Skip to content

Commit fa7ecac

Browse files
ovsepovsmar
ovsep
authored and
ovsmar
committed
"fix: Remove urlencode from Basic Authentication header construction
According to RFC 2617 Section 2, Basic Authentication should use base64 encoding of the raw credentials without URL encoding. This change removes the urlencode() calls that were incorrectly encoding the credentials before base64 encoding. This fixes issues with: - Special characters in client_secret being double-encoded - Non-compliance with RFC 2617 and RFC 7617 - Authentication failures with certain OpenID Connect providers
1 parent 7f27bab commit fa7ecac

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

src/OpenIDConnectClient.php

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -841,7 +841,7 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
841841
if($bClientAuth) {
842842
$token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
843843
if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
844-
$headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
844+
$headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
845845
} else {
846846
$post_data['client_id'] = $this->clientID;
847847
$post_data['client_secret'] = $this->clientSecret;
@@ -880,7 +880,7 @@ protected function requestTokens(string $code, array $headers = []) {
880880
$authorizationHeader = null;
881881
# Consider Basic authentication if provider config is set this way
882882
if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
883-
$authorizationHeader = 'Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret));
883+
$authorizationHeader = 'Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret);
884884
unset($token_params['client_secret'], $token_params['client_id']);
885885
}
886886

@@ -962,7 +962,7 @@ public function requestTokenExchange(string $subjectToken, string $subjectTokenT
962962

963963
# Consider Basic authentication if provider config is set this way
964964
if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
965-
$headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
965+
$headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
966966
unset($post_data['client_secret'], $post_data['client_id']);
967967
}
968968

@@ -998,7 +998,7 @@ public function refreshToken(string $refresh_token) {
998998

999999
# Consider Basic authentication if provider config is set this way
10001000
if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
1001-
$headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
1001+
$headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
10021002
unset($token_params['client_secret'], $token_params['client_id']);
10031003
}
10041004

@@ -1644,7 +1644,7 @@ public function introspectToken(string $token, string $token_type_hint = '', ?st
16441644
$clientSecret = $clientSecret ?? $this->clientSecret;
16451645

16461646
// Convert token params to string format
1647-
$headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
1647+
$headers = ['Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
16481648
'Accept: application/json'];
16491649

16501650
if ($this->supportsAuthMethod('client_secret_jwt', $token_endpoint_auth_methods_supported)) {
@@ -1685,7 +1685,7 @@ public function revokeToken(string $token, string $token_type_hint = '', ?string
16851685

16861686
// Convert token params to string format
16871687
$post_params = http_build_query($post_data, '', '&');
1688-
$headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
1688+
$headers = ['Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
16891689
'Accept: application/json'];
16901690

16911691
return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers), false);

0 commit comments

Comments
 (0)