From 99e37e987afb24c8a48670c5953c996221726e69 Mon Sep 17 00:00:00 2001
From: Jason
Date: Tue, 4 Feb 2025 01:22:32 -0500
Subject: [PATCH] Allow POST on oauth userinfo (#3395)

---
 CONTRIBUTORS.md                     | 1 +
 server/core/src/https/oauth2.rs     | 4 +++-
 server/testkit/tests/oauth2_test.rs | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 09a4eafbd..3a75f2ca1 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -46,6 +46,7 @@
 - Christopher-Robin (cebbinghaus)
 - Fabian Kammel (datosh)
 - Andris Raugulis (arthepsy)
+- Jason (argonaut0)
 
 ## Acknowledgements
 
diff --git a/server/core/src/https/oauth2.rs b/server/core/src/https/oauth2.rs
index ae986119a..33a142507 100644
--- a/server/core/src/https/oauth2.rs
+++ b/server/core/src/https/oauth2.rs
@@ -774,7 +774,9 @@ pub fn route_setup(state: ServerState) -> Router {
         // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
         .route(
             "/oauth2/openid/:client_id/userinfo",
-            get(oauth2_openid_userinfo_get).options(oauth2_preflight_options),
+            get(oauth2_openid_userinfo_get)
+                .post(oauth2_openid_userinfo_get)
+                .options(oauth2_preflight_options),
         )
         // // ⚠️ ⚠️ WARNING ⚠️ ⚠️
         // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
diff --git a/server/testkit/tests/oauth2_test.rs b/server/testkit/tests/oauth2_test.rs
index 21f3096f3..faab08575 100644
--- a/server/testkit/tests/oauth2_test.rs
+++ b/server/testkit/tests/oauth2_test.rs
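Review bot: The handler bound on the new `.post(...)` line is still named `oauth2_openid_userinfo_get`, which now misdescribes it and will make the next reader wonder whether POST was wired up by mistake; renaming it (or adding an alias) so the line reads `get(oauth2_openid_userinfo).post(oauth2_openid_userinfo).options(oauth2_preflight_options),` would remove that doubt. It is also worth confirming that `oauth2_preflight_options` advertises POST in the methods it allows, since a browser client using the newly accepted method is otherwise still rejected at preflight; that handler's body is outside this hunk. A short comment on the route would help future maintainers, e.g. `// POST is accepted for userinfo as OIDC Core 5.3.1 allows; the bearer token is read from the Authorization header only`, assuming the handler does not also parse a form body — the handler itself is not in the hunk, so that assumption needs checking. `route_setup` begins and ends outside the hunk.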
@@ -447,6 +447,24 @@ async fn test_oauth2_openid_basic_flow_impl(
     assert_eq!(userinfo, oidc);
+    let response = client
+        .post(rsclient.make_url("/oauth2/openid/test_integration/userinfo"))
+        .bearer_auth(atr.access_token.clone())
+        .send()
+        .await
+        .expect("Failed to send userinfo POST request.");
+
+    tracing::trace!("{:?}", response.headers());
+    assert!(
+        response.headers().get(CONTENT_TYPE) == Some(&HeaderValue::from_static(APPLICATION_JSON))
+    );
+    let userinfo_post = response
+        .json::()
+        .await
+        .expect("Unable to decode OidcToken from POST userinfo");
+
+    assert_eq!(userinfo_post, userinfo);
+
     // Step 6 - Show that our client can perform a client credentials grant
     let form_req: AccessTokenRequest = GrantTypeReq::ClientCredentials {