Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Authorization Header not found in OAuth2 getOAuthAccessToken #175

twhtanghk opened this Issue Jan 17, 2014 · 6 comments


None yet
5 participants

I run into problem in connection from passport-oauth2 to django-oauth-toolkit. When authorization is granted, getOAuthAccessToken prepare the request without authorization header including clientId and clientSecret as defined in section 4.1.3 of rfc6749. The value of the authorization header is "unicode: Bearer undefined" instead. Any hints or suggestion. Thanks.

It is suggested to revise oauth2.js line 155-159 as follows:

  var post_data= querystring.stringify( params );
  var post_headers= {
       'Content-Type': 'application/x-www-form-urlencoded',
       'Authorization': 'Basic ' + new Buffer(this._clientId + ':' + this._clientSecret).toString('base64')

Any other suggestions. Thanks

skeggse commented Feb 24, 2014

I'm running into the same issue. The request body contains the id/secret, when some services require it to be in the Authorization header as a Basic auth request. I'm not familiar with the services purportedly tested with this library, but I'm guessing they accept the authorization in the body rather than the header.

For your information, the following is mentioned in section 2.3.1 of rfc 6749.

   Including the client credentials in the request-body using the two
   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
   to directly utilize the HTTP Basic authentication scheme (or other
   password-based HTTP authentication schemes).  The parameters can only
   be transmitted in the request-body and MUST NOT be included in the
   request URI.

The Fitbit API is an example of a service that requires Basic Auth.


There's currently no way to add custom headers when calling getOAuthAccessToken?

Have a look to https://github.com/thegameofcode/passport-fitbit-oauth2/blob/master/lib/oauth2.js
I make my integration work by creating my strategy like this :
new OAuth2Strategy({
authorizationURL: ...,
tokenURL: ..,
clientID: ,
clientSecret: ,
callbackURL: ...,
customHeaders : { Authorization: 'Basic '+ new Buffer( + ':' + ).toString('base64') }

Is there a PR on resolving this issue? This prevents passport from working with the Dex OIDC provider.

@lexi-lambda lexi-lambda added a commit to cjdev/node-oauth that referenced this issue Oct 13, 2016

@lexi-lambda lexi-lambda Pass Basic Authorization header to OAuth2 access token request
fixes #143, #175, #205, and #300
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment