UserInfo endpoint not fully standards compliant (#1675)

Closes #1681
keycloak · Sep 16, 2022 · 533b730 · 533b730
1 parent f1df1c4
commit 533b730
Showing 1 changed file with 40 additions and 1 deletion.
diff --git a/upgrading/topics/keycloak/changes-19_0_2.adoc b/upgrading/topics/keycloak/changes-19_0_2.adoc
@@ -19,4 +19,43 @@ Until now, administrators, which used SAML javascript protocol mapper on their S
 through the RESTful Admin API.
 
 For now on, this capability is *disabled* and users should deploy scripts directly to the server. This behaviour is aligned with other script based providers. For more details,
-please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
+please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
+
+= UserInfo Endpoint Changes
+
+Error response changes::
+  The UserInfo endpoint is now returning error responses fully compliant with https://datatracker.ietf.org/doc/html/rfc6750[RFC 6750] (The OAuth 2.0 Authorization Framework: Bearer Token Usage). Error code and description (if available) are provided as `WWW-Authenticate` challenge attributes rather than JSON object fields.
+  The responses will be the following, depending on the error condition:
+  * In case no access token is provided:
++
+----
+401 Unauthorized
+WWW-Authenticate: Bearer realm="myrealm"
+----
+  * In case several methods are used simultaneously to provide an access token (for example, Authorization header + POST access_token parameter), or POST parameters are duplicated:
++
+----
+400 Bad Request
+WWW-Authenticate: Bearer realm="myrealm", error="invalid_request", error_description="..."
+----
+  * In case an access token is missing `openid` scope:
++
+----
+403 Forbidden
+WWW-Authenticate: Bearer realm="myrealm", error="insufficient_scope", error_description="Missing openid scope"
+----
+  * In case of inability to resolve cryptographic keys for UserInfo response signing/encryption:
++
+----
+500 Internal Server Error
+----
+  * In case of a token validation error, a `401 Unauthorized` is returned in combination with the `invalid_token` error code. This error includes user and client related checks and actually captures all the remaining error cases:
++
+----
+401 Unauthorized
+WWW-Authenticate: Bearer realm="myrealm", error="invalid_token", error_description="..."
+----
+
+Other Changes::
+  * It is now required for access tokens to have the `openid` scope, which is stipulated by UserInfo being a feature specific to OpenID Connect and not OAuth 2.0. If the `openid` scope is missing from the token, the request will be denied with a `403 Forbidden` (see above).
+  * UserInfo now checks the user status, and returns the `invalid_token` response if the user is disabled.