Depending on the session algorithm used and on how and when func SetToken(r *http.Request, t interface{}) is being used, this library is vulnerable to token substitution attacks. Please inform the developer that SetToken() should never be called, except when handling the OAuth2 callback. I would make it private.
If the remote IdP's user id is used for authentication (e.g. by calling the user_info endpoint), and the access token can be set by e.g. calling login?access_token=123, a malicious user will be able to break in by generating an access token for the same user on another app.
Please add a section that informs developers to use id tokens provided by OpenID Connect instead.
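The check the issue asks for, as an added example that is not code from the issue or from the library: an ID token is only accepted if it verifies under this client's secret and its aud claim is this app's client_id, so a token minted for the same user on another app is rejected. It assumes HS256 signing with the client secret and constructed sample values; exp and nonce checks are left out for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // plain string here; OIDC also allows an array
}
// sign computes HS256 over "header.payload" with the client secret.
func sign(secret, input string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// MintIDToken only builds constructed sample tokens for this demo; the IdP mints real ones.
func MintIDToken(secret string, c Claims) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(c)
	in := enc([]byte(`{"alg":"HS256"}`)) + "." + enc(body)
	return in + "." + enc(sign(secret, in))
}
// VerifyIDToken returns sub only if the signature (always HMAC with the client secret;
// the header's alg is ignored), iss and aud hold. The aud check is what defeats substitution.
func VerifyIDToken(raw, secret, issuer, clientID string) (string, error) {
	dec, p := base64.RawURLEncoding.DecodeString, strings.Split(raw, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	if sig, err := dec(p[2]); err != nil || !hmac.Equal(sig, sign(secret, p[0]+"."+p[1])) {
		return "", errors.New("bad signature")
	}
	var c Claims
	if payload, err := dec(p[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return "", errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return "", errors.New("wrong issuer")
	case c.Aud != clientID:
		return "", errors.New("token issued to a different client")
	}
	return c.Sub, nil
}
```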