Documentation
Index
- Variables
- func ValidateOptions(o config.Options) error
- type Authenticate
- func (a *Authenticate) ExchangeToken(w http.ResponseWriter, r *http.Request)
- func (a *Authenticate) Handler() http.Handler
- func (a *Authenticate) OAuthCallback(w http.ResponseWriter, r *http.Request)
- func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request)
- func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request)
- func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request)
- func (a *Authenticate) VerifySession(next http.Handler) http.Handler
Variables
var CSPHeaders = map[string]string{
	"Content-Security-Policy": "default-src 'none'; style-src 'self'" +
		" 'sha256-z9MsgkMbQjRSLxzAfN55jB3a9pP0PQ4OHFH8b4iDP6s=' " +
		" 'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " +
		" 'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0='; " +
		"img-src 'self';",
	"Referrer-Policy": "Same-origin",
}
CSPHeaders are the content security headers added to the service's handlers. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
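Each 'sha256-...' entry in the style-src directive above is a CSP hash source: the base64-encoded SHA-256 digest of the exact inline style content it permits. The Go program below is an added example, not code from the pomerium project; the names HashSource, DirectiveSources and InlineAllowed and the sample stylesheet are assumptions made for illustration. It computes a hash source and checks it against a policy string of the same shape as CSPHeaders.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// HashSource returns the CSP source expression ('sha256-<base64>') for the
// exact bytes of an inline <style> element's content.
func HashSource(inline string) string {
	sum := sha256.Sum256([]byte(inline))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// DirectiveSources returns the source list of one directive in a policy.
// Directive names are matched case-insensitively; a directive that is not
// present yields nil (fallback to default-src is not modelled here).
func DirectiveSources(policy, directive string) []string {
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) > 0 && strings.EqualFold(fields[0], directive) {
			return fields[1:]
		}
	}
	return nil
}

// InlineAllowed reports whether the hash of the inline content is listed
// in the given directive of the policy.
func InlineAllowed(policy, directive, inline string) bool {
	want := HashSource(inline)
	for _, s := range DirectiveSources(policy, directive) {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	css := "body { margin: 0; }" // constructed sample, not a pomerium stylesheet
	policy := "default-src 'none'; style-src 'self' " + HashSource(css) + "; img-src 'self';"
	fmt.Println(InlineAllowed(policy, "style-src", css))     // exact bytes: listed
	fmt.Println(InlineAllowed(policy, "style-src", css+" ")) // one extra space: not listed
}
```

Any change to the inline content, including whitespace, produces a different digest, so the hashes in the policy have to be regenerated whenever the inline styles they cover are edited.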
Functions
func ValidateOptions added in v0.0.5
func ValidateOptions(o config.Options) error
ValidateOptions checks that the configuration is complete and valid. It returns on the first error found.
Types
type Authenticate added in v0.0.2
Authenticate contains data required to run the authenticate service.
func New added in v0.0.2
func New(opts config.Options) (*Authenticate, error)
New validates and creates a new authenticate service from a set of Options.
func (*Authenticate) ExchangeToken added in v0.1.0
func (a *Authenticate) ExchangeToken(w http.ResponseWriter, r *http.Request)
ExchangeToken takes an identity provider issued JWT as input ('id_token') and exchanges that token for a Pomerium session. The provided token's audience ('aud') attribute must match Pomerium's client_id.
func (*Authenticate) Handler added in v0.0.2
func (a *Authenticate) Handler() http.Handler
Handler returns the authenticate service's HTTP multiplexer and routes.
func (*Authenticate) OAuthCallback added in v0.0.2
func (a *Authenticate) OAuthCallback(w http.ResponseWriter, r *http.Request)
OAuthCallback handles the callback from the identity provider.
https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
func (*Authenticate) RobotsTxt added in v0.0.2
func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request)
RobotsTxt handles the /robots.txt route.
func (*Authenticate) SignIn added in v0.0.2
func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request)
SignIn handles authenticating a user.
func (*Authenticate) SignOut added in v0.0.2
func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request)
SignOut signs the user out and attempts to revoke the user's identity session. Handles both GET and POST.
func (*Authenticate) VerifySession added in v0.4.0
func (a *Authenticate) VerifySession(next http.Handler) http.Handler
VerifySession is the middleware used to enforce that a valid authentication session state is attached to the user's request context.