- changed status to invalid
Specification Violation in basic authentication
The OAuth2 SDK is handling basic authentication erroneously.
The class ClientSecretBasic defines the following method:
    public String toHTTPAuthorizationHeader() {
        StringBuilder sb = new StringBuilder();
        try {
            // URL-encode the client ID and the client secret, joined with ':'
            sb.append(URLEncoder.encode(getClientID().getValue(), UTF8_CHARSET.name()));
            sb.append(':');
            sb.append(URLEncoder.encode(getClientSecret().getValue(), UTF8_CHARSET.name()));
        } catch (UnsupportedEncodingException e) {
            // UTF-8 should always be supported
        }
        // Base64 the "id:secret" string and prefix the Basic scheme
        return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET));
    }
You are URL-encoding the clientId and the clientSecret, which is not part of the specification! The specification says this (https://tools.ietf.org/html/rfc6749#section-2.3.1):
    The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password.
This has nothing to do with encoding the values with URL-encoding! "application/x-www-form-urlencoded" only defines that parameters are set in the following scheme:
    ${param1Name}=${param1Value}&${param2Name}=${param2Value}
The URL-encoding itself is for parameters sent within a URL and for nothing else.
So the OAuth2 spec definition only applies to cases where the parameters are sent within the POST body of the request and not within the "Authorization" header.
Comments (1)
Every now and then, since 2012, we get tickets on that :)
Check out the examples in the OAuth 2.0 spec:
https://tools.ietf.org/html/rfc6749#section-2.3.1
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/3456d718ca8d6a74582ae76d1139ffac42f6c937/src/test/java/com/nimbusds/oauth2/sdk/auth/ClientSecretBasicTest.java#lines-35
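The following is an added example, not code from the SDK or from either participant in this ticket. It shows in Python what the RFC 6749 section 2.3.1 text quoted above describes: each credential is first form-urlencoded (Appendix B), the two encoded values are joined with ':', and the result is base64-encoded into the Basic header; the server side reverses the steps. The encoder mirrors the alphabet of Java's URLEncoder (alphanumerics plus ".", "-", "*", "_" kept, space to "+", everything else %XX), since that is what the SDK method quoted above calls. The s6BhdRkqt3 / gX1fBat3bV pair is the example from the RFC; the credentials containing ':' and a space are constructed here to show why the encoding step matters. naive_basic_header is a hypothetical helper representing the un-encoded variant the ticket asks for.

```python
import base64
import string
from typing import Tuple

# Bytes that application/x-www-form-urlencoded leaves untouched. This is the
# alphabet Java's URLEncoder uses (alphanumerics plus ".", "-", "*", "_");
# space becomes "+", every other byte becomes %XX.
_UNRESERVED = frozenset((string.ascii_letters + string.digits + ".-*_").encode("ascii"))


def form_urlencode(value: str) -> str:
    """Encode per RFC 6749 Appendix B (application/x-www-form-urlencoded)."""
    out = []
    for b in value.encode("utf-8"):
        if b in _UNRESERVED:
            out.append(chr(b))
        elif b == 0x20:
            out.append("+")
        else:
            out.append("%%%02X" % b)
    return "".join(out)


def form_urldecode(value: str) -> str:
    """Inverse of form_urlencode; raises ValueError on malformed input."""
    data = value.encode("ascii")  # percent-encoded text must itself be ASCII
    raw = bytearray()
    i = 0
    while i < len(data):
        c = data[i]
        if c == 0x2B:  # '+'
            raw.append(0x20)
            i += 1
        elif c == 0x25:  # '%'
            hexpair = data[i + 1:i + 3].decode("ascii")
            if len(hexpair) != 2 or any(ch not in string.hexdigits for ch in hexpair):
                raise ValueError("malformed percent-escape at offset %d" % i)
            raw.append(int(hexpair, 16))
            i += 3
        else:
            raw.append(c)
            i += 1
    return raw.decode("utf-8")


def basic_header(client_id: str, client_secret: str) -> str:
    """Client side per RFC 6749 section 2.3.1: form-urlencode each value,
    join with ':', then base64 the result."""
    userinfo = form_urlencode(client_id) + ":" + form_urlencode(client_secret)
    return "Basic " + base64.b64encode(userinfo.encode("utf-8")).decode("ascii")


def naive_basic_header(client_id: str, client_secret: str) -> str:
    """Hypothetical un-encoded variant (what the ticket asks for): plain
    Basic auth with no form-encoding. Shown only to expose the ambiguity
    for secrets that contain ':'."""
    userinfo = client_id + ":" + client_secret
    return "Basic " + base64.b64encode(userinfo.encode("utf-8")).decode("ascii")


def parse_basic_header(header: str) -> Tuple[str, str]:
    """Server side: reverse basic_header. Split on the FIRST ':' (the user-id
    may not contain one), then form-urldecode each half."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    userinfo = base64.b64decode(token, validate=True).decode("utf-8")
    enc_id, sep, enc_secret = userinfo.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in Basic credential")
    return form_urldecode(enc_id), form_urldecode(enc_secret)


if __name__ == "__main__":
    # RFC 6749 section 2.3.1 example values: no reserved characters, so the
    # encoded and un-encoded headers are identical.
    print(basic_header("s6BhdRkqt3", "gX1fBat3bV"))
    # Constructed credentials containing ':' and ' ': only the form-encoded
    # header survives the server-side split on the first ':' unchanged.
    cid, secret = "client:one", "se cret:x"
    print(parse_basic_header(basic_header(cid, secret)))
    print(parse_basic_header(naive_basic_header(cid, secret)))
```

For credentials made only of unreserved characters (as in the RFC example) both headers are byte-for-byte the same, which is why the difference is rarely noticed; it surfaces as soon as a secret contains ':', '+', '%' or a space. The hand-written encoder is used instead of urllib.parse.quote_plus because the two alphabets differ slightly (quote_plus keeps "~" and encodes "*", Java's URLEncoder does the reverse), and a server must decode with the same rules the client encoded with.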