[Openid-specs-ab] Issue #1137: Is content-type application/x-www-form-urlencoded required when calling user info endpoint with empty body? (openid/connect)
josephheenan
issues-reply at bitbucket.org
Sun Dec 8 22:11:47 UTC 2019
New issue 1137: Is content-type application/x-www-form-urlencoded required when calling user info endpoint with empty body?
https://bitbucket.org/openid/connect/issues/1137/is-content-type-application-x-www-form
Joseph Heenan:
As per https://gitlab.com/openid/conformance-suite/merge_requests/785#note_256490283 - it turns out the existing OpenID Connect Core python certification tests (in particular OP-UserInfo-Header) make a request to the user info endpoint like so:
```
2 do_user_info_request kwargs:{'state': 'LcaEMlJrGyE1ZG0B', 'method': 'POST', 'behavior': 'use_authorization_header'}
2 request {'body': ''}
2 request_url https://fapidev-rs.authlete.net/api/userinfo
2 request_http_args {'headers': {'Authorization': 'Bearer 8mZ80RhMMQq7j6-6WMh95s--xEYq4BTn1D8balXaI8Q', 'Content-Type': 'application/x-www-form-urlencoded'}}
3 http response url:https://fapidev-rs.authlete.net/api/userinfo status_code:200
```
or, put more succinctly in HTTP speak:
```
POST /api/userinfo HTTP/1.1
Authorization: Bearer 8mZ80RhMMQq7j6-6WMh95s--xEYq4BTn1D8balXaI8Q
Content-Type: application/x-www-form-urlencoded
<empty body>
```
I can’t find any spec reference that suggests the Content-Type: application/x-www-form-urlencoded must be sent.
If you don’t send the Content-Type header, we believe at least two OPs (Authlete, node-oidc-provider) fail the request.
The certification team would appreciate guidance from the Connect Working Group as to whether the Java equivalent of this test should send the Content-Type header, or if the OPs are incorrect and should be fixed.
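A way to compare the two request variants described in this issue, as an added example that is not part of the original message or of the certification suite. The local stub server, its 400 failure status, the token and the names `StrictUserInfoStub`, `probe` and `compare_variants` are constructed assumptions; `probe` can be pointed at any plain-HTTP test endpoint.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FORM = "application/x-www-form-urlencoded"
TOKEN = "constructed-example-token"  # constructed value, not a real access token

class StrictUserInfoStub(BaseHTTPRequestHandler):
    """Constructed local stand-in for an OP that requires the form Content-Type."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        media_type = (self.headers.get("Content-Type") or "").split(";")[0].strip().lower()
        if self.headers.get("Authorization") != f"Bearer {TOKEN}":
            status, body = 401, b'{"error":"invalid_token"}'
        elif media_type != FORM:
            status, body = 400, b'{"error":"invalid_request"}'  # assumed failure status
        else:
            status, body = 200, b'{"sub":"constructed-subject"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stub quiet
        pass

def probe(host, port, path, token, send_content_type):
    """POST an empty body with the token in the Authorization header; return the status."""
    headers = {"Authorization": f"Bearer {token}"}
    if send_content_type:
        headers["Content-Type"] = FORM
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        # http.client sends Content-Length: 0 and adds no Content-Type of its own
        conn.request("POST", path, body=b"", headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()

def compare_variants():
    """Send both variants to the local stub; keys are True/False for Content-Type sent."""
    server = HTTPServer(("127.0.0.1", 0), StrictUserInfoStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return {ct: probe(host, port, "/api/userinfo", TOKEN, ct) for ct in (True, False)}
    finally:
        server.shutdown()
        server.server_close()
```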