-rw-r--r-- | google/auth/transport/requests.py | 6 | ||||
-rw-r--r-- | google/oauth2/id_token.py | 16 | ||||
-rw-r--r-- | tests/oauth2/test_id_token.py | 11 |
3 files changed, 31 insertions, 2 deletions
diff --git a/google/auth/transport/requests.py b/google/auth/transport/requests.py
index 9f55bea..4f5af7d 100644
--- a/google/auth/transport/requests.py
+++ b/google/auth/transport/requests.py
@@ -365,7 +365,11 @@ class AuthorizedSession(requests.Session):
six.raise_from(new_exc, caught_exc)
try:
- self._is_mtls, cert, key = google.auth.transport._mtls_helper.get_client_cert_and_key(
+ (
+ self._is_mtls,
+ cert,
+ key,
+ ) = google.auth.transport._mtls_helper.get_client_cert_and_key(
client_cert_callback
)
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index e78add4..bf6bf2c 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py
@@ -80,6 +80,8 @@ _GOOGLE_APIS_CERTS_URL = (
"/securetoken@system.gserviceaccount.com"
)
+_GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"]
+
def _fetch_certs(request, certs_url):
"""Fetches certificates.
@@ -140,11 +142,23 @@ def verify_oauth2_token(id_token, request, audience=None):
Returns:
Mapping[str, Any]: The decoded token.
+
+ Raises:
+ exceptions.GoogleAuthError: If the issuer is invalid.
"""
- return verify_token(
+ idinfo = verify_token(
id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
)
+ if idinfo["iss"] not in _GOOGLE_ISSUERS:
+ raise exceptions.GoogleAuthError(
+ "Wrong issuer. 'iss' should be one of the following: {}".format(
+ _GOOGLE_ISSUERS
+ )
+ )
+
+ return idinfo
+
def verify_firebase_token(id_token, request, audience=None):
"""Verifies an ID Token issued by Firebase Authentication.
diff --git a/tests/oauth2/test_id_token.py b/tests/oauth2/test_id_token.py
index ff85807..0c70d68 100644
--- a/tests/oauth2/test_id_token.py
+++ b/tests/oauth2/test_id_token.py
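Review bot: In the new issuer check in verify_oauth2_token (second hunk of google/oauth2/id_token.py), `idinfo["iss"]` raises KeyError when the decoded token carries no `iss` claim, so such a token is rejected with an undocumented exception type instead of the GoogleAuthError the new Raises section promises. Use `if idinfo.get("iss") not in _GOOGLE_ISSUERS:` so a missing claim is refused through the same path as an unrecognised one. This assumes verify_token returns a Mapping as its docstring states; the def line of verify_oauth2_token and the start of its docstring lie outside the hunk (only the header context shows the signature).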
@@ -95,6 +95,7 @@ def test_verify_token_args(_fetch_certs, decode):
@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
def test_verify_oauth2_token(verify_token):
+ verify_token.return_value = {"iss": "accounts.google.com"}
result = id_token.verify_oauth2_token(
mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
)
@@ -109,6 +110,16 @@ def test_verify_oauth2_token(verify_token):
@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
+def test_verify_oauth2_token_invalid_iss(verify_token):
+ verify_token.return_value = {"iss": "invalid_issuer"}
+
+ with pytest.raises(exceptions.GoogleAuthError):
+ id_token.verify_oauth2_token(
+ mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
+ )
+
+
+@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
def test_verify_firebase_token(verify_token):
result = id_token.verify_firebase_token(
mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience |
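Review bot: test_verify_oauth2_token_invalid_iss (second hunk of tests/oauth2/test_id_token.py) pins only the rejection of an unknown issuer; the `https://accounts.google.com` entry of `_GOOGLE_ISSUERS` is never exercised by an accepting test, and a decoded token with no `iss` claim is untested at all, even though with the `idinfo["iss"]` lookup in id_token.py that case currently surfaces as KeyError rather than GoogleAuthError. Consider parametrizing test_verify_oauth2_token over both entries of `id_token._GOOGLE_ISSUERS` with `@pytest.mark.parametrize`, and adding a case that sets `verify_token.return_value = {}` and expects `exceptions.GoogleAuthError`, so the behaviour for a missing claim is fixed by the suite rather than left to whichever exception happens to escape.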