zquestz / omniauth-google-oauth2

Oauth2 strategy for Google

Verify multiple Google issuers and fix JWT claim verifications #345

Closed stanhu closed 5 years ago

stanhu commented 5 years ago

Per https://developers.google.com/identity/sign-in/web/backend-auth:

The value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.

The JWT decoder should be verifying that the iss is either one of those values. In ruby-jwt 1.5.6, only one issuer can be supplied (https://github.com/jwt/ruby-jwt/blob/8e8a9c9f9fd455537c03b6dcde1e20ebbc1fe585/lib/jwt/verify.rb#L62).

However, in ruby-jwt v2.0+, this can be an array: https://github.com/jwt/ruby-jwt/commit/ed3a6483b4e81314ca2e7168701a9d34afcb690d
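The issuer check the comment above asks for, as an added example that is not from this PR or the omniauth-google-oauth2 code: a minimal RS256 ID-token verifier in plain Ruby (standard library only, no ruby-jwt) that accepts either documented Google issuer, the way the array form of ruby-jwt v2's :iss option does. The signing key, audience and claims are constructed here for illustration.

```ruby
require 'openssl'
require 'json'

# Both issuer strings Google documents for ID tokens.
GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'].freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4) # restore padding stripped by base64url
  s.unpack1('m0')
end

# Builds a signed token for the demo; a real ID token comes from Google.
def sign_id_token(claims, rsa_key)
  header  = b64url(JSON.generate('alg' => 'RS256', 'typ' => 'JWT'))
  payload = b64url(JSON.generate(claims))
  input   = "#{header}.#{payload}"
  "#{input}.#{b64url(rsa_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Returns the verified claims, or raises RuntimeError on the first failed check.
def verify_id_token(token, pub_key, audience:, issuers: GOOGLE_ISSUERS, now: Time.now.to_i)
  parts = token.split('.')
  raise 'malformed token' unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  # Pin the algorithm before touching the signature so alg=none is never accepted.
  header = JSON.parse(b64url_decode(header_b64))
  raise 'unexpected alg' unless header['alg'] == 'RS256'

  input = "#{header_b64}.#{payload_b64}"
  digest = OpenSSL::Digest.new('SHA256')
  raise 'bad signature' unless pub_key.verify(digest, b64url_decode(sig_b64), input)

  claims = JSON.parse(b64url_decode(payload_b64))
  # Accept either issuer Google documents; a single-string check would reject
  # valid tokens carrying the other form.
  raise "untrusted issuer #{claims['iss']}" unless issuers.include?(claims['iss'])
  raise 'wrong audience' unless claims['aud'] == audience
  raise 'token expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
end
```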

stanhu commented 5 years ago

@zquestz Would you mind reviewing? This is a prerequisite for https://github.com/zquestz/omniauth-google-oauth2/pull/344.