Depending on the session algorithm used and on how and when `func SetToken(r *http.Request, t interface{})` is being used, this library is vulnerable to token substitution attacks. Please inform the developer that `SetToken()` should never be called, except when handling the OAuth2 callback. I would make it private.
If the remote IdP's user id is used (e.g. by calling the `user_info` endpoint) for authentication, and the access token can be set by e.g. calling `login?access_token=123`, a malicious user will be able to break in by generating an access token for the same user on another app.
Please add a section that informs developers to use ID tokens provided by OpenID Connect instead.
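An added example (not code from the library or from the issue's author) of what the recommended OpenID Connect approach buys the relying party: an ID token is verified and then bound to this application through its `aud` claim, so a token the same user obtained for another app is rejected even though the user id matches. Assumes an HS256 ID token keyed with the client secret (which OIDC Core permits) and a single-string `aud`; `VerifyIDToken` and `IDTokenClaims` are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// IDTokenClaims is the subset of OpenID Connect ID token claims checked here.
type IDTokenClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// VerifyIDToken verifies an HS256-signed ID token and binds it to THIS relying party:
// issuer must be our IdP, audience must be our client_id, and it must be unexpired. The aud
// check defeats token substitution: a token minted for another app carries that app's id.
func VerifyIDToken(token, secret, issuer, clientID string, now time.Time) (*IDTokenClaims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := base64.RawURLEncoding.DecodeString(p[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // also rejects alg=none
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(p[0] + "." + p[1])) // signing input is header.payload exactly as received
	if sig, err := base64.RawURLEncoding.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c IDTokenClaims
	if b, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(b, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != clientID:
		return nil, errors.New("audience mismatch: token was issued to another app")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

With RS256 tokens, where every client verifies against the same IdP key, the `aud` comparison is the only thing that ties the token to this client, which is why it must never be skipped.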