Affected by GO-2022-0783 and 4 other vulnerabilities

GO-2022-0783: JWT leak via Open Redirect in Programmatic access in github.com/pomerium/pomerium

GO-2022-0933: Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium

GO-2023-1800: Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium

GO-2024-2965: Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

GO-2024-3179: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

google

package

v0.8.3 Latest Latest Go to latest Published: May 26, 2020 License: Apache-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package google implements OpenID Connect for Google and GSuite.

https://www.pomerium.io/docs/identity-providers/google.html https://developers.google.com/identity/protocols/oauth2/openid-connect

Index ¶

Constants
type Provider
- func New(ctx context.Context, o *oauth.Options) (*Provider, error)
- func (p *Provider) GetSignInURL(state string) string
- func (p *Provider) UserGroups(ctx context.Context, s *sessions.State) ([]string, error)

Constants ¶

View Source

const (
	// Name identifies the Google identity provider
	Name = "google"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Provider ¶

type Provider struct {
	*pom_oidc.Provider
	// contains filtered or unexported fields
}

Provider is a Google implementation of the Authenticator interface.

func New ¶

func New(ctx context.Context, o *oauth.Options) (*Provider, error)

New instantiates an OpenID Connect (OIDC) session with Google.

func (*Provider) GetSignInURL ¶

func (p *Provider) GetSignInURL(state string) string

GetSignInURL returns a URL to OAuth 2.0 provider's consent page that asks for permissions for the required scopes explicitly. Google requires an additional access scope for offline access which is a requirement for any application that needs to access a Google API when the user is not present. Support for this scope differs between OpenID Connect providers. For instance Google rejects it, favoring appending "access_type=offline" as part of the authorization request instead. Google only provide refresh_token on the first authorization from the user. If user clears cookies, re-authorization will not bring back refresh_token. A work around to this is to add prompt=consent to the OAuth redirect URL and will always return a refresh_token. https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

func (*Provider) UserGroups ¶

func (p *Provider) UserGroups(ctx context.Context, s *sessions.State) ([]string, error)

UserGroups returns a slice of group names a given user is in NOTE: groups via Directory API is limited to 1 QPS! https://developers.google.com/admin-sdk/directory/v1/reference/groups/list https://developers.google.com/admin-sdk/directory/v1/limits

Source Files ¶

View all Source files

google.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL