Support HTTP POST requests to `/userinfo`, aligning to OpenID Core specification...
authorMarcell Mars <ki.ber@kom.uni.st>
Wed, 20 Nov 2024 14:22:48 +0000 (15:22 +0100)
committerGitHub <noreply@github.com>
Wed, 20 Nov 2024 14:22:48 +0000 (14:22 +0000)
This PR adds support for HTTP POST requests to the `/userinfo` endpoint.
The OpenID Core specification says both GET and POST are supported and
recommends using HTTP GET.

ref: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

routers/web/web.go

index 137c67730652d5a329d98a4bcebac560f9988190..b96d06ed66eb637e8ac38d59dc6fd3eb895ae1e7 100644 (file)
@@ -561,7 +561,7 @@ func registerRoutes(m *web.Router) {
                        m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
                }, optSignInIgnoreCsrf, reqSignIn)
 
-               m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), optSignInIgnoreCsrf, auth.InfoOAuth)
+               m.Methods("GET, POST, OPTIONS", "/userinfo", optionsCorsHandler(), optSignInIgnoreCsrf, auth.InfoOAuth)
                m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), optSignInIgnoreCsrf, auth.AccessTokenOAuth)
                m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), optSignInIgnoreCsrf, auth.OIDCKeys)
                m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), optSignInIgnoreCsrf, auth.IntrospectOAuth)
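Review bot: Adding POST to the `/userinfo` line keeps `auth.InfoOAuth` as the handler with CSRF checking skipped (`optSignInIgnoreCsrf`), so it is worth confirming that the handler authorizes the request from the bearer access token alone and never from an ambient session cookie; the handler body is outside this hunk, so that cannot be verified here. POST clients may also send the token as a form-encoded `access_token` body parameter (RFC 6750 section 2.2), and this route binds no form, so either handle that parameter or document that only the `Authorization` header is accepted. If the header-only behaviour is intended, a comment above the line such as `// OIDC Core 5.3: UserInfo must accept GET and POST; the token is taken from the Authorization header only` would record it, and an integration test issuing a POST to `/userinfo` would pin it. `registerRoutes` starts and ends outside the hunk.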