
"OAUTH2/USERINFO" POST request returns 415 - Unsupported Media Type Error #20754

Closed
ShamodyaHashantha opened this issue Jul 22, 2024 · 1 comment

@ShamodyaHashantha

Describe the issue:

According to the OIDC specification [1], the client can send a user info request using either GET or POST, with a recommendation to use the GET request. However, previous versions of IS (specifically 5.10.0) allowed POST requests with the access token to be sent in the authorization header field. In IS-6.1.0, the user info endpoint does not return a successful response for POST requests; instead, it returns a 415 - Unsupported Media Type error along with the following error logs in the wso2carbon log file:

ERROR {org.apache.cxf.jaxrs.utils.JAXRSUtils} - No message body reader has been found for class javax.ws.rs.core.MultivaluedMap, ContentType: application/octet-stream  
[098ef4b3-7270-4499-b7dd-1e3a79073aea] WARN {org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper} - javax.ws.rs.WebApplicationException: HTTP 415 Unsupported Media Type

Apparently, this issue arose after the introduction of the fix for [2], which added an additional MultivaluedMap parameter to the getUserClaimPost method [3] in IS-6.1.0 compared to the IS-5.10.0 implementation [4]. However, by explicitly setting the content type to application/x-www-form-urlencoded, the POST request works as expected in IS-6.1.0, whereas in IS-5.10.0 the user info POST request works fine regardless of the content type.

[1] https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest

[2] #10387

[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/cb0dabe9dc7234d25bfc480e3f669c2a51461bf8/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/user/OpenIDConnectUserEndpoint.java#L112

[4] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/35d2b91f19d322dd2e923025d1c90c257cee024d/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/user/OpenIDConnectUserEndpoint.java#L102

How to reproduce:
Try the userinfo POST request in the IS-6.1.0 version (refer to the sample curl below).

curl --location --request POST 'https://localhost:9443/oauth2/userinfo' \
--header 'Authorization: Bearer 311be0f6-03b1-3bcb-96ec-0322b0e93313'

Expected behavior:
Return a successful response for POST request

Environment information (Please complete the following information; remove any unnecessary fields):

  • Product Version: IS 6.1.0
  • OS: [e.g., Windows, Linux, Mac]
  • Database: [e.g., MySQL, H2]
  • Userstore: [e.g., LDAP, JDBC]

Optional Fields

Related issues:

Suggested labels:
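The mechanism behind the 415 described in this report, and one JAX-RS pattern that avoids it, as an added example (not the IS endpoint code and not the fix the project chose): a single POST method whose body parameter is a MultivaluedMap can only be matched for application/x-www-form-urlencoded, so a header-only POST with no Content-Type (treated as application/octet-stream) is rejected before the bearer token is read. The resource, method and claimsFor names are hypothetical.

```java
import javax.ws.rs.Consumes;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

// Hypothetical resource; the claims lookup is left to the deployment.
@Path("/oauth2/userinfo")
public abstract class UserInfoResource {

    // A MultivaluedMap body parameter commits this method to form-encoded
    // input. A POST without Content-Type defaults to application/octet-stream,
    // no MessageBodyReader matches, and CXF answers 415 before the
    // Authorization header is ever examined (the log in the report above).
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_JSON)
    public Response fromFormOrHeader(@HeaderParam("Authorization") String authz,
                                     MultivaluedMap<String, String> form) {
        String token = bearerFromHeader(authz);
        if (token == null && form != null) {
            token = form.getFirst("access_token");   // RFC 6750 section 2.2
        }
        return respond(token);
    }

    // Catch-all POST with no @Consumes (matches */*). JAX-RS routes
    // form-encoded requests to the more specific method above and everything
    // else here, so a header-only POST without Content-Type is served.
    @POST
    @Produces(MediaType.APPLICATION_JSON)
    public Response fromHeaderOnly(@HeaderParam("Authorization") String authz) {
        return respond(bearerFromHeader(authz));
    }

    // Strict "Bearer <token>" parse; any other scheme counts as no token.
    static String bearerFromHeader(String authz) {
        if (authz == null || !authz.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        String token = authz.substring(7).trim();
        return token.isEmpty() ? null : token;
    }

    private Response respond(String token) {
        if (token == null) {   // RFC 6750 section 3: challenge, no detail
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer realm=\"userinfo\"").build();
        }
        return Response.ok(claimsFor(token)).build();
    }

    // Validate the token and return the claims JSON; deployment-specific.
    protected abstract String claimsFor(String token);
}
```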

@nilasini
Contributor
