From 9791a7e1461b95e946db87bbce47db056ff2b057 Mon Sep 17 00:00:00 2001 From: aeneasr Date: Thu, 23 Mar 2017 11:55:26 +0100 Subject: [PATCH] oauth2: basic auth should www-url-decode client id and secret - closes #150 --- access_request_handler.go | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/access_request_handler.go b/access_request_handler.go index 77b7f7e40..70b085c9a 100644 --- a/access_request_handler.go +++ b/access_request_handler.go @@ -6,6 +6,7 @@ import ( "github.com/pkg/errors" "golang.org/x/net/context" + "net/url" ) // Implements @@ -34,6 +35,7 @@ import ( // client MUST authenticate with the authorization server as described // in Section 3.2.1. func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (AccessRequester, error) { + var err error accessRequest := NewAccessRequest(session) if r.Method != "POST" { @@ -53,9 +55,14 @@ func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session return accessRequest, errors.Wrap(ErrInvalidRequest, "No grant type given") } - clientID, clientSecret, ok := r.BasicAuth() - if !ok { - return accessRequest, errors.Wrap(ErrInvalidRequest, "HTTP Authorization header missing or invalid") + // Decode client_id and client_secret which should be in "application/x-www-form-urlencoded" format. + var clientID, clientSecret string + if id, secret, ok := r.BasicAuth(); !ok { + return accessRequest, errors.Wrap(ErrInvalidRequest, "HTTP authorization header missing or invalid") + } else if clientID, err = url.QueryUnescape(id); err != nil { + return accessRequest, errors.Wrap(ErrInvalidRequest, `The client id in the HTTP authorization header could not be decoded from "application/x-www-form-urlencoded"`) + } else if clientSecret, err = url.QueryUnescape(secret); err != nil { + return accessRequest, errors.Wrap(ErrInvalidRequest, `The client secret in the HTTP authorization header could not be decoded from "application/x-www-form-urlencoded"`) } client, err := f.Store.GetClient(clientID)