feat: check 'iss' in `verify_oauth2_token` (#500)

Co-authored-by: Tianzi Cai <tianzi@google.com>
diff --git a/google/auth/transport/requests.py b/google/auth/transport/requests.py
index 9f55bea..4f5af7d 100644
--- a/google/auth/transport/requests.py
+++ b/google/auth/transport/requests.py
@@ -365,7 +365,11 @@
             six.raise_from(new_exc, caught_exc)
 
         try:
-            self._is_mtls, cert, key = google.auth.transport._mtls_helper.get_client_cert_and_key(
+            (
+                self._is_mtls,
+                cert,
+                key,
+            ) = google.auth.transport._mtls_helper.get_client_cert_and_key(
                 client_cert_callback
             )
 
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index e78add4..bf6bf2c 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py
@@ -80,6 +80,8 @@
     "/securetoken@system.gserviceaccount.com"
 )
 
+_GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"]
+
 
 def _fetch_certs(request, certs_url):
     """Fetches certificates.
@@ -140,11 +142,23 @@
 
     Returns:
         Mapping[str, Any]: The decoded token.
+
+    Raises:
+        exceptions.GoogleAuthError: If the issuer is invalid.
     """
-    return verify_token(
+    idinfo = verify_token(
         id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
     )
 
+    if idinfo["iss"] not in _GOOGLE_ISSUERS:
+        raise exceptions.GoogleAuthError(
+            "Wrong issuer. 'iss' should be one of the following: {}".format(
+                _GOOGLE_ISSUERS
+            )
+        )
+
+    return idinfo
+
 
 def verify_firebase_token(id_token, request, audience=None):
     """Verifies an ID Token issued by Firebase Authentication.
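Review bot: `idinfo["iss"]` on the line after the verify_token call raises a bare KeyError when the decoded payload carries no `iss` claim at all, so a token that omits the claim is rejected with a different exception type than the one the new Raises section documents. Using `if idinfo.get("iss") not in _GOOGLE_ISSUERS:` lets a missing claim fall through to the same GoogleAuthError path as a wrong issuer. Since the membership test is the only use, `_GOOGLE_ISSUERS` from the earlier hunk could also be a tuple or frozenset rather than a mutable list. The signature of verify_oauth2_token and the start of its docstring are outside the hunk.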
diff --git a/tests/oauth2/test_id_token.py b/tests/oauth2/test_id_token.py
index ff85807..0c70d68 100644
--- a/tests/oauth2/test_id_token.py
+++ b/tests/oauth2/test_id_token.py
@@ -95,6 +95,7 @@
 
 @mock.patch("google.oauth2.id_token.verify_token", autospec=True)
 def test_verify_oauth2_token(verify_token):
+    verify_token.return_value = {"iss": "accounts.google.com"}
     result = id_token.verify_oauth2_token(
         mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
     )
@@ -109,6 +110,16 @@
 
 
 @mock.patch("google.oauth2.id_token.verify_token", autospec=True)
+def test_verify_oauth2_token_invalid_iss(verify_token):
+    verify_token.return_value = {"iss": "invalid_issuer"}
+
+    with pytest.raises(exceptions.GoogleAuthError):
+        id_token.verify_oauth2_token(
+            mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
+        )
+
+
+@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
 def test_verify_firebase_token(verify_token):
     result = id_token.verify_firebase_token(
         mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
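Review bot: test_verify_oauth2_token_invalid_iss only exercises a wrong issuer string; nothing covers a payload that omits `iss` entirely, which is the input most likely to diverge from what the docstring promises, because the subscript in verify_oauth2_token raises KeyError rather than GoogleAuthError for it. A companion test with `verify_token.return_value = {}` would pin whichever exception the maintainers intend; the expected type below assumes the issuer check is made tolerant of a missing claim. test_verify_firebase_token begins at the bottom of the hunk and continues outside it.
```python
@mock.patch("google.oauth2.id_token.verify_token", autospec=True)
def test_verify_oauth2_token_missing_iss(verify_token):
    verify_token.return_value = {}

    # expected type assumes a missing 'iss' is reported like a wrong issuer
    with pytest.raises(exceptions.GoogleAuthError):
        id_token.verify_oauth2_token(
            mock.sentinel.token, mock.sentinel.request, audience=mock.sentinel.audience
        )
```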