
[SECURITY-208] Validate the hd claim

If the user configures a "Google Apps Domain", then the hd claim of the
JSON Web token must be validated as matching that configured domain.

https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#hd-param
recampbell committed Oct 9, 2015
1 parent 1132d84 commit cb470f0720d5ed921506a20c5766a8a2fdaf9524
@@ -28,6 +28,8 @@
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
@@ -168,7 +170,12 @@ public HttpResponse doCommenceLogin(@QueryParameter String from, @Header("Refer
@Override
public HttpResponse onSuccess(String authorizationCode) {
try {
TokenResponse response = flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()).execute();
IdTokenResponse response = IdTokenResponse.execute(
flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()));
IdToken idToken = IdToken.parse(JSON_FACTORY,response.getIdToken());
if (domain != null && ! domain.equals(idToken.getPayload().get("hd"))) {
return HttpResponses.errorWithoutStack(401, "Unauthorized");
}
final Credential credential = flow.createAndStoreCredential(response, null);
HttpRequestFactory requestFactory =
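Review bot: The new `hd` check on the `if (domain != null && ! domain.equals(idToken.getPayload().get("hd")))` line is an exact, case-sensitive string compare against an admin-typed setting, so a configured value such as "Example.com" or one with trailing whitespace rejects every login even though DNS names are case-insensitive; normalizing both sides is safer and still fails closed when the claim is absent or not a string: `Object hd = idToken.getPayload().get("hd");` / `if (domain != null && !(hd instanceof String && domain.trim().equalsIgnoreCase((String) hd))) {`. Separately, `IdToken.parse` only decodes the token; nothing in this hunk checks its issuer, audience or expiry, which is acceptable only because the token comes straight from the token endpoint over TLS — a comment stating that assumption (`// token obtained directly from Google's token endpoint over TLS, so signature/issuer are trusted without local verification`) would keep a future refactor from reusing this path for tokens received from the browser. The `onSuccess` method and its enclosing try block continue past the end of the hunk.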
