
Merge pull request #508 from n8lab/issue_345
#345 handle the userinfo response as JWT
zandbelt authored Mar 11, 2024
2 parents 734a3f4 + 65e4794 commit 9f3a4fc
Showing 3 changed files with 43 additions and 0 deletions.
11 changes: 11 additions & 0 deletions lib/resty/openidc.lua
Expand Up @@ -623,6 +623,17 @@ function openidc.call_userinfo_endpoint(opts, access_token)

log(DEBUG, "userinfo response: ", res.body)

-- handle if the response type is a jwt/signed payload
local responseType = string.lower(res.headers["Content-Type"])
if string.find(responseType, "application/jwt") then
local json, err = openidc.jwt_verify(res.body, opts)
if err then
err = "userinfo jwt could not be verified: " .. err
return nil, err
end
return json
end

-- parse the response from the user info endpoint
return openidc_parse_json_response(res)
end
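Review bot: `string.lower(res.headers["Content-Type"])` on the second added line raises a Lua error when the userinfo endpoint omits the Content-Type header, because string.lower(nil) is a bad-argument error rather than a nil, err return, so a response that previously reached openidc_parse_json_response now aborts the request instead of failing softly. Guard the header first, e.g. `local content_type = res.headers["Content-Type"]` followed by `local responseType = type(content_type) == "string" and string.lower(content_type) or ""`; the type check also covers a repeated header being returned as a table, if the HTTP client used here does that. The JWT branch returns whatever openidc.jwt_verify yields; whether that helper also checks that the signed payload's iss and aud match this client is outside the hunk and worth confirming, since the caller only receives the decoded claims. The body of call_userinfo_endpoint begins before the hunk.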
9 changes: 9 additions & 0 deletions tests/spec/test_support.lua
Expand Up @@ -326,6 +326,15 @@ http {
}
}
location /user-info-signed {
content_by_lua_block {
local auth = ngx.req.get_headers()["Authorization"]
ngx.header.content_type = 'application/jwt;charset=UTF-8'
local signed_userinfo = test_globals.create_jwt(USERINFO)
ngx.print(signed_userinfo)
}
}
location /introspection {
content_by_lua_block {
ngx.req.read_body()
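Review bot: `local auth = ngx.req.get_headers()["Authorization"]` in the new /user-info-signed location is assigned and never read, so luacheck will flag it and the stub does not actually check that the access token was presented. Either drop the line or make it the check it appears intended to be, e.g. `if not auth then ngx.status = 401 ngx.exit(401) end`, so the spec fails if the client stops sending the bearer token to the userinfo endpoint. Setting the content type with a charset parameter is a good choice here, as it exercises the substring match on the client side rather than an exact comparison.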
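--- a/tests/spec/userinfo_spec.lua
+++ b/tests/spec/userinfo_spec.lua
@@ -169,3 +169,26 @@ describe("when userinfo endpoint doesn't return proper JSON", function()
 assert.error_log_contains("JSON decoding failed")
 end)
 end)
+
+describe("when userinfo endpoint returns a JWT", function()
+test_support.start_server({
+oidc_opts = {
+discovery = {
+userinfo_endpoint = "http://127.0.0.1/user-info-signed",
+token_endpoint_auth_methods_supported = { "private_key_jwt" },
+},
+token_endpoint_auth_method = "private_key_jwt",
+client_rsa_private_key = test_support.load("/spec/private_rsa_key.pem"),
+public_key = test_support.load("/spec/public_rsa_key.pem"),
+},
+})
+teardown(test_support.stop_server)
+local _, status = test_support.login()
+it("login succeeds", function()
+assert.are.equals(302, status)
+end)
+it("an error has not been logged", function()
+assert.is_not.error_log_contains("JSON decoding failed")
+assert.is_not.error_log_contains("userinfo jwt could not be verified")
+end)
+end)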
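Review bot: The new describe block covers only the success path, so the rejection branch introduced in call_userinfo_endpoint (the `userinfo jwt could not be verified` error) has no test that demonstrates a bad signature is actually refused. A second describe in which /user-info-signed serves a JWT signed with a key that does not match `public_key`, or a non-JWT body under the application/jwt content type, asserting `assert.error_log_contains("userinfo jwt could not be verified")`, would pin that behaviour and catch a regression where verification silently passes. The two it blocks also only check the redirect status and the absence of log lines; asserting that a claim from USERINFO reached the session would show the decoded payload is really used.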
