diff --git a/shared/protos/identity_client.proto b/shared/protos/identity_client.proto index 13cf91b7a..e7fffbc9e 100644 --- a/shared/protos/identity_client.proto +++ b/shared/protos/identity_client.proto @@ -1,222 +1,290 @@ syntax = "proto3"; package identity.client; // RPCs from a client (iOS, Android, or web) to identity service service IdentityClientService { // Account actions // Called by user to register with the Identity Service (PAKE only) // Due to limitations of grpc-web, the Opaque challenge+response // needs to be split up over two unary requests // Start/Finish is used here to align with opaque protocol rpc RegisterPasswordUserStart(RegistrationStartRequest) returns ( RegistrationStartResponse) {} rpc RegisterPasswordUserFinish(RegistrationFinishRequest) returns ( RegistrationFinishResponse) {} // Called by user to update password and receive new access token rpc UpdateUserPasswordStart(UpdateUserPasswordStartRequest) returns (UpdateUserPasswordStartResponse) {} rpc UpdateUserPasswordFinish(UpdateUserPasswordFinishRequest) returns (UpdateUserPasswordFinishResponse) {} // Called by user to register device and get an access token rpc LoginPasswordUserStart(OpaqueLoginStartRequest) returns (OpaqueLoginStartResponse) {} rpc LoginPasswordUserFinish(OpaqueLoginFinishRequest) returns (OpaqueLoginFinishResponse) {} rpc LoginWalletUser(WalletLoginRequest) returns (WalletLoginResponse) {} // Called by a user to delete their own account rpc DeleteUser(DeleteUserRequest) returns (Empty) {} // Sign-In with Ethereum actions // Called by clients to get a nonce for a Sign-In with Ethereum message rpc GenerateNonce(Empty) returns (GenerateNonceResponse) {} + + // X3DH actions + + // Called by clients to get all device keys associated with a user in order + // to open a new channel of communication on any of their devices + rpc GetDeviceKeysForUser(DeviceKeysForUserRequest) returns + (DeviceKeysForUserResponse) {} + // Called by clients to get required keys for opening a connection + // to a keyserver + rpc GetKeyserverKeys(KeyserverKeysRequest) returns + (KeyserverKeysResponse) {} + // Replenish one-time preKeys + rpc UploadOneTimeKeys(UploadOneTimeKeysRequest) returns (Empty) {} + // Rotate a devices preKey and preKey signature + // Rotated for deniability of older messages + rpc RefreshUserPreKeys(RefreshUserPreKeysRequest) returns (Empty) {} } // Helper types message Empty {} // Key information needed for starting a X3DH session message IdentityKeyInfo { // JSON payload containing Olm Identity keys // Sessions for users will contain both IdentityKeys and NotifKeys // For keyservers, this will only contain IdentityKeys string payload = 1; // Payload signed with the signing ed25519 key string payloadSignature = 2; // Signed message used for SIWE (optional) // This correlates a given wallet with the identity of a device optional string socialProof = 3; } // Ephemeral information provided to create initial message // Prekeys are generally rotated periodically // One-time Prekeys are "consumed" after first use message PreKeyResponse { // Rotating preKey, validated to be associatd with IdentityKeys // through signature string preKey = 4; string preKeySignature = 5; // One time key, removed from available list of one time keys after requested // Client is also intended to remove OPKs after initial message optional string onetimePrekey = 6; } // Information needed when establishing communication to someone else's device message RemoteDeviceInfo { IdentityKeyInfo identityInfo = 1; PreKeyResponse identityPrekeys = 2; PreKeyResponse notifPrekeys = 3; } // Information needed when establishing communication to a keyserver message KeyserverSessionInfo { IdentityKeyInfo identityInfo = 1; PreKeyResponse identityPrekeys = 2; } // RegisterUser // Ephemeral information provided so others can create initial message // to this device // // Prekeys are generally rotated periodically // One-time Prekeys are "consumed" after first use, so many need to // be provide to avoid exhausting them. message PreKeyRegistrationUpload { // Rotating preKey, validated to be associatd with IdentityKeys // through signature string preKey = 1; string preKeySignature = 2; // One time keys // Removed from available list after requested by another client repeated string onetimePrekeys = 3; } // Bundle of information needed for creating an initial message using X3DH message DeviceKeyUpload { IdentityKeyInfo deviceKeyInfo = 1; PreKeyRegistrationUpload