[Python-modules-commits] [python-social-auth] 29/131: Updated ID token iat claim validation for OpenIdConnectAuth
Wolfgang Borgert
debacle at moszumanska.debian.org
Sat Dec 24 15:16:57 UTC 2016
debacle pushed a commit to tag v0.2.20
in repository python-social-auth.
commit d5b018382e02fd78957fa42285b42700caa319bf
Author: Clinton Blackburn <clinton.blackburn at gmail.com>
Date: Sat Apr 23 17:35:40 2016 -0400
Updated ID token iat claim validation for OpenIdConnectAuth
The maximum age of the ID token is now exposed as a class variable rather than hardcoded to 10 minutes.
---
social/backends/open_id.py | 25 +++++++++++++++++--------
social/tests/backends/open_id.py | 25 ++++++++++++-------------
2 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/social/backends/open_id.py b/social/backends/open_id.py
index a6c6124..91cd39e 100644
--- a/social/backends/open_id.py
+++ b/social/backends/open_id.py
@@ -2,18 +2,16 @@ import datetime
from calendar import timegm
from jwt import InvalidTokenError, decode as jwt_decode
-
from openid.consumer.consumer import Consumer, SUCCESS, CANCEL, FAILURE
from openid.consumer.discover import DiscoveryFailure
from openid.extensions import sreg, ax, pape
-from social.utils import url_add_parameters
-from social.exceptions import AuthException, AuthFailed, AuthCanceled, \
- AuthUnknownError, AuthMissingParameter, \
- AuthTokenError
from social.backends.base import BaseAuth
from social.backends.oauth import BaseOAuth2
-
+from social.exceptions import (
+ AuthException, AuthFailed, AuthCanceled, AuthUnknownError, AuthMissingParameter, AuthTokenError
+)
+from social.utils import url_add_parameters
# OpenID configuration
OLD_AX_ATTRS = [
@@ -278,6 +276,7 @@ class OpenIdConnectAuth(BaseOAuth2):
Currently only the code response type is supported.
"""
ID_TOKEN_ISSUER = None
+ ID_TOKEN_MAX_AGE = 600
DEFAULT_SCOPE = ['openid']
EXTRA_DATA = ['id_token', 'refresh_token', ('sub', 'id')]
# Set after access_token is retrieved
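Review bot: The new `ID_TOKEN_MAX_AGE = 600` carries no unit, and nothing in the class body says it can be overridden per backend; the companion test file annotates its copy with `# seconds`, so the backend should too. A one-line comment is enough: `ID_TOKEN_MAX_AGE = 600  # seconds; overridable via the ID_TOKEN_MAX_AGE setting`. The lookup that honours the setting sits in a later hunk of this file (`self.setting('ID_TOKEN_MAX_AGE', self.ID_TOKEN_MAX_AGE)`), which is why the attribute deserves the pointer. The class definition starts and ends outside this hunk.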
@@ -331,6 +330,15 @@ class OpenIdConnectAuth(BaseOAuth2):
'audience': client_id,
'issuer': self.ID_TOKEN_ISSUER,
'key': self.setting('ID_TOKEN_DECRYPTION_KEY'),
+ 'options': {
+ 'verify_signature': True,
+ 'verify_exp': True,
+ 'verify_iat': True,
+ 'verify_aud': True,
+ 'verify_iss': True,
+ 'require_exp': True,
+ 'require_iat': True,
+ },
}
decode_kwargs.update(self.setting('ID_TOKEN_JWT_DECODE_KWARGS', {}))
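Review bot: The `decode_kwargs.update(...)` on the last line of the hunk replaces the new `'options'` mapping wholesale, so a deployment whose `ID_TOKEN_JWT_DECODE_KWARGS` setting carries its own `'options'` key (for instance to add one flag) silently drops every `verify_*`/`require_*` entry added here, `verify_signature` included. Merging the nested mapping keeps the defaults unless a key is overridden explicitly: `extra = dict(self.setting('ID_TOKEN_JWT_DECODE_KWARGS', {}))`, `decode_kwargs['options'].update(extra.pop('options', {}))`, `decode_kwargs.update(extra)`. Whether any shipped configuration actually sets `'options'` cannot be seen from the diff. The method that builds `decode_kwargs` starts and ends outside this hunk.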
@@ -341,9 +349,10 @@ class OpenIdConnectAuth(BaseOAuth2):
except InvalidTokenError as err:
raise AuthTokenError(self, err)
- # Verify the token was issued in the last 10 minutes
+ # Verify the token was issued within a specified amount of time
+ iat_leeway = self.setting('ID_TOKEN_MAX_AGE', self.ID_TOKEN_MAX_AGE)
utc_timestamp = timegm(datetime.datetime.utcnow().utctimetuple())
- if id_token['iat'] < (utc_timestamp - 600):
+ if id_token['iat'] < (utc_timestamp - iat_leeway):
raise AuthTokenError(self, 'Incorrect id_token: iat')
# Validate the nonce to ensure the request was not modified
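Review bot: `iat_leeway` on the second added line is a misleading name for the value: it is the maximum accepted token age (the setting and the class attribute both call it MAX_AGE), whereas `leeway` in PyJWT's vocabulary is a clock-skew tolerance applied around exp/nbf/iat. Renaming keeps the comment, the setting and the code in agreement: `max_age = self.setting('ID_TOKEN_MAX_AGE', self.ID_TOKEN_MAX_AGE)` and `if id_token['iat'] < (utc_timestamp - max_age):`. The comparison only rejects tokens older than the window; an `iat` ahead of the local clock passes this line, and whether it is caught depends on the `verify_iat` option handed to `jwt_decode` in the previous hunk, which the diff alone does not confirm. The enclosing method starts and ends outside this hunk.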
diff --git a/social/tests/backends/open_id.py b/social/tests/backends/open_id.py
index 22e6d45..c46a550 100644
--- a/social/tests/backends/open_id.py
+++ b/social/tests/backends/open_id.py
@@ -1,13 +1,11 @@
# -*- coding: utf-8 -*-
-from calendar import timegm
-
-import sys
-import json
import datetime
+import json
+import sys
+from calendar import timegm
-import requests
import jwt
-
+import requests
from openid import oidutil
@@ -127,14 +125,15 @@ class OpenIdConnectTestMixin(object):
client_key = 'a-key'
client_secret = 'a-secret-key'
issuer = None # id_token issuer
+ id_token_max_age = 600 # seconds
def extra_settings(self):
settings = super(OpenIdConnectTestMixin, self).extra_settings()
settings.update({
'SOCIAL_AUTH_{0}_KEY'.format(self.name): self.client_key,
'SOCIAL_AUTH_{0}_SECRET'.format(self.name): self.client_secret,
- 'SOCIAL_AUTH_{0}_ID_TOKEN_DECRYPTION_KEY'.format(self.name):
- self.client_secret
+ 'SOCIAL_AUTH_{0}_ID_TOKEN_DECRYPTION_KEY'.format(self.name): self.client_secret,
+ 'SOCIAL_AUTH_{0}_ID_TOKEN_MAX_AGE'.format(self.name): self.id_token_max_age,
})
return settings
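Review bot: `id_token_max_age = 600` in the mixin equals the backend's new `ID_TOKEN_MAX_AGE` default, so the value injected through `SOCIAL_AUTH_{0}_ID_TOKEN_MAX_AGE` is indistinguishable from the class default and `test_invalid_issue_time` below would still pass if the setting were never read. Choosing a value that differs from the default, e.g. `id_token_max_age = 120  # seconds; deliberately not the backend default`, makes the test actually prove the setting is honoured. The diff does not show whether a positive case (a token issued inside the window is accepted) exists elsewhere in the mixin; if not, one would pair naturally with the rejection test. The mixin class continues outside this hunk.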
@@ -197,11 +196,11 @@ class OpenIdConnectTestMixin(object):
algorithm='HS256').decode('utf-8')
return json.dumps(body)
- def authtoken_raised(self, expected_message, **access_token_kwargs):
+ def authtoken_raised(self, expected_message_regexp, **access_token_kwargs):
self.access_token_body = self.prepare_access_token_body(
**access_token_kwargs
)
- with self.assertRaisesRegexp(AuthTokenError, expected_message):
+ with self.assertRaisesRegexp(AuthTokenError, expected_message_regexp):
self.do_login()
def test_invalid_secret(self):
@@ -225,10 +224,10 @@ class OpenIdConnectTestMixin(object):
client_key='someone-else')
def test_invalid_issue_time(self):
- expiration_datetime = datetime.datetime.utcnow() - \
- datetime.timedelta(hours=1)
+ issue_datetime = datetime.datetime.utcnow() - \
+ datetime.timedelta(seconds=self.id_token_max_age + 1)
self.authtoken_raised('Token error: Incorrect id_token: iat',
- issue_datetime=expiration_datetime)
+ issue_datetime=issue_datetime)
def test_invalid_nonce(self):
self.authtoken_raised(