From 42878989d62dcec2fa918ef6b012e638d4763736 Mon Sep 17 00:00:00 2001
From: kavix
Date: Wed, 17 Jun 2026 19:34:46 +0530
Subject: [PATCH] Add integration test for multiple Authorization headers rejection

---
 .../test/oauth2/OpenIdUserInfoTestCase.java | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OpenIdUserInfoTestCase.java b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OpenIdUserInfoTestCase.java
index b55747360b8..6836ee8df5c 100644
--- a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OpenIdUserInfoTestCase.java
+++ b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/OpenIdUserInfoTestCase.java
@@ -447,6 +447,25 @@ public void testSendAuthorizedPostWithM2MToken() throws Exception {
 "Unexpected error message");
 }
 
+ @Test(groups = "wso2.is", description = "Validate UserInfo request with multiple Authorization headers", dependsOnMethods = "testGetAccessToken")
+ public void testUserInfoWithMultipleAuthorizationHeaders() throws Exception {
+
+ String userInfoUrl = tenantInfo.getDomain().equalsIgnoreCase("carbon.super") ?
+ OAuth2Constant.USER_INFO_ENDPOINT : OAuth2Constant.TENANT_USER_INFO_ENDPOINT;
+ HttpGet request = new HttpGet(userInfoUrl);
+
+ request.setHeader("User-Agent", OAuth2Constant.USER_AGENT);
+ // Add two separate Authorization headers to simulate the duplicate headers scenario
+ request.addHeader("Authorization", "Bearer " + accessToken);
+ request.addHeader("Authorization", "Bearer invalid_token");
+ request.setHeader("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
+
+ HttpResponse response = client.execute(request);
+ Assert.assertEquals(response.getStatusLine().getStatusCode(), 400,
+ "Request with multiple Authorization headers was not rejected with 400 Bad Request");
+ EntityUtils.consume(response.getEntity());
+ }
+
 public HttpResponse sendLoginPost(HttpClient client, String sessionDataKey) throws IOException {