-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ClientSecretBasic should not url encode credentials before encoding in base64 #754
Comments
Indeed, the RFC 7617/RFC5234/RFC7613 place a few minor restrictions on the valid password and user strings, but those are mostly harmless (no CTL chars %x00-1F / %x7F and no : in the username and some ASCII compatibility or unicode NFC normalization. (Edit: No, this ignores the explicity mention in RFC 6749) |
I have added the pull request #755 |
Looking at the commit message message that introduced that, I think that the I am not entirely sure on this one. |
I think the commit message is a little misleading. When passing the client_secret via HTTP Basic Auth in the header, the quote_plus is probably wrong. BUT the OAuth2/OpenID connect spec also optionally allows to pass the client secret/id in the body of the request. And that usecase obviously needs the form encoding. (RFC 6749 2.3.1 or OpenID connect section 9) like all parameters in the body of the request. On the other hand, the client_id/user is more restricted than Basic Auth allows, due to the various usecases where the client ID is passed via URL parameters, but the secret is not. (Edit: This is wrong) |
Ok, misread the spec there. RFC 6749 explicitly mentions the urlencoding in 2.3.1, but HTTP Basic Auth RFC 7617 is less strict.
|
In rfc2617 page 6, the example contains a space character that would be "+" if it had been url-encoded. The base64 shows that the password is not url_encoded first. RFC 6749 refers to RFC 2617. If the user agent wishes to send the userid "Aladdin" and password
|
Using requests_oauthlib I can retrieve my token using basic auth. They do not "quote_plus" the username and password but encode it in "latin1" before encoding it in base64: and msal from microsoft: |
I agree with you, that it is a common bug in the wild to not follow RFC6749 and skip the URL encoding of client_id/password. So the current behaviour is actually correct and standards compliant. Not a bug. You can see that it is a common bug in in-the-wild implementations. If you google a bit for "OAuth2 basic authorization encoding of password" you'll find a few instances of the bug and confusal. @tpazderka |
OK, I do agree with a kwarg that would allow to skip the quoting. The default should be the same as now. |
…sic-remove-quote_plus' into hotfix/CZ-NIC#754-ClientSecretBasic-remove-quote_plus # Conflicts: # src/oic/utils/authn/client.py # tests/test_client.py
…asic-remove-quote_plus' into oauth-fix
Bug in the ClientSecretBasic.
My request was working when using PostMan but not when using this library. I then realized that the Authorization header was not the same between the two requests. My client secret had non-friendly url characters.
https://github.com/rohe/pyoidc/blob/75275e90457ed7eec71ae383e38f5e43995981c2/src/oic/utils/authn/client.py#L125
The text was updated successfully, but these errors were encountered: