Skip to main content

nominal_api/conjure/endpoints/authorization/
authorization_service.rs

1use conjure_http::endpoint;
2/// Authorization service manages the permissions for a user
3/// to access resources.
4#[conjure_http::conjure_endpoints(
5    name = "AuthorizationService",
6    use_legacy_error_serialization
7)]
8pub trait AuthorizationService {
9    /// Given a set of resources, returns the set of resources that the
10    /// user is authorized to access.
11    #[endpoint(
12        method = POST,
13        path = "/authorization/v1/authorize",
14        name = "authorize",
15        produces = conjure_http::server::conjure::CollectionResponseSerializer
16    )]
17    fn authorize(
18        &self,
19        #[auth]
20        auth_: conjure_object::BearerToken,
21        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
22        request: super::super::super::objects::authorization::AuthorizationRequest,
23    ) -> Result<
24        std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
25        conjure_http::private::Error,
26    >;
27    /// Given a set of resources, returns the workspace that each resource belongs to. If a user
28    /// is not authorized on the resource, will omit the resource from the response.
29    #[endpoint(
30        method = POST,
31        path = "/authorization/v1/batch-get-workspace-for-resource",
32        name = "batchGetWorkspaceForResource",
33        produces = conjure_http::server::conjure::CollectionResponseSerializer
34    )]
35    fn batch_get_workspace_for_resource(
36        &self,
37        #[auth]
38        auth_: conjure_object::BearerToken,
39        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
40        request: std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
41    ) -> Result<
42        std::collections::BTreeMap<
43            conjure_object::ResourceIdentifier,
44            super::super::super::objects::api::rids::WorkspaceRid,
45        >,
46        conjure_http::private::Error,
47    >;
48    /// Marks a set of resources as belonging to a workspace. Either all resources are
49    /// registered or none are.
50    /// If the user is not in the workspace, this will throw.
51    /// If a resource already belongs to a different workspace, this will throw.
52    /// If a resource already belongs to this workspace, this is a no-op.
53    #[endpoint(
54        method = POST,
55        path = "/authorization/v1/register-in-workspace",
56        name = "registerInWorkspace"
57    )]
58    fn register_in_workspace(
59        &self,
60        #[auth]
61        auth_: conjure_object::BearerToken,
62        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
63        request: super::super::super::objects::authorization::RegisterInWorkspaceRequest,
64    ) -> Result<(), conjure_http::private::Error>;
65    /// Given an authenticated session, this endpoint returns a HTTP 204 if the
66    /// authenticated user is an admin and HTTP 403 otherwise.
67    #[endpoint(method = GET, path = "/authorization/v1/checkAdmin", name = "checkAdmin")]
68    fn check_admin(
69        &self,
70        #[auth]
71        auth_: conjure_object::BearerToken,
72    ) -> Result<(), conjure_http::private::Error>;
73    /// Checks if the email is allowed to register.
74    #[endpoint(
75        method = POST,
76        path = "/authorization/v1/is-email-allowed",
77        name = "isEmailAllowed",
78        produces = conjure_http::server::StdResponseSerializer
79    )]
80    fn is_email_allowed(
81        &self,
82        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
83        request: super::super::super::objects::authorization::IsEmailAllowedRequest,
84    ) -> Result<
85        super::super::super::objects::authorization::IsEmailAllowedResponse,
86        conjure_http::private::Error,
87    >;
88    /// Checks if the email is allowed to register, following Okta "registration inline hook" API.
89    #[endpoint(
90        method = POST,
91        path = "/authorization/v1/is-email-allowed-okta",
92        name = "isEmailAllowedOkta",
93        produces = conjure_http::server::StdResponseSerializer
94    )]
95    fn is_email_allowed_okta(
96        &self,
97        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
98        request: super::super::super::objects::authorization::OktaRegistrationRequest,
99    ) -> Result<
100        super::super::super::objects::authorization::OktaRegistrationResponse,
101        conjure_http::private::Error,
102    >;
103    /// Provides an OIDC ID token to get the orgs that the user is a member of. Throws NotAuthorized if the ID token
104    /// is invalid or if the OIDC provider is not known.
