OIDC: try to JWT decode userinfo response if JSON parsing failed (#16972)

author: Mathieu Velten <matmaul@gmail.com> 2024-03-21 18:49:44 +0100
committer: GitHub <noreply@github.com> 2024-03-21 17:49:44 +0000
commit: 3ab9e6d524960784f6f108e57ac86a921912ea84 (patch)
tree: 63adb7a93a88677afac54a2e05728eecde26fa3d /synapse
parent: Patch the db conn pool sooner in tests (#17017) (diff)
download: synapse-3ab9e6d524960784f6f108e57ac86a921912ea84.tar.xz
1 files changed, 28 insertions, 4 deletions
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index ba67cc4768..ab28dc800e 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -829,14 +829,38 @@ class OidcProvider:
         logger.debug("Using the OAuth2 access_token to request userinfo")
         metadata = await self.load_metadata()
 
-        resp = await self._http_client.get_json(
+        resp = await self._http_client.request(
+            "GET",
             metadata["userinfo_endpoint"],
-            headers={"Authorization": ["Bearer {}".format(token["access_token"])]},
+            headers=Headers(
+                {"Authorization": ["Bearer {}".format(token["access_token"])]}
+            ),
         )
 
-        logger.debug("Retrieved user info from userinfo endpoint: %r", resp)
+        body = await readBody(resp)
+
+        content_type_headers = resp.headers.getRawHeaders("Content-Type")
+        assert content_type_headers
+        # We use `startswith` because the header value can contain the `charset` parameter
+        # even if it is useless, and Twisted doesn't take care of that for us.
+        if content_type_headers[0].startswith("application/jwt"):
+            alg_values = metadata.get(
+                "id_token_signing_alg_values_supported", ["RS256"]
+            )
+            jwt = JsonWebToken(alg_values)
+            jwk_set = await self.load_jwks()
+            try:
+                decoded_resp = jwt.decode(body, key=jwk_set)
+            except ValueError:
+                logger.info("Reloading JWKS after decode error")
+                jwk_set = await self.load_jwks(force=True)  # try reloading the jwks
+                decoded_resp = jwt.decode(body, key=jwk_set)
+        else:
+            decoded_resp = json_decoder.decode(body.decode("utf-8"))
+
+        logger.debug("Retrieved user info from userinfo endpoint: %r", decoded_resp)
 
-        return UserInfo(resp)
+        return UserInfo(decoded_resp)
 
     async def _verify_jwt(
         self,
author	Mathieu Velten <matmaul@gmail.com>	2024-03-21 18:49:44 +0100
committer	GitHub <noreply@github.com>	2024-03-21 17:49:44 +0000
commit	3ab9e6d524960784f6f108e57ac86a921912ea84 (patch)
tree	63adb7a93a88677afac54a2e05728eecde26fa3d /synapse
parent	Patch the db conn pool sooner in tests (#17017) (diff)
download	synapse-3ab9e6d524960784f6f108e57ac86a921912ea84.tar.xz