- changed status to invalid
URL encoding of clientId / clientSecret in ClientSecretBasic
Related to issue #239
Hi,
In your implementation the clientId and -secret are URL-encoded before being Base64-encoded and sent as the request header for Basic auth. In our opinion this is a bug.
Please have a look at:
https://tools.ietf.org/html/rfc2617#page-5
The OAuth2 spec only means that it is URL-encoded when it is transmitted in the body:
https://tools.ietf.org/html/rfc6749#section-2.3.1
Example:
clientId:clientSecret: abc:Y[Zb9r4dVAq\Z,{J
Base64:                YWJjOllbWmI5cjRkVkFxXFose0o=
your lib:              abc:Y%5BZb9r4dVAq%5CZ%2C%7BJ
Base64:                YWJjOlklNUJaYjlyNGRWQXElNUNaJTJDJTdCSg==
--- your code, class ClientSecretBasic ---
public String toHTTPAuthorizationHeader() {
    StringBuilder sb = new StringBuilder();
    try {
        sb.append(URLEncoder.encode(this.getClientID().getValue(), UTF8_CHARSET.name()));
        sb.append(':');
        sb.append(URLEncoder.encode(this.getClientSecret().getValue(), UTF8_CHARSET.name()));
    } catch (UnsupportedEncodingException var2) {
        ;
    }
    return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET));
}
--- fix ---
public String toHTTPAuthorizationHeader() {
    StringBuilder sb = new StringBuilder();
    sb.append(this.getClientID().getValue());
    sb.append(':');
    sb.append(this.getClientSecret().getValue());
    return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET));
}
Comments (3)
Hello, in case it helps other people with this issue:
We are using the nimbusds and we had the same kind of disagreement with our authorization provider. We read the following RFC section: https://tools.ietf.org/html/rfc6749#section-2.3.1 It is clear to us that the client_id and the client_secret have to be URL-encoded.
Hi,
The OAuth spec follows RFC 2617 for basic auth, but requires the client_id and the client_secret to be URL-encoded beforehand in the Authorization header.
Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.
Notice also the "Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters..."
https://tools.ietf.org/html/rfc6749#section-2.3.1
This library was used to run certification tests against the OIDF program, and has passed all client_secret_basic tests.
If you're on the client side and working with a non-compliant OAuth 2.0 server, feel free to extend ClientAuthentication with your own client_secret_basic implementation.
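The two encodings argued about in this thread, carried through end to end as an added example; this is not code from the original issue or from the Nimbus library, and it is written in Python rather than Java. The sample credentials are the ones from the issue report, the function names are mine, and `urllib.parse.quote_plus` stands in for Java's `URLEncoder` (the two differ only on '*' and '~', which these credentials do not contain). The server-side parser shows why RFC 6749 section 2.3.1 adds the form-urlencoding step on top of RFC 2617 Basic: once ':' in a credential becomes %3A, splitting on the first ':' is unambiguous, and it also shows the exact mismatch that occurs when one side encodes and the other does not.

```python
import base64
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus

# Constructed sample credentials, taken from the issue's own example.
CLIENT_ID = "abc"
CLIENT_SECRET = "Y[Zb9r4dVAq\\Z,{J"  # one backslash in the actual secret


def form_urlencode(value: str) -> str:
    """application/x-www-form-urlencoded per RFC 6749 Appendix B.

    quote_plus() leaves A-Z a-z 0-9 and '_.-~' untouched and maps ' ' to '+'.
    Java's URLEncoder keeps '*' and encodes '~' instead, so the two agree
    for any value containing neither character (assumption for this demo).
    """
    return quote_plus(value, safe="")


def basic_header_rfc6749(client_id: str, client_secret: str) -> str:
    """client_secret_basic as RFC 6749 section 2.3.1 specifies it:
    form-urlencode each part, join with ':', Base64 the whole string.
    Because ':' itself becomes %3A, the separator is unambiguous even
    when a client_id or secret contains a colon."""
    userpass = f"{form_urlencode(client_id)}:{form_urlencode(client_secret)}"
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def basic_header_plain(client_id: str, client_secret: str) -> str:
    """What the issue's proposed fix produces: plain RFC 2617 Basic,
    no URL-encoding. RFC 2617 forbids ':' in the user-id for exactly
    the reason the parser below makes visible."""
    userpass = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def parse_basic_header(header: str, form_decode: bool = True) -> Tuple[str, str]:
    """Server side: undo the Base64, split on the FIRST ':' only, then
    (for an RFC 6749 compliant server) form-urldecode each part.
    form_decode=False models a server applying bare RFC 2617 semantics,
    i.e. the disagreement between client and server in this issue."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not an HTTP Basic credential")
    userpass = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, client_secret = userpass.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in Basic credential")
    if form_decode:
        return unquote_plus(client_id), unquote_plus(client_secret)
    return client_id, client_secret


def mismatch_cases() -> dict:
    """Collect the interop outcomes a practitioner would want to compare."""
    rfc = basic_header_rfc6749(CLIENT_ID, CLIENT_SECRET)
    plain = basic_header_plain(CLIENT_ID, CLIENT_SECRET)
    return {
        # compliant client + compliant server: round-trips
        "rfc_client_rfc_server": parse_basic_header(rfc),
        # compliant client + RFC 2617-only server: secret arrives %-escaped
        "rfc_client_plain_server": parse_basic_header(rfc, form_decode=False),
        # plain client + compliant server: unquote_plus() is the identity on a
        # value with no '%' or '+', so this secret happens to survive, but a
        # secret containing '+' or '%' would not
        "plain_client_rfc_server": parse_basic_header(plain),
        # a ':' in the client_id is only recoverable with the RFC 6749 encoding
        "colon_id_rfc": parse_basic_header(basic_header_rfc6749("a:b", "s")),
        "colon_id_plain": parse_basic_header(basic_header_plain("a:b", "s")),
    }


if __name__ == "__main__":
    print(basic_header_plain(CLIENT_ID, CLIENT_SECRET))
    print(basic_header_rfc6749(CLIENT_ID, CLIENT_SECRET))
    for name, parsed in mismatch_cases().items():
        print(f"{name}: {parsed!r}")
```

Running it reproduces both Authorization values quoted in the report, and the last two cases show the real difference: a server that only understands RFC 2617 receives the secret with its reserved characters still percent-escaped, while a client that skips the encoding step cannot send a client_id containing ':' at all.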