usebruno / bruno

Opensource IDE For Exploring and Testing Api's (lightweight alternative to postman/insomnia)
https://www.usebruno.com/
MIT License
27.77k stars 1.28k forks source link

Client Certificates not used on Auth when getting Access Token #3342

Open PeterSimonis opened 1 month ago

PeterSimonis commented 1 month ago

I have checked the following:

Describe the bug

When requesting an OAuth 2.0 Client Credentials token on an Access Token URL which requires mTLS, the Client Certificates added to the collection are not used.

The UI displays ✅ Request made successfully, even when the response is not a valid token response. In our case, it's a HTML page containing a Cloudflare error.

Writing a POST request using the client_id, client_secret, grant_type and scope in the body (Content-Type application/x-www-form-urlencoded) and providing Basic authorization in the Authorization header however, does take these Client Certificates into account. This then results in successful retrieval of a token.

.bru file to reproduce the bug

This .bru file demonstrates the request to successfully retrieve a token through a POST request. client_secret has been obfuscated

meta {
  name: Token
  type: http
  seq: 2
}

post {
  url: https://auth.test-datakluis.shared.topicuszorg.nl/oauth2/token
  body: formUrlEncoded
  auth: none
}

headers {
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic YnVyZ2VycG9ydGFsZW4tdGVzdC1jbGllbnQtY3JlZGVudGlhbHM6aW5zZXJ0X2NsaWVudF9pZF9oZXJl
}

body:form-urlencoded {
  grant_type: client_credentials
  scope: openid
  client_id: viplive
  client_secret: insert_client_id_here
}

Screenshots/Live demo link

[screenshot: Client Credentials setup]

Result of Get Access Token from https://auth.test-datakluis.shared.topicuszorg.nl/oauth2/token: [screenshot]

helloanoop commented 1 month ago

Thanks for reporting this @PeterSimonis !

We’ll look into it and follow up with you soon.