oidc in oidc.go #5234

New issue

Closed

opened 2026-05-05 14:57:14 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 14:57:14 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5300
Author: @orbisai0security
Created: 4/29/2026
Status: ❌ Closed

Base: dev ← Head: fix-oidc-issuer-validation-v003

📝 Commits (1)

0f591af fix: V-003 security vulnerability

📊 Changes

1 file changed (+2 additions, -1 deletions)

View changed files

📝 pkg/auth/oidc.go (+2 -1)

📄 Description

Summary

Fix critical severity security issue in pkg/auth/oidc.go.

Vulnerability

Field	Value
ID	V-003
Severity	CRITICAL
Scanner	multi_agent_ai
Rule	`V-003`
File	`pkg/auth/oidc.go:29`

Description: The frp OIDC authentication in pkg/auth/oidc.go uses a configurable OIDC provider URL. The existence of a mock OIDC server in the test suite confirms the application supports arbitrary, externally-configured OIDC providers. If the issuer (iss) claim is not strictly validated against a hardcoded or securely configured trusted issuer URL, an attacker who can influence the OIDC provider configuration or perform DNS hijacking can redirect authentication to a rogue provider that issues tokens granting full access.

Changes

pkg/auth/oidc.go

Verification

Build passes
Scanner re-scan confirms fix
LLM code review passed

Automated security fix by OrbisAI Security

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fatedier/frp/pull/5300 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 4/29/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix-oidc-issuer-validation-v003` --- ### 📝 Commits (1) - [`0f591af`](https://github.com/fatedier/frp/commit/0f591af57c4e7bf5d0256ae36104c519e0b5adb0) fix: V-003 security vulnerability ### 📊 Changes **1 file changed** (+2 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `pkg/auth/oidc.go` (+2 -1) </details> ### 📄 Description ## Summary Fix critical severity security issue in `pkg/auth/oidc.go`. ## Vulnerability | Field | Value | |-------|-------| | **ID** | V-003 | | **Severity** | CRITICAL | | **Scanner** | multi_agent_ai | | **Rule** | `V-003` | | **File** | `pkg/auth/oidc.go:29` | **Description**: The frp OIDC authentication in pkg/auth/oidc.go uses a configurable OIDC provider URL. The existence of a mock OIDC server in the test suite confirms the application supports arbitrary, externally-configured OIDC providers. If the issuer (iss) claim is not strictly validated against a hardcoded or securely configured trusted issuer URL, an attacker who can influence the OIDC provider configuration or perform DNS hijacking can redirect authentication to a rogue provider that issues tokens granting full access. ## Changes - `pkg/auth/oidc.go` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>