juanifioren/django-oidc-provider

userinfo returns wrong response with django cache enabled

ZuSe opened this issue · 2 comments

ZuSe commented

We have identified some unexpected behavior with any Django cache (db or redis) enabled.
Our resource servers are using the userinfo endpoint to resolve users from the previously shipped Bearer token (on login).

We are calling the /userinfo/ endpoint with GET and have the token in the header e.g.
```shell
curl -X GET \
  https://accounts.xxxxx.org/oidc/userinfo \
  -H 'Authorization: Bearer 3c698d49ef13460b9e3933318430c733' \
  -H 'cache-control: no-cache'
```

On the first request the userdata (sub, email etc.) is returned as expected.

However, if in the meantime any other user calls the endpoint it can happen that userinfo returns another user which does not own the Bearer token on a second request.
With cache disabled everything works e.g.
```python
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.dummy.DummyCache',
    }
}
```

I have looked in the code but could not figure out how the default django cache should affect the response behavior. Maybe some of you guys got an idea.

Funny sidenote: using POST instead of GET everything works, but most libs don't support that.

suutari-ai commented

Maybe the view should be decorated with @vary_on_headers('Authorization')? See https://docs.djangoproject.com/en/2.2/topics/cache/#using-vary-headers for more info about this decorator.

ZuSe commented

Hi @suutari-ai, that sounds like a valid option. As far as I can see there is nothing like that in the code atm.
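The failure reported in this issue, and the effect of the `@vary_on_headers('Authorization')` fix proposed above, as an added model (not code from django-oidc-provider or Django): a GET-only page cache keys responses on the URL plus the headers listed in Vary, so without `Vary: Authorization` the second caller receives the first caller's cached userinfo. Tokens, users and the `CachedEndpoint` helper are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample data: two bearer tokens owned by two different users.
USERS_BY_TOKEN = {
    "Bearer tokenA": {"sub": "alice", "email": "alice@example.org"},
    "Bearer tokenB": {"sub": "bob", "email": "bob@example.org"},
}

def userinfo_view(request: dict) -> dict:
    """Resolve the user that owns the bearer token in the Authorization header."""
    return USERS_BY_TOKEN[request["headers"]["Authorization"]]

def cache_key(request: dict, vary_headers: Tuple[str, ...]) -> str:
    """Model of a page cache's key: the URL plus the value of every header
    named in Vary. With no Vary headers, every caller of /oidc/userinfo
    shares one cache entry, whoever they are."""
    parts = [request["method"], request["path"]]
    parts += [request["headers"].get(h, "") for h in vary_headers]
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

class CachedEndpoint:
    """A GET/HEAD-only response cache in front of the view, mirroring the
    behaviour that makes POST look 'fixed' in the issue (POST is never cached)."""
    def __init__(self, vary_headers: Tuple[str, ...] = ()):
        self.vary_headers = tuple(vary_headers)
        self.store: Dict[str, dict] = {}

    def handle(self, request: dict) -> dict:
        if request["method"] not in ("GET", "HEAD"):
            return userinfo_view(request)  # uncached, always correct
        key = cache_key(request, self.vary_headers)
        if key not in self.store:
            self.store[key] = userinfo_view(request)
        return self.store[key]

def make_request(method: str, token: str) -> dict:
    return {"method": method, "path": "/oidc/userinfo",
            "headers": {"Authorization": token}}

def run_scenario(vary_headers: Tuple[str, ...] = (), method: str = "GET") -> Tuple[str, str]:
    """Alice calls first, then Bob; return the 'sub' each of them receives."""
    endpoint = CachedEndpoint(vary_headers)
    alice = endpoint.handle(make_request(method, "Bearer tokenA"))["sub"]
    bob = endpoint.handle(make_request(method, "Bearer tokenB"))["sub"]
    return alice, bob
```

`run_scenario()` reproduces the bug (Bob gets Alice's data), `run_scenario(("Authorization",))` shows the per-caller keying that `Vary: Authorization` gives the cache middleware, and `run_scenario((), "POST")` shows why POST appeared to work. In real Django the other common option for a per-user endpoint like userinfo is to mark the view `@never_cache`.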