// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.iap.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/wrappers.proto";

option csharp_namespace = "Google.Cloud.Iap.V1";
option go_package = "cloud.google.com/go/iap/apiv1/iappb;iappb";
option java_multiple_files = true;
option java_package = "com.google.cloud.iap.v1";
option php_namespace = "Google\\Cloud\\Iap\\V1";
option ruby_package = "Google::Cloud::Iap::V1";
// Parent resource of TunnelDestGroups. The `{location}` segment may be `-`
// in list requests to span all locations (see ListTunnelDestGroups).
option (google.api.resource_definition) = {
  type: "iap.googleapis.com/TunnelLocation"
  pattern: "projects/{project}/iap_tunnel/locations/{location}"
};

// The Cloud Identity-Aware Proxy API.

// APIs for Identity-Aware Proxy Admin configurations: IAM policy on IAP
// protected resources, IAP settings, and TunnelDestGroups.
service IdentityAwareProxyAdminService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Sets the access control policy for an Identity-Aware Proxy protected
  // resource. Replaces any existing policy, so callers should read the current
  // policy with GetIamPolicy, modify it and write it back (the `etag` carried
  // by `google.iam.v1.Policy` guards against concurrent modification); a
  // policy composed from scratch silently drops every existing grant.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  //
  // `resource=**` binds the full resource name of the IAP protected resource
  // as the URL path.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the access control policy for an Identity-Aware Proxy protected
  // resource.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:getIamPolicy"
      body: "*"
    };
  }

  // Returns permissions that a caller has on the Identity-Aware Proxy protected
  // resource. Intended for building permission-aware UIs and tooling, not as
  // an authorization check in its own right.
  // More information about managing access via IAP can be found at:
  // https://cloud.google.com/iap/docs/managing-access#managing_access_via_the_api
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
      returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:testIamPermissions"
      body: "*"
    };
  }

  // Gets the IAP settings on a particular IAP protected resource.
  rpc GetIapSettings(GetIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      get: "/v1/{name=**}:iapSettings"
    };
  }

  // Updates the IAP settings on a particular IAP protected resource. It
  // replaces all fields unless the `update_mask` is set: with no mask, any
  // setting absent from `iap_settings` is cleared, so partial updates must
  // supply a mask (see UpdateIapSettingsRequest for the reauth-settings
  // constraint).
  rpc UpdateIapSettings(UpdateIapSettingsRequest) returns (IapSettings) {
    option (google.api.http) = {
      patch: "/v1/{iap_settings.name=**}:iapSettings"
      body: "iap_settings"
    };
  }

  // Lists the existing TunnelDestGroups. To group across all locations, use a
  // `-` as the location ID. For example:
  // `/v1/projects/123/iap_tunnel/locations/-/destGroups`
  rpc ListTunnelDestGroups(ListTunnelDestGroupsRequest)
      returns (ListTunnelDestGroupsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
    };
    option (google.api.method_signature) = "parent";
  }

  // Creates a new TunnelDestGroup.
  rpc CreateTunnelDestGroup(CreateTunnelDestGroupRequest)
      returns (TunnelDestGroup) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/iap_tunnel/locations/*}/destGroups"
      body: "tunnel_dest_group"
    };
    option (google.api.method_signature) =
        "parent,tunnel_dest_group,tunnel_dest_group_id";
  }

  // Retrieves an existing TunnelDestGroup.
  rpc GetTunnelDestGroup(GetTunnelDestGroupRequest) returns (TunnelDestGroup) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Deletes a TunnelDestGroup. Returns `google.protobuf.Empty`, so this
  // response cannot gain fields later without introducing a new RPC.
  rpc DeleteTunnelDestGroup(DeleteTunnelDestGroupRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/iap_tunnel/locations/*/destGroups/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Updates a TunnelDestGroup. Without `update_mask` every field of the group
  // is replaced (see UpdateTunnelDestGroupRequest).
  rpc UpdateTunnelDestGroup(UpdateTunnelDestGroupRequest)
      returns (TunnelDestGroup) {
    option (google.api.http) = {
      patch: "/v1/{tunnel_dest_group.name=projects/*/iap_tunnel/locations/*/destGroups/*}"
      body: "tunnel_dest_group"
    };
    option (google.api.method_signature) = "tunnel_dest_group,update_mask";
  }
}

