Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pass correct algorithms argument to jwt.decode #514

Merged
merged 2 commits into from
Jan 9, 2021

Conversation

andersk
Copy link
Contributor

@andersk andersk commented Oct 24, 2020

Proposed changes

Several backends passed an incorrect and/or unverified algorithms argument to jwt.decode. The apple backend passed an unused algorithm argument instead. The azuread_b2c, azuread_tenant, and open_id_connect backends passed a value from the untrusted JWT header, potentially opening up a vulnerability to symmetric/asymmetric confusion attacks. Additionally, the azuread_b2c and azuread_tenant backends incorrectly passed it as a string rather than a list.

Types of changes

Please check the type of change your PR introduces:

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (PEP8, lint, formatting, renaming, etc)
  • Refactoring (no functional changes, no api changes)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Build related changes (build process, tests runner, etc)
  • Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.

  • Lint and unit tests pass locally with my changes
    • (What lint?)
  • I have added tests that prove my fix is effective or that my feature works

Other information

Any other information that is important to this PR such as screenshots of how
the component looks before and after the change.

It was discontinued on the server side in 2015, in favor of OpenID
Connect (our GoogleOpenIdConnect backend).

https://support.google.com/accounts/answer/6206245

Fixes python-social-auth#462. Fixes python-social-auth#472.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Several backends passed an incorrect and/or unverified ‘algorithms’
argument to jwt.decode.  The ‘apple’ backend passed an unused
‘algorithm’ argument instead.  The ‘azuread_b2c’, ‘azuread_tenant’,
and ‘open_id_connect’ backends passed a value from the untrusted JWT
header, potentially opening up a vulnerability to symmetric/asymmetric
confusion attacks.  Additionally, the ‘azuread_b2c’ and
‘azuread_tenant’ backends incorrectly passed it as a string rather
than a list.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
@andersk
Copy link
Contributor Author

andersk commented Oct 24, 2020

I rebased this on #515 to get Travis passing since it’s failing on master.

Copy link
Member

@nijel nijel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch.

PS: The JWT documentation shows wrong example here, that's why it's probably used that way. See jpadilla/pyjwt#530

@stale
Copy link

stale bot commented Jan 9, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Stale issues (closing soon) label Jan 9, 2021
@andersk
Copy link
Contributor Author

andersk commented Jan 9, 2021

Go away, stale bot.

@stale stale bot removed the stale Stale issues (closing soon) label Jan 9, 2021
@omab omab merged commit 6b86fc4 into python-social-auth:master Jan 9, 2021
@omab omab mentioned this pull request Jan 10, 2021
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants