[IMP] auth_oidc: clearer data_endpoint access

OdyX · OdyX · commit 89a2a5f2f215 · 2025-10-24T10:56:15.000+02:00
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
@@ -64,14 +64,20 @@ def auth_oauth(self, provider, params):
         if not id_token:
             _logger.error("No id_token in response.")
             raise AccessDenied()
+
+        # Parse the ID token
         validation = oauth_provider._parse_id_token(id_token, access_token)
+
+        # Use the access_token to fetch the data_endpoint (userinfo)
         if oauth_provider.data_endpoint:
-            data = requests.get(
+            response = requests.get(
                 oauth_provider.data_endpoint,
                 headers={"Authorization": "Bearer %s" % access_token},
                 timeout=10,
-            ).json()
-            validation.update(data)
+            )
+            if response.ok:  # nb: could be a successful failure
+                validation.update(response.json())
+
         # required check
         if "sub" in validation and "user_id" not in validation:
             # set user_id for auth_oauth, user_id is not an OpenID Connect standard
