feat(google): Verify id_token signature

pennersr · pennersr · commit a2a051da704d · 2024-02-08T21:11:43.000+01:00
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,3 +1,20 @@
+0.61.1 (unreleased)
+*******************
+
+Security notice
+---------------
+
+- As part of the Google OAuth handshake, an ID token is obtained by direct
+  machine to machine communication between the server running django-allauth and
+  Google. Because of this direct communication, we are allowed to skip checking
+  the token signature according to the `OpenID Connect Core 1.0 specification
+  <https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation>`_.
+  However, as django-allauth is used and built upon by third parties, this is an
+  implementation detail with security implications that is easily overlooked. To
+  mitigate potential issues, verifying the signature is now only skipped if it
+  was django-allauth that actually fetched the access token.
+
+
 0.61.0 (2024-02-07)
 *******************
 
diff --git a/allauth/socialaccount/providers/google/tests.py b/allauth/socialaccount/providers/google/tests.py
@@ -307,6 +307,7 @@ def test_extract_data(
         (True, True, {"access_token": "123"}, "uid-from-userinfo", "pic-from-userinfo"),
     ],
 )
+@pytest.mark.parametrize("did_fetch_access_token", [False, True])
 def test_complete_login_variants(
     response,
     settings_with_google_provider,
@@ -315,6 +316,7 @@ def test_complete_login_variants(
     expected_uid,
     expected_picture,
     id_token_has_picture,
+    did_fetch_access_token,
 ):
     with patch.object(
         GoogleOAuth2Adapter,
@@ -327,16 +329,22 @@ def test_complete_login_variants(
         id_token = {"sub": "uid-from-id-token"}
         if id_token_has_picture:
             id_token["picture"] = "pic-from-id-token"
-        with patch.object(
-            GoogleOAuth2Adapter,
-            "_decode_id_token",
+        with patch(
+            "allauth.socialaccount.providers.google.views._verify_and_decode",
             return_value=id_token,
-        ):
+        ) as decode_mock:
             request = None
             app = None
             adapter = GoogleOAuth2Adapter(request)
+            adapter.did_fetch_access_token = did_fetch_access_token
             adapter.fetch_userinfo = fetch_userinfo
             token = SocialToken()
             login = adapter.complete_login(request, app, token, response)
             assert login.account.uid == expected_uid
             assert login.account.extra_data["picture"] == expected_picture
+            if not response.get("id_token"):
+                assert not decode_mock.called
+            else:
+                assert decode_mock.call_args.kwargs["verify_signature"] == (
+                    not did_fetch_access_token
+                )
diff --git a/allauth/socialaccount/providers/google/views.py b/allauth/socialaccount/providers/google/views.py
@@ -94,13 +94,14 @@ def complete_login(self, request, app, token, response, **kwargs):
 
     def _decode_id_token(self, app, id_token):
         """
-        Since the token was received by direct communication protected by
+        If the token was received by direct communication protected by
         TLS between this library and Google, we are allowed to skip checking the
         token signature according to the OpenID Connect Core 1.0 specification.
 
         https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
         """
-        return _verify_and_decode(app, id_token, verify_signature=False)
+        verify_signature = not self.did_fetch_access_token
+        return _verify_and_decode(app, id_token, verify_signature=verify_signature)
 
     def _fetch_user_info(self, access_token):
         resp = (
diff --git a/allauth/socialaccount/providers/oauth2/views.py b/allauth/socialaccount/providers/oauth2/views.py
@@ -39,6 +39,7 @@ class OAuth2Adapter(object):
 
     def __init__(self, request):
         self.request = request
+        self.did_fetch_access_token = False
 
     def get_provider(self):
         return get_adapter(self.request).get_provider(
@@ -67,7 +68,9 @@ def parse_token(self, data):
     def get_access_token_data(self, request, app, client):
         code = get_request_param(self.request, "code")
         pkce_code_verifier = request.session.pop("pkce_code_verifier", None)
-        return client.get_access_token(code, pkce_code_verifier=pkce_code_verifier)
+        data = client.get_access_token(code, pkce_code_verifier=pkce_code_verifier)
+        self.did_fetch_access_token = True
+        return data
 
 
 class OAuth2View(object):
