From 79d5874b3549bdad8c288ab42bcae065025fdb8e Mon Sep 17 00:00:00 2001
From: Chris <33393789+MrDeerly@users.noreply.github.com>
Date: Fri, 9 Feb 2024 10:27:23 +0100
Subject: [PATCH] fix(tokenExchange): use correct token type for userInfo requests (#3336)

Signed-off-by: Chris H <33393789+MrDeerly@users.noreply.github.com>
---
 connector/oidc/oidc.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index b125979b99..e948635442 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -433,7 +433,10 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 // We immediately want to run getUserInfo if configured before we validate the claims.
 // For token exchanges with access tokens, this is how we verify the token.
 if c.getUserInfo {
- userInfo, err := c.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
+ userInfo, err := c.provider.UserInfo(ctx, oauth2.StaticTokenSource(&oauth2.Token{
+ AccessToken: token.AccessToken,
+ TokenType: "Bearer", // The UserInfo endpoint requires a bearer token as per RFC6750
+ }))
 if err != nil {
 return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
 }
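Review bot: The new token literal dereferences `token` through `token.AccessToken`, so if any path into createIdentity can supply a nil token (its construction is outside this hunk), the call now panics here instead of failing with an error; a guard ahead of the literal such as `if token == nil || token.AccessToken == "" {` / `return identity, fmt.Errorf("oidc: missing access token for userinfo request")` / `}` would keep that a handled error and also stop an empty `Authorization: Bearer` header from reaching the provider. Overriding `TokenType` unconditionally also means a token the upstream issued with a non-bearer type is presented to the UserInfo endpoint as a plain bearer token; if that is the intended behaviour for every token-exchange path, the inline comment should say so, for example `// Force Bearer regardless of the issued token_type: the UserInfo endpoint expects RFC 6750 bearer auth.` The enclosing createIdentity function starts and ends outside the hunk.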