italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0

Userinfo response content-type for spid is wrong #290

Closed matteo-s closed 6 months ago

matteo-s commented 6 months ago

The docs at https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/userinfo_endpoint.html#response say that the userinfo response Content-Type MUST be application/jwt for SPID. For CIE I could not find any requirement.

The UserInfo Endpoint response MUST specify the value "application/jwt" in the "Content-Type".

The current implementation always returns application/jose as the type.

https://github.com/italia/spid-cie-oidc-django/blob/2b0c2eff271ef290f90f62ba8b7a3d508b887543/spid_cie_oidc/provider/views/userinfo_endpoint.py#L105

peppelinux commented 6 months ago

https://www.iana.org/assignments/media-types/media-types.xhtml

includes both jose and JWT. I'm in favor of aligning to application/jwt, since jose also includes JWS using JSON serialization, while JWT only uses compact serialization.

rglauco commented 6 months ago

Verified with IPZS: uniform use of application/jwt for both SPID and CIE. Fixed in https://github.com/italia/spid-cie-oidc-django/pull/291
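The thread above is about one header, but the rule has a side on each end: the OP has to emit Content-Type: application/jwt with the compact JWS body, and a conformant RP should check that header before it parses the body. The snippet below is an added example written for this page, not code from spid-cie-oidc-django or from the fix in the linked PR. It uses only the Python standard library, signs with HS256 and a shared secret purely so it runs offline (the real provider signs with its own keys; that key handling is not shown), and the issuer, audience, claims and secret are constructed sample values. For context on the media types: RFC 7519 registers application/jwt for a JWT in compact serialization; RFC 7515 registers application/jose for the compact JWS/JWE serialization and application/jose+json for the JSON serialization.

```python
"""UserInfo response Content-Type: OP side that emits application/jwt, RP side that checks it.

Added example for this issue page, not code from spid-cie-oidc-django.
HS256 with a shared secret is an illustrative assumption; sample values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Media type SPID mandates for the UserInfo response (RFC 7519 registers it for a compact JWT).
USERINFO_MEDIA_TYPE = "application/jwt"

# Constructed sample data (hypothetical issuer/audience, not real SPID/CIE endpoints).
SAMPLE_KEY = b"constructed-shared-secret-for-the-example"
SAMPLE_ISS = "https://op.example.invalid"
SAMPLE_AUD = "https://rp.example.invalid"


def sample_claims() -> dict:
    """Constructed userinfo claims with a still-valid exp."""
    return {"iss": SAMPLE_ISS, "aud": SAMPLE_AUD, "sub": "abc123",
            "given_name": "Mario", "exp": int(time.time()) + 300}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_userinfo_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS (header.payload.signature) over the claims, HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
                _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(key, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [_b64url(sig)])


def userinfo_response(claims: dict, key: bytes) -> tuple:
    """OP side: (status, headers, body). Body is the compact JWS, so the type is application/jwt,
    not application/jose (the value the issue reports the endpoint used to send)."""
    return 200, {"Content-Type": USERINFO_MEDIA_TYPE}, sign_userinfo_jwt(claims, key)


def verify_userinfo_jwt(token: str, key: bytes, expected_iss: str, expected_aud: str) -> dict:
    """RP side: verify signature, iss, aud and exp; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("body is not a compact JWS: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the token's alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("userinfo JWT signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError(f"unexpected iss {claims.get('iss')!r}")
    if claims.get("aud") != expected_aud:
        raise ValueError(f"unexpected aud {claims.get('aud')!r}")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("userinfo JWT has expired")
    return claims


def parse_userinfo_response(status: int, headers: dict, body: str, key: bytes,
                            expected_iss: str, expected_aud: str) -> dict:
    """RP side: enforce the SPID Content-Type rule before touching the body."""
    if status != 200:
        raise ValueError(f"userinfo endpoint returned HTTP {status}")
    # Compare the media type only; parameters such as charset do not matter here.
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != USERINFO_MEDIA_TYPE:
        raise ValueError(f"SPID requires Content-Type {USERINFO_MEDIA_TYPE} "
                         f"for the UserInfo response, got {media_type!r}")
    return verify_userinfo_jwt(body, key, expected_iss, expected_aud)


if __name__ == "__main__":
    status, headers, body = userinfo_response(sample_claims(), SAMPLE_KEY)
    print(headers["Content-Type"], body[:40] + "...")
    print(parse_userinfo_response(status, headers, body, SAMPLE_KEY, SAMPLE_ISS, SAMPLE_AUD)["sub"])
    try:  # the pre-fix behaviour from the issue: same body, application/jose header
        parse_userinfo_response(200, {"Content-Type": "application/jose"}, body,
                                SAMPLE_KEY, SAMPLE_ISS, SAMPLE_AUD)
    except ValueError as exc:
        print("rejected:", exc)
```

The RP-side check deliberately runs before signature verification: a wrong media type is a conformance failure of the provider, and surfacing it as its own error keeps it from being misreported as a parse or signature problem.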