fix(tokenExchange): use correct token type for userInfo requests (#3336)

Signed-off-by: Chris H <33393789+MrDeerly@users.noreply.github.com>
dexidp · Feb 9, 2024 · 79d5874 · 79d5874
1 parent fdb4dc6
commit 79d5874
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
@@ -433,7 +433,10 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 	// We immediately want to run getUserInfo if configured before we validate the claims.
 	// For token exchanges with access tokens, this is how we verify the token.
 	if c.getUserInfo {
-		userInfo, err := c.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
+		userInfo, err := c.provider.UserInfo(ctx, oauth2.StaticTokenSource(&oauth2.Token{
+			AccessToken: token.AccessToken,
+			TokenType:   "Bearer", // The UserInfo endpoint requires a bearer token as per RFC6750
+		}))
 		if err != nil {
 			return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
 		}