
Improved OIDC compliance #213

Merged
merged 16 commits into from
May 15, 2020

Conversation

lbalmaceda
Contributor

@lbalmaceda lbalmaceda commented May 4, 2020

Changes

This update improves the SDK support for OpenID Connect. In particular, it modifies the sign-in verification phase by adding, on top of the backchannel checks, the option to perform id_token validation.

TODO

  • Signature verifiers for RS256 and HS256 algorithms.
  • JWKS fetching
  • JWKS caching
  • Custom exception/error classes
  • Doc-blocks
  • Readme usage instructions

Testing

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language or why not

Checklist

@lbalmaceda lbalmaceda requested a review from a team May 4, 2020 22:17


class SignatureVerifier():
    DISABLE_JWT_CHECKS = {
Contributor Author

These need to be disabled here in order to only validate the signature of the token


    def __init__(self, algorithm):
        if not algorithm or type(algorithm) != str:
            raise ValueError("algorithm must be specified.")
Contributor Author

a small safety check for this instance to have an "expected algorithm" defined

        self._algorithm = algorithm

    def _fetch_key(self, key_id=None):
        raise NotImplementedError
Contributor Author

will be implemented by the subclasses, providing "keys" AKA shared secrets or public certificates


class SymmetricSignatureVerifier(SignatureVerifier):

    def __init__(self, shared_secret, algorithm="HS256"):
Contributor Author

I'm not sure if the algorithm should be exposed here or kept hardcoded in the internals. I don't see any use case for auth0. Applies to the AsymmetricSignatureVerifier as well
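An added, stand-alone illustration of the verifier design discussed in the threads above (example code written for this page, not the PR's implementation, which builds on pyjwt): an HS256 verifier that pins the expected algorithm, checks only the signature and leaves claim validation to a later step. `TokenValidationError` stands in for the PR's custom exception classes; `make_hs256_token` and `signature_error` are constructed test helpers.

```python
import base64
import hashlib
import hmac
import json

class TokenValidationError(Exception):
    """Raised when a token cannot be decoded or its signature is invalid."""

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')

class SymmetricSignatureVerifier:
    """Verifies HS256 signatures only; claim checks happen in a later step."""
    def __init__(self, shared_secret, algorithm='HS256'):
        if not algorithm or not isinstance(algorithm, str):
            raise ValueError('algorithm must be specified.')
        self._secret = shared_secret.encode('utf-8')
        self._algorithm = algorithm

    def verify_signature(self, token):
        parts = token.split('.')
        if len(parts) != 3:
            raise TokenValidationError('ID token could not be decoded.')
        header = json.loads(_b64url_decode(parts[0]))
        # Pin the algorithm: a header claiming "none" or any other alg is rejected before the HMAC check.
        if header.get('alg') != self._algorithm:
            raise TokenValidationError('Signature algorithm of "{}" is not supported. Expected the ID token to be signed with "{}"'.format(header.get('alg'), self._algorithm))
        signing_input = '{}.{}'.format(parts[0], parts[1]).encode('ascii')
        expected = hmac.new(self._secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise TokenValidationError('Invalid token signature.')
        return json.loads(_b64url_decode(parts[1]))

def make_hs256_token(payload, secret, alg='HS256'):
    """Constructed test helper: mint an HMAC-SHA256 token whose header says `alg`."""
    header = _b64url_encode(json.dumps({'alg': alg, 'typ': 'JWT'}).encode('utf-8'))
    body = _b64url_encode(json.dumps(payload).encode('utf-8'))
    sig = hmac.new(secret.encode('utf-8'), '{}.{}'.format(header, body).encode('ascii'), hashlib.sha256).digest()
    return '{}.{}.{}'.format(header, body, _b64url_encode(sig))

def signature_error(token, secret):
    # Constructed test helper: the failure message, or None when the signature verifies.
    try:
        SymmetricSignatureVerifier(secret).verify_signature(token)
    except TokenValidationError as err:
        return str(err)
    return None
```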

        # Verify claims
        # Issuer

        if 'iss' not in payload or type(payload['iss']) != str:
Contributor Author

check 4, claims presence/value

            raise TokenValidationError('Audience (aud) claim mismatch in the ID token; expected "{}" but found "{}"'.format(opt['aud'], payload['aud']))

        # --Time validation (epoch)--
        now = opt['_clock'] or time.time()
Contributor Author

I'm not assigning this default value at construction time since I don't want to "fix" the value of the clock to whatever returns time.time()
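The claim-validation step and injectable clock discussed in the threads above, written out as an added example (not the PR's code). It goes slightly beyond the fragments shown by also enforcing the azp rule for multi-audience tokens and by treating only `None` as "no clock injected"; `validation_error` and `SAMPLE_PAYLOAD` are constructed for testing.

```python
import time

class TokenValidationError(Exception):
    """Raised when an ID token claim fails validation."""


def verify_claims(payload, issuer, audience, leeway=60, clock=None):
    """Check iss, aud/azp and time claims of an already signature-verified ID token body.

    `clock` is an epoch value tests can inject; None means the real time, so an
    injected 0 is honoured (`clock or time.time()` would silently replace it).
    """
    iss = payload.get('iss')
    if not isinstance(iss, str):
        raise TokenValidationError('Issuer (iss) claim must be a string present in the ID token')
    if iss != issuer:
        raise TokenValidationError('Issuer (iss) claim mismatch in the ID token; expected "{}" but found "{}"'.format(issuer, iss))
    aud = payload.get('aud')
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        raise TokenValidationError('Audience (aud) claim must be a string or array of strings present in the ID token')
    if audience not in aud:
        raise TokenValidationError('Audience (aud) claim mismatch in the ID token; expected "{}" but found "{}"'.format(audience, aud))
    if len(aud) > 1 and payload.get('azp') != audience:
        # OIDC Core 3.1.3.7: with several audiences, azp must name this client.
        raise TokenValidationError('Authorized Party (azp) claim mismatch in the ID token; expected "{}" but found "{}"'.format(audience, payload.get('azp')))
    now = time.time() if clock is None else clock
    exp = payload.get('exp')
    if not isinstance(exp, int):
        raise TokenValidationError('Expiration Time (exp) claim must be a number present in the ID token')
    if now > exp + leeway:
        raise TokenValidationError('Expiration Time (exp) claim error in the ID token; current time ({}) is after expiration time ({})'.format(int(now), exp + leeway))
    if not isinstance(payload.get('iat'), int):
        raise TokenValidationError('Issued At (iat) claim must be a number present in the ID token')
    return payload


def validation_error(payload, issuer, audience, clock=None):
    """Return the failure message, or None when the claims pass (handy for tests)."""
    try:
        verify_claims(payload, issuer, audience, clock=clock)
    except TokenValidationError as err:
        return str(err)
    return None


# Constructed sample payload (not from the page), issued at a fixed epoch.
SAMPLE_PAYLOAD = {'iss': 'https://tenant.example.com/', 'aud': ['my-client-id', 'other-client'],
                  'azp': 'my-client-id', 'exp': 1600000600, 'iat': 1600000000, 'sub': 'auth0|user'}
```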

    def verify_signature(self, token):
        try:
            header = jwt.get_unverified_header(token)
        except jwt.exceptions.DecodeError:
Contributor Author

all these try/catches are required to launch our custom exception messages

@@ -1,3 +1,4 @@
requests>=2.14.0
mock==1.3.0
pre-commit
pyjwt[crypto]>=1.7.1
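Review bot: `pyjwt[crypto]>=1.7.1` sets only a lower bound, so a future major release of PyJWT could change the `jwt` calls token_verifier.py depends on and break fresh installs without any change on this side; consider an upper bound on the major version (for example `pyjwt[crypto]>=1.7.1,<2.0`), which is consistent with the file already pinning `mock==1.3.0` exactly.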
Contributor Author

the recommended way of requiring this dependency, since it includes "crypto" and is easier to tell both are used "together"

Member

@jpadilla jpadilla left a comment

good stuff 👏

@lbalmaceda lbalmaceda merged commit ad5acc6 into master May 15, 2020
@lbalmaceda lbalmaceda deleted the add-idtv branch May 15, 2020 23:34
@lbalmaceda lbalmaceda added this to the v3-Next milestone May 15, 2020
@lbalmaceda lbalmaceda modified the milestones: v3-Next, 3.10.0 Jun 25, 2020