[SECURITY-208] Validate the hd claim

If the user configures a "Google Apps Domain", then the hd claim of the JSON Web token must be validated as matching that configured domain. https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#hd-param
jenkinsci · Oct 9, 2015 · cb470f0 · cb470f0
1 parent 1132d84
commit cb470f0
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/main/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.java b/src/main/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.java
@@ -28,6 +28,8 @@
 import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
 import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.auth.oauth2.TokenResponse;
+import com.google.api.client.auth.openidconnect.IdToken;
+import com.google.api.client.auth.openidconnect.IdTokenResponse;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
@@ -168,7 +170,12 @@ public HttpResponse doCommenceLogin(@QueryParameter String from,  @Header("Refer
             @Override
             public HttpResponse onSuccess(String authorizationCode) {
                 try {
-                    TokenResponse response = flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()).execute();
+                    IdTokenResponse response = IdTokenResponse.execute(
+                            flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()));
+                    IdToken idToken = IdToken.parse(JSON_FACTORY,response.getIdToken());
+                    if (domain != null && ! domain.equals(idToken.getPayload().get("hd"))) {
+                        return HttpResponses.errorWithoutStack(401, "Unauthorized");
+                    }
                     final Credential credential = flow.createAndStoreCredential(response, null);
 
                     HttpRequestFactory requestFactory =