Keycloak / KEYCLOAK-3217

UserInfo endpoint not accessible by POST request secured with Bearer header


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Versions: 2.0.0.CR1, 2.1.0.CR1

    Description

      The OIDC conformance testsuite has 3 tests for accessing the UserInfo endpoint:
      1) GET method with Bearer token in header
      2) POST method with Bearer token in the body
      3) POST method with Bearer token in header

      We pass 1 and 2, but we fail 3 right now.

      Just for tracking, the OIDC specification says this in http://openid.net/specs/openid-connect-core-1_0.html#UserInfo :

        The UserInfo Endpoint MUST support the use of the HTTP GET and HTTP POST methods defined in RFC 2616 [RFC2616].

        The UserInfo Endpoint MUST accept Access Tokens as OAuth 2.0 Bearer Token Usage [RFC6750].

      RFC 6750 indeed supports the header for GET+POST, or the body for POST.
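      The following is an added example, not Keycloak's code and not part of the issue text. It models the server-side token lookup that RFC 6750 requires of a UserInfo endpoint: accept the token from the Authorization header on any method (section 2.1), or from an application/x-www-form-urlencoded POST body (section 2.2), and reject requests that supply it in neither place, in both places, or more than once. The `conformance_matrix` function replays the three request shapes the conformance suite sends; the token string and header dictionaries are constructed sample input, and the function and class names are this example's own.

```python
"""RFC 6750 bearer-token extraction for a UserInfo-style endpoint.

Added example, not Keycloak's implementation. Covers the three OIDC
conformance cases named in the issue: GET with Authorization header,
POST with the token in a form-encoded body, POST with Authorization header.
"""
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"


class BearerError(Exception):
    """No usable bearer token; a real endpoint answers 401 with
    WWW-Authenticate: Bearer error="invalid_request" (RFC 6750 section 3)."""


def _header_token(headers):
    """RFC 6750 section 2.1: Authorization: Bearer <token>, any HTTP method."""
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, credentials = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        raise BearerError("malformed Authorization header")
    return credentials.strip()


def _body_token(method, headers, body):
    """RFC 6750 section 2.2: access_token in a form-encoded body.

    Only for methods that carry a body (POST here), only with the
    form content type, and the parameter must appear exactly once.
    """
    if method != "POST":
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != FORM or not body:
        return None
    tokens = parse_qs(body, keep_blank_values=True).get("access_token")
    if tokens is None:
        return None
    if len(tokens) != 1 or not tokens[0]:
        raise BearerError("access_token must appear exactly once in the body")
    return tokens[0]


def extract_bearer_token(method, headers, body=""):
    """Return the access token for a request or raise BearerError.

    headers: dict of header name -> value (names are matched
    case-insensitively); body: the decoded request body string.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    header_tok = _header_token(lowered)
    body_tok = _body_token(method, lowered, body)
    if header_tok and body_tok:
        # RFC 6750 section 2: clients MUST NOT use more than one method per request.
        raise BearerError("token supplied in both header and body")
    tok = header_tok or body_tok
    if tok is None:
        raise BearerError("no bearer token")
    return tok


def is_rejected(method, headers, body=""):
    """True when the request shape yields no acceptable bearer token."""
    try:
        extract_bearer_token(method, headers, body)
    except BearerError:
        return True
    return False


def conformance_matrix(token):
    """Replay the three conformance-suite request shapes; True means accepted."""
    cases = {
        "GET header": ("GET", {"Authorization": f"Bearer {token}"}, ""),
        "POST body": ("POST", {"Content-Type": FORM}, f"access_token={token}"),
        "POST header": ("POST", {"Authorization": f"Bearer {token}"}, ""),
    }
    return {
        name: not is_rejected(method, headers, body)
        and extract_bearer_token(method, headers, body) == token
        for name, (method, headers, body) in cases.items()
    }


if __name__ == "__main__":
    # Constructed sample token string; not a real Keycloak token.
    print(conformance_matrix("eyJhbGciOiJSUzI1NiJ9.sample.sig"))
```

      An endpoint that fails case 3 typically routes the POST handler straight to body parsing and never consults the Authorization header; the matrix above makes that visible as `"POST header": False`, and the negative checks cover the opposite mistake of reading a token from a GET body or from two places at once.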

People

  Assignee / Reporter: Marek Posolda (mposolda@redhat.com)