Documentation
¶
Index ¶
Constants ¶
const ( AppIntegrationProviderSCIM = "scim" AppIntegrationProviderIAM = "aws_iam" AppIntegrationProviderAWSFederation = "aws_federation" )
AppIntegrationProvider enumerates the supported provider types stored in AppIntegration.Provider. Keep in sync with the provisioner builders in cmd/authd/main.go.
const ( AppIntegrationAuthBearer = "bearer" // RP-issued bearer token; stored encrypted on the row AppIntegrationAuthMTLS = "mtls" // client cert from AUTH_SCIM_* env vars )
AppIntegrationAuthMode enumerates the mutually-exclusive ways auth proves itself to a downstream SCIM endpoint. AWS IAM ignores this field — credentials always come from the AWS SDK's default chain.
const ( DeviceGrantStatusPending = "pending" DeviceGrantStatusApproved = "approved" DeviceGrantStatusDenied = "denied" DeviceGrantStatusRedeemed = "redeemed" DeviceGrantStatusExpired = "expired" )
DeviceGrant status values. State machine:
pending → approved (user clicks Approve at /device/confirm) pending → denied (user clicks Deny) pending → expired (lazy transition at /token if expires_at passed) approved → redeemed (CLI exchanges device_code at /token)
`expired` is also written by the periodic reaper for housekeeping; redeemed and denied rows linger briefly for audit before reap.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AWSAccount ¶ added in v0.2.0
type AWSAccount struct {
ID uuid.UUID
AccountID string
Alias string
OIDCProviderARN string
CreatedAt time.Time
UpdatedAt time.Time
}
AWSAccount is one AWS account that auth federates into. account_id is the numeric account ID, alias is the human label, and oidc_provider_arn is what auth needs to identify which OIDC provider object to reference in role trust policies (matches the principal: arn:aws:iam::<account>:oidc-provider/... shape — auth doesn't call AWS to read this, the operator records it once at setup time so the federation handler can emit the right session-tag confirmation in the audit row).
type AWSRevokedUser ¶ added in v0.2.0
AWSRevokedUser is one (role, user-uuid) entry that the revocation provisioner has added to the role's AuthRevokedUsers inline policy. RevokedAt is when the entry was added; the reaper trims rows older than the role's MaxSessionDurationSec — by then every session denied by the statement has expired naturally.
type AWSRole ¶ added in v0.2.0
type AWSRole struct {
ID uuid.UUID
AccountID uuid.UUID
RoleARN string
Slug string
DisplayName string
RequireStepUpMFA bool
MaxSessionDurationSec int
CreatedAt time.Time
UpdatedAt time.Time
}
AWSRole is one assumable IAM role. Slug is a URL/CLI-safe stable identifier the user supplies in `auth-aws-creds get --role <slug>` and `/aws/credentials?role=<slug>`. Audience is server-global (configured via AUTH_AWS_AUDIENCE), not per-role — every minted JWT carries the same `aud` claim, and per-role authorization happens via aws:RequestTag/<key> conditions in trust policies.
RequireStepUpMFA forces a fresh MFA prompt before token mint regardless of session age. MaxSessionDurationSec is passed as DurationSeconds on AssumeRoleWithWebIdentity and capped by the role's AWS-side MaxSessionDuration.
type AWSRoleAssignment ¶ added in v0.2.0
type AWSRoleAssignment struct {
ID uuid.UUID
GroupID uuid.UUID
RoleID uuid.UUID
CreatedAt time.Time
}
AWSRoleAssignment links a SCIM group to an AWS role. Membership in the group grants the user the right to assume the role via the portal. The pair (group_id, role_id) is unique.
type AppIntegration ¶
type AppIntegration struct {
ID uuid.UUID
Name string
Provider string
Enabled bool
Config AppIntegrationConfig
EncryptedToken []byte
EncryptedDEK []byte
CreatedAt time.Time
UpdatedAt time.Time
}
AppIntegration is a single outbound provisioning target. Tokens are envelope-encrypted via bcrypto.EncryptEnvelope (matching mfa/totp.go); the EncryptedToken/EncryptedDEK pair is nil for IAM-style providers that source credentials from elsewhere.
type AppIntegrationConfig ¶
type AppIntegrationConfig struct {
BaseURL string `json:"base_url,omitempty"`
TimeoutMS int `json:"timeout_ms,omitempty"`
GroupMap map[string]string `json:"group_map,omitempty"`
// AuthMode applies to SCIM integrations only: "bearer" or "mtls".
