[IMP] auth_oidc: fetch the OIDC validation_endpoint

OdyX · OdyX · commit dad2cd064304 · 2025-11-04T18:05:37.000+01:00
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
@@ -64,14 +64,30 @@ def auth_oauth(self, provider, params):
         if not id_token:
             _logger.error("No id_token in response.")
             raise AccessDenied()
+
+        # Parse the ID token
         validation = oauth_provider._parse_id_token(id_token, access_token)
+
+        # Use the access_token to fetch the OIDC validation_endpoint
+        if oauth_provider.validation_endpoint:
+            response = requests.get(
+                oauth_provider.validation_endpoint,
+                headers={"Authorization": f"Bearer {access_token}"},
+                timeout=10,
+            )
+            if response.ok:  # nb: could be a successful failure
+                validation.update(response.json())
+
+        # Use the access_token to fetch the OAuth2 data_endpoint
         if oauth_provider.data_endpoint:
-            data = requests.get(
+            response = requests.get(
                 oauth_provider.data_endpoint,
                 headers={"Authorization": f"Bearer {access_token}"},
                 timeout=10,
-            ).json()
-            validation.update(data)
+            )
+            if response.ok:  # nb: could be a successful failure
+                validation.update(response.json())
+
         # required check
         if "sub" in validation and "user_id" not in validation:
             # set user_id for auth_oauth, user_id is not an OpenID Connect standard
