OAuth2InputSerializer optional code #128

Open
jurecuhalev opened this issue Jun 24, 2020 · 6 comments
Comments

@jurecuhalev

I want to use the google-plus backend, which allows authenticating with an id_token [0]. But currently the serializer for OAuth2InputSerializer [1] requires the code param, which breaks this server-side auth flow. This is needed for the Google Sign In process on Android (https://developers.google.com/identity/sign-in/web/backend-auth).

Would it be possible to make code an optional parameter of OAuth2InputSerializer? I can make a small PR that adds required=False to it.

[0] https://github.com/python-social-auth/social-core/blob/fca33317dfd29f14b060d21d0af1ab9b9de3a0a1/social_core/backends/google.py#L129
[1] https://github.com/st4lk/django-rest-social-auth/blob/master/rest_social_auth/serializers.py#L12

@jurecuhalev
Author

After studying this a bit more, it seems like it could open new attack vectors (as google-plus doesn't check the aud response for allowed clients). So maybe it isn't such a good idea to have it open by default.

@larcho

larcho commented Jul 17, 2020

@gandalfar what other way do you suggest for validating Google Sign In on iOS or Android? I found this to be the only way, using id_token instead of code, since you're not provided with a private key for the code.

@jurecuhalev
Author

I agree, I don't think there's a different way. It would be good to open a ticket against the upstream google-plus backend to add support for aud checking.

@larcho

larcho commented Jul 18, 2020

I've looked at the source very superficially; doesn't the GooglePlus backend retrieve user information from the Google API? (I know it's present in the JWT token itself, but I'm under the impression that it does contact the Google API for something.)

@jurecuhalev
Author

It does, but it doesn't verify token integrity: https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token, as far as I could see. See also the red warning at the end here: https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint

@larcho

larcho commented Jul 18, 2020

Right. Otherwise I could use any ClientID to authenticate.
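The checks this thread says are missing, as an added example that is not code from django-rest-social-auth or social-core: after the token's RS256 signature has been verified against Google's published keys (out of scope here, hence the constructed unsigned test tokens), the backend must still reject any id_token whose `aud` is not one of its own OAuth client IDs, otherwise a token minted for a different Google project's client logs the bearer in. The client ID and issuer allowlists are constructed placeholders.

```python
import base64
import json
import time

# Constructed allowlist: the OAuth client IDs this backend owns. A token whose
# "aud" is not in this set was issued for someone else's app and must be refused.
ALLOWED_CLIENT_IDS = {"example-android-client.apps.googleusercontent.com"}
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Return the payload (claims) of a JWT. Does NOT check the signature;
    signature verification against Google's JWKS must happen before this."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, now=None):
    """Post-signature claim checks for a Google ID token.
    Returns (True, subject) on success or (False, reason) otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    # The aud check is the one the thread says the backend lacks.
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if not aud_set & ALLOWED_CLIENT_IDS:
        return False, "aud is not one of our client IDs"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not claims.get("sub"):
        return False, "missing sub"
    return True, claims["sub"]


def make_test_token(claims):
    """Constructed test helper: builds a JWT-shaped string with an empty
    signature segment so the claim checks can be exercised offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```

In a real deployment the signature and aud check together are what google-auth's `verify_oauth2_token` performs; the point of the block is which claims must be checked, not a replacement for that library.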
