feat(pro_connect): decode user_data

lacommunaute/openid_connect/tests/tests_views.py

@@ -1,6 +1,7 @@
 from urllib.parse import urlencode
 
 import httpx
+import jwt
 import respx
 from django.contrib import auth
 from django.contrib.sessions.middleware import SessionMiddleware
@@ -69,7 +70,9 @@ def mock_oauth_dance(
     user_info = OIDC_USERINFO.copy()
     if user_info_email:
         user_info["email"] = user_info_email
-    respx.get(constants.PRO_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, json=user_info))
+    user_info = user_info | {"aud": constants.OPENID_CONNECT_CLIENT_ID}
+    user_info_jwt = jwt.encode(payload=user_info, key=constants.OPENID_CONNECT_CLIENT_SECRET, algorithm="HS256")
+    respx.get(constants.OPENID_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, content=user_info_jwt))
 
     csrf_signed = OpenID_State.create_signed_csrf_token()
     url = reverse("openid_connect:callback")

lacommunaute/openid_connect/views.py

@@ -1,8 +1,8 @@
 import dataclasses
-import json
 import logging
 
 import httpx
+import jwt
 from django.contrib import messages
 from django.contrib.auth import login, logout
 from django.http import HttpResponseRedirect
@@ -123,10 +123,12 @@ def openid_connect_callback(request):  # pylint: disable=too-many-return-stateme
     if response.status_code != 200:
         return _redirect_to_login_page_on_error(error_msg="Impossible to get user infos.", request=request)
 
-    try:
-        user_data = json.loads(response.content.decode("utf-8"))
-    except json.decoder.JSONDecodeError:
-        return _redirect_to_login_page_on_error(error_msg="Impossible to decode user infos.", request=request)
+    user_data = jwt.decode(
+        response.content,
+        key=constants.OPENID_CONNECT_CLIENT_SECRET,
+        algorithms=["HS256"],
+        audience=constants.OPENID_CONNECT_CLIENT_ID,
+    )
 
     if "sub" not in user_data:
         # 'sub' is the unique identifier from Inclusion Connect, we need that to match a user later on.