Documentation
¶
Overview ¶
Package api implements the HTTP server for the IdP.
Index ¶
Constants ¶
View Source
const ( ActionLogin = "auth.login" ActionLoginFailed = "auth.login.failed" ActionLoginMFA = "auth.login.mfa" ActionLoginMFAFailed = "auth.login.mfa.failed" ActionLogout = "auth.logout" ActionTokenIssued = "auth.token.issued" ActionTokenRevoked = "auth.token.revoked" ActionTokenRefreshed = "auth.token.refreshed" // ActionBackchannelLogout records each OIDC Back-Channel Logout 1.0 // notification auth POSTs to an RP's backchannel_logout_uri. One entry // per RP per notification; failures (HTTP non-2xx, dial errors) are // recorded with the http status / error in metadata. The push is best- // effort so a failure does NOT cause the originating logout to roll back. ActionBackchannelLogout = "auth.logout.backchannel" ActionUserCreated = "admin.user.created" ActionUserUpdated = "admin.user.updated" ActionUserDeleted = "admin.user.deleted" // ActionUserCompromisedReset bundles the "assume credentials are // leaked, invalidate everything" admin action: temp password issued // + must_change_password set, MFA wiped, auth sessions deleted, // back-channel logout broadcast, AWS federation sessions revoked. // One audit row covers the whole sequence so investigations see the // intentional bundled action rather than five disconnected events. ActionUserCompromisedReset = "admin.user.compromised_reset" ActionClientCreated = "admin.client.created" ActionClientUpdated = "admin.client.updated" ActionClientDeleted = "admin.client.deleted" ActionClientSecretRotated = "admin.client.secret.rotated" // Group lifecycle — managed via portal; fanned out to downstream SCIM/IAM provisioners. ActionGroupCreated = "admin.group.created" ActionGroupUpdated = "admin.group.updated" ActionGroupDeleted = "admin.group.deleted" ActionMFATOTPEnrolled = "mfa.totp.enrolled" ActionMFATOTPDeleted = "mfa.totp.deleted" ActionMFAWebAuthnEnrolled = "mfa.webauthn.enrolled" ActionMFAWebAuthnDeleted = "mfa.webauthn.deleted" ActionIntegrationCreated = "admin.integration.created" ActionIntegrationUpdated = "admin.integration.updated" ActionIntegrationDeleted = "admin.integration.deleted" ActionIntegrationTested = "admin.integration.tested" ActionIntegrationSynced = "admin.integration.synced" // AWS OIDC federation events — separate from admin.integration.* because // these touch the federation catalog (accounts/roles/assignments) and // the federation runtime (token exchange + role-side revocation), not // the generic app_integrations row. ActionAWSAccountCreated = "admin.aws.account.created" ActionAWSAccountUpdated = "admin.aws.account.updated" ActionAWSAccountDeleted = "admin.aws.account.deleted" ActionAWSRoleCreated = "admin.aws.role.created" ActionAWSRoleUpdated = "admin.aws.role.updated" ActionAWSRoleDeleted = "admin.aws.role.deleted" ActionAWSAssignmentCreated = "admin.aws.assignment.created" ActionAWSAssignmentDeleted = "admin.aws.assignment.deleted" ActionAWSConsoleAssumed = "aws.console.assumed" ActionAWSConsoleAssumeFailed = "aws.console.assume.failed" ActionAWSFederationRevoked = "aws.federation.revoked" // ActionAWSFederationRevokedManual is the operator-triggered variant // (the "Revoke AWS sessions" button on the user edit page). Distinct // from the auto-revoke that runs on full deactivation so investigations // can tell "admin pulled the cord intentionally" apart from "user was // deactivated and revocation came along for the ride." ActionAWSFederationRevokedManual = "aws.federation.revoked.manual" ActionAWSFederationRevokeReaped = "aws.federation.revoke.reaped" // Device authorization grant (RFC 8628) lifecycle. Four distinct // events keyed off the device_grants state machine — separate so // investigations can distinguish "code created but never approved" // (likely user gave up) from "approved then denied at /token" // (likely replay attempt) at audit-tail time. ActionDeviceAuthorizationCreated = "auth.device.authorization.created" ActionDeviceCodeApproved = "auth.device.code.approved" ActionDeviceCodeDenied = "auth.device.code.denied" ActionDeviceCodeRedeemed = "auth.device.code.redeemed" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
Store store.Store
Signer *internaljwt.Signer
Policy *policy.Engine
WAHandler *mfa.WAHandler
KP bcrypto.KeyProvider
Provisioners *provision.Registry
OutboundTLS *tls.Config
Audit audit.Sink
AuditSource journal.Source
Issuer string
AWSAudience string
// StepUpMFATTL bounds how recently the user must have completed an
// MFA challenge for sensitive role assumption to proceed without
// re-prompting. Zero or negative falls back to the package default.
StepUpMFATTL time.Duration
MasterKey []byte
Log *slog.Logger
AllowRegistration bool
}
Config holds server constructor options.
Source Files
¶
- admin.go
- audit.go
- audit_stream.go
- aws_credentials.go
- backchannel_logout.go
- discovery.go
- github.go
- mfa_api.go
- middleware.go
- oauth2.go
- provision.go
- server.go
- web.go
- web_portal.go
- web_portal_apps.go
- web_portal_aws.go
- web_portal_aws_admin.go
- web_portal_device.go
- web_portal_groups.go
- web_portal_integrations.go
- web_portal_step_up.go
- web_sso.go
Click to show internal directories.
Click to hide internal directories.