- changed status to invalid
URL Encoding in ClientSecretBasic
Issue #239
invalid
The method toHTTPAuthorizationHeader() in the class ClientSecretBasic doesn't need to URL-encode the client id and secret. If a secret has a char like '/', which would be URL-encoded as "%2F", the authorization header would have the wrong value.
Comments (1)
The URL encoding is required for basic auth in OAuth 2.0:
https://tools.ietf.org/html/rfc6749#section-2.3.1
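
The encoding that section describes, as an added example that is not part of the original thread and is not the SDK's own ClientSecretBasic code: each credential is form-urlencoded before the pair is joined with ':' and Base64-encoded, and the receiving side reverses the steps in the opposite order. The class name, method names and sample credentials are constructed for illustration; `URLEncoder.encode(String, Charset)` requires Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration of RFC 6749 section 2.3.1; hypothetical class, not SDK code.
public class BasicAuthEncodingDemo {

    // Client side: form-urlencode each credential, join with ':', then Base64.
    static String toHeader(String clientId, String secret) {
        String pair = URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + ":" + URLEncoder.encode(secret, StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: Base64-decode, split on the first ':', then URL-decode each part.
    static String[] parseHeader(String header) {
        if (!header.startsWith("Basic ")) {
            throw new IllegalArgumentException("Not a Basic authorization header");
        }
        String pair = new String(
                Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        int sep = pair.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("Missing ':' separator");
        }
        return new String[] {
            URLDecoder.decode(pair.substring(0, sep), StandardCharsets.UTF_8),
            URLDecoder.decode(pair.substring(sep + 1), StandardCharsets.UTF_8)
        };
    }

    public static void main(String[] args) {
        // Constructed sample credentials: the id contains ':', the secret '/', '+' and '%'.
        String clientId = "client:123";
        String secret = "s3cr/et+50%";

        String header = toHeader(clientId, secret);
        String[] parsed = parseHeader(header);

        System.out.println(header);
        // Round trip succeeds only because both sides apply the URL encoding step.
        System.out.println(parsed[0].equals(clientId) && parsed[1].equals(secret));
    }
}
```

Without the encoding step, the ':' in the sample client id would be taken as the separator and the credentials would be split in the wrong place; a server that skips the decoding step would compare the literal `%2F` form against the stored secret.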