omab / python-social-auth

Social auth made simple
http://psa.matiasaguirre.net
BSD 3-Clause "New" or "Revised" License

Google OpenID Connect authorization token problems #1033

Closed erickpeirson closed 7 years ago

erickpeirson commented 8 years ago

The backend for Google OpenID Connect is broken. Here are some notes toward where the problem lies, in case someone else is tempted to go on a goose chase.

In 61dfbc2ea7a897981a15db8904c5a68d471b0515 the authorization flow for the GoogleOpenIDConnect backend fails at BaseOAuth2.auth_complete(): raising an AuthCanceled exception due to an underlying 400 response by Google -- PSA is passing nonce, which is not supported by the Google API.

If we remove the nonce from the request (e.g. by removing lines 298-300 in backends.open_id.OpenIDConnectAuth.auth_complete_params()), we get an OK response from Google, but PSA fails to verify Google's JWT -- we get an AuthTokenError here with an underlying complaint from jwt.decode that "The specified alg value is not allowed".

From what I vaguely understand of OpenID Connect, we should expect an alg header in the JWT, and so it makes sense that the PSA OpenID backend is asking jwt.decode to verify (default) the token. The exception above is raised because PSA's OpenID backend passes algorithms=['HS256'] to jwt.decode, but since Google does not pass the alg claim in the JWT verification fails.

The missing alg claim is by design on Google's part: Google claims that

"Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid."

Here's how Google wants you to validate their tokens: https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken

So, not sure what the path forward is for PSA, other than that a different validation strategy needs to be implemented.
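
The validation Google's linked page describes (check the signature against Google's published keys, then iss, aud and exp; OpenID Connect adds the nonce check on top) is what a backend has to do if it does not want to rely on the HTTPS-channel shortcut quoted above. The block below is an added example and is not code from python-social-auth, social-core or Google: it implements those checks in plain Python, with RS256 verification written out against the standard library so it runs offline. Google's real tokens carry "alg": "RS256" and a kid that selects a key from the set Google publishes at https://www.googleapis.com/oauth2/v3/certs; the example instead generates a throwaway RSA key and uses constructed values for the kid ("test-kid-1"), the client ID, the nonce and the clock. The allowed_algs parameter exists only to reproduce the failure in the report: with HS256 as the sole allowed algorithm, a Google-shaped token is rejected before its signature is ever examined.

```python
import base64, hashlib, hmac, json, random, time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}  # both forms appear in real tokens
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo prefix, SHA-256


class IDTokenError(Exception):
    pass


def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _is_probable_prime(n, rounds=32):  # Miller-Rabin; only used to make the throwaway test key
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True


def generate_rsa_keypair(bits=1024):  # test-only key (assumption); Google's real keys come from its JWKS endpoint
    e, half = 65537, bits // 2
    candidates = iter(lambda: random.getrandbits(half) | (1 << (half - 1)) | 1, 0)  # random odd, top bit set
    while True:
        p, q = next(filter(_is_probable_prime, candidates)), next(filter(_is_probable_prime, candidates))
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg, em_len):  # RSASSA-PKCS1-v1_5 encoding with SHA-256, which is what RS256 means
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rs256_sign(signing_input, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(signing_input, sig, pub):
    k, s = (pub["n"].bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return False
    return hmac.compare_digest(pow(s, pub["e"], pub["n"]).to_bytes(k, "big"), _emsa_pkcs1_v15(signing_input, k))


def mint_id_token(claims, key, kid, alg="RS256"):  # same shape as a Google token; alg="none" only to show rejection
    def seg(obj): return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": alg, "kid": kid, "typ": "JWT"}) + "." + seg(claims)
    sig = rs256_sign(signing_input.encode(), key) if alg == "RS256" else b""
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, jwks, client_id, expected_nonce=None, now=None, allowed_algs=("RS256",)):
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    alg = header.get("alg")
    # Allow-listing only HS256 is what produced "The specified alg value is not allowed": Google signs with RS256.
    if alg not in allowed_algs or alg != "RS256":  # only RS256 verification is wired up in this example
        raise IDTokenError(f"alg {alg!r} not allowed")
    pub = jwks.get(header.get("kid"))  # select the key by kid, as you would from Google's JWKS document
    if pub is None or not rs256_verify((h_b64 + "." + p_b64).encode(), b64url_decode(s_b64), pub):
        raise IDTokenError("signature verification failed")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise IDTokenError("untrusted iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("aud does not match client_id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise IDTokenError("token expired")
    if expected_nonce is not None and not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise IDTokenError("nonce mismatch")
    return claims


def run_demo():  # mint a token with the constructed key and drive the validator through good and failing paths
    key = generate_rsa_keypair()
    kid, nonce, now, client_id = "test-kid-1", "n-0S6_WzA2Mj", 1_700_000_000, "123-abc.apps.googleusercontent.com"
    jwks = {kid: {"n": key["n"], "e": key["e"]}}  # public half only, keyed by kid like a JWKS document
    claims = {"iss": "https://accounts.google.com", "sub": "1234567890", "aud": client_id,
              "iat": now, "exp": now + 3600, "nonce": nonce}  # constructed claims
    token = mint_id_token(claims, key, kid)
    base = dict(jwks=jwks, client_id=client_id, expected_nonce=nonce, now=now)
    h, p, s = token.split(".")
    forged_p = b64url_encode(json.dumps(dict(claims, sub="attacker"), separators=(",", ":")).encode())

    def outcome(tok, **overrides):
        try:
            return validate_id_token(tok, **dict(base, **overrides))["sub"]
        except IDTokenError as exc:
            return str(exc)
    return {
        "valid": outcome(token),
        "hs256_only": outcome(token, allowed_algs=("HS256",)),  # the failure mode described in this issue
        "alg_none": outcome(mint_id_token(claims, key, kid, alg="none")),
        "tampered": outcome(h + "." + forged_p + "." + s),  # payload edited, original signature kept
        "bad_nonce": outcome(token, expected_nonce="some-other-nonce"),
        "expired": outcome(token, now=now + 7200),
        "wrong_aud": outcome(token, client_id="another-client-id"),
    }
```

run_demo() returns one entry per case: the subject for the good token and the rejection reason for each bad one. The order of the checks matters: the algorithm allow-list and the signature are tested before any claim is read, so a forged payload or an "alg": "none" token never reaches the iss/aud/exp logic, and the nonce is compared with hmac.compare_digest rather than ==.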

viaro-adolfo commented 8 years ago

Hi all, I have the same issue!

omab commented 7 years ago

The fix for this problem got ported to the social-core component.