Description
Preflight Checklist
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for an issue that matches the one I want to file, without success.
- I am not looking for support or already pursued the available support channels without success.
Version
2.38.0
Storage Type
etcd
Installation Type
Official Helm chart
Expected Behavior
When performing a tokenExchange, Dex will reuse the tokenType set in subject_token_type for requesting the userInfo from the upstream IdP (https://github.com/dexidp/dex/blob/master/connector/oidc/oidc.go#L436).
This will lead to errors, as neither urn:ietf:params:oauth:token-type:access_token nor urn:ietf:params:oauth:token-type:id_token is a valid token type for the OIDC /userinfo endpoint as per RFC 6750.
Actual Behavior
Dex follows the OIDC spec and uses Bearer as the token type for /userinfo requests.
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo (5.3.1)
The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0 Bearer Token Usage [RFC6750].
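The following Go program is an added illustration of the point above; it is not Dex's code or part of this issue. It contrasts a /userinfo client that copies the RFC 8693 subject_token_type URN into the HTTP Authorization scheme with one that always sends the token with the Bearer scheme required by OpenID Connect Core 5.3.1 and RFC 6750, against a constructed stand-in for an upstream IdP's /userinfo endpoint that rejects any non-Bearer scheme. The server, the token values, and the function names are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RFC 8693 token-type URNs a token-exchange client may pass as subject_token_type.
const (
	TokenTypeAccessToken = "urn:ietf:params:oauth:token-type:access_token"
	TokenTypeIDToken     = "urn:ietf:params:oauth:token-type:id_token"
)

// userInfoAuthHeader builds the Authorization value for a /userinfo call.
// Per OpenID Connect Core 5.3.1 and RFC 6750 the scheme is always "Bearer";
// the subject_token_type URN only describes the token handed to the exchange
// endpoint and must never become the HTTP authorization scheme.
func userInfoAuthHeader(subjectTokenType, token string) (string, error) {
	switch subjectTokenType {
	case TokenTypeAccessToken, TokenTypeIDToken:
		return "Bearer " + token, nil
	default:
		return "", fmt.Errorf("unsupported subject_token_type %q", subjectTokenType)
	}
}

// buggyUserInfoAuthHeader reproduces the defect the report describes:
// the subject_token_type URN is reused verbatim as the authorization scheme.
func buggyUserInfoAuthHeader(subjectTokenType, token string) string {
	return subjectTokenType + " " + token
}

// newUserInfoServer is a constructed stand-in for an upstream IdP's /userinfo
// endpoint. It accepts only the Bearer scheme and answers 401 with a
// WWW-Authenticate challenge otherwise, as RFC 6750 section 3 prescribes.
func newUserInfoServer(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, tok, ok := strings.Cut(r.Header.Get("Authorization"), " ")
		if !ok || !strings.EqualFold(scheme, "Bearer") || tok != validToken {
			w.Header().Set("WWW-Authenticate", `Bearer error="invalid_token"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"sub":"example-user"}`)
	}))
}

// fetchUserInfo sends the /userinfo request with the given Authorization value
// and returns the HTTP status code the endpoint answered with.
func fetchUserInfo(userInfoURL, authHeader string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, userInfoURL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", authHeader)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	const token = "constructed-access-token" // constructed sample value
	srv := newUserInfoServer(token)
	defer srv.Close()
	for _, tt := range []string{TokenTypeAccessToken, TokenTypeIDToken} {
		hdr, _ := userInfoAuthHeader(tt, token)
		okStatus, _ := fetchUserInfo(srv.URL, hdr)
		badStatus, _ := fetchUserInfo(srv.URL, buggyUserInfoAuthHeader(tt, token))
		fmt.Printf("%s: Bearer scheme -> %d, URN as scheme -> %d\n", tt, okStatus, badStatus)
	}
}
```

Run as-is, both URNs yield 200 with the Bearer scheme and 401 when the URN is used as the scheme, which is the failure mode the report attributes to the upstream IdP call; a connector-level check that the Authorization header starts with "Bearer " is the simplest regression guard.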
Steps To Reproduce
No response
Additional Information
No response
Configuration
No response
Logs
No response