github.com/cloudentity/oauth2
This repo is a drop-in replacement for `golang.org/x/oauth2`.
It extends the original library with additional authentication methods:
It also adds utility methods for easy use of PKCE.
When using Go modules you can run:

```sh
go mod edit -replace golang.org/x/oauth2=github.com/cloudentity/oauth2
```
When using any of the originally supported authentication methods, there's no need to change anything. This library can be used as a drop-in replacement.
For new authentication methods see the examples below:
```go
import (
	"context"
	"time"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/advancedauth"
	"golang.org/x/oauth2/clientcredentials"
)

// private_key_jwt client authentication with the client credentials grant
cfg := clientcredentials.Config{
	ClientID:  "your client id",
	AuthStyle: oauth2.AuthStylePrivateKeyJWT,
	PrivateKeyAuth: advancedauth.PrivateKeyAuth{
		Key:       "your PEM encoded private key",
		Algorithm: advancedauth.RS256,
		Exp:       30 * time.Second, // lifetime of the signed client assertion
	},
}
token, err := cfg.Token(context.Background())
```
```go
import (
	"context"
	"time"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/advancedauth"
)

// private_key_jwt client authentication with the authorization code grant
cfg := oauth2.Config{
	ClientID: "your client id",
	Endpoint: oauth2.Endpoint{
		AuthStyle: oauth2.AuthStylePrivateKeyJWT,
	},
	PrivateKeyAuth: advancedauth.PrivateKeyAuth{
		Key:       "your PEM encoded private key",
		Algorithm: advancedauth.RS256,
		Exp:       30 * time.Second, // lifetime of the signed client assertion
	},
	Scopes: []string{"scope1", "scope2"},
}
token, err := cfg.Exchange(context.Background(), "your authorization code")
```
If you want to use `tls_client_auth` or `self_signed_tls_client_auth`, there is no dedicated configuration for the client certificate and key. You should create an appropriate `*http.Client` and pass it in the context. This library adds an `AuthStyle`, `AuthStyleTLS`, which sends the `client_id` but skips the `client_secret`.

Example:
```go
import (
	"context"
	"crypto/tls"
	"net/http"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/clientcredentials"
)

// ... generate cert

// The client certificate is presented by the HTTP transport, not by the OAuth2 config.
client := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			Certificates: []tls.Certificate{cert},
		},
	},
}

cfg := clientcredentials.Config{
	ClientID:  "your client id",
	AuthStyle: oauth2.AuthStyleTLS, // sends client_id only; no client_secret
}
// Hand the mTLS-capable client to the library through the context.
token, err := cfg.Token(context.WithValue(context.Background(), oauth2.HTTPClient, client))
```
```go
import (
	"context"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/advancedauth/pkce"
)
```

Create a `PKCE` with

```go
p, err := pkce.New()
```

or, if you want to specify the code challenge method and verifier length:

```go
p, err := pkce.NewWithMethodVerifierLength(pkce.S256, 84)
```

`PKCE` exposes a few utility methods to ease creating the `AuthCodeURL`. You can use the utility method returning the needed `AuthCodeOption`s:

```go
url := conf.AuthCodeURL("state", p.AuthCodeURLOpts()...)
```

or the individual methods:

```go
url := conf.AuthCodeURL("state", p.ChallengeOpt(), p.MethodOpt())
```

`PKCE` also exposes similar methods for `Exchange`:

```go
tok, err := conf.Exchange(context.Background(), "exchange-code", p.ExchangeOpts()...)
```

or, with individual methods:

```go
tok, err := conf.Exchange(context.Background(), "exchange-code", p.VerifierOpt(), p.MethodOpt())
```
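To show what the `S256` challenge and verifier carried by `p.ChallengeOpt()` and `p.VerifierOpt()` amount to on the wire, here is an added standard-library example (not code from this fork or from `golang.org/x/oauth2`): it generates a code verifier of a given length, derives the RFC 7636 `S256` challenge, and checks it the way an authorization server does at the token endpoint. The function names `newVerifier`, `s256Challenge` and `verifyS256` are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"math/big"
)

// Unreserved characters a code_verifier may contain; RFC 7636 limits its length to 43..128.
const verifierAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

func validLength(n int) bool { return n >= 43 && n <= 128 }

// newVerifier returns a random code_verifier of n characters drawn from crypto/rand.
func newVerifier(n int) (string, error) {
	if !validLength(n) {
		return "", errors.New("pkce: verifier length must be in 43..128")
	}
	out := make([]byte, n)
	alphabetLen := big.NewInt(int64(len(verifierAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, alphabetLen) // unbiased, unlike rand() % len
		if err != nil {
			return "", err
		}
		out[i] = verifierAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// s256Challenge is the code_challenge sent with code_challenge_method=S256:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyS256 is the authorization server's token-endpoint check: recompute the
// challenge from the presented verifier and compare in constant time.
func verifyS256(challenge, verifier string) bool {
	if !validLength(len(verifier)) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(s256Challenge(verifier)), []byte(challenge)) == 1
}
```

Because the verifier never leaves the client until the token request, an attacker who intercepts only the authorization code cannot redeem it without also knowing the verifier behind the challenge.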
This fork tries to limit changes to the original codebase to the minimum. All the new major changes are implemented in the `advancedauth` package.