Documentation
¶
Overview ¶
Package constants holds the shared, compile-time constant values used across Authorizer — database types, authentication and authenticator methods, token and cookie names, webhook event names, audit event/actor/resource types, and related enumerations.
Index ¶
Constants ¶
const ( // AuditActorTypeUser identifies a regular user as the audit actor. AuditActorTypeUser = "user" // AuditActorTypeAdmin identifies an admin as the audit actor. AuditActorTypeAdmin = "admin" // AuditActorTypeServiceAccount identifies a machine/workload service account // as the audit actor (client_credentials grant, RFC 6749 §4.4). AuditActorTypeServiceAccount = "service_account" )
Audit actor type constants identify who performed an auditable action.
const ( // AuditResourceTypeUser represents a user entity. AuditResourceTypeUser = "user" // AuditResourceTypeSession represents a user session. AuditResourceTypeSession = "session" // AuditResourceTypeAdminSession represents an admin session. AuditResourceTypeAdminSession = "admin_session" // AuditResourceTypeWebhook represents a webhook entity. AuditResourceTypeWebhook = "webhook" // AuditResourceTypeEmailTemplate represents an email template entity. AuditResourceTypeEmailTemplate = "email_template" // AuditResourceTypeToken represents an auth token. AuditResourceTypeToken = "token" // AuditResourceTypeFgaModel represents a fine-grained authorization model. AuditResourceTypeFgaModel = "fga_model" // AuditResourceTypeFgaTuple represents a fine-grained authorization tuple. AuditResourceTypeFgaTuple = "fga_tuple" // AuditResourceTypeServiceAccount represents a machine/workload service account. AuditResourceTypeServiceAccount = "service_account" // AuditResourceTypeTrustedIssuer represents a trusted external JWT issuer. AuditResourceTypeTrustedIssuer = "trusted_issuer" // AuditResourceTypeOrgOIDCConnection represents a per-org upstream OIDC IdP. AuditResourceTypeOrgOIDCConnection = "org_oidc_connection" // AuditResourceTypeOrgSAMLConnection represents a per-org upstream SAML IdP. AuditResourceTypeOrgSAMLConnection = "org_saml_connection" // AuditResourceTypeOrganization represents an organization entity. AuditResourceTypeOrganization = "organization" // AuditResourceTypeOrgMembership represents an org membership entity. AuditResourceTypeOrgMembership = "org_membership" // AuditResourceTypeScimEndpoint represents a per-org SCIM endpoint. AuditResourceTypeScimEndpoint = "scim_endpoint" // AuditResourceTypeOrgDomain represents a per-org verified domain. AuditResourceTypeOrgDomain = "org_domain" )
Audit resource type constants identify the type of resource affected by an auditable action.
const ( // AuditLoginSuccessEvent is logged when a user successfully authenticates. AuditLoginSuccessEvent = "user.login_success" // AuditLoginFailedEvent is logged when a user authentication attempt fails. AuditLoginFailedEvent = "user.login_failed" // AuditSignupEvent is logged when a new user registers. AuditSignupEvent = "user.signup" // AuditLogoutEvent is logged when a user logs out. AuditLogoutEvent = "user.logout" // AuditPasswordChangedEvent is logged when a user changes their password. AuditPasswordChangedEvent = "user.password_changed" // AuditPasswordResetEvent is logged when a user resets their password via token or OTP. AuditPasswordResetEvent = "user.password_reset" // AuditForgotPasswordEvent is logged when a user requests a password reset. AuditForgotPasswordEvent = "user.forgot_password_requested" // AuditMagicLinkRequestedEvent is logged when a user requests a magic link login. AuditMagicLinkRequestedEvent = "user.magic_link_requested" // AuditEmailVerifiedEvent is logged when a user's email is verified. AuditEmailVerifiedEvent = "user.email_verified" // AuditPhoneVerifiedEvent is logged when a user's phone number is verified. AuditPhoneVerifiedEvent = "user.phone_verified" // AuditWebauthnCredentialAddedEvent is logged when a user registers a passkey. AuditWebauthnCredentialAddedEvent = "user.webauthn_credential_added" // AuditWebauthnCredentialDeletedEvent is logged when a user deletes a passkey. AuditWebauthnCredentialDeletedEvent = "user.webauthn_credential_deleted" // AuditMFAEnabledEvent is logged when a user enables multi-factor authentication. AuditMFAEnabledEvent = "user.mfa_enabled" // AuditMFADisabledEvent is logged when a user disables multi-factor authentication. AuditMFADisabledEvent = "user.mfa_disabled" // AuditProfileUpdatedEvent is logged when a user updates their profile. AuditProfileUpdatedEvent = "user.profile_updated" // AuditUserDeactivatedEvent is logged when a user deactivates their account. AuditUserDeactivatedEvent = "user.deactivated" // AuditOTPResentEvent is logged when an OTP is resent to a user. AuditOTPResentEvent = "user.otp_resent" // AuditVerifyEmailResentEvent is logged when a verification email is resent. AuditVerifyEmailResentEvent = "user.verify_email_resent" // AuditAdminLoginSuccessEvent is logged when an admin successfully authenticates. AuditAdminLoginSuccessEvent = "admin.login_success" // AuditAdminLoginFailedEvent is logged when an admin authentication attempt fails. AuditAdminLoginFailedEvent = "admin.login_failed" // AuditAdminLogoutEvent is logged when an admin logs out. AuditAdminLogoutEvent = "admin.logout" // AuditAdminUserCreatedEvent is logged when an admin creates a user. AuditAdminUserCreatedEvent = "admin.user_created" // AuditAdminUserUpdatedEvent is logged when an admin updates a user. AuditAdminUserUpdatedEvent = "admin.user_updated" // AuditAdminUserDeletedEvent is logged when an admin deletes a user. AuditAdminUserDeletedEvent = "admin.user_deleted" // AuditAdminAccessRevokedEvent is logged when an admin revokes a user's access. AuditAdminAccessRevokedEvent = "admin.access_revoked" // AuditAdminAccessEnabledEvent is logged when an admin restores a user's access. AuditAdminAccessEnabledEvent = "admin.access_enabled" // AuditAdminInviteSentEvent is logged when an admin sends a user invitation. AuditAdminInviteSentEvent = "admin.invite_sent" // AuditAdminConfigChangedEvent is logged when an admin modifies server configuration. AuditAdminConfigChangedEvent = "admin.config_changed" // AuditAdminWebhookCreatedEvent is logged when an admin creates a webhook. AuditAdminWebhookCreatedEvent = "admin.webhook_created" // AuditAdminWebhookUpdatedEvent is logged when an admin updates a webhook. AuditAdminWebhookUpdatedEvent = "admin.webhook_updated" // AuditAdminWebhookDeletedEvent is logged when an admin deletes a webhook. AuditAdminWebhookDeletedEvent = "admin.webhook_deleted" // AuditAdminEmailTemplateCreatedEvent is logged when an admin creates an email template. AuditAdminEmailTemplateCreatedEvent = "admin.email_template_created" // AuditAdminEmailTemplateUpdatedEvent is logged when an admin updates an email template. AuditAdminEmailTemplateUpdatedEvent = "admin.email_template_updated" // AuditAdminEmailTemplateDeletedEvent is logged when an admin deletes an email template. AuditAdminEmailTemplateDeletedEvent = "admin.email_template_deleted" // AuditAdminFgaModelWrittenEvent is logged when an admin writes a fine-grained authorization model. AuditAdminFgaModelWrittenEvent = "admin.fga_model_written" // AuditAdminFgaTuplesWrittenEvent is logged when an admin writes fine-grained authorization tuples. AuditAdminFgaTuplesWrittenEvent = "admin.fga_tuples_written" // AuditAdminFgaTuplesDeletedEvent is logged when an admin deletes fine-grained authorization tuples. AuditAdminFgaTuplesDeletedEvent = "admin.fga_tuples_deleted" // AuditAdminFgaResetEvent is logged when an admin resets the fine-grained authorization store // (deletes the model, all its versions, and all tuples). AuditAdminFgaResetEvent = "admin.fga_reset" // AuditOAuthLoginInitiatedEvent is logged when an OAuth login flow is started. AuditOAuthLoginInitiatedEvent = "oauth.login_initiated" // AuditOAuthCallbackSuccessEvent is logged when an OAuth callback completes successfully. AuditOAuthCallbackSuccessEvent = "oauth.callback_success" // AuditOAuthCallbackFailedEvent is logged when an OAuth callback fails. AuditOAuthCallbackFailedEvent = "oauth.callback_failed" // AuditSSOLoginInitiatedEvent is logged when an org OIDC SSO login is started. AuditSSOLoginInitiatedEvent = "sso.login_initiated" // AuditSSOCallbackSuccessEvent is logged when an org OIDC SSO callback succeeds. AuditSSOCallbackSuccessEvent = "sso.callback_success" // AuditSSOCallbackFailedEvent is logged when an org OIDC SSO callback fails. AuditSSOCallbackFailedEvent = "sso.callback_failed" // AuditSAMLLoginInitiatedEvent is logged when an org SAML SP login is started. AuditSAMLLoginInitiatedEvent = "saml.login_initiated" // AuditSAMLACSSuccessEvent is logged when an org SAML ACS assertion is accepted. AuditSAMLACSSuccessEvent = "saml.acs_success" // AuditSAMLACSFailedEvent is logged when an org SAML ACS assertion is rejected. AuditSAMLACSFailedEvent = "saml.acs_failed" // AuditTokenIssuedEvent is logged when a new token is issued. AuditTokenIssuedEvent = "token.issued" // AuditTokenRefreshedEvent is logged when a token is refreshed. AuditTokenRefreshedEvent = "token.refreshed" // AuditTokenRevokedEvent is logged when a token is revoked. AuditTokenRevokedEvent = "token.revoked" // AuditSessionCreatedEvent is logged when a new session is created. AuditSessionCreatedEvent = "session.created" // AuditSessionTerminatedEvent is logged when a session is terminated. AuditSessionTerminatedEvent = "session.terminated" // AuditClientCreatedEvent is logged when an admin creates a client. AuditClientCreatedEvent = "admin.client_created" // AuditClientUpdatedEvent is logged when an admin updates a client. AuditClientUpdatedEvent = "admin.client_updated" // AuditClientDeletedEvent is logged when an admin deletes a client. AuditClientDeletedEvent = "admin.client_deleted" // AuditClientSecretRotatedEvent is logged when a client secret is rotated. AuditClientSecretRotatedEvent = "admin.client_secret_rotated" // AuditClientDeactivatedEvent is logged when an admin disables a client. // Distinct from the generic update event so incident responders can query the kill-switch // signal directly without scanning all update payloads. AuditClientDeactivatedEvent = "admin.client_deactivated" // AuditClientActivatedEvent is logged when an admin re-enables a client. AuditClientActivatedEvent = "admin.client_activated" // AuditOrgOIDCConnectionCreatedEvent is logged when an admin creates an org OIDC connection. AuditOrgOIDCConnectionCreatedEvent = "admin.org_oidc_connection_created" // AuditOrgOIDCConnectionUpdatedEvent is logged when an admin updates an org OIDC connection. AuditOrgOIDCConnectionUpdatedEvent = "admin.org_oidc_connection_updated" // AuditOrgOIDCConnectionDeletedEvent is logged when an admin deletes an org OIDC connection. AuditOrgOIDCConnectionDeletedEvent = "admin.org_oidc_connection_deleted" // AuditOrgSAMLConnectionCreatedEvent is logged when an admin creates an org SAML connection. AuditOrgSAMLConnectionCreatedEvent = "admin.org_saml_connection_created" // AuditOrgSAMLConnectionUpdatedEvent is logged when an admin updates an org SAML connection. AuditOrgSAMLConnectionUpdatedEvent = "admin.org_saml_connection_updated" // AuditOrgSAMLConnectionDeletedEvent is logged when an admin deletes an org SAML connection. AuditOrgSAMLConnectionDeletedEvent = "admin.org_saml_connection_deleted" // AuditTrustedIssuerCreatedEvent is logged when an admin adds a trusted issuer. AuditTrustedIssuerCreatedEvent = "admin.trusted_issuer_created" // AuditTrustedIssuerUpdatedEvent is logged when an admin updates a trusted issuer. AuditTrustedIssuerUpdatedEvent = "admin.trusted_issuer_updated" // AuditTrustedIssuerDeletedEvent is logged when an admin deletes a trusted issuer. AuditTrustedIssuerDeletedEvent = "admin.trusted_issuer_deleted" // AuditTrustedIssuerTokenReviewChangedEvent is logged when EnableTokenReview is toggled. // Downgrading from online (true) to offline (false) is a security-posture change and // must be queryable independently of generic trusted_issuer_updated events. AuditTrustedIssuerTokenReviewChangedEvent = "admin.trusted_issuer_token_review_changed" // AuditOrganizationCreatedEvent is logged when an admin creates an organization. AuditOrganizationCreatedEvent = "admin.organization_created" // AuditOrganizationCreateFailedEvent is logged when organization creation fails. AuditOrganizationCreateFailedEvent = "admin.organization_create_failed" // AuditOrganizationUpdatedEvent is logged when an admin updates an organization. AuditOrganizationUpdatedEvent = "admin.organization_updated" // AuditOrganizationUpdateFailedEvent is logged when an organization update fails. AuditOrganizationUpdateFailedEvent = "admin.organization_update_failed" // AuditOrganizationDeletedEvent is logged when an admin deletes an organization. AuditOrganizationDeletedEvent = "admin.organization_deleted" // AuditOrganizationDeleteFailedEvent is logged when an organization delete fails. AuditOrganizationDeleteFailedEvent = "admin.organization_delete_failed" // AuditOrgMemberAddedEvent is logged when an admin adds a user to an organization. AuditOrgMemberAddedEvent = "admin.org_member_added" // AuditOrgMemberAddFailedEvent is logged when adding an org member fails. AuditOrgMemberAddFailedEvent = "admin.org_member_add_failed" // AuditOrgMemberRemovedEvent is logged when an admin removes a user from an organization. AuditOrgMemberRemovedEvent = "admin.org_member_removed" // AuditOrgMemberRemoveFailedEvent is logged when removing an org member fails. AuditOrgMemberRemoveFailedEvent = "admin.org_member_remove_failed" // AuditScimEndpointCreatedEvent is logged when an admin creates a SCIM endpoint. AuditScimEndpointCreatedEvent = "admin.scim_endpoint_created" // AuditScimEndpointCreateFailedEvent is logged when SCIM endpoint creation fails. AuditScimEndpointCreateFailedEvent = "admin.scim_endpoint_create_failed" // AuditScimTokenRotatedEvent is logged when an admin rotates a SCIM token. AuditScimTokenRotatedEvent = "admin.scim_token_rotated" // AuditScimTokenRotateFailedEvent is logged when a SCIM token rotation fails. AuditScimTokenRotateFailedEvent = "admin.scim_token_rotate_failed" // AuditScimEndpointDeletedEvent is logged when an admin deletes a SCIM endpoint. AuditScimEndpointDeletedEvent = "admin.scim_endpoint_deleted" // AuditScimEndpointDeleteFailedEvent is logged when a SCIM endpoint delete fails. AuditScimEndpointDeleteFailedEvent = "admin.scim_endpoint_delete_failed" // AuditOrgDomainRequestedEvent is logged when an org admin requests a domain // verification challenge (a DNS TXT proof is minted; no durable row yet). AuditOrgDomainRequestedEvent = "admin.org_domain_requested" // AuditOrgDomainRequestFailedEvent is logged when a domain request fails. AuditOrgDomainRequestFailedEvent = "admin.org_domain_request_failed" // AuditOrgDomainVerifiedEvent is logged when a domain is verified (DNS TXT or // super-admin trusted-assert) and the verified row is inserted. AuditOrgDomainVerifiedEvent = "admin.org_domain_verified" // AuditOrgDomainVerifyFailedEvent is logged when a domain verification fails. AuditOrgDomainVerifyFailedEvent = "admin.org_domain_verify_failed" // AuditOrgDomainDeletedEvent is logged when a verified domain is deleted. AuditOrgDomainDeletedEvent = "admin.org_domain_deleted" // AuditOrgDomainDeleteFailedEvent is logged when a verified domain delete fails. AuditOrgDomainDeleteFailedEvent = "admin.org_domain_delete_failed" // AuditTokenClientCredentialsEvent is logged when a service account obtains a token // via the client_credentials grant (RFC 6749 §4.4). AuditTokenClientCredentialsEvent = "token.client_credentials" // AuditTokenClientCredentialsFailedEvent is logged when a client_credentials // authentication attempt fails (unknown client_id, inactive account, or // wrong secret) — mirrors AuditLoginFailedEvent for the human login path. AuditTokenClientCredentialsFailedEvent = "token.client_credentials_failed" // AuditTokenExchangeEvent is logged when a token exchange occurs (RFC 8693). AuditTokenExchangeEvent = "token.exchange" // AuditWorkloadAuthEvent is logged when a workload authenticates via client_assertion // (K8s SA token, SPIFFE JWT-SVID, or generic OIDC workload token). AuditWorkloadAuthEvent = "token.workload_auth" )
Audit event type constants used for structured audit logging. Each constant represents a specific auditable action in the system, organized by domain: user authentication, admin operations, OAuth, token lifecycle, and session management.
