Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip 'at_hash' claim validation when missing #852

Merged
merged 1 commit into from
Nov 7, 2023
Merged

Skip 'at_hash' claim validation when missing #852

merged 1 commit into from
Nov 7, 2023

Conversation

browniebroke
Copy link
Contributor

Proposed changes

Fix validation error when the at_hash claim is absent.

Types of changes

Please check the type of change your PR introduces:

  • Release (new release request)
  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (PEP8, lint, formatting, renaming, etc)
  • Refactoring (no functional changes, no api changes)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Build related changes (build process, tests runner, etc)
  • Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.

  • Lint and unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works

Other information

Any other information that is important to this PR such as screenshots of how
the component looks before and after the change.

@codecov Codecov
Copy link

codecov bot commented Nov 7, 2023
edited
Loading

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (e0cb888) 77.20% compared to head (f7ed3a3) 77.20%.
Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #852   +/-   ##
=======================================
  Coverage   77.20%   77.20%           
=======================================
  Files         339      339           
  Lines       10340    10340           
  Branches      696      696           
=======================================
  Hits         7983     7983           
  Misses       2200     2200           
  Partials      157      157
Flag Coverage Δ
unittests 77.20% <50.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
social_core/__init__.py 100.00% <100.00%> (ø)
social_core/backends/open_id_connect.py 92.15% <0.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

browniebroke
browniebroke commented Nov 7, 2023
View reviewed changes
social_core/backends/open_id_connect.py
if claims.get("at_hash") != self.calc_at_hash(access_token, key["alg"]):
if "at_hash" in claims and claims["at_hash"] != self.calc_at_hash(
access_token, key["alg"]
):
raise AuthTokenError(self, "Invalid access token")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell, this isn't covered by the tests currently.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apparently, there is no test where at_hash claim would be missing, so this behavior is not tested (otherwise we would see a test failure earlier).

@nijel nijel merged commit 8fed29b into python-social-auth:master Nov 7, 2023
8 of 9 checks passed
@nijel
Copy link
Member

nijel commented Nov 7, 2023

Merged, thanks for your contribution!

@browniebroke browniebroke deleted the fix/missing-at_hash-claims branch November 7, 2023 22:21
@noxan noxan mentioned this pull request Nov 23, 2023
Merged
11 tasks
@Tenzer Tenzer mentioned this pull request Jan 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nijel nijel nijel left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OpenID Connect "at_hash" claim requirement during ID token validation
2 participants
@browniebroke @nijel