authorBu Sun Kim <8822365+busunkim96@users.noreply.github.com>2020-06-29 16:27:30 -0700
committerGitHub <noreply@github.com>2020-06-29 16:27:30 -0700
commitc05b8b52e3bbc096cf32e2d4bb5bd45986d3cd04 (patch)
treeee63ef37e39e78bf70c1c62688c56c55b1028bac
parent06d7f97adaebb3b34ce6a159c23061dd2554e8ac (diff)
downloadgoogle-auth-library-python-c05b8b52e3bbc096cf32e2d4bb5bd45986d3cd04.tar.gz
feat: check 'iss' in `verify_oauth2_token` (#500)
Co-authored-by: Tianzi Cai <tianzi@google.com>
-rw-r--r--google/auth/transport/requests.py6
-rw-r--r--google/oauth2/id_token.py16
-rw-r--r--tests/oauth2/test_id_token.py11
3 files changed, 31 insertions, 2 deletions
diff --git a/google/auth/transport/requests.py b/google/auth/transport/requests.py
index 9f55bea..4f5af7d 100644
--- a/google/auth/transport/requests.py
+++ b/google/auth/transport/requests.py
@@ -365,7 +365,11 @@ class AuthorizedSession(requests.Session):
six.raise_from(new_exc, caught_exc)
try:
- self._is_mtls, cert, key = google.auth.transport._mtls_helper.get_client_cert_and_key(
+ (
+ self._is_mtls,
+ cert,
+ key,
+ ) = google.auth.transport._mtls_helper.get_client_cert_and_key(
client_cert_callback
)
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index e78add4..bf6bf2c 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py
@@ -80,6 +80,8 @@ _GOOGLE_APIS_CERTS_URL = (
"/securetoken@system.gserviceaccount.com"
)
+_GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"]
+
def _fetch_certs(request, certs_url):
"""Fetches certificates.
@@ -140,11 +142,23 @@ def verify_oauth2_token(id_token, request, audience=None):
Returns:
Mapping[str, Any]: The decoded token.
+
+ Raises:
+ exceptions.GoogleAuthError: If the issuer is invalid.
"""
- return verify_token(
+ idinfo = verify_token(
id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
)
+ if idinfo["iss"] not in _GOOGLE_ISSUERS:
+ raise exceptions.GoogleAuthError(
+ "Wrong issuer. 'iss' should be one of the following: {}".format(
+ _GOOGLE_ISSUERS
+ )
+ )
+
+ return idinfo
+
def verify_firebase_token(id_token, request, audience=None):
"""Verifies an ID Token issued by Firebase Authentication.
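Review bot: `idinfo["iss"]` on the new line after the verify_token call raises a bare KeyError when the decoded token carries no `iss` claim, so a token without an issuer escapes the `exceptions.GoogleAuthError` path the new docstring promises; `if idinfo.get("iss") not in _GOOGLE_ISSUERS:` rejects an absent claim with the same error. The added test in tests/oauth2/test_id_token.py covers only a wrong issuer value, not a missing claim, so that case is currently untested. `_GOOGLE_ISSUERS` in the earlier hunk of this file is an allow-list consulted only here; a comment above it such as `# Accepted 'iss' values for Google-issued OAuth2 ID tokens (bare host and https form); checked by verify_oauth2_token` would make the intent visible where the constant is defined.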
diff --git a/tests/oauth2/test_id_token.py b/tests/oauth2/test_id_token.py
index ff85807..0c70d68 100644
--- a/tests/oauth2/test_id_token.py
+++ b/tests/oauth2/test_id_token.py
@@ -95,6 +95,7 @@ def test_verify_token_args(_fetch_certs, decode):
@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
def test_verify_oauth2_token(verify_token):
+ verify_token.return_value = {"iss": "accounts.google.com"}
result = id_token.verify_oauth2_token(
mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
)
@@ -109,6 +110,16 @@ def test_verify_oauth2_token(verify_token):
@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
+def test_verify_oauth2_token_invalid_iss(verify_token):
+ verify_token.return_value = {"iss": "invalid_issuer"}
+
+ with pytest.raises(exceptions.GoogleAuthError):
+ id_token.verify_oauth2_token(
+ mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
+ )
+
+
+@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
def test_verify_firebase_token(verify_token):
result = id_token.verify_firebase_token(
mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience