fix: remove incorrect URL encoding from OAuth2 Basic auth credentials

🚀 Niklas Arens · claude · 🚀 Niklas Arens · commit b77f3b0ddbd5 · 2026-02-03T09:16:14.000+01:00
OAuth2 Basic authentication was incorrectly URL-encoding client credentials
before Base64 encoding. This caused characters like '&gt;' and '?' to become
'%3e' and '%3f' respectively, breaking authentication.

According to RFC 7617 (HTTP Basic Authentication) and RFC 6749 (OAuth 2.0)
Section 2.3.1, Basic auth credentials should be:
1. Concatenated as "client_id:client_secret"
2. Base64 encoded directly (no URL encoding first)
3. Sent as "Authorization: Basic &lt;base64&gt;"

URL encoding is for URL parameters, not Basic auth credentials.

This fixes authentication with OAuth2 providers that strictly validate
Basic auth header format, especially when client secrets contain special
characters that would be URL-encoded incorrectly.

Co-Authored-By: Claude (claude-sonnet-4) &lt;noreply@anthropic.com&gt;
diff --git a/lua/kulala/cmd/oauth.lua b/lua/kulala/cmd/oauth.lua
@@ -185,7 +185,7 @@ local function add_client_credentials(config_id, body, headers)
   if not validate_auth_params(config_id, required_params) then return body, headers end
 
   if type == "basic" then
-    local id, secret = vim.uri_encode(config["Client ID"]), vim.uri_encode(config["Client Secret"])
+    local id, secret = config["Client ID"], config["Client Secret"]
     table.insert(headers, "Authorization: Basic " .. Crypto.base64_encode_standard(id .. ":" .. secret))
   end
 
