This repository has been archived by the owner on May 31, 2022. It is now read-only.
Summary
DefaultClientAuthenticationHandler.authenticateTokenRequest() does not work properly if the user name or password contains special characters, for example ":". Based on my specification search, the user name and password have to be URL-encoded.
Actual Behavior
A user whose user name contains a colon cannot log in. The provider returns an exception.
Expected Behavior
A user whose user name contains a colon can be authenticated.
Configuration
Local openid provider.
Version
At least 2.2.x and 2.3.x.
Sample
Test case user credentials:
String userName = "my:super:user";
String password = "secret:pwd";
The bug in the source code location:
// line 32 of org.springframework.security.oauth2.client.token.auth.DefaultClientAuthenticationHandler.authenticateTokenRequest()
case header:
    form.remove("client_secret");
    headers.add("Authorization",
        // original code which does not work!
        String.format("Basic %s", new String(
            Base64.encode(
                String.format("%s:%s", resource.getClientId(),
                    clientSecret).getBytes("UTF-8")), "UTF-8")));
        // my fix which works!
        String.format("Basic %s", new String(
            Base64.encode(
                String.format("%s:%s", URLEncoder.encode(resource.getClientId()),
                    URLEncoder.encode(clientSecret)).getBytes("UTF-8")), "UTF-8")));
    break;
The user-id and password MUST NOT contain any control characters (see "CTL" in Appendix B.1 of [RFC5234]). Furthermore, a user-id containing a colon character is invalid, as the first colon in a user-pass string separates user-id and password from one another; text after the first colon is part of the password. User-ids containing colons cannot be encoded in user-pass strings.
I'm going to close this since a user-id containing a colon character is invalid.
While that is true, it does not apply in this case. RFC 6749 describes the process of converting a client identifier (which may contain a colon) into a valid Basic auth user-id.
For anybody who encounters this issue: you can work around it by changing the client-authentication-method property of your registration to post.
This sends the client id in a POST body instead of a base64-encoded Basic authentication header, which means special characters can be used.
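The point raised above about RFC 6749 is the heart of this issue. Section 2.3.1 of that RFC says the client identifier and client secret are each application/x-www-form-urlencoded first, and only then joined with ":" and Base64-encoded for the HTTP Basic scheme; a server that splits the decoded user-pass string at the first colon (as RFC 7617 requires) and form-decodes both halves therefore recovers a client id that itself contains colons. The following is an added, stand-alone illustration of that encoding and of the server-side parse, not code from spring-security-oauth; the class name ClientSecretBasicExample and the helper method names are my own, and the client id and secret are the constructed sample values from the issue's test case.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not spring-security-oauth code) of RFC 6749 section 2.3.1:
 * client_id and client_secret are application/x-www-form-urlencoded before
 * they are joined with ':' and Base64-encoded for the HTTP Basic scheme.
 */
public class ClientSecretBasicExample {

    /** Client side, RFC 6749 way: form-encode each part, then Basic-encode the pair. */
    static String basicHeader(String clientId, String clientSecret) {
        String userPass = URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + ":" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder()
                .encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    /** Client side, naive way (the behaviour reported in this issue): no form-encoding. */
    static String naiveBasicHeader(String clientId, String clientSecret) {
        String userPass = clientId + ":" + clientSecret;
        return "Basic " + Base64.getEncoder()
                .encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Server side: Base64-decode, split at the FIRST colon as RFC 7617 requires,
     * then form-decode each half as RFC 6749 section 2.3.1 requires.
     * Returns { clientId, clientSecret }.
     */
    static String[] parseBasicHeader(String headerValue) {
        if (!headerValue.startsWith("Basic ")) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()));
        String userPass = new String(raw, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator in user-pass");
        }
        return new String[] {
            URLDecoder.decode(userPass.substring(0, colon), StandardCharsets.UTF_8),
            URLDecoder.decode(userPass.substring(colon + 1), StandardCharsets.UTF_8)
        };
    }

    public static void main(String[] args) {
        // Constructed sample values, taken from the issue's test case.
        String clientId = "my:super:user";
        String clientSecret = "secret:pwd";

        String[] good = parseBasicHeader(basicHeader(clientId, clientSecret));
        System.out.println("RFC 6749 encoding -> id=" + good[0] + " secret=" + good[1]);

        String[] bad = parseBasicHeader(naiveBasicHeader(clientId, clientSecret));
        System.out.println("naive encoding    -> id=" + bad[0] + " secret=" + bad[1]);
    }
}
```

Running main shows the difference: with the RFC 6749 encoding the user-pass string is my%3Asuper%3Auser:secret%3Apwd, the only literal colon is the separator, and the server recovers my:super:user and secret:pwd intact; with the naive encoding the string is my:super:user:secret:pwd, the server splits at the first colon, and the client is authenticated as my with secret super:user:secret:pwd, which is exactly why the provider rejects the request. Both parties must agree on this encoding; a server that does not form-decode the halves will equally fail to match a client that does (requires Java 10 or later for the Charset overloads of URLEncoder and URLDecoder).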