omniauth / omniauth_openid_connect

MIT License

Gitlab client_auth_method basic, secret is url encoded #116

Open ap-wtioit opened 2 years ago

ap-wtioit commented 2 years ago

When I tried to set up the omniauth openid_connect in our gitlab instance with client_auth_method basic, the secret was sent URL-encoded to the server.

e.g.

...
{
  name: "openid_connect",
  ...
  args: {
    ...
    client_auth_method: "basic",
    ...
    client_options: {
      identifier: "our_id",
      secret: "our_p+a+s/s/w+o+r+d"
      ...
    },
    ...
  }
}
...

would send the following authorization header to the server: Basic b3VyX2lkOm91cl9wJTJCYSUyQnMlMkZzJTJGdyUyQm8lMkJyJTJCZA==

which gives us our_id:our_p%2Ba%2Bs%2Fs%2Fw%2Bo%2Br%2Bd instead of our_id:our_p+a+s/s/w+o+r+d

thezzisu commented 5 days ago

Changing client_auth_method to basic_without_www_form_urlencode may help.
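The two header forms discussed in this issue, as an added Ruby example that is not part of omniauth_openid_connect or of either comment above. Background for the difference: RFC 6749 section 2.3.1 says the client id and secret are form-urlencoded before being Base64-encoded into the Basic header, which is the behaviour the reporter observed, while many providers only accept the plain RFC 7617 form. The credentials below reuse the constructed values from the report; the helper names (`basic_header_form_urlencoded`, `basic_header_plain`, `inspect_basic_header`, `credentials_match?`) are hypothetical and only illustrate how a client builds, and a server can tolerate, both variants.

```ruby
require "base64"
require "uri"

# Constructed sample credentials, taken from the values quoted in the issue.
CLIENT_ID = "our_id"
CLIENT_SECRET = "our_p+a+s/s/w+o+r+d"

# RFC 6749 section 2.3.1 variant: form-urlencode id and secret, then Base64.
# This reproduces the header the reporter saw with client_auth_method "basic".
def basic_header_form_urlencoded(id, secret)
  pair = "#{URI.encode_www_form_component(id)}:#{URI.encode_www_form_component(secret)}"
  "Basic " + Base64.strict_encode64(pair)
end

# Plain RFC 7617 variant: raw id:secret, no percent-encoding
# (what basic_without_www_form_urlencode is meant to produce).
def basic_header_plain(id, secret)
  "Basic " + Base64.strict_encode64("#{id}:#{secret}")
end

# Decode an Authorization header and report which encoding it appears to use.
# Useful when debugging a token endpoint rejection: look at what actually
# went over the wire instead of guessing from the client config.
def inspect_basic_header(header)
  raise ArgumentError, "not a Basic header" unless header.start_with?("Basic ")
  decoded = Base64.strict_decode64(header.delete_prefix("Basic "))
  id, secret = decoded.split(":", 2) # limit 2: a secret may itself contain ':'
  {
    id: id,
    secret: secret,
    looks_form_encoded: secret.match?(/%[0-9A-Fa-f]{2}/)
  }
end

# Constant-time byte comparison so secret checks do not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check that accepts either encoding of the same credentials,
# so a client using either client_auth_method value interoperates.
def credentials_match?(header, expected_id, expected_secret)
  sent = inspect_basic_header(header)
  plain = constant_time_equal?(sent[:id], expected_id) &
          constant_time_equal?(sent[:secret], expected_secret)
  form = constant_time_equal?(sent[:id], URI.encode_www_form_component(expected_id)) &
         constant_time_equal?(sent[:secret], URI.encode_www_form_component(expected_secret))
  plain || form
end

if __FILE__ == $PROGRAM_NAME
  [basic_header_form_urlencoded(CLIENT_ID, CLIENT_SECRET),
   basic_header_plain(CLIENT_ID, CLIENT_SECRET)].each do |h|
    puts h
    p inspect_basic_header(h)
    puts "accepted: #{credentials_match?(h, CLIENT_ID, CLIENT_SECRET)}"
  end
end
```

Running the script prints the form-urlencoded header exactly as quoted in the report, followed by the plain one, and shows that the tolerant check accepts both. On the provider side, accepting both encodings at the token endpoint is the pragmatic way to stop clients failing on secrets that contain `+`, `/` or other reserved characters.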