From c0cc574ca2ae21a104cd785e900a57a1c946843a Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 27 Apr 2017 11:24:12 -0400
Subject: [PATCH] Add Authorization header with token to user info call

While not required, it is recommended to send the token as an Authorization header to the UserInfo call in OIDC: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo Some implementations expect this and will fail if not present
---
 oauth/base.py | 6 +++++-
 oauth/test/test_oidc.py | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/oauth/base.py b/oauth/base.py
index e7a6232c8..f50ae80d8 100644
--- a/oauth/base.py
+++ b/oauth/base.py
@@ -101,7 +101,11 @@ class OAuthService(object):
 'alt': 'json',
 }
- got_user = http_client.get(self.user_endpoint(), params=token_param)
+ headers = {
+ 'Authorization': 'Bearer %s' % token,
+ }
+
+ got_user = http_client.get(self.user_endpoint(), params=token_param, headers=headers)
 if got_user.status_code // 100 != 2:
 raise OAuthGetUserInfoException('Non-2XX response code for user_info call: %s' % got_user.status_code)
diff --git a/oauth/test/test_oidc.py b/oauth/test/test_oidc.py
index e8bdd0c0e..cfc61e37c 100644
--- a/oauth/test/test_oidc.py
+++ b/oauth/test/test_oidc.py
@@ -153,7 +153,10 @@ def preferred_username(request):
 @pytest.fixture
 def userinfo_handler(oidc_service, preferred_username):
 @urlmatch(netloc=r'fakeoidc', path=r'/userinfo')
- def handler(_, __):
+ def handler(_, req):
+ if req.headers.get('Authorization') != 'Bearer sometoken':
+ return {'status_code': 401, 'content': 'Missing expected header'}
+
 content = {
 'sub': 'cooluser',
 'preferred_username':preferred_username,
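Review bot: The rewritten `http_client.get` call still passes `params=token_param`, so if `token_param` carries the access token as a query parameter (its name suggests it does; its construction is outside the hunk), the token now travels in two places on every UserInfo request. The query-string form is the one worth retiring rather than keeping alongside the header: URLs are routinely captured in web-server and proxy access logs and can leak through `Referer`, which the `Authorization` header recommended by the OIDC UserInfo section cited in the commit message avoids. If the query form has to stay for providers that do not accept the header, a comment on the `headers = {` line such as `# Bearer header is the OIDC-recommended form; the query parameter is kept only for providers that do not accept it` would record why both are sent. The enclosing method starts and ends outside the hunk.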
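Review bot: The new guard in `handler` compares against the literal `'Bearer sometoken'`, which couples the fixture to whatever token value the service under test obtains; if that value is defined as a fixture or constant elsewhere in the file (not visible in the hunk), referencing it here would keep the two from drifting apart silently. The 401 branch is a sound way to assert the header, since a missing header now surfaces through the non-2XX error path in the base.py hunk rather than passing unnoticed. `handler`'s body continues past the end of the hunk.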