const ( // AuthRecipeMethodBasicAuth is the basic_auth auth method AuthRecipeMethodBasicAuth = "basic_auth" // AuthRecipeMethodMobileBasicAuth is the mobile basic_auth method, where user can signup using mobile number and password AuthRecipeMethodMobileBasicAuth = "mobile_basic_auth" // AuthRecipeMethodMagicLinkLogin is the magic_link_login auth method AuthRecipeMethodMagicLinkLogin = "magic_link_login" // AuthRecipeMethodMobileOTP is the mobile_otp auth method AuthRecipeMethodMobileOTP = "mobile_otp" // AuthRecipeMethodWebauthn is the webauthn/passkey auth method AuthRecipeMethodWebauthn = "webauthn" // AuthRecipeMethodGoogle is the google auth method AuthRecipeMethodGoogle = "google" // AuthRecipeMethodGithub is the github auth method AuthRecipeMethodGithub = "github" // AuthRecipeMethodFacebook is the facebook auth method AuthRecipeMethodFacebook = "facebook" // AuthRecipeMethodLinkedin is the linkedin auth method AuthRecipeMethodLinkedIn = "linkedin" // AuthRecipeMethodApple is the apple auth method AuthRecipeMethodApple = "apple" // AuthRecipeMethodDiscord is the discord auth method AuthRecipeMethodDiscord = "discord" // AuthRecipeMethodTwitter is the twitter auth method AuthRecipeMethodTwitter = "twitter" // AuthRecipeMethodMicrosoft is the microsoft auth method AuthRecipeMethodMicrosoft = "microsoft" // AuthRecipeMethodTwitch is the twitch auth method AuthRecipeMethodTwitch = "twitch" // AuthRecipeMethodRoblox is the roblox auth method AuthRecipeMethodRoblox = "roblox" // AuthRecipeMethodSSO is the login_method stamped on sessions established via // a per-org OIDC SSO broker flow. It namespaces the memory-store session key // ("sso:<user_id>") the same way the social recipes do. AuthRecipeMethodSSO = "sso" // AuthRecipeMethodServiceAccount is the login_method stamped on machine // access tokens issued via the client_credentials grant (RFC 6749 §4.4). // It is not a human login recipe — it namespaces the memory-store session // key ("service_account:<id>") so ValidateAccessToken derives the same key // the token endpoint registered the token under, keeping machine tokens on // the existing stateful validation path with zero special-casing. AuthRecipeMethodServiceAccount = "service_account" )
const ( // ClientKindInteractive is a human-facing login client (browser/app // authorization_code + PKCE flows). ClientKindInteractive = "interactive" // ClientKindServiceAccount is a machine/workload client using the // client_credentials grant or workload identity federation. ClientKindServiceAccount = "service_account" )
Client.Kind discriminator values. Immutable after creation.
const ( // TokenEndpointAuthMethodClientSecretBasic sends client_id/client_secret in // the HTTP Authorization header (RFC 6749 §2.3.1). TokenEndpointAuthMethodClientSecretBasic = "client_secret_basic" // TokenEndpointAuthMethodClientSecretPost sends client_id/client_secret in // the request body. TokenEndpointAuthMethodClientSecretPost = "client_secret_post" // TokenEndpointAuthMethodNone is a public client with no secret; it proves // possession via PKCE. TokenEndpointAuthMethodNone = "none" )
Client.TokenEndpointAuthMethod values (RFC 7591 §2 / OIDC Core §9).
const ( // AppCookieName is the name of the cookie that is used to store the application token AppCookieName = "cookie" // AdminCookieName is the name of the cookie that is used to store the admin token AdminCookieName = "authorizer-admin" // MfaCookieName is the name of the cookie that is used to store the mfa session MfaCookieName = "mfa" )
const ( // DbTypePostgres is the postgres database type DbTypePostgres = "postgres" // DbTypeSqlite is the sqlite database type DbTypeSqlite = "sqlite" // DbTypeLibSQL is the libsql / Turso database type DbTypeLibSQL = "libsql" // DbTypeMysql is the mysql database type DbTypeMysql = "mysql" // DbTypeSqlserver is the sqlserver database type DbTypeSqlserver = "sqlserver" // DbTypeYugabyte is the yugabyte database type DbTypeYugabyte = "yugabyte" // DbTypeMariaDB is the mariadb database type DbTypeMariaDB = "mariadb" // DbTypePlanetScaleDB is the planetscale database type DbTypePlanetScaleDB = "planetscale" // DbTypeCockroachDB is the cockroach database type DbTypeCockroachDB = "cockroachdb" // DbTypeArangoDB is the arangodb database type DbTypeArangoDB = "arangodb" // DbTypeMongoDB is the mongodb database type DbTypeMongoDB = "mongodb" // DbTypeCassandraDB is the cassandra database type DbTypeCassandraDB = "cassandradb" // DbTypeScyllaDB is the scylla database type DbTypeScyllaDB = "scylladb" // DbTypeDynamoDB is the Dynamo database type DbTypeDynamoDB = "dynamodb" // DbTypeCouchbaseDB is the Couchbase database type DbTypeCouchbaseDB = "couchbase" )
const ( // GrantTypeAuthorizationCode is the standard browser-redirect grant (RFC 6749 §4.1). GrantTypeAuthorizationCode = "authorization_code" // GrantTypeRefreshToken rotates an existing refresh token (RFC 6749 §6). GrantTypeRefreshToken = "refresh_token" // GrantTypeClientCredentials issues tokens for machine/service identities // without a human resource owner (RFC 6749 §4.4). // Authenticate using client_id (= Client.ID) and client_secret, // or via client_assertion for workload identity federation (Phases 3–5). GrantTypeClientCredentials = "client_credentials" // GrantTypeTokenExchange enables on-behalf-of delegation and workload-to-user // token exchange (RFC 8693). GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" )
OAuth2 grant type URNs for the token endpoint (RFC 6749 + RFC 8693).
