Expected behaviour
After upgrading to version 4.5.0, logins using the Facebook Limited Login method should continue to work.
Actual behaviour
All login attempts instead fail with an AuthTokenError exception because the JWT coming from Facebook doesn't specify the at_hash claim and thus fails the new validation in 4.5.0.
What are the steps to reproduce this issue?
Input clear steps to reproduce the issue for a maintainer.
Set up a site using Facebook Limited Login
Attempt to log in using social-core 4.5.0
(It's a bit difficult to make this easier to reproduce without disclosing actual user information :/)
Any logs, error output, etc?
A heavily redacted example of the data Facebook Limited Login generates, note the lack of the at_hash field:
Any other comments?
According to the OpenID Connect spec the at_hash field is optional, but it seems to always be checked inside OpenIdConnectAuth.validate_and_return_id_token. Is that correct?
I wonder if this could be solved with a relatively small change:
--- social_core/backends/open_id_connect.py+++ social_core/backends/open_id_connect.py@@ -236,7 +236,7 @@ class OpenIdConnectAuth(BaseOAuth2):
# pyjwt does not validate OIDC claims
# see https://github.com/jpadilla/pyjwt/pull/296
- if claims.get("at_hash") != self.calc_at_hash(access_token, key["alg"]):+ if "at_hash" in claims and claims.get("at_hash") != self.calc_at_hash(access_token, key["alg"]):
raise AuthTokenError(self, "Invalid access token")
self.validate_claims(claims)
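Review bot: the guard `if "at_hash" in claims and ...` on the changed line makes the at_hash check optional for every OpenIdConnectAuth subclass, not only for the Facebook Limited Login backend this report concerns; an ID token that simply omits at_hash is then accepted together with any access token, so the access token is no longer bound to the ID token for any provider. Consider scoping the relaxation to backends that explicitly declare it (for example a class attribute the Facebook backend overrides) and keeping the strict behaviour as the default. Minor: once `"at_hash" in claims` holds, `claims["at_hash"]` reads more clearly than `claims.get("at_hash")`.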
This was introduced in #819. Looking at the code there are other backends which include JWT_DECODE_OPTIONS = {"verify_at_hash": False}, which will now do nothing (it will trigger RemovedInPyjwt3Warning).
So this should be addressed better:
Facebook Limited backend should get a test-case so that such an error is detected earlier
JWT_DECODE_OPTIONS should be removed (they were used for jose and PyJWT API differs, so it's anyway unlikely that will work)
Introduce separate class attribute for backends to make at_hash validation optional
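The following is an added illustration, not code from social-core or from either participant in this thread, of the two points discussed above: how the at_hash claim is derived from the access token (OpenID Connect Core 3.1.3.6: hash the ASCII access token with the hash algorithm of the ID token's JWS `alg`, keep the left-most half, base64url-encode without padding), and how a per-backend class attribute can make the check optional for a single provider instead of relaxing it for all of them. The class names `OidcBackend`, `StrictBackend`, `LenientBackend`, the attribute `AT_HASH_REQUIRED` and the sample token are assumptions made for the example; only the `AuthTokenError` name is borrowed from the report.

```python
import base64
import hashlib
import hmac


class AuthTokenError(Exception):
    """Stand-in for social_core's AuthTokenError (assumption: only the name is borrowed)."""


# JWS "alg" suffix -> hash constructor. OIDC Core 3.1.3.6: at_hash is the
# base64url encoding (no padding) of the left-most half of the hash of the
# ASCII access_token, using the hash that the ID token's alg uses
# (SHA-256 for RS256/ES256/HS256/PS256, SHA-384 for *384, SHA-512 for *512).
_HASH_BY_ALG_SUFFIX = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def calc_at_hash(access_token: str, alg: str) -> str:
    """Return the expected at_hash claim for access_token under JWS alg."""
    try:
        hasher = _HASH_BY_ALG_SUFFIX[alg[-3:]]
    except KeyError:
        raise ValueError(f"unsupported JWS alg {alg!r}") from None
    digest = hasher(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


class OidcBackend:
    """Minimal model of a backend's at_hash handling (hypothetical, not social_core's class)."""

    # Hypothetical per-backend switch: True keeps the strict 4.5.0 behaviour;
    # a backend whose provider never emits at_hash (like Facebook Limited
    # Login in the report) sets it to False instead of disabling the check
    # for every backend.
    AT_HASH_REQUIRED = True

    def validate_at_hash(self, claims: dict, access_token: str, alg: str) -> bool:
        """Check that the ID token's at_hash binds it to access_token.

        Returns True when at_hash was present and matched, False when the
        claim was absent and this backend tolerates that, and raises
        AuthTokenError otherwise.
        """
        at_hash = claims.get("at_hash")
        if at_hash is None:
            if self.AT_HASH_REQUIRED:
                raise AuthTokenError("Invalid access token: at_hash claim missing")
            # Caveat: without at_hash the ID token is not bound to this
            # access token, so the caller must not treat them as a pair.
            return False
        if not isinstance(at_hash, str):
            raise AuthTokenError("Invalid access token: at_hash is not a string")
        expected = calc_at_hash(access_token, alg)
        # Constant-time comparison on bytes so attacker-controlled input
        # cannot trip the ASCII-only restriction of compare_digest on str.
        if not hmac.compare_digest(at_hash.encode("utf-8"), expected.encode("ascii")):
            raise AuthTokenError("Invalid access token: at_hash mismatch")
        return True


class StrictBackend(OidcBackend):
    """Typical OIDC provider that always emits at_hash."""


class LenientBackend(OidcBackend):
    """Provider that omits at_hash (modelled on the Facebook Limited Login report)."""

    AT_HASH_REQUIRED = False


# Constructed sample data, not a real token.
SAMPLE_ACCESS_TOKEN = "example-access-token-0123456789"
SAMPLE_ALG = "RS256"


def demo() -> dict:
    """Run the four interesting cases and report how each is handled."""
    good = {"sub": "user-1", "at_hash": calc_at_hash(SAMPLE_ACCESS_TOKEN, SAMPLE_ALG)}
    missing = {"sub": "user-1"}
    results = {
        "strict_present": StrictBackend().validate_at_hash(good, SAMPLE_ACCESS_TOKEN, SAMPLE_ALG),
        "lenient_missing": LenientBackend().validate_at_hash(missing, SAMPLE_ACCESS_TOKEN, SAMPLE_ALG),
    }
    for label, backend, claims, token in [
        ("strict_missing", StrictBackend(), missing, SAMPLE_ACCESS_TOKEN),
        ("lenient_wrong_token", LenientBackend(), good, "some-other-access-token"),
    ]:
        try:
            backend.validate_at_hash(claims, token, SAMPLE_ALG)
            results[label] = "accepted"
        except AuthTokenError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The lenient backend still rejects a present-but-wrong at_hash; it only tolerates the claim being absent, which is the narrowest relaxation that fits the report. A caller that gets False back knows the access token was not cryptographically tied to the ID token and should not rely on that binding.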