Skip to content

Authenticated Push: must also verify the iss claim #2111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
anguillanneuf merged 3 commits into from
Apr 12, 2019
Merged

Authenticated Push: must also verify the iss claim #2111

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2be5c8a
Verify iss claim
anguillanneuf Apr 12, 2019
0d6e632
format
anguillanneuf Apr 12, 2019
b6e2f62
Fix test
anguillanneuf Apr 12, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 11 additions & 14 deletions appengine/standard_python37/pubsub/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import logging
import os

from google.auth import jwt
from google.auth.transport import requests
from google.cloud import pubsub_v1
from google.oauth2 import id_token
Expand All @@ -38,15 +37,14 @@
# Global list to store messages, tokens, etc. received by this instance.
MESSAGES = []
TOKENS = []
HEADERS = []
CLAIMS = []

# [START index]
@app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'GET':
return render_template('index.html', messages=MESSAGES, tokens=TOKENS,
headers=HEADERS, claims=CLAIMS)
claims=CLAIMS)

data = request.form.get('payload', 'Example payload').encode('utf-8')

Expand Down Expand Up @@ -74,18 +72,17 @@ def receive_messages_handler():
token = bearer_token.split(' ')[1]
TOKENS.append(token)

header = jwt.decode_header(token)
HEADERS.append(header)

# Verify and decode the JWT. Underneath it checks the signature against
# Google's public certs at https://www.googleapis.com/oauth2/v1/certs.
# It also checks the token expiration time.
claim = id_token.verify_oauth2_token(token, requests.Request())
# Verify and decode the JWT. `verify_oauth2_token` verifies
# the JWT signature, the `aud` claim, and the `exp` claim.
claim = id_token.verify_oauth2_token(token, requests.Request(),
audience='example.com')
# Must also verify the `iss` claim.
if claim['iss'] not in [
'accounts.google.com',
'https://accounts.google.com'
]:
raise ValueError('Wrong issuer.')
CLAIMS.append(claim)

# Check the audience field in the claim. It was specified in
# `--push-auth-token-audience` when you created the subscription.
assert claim['aud'] == 'example.com'
except Exception as e:
return 'Invalid token: {}\n'.format(e), 400

Expand Down
2 changes: 1 addition & 1 deletion appengine/standard_python37/pubsub/main_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ def fake_token(signer):
yield jwt.encode(signer, payload, header=header)


def _verify_mocked_oauth2_token(token, request):
def _verify_mocked_oauth2_token(token, request, audience):
claims = jwt.decode(token, certs=PUBLIC_CERT_BYTES, verify=True)
return claims

Expand Down
5 changes: 0 additions & 5 deletions appengine/standard_python37/pubsub/templates/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,6 @@
<li>{{token}}</li>
{% endfor %}
</p>
<p>Print HEADERS:
{% for header in headers: %}
<li>{{header}}</li>
{% endfor %}
</p>
<p>Print CLAIMS:
{% for claim in claims: %}
<li>{{claim}}</li>
Expand Down