const ( // ClientAssertionTypeJWTBearer identifies a JWT as the client credential // in the client_assertion parameter (RFC 7523). // Used for Kubernetes SA tokens and generic OIDC workload tokens (Phases 3–4). ClientAssertionTypeJWTBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // ClientAssertionTypeJWTSPIFFE identifies a SPIFFE JWT-SVID as the client // credential (draft-schwenkschuster-oauth-spiffe-client-auth-00). // PREVIEW: the underlying draft expired 2026-01-02 and is not WG-adopted. // This URN is not IANA-registered and may change. Ship as experimental only. ClientAssertionTypeJWTSPIFFE = "urn:ietf:params:oauth:client-assertion-type:jwt-spiffe" )
OAuth2 client assertion type URNs (RFC 7521 / RFC 7523).
const ( // TokenTypeURNAccessToken identifies an OAuth2 access token. TokenTypeURNAccessToken = "urn:ietf:params:oauth:token-type:access_token" // TokenTypeURNRefreshToken identifies an OAuth2 refresh token. TokenTypeURNRefreshToken = "urn:ietf:params:oauth:token-type:refresh_token" // TokenTypeURNIDToken identifies an OpenID Connect ID token. TokenTypeURNIDToken = "urn:ietf:params:oauth:token-type:id_token" // TokenTypeURNJWT identifies a generic JWT. TokenTypeURNJWT = "urn:ietf:params:oauth:token-type:jwt" )
RFC 8693 token type URNs used in subject_token_type and issued_token_type.
const ( // KeySourceOIDCDiscovery fetches the JWKS URI from the issuer's OpenID // Connect discovery document (/.well-known/openid-configuration). // Not suitable for private K8s clusters that do not expose discovery publicly. KeySourceOIDCDiscovery = "oidc_discovery" // KeySourceStaticJWKSURL fetches JWKS directly from a configured URL. // Preferred for private clusters — avoids exposing K8s discovery endpoints. KeySourceStaticJWKSURL = "static_jwks_url" // KeySourceSPIFFEBundleEndpoint fetches keys from a SPIFFE bundle endpoint. // Requires SpiffeRefreshHintSeconds to be honoured at runtime (Phase 5). KeySourceSPIFFEBundleEndpoint = "spiffe_bundle_endpoint" )
TrustedIssuer key source types controlling how JWKS are fetched.
const ( // IssuerTypeKubernetesSA identifies a Kubernetes projected ServiceAccount token. IssuerTypeKubernetesSA = "kubernetes_sa" // IssuerTypeSPIFFEJWT identifies a SPIFFE JWT-SVID (Phase 5, preview). IssuerTypeSPIFFEJWT = "spiffe_jwt" // IssuerTypeOIDC identifies a generic OIDC token from an external IdP. IssuerTypeOIDC = "oidc" // IssuerTypeCloudOIDC identifies a cloud-provider workload identity token // (AWS IRSA, GCP Workload Identity, Azure Managed Identity). IssuerTypeCloudOIDC = "cloud_oidc" )
TrustedIssuer issuer type identifiers.
const ( // AuthMethodJWTAssertion uses a JWT as the client_assertion (Phases 3–5, default). AuthMethodJWTAssertion = "jwt_assertion" // AuthMethodX509MTLS uses an X.509-SVID via mTLS (Phase 6). AuthMethodX509MTLS = "x509_mtls" )
TrustedIssuer authentication method identifiers.
