constants

package
v0.0.0-...-43c1654 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 14, 2026 License: Apache-2.0 Imports: 0 Imported by: 0

Documentation

Overview

Package constants holds the shared, compile-time constant values used across Authorizer — database types, authentication and authenticator methods, token and cookie names, webhook event names, audit event/actor/resource types, and related enumerations.

Index

Constants

View Source
const (
	// AuditActorTypeUser identifies a regular user as the audit actor.
	AuditActorTypeUser = "user"
	// AuditActorTypeAdmin identifies an admin as the audit actor.
	AuditActorTypeAdmin = "admin"
	// AuditActorTypeServiceAccount identifies a machine/workload service account
	// as the audit actor (client_credentials grant, RFC 6749 §4.4).
	AuditActorTypeServiceAccount = "service_account"
)

Audit actor type constants identify who performed an auditable action.

View Source
const (
	// AuditResourceTypeUser represents a user entity.
	AuditResourceTypeUser = "user"
	// AuditResourceTypeSession represents a user session.
	AuditResourceTypeSession = "session"
	// AuditResourceTypeAdminSession represents an admin session.
	AuditResourceTypeAdminSession = "admin_session"
	// AuditResourceTypeWebhook represents a webhook entity.
	AuditResourceTypeWebhook = "webhook"
	// AuditResourceTypeEmailTemplate represents an email template entity.
	AuditResourceTypeEmailTemplate = "email_template"
	// AuditResourceTypeToken represents an auth token.
	AuditResourceTypeToken = "token"
	// AuditResourceTypeFgaModel represents a fine-grained authorization model.
	AuditResourceTypeFgaModel = "fga_model"
	// AuditResourceTypeFgaTuple represents a fine-grained authorization tuple.
	AuditResourceTypeFgaTuple = "fga_tuple"
	// AuditResourceTypeServiceAccount represents a machine/workload service account.
	AuditResourceTypeServiceAccount = "service_account"
	// AuditResourceTypeTrustedIssuer represents a trusted external JWT issuer.
	AuditResourceTypeTrustedIssuer = "trusted_issuer"
	// AuditResourceTypeOrgOIDCConnection represents a per-org upstream OIDC IdP.
	AuditResourceTypeOrgOIDCConnection = "org_oidc_connection"
	// AuditResourceTypeOrgSAMLConnection represents a per-org upstream SAML IdP.
	AuditResourceTypeOrgSAMLConnection = "org_saml_connection"
	// AuditResourceTypeOrganization represents an organization entity.
	AuditResourceTypeOrganization = "organization"
	// AuditResourceTypeOrgMembership represents an org membership entity.
	AuditResourceTypeOrgMembership = "org_membership"
	// AuditResourceTypeScimEndpoint represents a per-org SCIM endpoint.
	AuditResourceTypeScimEndpoint = "scim_endpoint"
	// AuditResourceTypeOrgDomain represents a per-org verified domain.
	AuditResourceTypeOrgDomain = "org_domain"
)

Audit resource type constants identify the type of resource affected by an auditable action.

View Source
const (
	// AuditLoginSuccessEvent is logged when a user successfully authenticates.
	AuditLoginSuccessEvent = "user.login_success"
	// AuditLoginFailedEvent is logged when a user authentication attempt fails.
	AuditLoginFailedEvent = "user.login_failed"
	// AuditSignupEvent is logged when a new user registers.
	AuditSignupEvent = "user.signup"
	// AuditLogoutEvent is logged when a user logs out.
	AuditLogoutEvent = "user.logout"
	// AuditPasswordChangedEvent is logged when a user changes their password.
	AuditPasswordChangedEvent = "user.password_changed"
	// AuditPasswordResetEvent is logged when a user resets their password via token or OTP.
	AuditPasswordResetEvent = "user.password_reset"
	// AuditForgotPasswordEvent is logged when a user requests a password reset.
	AuditForgotPasswordEvent = "user.forgot_password_requested"
	// AuditMagicLinkRequestedEvent is logged when a user requests a magic link login.
	AuditMagicLinkRequestedEvent = "user.magic_link_requested"
	// AuditEmailVerifiedEvent is logged when a user's email is verified.
	AuditEmailVerifiedEvent = "user.email_verified"
	// AuditPhoneVerifiedEvent is logged when a user's phone number is verified.
	AuditPhoneVerifiedEvent = "user.phone_verified"
	// AuditWebauthnCredentialAddedEvent is logged when a user registers a passkey.
	AuditWebauthnCredentialAddedEvent = "user.webauthn_credential_added"
	// AuditWebauthnCredentialDeletedEvent is logged when a user deletes a passkey.
	AuditWebauthnCredentialDeletedEvent = "user.webauthn_credential_deleted"
	// AuditMFAEnabledEvent is logged when a user enables multi-factor authentication.
	AuditMFAEnabledEvent = "user.mfa_enabled"
	// AuditMFADisabledEvent is logged when a user disables multi-factor authentication.
	AuditMFADisabledEvent = "user.mfa_disabled"
	// AuditProfileUpdatedEvent is logged when a user updates their profile.
	AuditProfileUpdatedEvent = "user.profile_updated"
	// AuditUserDeactivatedEvent is logged when a user deactivates their account.
	AuditUserDeactivatedEvent = "user.deactivated"
	// AuditOTPResentEvent is logged when an OTP is resent to a user.
	AuditOTPResentEvent = "user.otp_resent"
	// AuditVerifyEmailResentEvent is logged when a verification email is resent.
	AuditVerifyEmailResentEvent = "user.verify_email_resent"

