fix: comply with RFC6750 UserInfo endpoint requirements (#16592)

internal/config/identity/openid/providercfg.go

@@ -18,6 +18,7 @@
 package openid
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -108,23 +109,25 @@ func (p *providerCfg) GetRoleArn() string {
 // claims as part of the normal oauth2 flow, instead rely
 // on service providers making calls to IDP to fetch additional
 // claims available from the UserInfo endpoint
-func (p *providerCfg) UserInfo(accessToken string, transport http.RoundTripper) (map[string]interface{}, error) {
+func (p *providerCfg) UserInfo(ctx context.Context, accessToken string, transport http.RoundTripper) (map[string]interface{}, error) {
 	if p.JWKS.URL == nil || p.JWKS.URL.String() == "" {
 		return nil, errors.New("openid not configured")
 	}
-	client := &http.Client{
-		Transport: transport,
-	}
 
-	req, err := http.NewRequest(http.MethodPost, p.DiscoveryDoc.UserInfoEndpoint, nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.DiscoveryDoc.UserInfoEndpoint, nil)
 	if err != nil {
 		return nil, err
 	}
 
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	if accessToken != "" {
 		req.Header.Set("Authorization", "Bearer "+accessToken)
 	}
 
+	client := &http.Client{
+		Transport: transport,
+	}
+
 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
@@ -140,10 +143,8 @@ func (p *providerCfg) UserInfo(accessToken string, transport http.RoundTripper)
 		return nil, errors.New(resp.Status)
 	}
 
-	dec := json.NewDecoder(resp.Body)
 	claims := map[string]interface{}{}
-
-	if err = dec.Decode(&claims); err != nil {
+	if err = json.NewDecoder(resp.Body).Decode(&claims); err != nil {
 		// uncomment this for debugging when needed.
 		// reqBytes, _ := httputil.DumpRequest(req, false)
 		// fmt.Println(string(reqBytes))