fix(tokenExchange): use correct token type for userInfo requests #3336

Merged
merged 1 commit into from
Feb 9, 2024

Conversation

@0x0dr1y (Contributor) commented Feb 7, 2024

Overview

This small change fixes an issue in the token exchange flow. It explicitly sets the tokenType used for GET /userinfo to Bearer to conform with the OIDC spec.

What this PR does / why we need it

Without this change the tokenType would be set to either urn:ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token-type:id_token, which doesn't satisfy the OIDC spec.

The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0 Bearer Token Usage [RFC6750].

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo (5.3.1)

Closes #3335

Signed-off-by: Chris H <33393789+MrDeerly@users.noreply.github.com>
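To show what the wrong tokenType does on the wire, here is an added example in Go (Dex's language); it is not code from this PR or from Dex. It mirrors, in standard-library-only code, how a generic oauth2 client such as golang.org/x/oauth2's Token.SetAuthHeader forms the Authorization header as "<TokenType> <token>" (that description of the library is mine, the PR does not state it), and sends the pre-fix variant (the RFC 8693 token-type URN used as the scheme) and the post-fix variant (Bearer) to a minimal /userinfo handler that applies the RFC 6750 rule quoted above. The sample token, the handler and the helper names (authHeader, bearerToken, userInfoStatus, compareTokenTypes) are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample values for the demonstration (not from Dex).
const (
	sampleAccessToken = "eyJhbGciOiJSUzI1NiJ9.constructed.sample"
	tokenTypeURN      = "urn:ietf:params:oauth:token-type:access_token" // RFC 8693 identifier
	tokenTypeBearer   = "Bearer"                                        // RFC 6750 scheme
)

// authHeader forms the Authorization header value the way a generic oauth2
// client does: "<token type> <token>". The token type is used verbatim as the
// HTTP auth scheme, which is only valid when it is "Bearer".
func authHeader(tokenType, token string) string {
	return tokenType + " " + token
}

// bearerToken extracts the token from an Authorization header per RFC 6750
// section 2.1: the scheme must be "Bearer" (compared case-insensitively),
// followed by a space and a non-empty token.
func bearerToken(header string) (string, error) {
	scheme, token, found := strings.Cut(header, " ")
	if !found || !strings.EqualFold(scheme, tokenTypeBearer) || token == "" {
		return "", errors.New("authorization header is not a Bearer token")
	}
	return token, nil
}

// userInfoHandler is a minimal /userinfo endpoint: only Bearer tokens are
// accepted; anything else receives 401 with a WWW-Authenticate: Bearer
// challenge (RFC 6750 section 3).
func userInfoHandler(w http.ResponseWriter, r *http.Request) {
	token, err := bearerToken(r.Header.Get("Authorization"))
	if err != nil || token != sampleAccessToken {
		w.Header().Set("WWW-Authenticate", `Bearer error="invalid_token"`)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"sub":"sample-user"}`)
}

// userInfoStatus issues GET /userinfo against the in-process handler using the
// given token type and returns the resulting HTTP status code.
func userInfoStatus(tokenType string) int {
	req := httptest.NewRequest(http.MethodGet, "/userinfo", nil)
	req.Header.Set("Authorization", authHeader(tokenType, sampleAccessToken))
	rec := httptest.NewRecorder()
	userInfoHandler(rec, req)
	return rec.Code
}

// compareTokenTypes returns the status for the pre-fix header (token-type URN
// used as the scheme) and for the post-fix header (Bearer).
func compareTokenTypes() (urnStatus, bearerStatus int) {
	return userInfoStatus(tokenTypeURN), userInfoStatus(tokenTypeBearer)
}

func main() {
	urn, bearer := compareTokenTypes()
	fmt.Printf("Authorization: %q -> HTTP %d\n", authHeader(tokenTypeURN, "<token>"), urn)
	fmt.Printf("Authorization: %q -> HTTP %d\n", authHeader(tokenTypeBearer, "<token>"), bearer)
}
```

The point to take from the run: the token itself is identical in both requests; the only difference is the scheme in front of it, and a spec-conformant userinfo endpoint rejects the URN form outright because it is not a Bearer credential.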
@nabokihms (Member) commented:

@MrDeerly thanks! It does make sense. Because there are no integration tests, I will test this PR manually. If everything is okay, I will bump the merge button.

@nabokihms nabokihms self-requested a review February 8, 2024 06:31
@nabokihms (Member) left a review comment:

Tested it and it works as expected, so, LGTM! Thank you for the fix.

@nabokihms nabokihms merged commit 79d5874 into dexidp:master Feb 9, 2024
9 of 10 checks passed
Linked issue closed by this pull request: Token Exchange uses wrong tokenType for /userinfo request