounts by adding them to their respective realms.cfg. See also
                                                                                        	//      comments for ServiceAccountsProjectMapping in
                                                                                        	//      api/admin/v1/config.proto.
                                                                                        	//
                                                                                        	// NOTE(review): condition 1 is realm-wide, so granting
                                                                                        	// luci.serviceAccounts.mintToken is worth reviewing like access to every
                                                                                        	// service account that exists in that realm.
                                                                                        	MintServiceAccountToken(context.Context, *MintServiceAccountTokenRequest) (*MintServiceAccountTokenResponse, error)
                                                                                        	// contains filtered or unexported methods
                                                                                        }

                                                                                          TokenMinterServer is the server API for the TokenMinter service. All implementations must embed UnimplementedTokenMinterServer for forward compatibility.

                                                                                          type UnimplementedTokenMinterServer

                                                                                          // UnimplementedTokenMinterServer is the type that TokenMinterServer
                                                                                          // implementations must embed for forward compatibility.
                                                                                          type UnimplementedTokenMinterServer struct {
                                                                                          }

                                                                                            UnimplementedTokenMinterServer must be embedded to have forward compatible implementations.

                                                                                            func (UnimplementedTokenMinterServer) MintMachineToken

                                                                                            func (UnimplementedTokenMinterServer) MintProjectToken

                                                                                            type UnsafeTokenMinterServer

                                                                                            // UnsafeTokenMinterServer may be embedded to opt out of forward
                                                                                            // compatibility for the TokenMinter service. Its use is not recommended.
                                                                                            type UnsafeTokenMinterServer interface {
                                                                                            	// contains filtered or unexported methods
                                                                                            }

                                                                                              UnsafeTokenMinterServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, because methods later added to TokenMinterServer will result in compilation errors.