// API to programmatically create, list and retrieve Identity Aware Proxy (IAP)
// OAuth brands; and create, retrieve, delete and reset-secret of IAP OAuth
// clients.
service IdentityAwareProxyOAuthService {
  option (google.api.default_host) = "iap.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Lists the existing brands for the project. The response is not paginated
  // (see ListBrandsResponse).
  rpc ListBrands(ListBrandsRequest) returns (ListBrandsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*}/brands"
    };
  }

  // Constructs a new OAuth brand for the project if one does not exist.
  // The created brand is "internal only", meaning that OAuth clients created
  // under it only accept requests from users who belong to the same Google
  // Workspace organization as the project. The brand is created in an
  // un-reviewed status. NOTE: The "internal only" status can be manually
  // changed in the Google Cloud Console. Requires that a brand does not already
  // exist for the project, and that the specified support email is owned by the
  // caller.
  rpc CreateBrand(CreateBrandRequest) returns (Brand) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*}/brands"
      body: "brand"
    };
  }

  // Retrieves the OAuth brand of the project.
  rpc GetBrand(GetBrandRequest) returns (Brand) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*}"
    };
  }

  // Creates an Identity Aware Proxy (IAP) OAuth client. The client is owned
  // by IAP. Requires that the brand for the project exists and that it is
  // set for internal-only use. The returned IdentityAwareProxyClient carries
  // the client `secret`, so the response is credential material.
  rpc CreateIdentityAwareProxyClient(CreateIdentityAwareProxyClientRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
      body: "identity_aware_proxy_client"
    };
  }

  // Lists the existing clients for the brand.
  rpc ListIdentityAwareProxyClients(ListIdentityAwareProxyClientsRequest)
      returns (ListIdentityAwareProxyClientsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/brands/*}/identityAwareProxyClients"
    };
  }

  // Retrieves an Identity Aware Proxy (IAP) OAuth client.
  // Requires that the client is owned by IAP.
  rpc GetIdentityAwareProxyClient(GetIdentityAwareProxyClientRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }

  // Resets an Identity Aware Proxy (IAP) OAuth client secret. Useful if the
  // secret was compromised. Requires that the client is owned by IAP. The
  // response carries the replacement secret in
  // `IdentityAwareProxyClient.secret`; deployments still configured with the
  // previous secret need to be updated.
  rpc ResetIdentityAwareProxyClientSecret(
      ResetIdentityAwareProxyClientSecretRequest)
      returns (IdentityAwareProxyClient) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}:resetSecret"
      body: "*"
    };
  }

  // Deletes an Identity Aware Proxy (IAP) OAuth client. Useful for removing
  // obsolete clients, managing the number of clients in a given project, and
  // cleaning up after tests. Requires that the client is owned by IAP.
  rpc DeleteIdentityAwareProxyClient(DeleteIdentityAwareProxyClientRequest)
      returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/brands/*/identityAwareProxyClients/*}"
    };
  }
}

// The request to ListTunnelDestGroups.
message ListTunnelDestGroupsRequest {
  // Required. Google Cloud Project ID and location.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
  // A `-` can be used for the location to group across all locations.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelLocation"
    }
  ];

  // The maximum number of groups to return. The service might return fewer than
  // this value.
  // If unspecified, at most 100 groups are returned.
  // The maximum value is 1000; values above 1000 are coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListTunnelDestGroups`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListTunnelDestGroups` must match the call that provided the page
  // token.
  string page_token = 3;
}

// The response from ListTunnelDestGroups.
message ListTunnelDestGroupsResponse {
  // TunnelDestGroups existing in the project (across all locations when the
  // request used `-` as the location).
  repeated TunnelDestGroup tunnel_dest_groups = 1;

  // A token that you can send as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// The request to CreateTunnelDestGroup.
message CreateTunnelDestGroupRequest {
  // Required. Google Cloud Project ID and location.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];

