Add handling for unexpected successful response type

adamjmcgrath · adamjmcgrath · commit 5937f45cdc38 · 2025-09-10T11:15:51.000+01:00
diff --git a/packages/auth0_server_python/src/auth0_server_python/auth_server/server_client.py b/packages/auth0_server_python/src/auth0_server_python/auth_server/server_client.py
@@ -1072,7 +1072,13 @@ async def backchannel_authentication_grant(self, auth_req_id: str) -> Dict[str,
                         interval
                     )
 
-                token_response = response.json()
+                try:
+                    token_response = response.json()
+                except json.JSONDecodeError:
+                    raise ApiError(
+                        "invalid_response",
+                        "Failed to parse token response as JSON"
+                    )
 
                 # Add required fields if they are missing
                 if "expires_in" in token_response and "expires_at" not in token_response:
diff --git a/packages/auth0_server_python/tests/test_server_client.py b/packages/auth0_server_python/tests/test_server_client.py
@@ -1,3 +1,4 @@
+import json
 import pytest
 import time
 
@@ -1037,6 +1038,29 @@ async def test_backchannel_authentication_grant_error_response(mocker):
     assert 2 == exc.value.interval
     assert "invalid_grant" in str(exc.value.code)
 
+@pytest.mark.asyncio
+async def test_backchannel_authentication_grant_json_decode_error(mocker):
+    client = ServerClient(
+        domain="auth0.local",
+        client_id="client_id",
+        client_secret="client_secret",
+        secret="some-secret"
+    )
+    client._oauth.metadata = {"token_endpoint": "https://auth0.local/token"}
+
+    # Mock httpx.AsyncClient.post to return a response whose .json() raises JSONDecodeError
+    mock_post = mocker.patch("httpx.AsyncClient.post", new_callable=AsyncMock)
+    mock_response = AsyncMock()
+    mock_response.status_code = 200
+    mock_response.json = MagicMock(side_effect=json.JSONDecodeError("Expecting value", "not json", 0))
+    mock_post.return_value = mock_response
+
+    with pytest.raises(ApiError) as exc:
+        await client.backchannel_authentication_grant("auth_req_123")
+
+    assert exc.value.code == "invalid_response"
+    assert "Failed to parse token response as JSON" in str(exc.value)
+
 @pytest.mark.asyncio
 async def test_get_token_for_connection_success(mocker):
     client = ServerClient(
