Summary
TokenEndpoint and DeviceAuthEndpoint from the OIDC discovery document are used without validating they share the same host as the issuer URL. A compromised discovery document could redirect token requests to an attacker-controlled endpoint.
Location
cli/internal/auth/device_flow.go (line 84+)
Risk
Device code and token are sent to endpoints from an untrusted discovery document. An attacker who controls the discovery response can steal auth tokens.
Suggested fix
Validate that all endpoints from the discovery document share the same scheme+host as the issuer URL.
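One way to implement the suggested check in Go (added example, not code from the affected repository; the Discovery struct and its field names are assumptions, as is the requirement that every endpoint use https):

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Discovery mirrors the two discovery-document fields the device flow
// dereferences. Field names are assumed for this example.
type Discovery struct {
	TokenEndpoint      string
	DeviceAuthEndpoint string
}

// validateEndpoint requires an endpoint to be an https URL whose host
// (including any port) matches the issuer's host. Hostnames compare
// case-insensitively per RFC 3986; a differing port is a mismatch.
func validateEndpoint(issuer *url.URL, name, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%s: %q is not an absolute https URL", name, raw)
	}
	if !strings.EqualFold(u.Host, issuer.Host) {
		return fmt.Errorf("%s: host %q does not match issuer host %q", name, u.Host, issuer.Host)
	}
	return nil
}

// ValidateDiscovery rejects a discovery document whose token or device
// authorization endpoint points anywhere but the issuer's own origin.
func ValidateDiscovery(issuerURL string, d Discovery) error {
	issuer, err := url.Parse(issuerURL)
	if err != nil {
		return fmt.Errorf("issuer: %w", err)
	}
	if issuer.Scheme != "https" || issuer.Host == "" {
		return fmt.Errorf("issuer %q is not an absolute https URL", issuerURL)
	}
	if err := validateEndpoint(issuer, "token_endpoint", d.TokenEndpoint); err != nil {
		return err
	}
	return validateEndpoint(issuer, "device_authorization_endpoint", d.DeviceAuthEndpoint)
}

func main() {
	// Constructed sample: a tampered document pointing token_endpoint off-origin.
	d := Discovery{TokenEndpoint: "https://attacker.example/token", DeviceAuthEndpoint: "https://idp.example.com/device"}
	fmt.Println(ValidateDiscovery("https://idp.example.com", d))
}
```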