@@ -73,7 +73,9 @@ def get_key_and_secret(self):
73
73
issuer_configuration = self .oidc_config_authority ()
74
74
response = requests .post (issuer_configuration ['registration_endpoint' ], json = {
75
75
'client_name' : self .setting ('SOCIAL_AUTH_ID4ME_CLIENT_NAME' , '' ),
76
- 'redirect_uris' : [self .get_redirect_uri ()]
76
+ 'redirect_uris' : [self .get_redirect_uri ()],
77
+ 'id_token_signed_response_alg' : 'RS256' ,
78
+ 'userinfo_signed_response_alg' : 'RS256'
77
79
})
78
80
79
81
if response .status_code != 200 :
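Review bot: Requesting `id_token_signed_response_alg` / `userinfo_signed_response_alg` of RS256 at registration only expresses a preference; the provider's registration response decides what is actually used, and nothing in this hunk confirms it. Where the response body is parsed (below this hunk, get_key_and_secret continues past it), the returned metadata should be checked, e.g. `if registration.get('id_token_signed_response_alg', 'RS256') != 'RS256': raise AuthUnreachableProvider(self)`, or the accepted algorithm must be pinned again wherever the ID token is decoded. Presumably the decode call passes `algorithms=['RS256']`; if it does not, the registration hint alone does not protect against a provider (or an attacker-controlled agent) answering with a different algorithm.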
@@ -147,21 +149,23 @@ def find_valid_key(self, id_token):
147
149
header = jwt .get_unverified_header (id_token )
148
150
if header ['kid' ] == key ['kid' ]:
149
151
if 'alg' not in key :
150
- key ['alg' ] = 'RS256' if key [ 'kty' ] == 'RSA' else 'ES256'
152
+ key ['alg' ] = 'RS256'
151
153
return key
152
154
153
155
def find_agent_valid_key (self , id_token ):
154
156
for key in self .get_agent_keys ():
155
157
header = jwt .get_unverified_header (id_token )
156
158
if header ['kid' ] == key ['kid' ]:
157
159
if 'alg' not in key :
158
- key ['alg' ] = 'RS256' if key [ 'kty' ] == 'RSA' else 'ES256'
160
+ key ['alg' ] = 'RS256'
159
161
return key
160
162
161
163
def auth_complete (self , * args , ** kwargs ):
162
164
self .validate_state ()
163
165
identity = self .strategy .session_get (self .name + '_identity' )
164
166
openid_configuration = self .get_identity_record (identity )
167
+ if 'v' not in openid_configuration or openid_configuration ['v' ] != 'OID1' :
168
+ raise AuthUnreachableProvider (self )
165
169
if 'clp' not in openid_configuration :
166
170
raise AuthUnreachableProvider (self )
167
171
self .strategy .session_set (self .name + '_agent' , openid_configuration ['clp' ])
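Review bot: In find_valid_key and find_agent_valid_key the new `key['alg'] = 'RS256'` is applied to any JWK that lacks `alg`, including EC or symmetric keys, so a non-RSA key is now mislabelled instead of being rejected. Since the backend commits to RS256, the safer form is to skip keys that cannot carry it, `if key.get('kty') != 'RSA': continue`, and only then default the algorithm; this also matters because `jwt.get_unverified_header` is untrusted input and `kid` matching alone must not pick the verification algorithm. Both loops still need the decode call (outside this hunk) to pass `algorithms=['RS256']` so the header's own `alg` is never honoured. find_valid_key begins outside the hunk and find_agent_valid_key appears to return None implicitly when no `kid` matches; callers should handle that.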
@@ -196,6 +200,8 @@ def auth_url(self):
196
200
if not is_valid_domain (identity ):
197
201
raise AuthForbidden (self )
198
202
openid_configuration = self .get_identity_record (identity )
203
+ if 'v' not in openid_configuration or openid_configuration ['v' ] != 'OID1' :
204
+ raise AuthUnreachableProvider (self )
199
205
if 'iss' not in openid_configuration :
200
206
raise AuthUnreachableProvider (self )
201
207
self .strategy .session_set (self .name + '_authority' , openid_configuration ['iss' ])
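Review bot: The new `'v'` / `'OID1'` version check here is a byte-for-byte copy of the one added to auth_complete, which makes it easy for the two entry points to drift the next time the record format changes. A small helper such as `def _check_record_version(self, record): if record.get('v') != 'OID1': raise AuthUnreachableProvider(self)` called from both places keeps one definition of "supported record"; `record.get('v') != 'OID1'` also collapses the two-part condition, assuming get_identity_record always returns a dict. auth_url continues outside this hunk.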
@@ -216,13 +222,8 @@ def auth_complete_credentials(self):
216
222
def validate_claims (self , id_token ):
217
223
utc_timestamp = timegm (datetime .datetime .utcnow ().utctimetuple ())
218
224
219
- if 'nbf' in id_token and utc_timestamp < id_token ['nbf' ]:
220
- raise AuthTokenError (self , 'Incorrect id_token: nbf' )
221
-
222
- # Verify the token was issued in the last 10 minutes
223
- iat_leeway = self .setting ('ID_TOKEN_MAX_AGE' , self .ID_TOKEN_MAX_AGE )
224
- if utc_timestamp > id_token ['iat' ] + iat_leeway :
225
- raise AuthTokenError (self , 'Incorrect id_token: iat' )
225
+ if utc_timestamp > id_token ['exp' ]:
226
+ raise AuthTokenError (self , 'Incorrect id_token: exp' )
226
227
227
228
def validate_and_return_user_token (self , user_token ):
228
229
client_id , client_secret = self .get_key_and_secret ()
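Review bot: Dropping the `nbf` check means an ID token whose not-before time is still in the future is now accepted, and removing the `iat` bound leaves the issuer's `exp` as the only freshness limit; adding the required `exp` check is right, but the `nbf` check should stay alongside it. The new line also raises KeyError rather than AuthTokenError when `exp` is missing, so the token should be rejected explicitly in that case. If the JWT decode elsewhere already validates `exp`/`nbf` with leeway, a comment here saying this is a deliberate second check would help; otherwise the clock skew the old `ID_TOKEN_MAX_AGE` setting tolerated is gone. validate_claims appears to be fully contained in this hunk.
```python
    def validate_claims(self, id_token):
        utc_timestamp = timegm(datetime.datetime.utcnow().utctimetuple())

        # nbf is optional, but when the issuer sets it a token must not be used early.
        if 'nbf' in id_token and utc_timestamp < id_token['nbf']:
            raise AuthTokenError(self, 'Incorrect id_token: nbf')

        # exp is REQUIRED in an ID token; treat its absence as an invalid token,
        # not as a KeyError.
        if 'exp' not in id_token or utc_timestamp > id_token['exp']:
            raise AuthTokenError(self, 'Incorrect id_token: exp')
```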