Alternative check on response type of client.userinfo_signed_response_alg #175
Closed
adamchengtkc
started this conversation in
Ideas
Replies: 1 comment
-
I'm afraid I don't quite understand.
-
https://github.com/panva/oauth4webapi/blob/09bc1cd4434ed83888f30f154a2f15cea5f798df/src/index.ts#L3176C16-L3176C44

Suggest we use the same check as jwt to look for the expected return type (in this case `application/json`).

Reason: the same OIDC provider would have the following in discovery when the `userinfo` endpoint returns a JSON: `"userinfo_signing_alg_values_supported":["none"]`

In this case, the current setup will lead to

`throw OPE('JWT UserInfo Response expected', JWT_USERINFO_EXPECTED, response)`

I can submit a PR to use conditional `(getContentType(response) === 'application/json')`
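The dispatch the post is asking for, as an added example that is not code from oauth4webapi or from the discussion participants: a `Content-Type` check that routes a UserInfo response to JWT or JSON parsing, with the caveat a reviewer would want, namely that plain JSON must not be accepted when the client registered a real `userinfo_signed_response_alg` (otherwise a network attacker or misbehaving provider could downgrade signed claims to unsigned ones). The names `getContentType`, `classifyUserInfoResponse`, `UserInfoResponseError` and the sample responses are assumptions for this illustration; the `ResponseLike` shape only covers what the check needs.

```typescript
// Added example, not oauth4webapi's implementation. Names are assumptions.

interface HeaderSource { get(name: string): string | null }
interface ResponseLike { status: number; headers: HeaderSource }

// Extract the bare media type from a Content-Type header value: drop
// parameters such as "; charset=utf-8", trim, and lower-case it so that
// "Application/JSON" and "application/json" compare equal.
export function getContentType(response: ResponseLike): string | undefined {
  const raw = response.headers.get('content-type')
  if (!raw) return undefined
  const mediaType = raw.split(';')[0].trim().toLowerCase()
  return mediaType === '' ? undefined : mediaType
}

export type UserInfoFormat = 'jwt' | 'json'

export class UserInfoResponseError extends Error {
  readonly code: string
  constructor(message: string, code: string) {
    super(message)
    this.code = code
  }
}

// Decide how a UserInfo response body has to be processed.
// expectedAlg is the client's registered userinfo_signed_response_alg, or
// undefined when none was registered; 'none' is treated as "no signature
// expected", which matches a provider advertising
// "userinfo_signing_alg_values_supported": ["none"].
export function classifyUserInfoResponse(
  response: ResponseLike,
  expectedAlg?: string,
): UserInfoFormat {
  if (response.status !== 200) {
    throw new UserInfoResponseError(`unexpected HTTP status ${response.status}`, 'RESPONSE_NOT_OK')
  }
  const contentType = getContentType(response)
  const signatureExpected = expectedAlg !== undefined && expectedAlg !== 'none'

  if (contentType === 'application/jwt') {
    // The caller still has to verify the JWS with the expected alg.
    return 'jwt'
  }
  if (contentType === 'application/json') {
    // Security caveat: a client that expects a signed UserInfo response must
    // not silently accept unsigned JSON (signed -> unsigned downgrade).
    if (signatureExpected) {
      throw new UserInfoResponseError('JWT UserInfo Response expected', 'JWT_USERINFO_EXPECTED')
    }
    return 'json'
  }
  throw new UserInfoResponseError(
    `unsupported UserInfo response content-type: ${contentType ?? '(missing)'}`,
    'UNSUPPORTED_CONTENT_TYPE',
  )
}

// Constructed sample responses for offline use; not captured from a real provider.
function fakeResponse(status: number, contentType: string | null): ResponseLike {
  const headers = new Map<string, string>()
  if (contentType !== null) headers.set('content-type', contentType)
  return {
    status,
    headers: { get: (name: string) => headers.get(name.toLowerCase()) ?? null },
  }
}

export const samples = {
  jsonWithCharset: fakeResponse(200, 'application/json; charset=utf-8'),
  jsonUpperCase: fakeResponse(200, 'Application/JSON'),
  jwt: fakeResponse(200, 'application/jwt'),
  html: fakeResponse(200, 'text/html'),
  missing: fakeResponse(200, null),
  serverError: fakeResponse(500, 'application/json'),
}
```

With this shape the provider from the post (JSON body, `["none"]` advertised, no signing alg registered on the client) is routed to JSON parsing, while a client that registered e.g. `RS256` still gets the `JWT_USERINFO_EXPECTED` failure when the provider answers with plain JSON, so the content-type check relaxes the happy path without loosening the signed case.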