storj/satellite/satellitedb/dbx/oauth.dbx
Egon Elbre f13d0f7df0 satellite/satellitedb/dbx: document oauth tables
Change-Id: Ide327699f4b7b35f46c9356d558221ece5bd77a9
2023-02-28 09:07:58 +00:00

128 lines
3.6 KiB
Plaintext

// oauth_client stores information about known clients developed against stroj.
model oauth_client (
key id
index ( fields user_id )
// id is a unique identifier for the client.
field id blob
// encrypted_secret is a token that the client uses to authenticate.
field encrypted_secret blob ( updatable )
// redirect_url is the uri where the user should be redirected after authentication.
field redirect_url text ( updatable )
// user_id is a UUID which refers to user.id.
field user_id blob
// app_name is text that should be displayed as the application requesting authentication.
field app_name text ( updatable )
// app_logo_url is icon that should be shown for the application.
field app_logo_url text ( updatable )
)
create oauth_client (
noreturn
)
read one (
select oauth_client
where oauth_client.id = ?
)
update oauth_client (
where oauth_client.id = ?
noreturn
)
delete oauth_client (
where oauth_client.id = ?
)
// oauth_code are single use tokens that are handed off to the third party applications.
// they're exchanged for an access_token (and maybe a refresh_token).
// they can only be claimed once.
model oauth_code (
key code
index ( fields user_id )
index ( fields client_id )
// client_id is the oauth_client.id that requested this user.
field client_id blob
// user_id is the user.id that tries to use this token.
field user_id blob
// scope is Access Token Scope which specifies what the user is allowed to access.
field scope text
// redirect_url is the location that user should be redirected to.
field redirect_url text
// challenge is used for PKCE authorization flow. It is created from code verifier that the
// client uses to verify the response.
field challenge text
// challenge_method is used for PKCE authorization flow.
// It is the method that was used to generate the challenge.
field challenge_method text
// code contains the authorization code which the client will later exchange for an access token.
field code text
// created_at specifies when the code was created.
field created_at timestamp
// expires_at specifies when the code is invalid.
field expires_at timestamp
// claimed_at specifies the time when the code was used.
field claimed_at timestamp ( nullable, updatable )
)
create oauth_code (
noreturn
)
read one (
select oauth_code
where oauth_code.code = ?
where oauth_code.claimed_at = null
)
update oauth_code (
where oauth_code.code = ?
where oauth_code.claimed_at = null
noreturn
)
// oauth_token can be an access or refresh token
model oauth_token (
key token
index ( fields user_id )
index ( fields client_id )
// client_id is the oauth_client.id that requested this user.
field client_id blob
// user_id is the user.id that tries to use this token.
field user_id blob
// scope is Access Token Scope which specifies what the user is allowed to access.
field scope text
// kind specifies the purpose of the token. It refers to oidc.OAuthTokenKind. unknown=0, access=1, refresh=2, rest=3.
field kind int
// token is the access which is implemented as an encrypted macaroon.
field token blob
// created_at is when the token was created.
field created_at timestamp
// expires_at says when the token becomes invalid.
field expires_at timestamp ( updatable )
)
create oauth_token (
noreturn
)
read one (
select oauth_token
where oauth_token.kind = ?
where oauth_token.token = ?
)
update oauth_token (
where oauth_token.token = ?
where oauth_token.kind = ?
noreturn
)