105    #[endpoint(
106        method = POST,
107        path = "/authorization/v1/user-orgs",
108        name = "getUserOrgs",
109        produces = conjure_http::server::StdResponseSerializer
110    )]
111    fn get_user_orgs(
112        &self,
113        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
114        request: super::super::super::objects::authorization::GetUserOrgsRequest,
115    ) -> Result<
116        super::super::super::objects::authorization::GetUserOrgsResponse,
117        conjure_http::private::Error,
118    >;
119    /// Provide an OIDC ID token to get a Nominal access token suitable for making API requests.
120    /// Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration.
121    /// Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.
122    #[endpoint(
123        method = POST,
124        path = "/authorization/v1/access-token",
125        name = "getAccessToken",
126        produces = conjure_http::server::StdResponseSerializer
127    )]
128    fn get_access_token(
129        &self,
130        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
131        request: super::super::super::objects::authorization::GetAccessTokenRequest,
132    ) -> Result<
133        super::super::super::objects::authorization::GetAccessTokenResponse,
134        conjure_http::private::Error,
135    >;
136    /// Given an authenticated session, provide an OIDC access token to get a Nominal access token suitable
137    /// for making API requests. Its expiry will match that of the input access token, capped at 24h. TODO(MGMT-933):
138    /// reduce this duration. Throws NotAuthorized if the access token is invalid or if the OIDC provider is not
139    /// known.
140    #[endpoint(
141        method = POST,
142        path = "/authorization/v1/refresh-access-token",
143        name = "refreshAccessToken",
144        produces = conjure_http::server::StdResponseSerializer
145    )]
146    fn refresh_access_token(
147        &self,
148        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
149        request: super::super::super::objects::authorization::RefreshAccessTokenRequest,
150    ) -> Result<
151        super::super::super::objects::authorization::RefreshAccessTokenResponse,
152        conjure_http::private::Error,
153    >;
154    /// Given an IDP issued id token, return the end session endpoint, accessed through the
155    /// .well-known/openid-configuration endpoint.
156    #[endpoint(
157        method = POST,
158        path = "/authorization/v1/get-idp-end-session-endpoint",
159        name = "getIdpEndSessionEndpoint",
160        produces = conjure_http::server::StdResponseSerializer
161    )]
162    fn get_idp_end_session_endpoint(
163        &self,
164        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
165        request: super::super::super::objects::authorization::GetIdpEndSessionEndpointRequest,
166    ) -> Result<
167        super::super::super::objects::authorization::GetIdpEndSessionEndpointResponse,
168        conjure_http::private::Error,
169    >;
170    /// Provide a long-lived API key for making API requests.
171    /// The API key is irretrievable after initial creation.
172    #[endpoint(
173        method = POST,
174        path = "/authorization/v1/api-key",
175        name = "createApiKey",
176        produces = conjure_http::server::StdResponseSerializer
177    )]
178    fn create_api_key(
179        &self,
180        #[auth]
181        auth_: conjure_object::BearerToken,
182        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
183        request: super::super::super::objects::authorization::CreateApiKeyRequest,
184    ) -> Result<
185        super::super::super::objects::authorization::CreateApiKeyResponse,
186        conjure_http::private::Error,
187    >;
188    /// List all API keys in the organization.
189    #[endpoint(
190        method = POST,
191        path = "/authorization/v1/api-keys/org",
192        name = "listApiKeysInOrg",
193        produces = conjure_http::server::StdResponseSerializer
194    )]
195    fn list_api_keys_in_org(
196        &self,
197        #[auth]
198        auth_: conjure_object::BearerToken,
199        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
200        request: super::super::super::objects::authorization::ListApiKeyRequest,
201    ) -> Result<
202        super::super::super::objects::authorization::ListApiKeyResponse,
203        conjure_http::private::Error,
204    >;
205    /// List all API keys for the user.
