python-social-auth / social-core

Python Social Auth - Core
BSD 3-Clause "New" or "Revised" License

[Security fix] AzureADOAuth2 backend #910

Closed mike667 closed 4 months ago

mike667 commented 5 months ago

Proposed changes

Hello, my changes involve replacing the user_data method for AzureADOAuth2. Since the old method simply decoded data from the JWT token without verifying its signature, any user could modify data in the JWT and authenticate on the site. In the new method, the data is extracted from the Microsoft Graph API using the access token, which fixes this vulnerability. Additionally, aliases for data have been added so that in future pipelines, functions like associate_by_email and user_details can retrieve the data.

Please tell me if these changes make sense, if so, I will update the tests. (Currently, this code is in production on my project.)

Types of changes

Please check the type of change your PR introduces:

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

Other information

Any other information that is important to this PR such as screenshots of how the component looks before and after the change.
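To illustrate the flaw described above (decoding a JWT payload is not the same as verifying it), here is an added, self-contained example that is not code from the PR or from social-core. It uses an HS256 token signed with a constructed shared secret as a stand-in for Azure AD's RS256/JWKS validation; the token, secret and claims are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (constructed fixture, not a real Azure AD token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unverified_claims(token: str) -> dict:
    """What the old user_data effectively did: trust the payload, ignore the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verified_claims(token: str, secret: bytes) -> dict:
    """Recompute the MAC over header.payload and compare in constant time before trusting claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid JWT signature")
    return json.loads(_b64url_decode(payload))


def modified_payload(token: str, new_email: str) -> str:
    """Model a tampered token: payload rewritten, original signature left in place."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["email"] = new_email
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{sig}"


def demo() -> tuple:
    """Return (email the unverified decoder accepts, whether the verifier rejects it)."""
    secret = b"constructed-demo-secret"  # assumption: stands in for the IdP signing key
    token = make_token({"sub": "user-1", "email": "alice@example.com"}, secret)
    forged = modified_payload(token, "admin@example.com")
    accepted_by_old = unverified_claims(forged)["email"]
    try:
        verified_claims(forged, secret)
        rejected_by_new = False
    except ValueError:
        rejected_by_new = True
    return accepted_by_old, rejected_by_new
```

The same check applies whether claims come from a verified token or, as in this PR, from the Graph API using the access token: only data bound to a credential the server can validate should populate the user record.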

mike667 commented 5 months ago

Related to Issue

mike667 commented 4 months ago

Hi, after thinking about it a bit, there is no point in changing AzureADOAuth2 if it is very similar to MicrosoftOAuth2. It is better to just use MicrosoftOAuth2, and add a note for AzureADOAuth2 so that new users understand that AzureADOAuth2.user_data is not completely secure. Therefore, I am closing this request pool and opening a new one for documentation.