Documentation
Constants

const (
	// SessionCookieExpiryBuffer denotes the time taken for a session cookie to expire AFTER the token within the cookie expires.
	// This buffer is necessary so that clients continue to send the session cookie after the token expires, so that we can
	// refresh their session by contacting the IdP.
	SessionCookieExpiryBuffer = time.Hour * 24 * 7
)
Variables

This section is empty.

Functions

This section is empty.

Types

type AuthError
type AuthError struct {
Err error
}
AuthError represents an authentication error. If an error of this type is returned, the caller should call WriteHeaders on the response so that the client has the necessary information to log in using the device flow.
type AuthenticationResult
type AuthenticationResult struct {
IdentityType string
Subject string
Email string
Name string
IdentityProviderGroups []string
}
AuthenticationResult represents an authenticated OIDC client.
type SessionHandler
type SessionHandler interface {
StartSession(r *http.Request, res AuthenticationResult, tokens *oidc.Tokens[*oidc.IDTokenClaims], expiryOverride *time.Time) (sessionID *uuid.UUID, expiry *time.Time, err error)
GetIdentityBySessionID(ctx context.Context, sessionID uuid.UUID) (res *AuthenticationResult, tokens *oidc.Tokens[*oidc.IDTokenClaims], sessionExpiry *time.Time, err error)
DeleteSession(ctx context.Context, sessionID uuid.UUID) error
}
SessionHandler is used where session handling must call the database.
It is important that these methods are only called after the caller has successfully authenticated via session token or via the IdP. This is to enforce that unauthenticated callers cannot DoS the database by sending bogus tokens.
type Verifier
type Verifier struct {
// contains filtered or unexported fields
}
Verifier holds all information needed to verify and manage OIDC logins and sessions.
func NewVerifier
func NewVerifier(ctx context.Context, issuer string, clientID string, clientSecret string, scopes []string, audience string, groupsClaim string, clusterUUID string, networkAddress string, secretsFunc func(ctx context.Context) (cluster.AuthSecrets, error), httpClientFunc func() (*http.Client, error), sessionHandler SessionHandler) (*Verifier, error)
NewVerifier returns a Verifier.
func (*Verifier) Auth
func (o *Verifier) Auth(w http.ResponseWriter, r *http.Request) (*AuthenticationResult, error)
Auth checks if a session cookie is present and tries to verify it. Otherwise, it checks if a bearer token was sent and verifies that instead (for the CLI).
func (*Verifier) Callback

func (o *Verifier) Callback(w http.ResponseWriter, r *http.Request)

Callback is an http.HandlerFunc which implements the code exchange required on the /oidc/callback endpoint.
func (*Verifier) ExpireConfig
func (o *Verifier) ExpireConfig()
ExpireConfig sets the expiry time of the current configuration to zero. This forces the verifier to reconfigure the relying party the next time a user authenticates.
func (*Verifier) IsRequest

func (*Verifier) IsRequest(r *http.Request) bool

IsRequest checks if the request is using OIDC authentication. We check for the presence of the Authorization header or one of the ID or refresh tokens and the session cookie.
func (*Verifier) Login

func (o *Verifier) Login(w http.ResponseWriter, r *http.Request)

Login is an http.Handler that initiates the login flow for the UI.
func (*Verifier) Logout

func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request)

Logout always deletes the session cookie. If the caller is logged in with a valid session cookie, then that session is deleted from the database.
func (*Verifier) WriteHeaders

func (o *Verifier) WriteHeaders(w http.ResponseWriter) error

WriteHeaders writes the OIDC configuration as HTTP headers so the client can initiate the device code flow.
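The caller-side contract documented for AuthError, Auth, IsRequest and WriteHeaders, as an added example that is not part of this package: a middleware that consults IsRequest before touching any credential, calls WriteHeaders only when Auth returns an AuthError (so the client can start the device flow), and answers anything else with a bare 500 so that server-side failures neither leak detail nor advertise the IdP. It assumes an interface matching the documented *Verifier method set (the package import path is not on this page) and mirrors AuthError with value receivers; both are assumptions.

```go
package main

import (
	"errors"
	"net/http"
)

// Mirrors of the documented types, fields trimmed to what the middleware uses.
type AuthError struct{ Err error }
type AuthenticationResult struct{ Subject string }

func (e AuthError) Error() string { return "oidc auth: " + e.Err.Error() }
func (e AuthError) Unwrap() error { return e.Err }

// verifier is the subset of the documented *Verifier method set the middleware
// needs. Assumption: the real type satisfies it; coding to an interface keeps
// this example runnable without the package.
type verifier interface {
	IsRequest(r *http.Request) bool
	Auth(w http.ResponseWriter, r *http.Request) (*AuthenticationResult, error)
	WriteHeaders(w http.ResponseWriter) error
}

// RequireOIDC lets only successfully authenticated requests reach next.
func RequireOIDC(v verifier, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !v.IsRequest(r) { // neither session cookie nor bearer token: nothing to verify
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		res, err := v.Auth(w, r)
		var authErr AuthError // use *AuthError if the package declares pointer receivers
		switch {
		case errors.As(err, &authErr): // documented contract: emit device-flow headers, then 401
			if v.WriteHeaders(w) != nil {
				http.Error(w, "oidc configuration unavailable", http.StatusInternalServerError)
				return
			}
			http.Error(w, authErr.Error(), http.StatusUnauthorized)
		case err != nil: // not a credential problem: no device-flow headers, no detail leak
			http.Error(w, "internal error", http.StatusInternalServerError)
		default:
			r.Header.Set("X-Subject", res.Subject) // pass identity to downstream handlers
			next.ServeHTTP(w, r)
		}
	})
}
```

errors.As is used rather than a type assertion so that an AuthError wrapped by an intermediate layer still triggers WriteHeaders.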