Authorization header for uaa needs oauth2 encoding now #1002
Labels
Comments
dmikusa
added
enhancement
|
Acknowledged. We haven't seen any other issues reported from this or failures in CI, but I suspect that would only happen if there were characters in the username/password that require being urlencoded. Until this is fixed, if someone hits an issue you should be able to workaround by using a user/pass that does not change when being urlencoded (i.e. no characters need to be encoded). |
|
ok almost done in UAA , and even in spring 5.6 this now is default spring-projects/spring-security#9791 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
UAA changes now to standard oauth encoding:
The RFC for OAuth requires an URL encode in authorization header, see
https://tools.ietf.org/html/rfc6749#section-2.3
The authorization header needs to be
Authorization: Basic base64Encode(urlencode(client_id):urlencode(client_secret))
UAAC does not encode the authorization header. (client)
UAA does not decode the authorization header (server)
Thus this issue does popup in uaac before, however uaac should behave standard conform.
see
https://github.com/cloudfoundry/cf-java-client/blob/master/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java#L185-L187
This will come with UAA-RELEASE 74.0.0, see
https://www.pivotaltracker.com/n/projects/997278/stories/166970393
UAA clients need to be adapted, therefore this issue
Another example:
cloudfoundry/cf-uaac#50
The text was updated successfully, but these errors were encountered: