CORS headers not sent in userinfo endpoint error response
Concerned version
Version: 2.0.11
Platform: Apache
Summary
Very similar to #2380 (closed), but for the userinfo endpoint.
CORS headers are not sent by the /oauth2/userinfo endpoint:
- if I send an invalid token
- if I don't send anything
Logs
curl -H "Accept: application/json" -v https://auth.domain.com/oauth2/userinfo
* Server certificate:
* subject: C=FR; L=Paris; O=****; CN=****
* start date: Jun 15 00:00:00 2021 GMT
* expire date: Jun 15 23:59:59 2022 GMT
* subjectAltName: host "auth.domain.com" matched cert's "auth.domain.com"
* issuer: C=NL; O=GEANT Vereniging; CN=GEANT OV RSA CA 4
* SSL certificate verify ok.
> GET /oauth2/userinfo HTTP/1.1
> Host: auth.domain.com
> User-Agent: curl/7.64.0
> Accept: application/json
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
< Date: Mon, 26 Jul 2021 10:32:35 GMT
< Server: Apache/2.4.38 (Debian)
< WWW-Authenticate: error=invalid_request,error_description=Access token not found in request
< Vary: User-Agent
< Content-Length: 0
<
* Connection #0 to host auth.domain.com left intact
Backends used
- LDAP authentication
- PostgreSQL for configurations
- Browseable::PG for sessions
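As an added check, not part of this report or of the project's own code: a small parser for curl -v transcripts that reports which CORS response headers are missing, holding a 401 to the same requirement as a 200. The sample transcript is constructed from the curl output above; requiring Allow-Methods/Allow-Headers only on an OPTIONS preflight is this script's assumption about what the calling page needs.

```python
from typing import Dict, List, Optional, Tuple

# Headers a browser needs before a cross-origin page may read the response.
# The actual request (a GET carrying a bearer token) needs only Allow-Origin,
# on every status including 401; an OPTIONS preflight needs the other two too.
REQUIRED_ACTUAL = ("access-control-allow-origin",)
REQUIRED_PREFLIGHT = REQUIRED_ACTUAL + (
    "access-control-allow-methods", "access-control-allow-headers")


def parse_curl_transcript(transcript: str) -> Tuple[Optional[str], int, Dict[str, str]]:
    """Return (request method, status code, response headers) from curl -v output."""
    # Request lines start with '> ', response lines with '< '; names are lowercased.
    method: Optional[str] = None
    status: Optional[int] = None
    headers: Dict[str, str] = {}
    for raw in transcript.splitlines():
        body = raw[2:].strip()
        if raw.startswith("> ") and method is None:
            parts = body.split()
            if len(parts) == 3 and parts[2].startswith("HTTP/"):
                method = parts[0]
        elif raw.startswith("< ") and body:
            if body.startswith("HTTP/") and status is None:
                status = int(body.split()[1])  # "HTTP/1.1 401 Unauthorized" -> 401
            elif ":" in body:
                name, _, value = body.partition(":")
                headers[name.strip().lower()] = value.strip()
    if status is None:
        raise ValueError("no HTTP status line in transcript")
    return method, status, headers


def missing_cors_headers(transcript: str) -> List[str]:
    """CORS headers the response lacks; error responses are held to the same rule."""
    method, _, headers = parse_curl_transcript(transcript)
    required = REQUIRED_PREFLIGHT if method == "OPTIONS" else REQUIRED_ACTUAL
    return [h for h in required if h not in headers]


# Constructed sample, condensed from the curl output in the report.
SAMPLE_401 = """\
> GET /oauth2/userinfo HTTP/1.1
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: error=invalid_request,error_description=Access token not found in request
< Content-Length: 0
<
"""
```

Feed it the saved output of `curl -v` for each of the two cases in the report (no token, invalid token); an empty list means the fix is in place for that case.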