OpenAM
OPENAM-11360

OAuth2 ClientID and password URL decoded as per RFC-6749


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.0.4, 13.5.0, 14.1.0, 5.5.1, 6.0.0, 6.5.1, 6.5.2
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Labels:
    • Support Ticket IDs:


      The errata for the OAuth2 RFC (https://www.rfc-editor.org/errata_search.php?rfc=6749) clarify the client password encoding in RFC 6749 Section 2.3.1.

      The corrected text of the OAuth2 specification reads:

      Clients in possession of a client password MAY use the HTTP Basic
      authentication scheme as defined in [RFC2617] to authenticate with
      the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per
      Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the
      password. The url encoded values are then encoded as defined in
      [RFC2617]. The authorization server MUST support the HTTP Basic
      authentication scheme for authenticating clients that were issued a
      client password.

      It was not clear to some implementers that the intention is a two-step encoding: first the form-urlencoding of special characters, then the Base64 encoding of RFC 2617. Implementers thought RFC 6749 was in conflict with RFC 2617.

      To avoid interoperability issues, a new clarifying sentence is proposed:
      "The url encoded values are then encoded as defined in [RFC2617]."


      • Configure OAuth2 and send an HTTP Basic Authorization header in which the client password is URL encoded, for example the password "$$" sent as "%24%24" ("$" is %24 when URL encoded): Authorization: Basic base64(<clientid>:%24%24) instead of Authorization: Basic base64(<clientid>:$$).
      • According to the clarification in the specification this should work: after the Base64 decoding, the authorization server has to URL decode the client identifier and the client password before comparing them with the registered values.
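      The two-step encoding described above, as an added worked example (this is illustration code, not OpenAM code and not part of the original ticket). It builds the client credentials header the way the errata prescribe and then parses it on the authorization-server side both with and without the URL-decoding step, so the "%24%24" versus "$$" mismatch this ticket reports can be observed directly. The client id "my-client", the function names and the constructed headers are assumptions for illustration.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus


def form_urlencode(value: str) -> str:
    # RFC 6749 Appendix B: application/x-www-form-urlencoded. safe="" escapes
    # everything except unreserved characters, so ':' (the RFC 2617 separator)
    # becomes %3A, '$' becomes %24 and a space becomes '+'.
    return quote_plus(value, safe="")


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side, RFC 6749 2.3.1 plus errata: form-urlencode each value,
    join them with ':', then Base64 the result as in RFC 2617."""
    credentials = f"{form_urlencode(client_id)}:{form_urlencode(client_secret)}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def parse_basic_auth_header(header: str, url_decode: bool = True) -> tuple[str, str]:
    """Authorization-server side. url_decode=True follows the errata (Base64
    decode, then form-urldecode); url_decode=False models a server that only
    performs the RFC 2617 step, which is the behaviour this ticket reports."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not an HTTP Basic credential")
    try:
        decoded = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed Basic credential") from exc
    # RFC 2617: the user-id must not contain ':', so split on the first one.
    # The form-urlencoding step is what makes that safe for ids containing ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if url_decode:
        return unquote_plus(user), unquote_plus(password)
    return user, password


def client_authenticates(header: str, registered_id: str, registered_secret: str,
                         url_decode: bool = True) -> bool:
    """Compare the presented credentials with the registered ones; any parse
    failure is treated as an authentication failure."""
    try:
        client_id, secret = parse_basic_auth_header(header, url_decode)
    except ValueError:
        return False
    # Constant-time comparison on bytes so non-ASCII values are accepted too.
    return (hmac.compare_digest(client_id.encode("utf-8"), registered_id.encode("utf-8"))
            and hmac.compare_digest(secret.encode("utf-8"), registered_secret.encode("utf-8")))


if __name__ == "__main__":
    # Constructed test case from the ticket: registered password "$$".
    header = build_basic_auth_header("my-client", "$$")
    print(header)
    print("errata-conformant server:", client_authenticates(header, "my-client", "$$"))
    print("server without URL decoding:", client_authenticates(header, "my-client", "$$", url_decode=False))
```

      Running it shows the failure mode in the ticket: the header carries "my-client:%24%24", an errata-conformant server recovers "$$" and accepts the client, while a server that skips the form-urldecoding compares "%24%24" against "$$" and rejects it. The example also shows why the first encoding step exists at all: a ':' inside a client id is transported as "%3A", so the RFC 2617 split on the first ':' stays unambiguous, and because Appendix B turns spaces into '+', the server must use form decoding (unquote_plus) rather than plain percent-decoding.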





            • Assignee:
              chee-weng.chea C-Weng C