|
|
|
@ -9,26 +9,35 @@ Caveats can only be used for reducing the scope of a token, never for increasing
|
|
|
|
|
|
|
|
|
|
|
|
Some caveats are specified in this specification, and must be understood by all servers. The use of non-standard caveats is allowed.
|
|
|
|
Some caveats are specified in this specification, and must be understood by all servers. The use of non-standard caveats is allowed.
|
|
|
|
|
|
|
|
|
|
|
|
All caveats must take the form:
|
|
|
|
All caveats must take the form::
|
|
|
|
|
|
|
|
|
|
|
|
`key` `operator` `value`
|
|
|
|
key operator value
|
|
|
|
where `key` is a non-empty string drawn from the character set [A-Za-z0-9_]
|
|
|
|
|
|
|
|
`operator` is a non-empty string which does not contain whitespace
|
|
|
|
where:
|
|
|
|
`value` is a non-empty string
|
|
|
|
- ``key`` is a non-empty string drawn from the character set [A-Za-z0-9_]
|
|
|
|
|
|
|
|
- ``operator`` is a non-empty string which does not contain whitespace
|
|
|
|
|
|
|
|
- ``value`` is a non-empty string
|
|
|
|
|
|
|
|
|
|
|
|
And these are joined by single space characters.
|
|
|
|
And these are joined by single space characters.
|
|
|
|
|
|
|
|
|
|
|
|
Specified caveats:
|
|
|
|
Specified caveats:
|
|
|
|
|
|
|
|
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
| Caveat name | Description | Legal Values |
|
|
|
|
| Caveat name | Description | Legal Values |
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
+=============+==================================================+================================================================================================+
|
|
|
|
| gen | Generation of the macaroon caveat spec. | 1 |
|
|
|
|
| gen | Generation of the macaroon caveat spec. | 1 |
|
|
|
|
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
| user_id | ID of the user for which this macaroon is valid. | Pure equality check. Operator must be =. |
|
|
|
|
| user_id | ID of the user for which this macaroon is valid. | Pure equality check. Operator must be =. |
|
|
|
|
| type | The purpose of this macaroon. | access - used to authorize any action except token refresh |
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
| refresh - only used to authorize a token refresh |
|
|
|
|
| type | The purpose of this macaroon. | - ``access``: used to authorize any action except token refresh |
|
|
|
|
|
|
|
|
| | | - ``refresh``: only used to authorize a token refresh |
|
|
|
|
|
|
|
|
| | | - ``login``: issued as a very short-lived token by third party login flows; proves that |
|
|
|
|
|
|
|
|
| | | authentication has happened but doesn't grant any privileges other than being able to be |
|
|
|
|
|
|
|
|
| | | exchanged for other tokens. |
|
|
|
|
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
| time | Time before/after which this macaroon is valid. | A POSIX timestamp in milliseconds (in UTC). |
|
|
|
|
| time | Time before/after which this macaroon is valid. | A POSIX timestamp in milliseconds (in UTC). |
|
|
|
|
| Operator < means the macaroon is valid before the timestamp, as interpreted by the server. |
|
|
|
|
| | | Operator < means the macaroon is valid before the timestamp, as interpreted by the server. |
|
|
|
|
| Operator > means the macaroon is valid after the timestamp, as interpreted by the server. |
|
|
|
|
| | | Operator > means the macaroon is valid after the timestamp, as interpreted by the server. |
|
|
|
|
| Operator == means the macaroon is valid at exactly the timestamp, as interpreted by the server.|
|
|
|
|
| | | Operator == means the macaroon is valid at exactly the timestamp, as interpreted by the server.|
|
|
|
|
| Note that exact equality of time is largely meaningless. |
|
|
|
|
| | | Note that exact equality of time is largely meaningless. |
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
|
|
|
|
|
Daniel Wagner-Hall
9 years ago