diff --git a/lacommunaute/openid_connect/tests/tests_views.py b/lacommunaute/openid_connect/tests/tests_views.py
index 5b3f6d5d2..626803a37 100644
--- a/lacommunaute/openid_connect/tests/tests_views.py
+++ b/lacommunaute/openid_connect/tests/tests_views.py
@@ -1,6 +1,7 @@
 from urllib.parse import urlencode
 
 import httpx
+import jwt
 import respx
 from django.contrib import auth
 from django.contrib.sessions.middleware import SessionMiddleware
@@ -69,7 +70,9 @@ def mock_oauth_dance(
     user_info = OIDC_USERINFO.copy()
     if user_info_email:
         user_info["email"] = user_info_email
-    respx.get(constants.PRO_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, json=user_info))
+    user_info = user_info | {"aud": constants.OPENID_CONNECT_CLIENT_ID}
+    user_info_jwt = jwt.encode(payload=user_info, key=constants.OPENID_CONNECT_CLIENT_SECRET, algorithm="HS256")
+    respx.get(constants.OPENID_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, content=user_info_jwt))
     csrf_signed = OpenID_State.create_signed_csrf_token()
 
     url = reverse("openid_connect:callback")
diff --git a/lacommunaute/openid_connect/views.py b/lacommunaute/openid_connect/views.py
index dad6ac14a..28ec4e827 100644
--- a/lacommunaute/openid_connect/views.py
+++ b/lacommunaute/openid_connect/views.py
@@ -1,8 +1,8 @@
 import dataclasses
-import json
 import logging
 
 import httpx
+import jwt
 from django.contrib import messages
 from django.contrib.auth import login, logout
 from django.http import HttpResponseRedirect
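Review bot: The `mock_oauth_dance` hunk in tests_views.py only exercises the happy path: a token signed with `constants.OPENID_CONNECT_CLIENT_SECRET` and carrying the expected `aud`, so nothing checks that the callback actually rejects a userinfo response whose signature or audience does not match. Since the view now relies on `jwt.decode` to enforce both, a second mock variant (e.g. signed with a different key, or with `"aud"` set to another value) asserting that the callback redirects to the login page would pin the verification behaviour rather than just the decoding. A `kid`/`alg` header confusion case is also covered by the pinned `algorithms=["HS256"]` in the view, which is worth a one-line assertion too. `mock_oauth_dance` starts before this hunk and continues after it.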
@@ -123,10 +123,12 @@ def openid_connect_callback(request): # pylint: disable=too-many-return-stateme
     if response.status_code != 200:
         return _redirect_to_login_page_on_error(error_msg="Impossible to get user infos.", request=request)
 
-    try:
-        user_data = json.loads(response.content.decode("utf-8"))
-    except json.decoder.JSONDecodeError:
-        return _redirect_to_login_page_on_error(error_msg="Impossible to decode user infos.", request=request)
+    user_data = jwt.decode(
+        response.content,
+        key=constants.OPENID_CONNECT_CLIENT_SECRET,
+        algorithms=["HS256"],
+        audience=constants.OPENID_CONNECT_CLIENT_ID,
+    )
 
     if "sub" not in user_data:
         # 'sub' is the unique identifier from Inclusion Connect, we need that to match a user later on.
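Review bot: The new `jwt.decode` call in `openid_connect_callback` has no error handling, whereas the removed code caught `json.decoder.JSONDecodeError` and redirected to the login page with "Impossible to decode user infos."; a malformed token, a bad signature, a missing or mismatched `aud`, or an expired `exp` claim now raises `jwt.PyJWTError` (or a subclass such as `jwt.InvalidTokenError`) and surfaces as an unhandled 500 instead of the previous graceful redirect. Wrapping the call in `try`/`except jwt.PyJWTError` and reusing the existing error redirect restores that behaviour while keeping the signature and audience checks. Pinning `algorithms=["HS256"]` is the right call here since it prevents algorithm substitution; the `except` should stay narrow so that an unexpected exception type is not silently converted into a login redirect. `openid_connect_callback` starts before this hunk and continues after it.
```python
    try:
        user_data = jwt.decode(
            response.content,
            key=constants.OPENID_CONNECT_CLIENT_SECRET,
            algorithms=["HS256"],
            audience=constants.OPENID_CONNECT_CLIENT_ID,
        )
    except jwt.PyJWTError:
        # Invalid signature, audience mismatch, expired token or garbage body: treat like the old decode failure.
        return _redirect_to_login_page_on_error(error_msg="Impossible to decode user infos.", request=request)
    # … unchanged: 'sub' presence check and the rest of the callback …
```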