New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 client_credentials authentication does not seem to be RFC6749 compliant #5909
Comments
@lolleko Thank you for bringing this to our attention. How are you generating the client_id and secret. Could you please share the doc you're referencing? I ask because when I create an OAuth client via our Tyk dashboard, I'm not seeing the special character '$@' included in the client ID and secret. Regards |
Hey Marvin, Thanks for getting back to me. This issue occurs not only for '$@', but for all characters that need to be urlenencoded (https://docs.microfocus.com/OMi/10.62/Content/OMi/ExtGuide/ExtApps/URL_encoding.htm) So something like |
Ahhh and regarding the referenced docs, I think I put all the relevant references in the Issue description, which one are you missing? |
Branch/Environment/Version
Describe the bug
Failing to authenticate via client_credentials Because
client_id
&client_secret
do not seem to be urlendecoded after base64 decoding.Reproduction steps
oauth/token
endpoint via curl:Actual behavior
No token is returned :(
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}
Expected behavior
A token should be returned.
Additional context
In fact, a token is returned if we omit step 2 from the reproduction steps.
Header encoded directly in base64 (skipping urlencode)
Authorization: Basic JHM2QmhkUmtxdDNAOiQ3RmpmcDBaQnIxS3REUmJuZlZkbUl3QA
Passing this token using the curl command from step 5 will return a token.
If I understand RFC6749 correctly urlencoding
id
andsecret
is required when using the authorization header.This is also how it is implemented in the
x/oauth2
pkg: https://github.com/golang/oauth2/blob/master/internal/token.go#L199In fact, if I remove the
url.QueryEscape
from that file, I am also able to authenticate with tyk usingx/oauth2
So I think tyk or whatever pkg you are using for oauth2 (osin?) should also follow this behaviour to be RFC6749 compliant. Therefore, first decode the base64 header, second split at the colon, third urlendecode.
The text was updated successfully, but these errors were encountered: