From 08d9f58d0debfa77e2d428ca8f2a46e6be3f7669 Mon Sep 17 00:00:00 2001
From: wgengarelly
Date: Tue, 26 Jul 2016 12:16:41 -0600
Subject: [PATCH] When requesting userinfo, send the access token using the Authorization header field as recommended in section 5.3.1 of the specs.
---
 includes/openid-connect-generic-client.php | 10 +++++++++-
 readme.md | 4 ++++
 readme.txt | 5 +++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/includes/openid-connect-generic-client.php b/includes/openid-connect-generic-client.php
index 50c0a0c..6fbda04 100644
--- a/includes/openid-connect-generic-client.php
+++ b/includes/openid-connect-generic-client.php
@@ -148,7 +148,15 @@ class OpenID_Connect_Generic_Client {
 // allow modifications to the request
 $request = apply_filters( 'openid-connect-generic-alter-request', array(), 'get-userinfo' );
- // attempt the request
+ // section 5.3.1 of the spec recommends sending the access token using the authorization header
+ // a filter may or may not have already added headers - make sure they exist then add the token
+ if ( !array_key_exists( 'headers', $request ) || !is_array( $request['headers'] ) ) {
+ $request['headers'] = array();
+ }
+
+ $request['headers']['Authorization'] = 'Bearer '.$access_token;
+
+ // attempt the request including the access token in the query string for backwards compatibility
 $response = wp_remote_get( $this->endpoint_userinfo . '?access_token=' . $access_token, $request );
 if ( is_wp_error( $response ) ){
diff --git a/readme.md b/readme.md
index 4dc538e..bacbfd6 100644
--- a/readme.md
+++ b/readme.md
@@ -33,6 +33,10 @@ Replace `example.com` with your domain name and path to WordPress.
 ### Changelog
+**3.0.7**
+* When requesting userinfo, send the access token using the Authorization header field as recommended in section 5.3.1 of the specs.
+
 **3.0.6**
 * If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials 
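Review bot: The bearer token is now transmitted twice — in the new `Authorization` header and still in the query string of the `wp_remote_get` URL on the unchanged context line — which RFC 6750 §2 forbids (a client MUST NOT use more than one method per request) and which keeps the token in web-server, proxy and CDN access logs, the very exposure the header form exists to avoid, so the commit does not yet deliver what its message claims. The line should become `$response = wp_remote_get( $this->endpoint_userinfo, $request );` with the "for backwards compatibility" comment dropped. If a provider that only reads `access_token` from the query string genuinely has to be supported, gate that form behind an opt-in filter defaulting to false rather than sending it unconditionally, and build it with `rawurlencode( $access_token )` since the current bare concatenation is unescaped. A note on the `Authorization` assignment that it deliberately overrides any header a `openid-connect-generic-alter-request` filter set would also help the next maintainer. The enclosing method starts and ends outside this hunk, and `$access_token` is presumably one of its parameters.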
diff --git a/readme.txt b/readme.txt
index 54acc01..f3ffac5 100644
--- a/readme.txt
+++ b/readme.txt
@@ -40,6 +40,11 @@ Replace `example.com` with your domain name and path to WordPress.
 == Changelog ==
+= 3.0.7 =
+
+* When requesting userinfo, send the access token using the Authorization header field as recommended in
+ section 5.3.1 of the specs.
+
 = 3.0.6 =
 * If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials