FIX: Avoid clock skew issues when logging in with Google (#11442)

All the data we need for the `info` and `credentials` auth hash
are obtained via the user info API, not the JWT. Using and verifying
the JWT can fail due to clock skew, so let's skip it completely.

PR opened to fix the upstream issue at https://github.com/zquestz/omniauth-google-oauth2/pull/392
This commit is contained in:
David Taylor 2020-12-09 09:09:31 +00:00 committed by GitHub
parent 942888a10c
commit 17fcdd60c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -29,6 +29,12 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ")
end
# All the data we need for the `info` and `credentials` auth hash
# are obtained via the user info API, not the JWT. Using and verifying
# the JWT can fail due to clock skew, so let's skip it completely.
# https://github.com/zquestz/omniauth-google-oauth2/pull/392
strategy.options[:skip_jwt] = true
}
}
omniauth.provider :google_oauth2, options