206    #[endpoint(
207        method = POST,
208        path = "/authorization/v1/api-keys/user",
209        name = "listUserApiKeys",
210        produces = conjure_http::server::StdResponseSerializer
211    )]
212    fn list_user_api_keys(
213        &self,
214        #[auth]
215        auth_: conjure_object::BearerToken,
216        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
217        request: super::super::super::objects::authorization::ListApiKeyRequest,
218    ) -> Result<
219        super::super::super::objects::authorization::ListApiKeyResponse,
220        conjure_http::private::Error,
221    >;
222    /// Delete an API key.
223    #[endpoint(
224        method = PUT,
225        path = "/authorization/v1/api-key/{rid}/delete",
226        name = "revokeApiKey"
227    )]
228    fn revoke_api_key(
229        &self,
230        #[auth]
231        auth_: conjure_object::BearerToken,
232        #[path(
233            name = "rid",
234            decoder = conjure_http::server::conjure::FromPlainDecoder,
235            safe
236        )]
237        rid: super::super::super::objects::authorization::ApiKeyRid,
238    ) -> Result<(), conjure_http::private::Error>;
239}
240/// Authorization service manages the permissions for a user
241/// to access resources.
242#[conjure_http::conjure_endpoints(
243    name = "AuthorizationService",
244    use_legacy_error_serialization
245)]
246pub trait AsyncAuthorizationService {
247    /// Given a set of resources, returns the set of resources that the
248    /// user is authorized to access.
249    #[endpoint(
250        method = POST,
251        path = "/authorization/v1/authorize",
252        name = "authorize",
253        produces = conjure_http::server::conjure::CollectionResponseSerializer
254    )]
255    async fn authorize(
256        &self,
257        #[auth]
258        auth_: conjure_object::BearerToken,
259        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
260        request: super::super::super::objects::authorization::AuthorizationRequest,
261    ) -> Result<
262        std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
263        conjure_http::private::Error,
264    >;
265    /// Given a set of resources, returns the workspace that each resource belongs to. If a user
266    /// is not authorized on the resource, will omit the resource from the response.
267    #[endpoint(
268        method = POST,
269        path = "/authorization/v1/batch-get-workspace-for-resource",
270        name = "batchGetWorkspaceForResource",
271        produces = conjure_http::server::conjure::CollectionResponseSerializer
272    )]
273    async fn batch_get_workspace_for_resource(
274        &self,
275        #[auth]
276        auth_: conjure_object::BearerToken,
277        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
278        request: std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
279    ) -> Result<
280        std::collections::BTreeMap<
281            conjure_object::ResourceIdentifier,
282            super::super::super::objects::api::rids::WorkspaceRid,
283        >,
284        conjure_http::private::Error,
285    >;
286    /// Marks a set of resources as belonging to a workspace. Either all resources are
287    /// registered or none are.
288    /// If the user is not in the workspace, this will throw.
289    /// If a resource already belongs to a different workspace, this will throw.
290    /// If a resource already belongs to this workspace, this is a no-op.
291    #[endpoint(
292        method = POST,
293        path = "/authorization/v1/register-in-workspace",
294        name = "registerInWorkspace"
295    )]
296    async fn register_in_workspace(
297        &self,
298        #[auth]
299        auth_: conjure_object::BearerToken,
300        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
301        request: super::super::super::objects::authorization::RegisterInWorkspaceRequest,
302    ) -> Result<(), conjure_http::private::Error>;
303    /// Given an authenticated session, this endpoint returns a HTTP 204 if the
304    /// authenticated user is an admin and HTTP 403 otherwise.
