OPENAM-13609

Allow for URL encoded client id and secret in basic auth secured oauth endpoints


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.5.0
    • Component/s: None

      Description

      Bug description

      According to RFC 6749 section 2.3.1, the client id and secret should be URL-encoded (application/x-www-form-urlencoded) before they are used as the username and password of the HTTP Basic credentials. However, this results in an "invalid_client" response from OpenAM when the client id and/or secret contain URL-encoded characters.

      The SaaS team encountered this error when the client lib we're using was updated to URL-encode:

      https://github.com/panva/node-openid-client/commit/9cccdbe49d5673a3e9d0d2613e0ba4990d7938a3#diff-50cfa59973c04321b5da0c6da0fdf4feR846

      How to reproduce the issue

      1. Create an OAuth client with a secret that contains an equals sign ( = ).
      2. Create the authorization header by URL-encoding the id and secret (e.g. "=" becomes "%3D"), concatenating them with a colon ( : ), and then base64-encoding the resulting string.
      3. Use the encoded credentials to request an access token.

      Expected behaviour

      {
        "access_token": "<token>",
        "scope": "<scopes>",
        "token_type": "Bearer",
        "expires_in": 3599
      }

      Current behaviour

      {
        "error_description": "Client authentication failed",
        "error": "invalid_client"
      }
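The following is an added example, not OpenAM code and not the reporter's client library; it shows the RFC 6749 section 2.3.1 header construction from the reproduction steps, the server-side decoding that produces the reported "invalid_client" result (comparing the credentials without percent-decoding them), and the corrected decoding. The client id, secret and function names are constructed for the demonstration.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed registration used for the demonstration (not a real client).
CLIENT_ID = "saas-client"
CLIENT_SECRET = "abc123=="  # contains '=' and so must be sent as 'abc123%3D%3D'
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}


def build_basic_auth_header(client_id, client_secret):
    """Client side per RFC 6749 section 2.3.1: form-urlencode the id and the
    secret separately, join them with ':', then base64-encode for HTTP Basic."""
    credentials = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def split_basic_credentials(header):
    """Base64-decode a Basic header and split on the FIRST colon.
    Returns (user, password) still percent-encoded, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def _check(user, password):
    """Look up the client and compare the secret in constant time."""
    expected = REGISTERED_CLIENTS.get(user)
    if expected is None:
        return None
    # compare as bytes so non-ASCII secrets are accepted by compare_digest
    if hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return user
    return None


def authenticate_naive(header):
    """Behaviour reported in the ticket: the server compares the values exactly
    as they arrived, so 'abc123%3D%3D' never matches the stored 'abc123=='."""
    parts = split_basic_credentials(header)
    return None if parts is None else _check(*parts)


def authenticate_fixed(header):
    """Corrected flow: percent-decode each half AFTER base64-decoding and
    splitting, then compare. Splitting first is safe because an encoded
    secret can never contain a literal ':' (it arrives as %3A)."""
    parts = split_basic_credentials(header)
    if parts is None:
        return None
    return _check(unquote_plus(parts[0]), unquote_plus(parts[1]))


if __name__ == "__main__":
    header = build_basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    print(header)
    print("naive:", authenticate_naive(header))  # None -> invalid_client
    print("fixed:", authenticate_fixed(header))  # saas-client
```

One compatibility point to check before shipping such a fix: unquote_plus also turns a literal "+" into a space, so a legacy client that still sends its secret unencoded and has a "+" in it would start failing; a percent-only decoder (urllib.parse.unquote) keeps that client working but does not handle "+"-encoded spaces from compliant clients. Whichever is chosen, the decoding must happen after the base64 decode and the split on the first colon, never before.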

               People

               Assignee: michael.carter Michael Carter (Inactive)
               Reporter: jared.jensen Jared Jensen