fix: Replace insecure Google ID token decode with OIDC verification and nonce#7
Open
MP-Tool wants to merge 1 commit into
Google Provider: Security Fix — Replace Unsafe Token Decode with OIDC Verification
Why
The previous Google login flow used `insecure_decode` to read the ID token returned by Google. This function only base64-decodes the JWT payload — it does not verify the signature, issuer, audience, or expiry. Any tampered or forged token would have been accepted without detection.

The fix replaces this with a standards-compliant OIDC Authorization Code Flow: Google's well-known endpoint is used for discovery, the authorization code is exchanged for a token response via the OIDC client, and the ID token is verified against Google's JWKS (signature, issuer, audience, expiry). A nonce is introduced in the authorization request and verified against the token, preventing replay attacks.
What changed
- Replaced `insecure_decode` with full OIDC ID token verification: The Google flow now uses `openidconnect` for discovery, code exchange, and ID token verification. The verified claims (`sub`, `email`, `picture`) are extracted from the validated token.
- Nonce added to the authorization request and session: A cryptographically random nonce is generated per login, included in the authorization URL, stored in the session, and verified against the returned ID token. This closes the replay attack vector.
- `get_google_user(code, nonce) → GoogleUser` replaces the old two-step pattern: Discovery, code exchange, and ID token verification happen in a single method with one shared HTTP client, keeping the implementation clean and the call site simple.
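An added illustration of the checks described in the "Why" section and in the nonce item above; this is not code from this PR or from the `openidconnect` crate, and is written in Python with the standard library only. It assumes the OIDC library has already verified the ID token's signature against Google's JWKS before `verify_claims` runs; `insecure_decode` re-creates the replaced payload-only decode so the two behaviours can be compared, and every function name, the session dict and the sample claims are hypothetical or constructed.

```python
import base64
import hmac
import json
import secrets
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_test_token(claims: dict) -> str:
    """Constructed test input: JWT-shaped, with a bogus signature that nothing checks."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'not a signature')}"

def insecure_decode(id_token: str) -> dict:
    """The replaced behaviour: base64-decode the payload and trust whatever is in it."""
    return json.loads(_unb64url(id_token.split(".")[1]))

def new_login_nonce(session: dict) -> str:
    """Per-login nonce: sent in the authorization URL and kept in the (hypothetical) session."""
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return session["oidc_nonce"]

def verify_claims(claims: dict, client_id: str, session: dict, now: float = None) -> dict:
    """Issuer, audience, expiry and nonce checks on claims whose signature was already verified."""
    now = time.time() if now is None else now
    # Pop, not read: a replayed ID token then has no session nonce left to match.
    expected_nonce = session.pop("oidc_nonce", None)
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("issuer is not Google")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    if expected_nonce is None or not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce missing or does not match this login session")
    if not claims.get("sub"):
        raise ValueError("no subject claim")
    return {"sub": claims["sub"], "email": claims.get("email"), "picture": claims.get("picture")}
```

Because the nonce is removed from the session on first use, presenting the same ID token a second time fails the nonce check even when every other claim in it is still valid.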