  // Required. The TunnelDestGroup to create.
  TunnelDestGroup tunnel_dest_group = 2
      [(google.api.field_behavior) = REQUIRED];

  // Required. The ID to use for the TunnelDestGroup, which becomes the final
  // component of the resource name.
  //
  // This value must be 4-63 characters, and valid characters
  // are `[a-z]-`.
  string tunnel_dest_group_id = 3 [(google.api.field_behavior) = REQUIRED];
}

// The request to GetTunnelDestGroup.
message GetTunnelDestGroupRequest {
  // Required. Name of the TunnelDestGroup to be fetched.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];
}

// The request to DeleteTunnelDestGroup.
message DeleteTunnelDestGroupRequest {
  // Required. Name of the TunnelDestGroup to delete.
  // In the following format:
  // `projects/{project_number/id}/iap_tunnel/locations/{location}/destGroups/{dest_group}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "iap.googleapis.com/TunnelDestGroup"
    }
  ];
}

// The request to UpdateTunnelDestGroup.
message UpdateTunnelDestGroupRequest {
  // Required. The new values for the TunnelDestGroup. Its `name` identifies
  // the group to update (it binds the URL path of UpdateTunnelDestGroup).
  TunnelDestGroup tunnel_dest_group = 1
      [(google.api.field_behavior) = REQUIRED];

  // A field mask that specifies which fields of `tunnel_dest_group` to
  // update. If omitted, then all of the fields are updated, so a request that
  // leaves `cidrs` or `fqdns` empty clears them. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
  google.protobuf.FieldMask update_mask = 2;
}

// A TunnelDestGroup: a named set of destinations (CIDRs and FQDNs) under a
// TunnelLocation.
message TunnelDestGroup {
  option (google.api.resource) = {
    type: "iap.googleapis.com/TunnelDestGroup"
    pattern: "projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}"
  };

  // Required. Immutable. Identifier for the TunnelDestGroup. Must be unique
  // within the project and contain only lower case letters (a-z) and dashes
  // (-).
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Unordered list. List of CIDRs that this group applies to.
  repeated string cidrs = 2 [(google.api.field_behavior) = UNORDERED_LIST];

  // Unordered list. List of FQDNs that this group applies to.
  repeated string fqdns = 3 [(google.api.field_behavior) = UNORDERED_LIST];
}

// The request sent to GetIapSettings.
message GetIapSettingsRequest {
  // Required. The resource name for which to retrieve the settings.
  // Authorization: Requires the `getSettings` permission for the associated
  // resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to UpdateIapSettings.
message UpdateIapSettingsRequest {
  // Required. The new values for the IAP settings to be updated.
  // Authorization: Requires the `updateSettings` permission for the associated
  // resource.
  IapSettings iap_settings = 1 [(google.api.field_behavior) = REQUIRED];

  // The field mask specifying which IAP settings should be updated.
  // If omitted, then all of the settings are updated. See
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
  //
  // Note: All IAP reauth settings must always be set together, using the
  // field mask: `iapSettings.accessSettings.reauthSettings`.
  google.protobuf.FieldMask update_mask = 2;
}

// The IAP configurable settings.
// NOTE(review): field numbers 2-4 are unused here; if they were ever
// published they should be `reserved` so they cannot be reused with a
// different meaning.
message IapSettings {
  // Required. The resource name of the IAP protected resource.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Top level wrapper for all access related settings in IAP.
  AccessSettings access_settings = 5;

  // Top level wrapper for all application related settings in IAP.
  ApplicationSettings application_settings = 6;
}

// Access related settings for IAP protected apps.
message AccessSettings {
  // NOTE(review): field numbers 4 and 5 are unused; if they were ever
  // published they should be `reserved` rather than left open for reuse.

