
URL-decode client credentials in HTTP Basic auth, as described in the RFC #979

Open. Wants to merge 1 commit into main.
Conversation

@pjcdawkins commented Mar 17, 2020

https://tools.ietf.org/html/rfc6749#section-2.3.1

> Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password.

This affects client IDs and secrets that would differ from their URL-decoded form, i.e. those containing + or %.
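The encoding rule quoted above, worked through as an added example (Python, not the project's PHP and not code from this PR): a client builds the `Authorization: Basic` header by form-urlencoding the id and secret before base64, and the server reverses both steps before looking the client up. The registry, client id and secret are constructed sample values chosen to contain `+`, `%` and `:`, the characters whose meaning changes under form-urlencoding. The `legacy_basic_credentials` helper models a client that skips the encoding step, which is the compatibility concern raised below.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample registry: client_id -> client_secret. Both values contain
# characters ('+', '%', ':') whose form-urlencoded form differs from the raw one.
REGISTRY = {"app+one": "s3cr%t:v2"}


def encode_basic_credentials(client_id: str, client_secret: str) -> str:
    """Build the header the way RFC 6749 section 2.3.1 requires:
    form-urlencode id and secret first, then base64 'id:secret'."""
    user = quote_plus(client_id)    # '+' -> '%2B', ' ' -> '+', ':' -> '%3A'
    pw = quote_plus(client_secret)  # '%' -> '%25'
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def legacy_basic_credentials(client_id: str, client_secret: str) -> str:
    """What a client that skips the form-urlencoding step sends
    (hypothetical legacy behaviour used to show the compatibility break)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_credentials(header: str, url_decode: bool = True):
    """Parse 'Basic <base64>' into (client_id, client_secret), or None if malformed.
    url_decode=True applies the RFC 6749 decoding step; False is the old behaviour."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = raw.partition(":")  # the first colon separates the fields
    if not sep:
        return None
    if url_decode:
        return unquote_plus(user), unquote_plus(pw)
    return user, pw


def authenticate(header: str, registry: dict, url_decode: bool = True) -> bool:
    """Look the client up and compare secrets in constant time."""
    creds = decode_basic_credentials(header, url_decode)
    if creds is None:
        return False
    client_id, secret = creds
    expected = registry.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8"))


if __name__ == "__main__":
    rfc_header = encode_basic_credentials("app+one", "s3cr%t:v2")
    legacy_header = legacy_basic_credentials("app+one", "s3cr%t:v2")
    for name, hdr in (("RFC-encoded client", rfc_header), ("legacy client", legacy_header)):
        print(f"{name}: decode={authenticate(hdr, REGISTRY, True)} "
              f"no-decode={authenticate(hdr, REGISTRY, False)}")
```

Running it shows the two-by-two the discussion is about: the RFC-encoded header authenticates only when the server decodes, and the legacy header authenticates only when it does not, because decoding turns the raw `app+one` into `app one`. Clients whose id and secret contain no `+` or `%` produce the same header either way, which is why only those credentials are affected. Encoding the secret before base64 also keeps a `:` inside the secret from being confused with the field separator.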

@bshaffer (Owner)

This is a great change, but as it would break backwards compatibility we'll need to save this for the next major version.
