Method: delegate
This call returns a new authentication JSON Web Token (JWT) that allows an entity to access a specified resource on behalf of the user authenticated in the original authentication JWT. It is used to delegate scoped access to wrap or unwrap to another entity when that entity needs to act on behalf of the user.
HTTP request

    POST https://<base_url>/delegate

Replace `<base_url>` with the Key Access Control List Service (KACLS) URL.
Path parameters

None.
Request body

The request body contains a JSON representation of the request:

```json
{
  "authentication": string,
  "authorization": string,
  "reason": string
}
```

| Field | Description |
|---|---|
| `authentication` | `string` A JWT issued by a third party asserting who the user is. See the authentication section for details. |
| `authorization` | `string` A JWT with `delegated_to` and `resource_name` claims asserting that the entity identified by the `delegated_to` claim is allowed to access `resource_name` on behalf of the user. For more information, see Authorization Tokens. |
| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |
Required processing steps

The KACLS must perform at least these steps:

- Validate both the authorization and authentication tokens. For more information, see Authorization Tokens and Authentication Tokens.
- Check that the authorization and authentication tokens are for the same user. For more information, see Encrypt and decrypt data.
- Check that the `kacls_url` claim in the authorization token matches the current KACLS URL. This allows detection of potential man-in-the-middle servers configured by insiders or rogue domain admins.
- If the `kacls_owner_domain` claim exists in the authorization token, check that its value matches the KACLS owner's Google Workspace domain. This helps prevent unauthorized users from registering your KACLS with Google.
- Log the operation, including the user originating it, the `delegated_to`, the `resource_name`, and the reason passed in the request.
- Generate, sign, and return a JWT containing the `delegated_to` and `resource_name` claims taken from the authorization token.

The KACLS is free to perform additional security checks, including ones based on JWT claims.
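As an added example (not code from this page or from Google), the following is a minimal KACLS delegate handler that carries out the six required steps in order. HS256 with shared secrets stands in for the RS256/JWKS verification a real KACLS performs so that the code runs offline; the `email` and `exp` claim names and the one-hour lifetime of the issued token are assumptions, and mapping the raised exceptions onto the structured error reply is left to the caller.

```python
import base64, hashlib, hmac, json, time

# Added example, not code from the page or from Google. Real deployments verify
# RS256 signatures against the issuers' JWKS; HS256 with shared secrets stands in
# so this runs offline. `email` and `exp` are assumed claim names; `kacls_url`,
# `kacls_owner_domain`, `delegated_to` and `resource_name` are named on the page.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: float) -> dict:
    # Pin the algorithm, compare the MAC in constant time, then check expiry.
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def delegate(request: dict, authn_key: bytes, authz_key: bytes, kacls_key: bytes,
             kacls_url: str, owner_domain: str, now=None, audit=print) -> dict:
    now = time.time() if now is None else now
    reason = request.get("reason", "")
    if len(reason.encode()) > 1024:                                   # max size 1 KB
        raise ValueError("reason too large")
    authn = verify_jwt(request["authentication"], authn_key, now)     # step 1
    authz = verify_jwt(request["authorization"], authz_key, now)
    if authn["email"] != authz["email"]:                              # step 2
        raise PermissionError("tokens are for different users")
    if authz["kacls_url"] != kacls_url:                               # step 3
        raise PermissionError("kacls_url mismatch: possible man-in-the-middle")
    if authz.get("kacls_owner_domain", owner_domain) != owner_domain: # step 4
        raise PermissionError("kacls_owner_domain mismatch")
    audit(json.dumps({"op": "delegate", "user": authn["email"],       # step 5
                      "delegated_to": authz["delegated_to"],
                      "resource_name": authz["resource_name"], "reason": reason}))
    token = sign_jwt({"email": authn["email"], "iat": int(now), "exp": int(now) + 3600,
                      "delegated_to": authz["delegated_to"],          # step 6
                      "resource_name": authz["resource_name"]}, kacls_key)
    return {"delegated_authentication": token}
```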
Response body

If successful, this method returns an authentication JWT containing the `delegated_to` and `resource_name` claims. This token can later be used for authentication in calls to the Wrap and Unwrap methods. In case of an error, a structured error reply should be returned.

```json
{
  "delegated_authentication": string
}
```

| Field | Description |
|---|---|
| `delegated_authentication` | `string` A delegated authentication JWT valid for accessing `resource_name` by the user mentioned in the original authentication JWT. For more information, see KACLS authentication token for `delegate`. |
Example

Request

    POST https://mykacls.example.com/v1/delegate
    {
      "authentication": "eyJhbGciOi...",
      "authorization": "eyJhbGciOi...delegated_to\":\"other_entity_id\",\"resource_name\":\"meeting_id\"...}",
      "reason": "{client:'meet' op:'delegate_access'}"
    }

Response

    {
      "delegated_authentication": "eyJhbGciOi...delegated_to_from_authz_token...resource_name_from_authz_token...}"
    }
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated (UTC): 2025-07-26.