|
| 1 | +package constants |
| 2 | + |
| 3 | +// OAuth2 grant type URNs for the token endpoint (RFC 6749 + RFC 8693). |
| 4 | +const ( |
| 5 | + // GrantTypeAuthorizationCode is the standard browser-redirect grant (RFC 6749 §4.1). |
| 6 | + GrantTypeAuthorizationCode = "authorization_code" |
| 7 | + |
| 8 | + // GrantTypeRefreshToken rotates an existing refresh token (RFC 6749 §6). |
| 9 | + GrantTypeRefreshToken = "refresh_token" |
| 10 | + |
| 11 | + // GrantTypeClientCredentials issues tokens for machine/service identities |
| 12 | + // without a human resource owner (RFC 6749 §4.4). |
| 13 | + // Authenticate using client_id (= ServiceAccount.ID) and client_secret, |
| 14 | + // or via client_assertion for workload identity federation (Phases 3–5). |
| 15 | + GrantTypeClientCredentials = "client_credentials" |
| 16 | + |
| 17 | + // GrantTypeTokenExchange enables on-behalf-of delegation and workload-to-user |
| 18 | + // token exchange (RFC 8693). |
| 19 | + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" |
| 20 | +) |
| 21 | + |
| 22 | +// OAuth2 client assertion type URNs (RFC 7521 / RFC 7523). |
| 23 | +const ( |
| 24 | + // ClientAssertionTypeJWTBearer identifies a JWT as the client credential |
| 25 | + // in the client_assertion parameter (RFC 7523). |
| 26 | + // Used for Kubernetes SA tokens and generic OIDC workload tokens (Phases 3–4). |
| 27 | + ClientAssertionTypeJWTBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" |
| 28 | + |
| 29 | + // ClientAssertionTypeJWTSPIFFE identifies a SPIFFE JWT-SVID as the client |
| 30 | + // credential (draft-schwenkschuster-oauth-spiffe-client-auth-00). |
| 31 | + // PREVIEW: the underlying draft expired 2026-01-02 and is not WG-adopted. |
| 32 | + // This URN is not IANA-registered and may change. Ship as experimental only. |
| 33 | + ClientAssertionTypeJWTSPIFFE = "urn:ietf:params:oauth:client-assertion-type:jwt-spiffe" |
| 34 | +) |
| 35 | + |
| 36 | +// RFC 8693 token type URNs used in subject_token_type and issued_token_type. |
| 37 | +const ( |
| 38 | + // TokenTypeURNAccessToken identifies an OAuth2 access token. |
| 39 | + TokenTypeURNAccessToken = "urn:ietf:params:oauth:token-type:access_token" |
| 40 | + |
| 41 | + // TokenTypeURNRefreshToken identifies an OAuth2 refresh token. |
| 42 | + TokenTypeURNRefreshToken = "urn:ietf:params:oauth:token-type:refresh_token" |
| 43 | + |
| 44 | + // TokenTypeURNIDToken identifies an OpenID Connect ID token. |
| 45 | + TokenTypeURNIDToken = "urn:ietf:params:oauth:token-type:id_token" |
| 46 | + |
| 47 | + // TokenTypeURNJWT identifies a generic JWT. |
| 48 | + TokenTypeURNJWT = "urn:ietf:params:oauth:token-type:jwt" |
| 49 | +) |
| 50 | + |
| 51 | +// TrustedIssuer key source types controlling how JWKS are fetched. |
| 52 | +const ( |
| 53 | + // KeySourceOIDCDiscovery fetches the JWKS URI from the issuer's OpenID |
| 54 | + // Connect discovery document (/.well-known/openid-configuration). |
| 55 | + // Not suitable for private K8s clusters that do not expose discovery publicly. |
| 56 | + KeySourceOIDCDiscovery = "oidc_discovery" |
| 57 | + |
| 58 | + // KeySourceStaticJWKSURL fetches JWKS directly from a configured URL. |
| 59 | + // Preferred for private clusters — avoids exposing K8s discovery endpoints. |
| 60 | + KeySourceStaticJWKSURL = "static_jwks_url" |
| 61 | + |
| 62 | + // KeySourceSPIFFEBundleEndpoint fetches keys from a SPIFFE bundle endpoint. |
| 63 | + // Requires SpiffeRefreshHintSeconds to be honoured at runtime (Phase 5). |
| 64 | + KeySourceSPIFFEBundleEndpoint = "spiffe_bundle_endpoint" |
| 65 | +) |
| 66 | + |
| 67 | +// TrustedIssuer issuer type identifiers. |
| 68 | +const ( |
| 69 | + // IssuerTypeKubernetesSA identifies a Kubernetes projected ServiceAccount token. |
| 70 | + IssuerTypeKubernetesSA = "kubernetes_sa" |
| 71 | + |
| 72 | + // IssuerTypeSPIFFEJWT identifies a SPIFFE JWT-SVID (Phase 5, preview). |
| 73 | + IssuerTypeSPIFFEJWT = "spiffe_jwt" |
| 74 | + |
| 75 | + // IssuerTypeOIDC identifies a generic OIDC token from an external IdP. |
| 76 | + IssuerTypeOIDC = "oidc" |
| 77 | + |
| 78 | + // IssuerTypeCloudOIDC identifies a cloud-provider workload identity token |
| 79 | + // (AWS IRSA, GCP Workload Identity, Azure Managed Identity). |
| 80 | + IssuerTypeCloudOIDC = "cloud_oidc" |
| 81 | +) |
| 82 | + |
| 83 | +// TrustedIssuer authentication method identifiers. |
| 84 | +const ( |
| 85 | + // AuthMethodJWTAssertion uses a JWT as the client_assertion (Phases 3–5, default). |
| 86 | + AuthMethodJWTAssertion = "jwt_assertion" |
| 87 | + |
| 88 | + // AuthMethodX509MTLS uses an X.509-SVID via mTLS (Phase 6). |
| 89 | + AuthMethodX509MTLS = "x509_mtls" |
| 90 | +) |
0 commit comments