Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authorization-services
Describe the bug
The UserInfo endpoint responds with 401 if it is accessed with a DPoP token and the Authorization HTTP header does not use the Bearer scheme.
POST /userinfo
Authorization: Bearer ...
but according to RFC 9449 section 7.1 the authentication scheme must be DPoP:
POST /userinfo
Authorization: DPoP ...
From my personal point of view it does not hurt to support both use cases:
- auth-scheme set to Bearer
- auth-scheme set to DPoP
It is not defined like this, but since the auth-scheme actually has no impact on the evaluation results, it shouldn't be a problem.
Version
24.0.5
Regression
- The issue is a regression
Expected behavior
UserInfoEndpoint returns 200 if the authentication scheme is set to DPoP.
Actual behavior
UserInfoEndpoint returns 401 if the authentication scheme is set to DPoP.
How to Reproduce?
Set the authentication scheme to DPoP when trying to get the UserInfo token with an access token that was received as a DPoP-bound access token.
Anything else?
No response
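As an added example (not Keycloak's code and not part of the report above): a minimal resource-server check in Python that accepts both the Bearer and the DPoP authorization scheme for a userinfo-style endpoint, as RFC 9449 section 7.1 describes. Beyond the scheme name it shows what a DPoP-aware endpoint also has to look at: the proof JWT in the DPoP header, its `htm`/`htu`/`ath` claims, and the `cnf.jkt` binding of the access token to the proof key (RFC 7638 thumbprint). Signature verification of both JWTs, `iat` freshness and `jti` replay checks are left out and assumed to happen elsewhere; the endpoint URL, the key coordinates and the tokens are constructed placeholders.

```python
# Added example, not Keycloak code: scheme handling for a DPoP-aware userinfo endpoint.
# Assumption: JWT signatures, expiry, iat freshness and jti replay are checked elsewhere.
import base64
import hashlib
import json

USERINFO_URL = "https://idp.example/realms/demo/protocol/openid-connect/userinfo"  # assumed URL
SCHEME_NAMES = {"bearer": "Bearer", "dpop": "DPoP"}  # canonical spelling for WWW-Authenticate


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Constructed test JWT: base64url(header).base64url(payload).<placeholder signature>."""
    def seg(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.sig"


def decode_jwt_unverified(token: str):
    """Split a compact JWT into (header, payload); raises ValueError on malformed input."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def access_token_hash(token: str) -> str:
    """The ath claim of a DPoP proof: base64url(SHA-256(ASCII access token))."""
    return b64url(hashlib.sha256(token.encode()).digest())


def parse_authorization(value: str):
    """RFC 9110: the auth-scheme is case-insensitive and separated from credentials by whitespace."""
    scheme, _, creds = value.strip().partition(" ")
    return scheme.lower(), creds.strip()


def authorize_userinfo(headers: dict, method: str = "POST", url: str = USERINFO_URL) -> dict:
    """Returns {"status": 200, "sub": ...} or {"status": 401, "www_authenticate": ...}."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = {"status": 401, "www_authenticate": 'Bearer, DPoP algs="ES256"'}
    auth = hdrs.get("authorization")
    if not auth:
        return challenge
    scheme, token = parse_authorization(auth)
    if scheme not in SCHEME_NAMES:
        return challenge
    try:
        _, claims = decode_jwt_unverified(token)
    except ValueError:
        return {"status": 401, "www_authenticate": f'{SCHEME_NAMES[scheme]} error="invalid_token"'}
    bound_jkt = claims.get("cnf", {}).get("jkt")  # present only on a DPoP-bound token
    if scheme == "bearer":
        if bound_jkt:  # RFC 9449 section 7.2: a DPoP-bound token is not accepted via the Bearer scheme
            return {"status": 401, "www_authenticate": 'DPoP error="invalid_token"'}
        return {"status": 200, "sub": claims.get("sub")}
    # DPoP scheme (RFC 9449 section 7.1): the proof JWT travels in the DPoP request header
    proof = hdrs.get("dpop")
    bad_proof = {"status": 401, "www_authenticate": 'DPoP error="invalid_dpop_proof"'}
    if not proof:
        return bad_proof
    try:
        phead, pbody = decode_jwt_unverified(proof)
    except ValueError:
        return bad_proof
    proof_ok = (phead.get("typ") == "dpop+jwt" and "jwk" in phead
                and pbody.get("htm") == method and pbody.get("htu") == url
                and pbody.get("ath") == access_token_hash(token))
    if not proof_ok:
        return bad_proof
    if bound_jkt and jwk_thumbprint(phead["jwk"]) != bound_jkt:  # proof key must match cnf.jkt
        return {"status": 401, "www_authenticate": 'DPoP error="invalid_token"'}
    return {"status": 200, "sub": claims.get("sub")}


# Constructed sample data (not real keys): an EC public JWK with placeholder coordinates.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
BOUND_TOKEN = make_unsigned_jwt({"alg": "ES256", "typ": "at+jwt"},
                                {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}})
PLAIN_TOKEN = make_unsigned_jwt({"alg": "ES256", "typ": "at+jwt"}, {"sub": "bob"})


def make_proof(token: str, jwk: dict = CLIENT_JWK, method: str = "POST", url: str = USERINFO_URL) -> str:
    """Constructed DPoP proof for the given access token and request."""
    return make_unsigned_jwt({"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk},
                             {"htm": method, "htu": url, "iat": 1700000000,
                              "jti": "constructed-jti-1", "ath": access_token_hash(token)})


def demo() -> dict:
    """The cases from the report: the DPoP scheme is accepted and Bearer stays supported."""
    return {
        "dpop_scheme_bound_token": authorize_userinfo({"Authorization": f"DPoP {BOUND_TOKEN}",
                                                       "DPoP": make_proof(BOUND_TOKEN)})["status"],
        "bearer_scheme_plain_token": authorize_userinfo({"Authorization": f"Bearer {PLAIN_TOKEN}"})["status"],
        "bearer_scheme_bound_token": authorize_userinfo({"Authorization": f"Bearer {BOUND_TOKEN}"})["status"],
        "dpop_scheme_without_proof": authorize_userinfo({"Authorization": f"DPoP {BOUND_TOKEN}"})["status"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `bearer_scheme_bound_token` case is the one worth noticing when deciding how to treat the two schemes: once a token carries `cnf.jkt`, the scheme is not interchangeable, because RFC 9449 section 7.2 has the resource server reject a DPoP-bound token that is presented with Bearer, while the DPoP scheme additionally obliges the server to check the proof's `ath` and the key thumbprint against `cnf.jkt`.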