Documentation
Overview
Package authenticate is a Pomerium service that handles user authentication and refresh (AuthN).
Index
- func ValidateOptions(o *config.Options) error
- type Authenticate
- func (a *Authenticate) Dashboard(w http.ResponseWriter, r *http.Request) error
- func (a *Authenticate) FrontchannelLogout(w http.ResponseWriter, r *http.Request) error
- func (a *Authenticate) Handler() http.Handler
- func (a *Authenticate) Impersonate(w http.ResponseWriter, r *http.Request) error
- func (a *Authenticate) Mount(r *mux.Router)
- func (a *Authenticate) OAuthCallback(w http.ResponseWriter, r *http.Request) error
- func (a *Authenticate) OnConfigChange(cfg *config.Config)
- func (a *Authenticate) RetrieveSession(next http.Handler) http.Handler
- func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request)
- func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error
- func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error
- func (a *Authenticate) VerifySession(next http.Handler) http.Handler
Constants
This section is empty.
Variables
This section is empty.
Functions
func ValidateOptions (added in v0.0.5)
ValidateOptions checks that the configuration options are complete and valid. It returns on the first error found.
Types
type Authenticate (added in v0.0.2)
type Authenticate struct {
// contains filtered or unexported fields
}
Authenticate contains data required to run the authenticate service.
func New (added in v0.0.2)
func New(cfg *config.Config) (*Authenticate, error)
New validates and creates a new authenticate service from a set of Options.
func (*Authenticate) Dashboard (added in v0.10.0)
func (a *Authenticate) Dashboard(w http.ResponseWriter, r *http.Request) error
Dashboard renders the /.pomerium/ user dashboard.
func (*Authenticate) FrontchannelLogout (added in v0.12.0)
func (a *Authenticate) FrontchannelLogout(w http.ResponseWriter, r *http.Request) error
FrontchannelLogout uses HTTP GETs to Relying Party URLs (Pomerium) to clear a user's login state. This endpoint implements OpenID Connect Front-Channel Logout and reuses the Relying Party-initiated logout functionality specified in Section 5 of OpenID Connect Session Management 1.0 (RP-Initiated Logout).
https://openid.net/specs/openid-connect-frontchannel-1_0.html
https://ldapwiki.com/wiki/OpenID%20Connect%20Front-Channel%20Logout
func (*Authenticate) Handler (added in v0.0.2)
func (a *Authenticate) Handler() http.Handler
Handler returns the authenticate service's handler chain.
func (*Authenticate) Impersonate (added in v0.10.0)
func (a *Authenticate) Impersonate(w http.ResponseWriter, r *http.Request) error
Impersonate takes the result of a form and adds user impersonation details to the user's current session state if the user is currently an administrative user. Requests are redirected back to the user dashboard.
func (*Authenticate) Mount (added in v0.9.0)
func (a *Authenticate) Mount(r *mux.Router)
Mount mounts the authenticate routes to the given router.
func (*Authenticate) OAuthCallback (added in v0.0.2)
func (a *Authenticate) OAuthCallback(w http.ResponseWriter, r *http.Request) error
OAuthCallback handles the callback from the identity provider.
https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
func (*Authenticate) OnConfigChange (added in v0.10.0)
func (a *Authenticate) OnConfigChange(cfg *config.Config)
OnConfigChange updates internal structures based on config.Options.
func (*Authenticate) RetrieveSession (added in v0.12.0)
func (a *Authenticate) RetrieveSession(next http.Handler) http.Handler
RetrieveSession is the middleware used to retrieve the session using the sessionLoaders.
func (*Authenticate) RobotsTxt (added in v0.0.2)
func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request)
RobotsTxt handles the /robots.txt route.
func (*Authenticate) SignIn (added in v0.0.2)
func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error
SignIn handles authenticating a user.
func (*Authenticate) SignOut (added in v0.0.2)
func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error
SignOut signs the user out and attempts to revoke the user's identity session. Handles both GET and POST.
func (*Authenticate) VerifySession (added in v0.4.0)
func (a *Authenticate) VerifySession(next http.Handler) http.Handler
VerifySession is the middleware used to enforce that a valid authentication session state is attached to the user's request context.