UrlEndoding of clientId/Clientsecret in ClientSecretBasic

public String toHTTPAuthorizationHeader() { StringBuilder sb = new StringBuilder(); try { sb.append(URLEncoder.encode(this.getClientID().getValue(), UTF8_CHARSET.name())); sb.append(':'); sb.append(URLEncoder.encode(this.getClientSecret().getValue(), UTF8_CHARSET.name())); } catch (UnsupportedEncodingException var2) { ; } return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET)); }

Comments (3)

Connect2id OSS

changed status to invalid

Hi,

The OAuth spec follows RFC 2617 for basic auth, but requires the client_id and the client_secret to be URL-encoded beforehand in the Authorization header.

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Notice also the "Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters..."

https://tools.ietf.org/html/rfc6749#section-2.3.1

This library was used to run certification tests against the OIDF program, and has passed all client_secret_basic tests.

If you're on client side, and working with a non-compliant OAuth 2.0 server, feel free to extend ClientAuthenticaton with your own client_secret_basic implementation.

2018-04-26T09:09:55+00:00

Connect2id OSS

https://static.javadoc.io/com.nimbusds/oauth2-oidc-sdk/5.57/com/nimbusds/oauth2/sdk/auth/ClientAuthentication.html

2018-04-26T09:11:36+00:00

Olivier Massol

Hello, In case it helps other people with this issue :

We are using the nimbusds and we had the same kind of disagreement with our authorization provider. We read the following rfc section. https://tools.ietf.org/html/rfc6749#section-2.3.1 It is clear for us that the client_id and the client_secret have to be url-encoded.

2019-02-26T10:24:58+00:00

Connect2id OSS
- changed status to invalid
Hi,

The OAuth spec follows RFC 2617 for basic auth, but requires the client_id and the client_secret to be URL-encoded beforehand in the Authorization header.

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.

Notice also the "Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters..."

https://tools.ietf.org/html/rfc6749#section-2.3.1

This library was used to run certification tests against the OIDF program, and has passed all client_secret_basic tests.

If you're on client side, and working with a non-compliant OAuth 2.0 server, feel free to extend ClientAuthenticaton with your own client_secret_basic implementation.
- 2018-04-26T09:09:55+00:00
Connect2id OSS
https://static.javadoc.io/com.nimbusds/oauth2-oidc-sdk/5.57/com/nimbusds/oauth2/sdk/auth/ClientAuthentication.html
- 2018-04-26T09:11:36+00:00
Olivier Massol
Hello, In case it helps other people with this issue :

We are using the nimbusds and we had the same kind of disagreement with our authorization provider. We read the following rfc section. https://tools.ietf.org/html/rfc6749#section-2.3.1 It is clear for us that the client_id and the client_secret have to be url-encoded.
- 2019-02-26T10:24:58+00:00
Log in to comment