feat: check 'iss' in `verify_oauth2_token` (#500)
Co-authored-by: Tianzi Cai <tianzi@google.com>
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index e78add4..bf6bf2c 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py
@@ -80,6 +80,8 @@
"/securetoken@system.gserviceaccount.com"
)
+_GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"]
+
def _fetch_certs(request, certs_url):
"""Fetches certificates.
@@ -140,11 +142,23 @@
Returns:
Mapping[str, Any]: The decoded token.
+
+ Raises:
+ exceptions.GoogleAuthError: If the issuer is invalid.
"""
- return verify_token(
+ idinfo = verify_token(
id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
)
+ if idinfo["iss"] not in _GOOGLE_ISSUERS:
+ raise exceptions.GoogleAuthError(
+ "Wrong issuer. 'iss' should be one of the following: {}".format(
+ _GOOGLE_ISSUERS
+ )
+ )
+
+ return idinfo
+
def verify_firebase_token(id_token, request, audience=None):
"""Verifies an ID Token issued by Firebase Authentication.
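Review bot: The new check at `if idinfo["iss"] not in _GOOGLE_ISSUERS:` raises `KeyError` rather than the `exceptions.GoogleAuthError` the docstring now promises when a correctly signed token simply carries no `iss` claim, so a caller that catches `GoogleAuthError` to reject bad tokens would see an unrelated exception type escape. Use `if idinfo.get("iss") not in _GOOGLE_ISSUERS:` so a missing issuer is rejected on the same path as a wrong one, and consider appending the observed value to the message (e.g. `"... got {!r}".format(idinfo.get("iss"))`) to make rejected tokens diagnosable. Since the check only runs after `verify_token` has validated signature and audience, this is an inconsistent failure mode rather than a bypass. `verify_oauth2_token`'s signature and the start of its docstring lie outside this hunk, and I am assuming `exceptions` is `google.auth.exceptions` imported at the top of the module.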