From 035e8ab00e2f3eb5b5d2a2ed22f5ce93f7bc1998 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Tue, 22 Mar 2022 21:49:27 -0700
Subject: [PATCH] tailcfg: add Token{Request,Response} types

Updates tailscale/corp#4347

Signed-off-by: Maisem Ali
---
 tailcfg/tailcfg.go | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 7a16c65aa..e853a1394 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -1672,3 +1672,42 @@ type OverTLSPublicKeyResponse struct {
 // control/controlbase and control/controlhttp)
 PublicKey key.MachinePublic `json:"publicKey"`
 }
+
+// TokenRequest is a request to get an OIDC ID token for an audience.
+// The token can be presented to any resource provider which offers OIDC
+// Federation.
+//
+// It is JSON-encoded and sent over Noise to "/machine/id-token".
+type TokenRequest struct {
+ // CapVersion is the client's current CapabilityVersion.
+ CapVersion CapabilityVersion
+ // NodeKey is the client's current node key.
+ NodeKey key.NodePublic
+ // Audience the token is being requested for.
+ Audience string
+}
+
+// TokenResponse is the response to a TokenRequest.
+type TokenResponse struct {
+ // IDToken is a JWT encoding the following standard claims:
+ //
+ // `sub` | the MagicDNS name of the node
+ // `aud` | Audience from the request
+ // `exp` | Token expiry
+ // `iat` | Token issuance time
+ // `iss` | Issuer
+ // `jti` | Random token identifier
+ // `nbf` | Not before time
+ //
+ // It also encodes the following Tailscale specific claims:
+ //
+ // `key` | the node public key
+ // `addresses` | the Tailscale IPs of the node
+ // `nid` | the node ID
+ // `node` | the name of the node
+ // `domain` | the domain of the node, it has the same format as MapResponse.Domain.
+ // `tags` | an array of on the node (like alice.github:tag:foo or example.com:tag:foo)
+ // `user` | user emailish (like alice.github:alice@github or example.com:bob@example.com), if not tagged
+ // `uid` | user ID, if not tagged
+ IDToken string `json:"id_token"`
+}
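Review bot: `NodeKey` in `TokenRequest` is a client-supplied field, and nothing in the new type documents that it must match the node the Noise session authenticated; if a handler (not in this hunk) trusted the field as-is it would mint a token whose `sub`, `nid`, `tags` and `user` claims describe a node key the caller does not hold, so the comment should pin the contract, e.g. `// NodeKey is the client's current node key. The server must verify it belongs to the machine authenticated by the Noise channel and reject the request otherwise.` The `sub` claim is documented as the MagicDNS name, which relying parties will key on; if node names can be renamed or reused, the stable `nid` is the safer subject, and the comment should at least warn that `sub` is not guaranteed stable across renames. The `tags` row has a typo, `an array of on the node` should read `an array of tags on the node`, and `Audience the token is being requested for.` is missing a verb (`Audience is the audience the token is being requested for.`). TokenRequest's fields carry no json tags while TokenResponse uses `json:"id_token"`, so the wire names are inconsistent (`NodeKey`/`CapVersion` vs `id_token`); adding explicit tags on the request would make the protocol field names deliberate rather than implied by Go identifiers.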