const ( // - query: for Authorization Code grant. 302 Found triggers redirect. ResponseModeQuery = "query" // - fragment: for Implicit grant. 302 Found triggers redirect. ResponseModeFragment = "fragment" // - form_post: 200 OK with response parameters embedded in an HTML form as hidden parameters. ResponseModeFormPost = "form_post" // - web_message: For Silent Authentication. Uses HTML5 web messaging. ResponseModeWebMessage = "web_message" // For the Authorization Code grant, use response_type=code to include the authorization code. ResponseTypeCode = "code" // For the Implicit grant, use response_type=token to include an access token. ResponseTypeToken = "token" // For the Implicit grant of id_token, use response_type=id_token to include an identifier token. ResponseTypeIDToken = "id_token" // Constant indicating the "signup" screen hint for customizing authentication process and redirect to a signup page. ScreenHintSignUp = "signup" )
const ( // Ref: https://github.com/qor/auth/blob/master/providers/google/google.go // deprecated and not used. instead we follow open id approach for google login GoogleUserInfoURL = "https://www.googleapis.com/oauth2/v3/userinfo" // Ref: https://github.com/qor/auth/blob/master/providers/facebook/facebook.go#L18 FacebookUserInfoURL = "https://graph.facebook.com/me?fields=id,first_name,last_name,name,email,picture&access_token=" // Ref: https://docs.github.com/en/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#3-your-github-app-accesses-the-api-with-the-users-access-token GithubUserInfoURL = "https://api.github.com/user" // Get github user emails when user info email is empty Ref: https://stackoverflow.com/a/35387123 GithubUserEmails = "https://api.github.com/user/emails" // Ref: https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api LinkedInUserInfoURL = "" /* 142-byte string literal not displayed */ LinkedInEmailURL = "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))" TwitterUserInfoURL = "https://api.twitter.com/2/users/me?user.fields=id,name,profile_image_url,username" // RobloxUserInfoURL is the URL to get user info from Roblox RobloxUserInfoURL = "https://apis.roblox.com/oauth/v1/userinfo" DiscordUserInfoURL = "https://discord.com/api/oauth2/@me" // Get microsoft user info. // Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo MicrosoftUserInfoURL = "https://graph.microsoft.com/oidc/userinfo" )
const ( // TokenTypeRefreshToken is the refresh_token token type TokenTypeRefreshToken = "refresh_token" // TokenTypeAccessToken is the access_token token type TokenTypeAccessToken = "access_token" // TokenTypeIdentityToken is the identity_token token type TokenTypeIdentityToken = "id_token" // TokenTypeSessionToken is the session_token type used for browser session TokenTypeSessionToken = "session_token" )
const ( // ProtocolGraphQL marks an operation served via the GraphQL endpoint. ProtocolGraphQL = "graphql" // ProtocolGRPC marks an operation served via a direct gRPC call. ProtocolGRPC = "grpc" // ProtocolREST marks an operation served via the REST (grpc-gateway) surface. ProtocolREST = "rest" )
Transport protocol identifiers. Recorded on RequestMetadata and surfaced in audit logs (audit.Event.Protocol → audit metadata) and the authorizer_api_operations_total metric so each performed operation is attributable to the protocol it came in on. Low-cardinality; safe as metric label values.
const ( // TrustKindClientAssertion is the default kind. Every pre-existing row (which // may have no kind column value) is treated as this kind on read // (TrustedIssuer.EffectiveKind), so an upgrade never breaks existing // client_assertion trust rows. TrustKindClientAssertion = "client_assertion_trust" // TrustKindSSOOIDC is a per-org upstream OIDC IdP brokered by Authorizer. TrustKindSSOOIDC = "sso_oidc" // TrustKindSSOSAML is reserved for the per-org SAML SP connection. // ponytail: reserved only — SAML SP (signature-wrapping/XSW validation) ships // in its own PR so it gets a focused security review. TrustKindSSOSAML = "sso_saml" )
TrustedIssuer.Kind discriminator values (design §4.3 / §5 K1). Immutable after creation. The unified authorizer_trusted_issuers table serves two distinct trust relationships that MUST NOT be confused (design §5.2 CR1):
- client_assertion_trust: an external JWT issuer whose tokens authenticate an OAuth *client* (RFC 7523 client_assertion). Subject-pinned, org-global.
- sso_oidc: a per-organization upstream OIDC IdP that Authorizer brokers as a Relying Party. Org-scoped (OrgID set), NO subject pin — it federates end users, it can never authenticate a client.
