ArchGPT / insomnium

Insomnium is a fast, privacy-focused, 100% local API testing tool for GraphQL, REST, WebSockets and gRPC. It is a fork of Kong/insomnia.
MIT License

OAuth 2.0 Client Credentials flow does not encode client secret #137

Open paulius-valiunas opened 5 months ago

paulius-valiunas commented 5 months ago

Expected Behavior

As described in RFC6749, both the client id and client secret values should be:

encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B

Insomnium should either encode them automatically, or at least provide a button in the UI to do it manually so I don't have to use external tools.

Actual Behavior

Insomnium skips the URL encoding step and concatenates these values exactly as they are in the UI text fields.

Reproduction Steps

No response

Additional Information

This change is needed only when sending credentials as a basic auth header. If they're sent in the request body, encoding is not required (see the RFC) and the current behavior works fine. However, that is not the recommended approach.

Insomnium Version

0.2.3-a

What operating system are you using?

Windows

Operating System Version

Windows 11 version 23H2

Installation method

winget

Last Known Working Insomnium version

No response

archywillhe commented 4 months ago

hey, thanks; do you know what the status is on this at Kong/Insomnia? It doesn't look like they follow the proposed standard either, and this appears to break many existing configs users had

paulius-valiunas commented 4 months ago

Yeah, I'm pretty sure they have the same problem. Do you think we should offer the user a choice of whether to encode the credentials or not? If you want me to update my PR with that, I'll need some help with the UI for this, because I'm like a 100% backend developer 😅 but a simple checkbox might work.

On the other hand, sometimes you have to re-break what's broken to fix it. It's up to you.