	// AuditAdminLoginSuccessEvent is logged when an admin successfully authenticates.
	AuditAdminLoginSuccessEvent = "admin.login_success"
	// AuditAdminLoginFailedEvent is logged when an admin authentication attempt fails.
	AuditAdminLoginFailedEvent = "admin.login_failed"
	// AuditAdminLogoutEvent is logged when an admin logs out.
	AuditAdminLogoutEvent = "admin.logout"
	// AuditAdminUserCreatedEvent is logged when an admin creates a user.
	AuditAdminUserCreatedEvent = "admin.user_created"
	// AuditAdminUserUpdatedEvent is logged when an admin updates a user.
	AuditAdminUserUpdatedEvent = "admin.user_updated"
	// AuditAdminUserDeletedEvent is logged when an admin deletes a user.
	AuditAdminUserDeletedEvent = "admin.user_deleted"
	// AuditAdminAccessRevokedEvent is logged when an admin revokes a user's access.
	AuditAdminAccessRevokedEvent = "admin.access_revoked"
	// AuditAdminAccessEnabledEvent is logged when an admin restores a user's access.
	AuditAdminAccessEnabledEvent = "admin.access_enabled"
	// AuditAdminInviteSentEvent is logged when an admin sends a user invitation.
	AuditAdminInviteSentEvent = "admin.invite_sent"
	// AuditAdminConfigChangedEvent is logged when an admin modifies server configuration.
	AuditAdminConfigChangedEvent = "admin.config_changed"
	// AuditAdminWebhookCreatedEvent is logged when an admin creates a webhook.
	AuditAdminWebhookCreatedEvent = "admin.webhook_created"
	// AuditAdminWebhookUpdatedEvent is logged when an admin updates a webhook.
	AuditAdminWebhookUpdatedEvent = "admin.webhook_updated"
	// AuditAdminWebhookDeletedEvent is logged when an admin deletes a webhook.
	AuditAdminWebhookDeletedEvent = "admin.webhook_deleted"
	// AuditAdminEmailTemplateCreatedEvent is logged when an admin creates an email template.
	AuditAdminEmailTemplateCreatedEvent = "admin.email_template_created"
	// AuditAdminEmailTemplateUpdatedEvent is logged when an admin updates an email template.
	AuditAdminEmailTemplateUpdatedEvent = "admin.email_template_updated"
	// AuditAdminEmailTemplateDeletedEvent is logged when an admin deletes an email template.
	AuditAdminEmailTemplateDeletedEvent = "admin.email_template_deleted"
	// AuditAdminFgaModelWrittenEvent is logged when an admin writes a fine-grained authorization model.
	AuditAdminFgaModelWrittenEvent = "admin.fga_model_written"
	// AuditAdminFgaTuplesWrittenEvent is logged when an admin writes fine-grained authorization tuples.
	AuditAdminFgaTuplesWrittenEvent = "admin.fga_tuples_written"
	// AuditAdminFgaTuplesDeletedEvent is logged when an admin deletes fine-grained authorization tuples.
	AuditAdminFgaTuplesDeletedEvent = "admin.fga_tuples_deleted"
	// AuditAdminFgaResetEvent is logged when an admin resets the fine-grained authorization store
	// (deletes the model, all its versions, and all tuples).
	AuditAdminFgaResetEvent = "admin.fga_reset"

	// AuditOAuthLoginInitiatedEvent is logged when an OAuth login flow is started.
	AuditOAuthLoginInitiatedEvent = "oauth.login_initiated"
	// AuditOAuthCallbackSuccessEvent is logged when an OAuth callback completes successfully.
	AuditOAuthCallbackSuccessEvent = "oauth.callback_success"
	// AuditOAuthCallbackFailedEvent is logged when an OAuth callback fails.
	AuditOAuthCallbackFailedEvent = "oauth.callback_failed"
	// AuditSSOLoginInitiatedEvent is logged when an org OIDC SSO login is started.
	AuditSSOLoginInitiatedEvent = "sso.login_initiated"
	// AuditSSOCallbackSuccessEvent is logged when an org OIDC SSO callback succeeds.
	AuditSSOCallbackSuccessEvent = "sso.callback_success"
	// AuditSSOCallbackFailedEvent is logged when an org OIDC SSO callback fails.
	AuditSSOCallbackFailedEvent = "sso.callback_failed"
	// AuditSAMLLoginInitiatedEvent is logged when an org SAML SP login is started.
	AuditSAMLLoginInitiatedEvent = "saml.login_initiated"
	// AuditSAMLACSSuccessEvent is logged when an org SAML ACS assertion is accepted.
	AuditSAMLACSSuccessEvent = "saml.acs_success"
	// AuditSAMLACSFailedEvent is logged when an org SAML ACS assertion is rejected.
	AuditSAMLACSFailedEvent = "saml.acs_failed"