305    #[endpoint(method = GET, path = "/authorization/v1/checkAdmin", name = "checkAdmin")]
306    async fn check_admin(
307        &self,
308        #[auth]
309        auth_: conjure_object::BearerToken,
310    ) -> Result<(), conjure_http::private::Error>;
311    /// Checks if the email is allowed to register.
312    #[endpoint(
313        method = POST,
314        path = "/authorization/v1/is-email-allowed",
315        name = "isEmailAllowed",
316        produces = conjure_http::server::StdResponseSerializer
317    )]
318    async fn is_email_allowed(
319        &self,
320        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
321        request: super::super::super::objects::authorization::IsEmailAllowedRequest,
322    ) -> Result<
323        super::super::super::objects::authorization::IsEmailAllowedResponse,
324        conjure_http::private::Error,
325    >;
326    /// Checks if the email is allowed to register, following Okta "registration inline hook" API.
327    #[endpoint(
328        method = POST,
329        path = "/authorization/v1/is-email-allowed-okta",
330        name = "isEmailAllowedOkta",
331        produces = conjure_http::server::StdResponseSerializer
332    )]
333    async fn is_email_allowed_okta(
334        &self,
335        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
336        request: super::super::super::objects::authorization::OktaRegistrationRequest,
337    ) -> Result<
338        super::super::super::objects::authorization::OktaRegistrationResponse,
339        conjure_http::private::Error,
340    >;
341    /// Provides an OIDC ID token to get the orgs that the user is a member of. Throws NotAuthorized if the ID token
342    /// is invalid or if the OIDC provider is not known.
343    #[endpoint(
344        method = POST,
345        path = "/authorization/v1/user-orgs",
346        name = "getUserOrgs",
347        produces = conjure_http::server::StdResponseSerializer
348    )]
349    async fn get_user_orgs(
350        &self,
351        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
352        request: super::super::super::objects::authorization::GetUserOrgsRequest,
353    ) -> Result<
354        super::super::super::objects::authorization::GetUserOrgsResponse,
355        conjure_http::private::Error,
356    >;
357    /// Provide an OIDC ID token to get a Nominal access token suitable for making API requests.
358    /// Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration.
359    /// Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.
360    #[endpoint(
361        method = POST,
362        path = "/authorization/v1/access-token",
363        name = "getAccessToken",
364        produces = conjure_http::server::StdResponseSerializer
365    )]
366    async fn get_access_token(
367        &self,
368        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
369        request: super::super::super::objects::authorization::GetAccessTokenRequest,
370    ) -> Result<
371        super::super::super::objects::authorization::GetAccessTokenResponse,
372        conjure_http::private::Error,
373    >;
374    /// Given an authenticated session, provide an OIDC access token to get a Nominal access token suitable
375    /// for making API requests. Its expiry will match that of the input access token, capped at 24h. TODO(MGMT-933):
376    /// reduce this duration. Throws NotAuthorized if the access token is invalid or if the OIDC provider is not
377    /// known.
378    #[endpoint(
379        method = POST,
380        path = "/authorization/v1/refresh-access-token",
381        name = "refreshAccessToken",
382        produces = conjure_http::server::StdResponseSerializer
383    )]
384    async fn refresh_access_token(
385        &self,
386        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
387        request: super::super::super::objects::authorization::RefreshAccessTokenRequest,
388    ) -> Result<
389        super::super::super::objects::authorization::RefreshAccessTokenResponse,
390        conjure_http::private::Error,
391    >;
392    /// Given an IDP issued id token, return the end session endpoint, accessed through the
393    /// .well-known/openid-configuration endpoint.
394    #[endpoint(
395        method = POST,
396        path = "/authorization/v1/get-idp-end-session-endpoint",
397        name = "getIdpEndSessionEndpoint",
398        produces = conjure_http::server::StdResponseSerializer
399    )]
400    async fn get_idp_end_session_endpoint(
401        &self,
402        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
403        request: super::super::super::objects::authorization::GetIdpEndSessionEndpointRequest,
404    ) -> Result<
405        super::super::super::objects::authorization::GetIdpEndSessionEndpointResponse,
406        conjure_http::private::Error,
407    >;
408    /// Provide a long-lived API key for making API requests.
409    /// The API key is irretrievable after initial creation.
410    #[endpoint(
411        method = POST,
412        path = "/authorization/v1/api-key",
413        name = "createApiKey",
414        produces = conjure_http::server::StdResponseSerializer
415    )]
416    async fn create_api_key(
417        &self,
418        #[auth]
419        auth_: conjure_object::BearerToken,
420        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
421        request: super::super::super::objects::authorization::CreateApiKeyRequest,
422    ) -> Result<
423        super::super::super::objects::authorization::CreateApiKeyResponse,
424        conjure_http::private::Error,
425    >;
426    /// List all API keys in the organization.
427    #[endpoint(
428        method = POST,
429        path = "/authorization/v1/api-keys/org",
430        name = "listApiKeysInOrg",
431        produces = conjure_http::server::StdResponseSerializer
432    )]
433    async fn list_api_keys_in_org(
434        &self,
435        #[auth]
436        auth_: conjure_object::BearerToken,
437        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
438        request: super::super::super::objects::authorization::ListApiKeyRequest,
439    ) -> Result<
440        super::super::super::objects::authorization::ListApiKeyResponse,
441        conjure_http::private::Error,
442    >;
443    /// List all API keys for the user.
444    #[endpoint(
445        method = POST,
446        path = "/authorization/v1/api-keys/user",
447        name = "listUserApiKeys",
448        produces = conjure_http::server::StdResponseSerializer
449    )]
450    async fn list_user_api_keys(
451        &self,
452        #[auth]
453        auth_: conjure_object::BearerToken,
454        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
455        request: super::super::super::objects::authorization::ListApiKeyRequest,
456    ) -> Result<
457        super::super::super::objects::authorization::ListApiKeyResponse,
458        conjure_http::private::Error,
459    >;
460    /// Delete an API key.
461    #[endpoint(
462        method = PUT,
463        path = "/authorization/v1/api-key/{rid}/delete",
464        name = "revokeApiKey"
465    )]
466    async fn revoke_api_key(
467        &self,
468        #[auth]
469        auth_: conjure_object::BearerToken,
470        #[path(
471            name = "rid",
472            decoder = conjure_http::server::conjure::FromPlainDecoder,
473            safe
474        )]
475        rid: super::super::super::objects::authorization::ApiKeyRid,
476    ) -> Result<(), conjure_http::private::Error>;
477}
478/// Authorization service manages the permissions for a user
479/// to access resources.
480#[conjure_http::conjure_endpoints(
481    name = "AuthorizationService",
482    use_legacy_error_serialization,
483    local
484)]
485pub trait LocalAsyncAuthorizationService {
486    /// Given a set of resources, returns the set of resources that the
487    /// user is authorized to access.
488    #[endpoint(
489        method = POST,
490        path = "/authorization/v1/authorize",
491        name = "authorize",
492        produces = conjure_http::server::conjure::CollectionResponseSerializer
493    )]
494    async fn authorize(
495        &self,
496        #[auth]
497        auth_: conjure_object::BearerToken,
498        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
499        request: super::super::super::objects::authorization::AuthorizationRequest,
500    ) -> Result<
501        std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
502        conjure_http::private::Error,
503    >;
504    /// Given a set of resources, returns the workspace that each resource belongs to. If a user
505    /// is not authorized on the resource, will omit the resource from the response.
506    #[endpoint(
507        method = POST,
508        path = "/authorization/v1/batch-get-workspace-for-resource",
509        name = "batchGetWorkspaceForResource",
510        produces = conjure_http::server::conjure::CollectionResponseSerializer
511    )]
512    async fn batch_get_workspace_for_resource(
513        &self,
514        #[auth]
515        auth_: conjure_object::BearerToken,
516        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
517        request: std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
518    ) -> Result<
519        std::collections::BTreeMap<
520            conjure_object::ResourceIdentifier,
521            super::super::super::objects::api::rids::WorkspaceRid,
522        >,
523        conjure_http::private::Error,
524    >;
525    /// Marks a set of resources as belonging to a workspace. Either all resources are
526    /// registered or none are.
527    /// If the user is not in the workspace, this will throw.
528    /// If a resource already belongs to a different workspace, this will throw.
529    /// If a resource already belongs to this workspace, this is a no-op.
530    #[endpoint(
531        method = POST,
532        path = "/authorization/v1/register-in-workspace",
533        name = "registerInWorkspace"
534    )]
535    async fn register_in_workspace(
536        &self,
537        #[auth]
538        auth_: conjure_object::BearerToken,
539        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
540        request: super::super::super::objects::authorization::RegisterInWorkspaceRequest,
541    ) -> Result<(), conjure_http::private::Error>;
542    /// Given an authenticated session, this endpoint returns a HTTP 204 if the
543    /// authenticated user is an admin and HTTP 403 otherwise.
544    #[endpoint(method = GET, path = "/authorization/v1/checkAdmin", name = "checkAdmin")]
545    async fn check_admin(
546        &self,
547        #[auth]
548        auth_: conjure_object::BearerToken,
549    ) -> Result<(), conjure_http::private::Error>;
550    /// Checks if the email is allowed to register.
551    #[endpoint(
552        method = POST,
553        path = "/authorization/v1/is-email-allowed",
554        name = "isEmailAllowed",
555        produces = conjure_http::server::StdResponseSerializer
556    )]
557    async fn is_email_allowed(
558        &self,
559        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
560        request: super::super::super::objects::authorization::IsEmailAllowedRequest,
561    ) -> Result<
562        super::super::super::objects::authorization::IsEmailAllowedResponse,
563        conjure_http::private::Error,
564    >;
565    /// Checks if the email is allowed to register, following Okta "registration inline hook" API.
566    #[endpoint(
567        method = POST,
568        path = "/authorization/v1/is-email-allowed-okta",
569        name = "isEmailAllowedOkta",
570        produces = conjure_http::server::StdResponseSerializer
571    )]
572    async fn is_email_allowed_okta(
573        &self,
574        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
575        request: super::super::super::objects::authorization::OktaRegistrationRequest,
576    ) -> Result<
577        super::super::super::objects::authorization::OktaRegistrationResponse,
578        conjure_http::private::Error,
579    >;
580    /// Provides an OIDC ID token to get the orgs that the user is a member of. Throws NotAuthorized if the ID token
581    /// is invalid or if the OIDC provider is not known.
582    #[endpoint(
583        method = POST,
584        path = "/authorization/v1/user-orgs",
585        name = "getUserOrgs",
586        produces = conjure_http::server::StdResponseSerializer
587    )]
588    async fn get_user_orgs(
589        &self,
590        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
591        request: super::super::super::objects::authorization::GetUserOrgsRequest,
592    ) -> Result<
593        super::super::super::objects::authorization::GetUserOrgsResponse,
594        conjure_http::private::Error,
595    >;
596    /// Provide an OIDC ID token to get a Nominal access token suitable for making API requests.
597    /// Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration.
598    /// Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.
599    #[endpoint(
600        method = POST,
601        path = "/authorization/v1/access-token",
602        name = "getAccessToken",
603        produces = conjure_http::server::StdResponseSerializer
604    )]
605    async fn get_access_token(
606        &self,
607        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
608        request: super::super::super::objects::authorization::GetAccessTokenRequest,
609    ) -> Result<
610        super::super::super::objects::authorization::GetAccessTokenResponse,
611        conjure_http::private::Error,
612    >;
613    /// Given an authenticated session, provide an OIDC access token to get a Nominal access token suitable
614    /// for making API requests. Its expiry will match that of the input access token, capped at 24h. TODO(MGMT-933):
615    /// reduce this duration. Throws NotAuthorized if the access token is invalid or if the OIDC provider is not
616    /// known.
617    #[endpoint(
618        method = POST,
619        path = "/authorization/v1/refresh-access-token",
620        name = "refreshAccessToken",
621        produces = conjure_http::server::StdResponseSerializer
622    )]
623    async fn refresh_access_token(
624        &self,
625        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
626        request: super::super::super::objects::authorization::RefreshAccessTokenRequest,
627    ) -> Result<
628        super::super::super::objects::authorization::RefreshAccessTokenResponse,
629        conjure_http::private::Error,
630    >;
631    /// Given an IDP issued id token, return the end session endpoint, accessed through the
632    /// .well-known/openid-configuration endpoint.
633    #[endpoint(
634        method = POST,
635        path = "/authorization/v1/get-idp-end-session-endpoint",
636        name = "getIdpEndSessionEndpoint",
637        produces = conjure_http::server::StdResponseSerializer
638    )]
639    async fn get_idp_end_session_endpoint(
640        &self,
641        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
642        request: super::super::super::objects::authorization::GetIdpEndSessionEndpointRequest,
643    ) -> Result<
644        super::super::super::objects::authorization::GetIdpEndSessionEndpointResponse,
645        conjure_http::private::Error,
646    >;
647    /// Provide a long-lived API key for making API requests.
648    /// The API key is irretrievable after initial creation.
649    #[endpoint(
650        method = POST,
651        path = "/authorization/v1/api-key",
652        name = "createApiKey",
653        produces = conjure_http::server::StdResponseSerializer
654    )]
655    async fn create_api_key(
656        &self,
657        #[auth]
658        auth_: conjure_object::BearerToken,
659        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
660        request: super::super::super::objects::authorization::CreateApiKeyRequest,
661    ) -> Result<
662        super::super::super::objects::authorization::CreateApiKeyResponse,
663        conjure_http::private::Error,
664    >;
665    /// List all API keys in the organization.
666    #[endpoint(
667        method = POST,
668        path = "/authorization/v1/api-keys/org",
669        name = "listApiKeysInOrg",
670        produces = conjure_http::server::StdResponseSerializer
671    )]
672    async fn list_api_keys_in_org(
673        &self,
674        #[auth]
675        auth_: conjure_object::BearerToken,
676        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
677        request: super::super::super::objects::authorization::ListApiKeyRequest,
678    ) -> Result<
679        super::super::super::objects::authorization::ListApiKeyResponse,
680        conjure_http::private::Error,
681    >;
682    /// List all API keys for the user.
683    #[endpoint(
684        method = POST,
685        path = "/authorization/v1/api-keys/user",
686        name = "listUserApiKeys",
687        produces = conjure_http::server::StdResponseSerializer
688    )]
689    async fn list_user_api_keys(
690        &self,
691        #[auth]
692        auth_: conjure_object::BearerToken,
693        #[body(deserializer = conjure_http::server::StdRequestDeserializer)]
694        request: super::super::super::objects::authorization::ListApiKeyRequest,
695    ) -> Result<
696        super::super::super::objects::authorization::ListApiKeyResponse,
697        conjure_http::private::Error,
698    >;
699    /// Delete an API key.
700    #[endpoint(
701        method = PUT,
702        path = "/authorization/v1/api-key/{rid}/delete",
703        name = "revokeApiKey"
704    )]
705    async fn revoke_api_key(
706        &self,
707        #[auth]
708        auth_: conjure_object::BearerToken,
709        #[path(
710            name = "rid",
711            decoder = conjure_http::server::conjure::FromPlainDecoder,
712            safe
713        )]
714        rid: super::super::super::objects::authorization::ApiKeyRid,
715    ) -> Result<(), conjure_http::private::Error>;
716}