  // GCIP claims and endpoint configurations for 3p identity providers.
  GcipSettings gcip_settings = 1;

  // Configuration to allow cross-origin requests via IAP.
  CorsSettings cors_settings = 2;

  // Settings to configure IAP's OAuth behavior.
  OAuthSettings oauth_settings = 3;

  // Settings to configure reauthentication policies in IAP.
  ReauthSettings reauth_settings = 6;

  // Settings to configure and enable allowed domains.
  AllowedDomainsSettings allowed_domains_settings = 7;
}

// Allows customers to configure tenant_id for GCIP instance per-app.
message GcipSettings {
  // GCIP tenant ids that are linked to the IAP resource.
  // tenant_ids could be a string beginning with a number character to indicate
  // authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>
  // to indicate authenticating with GCIP agent flow.
  // If agent flow is used, tenant_ids should only contain one single element,
  // while for tenant flow, tenant_ids can contain multiple elements.
  repeated string tenant_ids = 1;

  // Login page URI associated with the GCIP tenants.
  // Typically, all resources within the same project share the same login page,
  // though it could be overridden at the sub resource level.
  // Wrapped in StringValue so that "not set" is distinguishable from "".
  google.protobuf.StringValue login_page_uri = 2;
}

// Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS
// call to bypass authentication and authorization. (No path list is exposed
// in this message; the setting is a single switch.)
message CorsSettings {
  // Configuration to allow HTTP OPTIONS calls to skip authorization. If
  // undefined, IAP will not apply any special logic to OPTIONS requests.
  // When true, OPTIONS requests reach the backend without IAP authentication
  // or authorization, so the backend must treat them as anonymous and must not
  // change state or disclose protected data in an OPTIONS response.
  google.protobuf.BoolValue allow_http_options = 1;
}

// Configuration for OAuth login&consent flow behavior as well as for OAuth
// Credentials.
// NOTE(review): field numbers 1, 3 and 4 are unused; reserve them if they
// were ever published.
message OAuthSettings {
  // Domain hint to send as hd=? parameter in OAuth request flow. Enables
  // redirect to primary IDP by skipping Google's login screen.
  // https://developers.google.com/identity/protocols/OpenIDConnect#hd-param
  // Note: IAP does not verify that the id token's hd claim matches this value
  // since access behavior is managed by IAM policies. This is a login UX hint,
  // not an access-control setting; restrict who may access the app with IAM
  // policy or AllowedDomainsSettings instead.
  google.protobuf.StringValue login_hint = 2;

  // List of OAuth client IDs allowed to programmatically authenticate with IAP.
  repeated string programmatic_clients = 5;
}

// Configuration for IAP reauthentication policies.
message ReauthSettings {
  // Types of reauthentication methods supported by IAP.
  enum Method {
    // Reauthentication disabled. This is also the proto3 default, so an unset
    // `method` means "disabled".
    METHOD_UNSPECIFIED = 0;

    // Prompts the user to log in again.
    LOGIN = 1;

    // Deprecated. Do not select for new policies; this file names no
    // replacement.
    PASSWORD = 2 [deprecated = true];

    // User must use their secure key 2nd factor device.
    SECURE_KEY = 3;

    // User can use any enabled 2nd factor.
    ENROLLED_SECOND_FACTORS = 4;
  }

  // Type of policy in the case of hierarchical policies.
  enum PolicyType {
    // Default value. This value is unused.
    POLICY_TYPE_UNSPECIFIED = 0;

    // This policy acts as a minimum to other policies, lower in the hierarchy.
    // Effective policy may only be the same or stricter.
    MINIMUM = 1;

    // This policy acts as a default if no other reauth policy is set.
    DEFAULT = 2;
  }

  // Reauth method requested.
  Method method = 1;

  // Reauth session lifetime, how long before a user has to reauthenticate
  // again with `method`.
  google.protobuf.Duration max_age = 2;

  // How IAP determines the effective policy in cases of hierarchical policies.
  // Policies are merged from higher in the hierarchy to lower in the hierarchy.
  PolicyType policy_type = 3;
}

// Configuration for IAP allowed domains. Lets you restrict access to an app
// and allow access to only the domains that you list.
message AllowedDomainsSettings {
  // Configuration for customers to opt in for the feature. Declared
  // `optional` so "not configured" is distinguishable from an explicit false.
  optional bool enable = 1;

  // List of trusted domains. Presumably only enforced while `enable` is true
  // — confirm against the service.
  repeated string domains = 2;
}