	// AuditTokenIssuedEvent is logged when a new token is issued.
	AuditTokenIssuedEvent = "token.issued"
	// AuditTokenRefreshedEvent is logged when a token is refreshed.
	AuditTokenRefreshedEvent = "token.refreshed"
	// AuditTokenRevokedEvent is logged when a token is revoked.
	AuditTokenRevokedEvent = "token.revoked"

	// AuditSessionCreatedEvent is logged when a new session is created.
	AuditSessionCreatedEvent = "session.created"
	// AuditSessionTerminatedEvent is logged when a session is terminated.
	AuditSessionTerminatedEvent = "session.terminated"

	// AuditClientCreatedEvent is logged when an admin creates a client.
	AuditClientCreatedEvent = "admin.client_created"
	// AuditClientUpdatedEvent is logged when an admin updates a client.
	AuditClientUpdatedEvent = "admin.client_updated"
	// AuditClientDeletedEvent is logged when an admin deletes a client.
	AuditClientDeletedEvent = "admin.client_deleted"
	// AuditClientSecretRotatedEvent is logged when a client secret is rotated.
	AuditClientSecretRotatedEvent = "admin.client_secret_rotated"
	// AuditClientDeactivatedEvent is logged when an admin disables a client.
	// Distinct from the generic update event so incident responders can query the kill-switch
	// signal directly without scanning all update payloads.
	AuditClientDeactivatedEvent = "admin.client_deactivated"
	// AuditClientActivatedEvent is logged when an admin re-enables a client.
	AuditClientActivatedEvent = "admin.client_activated"

	// AuditOrgOIDCConnectionCreatedEvent is logged when an admin creates an org OIDC connection.
	AuditOrgOIDCConnectionCreatedEvent = "admin.org_oidc_connection_created"
	// AuditOrgOIDCConnectionUpdatedEvent is logged when an admin updates an org OIDC connection.
	AuditOrgOIDCConnectionUpdatedEvent = "admin.org_oidc_connection_updated"
	// AuditOrgOIDCConnectionDeletedEvent is logged when an admin deletes an org OIDC connection.
	AuditOrgOIDCConnectionDeletedEvent = "admin.org_oidc_connection_deleted"
	// AuditOrgSAMLConnectionCreatedEvent is logged when an admin creates an org SAML connection.
	AuditOrgSAMLConnectionCreatedEvent = "admin.org_saml_connection_created"
	// AuditOrgSAMLConnectionUpdatedEvent is logged when an admin updates an org SAML connection.
	AuditOrgSAMLConnectionUpdatedEvent = "admin.org_saml_connection_updated"
	// AuditOrgSAMLConnectionDeletedEvent is logged when an admin deletes an org SAML connection.
	AuditOrgSAMLConnectionDeletedEvent = "admin.org_saml_connection_deleted"
	// AuditTrustedIssuerCreatedEvent is logged when an admin adds a trusted issuer.
	AuditTrustedIssuerCreatedEvent = "admin.trusted_issuer_created"
	// AuditTrustedIssuerUpdatedEvent is logged when an admin updates a trusted issuer.
	AuditTrustedIssuerUpdatedEvent = "admin.trusted_issuer_updated"
	// AuditTrustedIssuerDeletedEvent is logged when an admin deletes a trusted issuer.
	AuditTrustedIssuerDeletedEvent = "admin.trusted_issuer_deleted"
	// AuditTrustedIssuerTokenReviewChangedEvent is logged when EnableTokenReview is toggled.
	// Downgrading from online (true) to offline (false) is a security-posture change and
	// must be queryable independently of generic trusted_issuer_updated events.
	AuditTrustedIssuerTokenReviewChangedEvent = "admin.trusted_issuer_token_review_changed"

