Preflight Checklist
Version
v3.47.1
Describe the problem caused by this bug
The OIDC login flow fails when a strict OIDC provider returns a lowercase OAuth token type when issuing a token (bearer), and the userinfo endpoint expects the capitalized Bearer authorization scheme. Instead of successfully fetching user info from the userinfo endpoint, the strict provider throws a 400 Bad Request caused by the RFC non-compliant (lower-case) authorization header:
userinfo failed: http status not ok: 400 Bad Request
This is caused by the direct reuse of the tokenType returned by the successful token request.
This is better described by Serge Gebhardt's article on the topic.
To reproduce
Hard to reproduce since the request is validated by the OIDC provider, and I don't have a list of providers which validate strictly the Authorization header they receive. I've only tested with Kinde, which cannot be used with zitadel/oidc for this reason.
Screenshots
No response
Expected behavior
This appears to be the same issue previously reported and fixed in golang.org/x/oauth2:
Original issue: golang/oauth2#113
Fix commit: golang/oauth2@36ff901
The library is expected to normalize the token type before sending it back to the provider. This fix seems to introduce relatively few side-effects. I'd be happy to open a PR if you think this is the right way to do it.
Additional Context
No response
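The normalization the reporter asks for, as an added example that is not code from the zitadel/oidc project or the reporter. It follows the behaviour of Token.Type() in golang.org/x/oauth2 (case-insensitive "bearer", "mac" and "basic" mapped to the canonical scheme names, empty treated as Bearer, anything else passed through) and pairs it with a constructed strict userinfo endpoint that, like the provider in the report, answers 400 when the scheme is not exactly "Bearer". The function names (NormalizeTokenType, AuthorizationHeader, FetchUserinfoStatus, strictUserinfoHandler), the sample token "tok-abc" and the server's responses are all assumptions made for the example; the handler is a stand-in, not Kinde's real implementation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NormalizeTokenType maps the token_type value from a token response onto the
// canonical scheme name a strict userinfo endpoint expects. It mirrors the
// behaviour of Token.Type() in golang.org/x/oauth2 (the fix referenced in the
// report): "bearer" in any case (or empty) becomes "Bearer", "mac" becomes
// "MAC", "basic" becomes "Basic"; any other value is passed through unchanged.
func NormalizeTokenType(tokenType string) string {
	switch strings.ToLower(strings.TrimSpace(tokenType)) {
	case "", "bearer":
		return "Bearer"
	case "mac":
		return "MAC"
	case "basic":
		return "Basic"
	}
	return tokenType
}

// AuthorizationHeader builds the Authorization header value from the token
// response's token_type and access_token, with the scheme normalized.
func AuthorizationHeader(tokenType, accessToken string) string {
	return NormalizeTokenType(tokenType) + " " + accessToken
}

// strictUserinfoHandler is a constructed stand-in for a provider that rejects
// any scheme other than the RFC 6750 "Bearer" spelling with 400 Bad Request.
func strictUserinfoHandler(expectedToken string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "invalid authorization scheme", http.StatusBadRequest)
			return
		}
		if strings.TrimPrefix(auth, "Bearer ") != expectedToken {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"sub":"user-123"}`)
	}
}

// FetchUserinfoStatus sends the userinfo request and returns the HTTP status.
// With normalize=false it reuses token_type verbatim, reproducing the bug in
// the report; with normalize=true it sends the normalized scheme.
func FetchUserinfoStatus(userinfoURL, tokenType, accessToken string, normalize bool) (int, error) {
	req, err := http.NewRequest(http.MethodGet, userinfoURL, nil)
	if err != nil {
		return 0, err
	}
	header := tokenType + " " + accessToken
	if normalize {
		header = AuthorizationHeader(tokenType, accessToken)
	}
	req.Header.Set("Authorization", header)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed scenario: the token endpoint returned token_type "bearer".
	srv := httptest.NewServer(strictUserinfoHandler("tok-abc"))
	defer srv.Close()
	for _, normalize := range []bool{false, true} {
		status, err := FetchUserinfoStatus(srv.URL, "bearer", "tok-abc", normalize)
		fmt.Printf("normalize=%v status=%d err=%v\n", normalize, status, err)
	}
}
```

Running it prints status 400 for the verbatim header and 200 once the scheme is normalized. Normalizing only the scheme and never the access token keeps the change narrow, which is why the x/oauth2 fix had few side effects: a token value is opaque and must be sent back unchanged, while the scheme name is defined by RFC 6750 as case-insensitive on receipt but conventionally capitalized on the wire.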