Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security fix] AzureADOAuth2 backend #910

Closed
wants to merge 6 commits into from
Closed

[Security fix] AzureADOAuth2 backend #910

wants to merge 6 commits into from

Conversation

mike667
Copy link

@mike667 mike667 commented May 3, 2024

Proposed changes

Hello, my changes involve replacing the user_data method for AzureADOAuth2. Since the old method simply decoded data from the JWT token without verifying its signature, any user could modify data in the JWT and authenticate on the site. In the new method, the data is extracted from the Microsoft Graph API using the access token, which fixes this vulnerability. Additionally, aliases for data have been added so that in future pipelines, functions like associate_by_email and user_details can retrieve the data.

Please tell me if these changes make sense, if so, I will update the tests. (Currently, this code is in production on my project.)

Types of changes

Please check the type of change your PR introduces:

  • Release (new release request)
  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (PEP8, lint, formatting, renaming, etc)
  • Refactoring (no functional changes, no api changes)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Build related changes (build process, tests runner, etc)
  • Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.

Other information

Any other information that is important to this PR such as screenshots of how
the component looks before and after the change.

@mike667
Copy link
Author

mike667 commented May 3, 2024

Related to Issue

@mike667 mike667 changed the title [Security fix] AzureADOAuth2 backend / Update MicrosoftOAuth2 aliases [Security fix] AzureADOAuth2 backend May 3, 2024
@nijel nijel linked an issue May 6, 2024 that may be closed by this pull request
Copy link
Member

@nijel nijel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this change makes sense as this is similar what other OAuth2 backends do. Do you see any risks in breaking existing users? I think some details will have a different value after your changes.

if "@" in username:
if not email:
email = username
username = username.split("@", 1)[0]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

username was based on name before.

"first_name": first_name,
"last_name": last_name,
"username": username,
"email": email,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

email used to fall back to userPrincipalName if not present, this is now gone.

@mike667
Copy link
Author

mike667 commented May 21, 2024

Hi, after thinking about it a bit, there is no point in changing AzureADOAuth2 if it is very similar to MicrosoftOAuth2. It is better to just use MicrosoftOAuth2, and add a note for AzureADOAuth2 so that new users understand that AzureADOAuth2.user_data is not completely secure. Therefore, I am closing this request pool and opening a new one for documentation.

@mike667 mike667 closed this May 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

token validation for azure AD backend
2 participants