Fix JWT signature verification

johngian · johngian · commit 2c3253fe0f8a · 2016-10-31T11:24:40.000+01:00
diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -1,5 +1,7 @@
+import base64
 import jwt
 import requests
+
 try:
     from urllib import urlencode
 except ImportError:
@@ -26,9 +28,16 @@ def __init__(self, *args, **kwargs):
     def verify_token(self, token, **kwargs):
         """Validate the token signature."""
 
-        return jwt.decode(token,
-                          self.OIDC_OP_CLIENT_SECRET,
-                          verify=import_from_settings('OIDC_VERIFY_JWT', True))
+        # Get JWT audience without signature verification
+        audience = jwt.decode(token, verify=False)['aud']
+
+        secret = self.OIDC_OP_CLIENT_SECRET
+        if import_from_settings('OIDC_RP_CLIENT_SECRET_ENCODED', False):
+            secret = base64.urlsafe_b64decode(self.OIDC_OP_CLIENT_SECRET)
+
+        return jwt.decode(token, secret,
+                          verify=import_from_settings('OIDC_VERIFY_JWT', True),
+                          audience=audience)
 
     def authenticate(self, code=None, state=None):
         """Authenticates a user based on the OIDC code flow."""
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -1,4 +1,4 @@
-from mock import Mock, patch
+from mock import Mock, call, patch
 
 from django.contrib.auth import get_user_model
 from django.core.urlresolvers import reverse
@@ -138,6 +138,9 @@ def test_authenticate_no_code_no_state(self):
     def test_jwt_decode_params(self, request_mock, jwt_mock):
         """Test jwt verification signature."""
 
+        jwt_mock.decode.return_value = {
+            'aud': 'audience'
+        }
         get_json_mock = Mock()
         get_json_mock.json.return_value = {
             'username': 'username',
@@ -151,14 +154,21 @@ def test_jwt_decode_params(self, request_mock, jwt_mock):
         }
         request_mock.post.return_value = post_json_mock
         self.backend.authenticate(code='foo', state='bar')
-        jwt_mock.decode.assert_called_once_with('token', 'example_secret', verify=True)
+        calls = [
+            call('token', verify=False),
+            call('token', 'example_secret', verify=True, audience='audience')
+        ]
+        jwt_mock.decode.assert_has_calls(calls)
 
     @override_settings(OIDC_VERIFY_JWT=False)
     @patch('mozilla_django_oidc.auth.jwt')
     @patch('mozilla_django_oidc.auth.requests')
     def test_jwt_decode_params_verify_false(self, request_mock, jwt_mock):
         """Test jwt verification signature with verify False"""
 
+        jwt_mock.decode.return_value = {
+            'aud': 'audience'
+        }
         get_json_mock = Mock()
         get_json_mock.json.return_value = {
             'username': 'username',
@@ -171,6 +181,10 @@ def test_jwt_decode_params_verify_false(self, request_mock, jwt_mock):
             'access_token': 'access_token'
         }
         request_mock.post.return_value = post_json_mock
+        calls = [
+            call('token', verify=False),
+            call('token', 'example_secret', verify=False, audience='audience')
+        ]
 
         self.backend.authenticate(code='foo', state='bar')
-        jwt_mock.decode.assert_called_once_with('token', 'example_secret', verify=False)
+        jwt_mock.decode.assert_has_calls(calls)
