In oidcclient token exchange request, pass client_id but don't bother with authorization header.

I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

pkg/oidcclient/login.go

@@ -338,11 +338,9 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
 		return nil, err
 	}
 
-	// Use the base access token to authenticate our request. This will populate the "authorization" header.
-	client := oauth2.NewClient(h.ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: baseToken.AccessToken.Token}))
-
 	// Form the HTTP POST request with the parameters specified by RFC8693.
 	reqBody := strings.NewReader(url.Values{
+		"client_id":            []string{h.clientID},
 		"grant_type":           []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
 		"audience":             []string{h.requestedAudience},
 		"subject_token":        []string{baseToken.AccessToken.Token},
@@ -356,7 +354,7 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 
 	// Perform the request.
-	resp, err := client.Do(req)
+	resp, err := h.httpClient.Do(req)
 	if err != nil {
 		return nil, err
 	}

pkg/oidcclient/login_test.go

@@ -152,6 +152,11 @@ func TestLogin(t *testing.T) {
 			}
 
 		case "urn:ietf:params:oauth:grant-type:token-exchange":
+			if r.Form.Get("client_id") != "test-client-id" {
+				http.Error(w, "bad client_id", http.StatusBadRequest)
+				return
+			}
+
 			switch r.Form.Get("audience") {
 			case "test-audience-produce-invalid-http-response":
 				http.Redirect(w, r, "%", http.StatusTemporaryRedirect)