Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-3217

UserInfo endpoint not accessible by POST request secured with Bearer header

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • 2.0.0.CR1
    • 2.1.0.CR1
    • None
    • None

    Description

      The OIDC conformance testsuite has 3 tests for access UserInfo endpoint:
      1) GET method with Bearer token in header
      2) POST method with Bearer token in the body
      3) POST method with Bearer token in header

      We pass the 1 and 2, but we fail 3 right now.

      Just for tracking OIDC specification sais this in http://openid.net/specs/openid-connect-core-1_0.html#UserInfo :

       The UserInfo Endpoint MUST support the use of the HTTP GET and HTTP POST methods defined in RFC 2616 [RFC2616].

The UserInfo Endpoint MUST accept Access Tokens as OAuth 2.0 Bearer Token Usage [RFC6750].

      The RFC6750 indeed supports header for GET+POST or body for POST.

      Attachments

        Issue Links

          blocks

          Sub-task - The sub-task of the issue KEYCLOAK-3177 Pass OIDC Basic Profile

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              mposolda@redhat.com Marek Posolda
              mposolda@redhat.com Marek Posolda
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: