authenticator

package
v0.0.2 Latest
This package is not in the latest version of its module.
Published: Feb 19, 2019 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthenticateGRPC added in v0.0.2

type AuthenticateGRPC struct {
	Conn *grpc.ClientConn
	// contains filtered or unexported fields
}

AuthenticateGRPC is a gRPC implementation of an authenticator (authenticate client).

func NewGRPC added in v0.0.2

func NewGRPC(opts *Options) (p *AuthenticateGRPC, err error)

NewGRPC returns a new authenticate service client.

func (*AuthenticateGRPC) Close added in v0.0.2

func (a *AuthenticateGRPC) Close() error

Close tears down the ClientConn and all underlying connections.

func (*AuthenticateGRPC) Redeem added in v0.0.2

func (a *AuthenticateGRPC) Redeem(code string) (*RedeemResponse, error)

Redeem makes an RPC call to the authenticate service to create a session state from an encrypted code provided as a result of an OAuth2 callback process.

func (*AuthenticateGRPC) Refresh added in v0.0.2

func (a *AuthenticateGRPC) Refresh(refreshToken string) (string, time.Time, error)

Refresh makes an RPC call to the authenticate service to attempt to refresh the user's session. Requires a valid refresh token. Will return an error if the identity provider has revoked the session or if the refresh token is no longer valid in this context.

func (*AuthenticateGRPC) Validate added in v0.0.2

func (a *AuthenticateGRPC) Validate(idToken string) (bool, error)

Validate makes an RPC call to the authenticate service to validate the JWT ID token. It does NOT do nonce or revocation validation. See https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
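Because Validate does not check the nonce, a caller that sent one in the authentication request has to compare it itself after Validate succeeds. The sketch below is an added example, not code from this package: `validator`, `stubValidator`, `checkIDToken` and `constructedToken` are hypothetical names, and the token is a constructed, unsigned sample whose signature is assumed to be checked by the authenticate service.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// validator mirrors the Validate method of the Authenticator interface.
type validator interface {
	Validate(idToken string) (bool, error)
}

// stubValidator is a hypothetical stand-in for a real authenticate client.
type stubValidator struct{ ok bool }

func (s stubValidator) Validate(string) (bool, error) { return s.ok, nil }

// checkIDToken calls Validate, then does the nonce comparison Validate omits.
func checkIDToken(v validator, idToken, wantNonce string) error {
	if ok, err := v.Validate(idToken); err != nil || !ok {
		return fmt.Errorf("id token rejected (valid=%v): %v", ok, err)
	}
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return errors.New("id token is not a compact JWS")
	}
	var claims struct{ Nonce string `json:"nonce"` }
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return errors.New("id token payload is not base64url JSON")
	}
	// An empty expected nonce must never match a token that lacks one.
	if wantNonce == "" || subtle.ConstantTimeCompare([]byte(claims.Nonce), []byte(wantNonce)) != 1 {
		return errors.New("nonce mismatch")
	}
	return nil
}

// constructedToken builds an unsigned sample token (constructed, demo only).
func constructedToken(nonce string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(`{"nonce":"`+nonce+`"}`)) + ".sig"
}

func main() {
	fmt.Println(checkIDToken(stubValidator{true}, constructedToken("n-123"), "n-123"))
}
```

Revocation is likewise outside Validate; Refresh is the call documented to fail when the identity provider has revoked the session.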

type Authenticator added in v0.0.2

type Authenticator interface {
	// Redeem takes a code and returns a validated session or an error
	Redeem(string) (*RedeemResponse, error)
	// Refresh attempts to refresh a valid session with a refresh token. Returns a new access token
	// and expiration, or an error.
	Refresh(string) (string, time.Time, error)
	// Validate evaluates a given oidc id_token for validity. Returns validity and any error.
	Validate(string) (bool, error)
	// Close closes the authenticator connection if any.
	Close() error
}

Authenticator provides the authenticate service interface.

func New added in v0.0.2

func New(name string, opts *Options) (a Authenticator, err error)

New returns a new authenticate service client. Takes a client implementation name as an argument. Currently only gRPC is supported and is always returned.

type MockAuthenticate added in v0.0.2

type MockAuthenticate struct {
	RedeemError      error
	RedeemResponse   *RedeemResponse
	RefreshResponse  string
	RefreshTime      time.Time
	RefreshError     error
	ValidateResponse bool
	ValidateError    error
	CloseError       error
}

MockAuthenticate provides a mocked implementation of the authenticator interface.

func (MockAuthenticate) Close added in v0.0.2

func (a MockAuthenticate) Close() error

Close is a mocked authenticator client function.

func (MockAuthenticate) Redeem added in v0.0.2

func (a MockAuthenticate) Redeem(code string) (*RedeemResponse, error)

Redeem is a mocked authenticator client function.

func (MockAuthenticate) Refresh added in v0.0.2

func (a MockAuthenticate) Refresh(refreshToken string) (string, time.Time, error)

Refresh is a mocked authenticator client function.

func (MockAuthenticate) Validate added in v0.0.2

func (a MockAuthenticate) Validate(idToken string) (bool, error)

Validate is a mocked authenticator client function.

type Options added in v0.0.2

type Options struct {
	// Addr is the location of the authenticate service. Used if InternalAddr is not set.
	Addr string
	Port int
	// InternalAddr is the internal (behind the ingress) address to use when making an
	// authentication connection. If empty, Addr is used.
	InternalAddr string
	// OverrideCertificateName overrides the server name used to verify the hostname on the
	// returned certificates from the server.  gRPC internals also use it to override the virtual
	// hosting name if it is set.
	OverrideCertificateName string
	// SharedSecret is used to authenticate an authenticate-client with an authenticate-server.
	SharedSecret string
	// CA specifies the base64 encoded TLS certificate authority to use.
	CA string
	// CAFile specifies the TLS certificate authority file to use.
	CAFile string
}

Options contains options for connecting to an authenticate service.

type RedeemResponse added in v0.0.2

type RedeemResponse struct {
	AccessToken  string
	RefreshToken string
	IDToken      string
	User         string
	Email        string
	Expiry       time.Time
}

RedeemResponse contains data from an authenticator redeem request.
