From ff50357afc6272c07178d2be243ced42dee589da Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Mon, 6 Apr 2026 10:55:04 +0100
Subject: [PATCH] sources/oauth: correctly check requests' exception response
 (#21386)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/events/models.py                | 4 ++--
 authentik/sources/oauth/api/source.py     | 4 ++--
 authentik/sources/oauth/clients/base.py   | 2 +-
 authentik/sources/oauth/clients/oauth1.py | 4 ++--
 authentik/sources/oauth/clients/oauth2.py | 4 ++--
 authentik/sources/oauth/tasks.py          | 4 ++--
 authentik/sources/oauth/types/entra_id.py | 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/authentik/events/models.py b/authentik/events/models.py
index 7f71f889d6..a516ba9836 100644
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -456,7 +456,7 @@ class NotificationTransport(TasksModel, SerializerModel):
                 response.raise_for_status()
             except RequestException as exc:
                 raise NotificationTransportError(
-                    exc.response.text if exc.response else str(exc)
+                    exc.response.text if exc.response is not None else str(exc)
                 ) from exc
             return [
                 response.status_code,
@@ -519,7 +519,7 @@ class NotificationTransport(TasksModel, SerializerModel):
             response = get_http_session().post(self.webhook_url, json=body)
             response.raise_for_status()
         except RequestException as exc:
-            text = exc.response.text if exc.response else str(exc)
+            text = exc.response.text if exc.response is not None else str(exc)
             raise NotificationTransportError(text) from exc
         return [
             response.status_code,
diff --git a/authentik/sources/oauth/api/source.py b/authentik/sources/oauth/api/source.py
index f918d26967..b46f1e7f60 100644
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@@ -73,7 +73,7 @@ class OAuthSourceSerializer(SourceSerializer):
                 well_known_config = session.get(well_known)
                 well_known_config.raise_for_status()
             except RequestException as exc:
-                text = exc.response.text if exc.response else str(exc)
+                text = exc.response.text if exc.response is not None else str(exc)
                 raise ValidationError({"oidc_well_known_url": text}) from None
             config = well_known_config.json()
             if "issuer" not in config:
@@ -100,7 +100,7 @@ class OAuthSourceSerializer(SourceSerializer):
                 jwks_config = session.get(jwks_url)
                 jwks_config.raise_for_status()
             except RequestException as exc:
-                text = exc.response.text if exc.response else str(exc)
+                text = exc.response.text if exc.response is not None else str(exc)
                 raise ValidationError({"oidc_jwks_url": text}) from None
             config = jwks_config.json()
             attrs["oidc_jwks"] = config
diff --git a/authentik/sources/oauth/clients/base.py b/authentik/sources/oauth/clients/base.py
index a580786e32..5a7dcd3c2a 100644
--- a/authentik/sources/oauth/clients/base.py
+++ b/authentik/sources/oauth/clients/base.py
@@ -47,7 +47,7 @@ class BaseOAuthClient:
             self.logger.warning(
                 "Unable to fetch user profile",
                 exc=exc,
-                response=exc.response.text if exc.response else str(exc),
+                response=exc.response.text if exc.response is not None else str(exc),
             )
             return None
         return response.json()
diff --git a/authentik/sources/oauth/clients/oauth1.py b/authentik/sources/oauth/clients/oauth1.py
index 2617556dd8..6e26cce677 100644
--- a/authentik/sources/oauth/clients/oauth1.py
+++ b/authentik/sources/oauth/clients/oauth1.py
@@ -45,7 +45,7 @@ class OAuthClient(BaseOAuthClient):
                 LOGGER.warning(
                     "Unable to fetch access token",
                     exc=exc,
-                    response=exc.response.text if exc.response else str(exc),
+                    response=exc.response.text if exc.response is not None else str(exc),
                 )
                 return None
             return self.parse_raw_token(response.text)
@@ -67,7 +67,7 @@ class OAuthClient(BaseOAuthClient):
             response.raise_for_status()
         except RequestException as exc:
             raise OAuthSourceException(
-                exc.response.text if exc.response else str(exc),
+                exc.response.text if exc.response is not None else str(exc),
             ) from exc
         return response.text
 
diff --git a/authentik/sources/oauth/clients/oauth2.py b/authentik/sources/oauth/clients/oauth2.py
index 807287ce99..6375c89e9b 100644
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@@ -121,7 +121,7 @@ class OAuth2Client(BaseOAuthClient):
             LOGGER.warning(
                 "Unable to fetch access token",
                 exc=exc,
-                response=exc.response.text if exc.response else str(exc),
+                response=exc.response.text if exc.response is not None else str(exc),
             )
             return None
         return response.json()
@@ -202,7 +202,7 @@ class UserprofileHeaderAuthClient(OAuth2Client):
             LOGGER.warning(
                 "Unable to fetch user profile from profile_url",
                 exc=exc,
-                response=exc.response.text if exc.response else str(exc),
+                response=exc.response.text if exc.response is not None else str(exc),
             )
             return None
         return response.json()
diff --git a/authentik/sources/oauth/tasks.py b/authentik/sources/oauth/tasks.py
index 1d898a8c4a..28b623c10e 100644
--- a/authentik/sources/oauth/tasks.py
+++ b/authentik/sources/oauth/tasks.py
@@ -27,7 +27,7 @@ def update_well_known_jwks():
             well_known_config = session.get(source.oidc_well_known_url)
             well_known_config.raise_for_status()
         except RequestException as exc:
-            text = exc.response.text if exc.response else str(exc)
+            text = exc.response.text if exc.response is not None else str(exc)
             LOGGER.warning("Failed to update well_known", source=source, exc=exc, text=text)
             self.info(f"Failed to update OIDC configuration for {source.slug}")
             continue
@@ -65,7 +65,7 @@ def update_well_known_jwks():
             jwks_config = session.get(source.oidc_jwks_url)
             jwks_config.raise_for_status()
         except RequestException as exc:
-            text = exc.response.text if exc.response else str(exc)
+            text = exc.response.text if exc.response is not None else str(exc)
             LOGGER.warning("Failed to update JWKS", source=source, exc=exc, text=text)
             self.info(f"Failed to update JWKS for {source.slug}")
             continue
diff --git a/authentik/sources/oauth/types/entra_id.py b/authentik/sources/oauth/types/entra_id.py
index 890476d902..06bd182531 100644
--- a/authentik/sources/oauth/types/entra_id.py
+++ b/authentik/sources/oauth/types/entra_id.py
@@ -41,7 +41,7 @@ class EntraIDClient(UserprofileHeaderAuthClient):
             LOGGER.warning(
                 "Unable to fetch user profile",
                 exc=exc,
-                response=exc.response.text if exc.response else str(exc),
+                response=exc.response.text if exc.response is not None else str(exc),
             )
             return None
         profile_data["raw_groups"] = group_response.json()