ClientSecretBasic.java class second time decoding problem

Issue #362 invalid
Former user created an issue

Hi All,

We have realized an issue in the ClientSecretBasic.java class: on lines 156 and 157, the client id and secret are decoded a second time. According to [RFC 2617 Section 2](https://datatracker.ietf.org/doc/html/rfc2617#section-2), after decoding the "base64-user-pass" there is no need to decode the userid and password one more time. Below, I also put the steps which should be followed.

basic-credentials = base64-user-pass
base64-user-pass  = <base64 [4] encoding of user-pass,
user-pass   = userid ":" password
userid      = *<TEXT excluding ":">
password    = *TEXT

Comments (3)

  1. Ersel Bora

    Hi Yavor,

The section 2.3.1 gives a referral to the document that I indicated already, rfc2617. I think there is a misinterpretation because of the ambiguity of the rfc6749 document. With the second encoding, it is implicitly stated that as a user, you can not create a password with the “%“ character, which happens to us now. Does it make sense to you? Also, section 2.3.1 gives info related to sending client_id and secret on a form, in that case you should do a url encoding, then suddenly jumps into the http basic authorization part. That is the ambiguous part.

  2. Yavor Vasilev

    Hi Ersel,

    Made a test for the % in the password, which shows the internals of the encoding: 73dd0e67

    Would you be able to write a test to demonstrate the issue?
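The encoding pipeline the thread argues about, as an added illustration that is not the project's code or anyone's comment here: RFC 6749 §2.3.1 has the client form-urlencode client_id and client_secret before they are joined into RFC 2617 user-pass and base64-encoded, so the server must base64-decode once and then form-urldecode each half. The credentials are constructed samples; the "%41" in the secret shows why a client that skips the form-urlencoding step gets mis-parsed.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample credentials (hypothetical); the secret contains '%' and ':'.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "s3cret%41:x"


def form_urlencode(value: str) -> str:
    """application/x-www-form-urlencoded encoding of one value (RFC 6749 §2.3.1).
    Everything outside the unreserved set is percent-encoded and space becomes '+',
    so neither ':' nor a literal '%' survives into user-pass."""
    return quote(value, safe="").replace("%20", "+")


def form_urldecode(value: str) -> str:
    return unquote(value.replace("+", " "))


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side: form-urlencode each value, join with ':' (RFC 2617 user-pass), base64."""
    user_pass = f"{form_urlencode(client_id)}:{form_urlencode(client_secret)}"
    return "Basic " + base64.b64encode(user_pass.encode("ascii")).decode("ascii")


def parse_basic_header(header: str) -> tuple[str, str]:
    """Server side: base64-decode once, split on the first ':', then form-urldecode each part.
    The second decode is the one the issue questions; RFC 6749 §2.3.1 requires it because
    the client encoded the values before building user-pass."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not an HTTP Basic credential")
    user_pass = base64.b64decode(token, validate=True).decode("ascii")
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass lacks the ':' separator")
    return form_urldecode(userid), form_urldecode(password)


def round_trip(client_id: str, client_secret: str) -> tuple[str, str]:
    """RFC-conformant client against the double-decoding server: values survive intact."""
    return parse_basic_header(build_basic_header(client_id, client_secret))


def unencoded_client(client_id: str, client_secret: str) -> tuple[str, str]:
    """Client that skips form-urlencoding: the server's second decode then turns '%41' into 'A',
    which is the '%' breakage reported in the comments."""
    raw = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    return parse_basic_header("Basic " + raw)
```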
