Ability to parse JWT UserInfo payload (#549)

ikarius · web-flow · commit 0495149a89f9 · 2025-12-16T15:49:09.000-08:00
* fix: allow JWT payload for userinfo response See: https://openid.net/specs/openid-connect-core-1_0-final.html#UserInfoResponse * fix: added test for JWT userinfo payload * fix: content-type case thx @qbey
diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -261,6 +261,12 @@ def get_userinfo(self, access_token, id_token, payload):
             proxies=self.get_settings("OIDC_PROXY", None),
         )
         user_response.raise_for_status()
+
+        if user_response.headers.get("content-type", "").lower().startswith("application/jwt"):
+            # OIDC userinfo claims can be encoded as JWT
+            return self.verify_token(user_response.text)
+
+        # otherwise process as JSON payload
         return user_response.json()
 
     def authenticate(self, request, **kwargs):
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -831,6 +831,31 @@ def update_user(user, claims):
 
         self.assertEqual(User.objects.get().first_name, "a_username")
 
+    @patch("mozilla_django_oidc.auth.requests")
+    @patch("mozilla_django_oidc.auth.OIDCAuthenticationBackend.verify_token")
+    def test_get_userinfo_with_jwt_response(self, verify_token_mock, request_mock):
+        """Test get_userinfo with a JWT response."""
+        auth_request = RequestFactory().get("/foo", {"code": "foo", "state": "bar"})
+        auth_request.session = {}
+
+        # Mock the response from the userinfo endpoint
+        jwt_response = Mock()
+        jwt_response.headers = {"content-type": "application/jwt"}
+        jwt_response.text = "mocked_jwt_token"
+        request_mock.get.return_value = jwt_response
+
+        # Mock the verify_token method to return a specific payload
+        verify_token_mock.return_value = {"email": "email@example.com", "name": "John Doe"}
+
+        # Call the get_userinfo method
+        user_info = self.backend.get_userinfo("access_token", "id_token", {})
+
+        # Assert that verify_token was called with the correct token
+        verify_token_mock.assert_called_once_with("mocked_jwt_token")
+
+        # Assert that the returned user info matches the expected payload
+        self.assertEqual(user_info, {"email": "email@example.com", "name": "John Doe"})
+
 
 class OIDCAuthenticationBackendRS256WithKeyTestCase(TestCase):
     """Authentication tests with ALG RS256 and provided IdP Sign Key."""