	// AuditOrganizationCreatedEvent is logged when an admin creates an organization.
	AuditOrganizationCreatedEvent = "admin.organization_created"
	// AuditOrganizationCreateFailedEvent is logged when organization creation fails.
	AuditOrganizationCreateFailedEvent = "admin.organization_create_failed"
	// AuditOrganizationUpdatedEvent is logged when an admin updates an organization.
	AuditOrganizationUpdatedEvent = "admin.organization_updated"
	// AuditOrganizationUpdateFailedEvent is logged when an organization update fails.
	AuditOrganizationUpdateFailedEvent = "admin.organization_update_failed"
	// AuditOrganizationDeletedEvent is logged when an admin deletes an organization.
	AuditOrganizationDeletedEvent = "admin.organization_deleted"
	// AuditOrganizationDeleteFailedEvent is logged when an organization delete fails.
	AuditOrganizationDeleteFailedEvent = "admin.organization_delete_failed"
	// AuditOrgMemberAddedEvent is logged when an admin adds a user to an organization.
	AuditOrgMemberAddedEvent = "admin.org_member_added"
	// AuditOrgMemberAddFailedEvent is logged when adding an org member fails.
	AuditOrgMemberAddFailedEvent = "admin.org_member_add_failed"
	// AuditOrgMemberRemovedEvent is logged when an admin removes a user from an organization.
	AuditOrgMemberRemovedEvent = "admin.org_member_removed"
	// AuditOrgMemberRemoveFailedEvent is logged when removing an org member fails.
	AuditOrgMemberRemoveFailedEvent = "admin.org_member_remove_failed"

	// AuditScimEndpointCreatedEvent is logged when an admin creates a SCIM endpoint.
	AuditScimEndpointCreatedEvent = "admin.scim_endpoint_created"
	// AuditScimEndpointCreateFailedEvent is logged when SCIM endpoint creation fails.
	AuditScimEndpointCreateFailedEvent = "admin.scim_endpoint_create_failed"
	// AuditScimTokenRotatedEvent is logged when an admin rotates a SCIM token.
	AuditScimTokenRotatedEvent = "admin.scim_token_rotated"
	// AuditScimTokenRotateFailedEvent is logged when a SCIM token rotation fails.
	AuditScimTokenRotateFailedEvent = "admin.scim_token_rotate_failed"
	// AuditScimEndpointDeletedEvent is logged when an admin deletes a SCIM endpoint.
	AuditScimEndpointDeletedEvent = "admin.scim_endpoint_deleted"
	// AuditScimEndpointDeleteFailedEvent is logged when a SCIM endpoint delete fails.
	AuditScimEndpointDeleteFailedEvent = "admin.scim_endpoint_delete_failed"

	// AuditOrgDomainRequestedEvent is logged when an org admin requests a domain
	// verification challenge (a DNS TXT proof is minted; no durable row yet).
	AuditOrgDomainRequestedEvent = "admin.org_domain_requested"
	// AuditOrgDomainRequestFailedEvent is logged when a domain request fails.
	AuditOrgDomainRequestFailedEvent = "admin.org_domain_request_failed"
	// AuditOrgDomainVerifiedEvent is logged when a domain is verified (DNS TXT or
	// super-admin trusted-assert) and the verified row is inserted.
	AuditOrgDomainVerifiedEvent = "admin.org_domain_verified"
	// AuditOrgDomainVerifyFailedEvent is logged when a domain verification fails.
	AuditOrgDomainVerifyFailedEvent = "admin.org_domain_verify_failed"
	// AuditOrgDomainDeletedEvent is logged when a verified domain is deleted.
	AuditOrgDomainDeletedEvent = "admin.org_domain_deleted"
	// AuditOrgDomainDeleteFailedEvent is logged when a verified domain delete fails.
	AuditOrgDomainDeleteFailedEvent = "admin.org_domain_delete_failed"

	// AuditTokenClientCredentialsEvent is logged when a service account obtains a token
	// via the client_credentials grant (RFC 6749 §4.4).
	AuditTokenClientCredentialsEvent = "token.client_credentials"
	// AuditTokenClientCredentialsFailedEvent is logged when a client_credentials
	// authentication attempt fails (unknown client_id, inactive account, or
	// wrong secret) — mirrors AuditLoginFailedEvent for the human login path.
	AuditTokenClientCredentialsFailedEvent = "token.client_credentials_failed"
	// AuditTokenExchangeEvent is logged when a token exchange occurs (RFC 8693).
	AuditTokenExchangeEvent = "token.exchange"
	// AuditWorkloadAuthEvent is logged when a workload authenticates via client_assertion
	// (K8s SA token, SPIFFE JWT-SVID, or generic OIDC workload token).
	AuditWorkloadAuthEvent = "token.workload_auth"
)

Audit event type constants used for structured audit logging. Each constant represents a specific auditable action in the system, organized by domain: user authentication, admin operations, OAuth, token lifecycle, and session management.

View Source
const (
	// AuthRecipeMethodBasicAuth is the basic_auth auth method
	AuthRecipeMethodBasicAuth = "basic_auth"
	// AuthRecipeMethodMobileBasicAuth is the mobile basic_auth method, where user can signup using mobile number and password
	AuthRecipeMethodMobileBasicAuth = "mobile_basic_auth"
	// AuthRecipeMethodMagicLinkLogin is the magic_link_login auth method
	AuthRecipeMethodMagicLinkLogin = "magic_link_login"
	// AuthRecipeMethodMobileOTP is the mobile_otp auth method
	AuthRecipeMethodMobileOTP = "mobile_otp"
	// AuthRecipeMethodWebauthn is the webauthn/passkey auth method
	AuthRecipeMethodWebauthn = "webauthn"

	// AuthRecipeMethodGoogle is the google auth method
	AuthRecipeMethodGoogle = "google"
	// AuthRecipeMethodGithub is the github auth method
	AuthRecipeMethodGithub = "github"
	// AuthRecipeMethodFacebook is the facebook auth method
	AuthRecipeMethodFacebook = "facebook"
	// AuthRecipeMethodLinkedin is the linkedin auth method
	AuthRecipeMethodLinkedIn = "linkedin"
	// AuthRecipeMethodApple is the apple auth method
	AuthRecipeMethodApple = "apple"
	// AuthRecipeMethodDiscord is the discord auth method
	AuthRecipeMethodDiscord = "discord"
	// AuthRecipeMethodTwitter is the twitter auth method
	AuthRecipeMethodTwitter = "twitter"
	// AuthRecipeMethodMicrosoft is the microsoft auth method
	AuthRecipeMethodMicrosoft = "microsoft"
	// AuthRecipeMethodTwitch is the twitch auth method
	AuthRecipeMethodTwitch = "twitch"
	// AuthRecipeMethodRoblox is the roblox auth method
	AuthRecipeMethodRoblox = "roblox"
	// AuthRecipeMethodSSO is the login_method stamped on sessions established via
	// a per-org OIDC SSO broker flow. It namespaces the memory-store session key
	// ("sso:<user_id>") the same way the social recipes do.
	AuthRecipeMethodSSO = "sso"

	// AuthRecipeMethodServiceAccount is the login_method stamped on machine
	// access tokens issued via the client_credentials grant (RFC 6749 §4.4).
	// It is not a human login recipe — it namespaces the memory-store session
	// key ("service_account:<id>") so ValidateAccessToken derives the same key
	// the token endpoint registered the token under, keeping machine tokens on
	// the existing stateful validation path with zero special-casing.
	AuthRecipeMethodServiceAccount = "service_account"
)
View Source
const (
	// ClientKindInteractive is a human-facing login client (browser/app
	// authorization_code + PKCE flows).
	ClientKindInteractive = "interactive"

	// ClientKindServiceAccount is a machine/workload client using the
	// client_credentials grant or workload identity federation.
	ClientKindServiceAccount = "service_account"
)

Client.Kind discriminator values. Immutable after creation.

View Source
const (
	// TokenEndpointAuthMethodClientSecretBasic sends client_id/client_secret in
	// the HTTP Authorization header (RFC 6749 §2.3.1).
	TokenEndpointAuthMethodClientSecretBasic = "client_secret_basic"

	// TokenEndpointAuthMethodClientSecretPost sends client_id/client_secret in
	// the request body.
	TokenEndpointAuthMethodClientSecretPost = "client_secret_post"

	// TokenEndpointAuthMethodNone is a public client with no secret; it proves
	// possession via PKCE.
	TokenEndpointAuthMethodNone = "none"
)

Client.TokenEndpointAuthMethod values (RFC 7591 §2 / OIDC Core §9).

View Source
const (
	// AppCookieName is the name of the cookie that is used to store the application token
	AppCookieName = "cookie"
	// AdminCookieName is the name of the cookie that is used to store the admin token
	AdminCookieName = "authorizer-admin"
	// MfaCookieName is the name of the cookie that is used to store the mfa session
	MfaCookieName = "mfa"
)
View Source
const (
	// DbTypePostgres is the postgres database type
	DbTypePostgres = "postgres"
	// DbTypeSqlite is the sqlite database type
	DbTypeSqlite = "sqlite"
	// DbTypeLibSQL is the libsql / Turso database type
	DbTypeLibSQL = "libsql"
	// DbTypeMysql is the mysql database type
	DbTypeMysql = "mysql"
	// DbTypeSqlserver is the sqlserver database type
	DbTypeSqlserver = "sqlserver"
	// DbTypeYugabyte is the yugabyte database type
	DbTypeYugabyte = "yugabyte"
	// DbTypeMariaDB is the mariadb database type
	DbTypeMariaDB = "mariadb"
	// DbTypePlanetScaleDB is the planetscale database type
	DbTypePlanetScaleDB = "planetscale"
	// DbTypeCockroachDB is the cockroach database type
	DbTypeCockroachDB = "cockroachdb"

	// DbTypeArangoDB is the arangodb database type
	DbTypeArangoDB = "arangodb"

	// DbTypeMongoDB is the mongodb database type
	DbTypeMongoDB = "mongodb"

