From 64cdc9f9539346fa74ac0cbb62909865e52ae5c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Triszt=C3=A1n=20Piller?= <60111772+triszt4n@users.noreply.github.com>
Date: Sun, 17 Apr 2022 02:39:07 +0200
Subject: [PATCH] feat(auth): OAuth2 access_token in GET query string in userInfoURL (#5188)
---
 server/modules/authentication/oauth2/authentication.js | 2 +-
 server/modules/authentication/oauth2/definition.yml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/server/modules/authentication/oauth2/authentication.js b/server/modules/authentication/oauth2/authentication.js
index 1ac9901b..a2285cff 100644
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@@ -37,7 +37,7 @@ module.exports = {
 })
 client.userProfile = function (accesstoken, done) {
- this._oauth2._useAuthorizationHeaderForGET = true
+ this._oauth2._useAuthorizationHeaderForGET = !conf.useQueryStringForAccessToken
 this._oauth2.get(conf.userInfoURL, accesstoken, (err, data) => {
 if (err) {
 return done(err)
diff --git a/server/modules/authentication/oauth2/definition.yml b/server/modules/authentication/oauth2/definition.yml
index 38d13901..0621aa39 100644
--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@@ -64,3 +64,9 @@ props:
 title: Scope
 hint: (optional) Application Client permission scopes.
 order: 10
+ useQueryStringForAccessToken:
+ type: Boolean
+ default: false
+ title: Pass access token via GET query string to User Info Endpoint
+ hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
+ order: 11
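Review bot: The changed line drives behaviour through `_useAuthorizationHeaderForGET`, an underscore-prefixed field of the wrapped OAuth2 client rather than a public option, and nothing on the line says why it is being cleared or what that costs; add `// private flag of the wrapped OAuth2 client: false makes get() send the token as an access_token query parameter instead of in the Authorization header (opt-in, see useQueryStringForAccessToken)` above it. Clearing it puts the bearer token in the request URL, where it can surface in access, proxy and error logs on the way to conf.userInfoURL, which is why RFC 6750 §2.3 discourages the query-parameter transport; keeping the option opt-in, as `!conf.useQueryStringForAccessToken` does (an unset value yields true, so existing configs keep the header), is right, and the comment should record that rationale so the default is not flipped later. userProfile and the enclosing init continue outside the hunk, and the header counts seven old lines while only six are visible, so the tail of the hunk appears to be cut off.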
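Review bot: The hint for useQueryStringForAccessToken describes the mechanics but not the trade-off an administrator has to weigh: with the option on, the access token becomes part of the User Info request URL and can be captured by any request, proxy or error log in the path, which is the reason RFC 6750 §2.3 discourages the query-parameter transport. Extend the hint with a sentence such as `Enable only if the provider rejects the Authorization header; a token in the query string may be recorded in server and proxy logs.` The `default: false` is the correct choice and should stay.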