Commit 449878e

author
Andreea Muscalu
committed
Check for v=OID. Use only RS256 algorithm. Check exp claim on jwt
1 parent 62f49f4 commit 449878e

1 file changed

+11
-10
lines changed


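--- a/social_core/backends/id4me.py
+++ b/social_core/backends/id4me.py
@@ -73,7 +73,9 @@ def get_key_and_secret(self):
         issuer_configuration = self.oidc_config_authority()
         response = requests.post(issuer_configuration['registration_endpoint'], json={
             'client_name': self.setting('SOCIAL_AUTH_ID4ME_CLIENT_NAME', ''),
-            'redirect_uris': [self.get_redirect_uri()]
+            'redirect_uris': [self.get_redirect_uri()],
+            'id_token_signed_response_alg': 'RS256',
+            'userinfo_signed_response_alg': 'RS256'
         })
 
         if response.status_code != 200:
@@ -147,21 +149,23 @@ def find_valid_key(self, id_token):
             header = jwt.get_unverified_header(id_token)
             if header['kid'] == key['kid']:
                 if 'alg' not in key:
-                    key['alg'] = 'RS256' if key['kty'] == 'RSA' else 'ES256'
+                    key['alg'] = 'RS256'
                 return key
 
     def find_agent_valid_key(self, id_token):
         for key in self.get_agent_keys():
             header = jwt.get_unverified_header(id_token)
             if header['kid'] == key['kid']:
                 if 'alg' not in key:
-                    key['alg'] = 'RS256' if key['kty'] == 'RSA' else 'ES256'
+                    key['alg'] = 'RS256'
                 return key
 
     def auth_complete(self, *args, **kwargs):
         self.validate_state()
         identity = self.strategy.session_get(self.name + '_identity')
         openid_configuration = self.get_identity_record(identity)
+        if 'v' not in openid_configuration or openid_configuration['v'] != 'OID1':
+            raise AuthUnreachableProvider(self)
         if 'clp' not in openid_configuration:
             raise AuthUnreachableProvider(self)
         self.strategy.session_set(self.name + '_agent', openid_configuration['clp'])
@@ -196,6 +200,8 @@ def auth_url(self):
         if not is_valid_domain(identity):
             raise AuthForbidden(self)
         openid_configuration = self.get_identity_record(identity)
+        if 'v' not in openid_configuration or openid_configuration['v'] != 'OID1':
+            raise AuthUnreachableProvider(self)
         if 'iss' not in openid_configuration:
             raise AuthUnreachableProvider(self)
         self.strategy.session_set(self.name + '_authority', openid_configuration['iss'])
@@ -216,13 +222,8 @@ def auth_complete_credentials(self):
     def validate_claims(self, id_token):
         utc_timestamp = timegm(datetime.datetime.utcnow().utctimetuple())
 
-        if 'nbf' in id_token and utc_timestamp < id_token['nbf']:
-            raise AuthTokenError(self, 'Incorrect id_token: nbf')
-
-        # Verify the token was issued in the last 10 minutes
-        iat_leeway = self.setting('ID_TOKEN_MAX_AGE', self.ID_TOKEN_MAX_AGE)
-        if utc_timestamp > id_token['iat'] + iat_leeway:
-            raise AuthTokenError(self, 'Incorrect id_token: iat')
+        if utc_timestamp > id_token['exp']:
+            raise AuthTokenError(self, 'Incorrect id_token: exp')
 
     def validate_and_return_user_token(self, user_token):
         client_id, client_secret = self.get_key_and_secret()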
