models: check issuer using only URL scheme and netloc (fixes #18766)
parent
d36f1110d3
commit
4fb66cc6fb
@ -47,8 +47,18 @@ def parse_id_token(id_token, client_id=None, client_secret=None):
|
|||
return None, 'invalid audience'
|
||||
if 'exp' not in payload or parse_timestamp(payload['exp']) < now():
|
||||
return None, 'id_token is expired'
|
||||
parsed = urlparse.urlparse(app_settings.authorize_url)
|
||||
if 'iss' not in payload or payload['iss'] != '%s://%s' % (parsed.scheme, parsed.netloc):
|
||||
|
||||
def check_issuer():
|
||||
parsed = urlparse.urlparse(app_settings.authorize_url)
|
||||
if 'iss' not in payload:
|
||||
return False
|
||||
try:
|
||||
parsed_issuer = urlparse.urlparse(payload['iss'])
|
||||
except:
|
||||
return False
|
||||
return parsed_issuer.scheme == parsed.scheme and parsed_issuer.netloc == parsed.netloc
|
||||
|
||||
if not check_issuer():
|
||||
return None, 'wrong issuer received, %r' % payload['iss']
|
||||
return payload, None
|
||||
|
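Review bot: When `iss` is absent from the payload, `check_issuer()` returns False and the error return that follows still evaluates `payload['iss']`, so the caller gets a KeyError instead of the `(None, 'wrong issuer received, ...')` tuple; `return None, 'wrong issuer received, %r' % payload.get('iss')` keeps the message and removes the crash. The bare `except:` around `urlparse.urlparse(payload['iss'])` also catches KeyboardInterrupt and SystemExit; a non-string `iss` surfaces as a TypeError or AttributeError, so `except (TypeError, ValueError, AttributeError):` is sufficient. Comparing only scheme and netloc means any issuer that differs from `authorize_url` solely in its path is accepted, which appears to be the intent for #18766 but no longer distinguishes issuers a provider serves under one host (e.g. per-tenant paths); a short comment on `check_issuer` such as `# Only scheme and host are compared: the provider's issuer may carry a path that authorize_url does not` would record that trade-off for the next reader. parse_id_token starts before this hunk.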
||||