[Openid-specs-ab] Issue #1137: Is content-type application/x-www-form-urlencoded required when calling user info endpoint with empty body? (openid/connect)

josephheenan issues-reply at bitbucket.org
Sun Dec 8 22:11:47 UTC 2019


New issue 1137: Is content-type application/x-www-form-urlencoded required when calling user info endpoint with empty body?
https://bitbucket.org/openid/connect/issues/1137/is-content-type-application-x-www-form

Joseph Heenan:

As per https://gitlab.com/openid/conformance-suite/merge_requests/785#note_256490283 - it turns out the existing OpenID Connect Core python certification tests (in particular OP-UserInfo-Header) make a request to the user info endpoint like so:


```
2 do_user_info_request kwargs:{'state': 'LcaEMlJrGyE1ZG0B', 'method': 'POST', 'behavior': 'use_authorization_header'}
2 request {'body': ''}
2 request_url https://fapidev-rs.authlete.net/api/userinfo
2 request_http_args {'headers': {'Authorization': 'Bearer 8mZ80RhMMQq7j6-6WMh95s--xEYq4BTn1D8balXaI8Q', 'Content-Type': 'application/x-www-form-urlencoded'}}
3 http response url:https://fapidev-rs.authlete.net/api/userinfo status_code:200
```

or, put more succinctly, in HTTP speak:

```
POST /api/userinfo HTTP/1.1
Authorization: Bearer 8mZ80RhMMQq7j6-6WMh95s--xEYq4BTn1D8balXaI8Q
Content-Type: application/x-www-form-urlencoded

<empty body>
```

I can’t find any spec reference that suggests the Content-Type: application/x-www-form-urlencoded must be sent.

If you don’t send the Content-Type header, we believe at least two OPs (Authlete, node-oidc-provider) fail the request.

The certification team would appreciate guidance from the Connect Working Group as to whether the Java equivalent of this test should send the Content-Type header, or if the OPs are incorrect and should be fixed.
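The two requests under discussion, modelled end to end as an added example (this is not code from the conformance suite, Authlete or node-oidc-provider). The token value is copied from the log excerpt above purely as a placeholder; the requests are constructed, not captured. The `strict_userinfo` handler is an assumed model of how an OP could come to reject an empty-body POST that lacks the form Content-Type (the post does not say what the two OPs actually do internally); `lenient_userinfo` takes the bearer token from the Authorization header whatever the Content-Type says, and only parses the body as a form when it is declared as one. It also covers two cases the post does not raise: the token sent only in the form body, and the token sent both ways, which RFC 6750 section 2 forbids.

```python
"""Token extraction at a UserInfo endpoint for an empty-body POST, with and
without Content-Type: application/x-www-form-urlencoded.
Added example, not code from the conformance suite or any OP."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"
# Placeholder token taken from the issue's log excerpt (illustration only).
TOKEN = "8mZ80RhMMQq7j6-6WMh95s--xEYq4BTn1D8balXaI8Q"

Outcome = Tuple[int, Optional[str]]  # (HTTP status, token found)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def parse_raw_request(raw: bytes) -> Request:
    """Parse a wire-format HTTP/1.1 request: request line, headers, blank line, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def media_type(req: Request) -> str:
    """Content-Type with parameters (e.g. charset) stripped, lower-cased; '' if absent."""
    return req.headers.get("content-type", "").split(";")[0].strip().lower()


def header_token(req: Request) -> Optional[str]:
    """RFC 6750 section 2.1: 'Authorization: Bearer <b64token>'."""
    m = re.fullmatch(r"Bearer\s+([-A-Za-z0-9._~+/]+=*)", req.headers.get("authorization", ""))
    return m.group(1) if m else None


def body_token(req: Request) -> Optional[str]:
    """RFC 6750 section 2.2: access_token in a form-encoded POST body.
    The body is only parsed when the media type actually declares a form."""
    if req.method != "POST" or media_type(req) != FORM or not req.body:
        return None
    values = parse_qs(req.body.decode("ascii", "replace")).get("access_token")
    return values[0] if values else None


def strict_userinfo(req: Request) -> Outcome:
    """Assumed model of the reported failure: every POST is routed through a
    form-body parser first, so a POST without the form Content-Type is
    rejected before the Authorization header is consulted."""
    if req.method == "POST" and media_type(req) != FORM:
        return 400, None
    token = header_token(req) or body_token(req)
    return (200, token) if token else (401, None)


def lenient_userinfo(req: Request) -> Outcome:
    """Accept the header token regardless of Content-Type (the body is empty,
    so there is nothing to parse); parse the body only when it is a form.
    Reject a token sent both ways (RFC 6750 section 2: clients MUST NOT use
    more than one method per request)."""
    if req.method not in ("GET", "POST"):
        return 405, None
    from_header, from_body = header_token(req), body_token(req)
    if from_header and from_body:
        return 400, None
    token = from_header or from_body
    return (200, token) if token else (401, None)


def raw_request(headers: Dict[str, str], body: bytes = b"") -> bytes:
    """Build a constructed POST /api/userinfo request with a correct Content-Length."""
    lines = ["POST /api/userinfo HTTP/1.1", "Host: op.example"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


# Constructed requests (not captured traffic).
CASES = {
    "with_ct": raw_request({"Authorization": f"Bearer {TOKEN}", "Content-Type": FORM}),
    "without_ct": raw_request({"Authorization": f"Bearer {TOKEN}"}),
    "body_only": raw_request({"Content-Type": FORM}, f"access_token={TOKEN}".encode()),
    "both": raw_request({"Authorization": f"Bearer {TOKEN}", "Content-Type": FORM},
                        f"access_token={TOKEN}".encode()),
}


def compare() -> Dict[str, Tuple[Outcome, Outcome]]:
    """(strict, lenient) outcome for each constructed request."""
    return {name: (strict_userinfo(parse_raw_request(raw)),
                   lenient_userinfo(parse_raw_request(raw)))
            for name, raw in CASES.items()}


if __name__ == "__main__":
    for name, (strict, lenient) in compare().items():
        print(f"{name:11s} strict={strict[0]} lenient={lenient[0]}")
```

Run it and the `without_ct` row is the disputed case: the strict handler answers 400 while the lenient one answers 200 with the same token, which is the difference the certification team is asking the working group to rule on. The `both` row shows the opposite split, where the lenient handler is the stricter of the two.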




More information about the Openid-specs-ab mailing list