
Commit cb470f0

[SECURITY-208] Validate the hd claim
If the user configures a "Google Apps Domain", then the hd claim of the ID token (a JSON Web Token returned by the code exchange) must be validated as matching that configured domain. https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#hd-param
1 parent 1132d84 commit cb470f0


1 file changed

+8
-1
lines changed


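--- a/src/main/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.java
+++ b/src/main/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.java
@@ -28,6 +28,8 @@
 import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
 import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.auth.oauth2.TokenResponse;
+import com.google.api.client.auth.openidconnect.IdToken;
+import com.google.api.client.auth.openidconnect.IdTokenResponse;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
@@ -168,7 +170,12 @@ public HttpResponse doCommenceLogin(@QueryParameter String from, @Header("Refer
     @Override
     public HttpResponse onSuccess(String authorizationCode) {
         try {
-            TokenResponse response = flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()).execute();
+            IdTokenResponse response = IdTokenResponse.execute(
+                    flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()));
+            IdToken idToken = IdToken.parse(JSON_FACTORY,response.getIdToken());
+            if (domain != null && ! domain.equals(idToken.getPayload().get("hd"))) {
+                return HttpResponses.errorWithoutStack(401, "Unauthorized");
+            }
             final Credential credential = flow.createAndStoreCredential(response, null);
 
             HttpRequestFactory requestFactory =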
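Review bot: The `hd` comparison on the new `if` line reads the claim from an ID token that is only parsed (`IdToken.parse`), never verified — no issuer, audience, expiry or signature check via `IdTokenVerifier`. That is defensible only because the token arrives directly from Google's token endpoint in the authorization-code exchange the line above performs, and that assumption should be stated where a future refactor could break it: `// hd is trusted unverified only because this ID token came straight from Google's token endpoint over TLS; if the token source ever changes, verify it with IdTokenVerifier first`. Two other properties of the check deserve a comment so nobody "fixes" them away: a token with no `hd` claim (a consumer account) makes `domain.equals(null)` false and is rejected, and a configured value that differs only in case or whitespace from Google's normalized `hd` also fails closed, so the admin-entered `domain` should be trimmed and lower-cased where it is set if that is not already done elsewhere. The body of `onSuccess` continues past the end of this hunk, so I could not confirm what the 401 path looks like to the user.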
