By: David Avendasora user 21 Dec 2017 at 3:07 p.m. CST

2 Responses
I am using Spring Boot 2.0 with Spring Security 5.0 and I am running into the problem described here: https://github.com/GluuFederation/oxAuth/issues/677

Spring Security **now** uses the following code to URL-encode the username (client-id) and password (client-secret) prior to base64-encoding them.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
// Base64 and the UTF8_CHARSET field are members of the enclosing class this method belongs to.

/**
 * Returns the HTTP Authorization header representation of this client
 * secret basic authentication.
 *
 * <p>Note that OAuth 2.0 (RFC 6749, section 2.3.1) requires the client
 * ID and secret to be {@code application/x-www-form-urlencoded} before
 * passing them to the HTTP basic authentication algorithm. This
 * behaviour differs from the original HTTP Basic Authentication
 * specification (RFC 2617).
 *
 * <p>Example HTTP Authorization header (for client identifier
 * "Aladdin" and password "open sesame"):
 *
 * <pre>
 * Authorization: Basic QWxhZGRpbjpvcGVuK3Nlc2FtZQ==
 * </pre>
 *
 * <p>See RFC 2617, section 2.
 *
 * @return The HTTP Authorization header.
 */
public String toHTTPAuthorizationHeader() {
    StringBuilder sb = new StringBuilder();
    try {
        // Form-urlencode each part separately, then join with ':'
        sb.append(URLEncoder.encode(getClientID().getValue(), UTF8_CHARSET.name()));
        sb.append(':');
        sb.append(URLEncoder.encode(getClientSecret().getValue(), UTF8_CHARSET.name()));
    } catch (UnsupportedEncodingException e) {
        // UTF-8 should always be supported
    }
    return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET));
}
```

Based on the above code, I believe that the result of [this unit test](https://github.com/GluuFederation/oxAuth/blob/master/Client/src/test/java/org/xdi/oxauth/ws/rs/ClientSecretBasicTest.java) (from [issue 677 on Github](https://github.com/GluuFederation/oxAuth/issues/677)) is incorrect. The correctly base64-encoded **and** url-encoded string should be `YSUyQmI6YyUyQmQ=`, not `YStiOmMrZA==`.

By David Avendasora user 21 Dec 2017 at 4:16 p.m. CST

I forgot to include a specific example. Given the following values:

- **client-id**: `@!412E.2540.0430.FDDA!0001!A2B6.0F60!0008!45CD.44CF.C8A9.3F6F`
- **client-secret**: `Pa55w0rd!`

Using:

**base64.encode(**`@!412E.2540.0430.FDDA!0001!A2B6.0F60!0008!45CD.44CF.C8A9.3F6F`**:**`Pa55w0rd!`**)**

which translates into an Authorization header of:

```
Basic QCE0MTJFLjI1NDAuMDQzMC5GRERBITAwMDEhQTJCNi4wRjYwITAwMDghNDVDRC40NENGLkM4QTkuM0Y2RjpQYTU1dzByZCE=
```

which works, returning the expected access token.

**However**, using the OpenID Connect specified encoding of:

*base64.encode(* **url.encode(**`@!412E.2540.0430.FDDA!0001!A2B6.0F60!0008!45CD.44CF.C8A9.3F6F`**)**:**url.encode(**`Pa55w0rd!`**)** *)*

which translates into an Authorization header of:

```
Basic JTQwJTIxNDEyRS4yNTQwLjA0MzAuRkREQSUyMTAwMDElMjFBMkI2LjBGNjAlMjEwMDA4JTIxNDVDRC40NENGLkM4QTkuM0Y2RjpQYTU1dzByZCUyMQ==
```

which fails, returning the following error message:

```json
{"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}
```
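The two encodings discussed in both posts above, reproduced as an added example (not code from the thread, from Gluu, or from Spring Security): `basic_header` builds the `client_secret_basic` header either RFC 2617 style (raw `id:secret`) or RFC 6749 section 2.3.1 style (form-urlencode first), and `parse_basic_header` shows what an authorization server recovers depending on whether it form-decodes. `java_url_encode` is a hypothetical helper that reproduces the rules of `java.net.URLEncoder` (alphanumerics and `.-*_` untouched, space to `+`, everything else `%XX`) so the output matches the Java code quoted above; the client id and secret are the values quoted in the second post.

```python
import base64
import urllib.parse

# Constructed from the values quoted in the thread above.
CLIENT_ID = "@!412E.2540.0430.FDDA!0001!A2B6.0F60!0008!45CD.44CF.C8A9.3F6F"
CLIENT_SECRET = "Pa55w0rd!"


def java_url_encode(s: str) -> str:
    """Form-urlencode like java.net.URLEncoder.encode(s, "UTF-8"):
    ASCII letters/digits and '.', '-', '*', '_' pass through unchanged,
    a space becomes '+', every other byte becomes %XX (uppercase hex)."""
    out = []
    for b in s.encode("utf-8"):
        c = chr(b)
        if (b < 128 and c.isalnum()) or c in ".-*_":
            out.append(c)
        elif c == " ":
            out.append("+")
        else:
            out.append("%%%02X" % b)
    return "".join(out)


def basic_header(client_id: str, client_secret: str, form_encode: bool) -> str:
    """Build the client_secret_basic Authorization header.

    form_encode=False: RFC 2617 style, the raw "id:secret" is base64-encoded.
    form_encode=True:  RFC 6749 section 2.3.1 style, id and secret are
                       form-urlencoded first (what the quoted Java code does).
    """
    if form_encode:
        client_id = java_url_encode(client_id)
        client_secret = java_url_encode(client_secret)
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_basic_header(header: str, form_decode: bool) -> tuple:
    """Server side: recover (client_id, client_secret) from the header.

    form_decode=False models a server that only base64-decodes; the
    percent-escapes then survive into the client id it looks up, which is
    why the url-encoded header in the thread is answered with invalid_client.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        raise ValueError("credentials must contain a ':' separator")
    if form_decode:
        client_id = urllib.parse.unquote_plus(client_id)
        client_secret = urllib.parse.unquote_plus(client_secret)
    return client_id, client_secret


if __name__ == "__main__":
    for form in (False, True):
        hdr = basic_header(CLIENT_ID, CLIENT_SECRET, form)
        print(f"form_encode={form}: {hdr}")
        # A server that does not form-decode sees a different client id for the encoded header.
        print("  client id seen by a non-decoding server:", parse_basic_header(hdr, form_decode=False)[0])
```

The mismatch cuts both ways: a server that does form-decode will turn a literal `+` in a raw (RFC 2617) secret into a space, so client and server have to agree on one convention, and a client id or secret containing `@`, `!`, `+`, `%` or spaces is exactly where the two conventions stop producing the same header.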

By Michael Schwartz Account Admin 21 Dec 2017 at 6:56 p.m. CST

Non-supported client. Use [oxd-java](https://gluu.org/docs/oxd/libraries/languages/java/)...