2 files changed, 11 insertions, 2 deletions

diff --git a/changes/bug_use_token_for_eip b/changes/bug_use_token_for_eip
new file mode 100644
index 00000000..b10368ad
--- /dev/null
+++ b/changes/bug_use_token_for_eip
@@ -0,0 +1 @@
+- Properly send the token for querying the EIP certificate. Fixes #6060.
\ No newline at end of file
diff --git a/src/leap/bitmask/crypto/certs.py b/src/leap/bitmask/crypto/certs.py
index 244decfd..c3ca4efb 100644
--- a/src/leap/bitmask/crypto/certs.py
+++ b/src/leap/bitmask/crypto/certs.py
@@ -46,19 +46,27 @@ def download_client_cert(provider_config, path, session):
     # again.
     srp_auth = SRPAuth(provider_config)
     session_id = srp_auth.get_session_id()
+    token = srp_auth.get_token()
     cookies = None
-    if session_id:
+    if session_id is not None:
         cookies = {"_session_id": session_id}
     cert_uri = "%s/%s/cert" % (
         provider_config.get_api_uri(),
         provider_config.get_api_version())
     logger.debug('getting cert from uri: %s' % cert_uri)
 
+    headers = {}
+
+    # API v2 will only support token auth, but in v1 we can send both
+    if token is not None:
+        headers["Authorization"] = 'Token token="{0}"'.format(token)
+
     res = session.get(cert_uri,
                       verify=provider_config
                       .get_ca_cert_path(),
                       cookies=cookies,
-                      timeout=REQUEST_TIMEOUT)
+                      timeout=REQUEST_TIMEOUT,
+                      headers=headers)
     res.raise_for_status()
     client_cert = res.content