wagnerdelima / drf-social-oauth2

drf-social-oauth2 makes it easy to integrate Django social authentication with major OAuth2 providers, i.e., Facebook, Twitter, Google, etc.
https://drf-social-oauth2.readthedocs.io/en/latest/
MIT License

Apparently any token that is valid according to Google Auth is accepted, even if it was generated by another CLIENT_ID. Is that correct? #193

Closed joaopedroabreuu closed 1 year ago

joaopedroabreuu commented 1 year ago

When we logged in using the frontend to get the token from Google using a CLIENT_ID, the same one used in the backend application, it accepts it, which is expected. However, when we made a token request using another CLIENT_ID, which is different from the one on the backend, it also accepts it. Is this correct?

wagnerdelima commented 1 year ago

Mmm, I am not sure that is an acceptable behaviour. Might be a bug. Let me know if you will investigate it.
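
The check this question turns on, as an added example that is not part of the thread and not drf-social-oauth2's own code: comparing the client a Google token was issued to against the backend's own CLIENT_ID before accepting it. It assumes the token metadata has the shape of Google's tokeninfo response (`aud`, `azp`, `exp`); the client IDs, sample responses and function names are constructed for illustration.

```python
import time

# Constructed placeholder: the OAuth2 client ID the backend is configured with.
BACKEND_CLIENT_ID = "1111-backend.apps.googleusercontent.com"


class AudienceError(Exception):
    """Raised when a token was not issued to an accepted client."""


def check_token_audience(info, allowed_client_ids, now=None):
    """Validate metadata shaped like Google's tokeninfo response (assumed shape).

    Returns the client ID the token was issued to, or raises AudienceError.
    """
    now = time.time() if now is None else now
    aud = info.get("aud")
    if not aud:
        raise AudienceError("no aud value; cannot tell which client the token is for")
    if aud not in allowed_client_ids:
        raise AudienceError(f"token issued for another client: {aud}")
    # azp (authorized party), when present, must also be a client we trust.
    azp = info.get("azp")
    if azp is not None and azp not in allowed_client_ids:
        raise AudienceError(f"token requested by another client: {azp}")
    try:
        exp = int(info["exp"])  # tokeninfo reports exp as a string
    except (KeyError, TypeError, ValueError):
        raise AudienceError("missing or malformed exp")
    if exp <= now:
        raise AudienceError("token expired")
    return aud


def is_accepted(info, now=None):
    """True only if the token belongs to this backend's client and is unexpired."""
    try:
        check_token_audience(info, {BACKEND_CLIENT_ID}, now=now)
        return True
    except AudienceError:
        return False


# Constructed sample responses (not real tokens or client IDs).
NOW = 1_700_000_000
OTHER_ID = "2222-other.apps.googleusercontent.com"
OWN = {"aud": BACKEND_CLIENT_ID, "azp": BACKEND_CLIENT_ID, "exp": str(NOW + 3000)}
OTHER = {"aud": OTHER_ID, "azp": OTHER_ID, "exp": str(NOW + 3000)}
```

A token that Google considers valid passes signature and expiry checks regardless of which client requested it, so the audience comparison is the step that separates the two cases described in the question.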