feat: check 'iss' in `verify_oauth2_token` (#500) Co-authored-by: Tianzi Cai <tianzi@google.com>

commit: c05b8b52e3bbc096cf32e2d4bb5bd45986d3cd04 [log] [tgz]
author: Bu Sun Kim <8822365+busunkim96@users.noreply.github.com> Mon Jun 29 16:27:30 2020 -0700
committer: GitHub <noreply@github.com> Mon Jun 29 16:27:30 2020 -0700
tree: ee63ef37e39e78bf70c1c62688c56c55b1028bac
parent: 06d7f97adaebb3b34ce6a159c23061dd2554e8ac [diff] [blame]
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index e78add4..bf6bf2c 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py

@@ -80,6 +80,8 @@
     "/securetoken@system.gserviceaccount.com"
 )
 
+_GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"]
+
 
 def _fetch_certs(request, certs_url):
     """Fetches certificates.
@@ -140,11 +142,23 @@
 
     Returns:
         Mapping[str, Any]: The decoded token.
+
+    Raises:
+        exceptions.GoogleAuthError: If the issuer is invalid.
     """
-    return verify_token(
+    idinfo = verify_token(
         id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
     )
 
+    if idinfo["iss"] not in _GOOGLE_ISSUERS:
+        raise exceptions.GoogleAuthError(
+            "Wrong issuer. 'iss' should be one of the following: {}".format(
+                _GOOGLE_ISSUERS
+            )
+        )
+
+    return idinfo
+
 
 def verify_firebase_token(id_token, request, audience=None):
     """Verifies an ID Token issued by Firebase Authentication.
commit	c05b8b52e3bbc096cf32e2d4bb5bd45986d3cd04	[log] [tgz]
author	Bu Sun Kim <8822365+busunkim96@users.noreply.github.com>	Mon Jun 29 16:27:30 2020 -0700
committer	GitHub <noreply@github.com>	Mon Jun 29 16:27:30 2020 -0700
tree	ee63ef37e39e78bf70c1c62688c56c55b1028bac
parent	06d7f97adaebb3b34ce6a159c23061dd2554e8ac [diff] [blame]