According to the errata for the OAuth2 RFC, https://www.rfc-editor.org/errata_search.php?rfc=6749 (errata for RFC 6749, added for clarification):
The errata of the OAuth2 specs say this:
Clients in possession of a client password MAY use the HTTP Basic
authentication scheme as defined in [RFC2617] to authenticate with
the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the
password. The url encoded values are then encoded as defined in
[RFC2617]. The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
It was not clear to some implementers that the intention is a 2-step encoding. First for special characters and second the 2617 base 64 encoding. Implementers thought 6749 was in conflict with 2617.
To avoid inter-op issues, a new clarifying sentence is proposed.
"The url encoded values are then encoded as defined in [RFC2617]."
- Configure OAuth2 and send a Basic Auth header with a URL-encoded client password, say "$$" (i.e. "$" becomes "%24" when URL-encoded), and check whether it works: Authorization: Basic <base64(<clientid>:%24%24)> instead of base64(<clientid>:$$).
- This should work according to the specs clarification.
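As an added illustration (not code from the errata or from any particular OAuth2 library), the two-step encoding in Python: form-urlencode each credential, then base64 the "user:password" pair as RFC 2617 does. A second parser that skips the URL-decode step shows the interop mismatch the errata addresses. Client id and secret values are constructed for the example.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def basic_credentials_to_wire(client_id: str, client_secret: str) -> str:
    """Step 1 (RFC 6749 Appendix B): application/x-www-form-urlencoded each
    value, so reserved characters such as '$' (%24) and ':' (%3A) are escaped
    and the later ':' split stays unambiguous."""
    return f"{quote_plus(client_id, safe='')}:{quote_plus(client_secret, safe='')}"


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Step 2 (RFC 2617): base64 the URL-encoded 'user:password' pair."""
    wire = basic_credentials_to_wire(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(wire).decode("ascii")


def _split_basic_header(header: str) -> tuple[str, str]:
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected HTTP Basic scheme")
    raw = base64.b64decode(token, validate=True).decode("ascii")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in Basic credentials")
    return user, password


def parse_basic_header(header: str) -> tuple[str, str]:
    """Server side per the errata: undo base64, then undo the URL encoding."""
    user, password = _split_basic_header(header)
    return unquote_plus(user), unquote_plus(password)


def parse_basic_header_naive(header: str) -> tuple[str, str]:
    """Server that only does RFC 2617 decoding (the reading the errata rules out):
    a secret of '$$' arrives as '%24%24' and the comparison fails."""
    return _split_basic_header(header)


if __name__ == "__main__":
    hdr = build_basic_header("myclient", "$$")  # constructed sample credentials
    print(hdr)                                   # Basic bXljbGllbnQ6JTI0JTI0
    print(parse_basic_header(hdr))               # ('myclient', '$$')
    print(parse_basic_header_naive(hdr))         # ('myclient', '%24%24')
```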