OIDC: `userinfo_endpoint` is RECOMMENDED, but not REQUIRED

coupergateway / couper

Couper is a lightweight API gateway designed to support developers in building and operating API-driven Web projects

https://couper.io

MIT License

85 stars 15 forks source link

Closed johakoch closed 1 year ago

johakoch commented 1 year ago

So, if the openid-configuration, for whatever reason, does not include a userinfo_endpoint, no userinfo should be requested. Accordingly,

the sub claim from the id token cannot be verified against the sub property from the userinfo response,
no userinfo is stored in request.context.<oidc_name>.

johakoch commented 1 year ago

Are issues that are on a milestone not automatically closed if the linked PR is merged?

malud commented 1 year ago

Works, comfirmed with an Azure B2C application without an userinfo_endpoint within the configuration.