Skip to content

IdTokenVerifier does not verify the signature of ID Token #786

New issue
New issue
Closed
#861
Closed
IdTokenVerifier does not verify the signature of ID Token#786
#861
Assignees
TimurSadykov
Labels
priority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.
@tamjidrahat

Description

@tamjidrahat
tamjidrahat
opened on Dec 20, 2021

google-oauth-java-client/google-oauth-client/src/main/java/com/google/api/client/auth/openidconnect/IdTokenVerifier.java

Line 152 in 5c202d6

public boolean verify(IdToken idToken) {

The verify method in IdTokenVerifier does not validate the signature before verifying the claims (e.g., iss, aud, etc.). This is also a violation of the ID Token Validation steps mentioned in the current OpenID Connect Spec (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).

The spec requires to validate the signature of ID token for apps that cannot guarantee TLS communication, which is the case for this library. This library initiates a local server that can run on any client machine without TLS support. So, it is critical to validate the signature, before trusting the claims of an ID token, which can be received from a malicious service provider.

Thanks.

Metadata

Metadata

Assignees

Labels

priority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions