diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
index 2de796b7232..292b4f57d07 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
@@ -39,7 +39,7 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
 if auth == "" {
 return nil, false, nil
 }
- parts := strings.Split(auth, " ")
+ parts := strings.SplitN(auth, " ", 3)
 if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {
 return nil, false, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go
index b18bed9c596..5e982d5576f 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go
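Review bot: The limit `3` in `strings.SplitN(auth, " ", 3)` carries the whole meaning of this parse and has no comment: a limit of 2 would leave everything after the scheme in `parts[1]`, whereas 3 keeps `parts[1]` as the single field after the scheme and pushes any trailing text into an unused `parts[2]`. The Authorization header is caller-controlled, so the bound also caps how many fields one header can be split into, and that is worth recording so a later edit does not revert to `strings.Split`. I would add above the call `// Split into at most scheme, token and an ignored remainder; the header is untrusted, so bound the split.` Text after the token is accepted and dropped rather than rejected, which the test added in this commit pins; if that leniency is intentional it belongs in the same comment. The body of AuthenticateRequest continues past the hunk, so how `parts[1]` is consumed is not visible here.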
@@ -42,6 +42,28 @@ func TestAuthenticateRequest(t *testing.T) {
 }
 }
 
+func TestAuthenticateRequestIncludingValueAfterToken(t *testing.T) {
+ testCases := []struct {
+ Req *http.Request
+ }{
+ {Req: &http.Request{Header: http.Header{"Authorization": []string{"Bearer token a"}}}},
+ {Req: &http.Request{Header: http.Header{"Authorization": []string{"Bearer token a b c"}}}},
+ {Req: &http.Request{Header: http.Header{"Authorization": []string{"Bearer token a"}}}},
+ }
+ for i, testCase := range testCases {
+ auth := New(authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+ if token != "token" {
+ t.Errorf("unexpected token: %s", token)
+ }
+ return &authenticator.Response{User: &user.DefaultInfo{Name: "user"}}, true, nil
+ }))
+ resp, ok, err := auth.AuthenticateRequest(testCase.Req)
+ if !ok || resp == nil || err != nil {
+ t.Errorf("%d: expected valid user", i)
+ }
+ }
+}
+
 func TestAuthenticateRequestTokenInvalid(t *testing.T) {
 auth := New(authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
 return nil, false, nil
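Review bot: As shown here, the first and third entries of `testCases` carry the same header value, `Bearer token a`, so the third adds no coverage; if the original separates the fields with a run of spaces that this page has collapsed, a trailing comment such as `// several spaces before the trailing value` would keep the intent visible. Nothing in the visible hunk covers a header with two spaces directly after the scheme, where `SplitN` leaves `parts[1]` empty, and that rejection path is worth pinning in a negative test alongside the limit change. The failure message would also be easier to act on if it printed the results, e.g. `t.Errorf("%d: expected valid user, got ok=%v err=%v", i, ok, err)`.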