Add JWT verification to OpenID Connect registration flow (#2988)

LXIF · github-actions[bot] · web-flow · commit 2dfbd1757a0b · 2025-04-03T08:33:03.000Z
* add jwt verification to openid registration and add integration test that checks that a faulty jwt will fail

* 🤖 cargo-fmt auto-update

* clippy fix

* 🤖 cargo-fmt auto-update

* CLIPPY FIX

* 🤖 cargo-fmt auto-update

---------

Co-authored-by: github-actions &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/src/internet_identity/src/main.rs b/src/internet_identity/src/main.rs
@@ -778,7 +778,7 @@ mod openid_api {
         remove_openid_credential, update_openid_credential,
     };
     use crate::authz_utils::{anchor_operation_with_authz_check, IdentityUpdateError};
-    use crate::openid::{self, OpenIdCredentialKey};
+    use crate::openid::{self, verify, OpenIdCredentialKey};
     use crate::storage::anchor::AnchorError;
     use crate::{
         state, IdentityNumber, OpenIdCredentialAddError, OpenIdCredentialRemoveError,
@@ -806,9 +806,12 @@ mod openid_api {
     fn openid_identity_registration_finish(
         arg: OpenIDRegFinishArg,
     ) -> Result<IdRegFinishResult, IdRegFinishError> {
-        registration::registration_flow_v2::identity_registration_finish(
-            CreateIdentityData::OpenID(arg),
-        )
+        match verify(&arg.jwt, &arg.salt) {
+            Ok(_) => registration::registration_flow_v2::identity_registration_finish(
+                CreateIdentityData::OpenID(arg),
+            ),
+            Err(err) => Err(IdRegFinishError::InvalidAuthnMethod(err)),
+        }
     }
 
     #[update]
diff --git a/src/internet_identity/tests/integration/openid.rs b/src/internet_identity/tests/integration/openid.rs
@@ -220,6 +220,32 @@ fn can_register_with_google() -> Result<(), CallError> {
     Ok(())
 }
 
+/// Verifies that you cannot register with a faulty jwt
+#[test]
+#[should_panic]
+fn cannot_register_with_faulty_jwt() {
+    let env = env();
+
+    let canister_id = setup_canister(&env);
+
+    let (_jwt, salt, _claims, test_time, test_principal, _test_authn_method) = openid_test_data();
+
+    let faulty_jwt = "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc2M2Y3YzRjZDI2YTFlYjJiMWIzOWE4OGY0NDM0ZDFmNGQ5YTM2OGIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzNjA1ODc5OTE2NjgtNjNicGMxZ25ncDFzNWdibzFhbGRhbDRhNTBjMWowYmIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiIzNjA1ODc5OTE2NjgtNjNicGMxZ25ncDFzNWdibzFhbGRhbDRhNTBjMWowYmIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDcxNzAzNjg4OTgyMTkwMzU3MjEiLCJoZCI6ImRmaW5pdHkub3JnIiwiZW1haWwiOiJhbmRyaS5zY2hhdHpAZGZpbml0eS5vcmciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibm9uY2UiOiJmQkcxS3IzUWt5Z0dHelNJWG9Pd2p3RF95QjhXS0FfcVJPUlZjMFp0WHlJIiwibmJmIjoxNzQwNTgzNDEyLCJuYW1lIjoiQW5kcmkgU2NoYXR6IiwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS9hL0FDZzhvY0k1YUU0Mmo0Ml9JcEdqSHFjT2lUemVQLXRZaWNhMFZSLURnYklWcjJCWGtOSWxoUT1zOTYtYyIsImdpdmVuX25hbWUiOiJBbmRyaSIsImZhbWlseV9uYW1lIjoiU2NoYXR6IiwiaWF0IjoxNzQwNTgzNzEyLCJleHAiOjE3NDA1ODczMTIsImp0aSI6IjhjNjkzMWE4YmVmZjllOWM3OTRmYjM5ZTkwNTExOTM4MTk4MDgxZDYifQ.PVAbLj1Fv7AUwH16nFiedJkmPOUg1UkPnAkVj6S9MDhpEV467tP7iOxQCx64i0_imTymcjkzH9pcfTsaKpY8fWPrWSWZzDy9S4GygjOQeg13NXg_H23X2-IY_OVHKqtrAibhZZUppvczijqZja7-HmUivoAJIGsMOk1IxbJdalOhE5yQtsYEx4ZBxFemR7CTfMzopsAaRWgPHI7T0MENuiCbkSy_NYQPBzNpmGcKoZoyUbleFUzej8gbkqpoIUVdfwuNtoe_TMjED5eqJxi1Pip85iy4wJTa2RKUTZxUfqVCaTEftVt8U-PV1UgPsxpu0mKS5z5bXylmgclUzcNnmh";
+
+    let time_to_advance = Duration::from_millis(test_time) - Duration::from_nanos(time(&env));
+    env.advance_time(time_to_advance);
+
+    // Create identity - this will panic if it doesn't work. It should panic as we are using a faulty jwt.
+
+    let _identity_number = create_identity_with_openid_credential(
+        &env,
+        canister_id,
+        faulty_jwt,
+        &salt,
+        test_principal,
+    );
+}
+
 static CLIENT_ID: &str = "360587991668-63bpc1gngp1s5gbo1aldal4a50c1j0bb.apps.googleusercontent.com";
 
 #[derive(Deserialize)]
