From 56c98742161eb798e58dd71cee9951bd40f97768 Mon Sep 17 00:00:00 2001
From: vincent porte <vincent@neuralia.co>
Date: Wed, 31 Jul 2024 14:58:54 +0200
Subject: [PATCH] =?UTF-8?q?feat(pro=5Fconnect):=C2=A0decode=20user=5Fdata?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lacommunaute/openid_connect/tests/tests_views.py |  5 ++++-
 lacommunaute/openid_connect/views.py             | 12 +++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/lacommunaute/openid_connect/tests/tests_views.py b/lacommunaute/openid_connect/tests/tests_views.py
index 5b3f6d5d..626803a3 100644
--- a/lacommunaute/openid_connect/tests/tests_views.py
+++ b/lacommunaute/openid_connect/tests/tests_views.py
@@ -1,6 +1,7 @@
 from urllib.parse import urlencode
 
 import httpx
+import jwt
 import respx
 from django.contrib import auth
 from django.contrib.sessions.middleware import SessionMiddleware
@@ -69,7 +70,9 @@ def mock_oauth_dance(
     user_info = OIDC_USERINFO.copy()
     if user_info_email:
         user_info["email"] = user_info_email
-    respx.get(constants.PRO_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, json=user_info))
+    user_info = user_info | {"aud": constants.OPENID_CONNECT_CLIENT_ID}
+    user_info_jwt = jwt.encode(payload=user_info, key=constants.OPENID_CONNECT_CLIENT_SECRET, algorithm="HS256")
+    respx.get(constants.OPENID_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, content=user_info_jwt))
 
     csrf_signed = OpenID_State.create_signed_csrf_token()
     url = reverse("openid_connect:callback")
diff --git a/lacommunaute/openid_connect/views.py b/lacommunaute/openid_connect/views.py
index dad6ac14..28ec4e82 100644
--- a/lacommunaute/openid_connect/views.py
+++ b/lacommunaute/openid_connect/views.py
@@ -1,8 +1,8 @@
 import dataclasses
-import json
 import logging
 
 import httpx
+import jwt
 from django.contrib import messages
 from django.contrib.auth import login, logout
 from django.http import HttpResponseRedirect
@@ -123,10 +123,12 @@ def openid_connect_callback(request):  # pylint: disable=too-many-return-stateme
     if response.status_code != 200:
         return _redirect_to_login_page_on_error(error_msg="Impossible to get user infos.", request=request)
 
-    try:
-        user_data = json.loads(response.content.decode("utf-8"))
-    except json.decoder.JSONDecodeError:
-        return _redirect_to_login_page_on_error(error_msg="Impossible to decode user infos.", request=request)
+    user_data = jwt.decode(
+        response.content,
+        key=constants.OPENID_CONNECT_CLIENT_SECRET,
+        algorithms=["HS256"],
+        audience=constants.OPENID_CONNECT_CLIENT_ID,
+    )
 
     if "sub" not in user_data:
         # 'sub' is the unique identifier from Inclusion Connect, we need that to match a user later on.