[IGN-7075] OIDC User Info URL requires GET instead of POST

We're having trouble retrieving our UserInfo when authenticating via OIDC because it seems Ignition tries to retrieve it with a POST and our organization requires a GET. Is there any chance this could be an option in the future to change the request type? I see this error in the logs.

HTTP Response Body: '<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Error</title> </head> <body> <pre>Cannot POST /me</pre> </body> </html> '

The UserInfo Endpoint MUST support the use of the HTTP GET and HTTP POST methods defined in RFC 2616 [RFC2616].

The OIDC spec is pretty clear what the requirement is for the OP, so I'd suggest providing this info to your IdP.

However, in section 5.3.1:

The Client sends the UserInfo Request using either HTTP GET or HTTP POST. The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0 Bearer Token Usage [RFC6750].

It is RECOMMENDED that the request use the HTTP GET method and the Access Token be sent using the Authorization header field.

So Ignition's OIDC client is not following the recommendation, although it still complies.

Regardless, I'll create a ticket to add a setting to control the HTTP method used for the UserInfo API (two options: GET and POST). That way, Ignition will be even more interoperable with more IdPs.

1 Like
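The GET-or-POST UserInfo exchange described in the reply above, as an added example that is not Ignition's code or anything from the forum posters: a throwaway OP on localhost that accepts the Access Token as a Bearer Authorization header on both methods (with a switch that mimics the GET-only endpoint from the original post), and an RP-side fetch whose method is configurable the way the requested setting would be. The /userinfo path, the token value and the claims are constructed sample data.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: one access token and the claims the OP returns for it.
TOKENS = {"at-constructed-123": {"sub": "user-42", "email": "alice@example.invalid"}}


class UserInfoHandler(BaseHTTPRequestHandler):  # UserInfo endpoint: GET and POST, Bearer token
    supports_post = True  # False mimics the GET-only endpoint from the original post

    def _serve(self):
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        claims = TOKENS.get(token) if scheme.lower() == "bearer" else None
        if claims is None:  # RFC 6750: reject with 401 and a WWW-Authenticate challenge
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer error="invalid_token"')
            self.end_headers()
            return
        body = json.dumps(claims).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _serve
    def do_POST(self):  # a GET-only IdP answers like the thread's "Cannot POST /me"
        self._serve() if self.supports_post else self.send_error(404, "Cannot POST " + self.path)

    def log_message(self, *args): pass  # keep the server quiet


def start_op(supports_post=True):
    # Throwaway OP on a random localhost port; returns (server, userinfo_url).
    handler = type("Handler", (UserInfoHandler,), {"supports_post": supports_post})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/userinfo" % server.server_address[1]


def fetch_userinfo(url, access_token, method="GET"):
    # RP side: the method is configurable; the token always travels as a Bearer header.
    if method not in ("GET", "POST"):
        raise ValueError("UserInfo request method must be GET or POST")
    req = urllib.request.Request(url, method=method, data=b"" if method == "POST" else None)
    req.add_header("Authorization", "Bearer " + access_token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None
```

Against the spec-compliant OP both methods return the claims; against the GET-only variant, POST comes back as the 404 seen in the original log while GET still succeeds, which is exactly the gap the new setting closes.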

The capability to configure the UserInfo HTTP Request Method (GET or POST) is now available with the latest early access build: Nightly 8.1 Changelogs - 2023 - #35 by sreis

2 Likes