Affected by GO-2022-0413 and 3 other vulnerabilities

GO-2022-0413: Exposure of Sensitive Information in Pomerium in github.com/pomerium/pomerium

GO-2023-1800: Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium

GO-2024-2965: Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

GO-2024-3179: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

identity

package

v0.16.0 Latest Latest Go to latest Published: Dec 22, 2021 License: Apache-2.0 Imports: 21 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package identity provides support for making OpenID Connect (OIDC) and OAuth2 authenticated HTTP requests with third party identity providers.

Index ¶

type AtomicAuthenticator
- func NewAtomicAuthenticator() *AtomicAuthenticator
- func (a *AtomicAuthenticator) Load() Authenticator
- func (a *AtomicAuthenticator) Store(value Authenticator)
type Authenticator
- func NewAuthenticator(o oauth.Options) (a Authenticator, err error)
type Claims
- func NewClaimsFromRaw(raw map[string]json.RawMessage) Claims
type FlattenedClaims
- func NewFlattenedClaimsFromPB(m map[string]*structpb.ListValue) FlattenedClaims
- func (claims FlattenedClaims) ToPB() map[string]*structpb.ListValue
- func (claims *FlattenedClaims) UnmarshalJSON(data []byte) error
type MockProvider
type SessionClaims
- func (claims *SessionClaims) SetRawIDToken(rawIDToken string)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AtomicAuthenticator ¶ added in v0.11.0

type AtomicAuthenticator struct {
	// contains filtered or unexported fields
}

An AtomicAuthenticator is a strongly-typed atomic.Value for storing an authenticator.

func NewAtomicAuthenticator ¶ added in v0.11.0

func NewAtomicAuthenticator() *AtomicAuthenticator

NewAtomicAuthenticator creates a new AtomicAuthenticator.

func (*AtomicAuthenticator) Load ¶ added in v0.11.0

func (a *AtomicAuthenticator) Load() Authenticator

Load loads the current authenticator.

func (*AtomicAuthenticator) Store ¶ added in v0.11.0

func (a *AtomicAuthenticator) Store(value Authenticator)

Store stores the authenticator.

type Authenticator ¶

type Authenticator interface {
	Authenticate(context.Context, string, identity.State) (*oauth2.Token, error)
	Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error)
	Revoke(context.Context, *oauth2.Token) error
	GetSignInURL(state string) (string, error)
	Name() string
	LogOut() (*url.URL, error)
	UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error
}

Authenticator is an interface representing the ability to authenticate with an identity provider.

func NewAuthenticator ¶ added in v0.8.0

func NewAuthenticator(o oauth.Options) (a Authenticator, err error)

NewAuthenticator returns a new identity provider based on its name.

type Claims ¶ added in v0.11.0

type Claims map[string]interface{}

Claims are JWT claims.

func NewClaimsFromRaw ¶ added in v0.11.0

func NewClaimsFromRaw(raw map[string]json.RawMessage) Claims

NewClaimsFromRaw creates a new Claims map from a map of raw messages.

func (Claims) Claims ¶ added in v0.11.0

func (claims Claims) Claims(v interface{}) error

Claims takes the claims data and fills v.

func (Claims) Flatten ¶ added in v0.11.0

func (claims Claims) Flatten() FlattenedClaims

Flatten flattens the claims to a FlattenedClaims map. For example:

{ "a": { "b": { "c": 12345 } } } => { "a.b.c": [12345] }

func (Claims) ToAnyMap ¶ added in v0.11.0

func (claims Claims) ToAnyMap() map[string]*anypb.Any

ToAnyMap converts the claims into a map of string => any.

func (*Claims) UnmarshalJSON ¶ added in v0.11.0

func (claims *Claims) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the raw json data into the claims object.

type FlattenedClaims ¶ added in v0.11.0

type FlattenedClaims map[string][]interface{}

FlattenedClaims are a set claims flattened into a single-level map.

func NewFlattenedClaimsFromPB ¶ added in v0.11.0

func NewFlattenedClaimsFromPB(m map[string]*structpb.ListValue) FlattenedClaims

NewFlattenedClaimsFromPB creates a new FlattenedClaims from the protobuf struct type.

func (FlattenedClaims) ToPB ¶ added in v0.11.0

func (claims FlattenedClaims) ToPB() map[string]*structpb.ListValue

ToPB converts the flattened claims into a protobuf type.

