Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-3217

UserInfo endpoint not accessible by POST request secured with Bearer header

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • 2.0.0.CR1
    • 2.1.0.CR1
    • None
    • None

    Description

      The OIDC conformance testsuite has 3 tests for access UserInfo endpoint:
      1) GET method with Bearer token in header
      2) POST method with Bearer token in the body
      3) POST method with Bearer token in header

      We pass the 1 and 2, but we fail 3 right now.

      Just for tracking OIDC specification sais this in http://openid.net/specs/openid-connect-core-1_0.html#UserInfo :

       The UserInfo Endpoint MUST support the use of the HTTP GET and HTTP POST methods defined in RFC 2616 [RFC2616].

The UserInfo Endpoint MUST accept Access Tokens as OAuth 2.0 Bearer Token Usage [RFC6750].

      The RFC6750 indeed supports header for GET+POST or body for POST.

      Attachments

        Issue Links

          blocks

          Sub-task - The sub-task of the issue KEYCLOAK-3177 Pass OIDC Basic Profile

          • Major - A request that should be considered seriously but is not a show stopper.
          • Closed

          Activity

            People

              mposolda@redhat.com Marek Posolda
              mposolda@redhat.com Marek Posolda
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: