centreon / centreon-archived

Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.
https://www.centreon.com
GNU General Public License v2.0

OpenID : GET method should be used on User Information Endpoint instead of POST #10044

Open fixlair opened 3 years ago

fixlair commented 3 years ago

BUG REPORT INFORMATION

Centreon Versions

Tested on the latest 20.10.10 version, but I checked the latest 21.04.x code and it seems to be present there as well.

Steps to Reproduce

When trying to connect using OpenID in Centreon, it fails with some IdPs when getting UserInfo, as the request is a POST and a GET is expected.

Describe the received result

The IdP we use sends us an error, as Centreon requests the /userinfo endpoint with the POST method and only the GET method is allowed. I also checked Keycloak, which seems to prefer GET as well (but is less strict and accepts POST).

Additional relevant information (e.g. frequency, ...)

The latest doc from OpenID specifies: https://openid.net/specs/openid-connect-basic-1_0.html#UserInfoRequest

The request SHOULD use the HTTP GET method and the Access Token SHOULD be sent using the Authorization header field.

https://github.com/centreon/centreon/blob/2caa01bc77eb21ccf2fb53103feeadf61f0746af/www/class/centreonAuth.SSO.class.php#L482-L490

Thanks !!

srinathman commented 3 years ago

Same issue here, changing the request to GET fixes the issue. (Using Okta)
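
As an added illustration (not part of the issue thread and not Centreon's code), this Python sketch reproduces the behaviour reported above: a stub UserInfo endpoint that, like the strict IdP described, refuses POST, and a client that sends the access token in the Authorization header. The stub, token, claims and function names are constructed for the example, and it uses plain HTTP on loopback only so that it runs offline.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-access-token"  # constructed sample value, not a real token

class StrictUserInfo(BaseHTTPRequestHandler):
    """Hypothetical stub IdP: /userinfo answers only GET with a Bearer token."""
    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.headers.get("Authorization") == f"Bearer {TOKEN}":
            self._reply(200, {"sub": "constructed-subject", "name": "Jane Doe"})
        else:
            self._reply(401, {"error": "invalid_token"})

    def do_POST(self):  # strict behaviour reported in the issue: POST is refused
        self._reply(405, {"error": "method_not_allowed"})

def fetch_userinfo(host, port, access_token, method="GET"):
    """Call /userinfo with the token in the Authorization header; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/userinfo", headers={"Authorization": f"Bearer {access_token}"})
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()

def demo():
    """Run POST, GET and GET-with-wrong-token against the stub; return the results."""
    calls = [(TOKEN, "POST"), (TOKEN, "GET"), ("wrong-token", "GET")]
    with HTTPServer(("127.0.0.1", 0), StrictUserInfo) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return [fetch_userinfo("127.0.0.1", server.server_port, tok, method)
                    for tok, method in calls]
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The stub's request log on stderr shows the POST answered with 405 and the GET with 200, which is the difference between the current request and the one the specification recommends.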