Add comment about authenticated push JWT token validation (GoogleCloudPlatform#5729)

fayssalmartanigcp · gcf-merge-on-green[bot] · engelke · web-flow · commit c81a944b756f · 2021-04-23T11:30:11.000-07:00
This snippet is used in the Cloud Pub/Sub docs (https://cloud.google.com/pubsub/docs/push#validating_tokens) and many users are not aware that signature verification of the token is not enough, the claim needs to be validated also. Co-authored-by: gcf-merge-on-green[bot] <60162190+gcf-merge-on-green[bot]@users.noreply.github.com> Co-authored-by: Charles Engelke <engelke@google.com>
diff --git a/appengine/standard_python3/pubsub/main.py b/appengine/standard_python3/pubsub/main.py
@@ -85,6 +85,13 @@ def receive_messages_handler():
         # case they would all share the same token for a limited time window.
         claim = id_token.verify_oauth2_token(token, requests.Request(),
                                              audience='example.com')
+
+        # IMPORTANT: you should validate claim details not covered by signature
+        # and audience verification above, including:
+        #   - Ensure that `claim["email"]` is equal to the expected service
+        #     account set up in the push subscription settings.
+        #   - Ensure that `claim["email_verified"]` is set to true.
+
         CLAIMS.append(claim)
     except Exception as e:
         return 'Invalid token: {}\n'.format(e), 400
