Commit 964b898

Authenticated Push: must also verify the iss claim (GoogleCloudPlatform#2111)
* Verify iss claim in the JWT
1 parent 35e8cab commit 964b898

3 files changed: +12 -20 lines changed
‎appengine/standard_python37/pubsub/main.py

Lines changed: 11 additions & 14 deletions
@@ -19,7 +19,6 @@
1919
import logging
2020
import os
2121

22-
from google.auth import jwt
2322
from google.auth.transport import requests
2423
from google.cloud import pubsub_v1
2524
from google.oauth2 import id_token
@@ -38,15 +37,14 @@
3837
# Global list to store messages, tokens, etc. received by this instance.
3938
MESSAGES = []
4039
TOKENS = []
41-
HEADERS = []
4240
CLAIMS = []
4341

4442
# [START index]
4543
@app.route('/', methods=['GET', 'POST'])
4644
def index():
4745
if request.method == 'GET':
4846
return render_template('index.html', messages=MESSAGES, tokens=TOKENS,
49-
headers=HEADERS, claims=CLAIMS)
47+
claims=CLAIMS)
5048

5149
data = request.form.get('payload', 'Example payload').encode('utf-8')
5250

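Review bot: HEADERS is dropped here, but TOKENS is still kept as a global list and passed to the template by index(), so the raw bearer token from every push request is echoed back on the page. Bearer tokens are credentials; even for a sample, consider rendering only the decoded CLAIMS (or a redacted token) and, if the list must stay for demonstration, add a comment saying it exists only for that purpose.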
@@ -74,18 +72,17 @@ def receive_messages_handler():
7472
token = bearer_token.split(' ')[1]
7573
TOKENS.append(token)
7674

77-
header = jwt.decode_header(token)
78-
HEADERS.append(header)
79-
80-
# Verify and decode the JWT. Underneath it checks the signature against
81-
# Google's public certs at https://www.googleapis.com/oauth2/v1/certs.
82-
# It also checks the token expiration time.
83-
claim = id_token.verify_oauth2_token(token, requests.Request())
75+
# Verify and decode the JWT. `verify_oauth2_token` verifies
76+
# the JWT signature, the `aud` claim, and the `exp` claim.
77+
claim = id_token.verify_oauth2_token(token, requests.Request(),
78+
audience='example.com')
79+
# Must also verify the `iss` claim.
80+
if claim['iss'] not in [
81+
'accounts.google.com',
82+
'https://accounts.google.com'
83+
]:
84+
raise ValueError('Wrong issuer.')
8485
CLAIMS.append(claim)
85-
86-
# Check the audience field in the claim. It was specified in
87-
# `--push-auth-token-audience` when you created the subscription.
88-
assert claim['aud'] == 'example.com'
8986
except Exception as e:
9087
return 'Invalid token: {}\n'.format(e), 400
9188

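Review bot: the audience is now a hard-coded `audience='example.com'` and the deleted comment that tied it to `--push-auth-token-audience` on the subscription is lost; keep that comment and consider reading the value from configuration (an environment variable, since `os` is already imported) so deployers do not miss it. Moving the `aud` check into `verify_oauth2_token` is a real improvement, because the old `assert claim['aud'] == 'example.com'` was silently removed under `python -O`. The accepted-issuer list would be clearer as a module-level constant, and a short comment that the `ValueError('Wrong issuer.')` is deliberately caught by the surrounding `except Exception` and turned into a 400 would help the next reader.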
‎appengine/standard_python37/pubsub/main_test.py

Lines changed: 1 addition & 1 deletion
@@ -70,7 +70,7 @@ def fake_token(signer):
7070
yield jwt.encode(signer, payload, header=header)
7171

7272

73-
def _verify_mocked_oauth2_token(token, request):
73+
def _verify_mocked_oauth2_token(token, request, audience):
7474
claims = jwt.decode(token, certs=PUBLIC_CERT_BYTES, verify=True)
7575
return claims
7676

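Review bot: the mock now accepts `audience` but ignores it, so the test never exercises the audience check that this commit relies on; at minimum assert that `audience == 'example.com'` inside the mock. The handler also now requires `claim['iss']` to be an accepted Google issuer, and this diff does not show the fake token's payload gaining an `iss` value; confirm the payload already carries one, otherwise the handler will return 400 and the test will fail for the wrong reason.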
‎appengine/standard_python37/pubsub/templates/index.html

Lines changed: 0 additions & 5 deletions
@@ -25,11 +25,6 @@
2525
<li>{{token}}</li>
2626
{% endfor %}
2727
</p>
28-
<p>Print HEADERS:
29-
{% for header in headers: %}
30-
<li>{{header}}</li>
31-
{% endfor %}
32-
</p>
3328
<p>Print CLAIMS:
3429
{% for claim in claims: %}
3530
<li>{{claim}}</li>
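Review bot: the `<li>` items here sit directly inside a `<p>` with no enclosing `<ul>`, which is invalid HTML; since this hunk already edits the block, wrapping the CLAIMS loop (and the TOKENS loop above it) in a `<ul>` would be a cheap fix.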