Merge pull request #228 from johngian/pr-223

Fail earlier when JWS algorithm does not match OIDC_RP_SIGN_ALGO.
mozilla · May 7, 2018 · c6d9906 · c6d9906
2 parents b32c70a + 08d86d0
commit c6d9906
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/AUTHORS.rst b/AUTHORS.rst
@@ -21,3 +21,4 @@ Contributors
 * Olle Jonsson (`@olleolleolle <https://github.com/olleolleolle>`_)
 * `@GermanoGuerrini <https://github.com/GermanoGuerrini>`_
 * John Paulett (`@johnpaulett <https://github.com/johnpaulett>`_)
+* Andreas Lutro (`@anlutro <https://github.com/anlutro>`_)
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -7,13 +7,17 @@ History
 ++++++++++++++++++
 
 * Add OIDC_AUTHENTICATION_CALLBACK_URL as a new configuration parameter
+* Fail earlier when JWS algorithm does not OIDC_RP_SIGN_ALGO.
+  Thanks `@anlutro`_
 
 Backwards-incompatible changes:
 
 * ``OIDC_OP_LOGOUT_URL_METHOD`` takes a ``request`` parameter now.
 * Changed name of ``RefreshIDToken`` middleware to ``SessionRefresh``.
 
 
+.. _`@anlutro`: https://github.com/anlutro
+
 0.6.0 (2018-03-27)
 ++++++++++++++++++
 

diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -99,20 +99,23 @@ def _verify_jws(self, payload, key):
         """Verify the given JWS payload with the given key and return the payload"""
 
         jws = JWS.from_compact(payload)
-        jwk = JWK.load(key)
-        if not jws.verify(jwk):
-            msg = 'JWS token verification failed.'
-            raise SuspiciousOperation(msg)
 
         try:
             alg = jws.signature.combined.alg.name
-            if alg != self.OIDC_RP_SIGN_ALGO:
-                msg = 'The specified alg value is not allowed'
-                raise SuspiciousOperation(msg)
         except KeyError:
             msg = 'No alg value found in header'
             raise SuspiciousOperation(msg)
 
+        if alg != self.OIDC_RP_SIGN_ALGO:
+            msg = "The provider algorithm {!r} does not match the client's " \
+                  "OIDC_RP_SIGN_ALGO.".format(alg)
+            raise SuspiciousOperation(msg)
+
+        jwk = JWK.load(key)
+        if not jws.verify(jwk):
+            msg = 'JWS token verification failed.'
+            raise SuspiciousOperation(msg)
+
         return jws.payload
 
     def verify_token(self, token, **kwargs):