From 450dde56b7cb762f646ead9d09018daaa00410a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Wed, 21 Feb 2018 10:49:33 +0100
Subject: [PATCH] Pass our OAuth2 client ID to Blender ID when validating tokens

This is a security measure, as it ensures that valid Blender ID OAuth2 tokens that were not generated for Blender Cloud are rejected.

---
 pillar/api/blender_id.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pillar/api/blender_id.py b/pillar/api/blender_id.py
index bf95dae5..a0cfdfb6 100644
--- a/pillar/api/blender_id.py
+++ b/pillar/api/blender_id.py
@@ -114,7 +114,12 @@ def validate_token(user_id, token, oauth_subclient_id):
     payload = {'user_id': user_id, 'token': token}
 
     if oauth_subclient_id:
+        # If the subclient ID is set, the token belongs to another OAuth Client,
+        # in which case we do not set the client_id field.
         payload['subclient_id'] = oauth_subclient_id
+    else:
+        # We only want to accept Blender Cloud tokens.
+        payload['client_id'] = current_app.config['OAUTH_CREDENTIALS']['blender-id']['id']
 
     url = '{0}/u/validate_token'.format(blender_id_endpoint())
     log.debug('POSTing to %r', url)
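Review bot: The new `else` branch relies entirely on Blender ID's `/u/validate_token` rejecting a token whose `client_id` does not match; if that endpoint ignores unknown fields the measure silently does nothing, so the branch comment should record the dependency, e.g. `# Enforcement happens on the Blender ID side: /u/validate_token must reject a mismatched client_id; there is no local check.`, and a test against the endpoint should pin that a foreign-client token is refused. Tokens that arrive with a subclient ID skip the check entirely; unless Blender ID already binds subclient tokens to this client on its own side, that branch still accepts tokens issued for other OAuth clients, which the comment there should state as an assumption rather than leave implicit. The chained lookup `current_app.config['OAUTH_CREDENTIALS']['blender-id']['id']` raises KeyError on the first validation request if the credentials are not configured, so reading the client ID once at application start-up would surface a misconfiguration before any token is processed. validate_token begins and ends outside the hunk.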