	// DbTypeCassandraDB is the cassandra database type
	DbTypeCassandraDB = "cassandradb"
	// DbTypeScyllaDB is the scylla database type
	DbTypeScyllaDB = "scylladb"

	// DbTypeDynamoDB is the Dynamo database type
	DbTypeDynamoDB = "dynamodb"

	// DbTypeCouchbaseDB is the Couchbase database type
	DbTypeCouchbaseDB = "couchbase"
)
View Source
const (
	// GrantTypeAuthorizationCode is the standard browser-redirect grant (RFC 6749 §4.1).
	GrantTypeAuthorizationCode = "authorization_code"

	// GrantTypeRefreshToken rotates an existing refresh token (RFC 6749 §6).
	GrantTypeRefreshToken = "refresh_token"

	// GrantTypeClientCredentials issues tokens for machine/service identities
	// without a human resource owner (RFC 6749 §4.4).
	// Authenticate using client_id (= Client.ID) and client_secret,
	// or via client_assertion for workload identity federation (Phases 3–5).
	GrantTypeClientCredentials = "client_credentials"

	// GrantTypeTokenExchange enables on-behalf-of delegation and workload-to-user
	// token exchange (RFC 8693).
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
)

OAuth2 grant type URNs for the token endpoint (RFC 6749 + RFC 8693).

View Source
const (
	// ClientAssertionTypeJWTBearer identifies a JWT as the client credential
	// in the client_assertion parameter (RFC 7523).
	// Used for Kubernetes SA tokens and generic OIDC workload tokens (Phases 3–4).
	ClientAssertionTypeJWTBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

	// ClientAssertionTypeJWTSPIFFE identifies a SPIFFE JWT-SVID as the client
	// credential (draft-schwenkschuster-oauth-spiffe-client-auth-00).
	// PREVIEW: the underlying draft expired 2026-01-02 and is not WG-adopted.
	// This URN is not IANA-registered and may change. Ship as experimental only.
	ClientAssertionTypeJWTSPIFFE = "urn:ietf:params:oauth:client-assertion-type:jwt-spiffe"
)

OAuth2 client assertion type URNs (RFC 7521 / RFC 7523).

View Source
const (
	// TokenTypeURNAccessToken identifies an OAuth2 access token.
	TokenTypeURNAccessToken = "urn:ietf:params:oauth:token-type:access_token"

	// TokenTypeURNRefreshToken identifies an OAuth2 refresh token.
	TokenTypeURNRefreshToken = "urn:ietf:params:oauth:token-type:refresh_token"

	// TokenTypeURNIDToken identifies an OpenID Connect ID token.
	TokenTypeURNIDToken = "urn:ietf:params:oauth:token-type:id_token"

	// TokenTypeURNJWT identifies a generic JWT.
	TokenTypeURNJWT = "urn:ietf:params:oauth:token-type:jwt"
)

RFC 8693 token type URNs used in subject_token_type and issued_token_type.

View Source
const (
	// KeySourceOIDCDiscovery fetches the JWKS URI from the issuer's OpenID
	// Connect discovery document (/.well-known/openid-configuration).
	// Not suitable for private K8s clusters that do not expose discovery publicly.
	KeySourceOIDCDiscovery = "oidc_discovery"

	// KeySourceStaticJWKSURL fetches JWKS directly from a configured URL.
	// Preferred for private clusters — avoids exposing K8s discovery endpoints.
	KeySourceStaticJWKSURL = "static_jwks_url"

	// KeySourceSPIFFEBundleEndpoint fetches keys from a SPIFFE bundle endpoint.
	// Requires SpiffeRefreshHintSeconds to be honoured at runtime (Phase 5).
	KeySourceSPIFFEBundleEndpoint = "spiffe_bundle_endpoint"
)

TrustedIssuer key source types controlling how JWKS are fetched.

View Source
const (
	// IssuerTypeKubernetesSA identifies a Kubernetes projected ServiceAccount token.
	IssuerTypeKubernetesSA = "kubernetes_sa"

	// IssuerTypeSPIFFEJWT identifies a SPIFFE JWT-SVID (Phase 5, preview).
	IssuerTypeSPIFFEJWT = "spiffe_jwt"

	// IssuerTypeOIDC identifies a generic OIDC token from an external IdP.
	IssuerTypeOIDC = "oidc"

	// IssuerTypeCloudOIDC identifies a cloud-provider workload identity token
	// (AWS IRSA, GCP Workload Identity, Azure Managed Identity).
	IssuerTypeCloudOIDC = "cloud_oidc"
)

TrustedIssuer issuer type identifiers.

View Source
const (
	// AuthMethodJWTAssertion uses a JWT as the client_assertion (Phases 3–5, default).
	AuthMethodJWTAssertion = "jwt_assertion"

	// AuthMethodX509MTLS uses an X.509-SVID via mTLS (Phase 6).
	AuthMethodX509MTLS = "x509_mtls"
)

TrustedIssuer authentication method identifiers.

View Source
const (
	// - query: for Authorization Code grant. 302 Found triggers redirect.
	ResponseModeQuery = "query"
	// - fragment: for Implicit grant. 302 Found triggers redirect.
	ResponseModeFragment = "fragment"
	// - form_post: 200 OK with response parameters embedded in an HTML form as hidden parameters.
	ResponseModeFormPost = "form_post"
	// - web_message: For Silent Authentication. Uses HTML5 web messaging.
	ResponseModeWebMessage = "web_message"

	// For the Authorization Code grant, use response_type=code to include the authorization code.
	ResponseTypeCode = "code"
	// For the Implicit grant, use response_type=token to include an access token.
	ResponseTypeToken = "token"
	// For the Implicit grant of id_token, use response_type=id_token to include an identifier token.
	ResponseTypeIDToken = "id_token"

	// Constant indicating the "signup" screen hint for customizing authentication process and redirect to a signup page.
	ScreenHintSignUp = "signup"
)
View Source
const (
	// Ref: https://github.com/qor/auth/blob/master/providers/google/google.go
	// deprecated and not used. instead we follow open id approach for google login
	GoogleUserInfoURL = "https://www.googleapis.com/oauth2/v3/userinfo"
	// Ref: https://github.com/qor/auth/blob/master/providers/facebook/facebook.go#L18
	FacebookUserInfoURL = "https://graph.facebook.com/me?fields=id,first_name,last_name,name,email,picture&access_token="
	// Ref: https://docs.github.com/en/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#3-your-github-app-accesses-the-api-with-the-users-access-token
	GithubUserInfoURL = "https://api.github.com/user"
	// Get github user emails when user info email is empty Ref: https://stackoverflow.com/a/35387123
	GithubUserEmails = "https://api.github.com/user/emails"

	// Ref: https://docs.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api
	LinkedInUserInfoURL = "" /* 142-byte string literal not displayed */
	LinkedInEmailURL    = "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))"

	TwitterUserInfoURL = "https://api.twitter.com/2/users/me?user.fields=id,name,profile_image_url,username"

	// RobloxUserInfoURL is the URL to get user info from Roblox
	RobloxUserInfoURL = "https://apis.roblox.com/oauth/v1/userinfo"

	DiscordUserInfoURL = "https://discord.com/api/oauth2/@me"
	// Get microsoft user info.
	// Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo
	MicrosoftUserInfoURL = "https://graph.microsoft.com/oidc/userinfo"
)
View Source
const (
	// TokenTypeRefreshToken is the refresh_token token type
	TokenTypeRefreshToken = "refresh_token"
	// TokenTypeAccessToken is the access_token token type
	TokenTypeAccessToken = "access_token"
	// TokenTypeIdentityToken is the identity_token token type
	TokenTypeIdentityToken = "id_token"
	// TokenTypeSessionToken is the session_token type used for browser session
	TokenTypeSessionToken = "session_token"
)
View Source
const (
	// ProtocolGraphQL marks an operation served via the GraphQL endpoint.
	ProtocolGraphQL = "graphql"
	// ProtocolGRPC marks an operation served via a direct gRPC call.
	ProtocolGRPC = "grpc"
	// ProtocolREST marks an operation served via the REST (grpc-gateway) surface.
	ProtocolREST = "rest"
)

Transport protocol identifiers. Recorded on RequestMetadata and surfaced in audit logs (audit.Event.Protocol → audit metadata) and the authorizer_api_operations_total metric so each performed operation is attributable to the protocol it came in on. Low-cardinality; safe as metric label values.

View Source
const (
	// TrustKindClientAssertion is the default kind. Every pre-existing row (which
	// may have no kind column value) is treated as this kind on read
	// (TrustedIssuer.EffectiveKind), so an upgrade never breaks existing
	// client_assertion trust rows.
	TrustKindClientAssertion = "client_assertion_trust"

	// TrustKindSSOOIDC is a per-org upstream OIDC IdP brokered by Authorizer.
	TrustKindSSOOIDC = "sso_oidc"

	// TrustKindSSOSAML is reserved for the per-org SAML SP connection.
	// ponytail: reserved only — SAML SP (signature-wrapping/XSW validation) ships
	// in its own PR so it gets a focused security review.
	TrustKindSSOSAML = "sso_saml"
)

TrustedIssuer.Kind discriminator values (design §4.3 / §5 K1). Immutable after creation. The unified authorizer_trusted_issuers table serves two distinct trust relationships that MUST NOT be confused (design §5.2 CR1):

