@@ -435,6 +435,69 @@ func TestOIDCController(t *testing.T) {
435435 assert .False (t , ok , "Did not expect email claim in userinfo response" )
436436 },
437437 },
438+ {
439+ description : "Ensure userinfo forbids access with malformed authorization header" ,
440+ middlewares : []gin.HandlerFunc {},
441+ run : func (t * testing.T , router * gin.Engine , recorder * httptest.ResponseRecorder ) {
442+ req := httptest .NewRequest ("GET" , "/api/oidc/userinfo" , nil )
443+ req .Header .Set ("Authorization" , "Bearer" )
444+ router .ServeHTTP (recorder , req )
445+ assert .Equal (t , 401 , recorder .Code )
446+
447+ var res map [string ]any
448+ err := json .Unmarshal (recorder .Body .Bytes (), & res )
449+ assert .NoError (t , err )
450+ assert .Equal (t , "invalid_request" , res ["error" ])
451+ },
452+ },
453+ {
454+ description : "Ensure userinfo accepts access token via POST body" ,
455+ middlewares : []gin.HandlerFunc {
456+ simpleCtx ,
457+ },
458+ run : func (t * testing.T , router * gin.Engine , recorder * httptest.ResponseRecorder ) {
459+ tokenTest , found := getTestByDescription ("Ensure we can get a token with a valid request" )
460+ assert .True (t , found , "Token test not found" )
461+ tokenRecorder := httptest .NewRecorder ()
462+ tokenTest (t , router , tokenRecorder )
463+
464+ var tokenRes map [string ]any
465+ err := json .Unmarshal (tokenRecorder .Body .Bytes (), & tokenRes )
466+ assert .NoError (t , err )
467+
468+ accessToken := tokenRes ["access_token" ].(string )
469+ assert .NotEmpty (t , accessToken )
470+
471+ body := url.Values {}
472+ body .Set ("access_token" , accessToken )
473+ req := httptest .NewRequest ("POST" , "/api/oidc/userinfo" , strings .NewReader (body .Encode ()))
474+ req .Header .Set ("Content-Type" , "application/x-www-form-urlencoded" )
475+ router .ServeHTTP (recorder , req )
476+ assert .Equal (t , 200 , recorder .Code )
477+
478+ var userInfoRes map [string ]any
479+ err = json .Unmarshal (recorder .Body .Bytes (), & userInfoRes )
480+ assert .NoError (t , err )
481+
482+ _ , ok := userInfoRes ["sub" ]
483+ assert .True (t , ok , "Expected sub claim in userinfo response" )
484+ },
485+ },
486+ {
487+ description : "Ensure userinfo POST rejects wrong content type" ,
488+ middlewares : []gin.HandlerFunc {},
489+ run : func (t * testing.T , router * gin.Engine , recorder * httptest.ResponseRecorder ) {
490+ req := httptest .NewRequest ("POST" , "/api/oidc/userinfo" , strings .NewReader (`{"access_token":"some-token"}` ))
491+ req .Header .Set ("Content-Type" , "application/json" )
492+ router .ServeHTTP (recorder , req )
493+ assert .Equal (t , 400 , recorder .Code )
494+
495+ var res map [string ]any
496+ err := json .Unmarshal (recorder .Body .Bytes (), & res )
497+ assert .NoError (t , err )
498+ assert .Equal (t , "invalid_request" , res ["error" ])
499+ },
500+ },
438501 {
439502 description : "Ensure plain PKCE succeeds" ,
440503 middlewares : []gin.HandlerFunc {
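Review bot: The unchecked type assertion `accessToken := tokenRes["access_token"].(string)` in the POST-body test panics rather than failing the test when the token request did not return a string access_token, and the preceding `assert.True(t, found, ...)` does not stop execution either, so a missing token test would panic on the nil `tokenTest` call; use the two-value form, `accessToken, isString := tokenRes["access_token"].(string)` followed by `assert.True(t, isString, "access_token missing or not a string")`, ahead of the existing NotEmpty check. The malformed-header test asserts only the status and the `error` field; since RFC 6750 requires a `WWW-Authenticate` header on a 401 from a bearer-protected resource such as userinfo, adding `assert.NotEmpty(t, recorder.Header().Get("WWW-Authenticate"))` would pin that part of the contract too. The enclosing TestOIDCController starts and ends outside the hunk.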