GoIncremental/negroni-oauth2

This library is vulnerable to token substitution attacks

aeneasr opened this issue · 0 comments

Depending on the session algorithm used and on how and when func SetToken(r *http.Request, t interface{}) is being used, this library is vulnerable to token substitution attacks. Please inform the developer that SetToken() should never be called, except when handling the oauth2 callback. I would make it private.

If the remote IdP's user id is used (e.g. by calling the user_info endpoint) for authentication, and the access token can be set by e.g. calling login?access_token=123, a malicious user will be able to break in by generating an access token for the same user on another app.

Please add a section that informs developers to use id tokens provided by OpenID Connect instead.
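Why an OpenID Connect ID token closes this hole: it carries an `aud` claim naming the client it was minted for, so a token obtained from the same IdP through another app fails validation even though `sub` matches. The following is an added example, not code from negroni-oauth2 or from the issue author; the issuer, client ID, nonce and claim payloads are constructed, and signature verification is assumed to have already been performed on the token before its payload reaches this function.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IDTokenClaims holds the OIDC claims this check uses (a constructed subset; real tokens carry more).
type IDTokenClaims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"` // OIDC allows an array here; a single string suffices for this example
	Expiry   int64  `json:"exp"`
	Nonce    string `json:"nonce,omitempty"`
}

// ValidateIDToken applies the OIDC Core 3.1.3.7 checks that defeat substitution:
// the token must come from the expected issuer, be addressed to *this* client (aud),
// be unexpired, and echo the nonce bound to this login attempt.
// Signature verification is assumed to have happened before the payload gets here.
func ValidateIDToken(payload []byte, issuer, clientID, nonce string, now time.Time) (string, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", fmt.Errorf("malformed id_token payload: %w", err)
	}
	switch {
	case c.Issuer != issuer:
		return "", errors.New("iss mismatch")
	case c.Audience != clientID:
		// The substitution case from the issue: a token minted for another app on the same IdP.
		return "", errors.New("aud mismatch: token was issued to a different client")
	case now.Unix() >= c.Expiry:
		return "", errors.New("id_token expired")
	case c.Nonce != nonce:
		return "", errors.New("nonce mismatch")
	}
	return c.Subject, nil
}

func main() {
	now := time.Unix(1_700_000_000, 0)
	ours := []byte(`{"iss":"https://idp.example","sub":"user-42","aud":"our-app","exp":1700000600,"nonce":"n1"}`)
	theirs := []byte(`{"iss":"https://idp.example","sub":"user-42","aud":"other-app","exp":1700000600,"nonce":"n1"}`)
	for _, p := range [][]byte{ours, theirs} {
		sub, err := ValidateIDToken(p, "https://idp.example", "our-app", "n1", now)
		fmt.Println(sub, err) // first: user-42 <nil>; second: aud mismatch
	}
}
```

A plain access token has no comparable audience binding the relying party can check, which is why authenticating on user_info alone lets the other-app token through.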