GO-2022-0981: Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped.dev

oidcclient

package

v0.4.1 Latest Latest Go to latest Published: Jan 25, 2021 License: Apache-2.0 Imports: 22 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/vmware-tanzu/pinniped

Links

Open Source Insights

Documentation ¶

Overview ¶

Package oidcclient implements a CLI OIDC login flow.

Index ¶

func Login(issuer string, clientID string, opts ...Option) (*oidctypes.Token, error)
type Option
type SessionCache
type SessionCacheKey

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Login(issuer string, clientID string, opts ...Option) (*oidctypes.Token, error)

Login performs an OAuth2/OIDC authorization code login using a localhost listener.

Types ¶

type Option ¶

type Option func(*handlerState) error

Option is an optional configuration for Login().

func WithBrowserOpen ¶

func WithBrowserOpen(openURL func(url string) error) Option

WithBrowserOpen overrides the default "open browser" functionality with a custom callback. If not specified, an implementation using https://github.com/pkg/browser will be used by default.

func WithClient ¶

func WithClient(httpClient *http.Client) Option

WithClient sets the HTTP client used to make CLI-to-provider requests.

func WithContext ¶

func WithContext(ctx context.Context) Option

WithContext specifies a specific context.Context under which to perform the login. If this option is not specified, login happens under context.Background().

func WithListenPort ¶

func WithListenPort(port uint16) Option

WithListenPort specifies a TCP listen port on localhost, which will be used for the redirect_uri and to handle the authorization code callback. By default, a random high port will be chosen which requires the authorization server to support wildcard port numbers as described by https://tools.ietf.org/html/rfc8252:

The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

func WithRequestAudience ¶

func WithRequestAudience(audience string) Option

WithRequestAudience causes the login flow to perform an additional token exchange using the RFC8693 flow.

func WithScopes ¶

func WithScopes(scopes []string) Option

WithScopes sets the OAuth2 scopes to request during login. If not specified, it defaults to "offline_access openid email profile".

func WithSessionCache ¶

func WithSessionCache(cache SessionCache) Option

WithSessionCache sets the session cache backend for storing and retrieving previously-issued ID tokens and refresh tokens.

type SessionCache ¶

type SessionCache interface {
	GetToken(SessionCacheKey) *oidctypes.Token
	PutToken(SessionCacheKey, *oidctypes.Token)
}

type SessionCacheKey ¶

type SessionCacheKey struct {
	Issuer      string   `json:"issuer"`
	ClientID    string   `json:"clientID"`
	Scopes      []string `json:"scopes"`
	RedirectURI string   `json:"redirect_uri"`
}

SessionCacheKey contains the data used to select a valid session cache entry.

Source Files ¶

View all Source files

login.go

Directories ¶

Path	Synopsis
filesession Package cachefile implements the file format for session caches.	Package cachefile implements the file format for session caches.
nonce Package nonce implements	Package nonce implements
oidctypes Package oidctypes provides core data types for OIDC token structures.	Package oidctypes provides core data types for OIDC token structures.
pkce
state

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL