Support HTTP POST requests to /userinfo, aligning to OpenID Core specification (#32578)

This PR adds support for the HTTP POST requests to `/userinfo` endpoint.
While the OpenID Core specification says both are supported and
recommends using HTTP GET.

ref: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
(cherry picked from commit 56bff7ae234ee21d0e4524e401a49385c383ccaf)

Conflicts:
	routers/web/web.go
  trivial context conflict
This commit is contained in:
Marcell Mars 2024-11-20 15:22:48 +01:00 committed by Earl Warren
parent e9928b7577
commit 262c48409b
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

View file

@ -530,7 +530,7 @@ func registerRoutes(m *web.Route) {
m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
}, ignSignInAndCsrf, reqSignIn)
m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
m.Methods("GET, POST, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)