[Security fix] AzureADOAuth2 backend

social_core/backends/azuread.py

@@ -1,8 +1,5 @@
 import time
 
-import jwt
-
-from ..exceptions import AuthTokenError
 from .oauth import BaseOAuth2
 
 """
@@ -83,32 +80,34 @@ def get_user_id(self, details, response):
         return response.get("upn")
 
     def get_user_details(self, response):
-        """Return user details from Azure AD account"""
-        fullname, first_name, last_name = (
-            response.get("name", ""),
-            response.get("given_name", ""),
-            response.get("family_name", ""),
-        )
+        """Return user details from Microsoft online account"""
+        email = response.get("mail")
+        username = response.get("userPrincipalName")
+
+        if "@" in username:
+            if not email:
+                email = username
+            username = username.split("@", 1)[0]
+
         return {
-            "username": fullname,
-            "email": response.get("email", response.get("upn")),
-            "fullname": fullname,
-            "first_name": first_name,
-            "last_name": last_name,
+            "username": username,
+            "email": email,
+            "fullname": response.get("displayName", ""),
+            "first_name": response.get("givenName", ""),
+            "last_name": response.get("surname", ""),
         }
 
     def user_data(self, access_token, *args, **kwargs):
-        response = kwargs.get("response")
-        if response and response.get("id_token"):
-            id_token = response.get("id_token")
-        else:
-            id_token = access_token
-
-        try:
-            decoded_id_token = jwt.decode(id_token, options={"verify_signature": False})
-        except (jwt.DecodeError, jwt.ExpiredSignatureError) as de:
-            raise AuthTokenError(self, de)
-        return decoded_id_token
+        """Return user data by querying Microsoft service"""
+        return self.get_json(
+            "https://graph.microsoft.com/v1.0/me",
+            headers={
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Accept": "application/json",
+                "Authorization": "Bearer " + access_token,
+            },
+            method="GET",
+        )
 
     def auth_extra_arguments(self):
         """Return extra arguments needed on auth process. The defaults can be