# Authentication tokens
Bearer token ([JWT: RFC 7516](https://tools.ietf.org/html/rfc7516)) issued by the identity partner (IdP) to attest a user's identity.
JSON representation:

```json
{
  "aud": string,
  "email": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "google_email": string,
  ...
}
```
| Field | Type and description |
|---|---|
| `aud` | `string` The audience, as identified by the IdP. Should be checked against the local configuration. |
| `email` | `string (UTF-8)` The user's email address. |
| `exp` | `string` Expiration time. |
| `iat` | `string` Issuance time. |
| `iss` | `string` The token issuer. Should be validated against the trusted set of authentication issuers. |
| `google_email` | `string` An optional claim, to be used when the `email` claim in this JWT differs from the user's Google Workspace email ID. This claim carries the user's Google Workspace email identity. |
| `...` | Your Key Access Control List Service (KACLS) is free to use any other claims (location, custom claims, etc.) to evaluate the perimeter. |
## KACLS authentication token for `delegate`

The authentication token contains a JSON Web Token (JWT) ([JWT: RFC 7516](https://tools.ietf.org/html/rfc7516)) that is a bearer authentication token.

Sometimes a user is not able to authenticate on a client directly. In these cases the user can delegate their access to a specific resource to that client. This is achieved by issuing a new delegated authentication token that limits the scope of the original authentication token.

The delegated authentication token is similar to the ordinary authentication token, with one additional claim:
| Claim | Type and description |
|---|---|
| `delegated_to` | `string` An identifier for the entity to which authentication is delegated. |
In a delegation context, the `resource_name` claim in the authentication token identifies the object encrypted by the Data Encryption Key (DEK) for which the delegation is valid.

The token is issued by the Key Access Control List Service (KACLS) using the `Delegate` call. It may be a self-signed JWT that the KACLS is able to validate, or the KACLS may have any other IdP issue it through a trusted call.

For the delegated authentication token to be considered valid, a delegated authorization token must be provided for the same operation. The delegated authorization token is similar to the ordinary authorization token, but contains the additional claim `delegated_to`. The values of the `delegated_to` and `resource_name` claims must match the values in the delegated authentication token.

We recommend that you set a lifetime of 15 minutes for delegated authentication tokens, to limit reuse if a token is leaked.
JSON representation:

```json
{
  "email": string,
  "iss": string,
  "aud": string,
  "exp": string,
  "iat": string,
  "google_email": string,
  "delegated_to": string,
  "resource_name": string,
  ...
}
```
| Field | Type and description |
|---|---|
| `email` | `string (UTF-8)` The user's UTF-8 formatted email address. |
| `iss` | `string` The token issuer. Should be validated against the trusted set of authentication issuers. |
| `aud` | `string` The audience, as identified by the IdP. Should be checked against the local configuration. |
| `exp` | `string` Expiration time. Should be checked. |
| `iat` | `string` Issuance time. Should be checked. |
| `delegated_to` | `string` An identifier for the entity to which authentication is delegated. |
| `resource_name` | `string` An identifier for the object encrypted by the DEK, for which the delegation is valid. |
| `...` | The KACLS is free to use any other claims (location, custom claims, etc.) to evaluate the perimeter. |
## KACLS authentication token for `PrivilegedUnwrap`

Bearer token ([JWT: RFC 7516](https://tools.ietf.org/html/rfc7516)) issued by the identity partner (IdP) to attest a user's identity.

This is only used on `PrivilegedUnwrap`. During `PrivilegedUnwrap`, if a KACLS JWT is used in place of an IdP authentication token, the recipient KACLS must first fetch the JWKS of the issuer, then verify the token signature, and only then check the claims.
JSON representation:

```json
{
  "aud": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "kacls_url": string,
  "resource_name": string,
  ...
}
```
| Field | Type and description |
|---|---|
| `aud` | `string` The audience, as identified by the IdP. For Drive client-side encryption (CSE) `PrivilegedUnwrap` operations, this should be `kacls-migration`. |
| `exp` | `string` Expiration time. |
| `iat` | `string` Issuance time. |
| `iss` | `string` The token issuer. Should be validated against the trusted set of authentication issuers. Must match the `KACLS_URL` of the requesting KACLS. The public key set of the issuer can be found at `/certs`. |
| `kacls_url` | `string` URL of the current KACLS, on which the data is being decrypted. |
| `resource_name` | `string` An identifier for the object encrypted by the DEK. Maximum size: 128 bytes. |
| `...` | Your Key Access Control List Service (KACLS) is free to use any other claims (location, custom claims, etc.) to evaluate the perimeter. |
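As an added example (not part of this page or of any Google reference implementation), the following Python implements the claim checks described in the `delegate` section above and in this `PrivilegedUnwrap` section: the delegated authentication token and its accompanying delegated authorization token must agree on `delegated_to` and `resource_name` and the authentication token should not live longer than the recommended 15 minutes; a KACLS JWT on `PrivilegedUnwrap` must carry an `aud` of `kacls-migration`, an `iss` that is a trusted KACLS and matches the requesting KACLS URL, and a `resource_name` of at most 128 bytes. Function and parameter names are assumptions, as is parsing `exp`/`iat` as epoch seconds; signature verification against the JWKS fetched from the issuer's `/certs`, which must happen before any of these checks, is not shown.

```python
# Recommended lifetime for delegated authentication tokens (15 minutes, from the page).
MAX_DELEGATED_LIFETIME = 15 * 60
MAX_RESOURCE_NAME_BYTES = 128  # limit stated for resource_name on PrivilegedUnwrap


def check_common_claims(claims, trusted_issuers, expected_aud, now):
    """Check iss, aud, exp and iat. The page types exp/iat as strings; this example
    assumes they hold epoch seconds. Returns None if OK, otherwise a reason string."""
    if claims.get("iss") not in trusted_issuers:
        return "untrusted issuer"
    if claims.get("aud") != expected_aud:
        return "audience mismatch"
    try:
        exp, iat = int(claims["exp"]), int(claims["iat"])
    except (KeyError, ValueError):
        return "missing or malformed exp/iat"
    if iat > now or exp <= now:
        return "token not yet valid or expired"
    return None


def check_delegated_pair(authn, authz, trusted_issuers, expected_aud, now):
    """Delegated authentication token plus the delegated authorization token that must
    accompany it: both carry delegated_to and resource_name and the values must agree.
    Only the authentication token's standard claims are checked here; the authorization
    token has its own validation rules, which this page does not describe."""
    reason = check_common_claims(authn, trusted_issuers, expected_aud, now)
    if reason:
        return f"authentication token: {reason}"
    for claim in ("delegated_to", "resource_name"):
        if not authn.get(claim) or not authz.get(claim):
            return f"missing {claim}"
        if authn[claim] != authz[claim]:
            return f"{claim} mismatch between authentication and authorization token"
    if int(authn["exp"]) - int(authn["iat"]) > MAX_DELEGATED_LIFETIME:
        return "delegated token lifetime exceeds 15 minutes"
    return None


def check_privileged_unwrap_claims(claims, own_kacls_url, requesting_kacls_url,
                                   trusted_kacls_urls, now):
    """Claim checks for a KACLS JWT on PrivilegedUnwrap; run them only after the
    signature has been verified with the issuer's JWKS. iss must be a trusted KACLS
    and equal the requesting KACLS URL; aud is fixed to kacls-migration."""
    reason = check_common_claims(claims, trusted_kacls_urls & {requesting_kacls_url},
                                 "kacls-migration", now)
    if reason:
        return reason
    # kacls_url names the KACLS the data is decrypted on, i.e. the recipient itself.
    if claims.get("kacls_url") != own_kacls_url:
        return "kacls_url does not name this KACLS"
    name = claims.get("resource_name", "")
    if not name or len(name.encode("utf-8")) > MAX_RESOURCE_NAME_BYTES:
        return "resource_name missing or larger than 128 bytes"
    return None
```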
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated (UTC): 2025-08-04.