OpenAM / OPENAM-13609

Allow for URL encoded client id and secret in basic auth secured oauth endpoints

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.5.0
    • Component/s: None
    • Labels:
    • Target Version/s:

      Description

      Bug description

      According to RFC6749 2.3.1, the client id and secret should be URL-encoded.  However, this results in an "invalid_client" response from OpenAM when the client id and/or secret contain URL-encoded characters.

      The SaaS team encountered this error when the client lib we're using was updated to URL-encode:

      https://github.com/panva/node-openid-client/commit/9cccdbe49d5673a3e9d0d2613e0ba4990d7938a3#diff-50cfa59973c04321b5da0c6da0fdf4feR846

      How to reproduce the issue

      1. Create an oauth client with a secret that contains an equals sign ( = ).
      2. Create the authorization header by url-encoding the id and secret (e.g. "=" becomes "%3D"), concatenating with a colon ( : ), and then base64-encoding the resulting string.
      3. Use the encoded credentials to request an access token.
      Expected behaviour

      {
        "access_token": "<token>",
        "scope": "<scopes>",
        "token_type": "Bearer",
        "expires_in": 3599
      }

      Current behaviour

      {
        "error_description": "Client authentication failed",
        "error": "invalid_client"
      }
      

              People

              • Assignee: Michael Carter (michael.carter)
              • Reporter: Jared Jensen (jared.jensen)