From 6f0d535085cabc48a48acd4f9e12f50ca28e03bd Mon Sep 17 00:00:00 2001
From: oxqnd
Date: Wed, 4 Jun 2025 18:32:34 +0900
Subject: [PATCH] docs: clarify OpenIdConnect does not perform token validation
---
 fastapi/security/open_id_connect_url.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/fastapi/security/open_id_connect_url.py b/fastapi/security/open_id_connect_url.py
index c8cceb911..8b25e8e7e 100644
--- a/fastapi/security/open_id_connect_url.py
+++ b/fastapi/security/open_id_connect_url.py
@@ -12,6 +12,13 @@ class OpenIdConnect(SecurityBase):
 """
 OpenID Connect authentication class. An instance of it would be used as a dependency.
+
+ Note:
+ This class **does not perform any token validation or decoding**.
+ It only extracts the `Authorization` header and includes metadata in the OpenAPI docs.
+
+ You must implement the actual authentication logic separately (e.g., verifying
+ the token signature, claims, and user handling).
 """
 def __init__(
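Review bot: The parenthetical in the added Note ("verifying the token signature, claims, and user handling") leaves "claims" unspecified and reads as if user handling were something to verify, so a reader still does not learn the minimum checks. Since the note exists to stop callers from trusting the dependency's result, I would replace that sentence with `The value this dependency yields is unverified; before trusting it, verify the token signature against the provider's published keys and check the issuer (iss), audience (aud) and expiry (exp) claims.` The `__call__` method is outside the hunk, so the statement that the class "only extracts the `Authorization` header" should be confirmed against it, including what is returned when the header is absent. The class body continues past the end of the hunk.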