Authorization header for uaa needs oauth2 encoding now

[strehle]

UAA changes now to standard oauth encoding: The RFC for OAuth requires an URL encode in authorization header, see https://tools.ietf.org/html/rfc6749#section-2.3

The authorization header needs to be Authorization: Basic base64Encode(urlencode(client_id):urlencode(client_secret))

UAAC does not encode the authorization header. (client) UAA does not decode the authorization header (server) Thus this issue does popup in uaac before, however uaac should behave standard conform.

see https://github.com/cloudfoundry/cf-java-client/blob/master/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java#L185-L187

This will come with UAA-RELEASE 74.0.0, see https://www.pivotaltracker.com/n/projects/997278/stories/166970393

UAA clients need to be adapted, therefore this issue

Another example: https://github.com/cloudfoundry/cf-uaac/issues/50

[dmikusa]

Acknowledged.

We haven't seen any other issues reported from this or failures in CI, but I suspect that would only happen if there were characters in the username/password that require being urlencoded. Until this is fixed, if someone hits an issue you should be able to workaround by using a user/pass that does not change when being urlencoded (i.e. no characters need to be encoded).

[strehle]

ok almost done in UAA , and even in spring 5.6 this now is default https://github.com/spring-projects/spring-security/pull/9791 so you should also change the default