Support GET method on user info endpoint (oauth) #11014
Conversation
| @@ -332,7 +333,7 @@ else if (nonce.isPresent() != oauth2Response.getIdToken().isPresent()) { | |||
| if (userinfoUri.isPresent()) { | |||
| // validate access token is trusted by remote userinfo endpoint | |||
| Request request = Request.builder() | |||
| .setMethod(POST) | |||
| .setMethod(userInfoRequestMethod) | |||
There was a problem hiding this comment.
Can we simply change it to GET?
There was a problem hiding this comment.
Both methods are allowed according to the spec.
There was a problem hiding this comment.
According to https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest GET is recommended. The thing that we can use both methods does not mean we need to. I would prefer to have less toggles and use GET if is more widely. The issue is that we need to make sure we don't introduce regression.
| @@ -332,7 +333,7 @@ else if (nonce.isPresent() != oauth2Response.getIdToken().isPresent()) { | |||
| if (userinfoUri.isPresent()) { | |||
| // validate access token is trusted by remote userinfo endpoint | |||
| Request request = Request.builder() | |||
| .setMethod(POST) | |||
| .setMethod(userInfoRequestMethod) | |||
There was a problem hiding this comment.
Both methods are allowed according to the spec.
| @ConfigDescription("userinfo request method") | ||
| public OAuth2Config setUserInfoRequestMethod(String userInfoRequestMethod) | ||
| { | ||
| this.userInfoRequestMethod = userInfoRequestMethod; |
There was a problem hiding this comment.
Please add
@PostConstruct
public void validate()
{
}ensuring that a valid HTTP method name was provided and a test for it.
There was a problem hiding this comment.
I added the method and verified the valid states using checkState
| @@ -45,6 +46,7 @@ | |||
| private String tokenUrl; | |||
| private String jwksUrl; | |||
| private Optional<String> userinfoUrl = Optional.empty(); | |||
| private String userInfoRequestMethod = POST; | |||
There was a problem hiding this comment.
userinfoUrl uses a different casing
There was a problem hiding this comment.
Since userinforUrl is optional, so userinforRequestMethod should be optional as well. Configuring:
http-server.authentication.oauth2.userinfo-request-method=GETshouldn't be allowed without http-server.authentication.oauth2.userinfo-url specified.
There was a problem hiding this comment.
All remarks have been processed. I've changed the casing, made the property optional and added state checks.
mdesmet
force-pushed
the
oidc_support_get_user_endpoint
branch
4 times, most recently
from
5ce060e to
5c0f901
Compare
| @@ -45,6 +50,7 @@ | |||
| private String tokenUrl; | |||
| private String jwksUrl; | |||
| private Optional<String> userinfoUrl = Optional.empty(); | |||
| private Optional<String> userinfoRequestMethod = Optional.empty(); | |||
There was a problem hiding this comment.
Why is this configurable? Does oauth2 specify both methods for this type of API?
There was a problem hiding this comment.
| @@ -332,7 +334,7 @@ else if (nonce.isPresent() != oauth2Response.getIdToken().isPresent()) { | |||
| if (userinfoUri.isPresent()) { | |||
| // validate access token is trusted by remote userinfo endpoint | |||
| Request request = Request.builder() | |||
| .setMethod(POST) | |||
| .setMethod(userInfoRequestMethod.orElse(POST)) | |||
There was a problem hiding this comment.
What about the risk of regression?
I'm good to change to GET, just a little worried it might break for some existing users: I've seen many custom OAuth enterprise implementations, not always strictly according spec.
There was a problem hiding this comment.
I think @lukasz-walkiewicz have tested all the IdP we think we support and it was working just fine.
There was a problem hiding this comment.
No doubt the commercial idp will work with both POST or GET. I see rather the risk within custom built oidc implementations. if their custom oidc implementation only has the POST endpoint and suddenly it's not working anymore after a Trino upgrade. As I said already, for me it's ok to make the change to GET. Will adapt the code later today.
There was a problem hiding this comment.
We are not aware of any use case like this. Also it sounds very exotic, I would prefer not to support such use cases without hard evidence it is actually needed.
mdesmet
force-pushed
the
oidc_support_get_user_endpoint
branch
from
5c0f901 to
49972fb
Compare
|
No release notes are needed here. |
|
Merged, thanks! |
Description
General information
This is new feature
It's a change to the core query engine
This feature allows to configure the requests method of the user info endpoint for oauth2 authentication for web ui and jdbc/odbc drivers.
Related issues, pull requests, and links
Documentation
( ) No documentation is needed.
( *) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( *) No release notes entries required.
( ) Release notes entries required with the following suggested text: