As a user, I expect decode the claim set of JWT with validation of the signature and registered claim names

[rogeruiz]

Hey @toolness,

With this line in authentication.py changing verify to false in the decode call for user_info, I think we can't guarantee the integrity of the token.

Our UAA server has an endpoint which returns the JSON Web Token (JWT) key, used by the UAA to sign JWT access tokens, and to be used by authorized clients to verify that a token came from the UAA.

We expose it at https://uaa.fr.cloud.gov/token_keys and you can read more about it here after step 3️⃣.

The function call will need to be changed to something like this.

jwt.decode(
    access_token, 
    key='value_from_token_keys_endpoint', 
    algorithm='alg_from_token_keys_endpoint'
)

This will also need to be updated in the cg-fake-uaa repo as well.

[toolness]

Thanks for filing this! There's actually a reason we don't verify, but for some reason the comment explaining it is in the fake UAA provider instead of authentication.py:

    # The client won't need to verify this because it will be communicating
    # directly with the ID provider (i.e., us) over an intermediary-free
    # trusted channel, using its client secret to authenticate with us.
    #
    # https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo

That last URL, a link to the documentation for Google's own OpenID Connect implementation, mentions the following:

An ID Token is a JWT (JSON Web Token), that is, a cryptographically signed Base64-encoded JSON object. Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid. If your server passes the ID token to other components of your app, it is extremely important that the other components validate the token before using it.

At the time we were thinking about this for CALC in https://github.com/18F/calc/pull/317, it seemed we could simply replace all occurrences of "Google" in the above passage with "cloud.gov" and it'd still make sense. Were we mistaken in thinking this?