Default to using HTTP GET for UserInfo endpoints

Fixes #4898
opsmill · Nov 11, 2024 · a7b8c0e · a7b8c0e
1 parent 361bb9c
commit a7b8c0e
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/backend/infrahub/api/oauth2.py b/backend/infrahub/api/oauth2.py
@@ -91,7 +91,11 @@ async def token(
     payload = token_response.json()
 
     headers = {"Authorization": f"{payload.get('token_type')} {payload.get('access_token')}"}
-    userinfo_response = await service.http.post(provider.userinfo_url, headers=headers)
+    if provider.userinfo_method == config.UserInfoMethod.GET:
+        userinfo_response = await service.http.get(provider.userinfo_url, headers=headers)
+    else:
+        userinfo_response = await service.http.post(provider.userinfo_url, headers=headers)
+
     _validate_response(response=userinfo_response)
     user_info = userinfo_response.json()
     sso_groups = user_info.get("groups", [])

diff --git a/backend/infrahub/api/oidc.py b/backend/infrahub/api/oidc.py
@@ -129,7 +129,12 @@ async def token(
     payload = token_response.json()
 
     headers = {"Authorization": f"{payload.get('token_type')} {payload.get('access_token')}"}
-    userinfo_response = await service.http.post(str(oidc_config.userinfo_endpoint), headers=headers)
+
+    if provider.userinfo_method == config.UserInfoMethod.GET:
+        userinfo_response = await service.http.get(str(oidc_config.userinfo_endpoint), headers=headers)
+    else:
+        userinfo_response = await service.http.post(str(oidc_config.userinfo_endpoint), headers=headers)
+
     _validate_response(response=userinfo_response)
     user_info = userinfo_response.json()
 

diff --git a/backend/infrahub/config.py b/backend/infrahub/config.py
@@ -36,6 +36,11 @@ def default_cors_allow_headers() -> list[str]:
     return ["accept", "authorization", "content-type", "user-agent", "x-csrftoken", "x-requested-with"]
 
 
+class UserInfoMethod(str, Enum):
+    POST = "post"
+    GET = "get"
+
+
 class SSOProtocol(str, Enum):
     OAUTH2 = "oauth2"
     OIDC = "oidc"
@@ -420,6 +425,7 @@ class SecurityOIDCBaseSettings(BaseSettings):
 
     icon: str = Field(default="mdi:account-key")
     display_label: str = Field(default="Single Sign on")
+    userinfo_method: UserInfoMethod = Field(default=UserInfoMethod.GET)
 
 
 class SecurityOIDCSettings(SecurityOIDCBaseSettings):
@@ -463,6 +469,7 @@ class SecurityOAuth2BaseSettings(BaseSettings):
     """Baseclass for typing"""
 
     icon: str = Field(default="mdi:account-key")
+    userinfo_method: UserInfoMethod = Field(default=UserInfoMethod.GET)
 
 
 class SecurityOAuth2Settings(SecurityOAuth2BaseSettings):

diff --git a/changelog/4898.fixed.md b/changelog/4898.fixed.md
@@ -0,0 +1 @@
+Default to using HTTP GET for UserInfo endpoints (OAuth2/OIDC)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Default to using HTTP GET for UserInfo endpoints (OAuth2/OIDC)