Merge pull request #182 from johngian/pr-161

Implement RS256 verification
mozilla · Oct 2, 2017 · 58cfdb4 · 58cfdb4
2 parents 7d186f9 + 0727e54
commit 58cfdb4
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -130,6 +130,19 @@ of ``mozilla-django-oidc``.
 
    Additional parameters to include in the initial authorization request.
 
+.. py:attribute:: OIDC_RP_SIGN_ALGO
+
+   :default: ``HS256``
+
+   Sets the algorithm the IdP uses to sign ID tokens.
+
+.. py:attribute:: OIDC_RP_IDP_SIGN_KEY
+
+   :default: ``None``
+
+   Sets the key the IdP uses to sign ID tokens in the case of an RSA sign algorithm.
+   Should be the JWK as a python dict.
+
 .. py:attribute:: LOGIN_REDIRECT_URL
 
    :default: ``/accounts/profile``

diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -6,7 +6,7 @@
 
 from django.utils.encoding import smart_bytes, smart_text
 from django.contrib.auth import get_user_model
-from django.core.exceptions import SuspiciousOperation
+from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured
 from django.core.urlresolvers import reverse
 
 from jose import jws
@@ -45,6 +45,11 @@ def __init__(self, *args, **kwargs):
         self.OIDC_OP_USER_ENDPOINT = import_from_settings('OIDC_OP_USER_ENDPOINT')
         self.OIDC_RP_CLIENT_ID = import_from_settings('OIDC_RP_CLIENT_ID')
         self.OIDC_RP_CLIENT_SECRET = import_from_settings('OIDC_RP_CLIENT_SECRET')
+        self.OIDC_RP_SIGN_ALGO = import_from_settings('OIDC_RP_SIGN_ALGO', 'HS256')
+        self.OIDC_RP_IDP_SIGN_KEY = import_from_settings('OIDC_RP_IDP_SIGN_KEY', None)
+
+        if self.OIDC_RP_SIGN_ALGO.startswith('RS') and self.OIDC_RP_IDP_SIGN_KEY is None:
+            raise ImproperlyConfigured('IDP Signing key not provided with RS signing algorithm')
 
         self.UserModel = get_user_model()
 
@@ -76,11 +81,16 @@ def verify_token(self, token, **kwargs):
         """Validate the token signature."""
         nonce = kwargs.get('nonce')
 
+        if self.OIDC_RP_SIGN_ALGO.startswith('RS'):
+            key = self.OIDC_RP_IDP_SIGN_KEY
+        else:
+            key = self.OIDC_RP_CLIENT_SECRET
+
         # Verify the token
         verified_token = jws.verify(
             token,
-            self.OIDC_RP_CLIENT_SECRET,
-            algorithms=['HS256']
+            key,
+            algorithms=[self.OIDC_RP_SIGN_ALGO]
         )
         # The 'verified_token' will always be a byte string since it's
         # the result of base64.urlsafe_b64decode().