From c0d57defce5d6d59ba8cc7ded020002b90530afd Mon Sep 17 00:00:00 2001
From: azush26
Date: Tue, 15 Sep 2020 23:04:57 +0900
Subject: [PATCH 1/2] Limit the max number of splitting

Kubernetes-commit: bf516ab99c3c2ce2b4ad6d0acaf122a4d216cc2d
---
 pkg/authentication/request/bearertoken/bearertoken.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/authentication/request/bearertoken/bearertoken.go b/pkg/authentication/request/bearertoken/bearertoken.go
index 2de796b72..292b4f57d 100644
--- a/pkg/authentication/request/bearertoken/bearertoken.go
+++ b/pkg/authentication/request/bearertoken/bearertoken.go
@@ -39,7 +39,7 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
 	if auth == "" {
 		return nil, false, nil
 	}
-	parts := strings.Split(auth, " ")
+	parts := strings.SplitN(auth, " ", 3)
 	if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {
 		return nil, false, nil
 	}

From df032850ea841aba50f98607e72487c77e5d814d Mon Sep 17 00:00:00 2001
From: azush26
Date: Sat, 19 Sep 2020 01:04:35 +0900
Subject: [PATCH 2/2] Add an unit test for requests including value after token

Kubernetes-commit: 367214dffdc070706011c6814cb2307749b0503f
---
 .../request/bearertoken/bearertoken_test.go | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pkg/authentication/request/bearertoken/bearertoken_test.go b/pkg/authentication/request/bearertoken/bearertoken_test.go
index b18bed9c5..5e982d557 100644
--- a/pkg/authentication/request/bearertoken/bearertoken_test.go
+++ b/pkg/authentication/request/bearertoken/bearertoken_test.go
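Review bot: The limit of 3 passed to `strings.SplitN` on the `parts :=` line deserves a comment, because a reader will reasonably ask why not 2: with 2 the token would swallow any trailing text, whereas 3 keeps `parts[1]` as the second space-delimited word exactly as the old `Split` did while bounding the slice to three entries for an attacker-controlled header stuffed with spaces. Suggested: `// SplitN(…, 3) bounds the slice for headers full of spaces; parts[1] is still the second word and any trailing text (parts[2]) is ignored, as before.` It is worth stating in that comment that `Bearer <token> <anything>` is therefore accepted silently while `Bearer  <token>` (two separators, empty `parts[1]`) is rejected even though RFC 7235 permits one or more SP between scheme and credentials — both pre-existing, not introduced here. On the next line, `strings.ToLower(parts[0]) != "bearer"` lowercases a copy of the scheme whenever it is not already lowercase; `!strings.EqualFold(parts[0], "bearer")` is the allocation-free equivalent with the same case-insensitive result. AuthenticateRequest continues outside the hunk, so the use of `parts[1]` is not visible here.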
@@ -42,6 +42,28 @@ func TestAuthenticateRequest(t *testing.T) {
 	}
 }
 
+func TestAuthenticateRequestIncludingValueAfterToken(t *testing.T) {
+	testCases := []struct {
+		Req *http.Request
+	}{
+		{Req: &http.Request{Header: http.Header{"Authorization": []string{"Bearer token a"}}}},
+		{Req: &http.Request{Header: http.Header{"Authorization": []string{"Bearer token a b c"}}}},
+		{Req: &http.Request{Header: http.Header{"Authorization": []string{"Bearer token a"}}}},
+	}
+	for i, testCase := range testCases {
+		auth := New(authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+			if token != "token" {
+				t.Errorf("unexpected token: %s", token)
+			}
+			return &authenticator.Response{User: &user.DefaultInfo{Name: "user"}}, true, nil
+		}))
+		resp, ok, err := auth.AuthenticateRequest(testCase.Req)
+		if !ok || resp == nil || err != nil {
+			t.Errorf("%d: expected valid user", i)
+		}
+	}
+}
+
 func TestAuthenticateRequestTokenInvalid(t *testing.T) {
 	auth := New(authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
 		return nil, false, nil
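Review bot: The third test case, `"Bearer token a"`, is a verbatim duplicate of the first, so only two distinct inputs are exercised; a different separator pattern was presumably intended. Replace it with a boundary the parser actually has to get right, e.g. `"Bearer token "` (trailing separator, empty `parts[2]`) or a header with a long tail of separators such as `"Bearer token" + strings.Repeat(" x", 1000)` if `strings` is imported in this test file, since that is the input the `SplitN` limit exists for. Note that these assertions cannot distinguish `Split` from `SplitN(…, 3)` — both yield the token `"token"` for every case here — so if the bounded allocation is the contract being fixed, a `testing.AllocsPerRun` check on `AuthenticateRequest` with that long header would pin it; as written the test is only a regression guard for the parsed token value. The `t.Errorf("%d: expected valid user", i)` message would also be more useful if it included the header, e.g. `t.Errorf("%d: expected valid user for %q", i, testCase.Req.Header.Get("Authorization"))`.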