
token validation for azure AD backend

Open sdementen opened this issue 7 years ago • 9 comments

Does the Azure AD backend validate the id_token and access_token sent by Azure AD?

In the code I see a decoded_id_token = jwt_decode(id_token, verify=False).

When I set verify=True:

  • I get an exception "Token error: Signature verification failed" if I tamper with the id_token which is fine
  • I get an exception "Could not deserialize key data." if the id_token is real which is not OK

My questions:

  • shouldn't the "verify=True" be the default?
  • how can I fix the "Could not deserialize key data" exception?

sdementen, Jun 30 '17 11:06
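To make the difference concrete, here is an added, standard-library-only example (not code from social-core or from the issue author) contrasting an unverified decode with a decode that checks the signature and then pins aud, iss and exp. It uses HS256 with a constructed key so it runs offline; Azure AD signs id_tokens with RS256, so a real verifier must be handed the tenant's signing public key from its JWKS document, not the application's client secret. The key, client id and issuer values below are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (not from the issue or the library).
KEY = b"constructed-signing-key"          # stands in for the tenant's signing key
AUDIENCE = "constructed-client-id"        # the app's client_id, i.e. the expected aud
ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"  # placeholder tenant

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way an issuer would (HS256 here; Azure AD uses RS256)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """What jwt_decode(token, verify=False) amounts to: trust the payload as-is."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def decode_verified(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Check the signature first, then the claims a relying party must pin."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick the algorithm
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Signature verification failed")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("aud mismatch")     # token was issued for another app
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")     # token came from another tenant/issuer
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def tampered_token(token: str, **changes) -> str:
    """Rewrite payload claims but keep the original signature (what a forgery looks like)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims.update(changes)
    return f"{head_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"
```

With verify=False the tampered token's claims are returned unchanged, which is why the signature check, and the aud/iss/exp checks after it, have to be on by default in a login backend.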