As a user, I expect to decode the claim set of a JWT with validation of the signature and registered claim names #37

Open
rogeruiz opened this issue Jul 27, 2017 · 1 comment

Comments

@rogeruiz

Hey @toolness,

With this line in authentication.py changing verify to false in the decode call for user_info, I think we can't guarantee the integrity of the token.

Our UAA server has an endpoint which returns the JSON Web Token (JWT) key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA.

We expose it at https://uaa.fr.cloud.gov/token_keys and you can read more about it here after step 3️⃣.

The function call will need to be changed to something like this.

```python
import jwt  # PyJWT

# `value` and `alg` are taken from the UAA's /token_keys response
# (the PEM-encoded public key and its algorithm, e.g. RS256).
user_info = jwt.decode(
    access_token,
    key='value_from_token_keys_endpoint',
    algorithms=['alg_from_token_keys_endpoint'],  # PyJWT takes a list of allowed algorithms
)
```

This will also need to be updated in the cg-fake-uaa repo as well.

@toolness (Contributor)

Thanks for filing this! There's actually a reason we don't verify, but for some reason the comment explaining it is in the fake UAA provider instead of authentication.py:

    # The client won't need to verify this because it will be communicating
    # directly with the ID provider (i.e., us) over an intermediary-free
    # trusted channel, using its client secret to authenticate with us.
    #
    # https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo

That last URL, a link to the documentation for Google's own OpenID Connect implementation, mentions the following:

An ID Token is a JWT (JSON Web Token), that is, a cryptographically signed Base64-encoded JSON object. Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid. If your server passes the ID token to other components of your app, it is extremely important that the other components validate the token before using it.

At the time we were thinking about this for CALC in https://github.com/18F/calc/pull/317, it seemed we could simply replace all occurrences of "Google" in the above passage with "cloud.gov" and it'd still make sense. Were we mistaken in thinking this?
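Worked example of what the validation requested in the first comment involves, and of what the Google passage means when it says components that receive the token later must validate it. This is an added editor's illustration, not code from the calc, cg-fake-uaa or UAA projects. It uses only the Python standard library, so in place of the RS256 keys a real UAA publishes at /token_keys it assumes a constructed key document with an HS256 shared secret (with PyJWT the equivalent call against the real endpoint would be `jwt.decode(token, key=pem, algorithms=['RS256'], audience=...)`); the issuer, audience, secret and tokens are all constructed. The verifier selects the key by `kid`, pins the algorithm to the one published for that key, checks the signature, then checks the registered claims `iss`, `aud`, `exp` and `nbf`; `decode_unverified` shows the `verify=False` behaviour for contrast.

```python
"""Signature and registered-claim validation of a JWT, standard library only.

Constructed example: the key document, secret, issuer, audience and tokens are
all made up here. A real UAA publishes RSA public keys (RS256) at /token_keys;
HS256 with a shared secret is used so this runs offline without PyJWT.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://uaa.example.test/oauth/token"  # constructed issuer
AUDIENCE = "calc"                                # constructed client id

# Constructed stand-in for the JSON a /token_keys endpoint returns, keyed by kid.
TOKEN_KEYS = {
    "keys": [
        {"kid": "key-1", "alg": "HS256", "value": "constructed-example-secret"},
    ]
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, secret: str) -> str:
    """Issuer side: produce a compact JWS. Used here only to build sample tokens."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token: str) -> dict:
    """What verify=False amounts to: the payload is trusted as-is, whoever wrote it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, token_keys: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claim set only if the signature and registered claims check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # Select the key by kid and pin the algorithm to the one published for that
    # key; the header's alg is never trusted on its own (this also rejects "none").
    key = next((k for k in token_keys["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    if key["alg"] != "HS256" or header.get("alg") != key["alg"]:
        raise ValueError("algorithm mismatch")

    expected = hmac.new(
        key["value"].encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Registered claims (RFC 7519 section 4.1): issuer, audience, expiry, not-before.
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def verification_outcome(token: str, token_keys: dict, issuer: str, audience: str, now=None) -> str:
    """'ok' when verify_jwt accepts the token, otherwise the rejection reason."""
    try:
        verify_jwt(token, token_keys, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    header = {"alg": "HS256", "typ": "JWT", "kid": "key-1"}
    secret = TOKEN_KEYS["keys"][0]["value"]
    good = sign_hs256(header, {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600, "user_name": "alice"}, secret)
    # Same shape of claims with user_name changed, signed with a guessed secret.
    forged = sign_hs256(header, {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600, "user_name": "admin"}, "attacker-guess")
    print("unverified view of forged token:", decode_unverified(forged)["user_name"])
    print("good token:", verification_outcome(good, TOKEN_KEYS, ISSUER, AUDIENCE, now))
    print("forged token:", verification_outcome(forged, TOKEN_KEYS, ISSUER, AUDIENCE, now))
```

The order of checks matters: the key is chosen by `kid` and the algorithm is pinned before any signature arithmetic, so a header claiming `alg: none` or a different algorithm is rejected without ever consulting the signature, and the clock checks run only on a payload whose integrity has already been established.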