// Wrapper over application specific settings for IAP.
message ApplicationSettings {
  // Settings to configure IAP's behavior for a service mesh.
  CsmSettings csm_settings = 1;

  // Customization for Access Denied page.
  AccessDeniedPageSettings access_denied_page_settings = 2;

  // The Domain value to set for cookies generated by IAP. This value is not
  // validated by the API, but will be ignored at runtime if invalid.
  google.protobuf.StringValue cookie_domain = 3;

  // Settings to configure attribute propagation.
  AttributePropagationSettings attribute_propagation_settings = 4;
}

// Configuration for RCToken generated for service mesh workloads protected by
// IAP. RCToken are IAP generated JWTs that can be verified at the application.
// The RCToken is primarily used for service mesh deployments, and can be scoped
// to a single mesh by configuring the audience field accordingly.
message CsmSettings {
  // Audience claim set in the generated RCToken. This value is not validated by
  // IAP. Because IAP does not validate it, the application that verifies the
  // RCToken must itself check that the token's `aud` claim equals the value it
  // expects; otherwise a token minted for a different mesh would be accepted.
  google.protobuf.StringValue rctoken_aud = 1;
}

// Custom content configuration for access denied page.
// IAP allows customers to define a custom URI to use as the error page when
// access is denied to users. If IAP prevents access to this page, the default
// IAP error page will be displayed instead.
message AccessDeniedPageSettings {
  // The URI to be redirected to when access is denied. Whether the API
  // validates this URI is not stated here (compare `cookie_domain`) — confirm.
  google.protobuf.StringValue access_denied_page_uri = 1;

  // Whether to generate a troubleshooting URL on access denied events to this
  // application.
  google.protobuf.BoolValue generate_troubleshooting_uri = 2;

  // Whether to generate remediation token on access denied events to this
  // application. Message-typed fields already track presence, so the
  // `optional` label here is redundant but harmless.
  optional google.protobuf.BoolValue remediation_token_generation_enabled = 3;
}

// Configuration for propagating attributes to applications protected
// by IAP.
message AttributePropagationSettings {
  // Supported output credentials for attribute propagation. Each output
  // credential maps to a "field" in the response. For example, selecting JWT
  // will propagate all attributes in the IAP JWT, header in the headers, etc.
  enum OutputCredentials {
    // An output credential is required.
    OUTPUT_CREDENTIALS_UNSPECIFIED = 0;

    // Propagate attributes in the headers with "x-goog-iap-attr-" prefix.
    HEADER = 1;

    // Propagate attributes in the JWT of the form: `"additional_claims": {
    // "my_attribute": ["value1", "value2"] }`
    JWT = 2;

    // Propagate attributes in the RCToken of the form: `"additional_claims": {
    // "my_attribute": ["value1", "value2"] }`
    RCTOKEN = 3;
  }

  // Raw string CEL expression. Must return a list of attributes. A maximum of
  // 45 attributes can be selected. Expressions can select different attribute
  // types from `attributes`: `attributes.saml_attributes`,
  // `attributes.iap_attributes`. The following functions are supported:
  //
  // - filter `<list>.filter(<iter_var>, <predicate>)`: Returns a subset of
  // `<list>` where `<predicate>` is true for every item.
  //
  // - in `<var> in <list>`: Returns true if `<list>` contains `<var>`.
  //
  // - selectByName `<list>.selectByName(<string>)`: Returns the attribute in
  // `<list>` with the given `<string>` name, otherwise returns empty.
  //
  // - emitAs `<attribute>.emitAs(<string>)`: Sets the `<attribute>` name
  // field to the given `<string>` for propagation in selected output
  // credentials.
  //
  // - strict `<attribute>.strict()`: Ignores the `x-goog-iap-attr-` prefix
  // for the provided `<attribute>` when propagating with the `HEADER` output
  // credential, such as request headers. NOTE(review): with the prefix
  // dropped the attribute is emitted under its bare header name; whether IAP
  // overwrites a same-named header supplied by the client is not stated
  // here — confirm before a backend relies on such a header.
  //
  // - append `<target_list>.append(<attribute>)` OR
  // `<target_list>.append(<list>)`: Appends the provided `<attribute>` or
  // `<list>` to the end of `<target_list>`.
  //
  // Example expression: `attributes.saml_attributes.filter(x, x.name in
  // ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict())`
  optional string expression = 1;

  // Which output credentials attributes selected by the CEL expression should
  // be propagated in. All attributes will be fully duplicated in each selected
  // output credential.
  repeated OutputCredentials output_credentials = 2;

  // Whether the provided attribute propagation settings should be evaluated on
  // user requests. If set to true, attributes returned from the expression will
  // be propagated in the set output credentials.
  optional bool enable = 3;
}

// The request sent to ListBrands.
message ListBrandsRequest {
  // Required. GCP Project number/id.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];
}

// Response message for ListBrands. Not paginated: there is no page token,
// consistent with at most one brand per project (see Brand.name).
message ListBrandsResponse {
  // Brands existing in the project.
  repeated Brand brands = 1;
}

// The request sent to CreateBrand.
message CreateBrandRequest {
  // Required. GCP Project number/id under which the brand is to be created.
  // In the following format: projects/{project_number/id}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The brand to be created.
  Brand brand = 2 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to GetBrand.
message GetBrandRequest {
  // Required. Name of the brand to be fetched.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsRequest {
  // Required. Full brand path.
  // In the following format: projects/{project_number/id}/brands/{brand}.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // The maximum number of clients to return. The service may return fewer than
  // this value.
  // If unspecified, at most 100 clients will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2;

  // A page token, received from a previous `ListIdentityAwareProxyClients`
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // `ListIdentityAwareProxyClients` must match the call that provided the page
  // token.
  string page_token = 3;
}

// Response message for ListIdentityAwareProxyClients.
message ListIdentityAwareProxyClientsResponse {
  // Clients existing in the brand. Each entry may carry the client `secret`
  // (see IdentityAwareProxyClient), so list responses are sensitive.
  repeated IdentityAwareProxyClient identity_aware_proxy_clients = 1;

  // A token, which can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// The request sent to CreateIdentityAwareProxyClient.
message CreateIdentityAwareProxyClientRequest {
  // Required. Path to create the client in.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}.
  // The project must belong to a G Suite account.
  string parent = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Identity Aware Proxy Client to be created. Only `display_name`
  // is settable by the caller; `name` and `secret` are output only.
  IdentityAwareProxyClient identity_aware_proxy_client = 2
      [(google.api.field_behavior) = REQUIRED];
}

// The request sent to GetIdentityAwareProxyClient.
message GetIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be fetched.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to ResetIdentityAwareProxyClientSecret.
message ResetIdentityAwareProxyClientSecretRequest {
  // Required. Name of the Identity Aware Proxy client whose secret will be
  // reset. In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The request sent to DeleteIdentityAwareProxyClient.
message DeleteIdentityAwareProxyClientRequest {
  // Required. Name of the Identity Aware Proxy client to be deleted.
  // In the following format:
  // projects/{project_number/id}/brands/{brand}/identityAwareProxyClients/{client_id}.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// OAuth brand data.
// NOTE: Only contains a portion of the data that describes a brand.
message Brand {
  // Output only. Identifier of the brand.
  // NOTE: GCP project number achieves the same brand identification purpose as
  // only one brand per project can be created.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Support email displayed on the OAuth consent screen. CreateBrand requires
  // that this address be owned by the caller.
  string support_email = 2;

  // Application name displayed on OAuth consent screen.
  string application_title = 3;

  // Output only. Whether the brand is intended only for usage inside the
  // G Suite organization. Set by CreateBrand and changeable in the Google
  // Cloud Console, not through this API.
  bool org_internal_only = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Contains the data that describes an Identity Aware Proxy owned client.
message IdentityAwareProxyClient {
  // Output only. Unique identifier of the OAuth client.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Client secret of the OAuth client. This is credential
  // material: this message is the response type of Create/Get/List/ResetSecret,
  // so the secret may be present in any of those responses. Keep them out of
  // logs and rotate with ResetIdentityAwareProxyClientSecret if exposed.
  string secret = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Human-friendly name given to the OAuth client.
  string display_name = 3;
}