func (*FlattenedClaims) UnmarshalJSON ¶ added in v0.11.0

func (claims *FlattenedClaims) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals JSON into the flattened claims.

type MockProvider ¶

type MockProvider struct {
	AuthenticateResponse oauth2.Token
	AuthenticateError    error
	RefreshResponse      oauth2.Token
	RefreshError         error
	RevokeError          error
	GetSignInURLResponse string
	LogOutResponse       url.URL
	LogOutError          error
	UpdateUserInfoError  error
}

MockProvider provides a mocked implementation of the providers interface.

func (MockProvider) Authenticate ¶

func (mp MockProvider) Authenticate(context.Context, string, identity.State) (*oauth2.Token, error)

Authenticate is a mocked providers function.

func (MockProvider) GetSignInURL ¶

func (mp MockProvider) GetSignInURL(s string) (string, error)

GetSignInURL is a mocked providers function.

func (MockProvider) LogOut ¶ added in v0.8.0

func (mp MockProvider) LogOut() (*url.URL, error)

LogOut is a mocked providers function.

func (MockProvider) Name ¶ added in v0.11.0

func (mp MockProvider) Name() string

Name returns the provider name.

func (MockProvider) Refresh ¶

func (mp MockProvider) Refresh(context.Context, *oauth2.Token, identity.State) (*oauth2.Token, error)

Refresh is a mocked providers function.

func (MockProvider) Revoke ¶

func (mp MockProvider) Revoke(ctx context.Context, s *oauth2.Token) error

Revoke is a mocked providers function.

func (MockProvider) UpdateUserInfo ¶ added in v0.10.0

func (mp MockProvider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error

UpdateUserInfo is a mocked providers function.

type SessionClaims ¶ added in v0.11.0

type SessionClaims struct {
	Claims
	RawIDToken string
}

SessionClaims are claims that are attached to a session so we can store the raw id token.

func (*SessionClaims) SetRawIDToken ¶ added in v0.11.0

func (claims *SessionClaims) SetRawIDToken(rawIDToken string)

SetRawIDToken sets the raw id token.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
identity Package identity is a package to avoid a dependency cycle.	Package identity is a package to avoid a dependency cycle.
manager Package manager contains an identity manager responsible for refreshing sessions and creating users.	Package manager contains an identity manager responsible for refreshing sessions and creating users.
oauth Package oauth provides support for making OAuth2 authorized and authenticated HTTP requests, as specified in RFC 6749.	Package oauth provides support for making OAuth2 authorized and authenticated HTTP requests, as specified in RFC 6749.
github Package github implements OAuth2 based authentication for github https://www.pomerium.io/docs/identity-providers/github.html	Package github implements OAuth2 based authentication for github https://www.pomerium.io/docs/identity-providers/github.html
oidc Package oidc implements a generic OpenID Connect provider.	Package oidc implements a generic OpenID Connect provider.
auth0 Package auth0 implements OpenID Connect for auth0 https://www.pomerium.io/docs/identity-providers/auth0.html	Package auth0 implements OpenID Connect for auth0 https://www.pomerium.io/docs/identity-providers/auth0.html
azure Package azure implements OpenID Connect for Microsoft Azure https://www.pomerium.io/docs/identity-providers/azure.html	Package azure implements OpenID Connect for Microsoft Azure https://www.pomerium.io/docs/identity-providers/azure.html
gitlab Package gitlab implements OpenID Connect for Gitlab https://www.pomerium.io/docs/identity-providers/gitlab.html	Package gitlab implements OpenID Connect for Gitlab https://www.pomerium.io/docs/identity-providers/gitlab.html
google Package google implements OpenID Connect for Google and GSuite.	Package google implements OpenID Connect for Google and GSuite.
okta Package okta implements OpenID Connect for okta https://www.pomerium.io/docs/identity-providers/okta.html	Package okta implements OpenID Connect for okta https://www.pomerium.io/docs/identity-providers/okta.html
onelogin Package onelogin implements OpenID Connect for OneLogin https://www.pomerium.io/docs/identity-providers/one-login.html	Package onelogin implements OpenID Connect for OneLogin https://www.pomerium.io/docs/identity-providers/one-login.html
ping Package ping implements OpenID Connect for Ping https://www.pomerium.io/docs/identity-providers/ping.html	Package ping implements OpenID Connect for Ping https://www.pomerium.io/docs/identity-providers/ping.html

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL