try to decode the userinfo response like a JWT if it's not a raw JSON string

julien-nc · julien-nc · commit ba69c163a502 · 2025-12-16T12:10:10.000+01:00
Signed-off-by: Julien Veyssier &lt;julien-nc@posteo.net&gt;
diff --git a/lib/Service/OIDCService.php b/lib/Service/OIDCService.php
@@ -11,6 +11,7 @@
 
 use OCA\UserOIDC\Db\Provider;
 use OCA\UserOIDC\Helper\HttpClientHelper;
+use OCA\UserOIDC\Vendor\Firebase\JWT\JWT;
 use OCP\Security\ICrypto;
 use Psr\Log\LoggerInterface;
 use Throwable;
@@ -37,11 +38,34 @@ public function userinfo(Provider $provider, string $accessToken): array {
 				'Authorization' => 'Bearer ' . $accessToken,
 			],
 		];
+
 		try {
-			return json_decode($this->clientService->get($url, [], $options), true);
+			$userInfoResponse = $this->clientService->get($url, [], $options);
 		} catch (Throwable $e) {
+			$this->logger->error('Request to the userinfo endpoint failed', ['exception' => $e]);
 			return [];
 		}
+
+		// try to decode it like a JSON string
+		try {
+			return json_decode($userInfoResponse, true);
+		} catch (Throwable) {
+			$this->logger->debug('The userinfo response is not JSON');
+		}
+
+		// try to decode it like a JWT token
+		JWT::$leeway = 60;
+		try {
+			$jwks = $this->discoveryService->obtainJWK($provider, $userInfoResponse);
+			$payload = JWT::decode($userInfoResponse, $jwks);
+			$arrayPayload = json_decode(json_encode($payload), true);
+			$this->logger->debug('JWT Decoded user info response', ['decoded_userinfo_response' => $arrayPayload]);
+			return $arrayPayload;
+		} catch (Throwable $e) {
+			$this->logger->debug('Treating the userinfo response as a JWT token. Impossible to decode it:' . $e->getMessage());
+		}
+
+		return [];
 	}
 
 	public function introspection(Provider $provider, string $accessToken): array {