  • client_assertion_trust: an external JWT issuer whose tokens authenticate an OAuth *client* (RFC 7523 client_assertion). Subject-pinned, org-global.
  • sso_oidc: a per-organization upstream OIDC IdP that Authorizer brokers as a Relying Party. Org-scoped (OrgID set), NO subject pin — it federates end users, it can never authenticate a client.
  • sso_saml: reserved for the SAML Service Provider (separate PR).
View Source
const (
	// VerificationTypeBasicAuthSignup is the basic_auth_signup verification type
	VerificationTypeBasicAuthSignup = "basic_auth_signup"
	// VerificationTypeMagicLinkLogin is the magic_link_login verification type
	VerificationTypeMagicLinkLogin = "magic_link_login"
	// VerificationTypeUpdateEmail is the update_email verification type
	VerificationTypeUpdateEmail = "update_email"
	// VerificationTypeForgotPassword is the forgot_password verification type
	VerificationTypeForgotPassword = "forgot_password"
	// VerificationTypeInviteMember is the invite_member verification type
	VerificationTypeInviteMember = "invite_member"
	// VerificationTypeOTP is the otp verification type
	VerificationTypeOTP = "verify_otp"
)
View Source
const (

	// UserLoginWebhookEvent name for login event
	UserLoginWebhookEvent = `user.login`
	// UserCreatedWebhookEvent name for user creation event
	// This is triggered when user entry is created but still not verified
	UserCreatedWebhookEvent = `user.created`
	// UserSignUpWebhookEvent name for signup event
	UserSignUpWebhookEvent = `user.signup`
	// UserAccessRevokedWebhookEvent name for user access revoke event
	UserAccessRevokedWebhookEvent = `user.access_revoked`
	// UserAccessEnabledWebhookEvent name for user access enable event
	UserAccessEnabledWebhookEvent = `user.access_enabled`
	// UserDeletedWebhookEvent name for user deleted event
	UserDeletedWebhookEvent = `user.deleted`
	// UserDeactivatedWebhookEvent name for user deactivated event
	UserDeactivatedWebhookEvent = `user.deactivated`
)
View Source
const (
	// ResourceCreatedWebhookEvent is fired when an authorization resource is created.
	ResourceCreatedWebhookEvent = "resource.created"
	// ResourceUpdatedWebhookEvent is fired when an authorization resource is updated.
	ResourceUpdatedWebhookEvent = "resource.updated"
	// ResourceDeletedWebhookEvent is fired when an authorization resource is deleted.
	ResourceDeletedWebhookEvent = "resource.deleted"
	// ScopeCreatedWebhookEvent is fired when an authorization scope is created.
	ScopeCreatedWebhookEvent = "scope.created"
	// ScopeUpdatedWebhookEvent is fired when an authorization scope is updated.
	ScopeUpdatedWebhookEvent = "scope.updated"
	// ScopeDeletedWebhookEvent is fired when an authorization scope is deleted.
	ScopeDeletedWebhookEvent = "scope.deleted"
	// PolicyCreatedWebhookEvent is fired when an authorization policy is created.
	PolicyCreatedWebhookEvent = "policy.created"
	// PolicyUpdatedWebhookEvent is fired when an authorization policy is updated.
	PolicyUpdatedWebhookEvent = "policy.updated"
	// PolicyDeletedWebhookEvent is fired when an authorization policy is deleted.
	PolicyDeletedWebhookEvent = "policy.deleted"
	// PermissionCreatedWebhookEvent is fired when an authorization permission is created.
	PermissionCreatedWebhookEvent = "permission.created"
	// PermissionUpdatedWebhookEvent is fired when an authorization permission is updated.
	PermissionUpdatedWebhookEvent = "permission.updated"
	// PermissionDeletedWebhookEvent is fired when an authorization permission is deleted.
	PermissionDeletedWebhookEvent = "permission.deleted"
	// PermissionCheckDeniedWebhookEvent is fired when a permission check is denied
	// in enforcing mode. Useful for agent kill-switches and security alerting.
	PermissionCheckDeniedWebhookEvent = "permission.check_denied"
)
View Source
const (
	// EnvKeyTOTPAuthenticator key for env variable TOTP
	EnvKeyTOTPAuthenticator = "totp"
)

Authenticators Methods

View Source
const OrgRoleAdmin = "authorizer:org_admin"

OrgRoleAdmin is the reserved, namespaced OrgMembership role that grants a user org-scoped admin rights (manage their own org's SSO/SCIM/domain config and members) without being a platform super-admin.

It is intentionally the namespaced string "authorizer:org_admin", NOT the bare "admin": app-defined org roles are free-form and commonly include "admin" or "owner" for the app's own RBAC meaning, so reserving the bare string would silently hand SSO/SCIM control to every member a tenant already made an app-level admin. The ":" namespace cannot collide with a normal app role. Existing bare-"admin" memberships are NEVER auto-promoted — this role must be granted explicitly.

View Source
const (
	// TestEnv is used for testing
	TestEnv = "test"
)

Variables

View Source
var DefaultLimit = 10

DefaultLimit is the default limit for pagination

View Source
var VERSION = "0.0.1"

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL