Problem/Motivation

We encountered an issue where users were not being provisioned because their e-mail addresses were not being picked up. This turned out to be because the userinfo response was being returned as a signed JWT, while Drupal\openid_connect\Plugin\OpenIDConnectClientBase::retrieveUserInfo() (and any client that extends it, such as OpenIDConnectGenericClient, which we were using) assumes it is always raw JSON.

Steps to reproduce

You need an OpenID IdP configured to sign userinfo responses. I tested this with Keycloak. I'm using lando and expanded the services section of my lando file as follows:

services:
  # ... other unrelated services cut out here

  keycloak_mysql:
    type: mysql:5.7
    creds:
      user: keycloak
      database: keycloak
      password: password
  keycloak:
    type: compose
    app_mount: false
    services:
      image: quay.io/keycloak/keycloak:legacy
      command: '/opt/jboss/tools/docker-entrypoint.sh'
      environment:
        DB_VENDOR: MYSQL
        DB_ADDR: keycloak_mysql
        DB_DATABASE: keycloak
        DB_USER: keycloak
        DB_PASSWORD: password
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: password
      ports:
        - "0.0.0.0:8080:8080"
      depends_on:
        - keycloak_mysql

then did a lando rebuild -y.

You could also configure it directly with Docker or Docker Compose.

Once you have Keycloak set up, add a client and a test user as follows:

  1. Navigate to your keycloak instance
  2. Click "Administration console"
  3. Log in if needed
  4. Click "Clients" on the left nav
  5. Click the "Create" button on the top right of the table
  6. Assign a client ID and make note of this value
  7. Set the client protocol to "openid-connect"
  8. Create your client
  9. You should land on an extended configuration page. At minimum set "Access type" to "confidential", add a "Valid redirect URI" (e.g. https://www.example.com/openid-connect/generic - generic should be replaced by the ID you plan to use for your client in Drupal) and select a value besides unsigned for "User Info Signed Response Algorithm". The defaults are otherwise fine.
  10. Save your client
  11. Switch to the credentials tab and make note of the client secret value
  12. Click the "Users" tab on the left hand nav
  13. Click the "Add user" button on the top right of the table
  14. Populate at least a username and e-mail and save the user. Make note of the username.
  15. Switch to the "Credentials" tab and set a password. Make note of the password.

Once you've configured your client and test user you need to configure the client in Drupal. Start with a simple Drupal site that has openid_connect installed (assuming anyone who is reading this already has that). Then:

  1. Navigate to the openid admin page: /admin/config/people/openid-connect
  2. Click "+Generic OAuth 2.0"
  3. Assign a name and then populate the client ID and client secret you configured before
  4. Populate the various endpoints as follows, substituting your Keycloak host for www.example.com:
  5. Navigate to /admin/config/people/openid-connect/settings
  6. Set an option other than "Hidden" for "OpenID buttons display in user login form"
  7. If applicable, tick "Override registration settings"
  8. Finally, actually test logging in as the test user you created earlier. You should see login fail with an error about the user not having an e-mail address.

Proposed resolution

The easiest solution is probably to check whether the client failed to decode the userinfo response as JSON and, if so, try again treating it as a JWT. I'll attach a patch for that shortly.

Another (perhaps better) option would be to make it configurable.
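As an added example that is not part of this issue, its patch, or the openid_connect module, the stand-alone PHP below sketches the first option from the problem statement and the proposed resolution: accept a userinfo body that is either raw JSON or a signed JWT (JWS), and in the JWT case verify the signature before any claim is trusted. It assumes PHP 8, a caller that supplies the client secret (for HS256) or the IdP's public key in PEM form (for RS256) together with the sub claim from the ID token; every function name here is hypothetical and the sample token at the bottom is constructed.

```php
<?php
// Added example, not code from the openid_connect module. Accepts a userinfo
// body as raw JSON or as a compact JWS and verifies the JWS before trusting it.
// Assumes PHP 8+. Key material and the expected 'sub' are assumptions the
// caller supplies (client secret for HS256, IdP public key PEM for RS256).
declare(strict_types=1);

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string|false {
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true);
}

// Compact JWS serialization: three base64url segments separated by dots.
function looks_like_jws(string $body): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/', $body);
}

// Verify a compact JWS and return its claims, or NULL on any failure.
// Only HS256 (shared client secret) and RS256 (IdP public key) are accepted;
// "none" and any other algorithm are rejected, as is an algorithm we hold no key for.
function verify_userinfo_jws(string $jws, ?string $hmacSecret, ?string $rsaPublicKeyPem): ?array {
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) base64url_decode($h), true);
    $sig = base64url_decode($s);
    if (!is_array($header) || $sig === false) {
        return null;
    }
    $signingInput = $h . '.' . $p;
    $alg = $header['alg'] ?? '';
    if ($alg === 'HS256' && $hmacSecret !== null) {
        $expected = hash_hmac('sha256', $signingInput, $hmacSecret, true);
        if (!hash_equals($expected, $sig)) {
            return null;
        }
    } elseif ($alg === 'RS256' && $rsaPublicKeyPem !== null) {
        $key = openssl_pkey_get_public($rsaPublicKeyPem);
        if ($key === false || openssl_verify($signingInput, $sig, $key, OPENSSL_ALGO_SHA256) !== 1) {
            return null;
        }
    } else {
        return null;
    }
    $claims = json_decode((string) base64url_decode($p), true);
    return is_array($claims) ? $claims : null;
}

// Decode a userinfo response body. Returns the claims, or NULL when the body
// cannot be parsed, the JWS signature does not verify, or 'sub' differs from
// the ID token's 'sub' (OpenID Connect Core 5.3.2 requires that comparison).
function decode_userinfo(string $body, string $contentType, string $idTokenSub,
                         ?string $hmacSecret = null, ?string $rsaPublicKeyPem = null): ?array {
    $isJwt = str_starts_with(strtolower($contentType), 'application/jwt') || looks_like_jws($body);
    $claims = $isJwt ? null : json_decode($body, true);
    if (!is_array($claims)) {
        // Either the IdP announced a JWT, or plain JSON decoding failed: treat it as a JWS.
        $claims = verify_userinfo_jws($body, $hmacSecret, $rsaPublicKeyPem);
    }
    if ($claims === null || !isset($claims['sub']) || $claims['sub'] !== $idTokenSub) {
        return null;
    }
    return $claims;
}

// Constructed sample: an HS256-signed userinfo JWT using a made-up client secret
// (for HS256 the OpenID Connect signing key is the client secret).
$secret = 'constructed-client-secret';
$signingInput = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
    . '.' . base64url_encode(json_encode(['sub' => 'user-123', 'email' => 'test@example.com']));
$jws = $signingInput . '.' . base64url_encode(hash_hmac('sha256', $signingInput, $secret, true));

var_dump(decode_userinfo($jws, 'application/jwt', 'user-123', $secret));
var_dump(decode_userinfo($jws, 'application/jwt', 'user-123', 'wrong-secret'));
var_dump(decode_userinfo('{"sub":"user-123","email":"test@example.com"}', 'application/json', 'user-123'));
```

The first and third calls return the claims array; the second returns NULL because the signature does not verify under the wrong secret. The Content-Type check comes first because a signed userinfo response is served as application/jwt, so the "decode as JSON, then fall back to JWT" path only has to cover IdPs that mislabel the body. The parts a practitioner would not want to lose when porting this into a client plugin are rejecting alg "none" and unknown algorithms, comparing sub against the ID token, and, for RS256, fetching the verification key from the IdP's JWKS endpoint and selecting it by the header's kid rather than hard-coding a PEM.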

Remaining tasks

This should probably have a unit test.


Comments

Dylan Donkersgoed created an issue. See original summary.


Status: Active » Needs review