This repository has been archived by the owner on Jul 19, 2024. It is now read-only.

OAuth 2.0 Client Credentials flow does not encode client secret #137

Open
1 task done
paulius-valiunas opened this issue Jan 18, 2024 · 2 comments · May be fixed by #140

Comments

@paulius-valiunas

paulius-valiunas commented Jan 18, 2024

Expected Behavior

As described in RFC6749, both the client id and client secret values should be:

encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B

Insomnium should either encode them automatically, or at least provide a button in the UI to do it manually so I don't have to use external tools.

Actual Behavior

Insomnium skips the URL encoding step and concatenates these values exactly as they are in the UI text fields.

Reproduction Steps

No response

Is there an existing issue for this?

Additional Information

This change is needed only when sending credentials as basic auth header. If they're sent in the request body, encoding is not required (see RFC) and current behavior works fine. However, that is not the recommended approach.

Insomnium Version

0.2.3-a

What operating system are you using?

Windows

Operating System Version

Windows 11 version 23H2

Installation method

winget

Last Known Working Insomnium version

No response

@paulius-valiunas paulius-valiunas linked a pull request Jan 24, 2024 that will close this issue
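The difference the issue describes, as an added example that is not part of the original post or of Insomnium's code: one helper builds the Basic header by concatenating the values as-is, the other form-encodes each value first, and both headers are then parsed the way a token endpoint following RFC 6749 would. All function names and credential values are constructed for illustration, and Node.js `Buffer` is assumed for base64.

```javascript
// Added example: OAuth 2.0 client authentication via HTTP Basic, raw vs. encoded.
// Function names and sample credentials are constructed, not taken from Insomnium.

// application/x-www-form-urlencoded encoding of one value (UTF-8, space -> "+").
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2); // drop "v="
}

function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Behaviour reported in the issue: join the UI field values unchanged.
function basicHeaderRaw(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
}

// Behaviour the issue asks for: form-encode each value, join with ":", base64.
function basicHeaderEncoded(clientId, clientSecret) {
  const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Assumed server side: split on the first ":", then form-decode both halves.
function parseBasicHeader(header) {
  const pair = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const sep = pair.indexOf(':');
  return {
    clientId: formDecode(pair.slice(0, sep)),
    clientSecret: formDecode(pair.slice(sep + 1)),
  };
}

const clientId = 'billing:svc';      // constructed sample containing ":"
const clientSecret = 'p%40ss+w/rd';  // constructed sample containing "%", "+", "/"

// Raw header: the server recovers different credentials than were configured.
console.log(parseBasicHeader(basicHeaderRaw(clientId, clientSecret)));
// Encoded header: both values round-trip exactly.
console.log(parseBasicHeader(basicHeaderEncoded(clientId, clientSecret)));
```

Credentials made only of ASCII letters and digits are unchanged by `formEncode`, so both helpers produce the same header for them.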
@archywillhe
Member

hey thanks; do you know what's the status at Kong/Insomnium's on this? Doesn't look like they follow the proposed standard too and this appears to break many existing configs users had

@paulius-valiunas
Author

paulius-valiunas commented Feb 14, 2024

Yeah I'm pretty sure they have the same problem. Do you think we should offer the user a choice whether to encode the credentials or not? If you want me to update my PR with that, I'll need some help with the UI for this, because I'm like a 100% backend developer 😅 but a simple checkbox might work.

On the other hand, sometimes you have to re-break what's broken to fix it. It's up to you.