- sso_saml: reserved for the SAML Service Provider (separate PR).
const ( // VerificationTypeBasicAuthSignup is the basic_auth_signup verification type VerificationTypeBasicAuthSignup = "basic_auth_signup" // VerificationTypeMagicLinkLogin is the magic_link_login verification type VerificationTypeMagicLinkLogin = "magic_link_login" // VerificationTypeUpdateEmail is the update_email verification type VerificationTypeUpdateEmail = "update_email" // VerificationTypeForgotPassword is the forgot_password verification type VerificationTypeForgotPassword = "forgot_password" // VerificationTypeInviteMember is the invite_member verification type VerificationTypeInviteMember = "invite_member" // VerificationTypeOTP is the otp verification type VerificationTypeOTP = "verify_otp" )
const ( // UserLoginWebhookEvent name for login event UserLoginWebhookEvent = `user.login` // UserCreatedWebhookEvent name for user creation event // This is triggered when user entry is created but still not verified UserCreatedWebhookEvent = `user.created` // UserSignUpWebhookEvent name for signup event UserSignUpWebhookEvent = `user.signup` // UserAccessRevokedWebhookEvent name for user access revoke event UserAccessRevokedWebhookEvent = `user.access_revoked` // UserAccessEnabledWebhookEvent name for user access enable event UserAccessEnabledWebhookEvent = `user.access_enabled` // UserDeletedWebhookEvent name for user deleted event UserDeletedWebhookEvent = `user.deleted` // UserDeactivatedWebhookEvent name for user deactivated event UserDeactivatedWebhookEvent = `user.deactivated` )
const ( // ResourceCreatedWebhookEvent is fired when an authorization resource is created. ResourceCreatedWebhookEvent = "resource.created" // ResourceUpdatedWebhookEvent is fired when an authorization resource is updated. ResourceUpdatedWebhookEvent = "resource.updated" // ResourceDeletedWebhookEvent is fired when an authorization resource is deleted. ResourceDeletedWebhookEvent = "resource.deleted" // ScopeCreatedWebhookEvent is fired when an authorization scope is created. ScopeCreatedWebhookEvent = "scope.created" // ScopeUpdatedWebhookEvent is fired when an authorization scope is updated. ScopeUpdatedWebhookEvent = "scope.updated" // ScopeDeletedWebhookEvent is fired when an authorization scope is deleted. ScopeDeletedWebhookEvent = "scope.deleted" // PolicyCreatedWebhookEvent is fired when an authorization policy is created. PolicyCreatedWebhookEvent = "policy.created" // PolicyUpdatedWebhookEvent is fired when an authorization policy is updated. PolicyUpdatedWebhookEvent = "policy.updated" // PolicyDeletedWebhookEvent is fired when an authorization policy is deleted. PolicyDeletedWebhookEvent = "policy.deleted" // PermissionCreatedWebhookEvent is fired when an authorization permission is created. PermissionCreatedWebhookEvent = "permission.created" // PermissionUpdatedWebhookEvent is fired when an authorization permission is updated. PermissionUpdatedWebhookEvent = "permission.updated" // PermissionDeletedWebhookEvent is fired when an authorization permission is deleted. PermissionDeletedWebhookEvent = "permission.deleted" // PermissionCheckDeniedWebhookEvent is fired when a permission check is denied // in enforcing mode. Useful for agent kill-switches and security alerting. PermissionCheckDeniedWebhookEvent = "permission.check_denied" )
const (
// EnvKeyTOTPAuthenticator key for env variable TOTP
EnvKeyTOTPAuthenticator = "totp"
)
Authenticators Methods
const OrgRoleAdmin = "authorizer:org_admin"
OrgRoleAdmin is the reserved, namespaced OrgMembership role that grants a user org-scoped admin rights (manage their own org's SSO/SCIM/domain config and members) without being a platform super-admin.
It is intentionally the namespaced string "authorizer:org_admin", NOT the bare "admin": app-defined org roles are free-form and commonly include "admin" or "owner" for the app's own RBAC meaning, so reserving the bare string would silently hand SSO/SCIM control to every member a tenant already made an app-level admin. The ":" namespace cannot collide with a normal app role. Existing bare-"admin" memberships are NEVER auto-promoted — this role must be granted explicitly.
const (
// TestEnv is used for testing
TestEnv = "test"
)
Variables ¶
var DefaultLimit = 10
DefaultLimit is the default limit for pagination
var VERSION = "0.0.1"
var ( // VerificationTypes is slice of all verification types VerificationTypes = []string{ VerificationTypeBasicAuthSignup, VerificationTypeMagicLinkLogin, VerificationTypeUpdateEmail, VerificationTypeForgotPassword, VerificationTypeInviteMember, } )
Functions ¶
This section is empty.
Types ¶
This section is empty.