bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

URL-decode client credentials in HTTP Basic auth, as described in the RFC #979

Open pjcdawkins opened 4 years ago

pjcdawkins commented 4 years ago

https://tools.ietf.org/html/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password.

This affects client IDs and secrets that would differ from their URL-decoded form, i.e. those containing + or %.
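The decoding step the RFC requires, as an added illustration (this is not code from oauth2-server-php or from the PR); the function name and the sample credentials are constructed for the example:

```php
<?php
// Parse an HTTP Basic Authorization header into [client_id, client_secret],
// applying application/x-www-form-urlencoded decoding to both parts as
// RFC 6749 section 2.3.1 requires. Returns null on a malformed header.
function parseBasicClientCredentials(string $authorizationHeader): ?array
{
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($authorizationHeader), $m)) {
        return null;
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: RFC 2617 forbids ':' in the user-id,
    // but the encoded password may legitimately contain one.
    [$encodedId, $encodedSecret] = explode(':', $decoded, 2);

    // x-www-form-urlencoded decoding: '+' becomes a space, %XX is decoded.
    // Skipping this step (the pre-change behaviour) only goes unnoticed for
    // identifiers that contain neither '+' nor '%'.
    return [urldecode($encodedId), urldecode($encodedSecret)];
}

// Constructed sample: a client whose id is "my+client" and whose secret is
// "p%ss:word" encodes them as "my%2Bclient" and "p%25ss%3Aword" before base64.
$header = 'Basic ' . base64_encode('my%2Bclient:p%25ss%3Aword');

[$clientId, $clientSecret] = parseBasicClientCredentials($header);
var_dump($clientId === 'my+client');        // bool(true)
var_dump($clientSecret === 'p%ss:word');    // bool(true)

// Without decoding, the same header yields values that will never match the
// stored credentials, which is the breakage the PR description points at.
$raw = explode(':', base64_decode(substr($header, 6), true), 2);
var_dump($raw[0] === 'my+client');          // bool(false)
```

Stored secrets should then be compared against the decoded value with a constant-time comparison such as `hash_equals()`.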

bshaffer commented 4 years ago

This is a great change, but as it would break backwards compatibility, we'll need to save this for the next major version.