// Empty defaults to "bearer" for backward compatibility with rows
// created before this field was added.
AuthMode string `json:"auth_mode,omitempty"`
}
AppIntegrationConfig is the non-secret JSON payload persisted alongside an AppIntegration. SCIM providers populate BaseURL + TimeoutMS + AuthMode; AWS IAM uses GroupMap (SCIM display name → IAM group name). Unknown fields for the chosen provider are ignored at runtime.
type Client ¶
type Client struct {
ID uuid.UUID
ClientID string
ClientSecretHash string
Name string
RedirectURIs []string
Scopes []string
Public bool
BackchannelLogoutURI *string
ShowInPortal bool
LaunchURL string
BrandColor string
IconURL string
VisibleToAll bool
// AllowDeviceGrant opts this client into the RFC 8628 device
// authorization flow. Off by default; ops flips on for headless
// clients (auth-aws-creds and similar). /device_authorization
// rejects clients without this flag set.
AllowDeviceGrant bool
SecretRotatedAt time.Time
CreatedAt time.Time
}
Client is an OAuth2/OIDC client registration.
BackchannelLogoutURI, when non-nil, opts the client into OIDC Back-Channel Logout 1.0: on every event that ends a user's session at the OP (portal logout, admin deactivation, SCIM deprovision, password reset) auth POSTs a signed logout_token JWT to this URI so the RP can invalidate its local session state without waiting for the credential to expire.
The Portal* fields drive /portal/apps. ShowInPortal gates the tile; LaunchURL is where the tile's click navigates (typically the RP's initiate-login endpoint, e.g. https://vault.example.com/ui/vault/auth/oidc — NOT auth's /authorize, since the RP needs to set its own state/nonce for the code flow). BrandColor and IconURL are cosmetic. VisibleToAll makes the tile show to every authenticated user; when false, visibility is scoped via the client_visibility table (SCIM-group join, parallel to aws_role_assignments).
type DeviceGrant ¶ added in v0.3.0
type DeviceGrant struct {
ID uuid.UUID
DeviceCodeHash string
UserCodeHash string
ClientID uuid.UUID
Scopes []string
Status string
UserID *uuid.UUID
MFAVerified bool
MFAVerifiedAt *time.Time
ApproverIP string
IntervalSec int
LastPolledAt *time.Time
CreatedAt time.Time
ExpiresAt time.Time
}
DeviceGrant backs RFC 8628. See migration 018 for the schema doc. device_code and user_code are stored hashed; the plaintext values only exist in memory at creation time, are returned to the caller once, and are otherwise unrecoverable. mfa_verified / mfa_verified_at are captured at approval time from the approver's portal session so the issued bearer session inherits a stable MFA snapshot.
type Session ¶
type Session struct {
ID uuid.UUID
UserID uuid.UUID
ClientID uuid.UUID
AccessTokenHash string
RefreshTokenHash string
Scopes []string
AccessExpiresAt time.Time
RefreshExpiresAt time.Time
LastActivityAt time.Time
MFAVerified bool
// MFAVerifiedAt is when the session last completed an MFA challenge.
// MFAVerified is "ever?" — kept for the audit/policy code paths that
// just need a yes/no — and MFAVerifiedAt is "when?", used by step-up
// gates that demand a freshly proven MFA. Nil for sessions that
// never saw an MFA prompt (e.g. user has MFA disabled).
MFAVerifiedAt *time.Time
CreatedAt time.Time
}
Session backs both portal cookies and OIDC bearer credentials. The two expiry columns split what used to be a single field:
- AccessExpiresAt — when the bearer access token stops being honoured by bearerAuth. Slid forward on portal hits and on each refresh-token exchange. Matches the `expires_in` value advertised to RPs.
- RefreshExpiresAt — when the refresh token grant stops working. Slid forward on each successful refresh exchange.
An absolute session lifetime is enforced in code as `now - CreatedAt > absoluteSessionTTL` rather than via a third column — re-auth at /authorize resets it by minting a new row.
type SigningKey ¶
type TOTPCredential ¶
type User ¶
type User struct {
ID uuid.UUID
Email string
PasswordHash string
Name string
Active bool
SCIMExternalID string
MFAEnabled bool
IsAdmin bool
PasswordChangedAt time.Time
FailedAttempts int
LockedUntil *time.Time
// MustChangePassword routes the user to /portal/login/change-password
// after successful CheckPassword, instead of issuing a session. Set by
// admin reset actions; cleared automatically when the user rotates.
MustChangePassword bool
CreatedAt time.Time
UpdatedAt time.Time
}