identityUpload = 2; PreKeyRegistrationUpload notifUpload = 3; } // Request for registering a new user message RegistrationStartRequest { // Message sent to initiate PAKE registration (step 1) bytes opaqueRegistrationRequest = 1; string username = 2; // Information needed to open a new channel to current user's device DeviceKeyUpload deviceKeyUpload = 3; } // Messages sent from a client to Identity Service message RegistrationFinishRequest { // Identifier to correlate RegisterStart session string sessionID = 1; // Final message in PAKE registration bytes opaqueRegistrationUpload = 2; } // Messages sent from Identity Service to client message RegistrationStartResponse { // Identifier used to correlate start request with finish request string sessionID = 1; // sent to the user upon reception of the PAKE registration attempt // (step 2) bytes opaqueRegistrationResponse = 2; } message RegistrationFinishResponse { // After successful unpacking of user credentials, return token string accessToken = 2; } // UpdateUserPassword // Request for updating a user, similar to registration but need a // access token to validate user before updating password message UpdateUserPasswordStartRequest { // Message sent to initiate PAKE registration (step 1) bytes opaqueRegistrationRequest = 1; // Used to validate user, before attempting to update password string accessToken = 3; } // Do a user registration, but overwrite the existing credentials // after validation of user message UpdateUserPasswordFinishRequest { // Identifier used to correlate start and finish request string sessionID = 1; // Opaque client registration upload (step 3) bytes opaqueRegistrationUpload = 2; } message UpdateUserPasswordStartResponse { // Identifier used to correlate start request with finish request string sessionID = 1; bytes opaqueRegistrationResponse = 2; } message UpdateUserPasswordFinishResponse { // After validating client reponse, mint a new token string accessToken = 2; } // LoginUser message OpaqueLoginStartRequest { string username = 1; // Message sent to initiate PAKE login (step 1) bytes opaqueLoginRequest = 2; // Information specific to a user's device needed to open a new channel of // communication with this user DeviceKeyUpload deviceKeyUpload = 3; } message OpaqueLoginFinishRequest { // Identifier used to correlate start request with finish request string sessionID = 1; // Message containing client's reponse to server challenge. // Used to verify that client holds password secret (Step 3) bytes opaqueLoginUpload = 2; } message OpaqueLoginStartResponse { // Identifier used to correlate start request with finish request string sessionID = 1; // Opaque challenge sent from server to client attempting to login (Step 2) bytes opaqueLoginResponse = 2; } message OpaqueLoginFinishResponse { // Mint and return a new key upon successful login string accessToken = 2; } message WalletLoginRequest { // ed25519 key for the given user's device string siweMessage = 1; string siweSignature = 2; // Information specific to a user's device needed to open a new channel of // communication with this user DeviceKeyUpload deviceKeyUpload = 3; } message WalletLoginResponse { string accessToken = 1; } // DeleteUser message DeleteUserRequest { string accessToken = 1; } // GenerateNonce message GenerateNonceResponse{ string nonce = 1; } + +// GetDeviceKeysForUser + +message DeviceKeysForUserRequest { + oneof identifier { + string username = 1; + string walletAddress = 2; + } +} + +message DeviceKeysForUserResponse { + // Map is keyed on devices' public ed25519 key used for signing + map devices = 1; +} + +// GetKeyserverKeys + +// All keyserver must be registered with an existing user. +// Conversely, one or zero keyservers can registered to a user. +message KeyserverKeysRequest { + oneof identifier { + string username = 1; + string walletAddress = 2; + } +} + +message KeyserverKeysResponse { + KeyserverSessionInfo keyserverInfo = 1; +} + +// UploadOneTimeKeys + +// As OPKs get exhausted, they need to be refreshed +message UploadOneTimeKeysRequest { + // Use device associated with token to insert OPKs + string accessToken = 1; + repeated string oneTimePreKeys = 2; +} + +// RefreshUserPreKeys + +message PreKeyUpload { + // Rotating preKey, validated to be associatd with IdentityKeys + // through signature + string preKey = 1; + string preKeySignature = 2; +} + +message RefreshUserPreKeysRequest { + string accessToken = 1; + PreKeyUpload newPreKeys = 2; +}