Authentication tokens

Bearer token (JWT: RFC 7516) issued by the identity partner (IdP) to attest a user's identity.

JSON representation
{
  "aud": string,
  "email": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "google_email": string,
  ...
}
Fields
aud

string

The audience, as identified by the IdP. Should be checked against the local configuration.

email

string (UTF-8)

The user's email address.

exp

string

Expiration time.

iat

string

Issuance time.

iss

string

The token issuer. Should be validated against the trusted set of authentication issuers.

google_email

string

An optional claim, to be used when the email claim in this JWT is different from the user's Google Workspace email ID. This claim carries the user's Google Workspace email identity.

...

Your Key Access Control List Service (KACLS) is free to use any other claims (location, custom claim, etc) to evaluate the perimeter.

KACLS authentication token for PrivilegedUnwrap

Bearer token (JWT: RFC 7516) issued by the identity partner (IdP) to attest a user's identity.

This is only used on PrivilegedUnwrap. During PrivilegedUnwrap, if a KACLS JWT is used in place of an IDP authentication token, the recipient KACLS must first fetch the JWKS of the issuer, then verify the token signature, before checking the claims.

JSON representation
{
  "aud": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "kacls_url": string,
  "resource_name": string
  ...
}
Fields
aud

string

The audience, as identified by the IdP. For Drive client-side encryption (CSE) PrivilegedUnwrap operations, this should be kacls-migration.

exp

string

Expiration time.

iat

string

Issuance time.

iss

string

The token issuer. Should be validated against the trusted set of authentication issuers. Must match the KACLS_URL of the requesting KACLS. The public key set of the issuer can be found at /certs.

kacls_url

string

URL of current KACLS, that the data is being decrypted on.

resource_name

string

An identifier for the object encrypted by the DEK. Maximum size: 128 bytes.

...

Your Key Access Control List Service (KACLS) is free to use any other claims (location, custom claim, etc) to evaluate the perimeter.