URL-encode OIDC client id and client secret for Basic authentication to comply with OAuth 2.0 spec #530
Merged
hhund merged 3 commits intoJul 4, 2026
Conversation
RFC 6749 requires the client id and client secret to be URL-encoded first when using the HTTP Basic authentication scheme. See https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
hhund
approved these changes
Jul 4, 2026
hhund
left a comment
Member
We missed the UTF-8 requirement in RFC 6749 - Appendix B. I will fix the code and then merge the PR.
The main change ensures that the `clientId` and `clientSecret` are properly URL-encoded before being included in the HTTP Basic Authorization header, which is required by RFC 6749. Because client credentials can contain any printable ASCII character—including the colon (`:`) used as the Basic Auth delimiter—an unencoded `clientId` containing a colon caused OIDC server-side authorization failures due to incorrect credential splitting. URL-encoding both values safely escapes these characters and guarantees reliable server-side parsing.

Additionally, a small bug in the access token verification logic has been fixed by checking if the `algorithm` is present instead of just the `key`, providing proper error messages with unsupported key types or algorithms.

Closes #529.
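The encoding rules this PR applies (RFC 6749 section 2.3.1 together with the UTF-8 requirement of Appendix B that the reviewer points out), as an added Python example that is not the project's Java code from `OidcClientJersey`: each credential is encoded to UTF-8, then `application/x-www-form-urlencoded`, the two encoded values are joined with a colon and base64-encoded; the server splits on the first colon and decodes each half. The pre-fix construction (`naive_basic_auth_header`) is included so the mis-split on a client id containing a colon is visible. All credential values are constructed for illustration.

```python
import base64
import string

# Characters left as-is by application/x-www-form-urlencoded (the HTML 4.01
# rules that RFC 6749 Appendix B references); every other byte is percent-
# encoded, except that a space becomes '+'.
_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-_.*")


def form_urlencode(value: str) -> str:
    """RFC 6749 Appendix B: encode to UTF-8 first, then form-urlencode each byte."""
    out = []
    for b in value.encode("utf-8"):
        if b < 0x80 and chr(b) in _UNRESERVED:
            out.append(chr(b))
        elif b == 0x20:
            out.append("+")
        else:
            out.append("%{:02X}".format(b))
    return "".join(out)


def form_urldecode(value: str) -> str:
    """Inverse of form_urlencode: '+' -> space, %XX -> raw byte, then UTF-8 decode."""
    buf = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "+":
            buf.append(0x20)
            i += 1
        elif c == "%":
            buf.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            buf.append(ord(c))
            i += 1
    return buf.decode("utf-8")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side per RFC 6749 section 2.3.1: encode each value, join with ':', base64."""
    userpass = form_urlencode(client_id) + ":" + form_urlencode(client_secret)
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def naive_basic_auth_header(client_id: str, client_secret: str) -> str:
    """The pre-fix construction: raw values joined with ':' (what this PR replaces)."""
    userpass = client_id + ":" + client_secret
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def parse_basic_auth_header(header: str) -> tuple[str, str]:
    """Server side: split on the first ':' and form-urldecode both halves."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        raise ValueError("not an HTTP Basic Authorization header")
    userpass = base64.b64decode(b64, validate=True).decode("utf-8")
    enc_id, sep, enc_secret = userpass.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in credentials")
    return form_urldecode(enc_id), form_urldecode(enc_secret)


if __name__ == "__main__":
    # Constructed sample credentials: a client id containing colons and a
    # secret containing '&', a space and a non-ASCII character.
    cid, secret = "urn:example:client", "s3cr&t pässword"
    print(parse_basic_auth_header(basic_auth_header(cid, secret)))          # exact round trip
    print(parse_basic_auth_header(naive_basic_auth_header(cid, "s3cret")))  # split at the first ':'
```

Running the module shows the encoded header round-tripping to the original values, while the naive header is parsed as client id `urn` and secret `example:client:s3cret`, which is the credential-splitting failure the description refers to. The encoder is written out rather than taken from `urllib.parse` so that the exact rule set (space as `+`, `*` unencoded, uppercase hex) matches what Appendix B specifies.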
Changes
The class `OidcClientJersey` now URL-encodes `clientId` and `clientSecret` when used in the Basic Authorization header.
How Was This Patch Tested?