When using `ClientBasicHandler`, the handler returns the raw values from `r.BasicAuth`, but these values should be unescaped using `url.QueryUnescape` before being returned. As stated by RFC 6749#section-2.3.1:

> The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password.

This makes the server not compatible with OAuth2 clients enforcing the RFC when using basic auth.

`golang.org/x/oauth2`, for example, is not working properly when using basic auth with this server implementation because the Client ID and Client secret are `url.QueryEscaped` before being sent (source).

The following could fix the problem and should also work for non-compliant clients:
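
Added example, not code from the issue or from the server project: it contrasts reading `r.BasicAuth` raw with form-decoding both values as RFC 6749 section 2.3.1 describes, for a client that escapes its credentials and one that does not. The helper names `rawBasic`, `unescapedBasic` and `tokenRequest`, the credentials and the `as.example` URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// rawBasic mirrors the behaviour the issue describes: no decoding at all.
func rawBasic(r *http.Request) (id, secret string, ok bool) {
	return r.BasicAuth()
}

// unescapedBasic (hypothetical helper) form-decodes both values and keeps
// the raw value when it is not valid form encoding.
func unescapedBasic(r *http.Request) (id, secret string, ok bool) {
	if id, secret, ok = r.BasicAuth(); !ok {
		return "", "", false
	}
	if v, err := url.QueryUnescape(id); err == nil {
		id = v
	}
	if v, err := url.QueryUnescape(secret); err == nil {
		secret = v
	}
	return id, secret, true
}

// tokenRequest builds a token request; a compliant client escapes the
// credentials before Basic encoding, as golang.org/x/oauth2 does.
func tokenRequest(id, secret string, compliant bool) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://as.example/token", nil)
	if compliant {
		id, secret = url.QueryEscape(id), url.QueryEscape(secret)
	}
	r.SetBasicAuth(id, secret)
	return r
}

func main() {
	// Constructed credentials containing characters that escaping changes.
	for _, compliant := range []bool{true, false} {
		r := tokenRequest("app/1", "p@ss w+rd", compliant)
		_, rawSecret, _ := rawBasic(r)
		_, decSecret, _ := unescapedBasic(r)
		fmt.Printf("compliant=%v raw=%q unescaped=%q\n", compliant, rawSecret, decSecret)
	}
}
```

When the client does not escape and its secret contains a literal `+` or a valid `%XX` sequence, decoding alters the value, so a server that unescapes may also need to compare the raw value against the stored secret.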