feat(auth): OAuth2 access_token in GET query string in userInfoURL (#5188)

de151031 · Trisztán Piller · GitHub · a647626a · de151031 · de151031
Unverified Commit de151031 authored Apr 17, 2022 by Trisztán Piller Committed by GitHub Apr 16, 2022
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

authentication.js server/modules/authentication/oauth2/authentication.js +1 -1

definition.yml server/modules/authentication/oauth2/definition.yml +6 -0

No files found.
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@@ -37,7 +37,7 @@ module.exports = {
    })
    client.userProfile = function (accesstoken, done) {
-      this._oauth2._useAuthorizationHeaderForGET = true
+      this._oauth2._useAuthorizationHeaderForGET = !conf.useQueryStringForAccessToken
      this._oauth2.get(conf.userInfoURL, accesstoken, (err, data) => {
        if (err) {
          return done(err)

--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@@ -64,3 +64,9 @@ props:
    title: Scope
    hint: (optional) Application Client permission scopes.
    order: 10
+  useQueryStringForAccessToken:
+    type: Boolean
+    default: false
+    title: Pass access token via GET query string to User Info Endpoint
+    hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
+    order: 11