fixes

Author: GitTimeraider

app/routes.py

@@ -907,7 +907,8 @@ def oidc_login():
         # Register the OIDC client
         client_kwargs = {
             'scope': 'openid profile email',
-            'token_endpoint_auth_method': 'client_secret_post'  # Send credentials in POST body instead of header
+            'token_endpoint_auth_method': 'client_secret_post',  # Send credentials in POST body instead of header
+            'token_introspection_endpoint': None  # Disable token introspection
         }
 
         # Check if using discovery or manual endpoints
@@ -996,7 +997,8 @@ def oidc_callback():
         # Register the OIDC client (same as in login)
         client_kwargs = {
             'scope': 'openid profile email',
-            'token_endpoint_auth_method': 'client_secret_post'  # Send credentials in POST body instead of header
+            'token_endpoint_auth_method': 'client_secret_post',  # Send credentials in POST body instead of header
+            'token_introspection_endpoint': None  # Disable token introspection
         }
 
         if not use_manual and oidc_config.discovery_endpoint and oidc_config.discovery_endpoint.strip():
@@ -1038,37 +1040,53 @@ def oidc_callback():
         # Get the token
         token = oidc_client.authorize_access_token()
 
-        # Parse the ID token to get user info
+        # Parse the ID token to get user info - skip JWT validation for manual endpoints
         user_info = token.get('userinfo')
         if not user_info:
-            # Try to get userinfo from the token
-            try:
-                user_info = oidc_client.parse_id_token(token)
-            except Exception as parse_error:
-                current_app.logger.error(f"Failed to parse ID token: {parse_error}")
-                # Try fetching userinfo from endpoint if available
-                if oidc_config.userinfo_endpoint:
-                    try:
-                        import requests
-                        access_token = token.get('access_token')
-                        if access_token:
-                            response = requests.get(
-                                oidc_config.userinfo_endpoint,
-                                headers={'Authorization': f'Bearer {access_token}'},
-                                timeout=10
-                            )
-                            if response.status_code == 200:
-                                user_info = response.json()
-                            else:
-                                current_app.logger.error(f"UserInfo endpoint returned {response.status_code}: {response.text}")
-                    except Exception as userinfo_error:
-                        current_app.logger.error(f"Failed to fetch userinfo: {userinfo_error}")
-                
-                if not user_info:
-                    flash('Failed to retrieve user information from identity provider.', 'error')
-                    return redirect(url_for('main.login'))
-        
-        # Get mapping configuration from session
+            # Try to parse ID token without validation if it exists
+            id_token = token.get('id_token')
+            if id_token and isinstance(id_token, str):
+                # Decode JWT without verification (we trust the token came from our OAuth exchange)
+                try:
+                    import json
+                    import base64
+                    # JWT format: header.payload.signature
+                    parts = id_token.split('.')
+                    if len(parts) >= 2:
+                        # Decode the payload (add padding if needed)
+                        payload = parts[1]
+                        padding = 4 - len(payload) % 4
+                        if padding != 4:
+                            payload += '=' * padding
+                        user_info = json.loads(base64.urlsafe_b64decode(payload))
+                        current_app.logger.info("Extracted user info from ID token payload")
+                except Exception as decode_error:
+                    current_app.logger.warning(f"Failed to decode ID token: {decode_error}")
+            
+            # If still no user_info, try fetching from userinfo endpoint
+            if not user_info:
+            # If still no user_info, try fetching from userinfo endpoint
+            if not user_info:
+                try:
+                    import requests
+                    access_token = token.get('access_token')
+                    if access_token and oidc_config.userinfo_endpoint:
+                        response = requests.get(
+                            oidc_config.userinfo_endpoint,
+                            headers={'Authorization': f'Bearer {access_token}'},
+                            timeout=10
+                        )
+                        if response.status_code == 200:
+                            user_info = response.json()
+                            current_app.logger.info("Fetched user info from userinfo endpoint")
+                        else:
+                            current_app.logger.error(f"UserInfo endpoint returned {response.status_code}: {response.text}")
+                except Exception as userinfo_error:
+                    current_app.logger.error(f"Failed to fetch userinfo: {userinfo_error}")
+            
+            if not user_info:
+                flash('Failed to retrieve user information from identity provider.', 'error')
+                return redirect(url_for('main.login'))        # Get mapping configuration from session
         mapping_field = session.get('oidc_mapping_field', 'email')
         custom_attribute = session.get('oidc_custom_attribute')