- changed status to invalid
ClientSecretBasic.java class second time decoding problem
Issue #362
invalid
Hi All,
We have realized an issue in the ClientSecretBasic.java class that on the line 156 and 157, client id and secret are decoded second time. According to [Rfc2611 Section 2] (https://datatracker.ietf.org/doc/html/rfc2617#section-2). After decoding the "base64-user-pass" there is no need to decode userid and password one more time. In below, I also put the steps which should be followed.
basic-credentials = base64-user-pass
base64-user-pass = <base64 [4] encoding of user-pass,
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
Comments (3)
-
-
Hi Yavor,
The section 2.31 gives a referal to the document that i indicated already rfc2617. I think there is misinterpreation because of the ambiguous of rfc6749 document. With the second encoding, it is implicitly stated that as a user, you can not create a password with “%“ character which happens to us now. does it make sense to you? Also section 2.3.1 gives info related with sending client_id and secret on form, in that case you should do a url encdoing, then suddenly jumps into http basic authorization part. That is the ambiquous part.
-
Hi Ersel,
Made a test for the % in the password, which shows the internals of the encoding: 73dd0e67
Would you be able to write a test to demonstrate the issue?
- Log in to comment
Hi,
This second encoding is required in OAuth 2.0:
https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1