UAA should accept url-escaped client credentials via basic auth #785
Comments
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/155676075 The labels on this github issue will be updated when the story is started. |
|
See also #778 and cloudfoundry/cli#1176 (review) |
|
Closing as it is a duplicate of #778 |
cf-gitbot
added
delivered
accepted
strehle
added a commit
that referenced
this issue
Dec 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of UAA are you running?
4.10.0
How are you deploying the UAA?
I am deploying the UAA using BOSH
What did you do?
Tried to obtain an access token via client credentials grant where client secret contains url-unsafe characters, using https://godoc.org/golang.org/x/oauth2.
What did you expect to see? What goal are you trying to achieve with the UAA?
To obtain an access token.
What did you see instead?
Received a 401.
The golang oauth2 client url-escapes the client id and secret: https://github.com/golang/oauth2/blob/master/internal/token.go#L191. When the client id or secret includes url-unsafe characters, it's impossible to obtain an access token using the golang client, since the uaa doesn't accept url-escaped credentials. It's possible to obtain an access token with url-unsafe credentials using another client, like
curl, if credentials are not url-escaped.According to rfc 6749, client credentials should be url-escaped, so it looks like the behavior of the golang oauth2 client is correct.
cc @sharms @wjwoodson
The text was updated successfully, but these errors were encountered: