Try to JWT decode userinfo response if JSON parsing is failing

MatMaul · MatMaul · commit 62e05131f35b · 2024-03-01T18:03:27.000+01:00
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
@@ -818,14 +818,30 @@ async def _fetch_userinfo(self, token: Token) -> UserInfo:
         logger.debug("Using the OAuth2 access_token to request userinfo")
         metadata = await self.load_metadata()
 
-        resp = await self._http_client.get_json(
+        resp = await self._http_client.get_raw(
             metadata["userinfo_endpoint"],
             headers={"Authorization": ["Bearer {}".format(token["access_token"])]},
         )
 
-        logger.debug("Retrieved user info from userinfo endpoint: %r", resp)
+        try:
+            decoded_resp = json_decoder.decode(resp.decode("utf-8"))
+        except json.JSONDecodeError:
+            # JSON parsing failed, the userinfo may be JWT so let's try to decode
+            alg_values = metadata.get(
+                "id_token_signing_alg_values_supported", ["RS256"]
+            )
+            jwt = JsonWebToken(alg_values)
+            jwk_set = await self.load_jwks()
+            try:
+                decoded_resp = jwt.decode(resp, key=jwk_set)
+            except ValueError:
+                logger.info("Reloading JWKS after decode error")
+                jwk_set = await self.load_jwks(force=True)  # try reloading the jwks
+                decoded_resp = jwt.decode(resp, key=jwk_set)
+
+        logger.debug("Retrieved user info from userinfo endpoint: %r", decoded_resp)
 
-        return UserInfo(resp)
+        return UserInfo(decoded_resp)
 
     async def _verify_jwt(
         self,
