Self-audit: our usage pattern is not vulnerable to CVE-2020-26244

rayluo · rayluo · commit 2fb7a4577084 · 2020-12-01T16:22:01.000-08:00
CVE-2020-26244 does not yet have detail info, but its fix on another library is available here CZ-NIC/pyoidc@62f8d75 More background info is available here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
diff --git a/oauth2cli/oidc.py b/oauth2cli/oidc.py
@@ -60,7 +60,7 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
             err = "3. The aud (audience) Claim must contain this client's client_id."
     # Per specs:
     # 6. If the ID Token is received via direct communication between
-    # the Client and the Token Endpoint (which it is in this flow),
+    # the Client and the Token Endpoint (which it is during _obtain_token()),
     # the TLS server validation MAY be used to validate the issuer
     # in place of checking the token signature.
     if _now > decoded["exp"]:
