models: check issuer using only URL scheme and netloc (fixes #18766)

2017-09-18 15:49:20 +02:00 · 2017-09-18 15:49:20 +02:00 · 4fb66cc6fb
parent d36f1110d3
commit 4fb66cc6fb
1 changed files with 12 additions and 2 deletions
--- a/src/authentic2_auth_fc/models.py
+++ b/src/authentic2_auth_fc/models.py
@ -47,8 +47,18 @@ def parse_id_token(id_token, client_id=None, client_secret=None):
        return None, 'invalid audience'
    if 'exp' not in payload or parse_timestamp(payload['exp']) < now():
        return None, 'id_token is expired'
-    parsed = urlparse.urlparse(app_settings.authorize_url)
-    if 'iss' not in payload or payload['iss'] != '%s://%s' % (parsed.scheme, parsed.netloc):
+
+    def check_issuer():
+        parsed = urlparse.urlparse(app_settings.authorize_url)
+        if 'iss' not in payload:
+            return False
+        try:
+            parsed_issuer = urlparse.urlparse(payload['iss'])
+        except:
+            return False
+        return parsed_issuer.scheme == parsed.scheme and parsed_issuer.netloc == parsed.netloc
+
+    if not check_issuer():
        return None, 'wrong issuer received, %r' % payload['iss']
    return payload, None