
URL-encode OIDC client id and client secret for Basic authentication to comply with OAuth2.0 spec #530

Merged

hhund merged 3 commits into develop from issue/529_oidc_fails_for_client-id_containing_colon on Jul 4, 2026
Conversation

@EmteZogaf

Collaborator

The main change ensures that the clientId and clientSecret are properly URL-encoded before being included in the HTTP Basic Authorization header, which is required by RFC 6749. Because client credentials can contain any printable ASCII character—including the colon (:) used as the Basic Auth delimiter—an unencoded clientId containing a colon caused OIDC server-side authorization failures due to incorrect credential splitting. URL-encoding both values safely escapes these characters and guarantees reliable server-side parsing.

Additionally, a small bug in the access token verification logic has been fixed by checking if the algorithm is present instead of just the key, providing proper error messages with unsupported key types or algorithms.

Closes #529.

Changes

The class OidcClientJersey now URL-encodes clientId and clientSecret when used in Basic Authorization header.

How Was This Patch Tested?

  • Unit tests
  • Integration tests
  • Manually executed tests
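To show the failure mode the PR description refers to, here is an added example (not the project's OidcClientJersey code): it builds the Basic credentials the unencoded way beside the RFC 6749 section 2.3.1 / Appendix B way and parses them as a token endpoint would, using constructed sample credentials.

```python
"""Added example, not the project's code: HTTP Basic client credentials for the
OAuth 2.0 token endpoint, before and after the RFC 6749 encoding fix."""
import base64
from urllib.parse import quote_plus, unquote_plus


def form_encode(value: str) -> str:
    """RFC 6749 Appendix B: UTF-8 encode, then application/x-www-form-urlencoded
    percent-encoding (quote_plus also turns spaces into '+')."""
    return quote_plus(value, safe="", encoding="utf-8")


def basic_header_unencoded(client_id: str, client_secret: str) -> str:
    """Behaviour before the fix: raw values joined with ':' and base64-encoded.
    A ':' inside client_id moves the delimiter the server will split on."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_header_rfc6749(client_id: str, client_secret: str) -> str:
    """Behaviour after the fix: each value is form-encoded first, so the only
    unescaped ':' in the credential string is the Basic Auth delimiter."""
    raw = f"{form_encode(client_id)}:{form_encode(client_secret)}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str) -> tuple[str, str]:
    """What a compliant token endpoint does: base64-decode, split on the FIRST
    colon, then form-decode each half back to the original credential."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not an HTTP Basic Authorization header")
    user_pass = base64.b64decode(token).decode("utf-8")
    enc_id, sep, enc_secret = user_pass.partition(":")
    if not sep:
        raise ValueError("missing ':' delimiter in Basic credentials")
    return unquote_plus(enc_id), unquote_plus(enc_secret)


if __name__ == "__main__":
    # Constructed sample credentials: the client id contains the delimiter.
    cid, secret = "tenant:service-a", "p@ss w0rd/ü"
    print(parse_basic_header(basic_header_unencoded(cid, secret)))  # wrong split
    print(parse_basic_header(basic_header_rfc6749(cid, secret)))    # round-trips
```

Running it shows the unencoded header being parsed as client id `tenant` with the rest of the string as the secret, while the RFC-encoded header round-trips to the original values.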

@EmteZogaf EmteZogaf force-pushed the issue/529_oidc_fails_for_client-id_containing_colon branch from da45cfc to 0be5cc0 Compare July 2, 2026 23:21
@EmteZogaf EmteZogaf requested a review from hhund July 2, 2026 23:23
RFC 6749 requires the client id and client secret to be URL-encoded
first when using the HTTP Basic authentication scheme.

see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
@EmteZogaf EmteZogaf force-pushed the issue/529_oidc_fails_for_client-id_containing_colon branch from 0be5cc0 to 31ca79d Compare July 2, 2026 23:28
@hhund hhund added this to the 2.1.1 milestone Jul 4, 2026
@hhund hhund self-assigned this Jul 4, 2026

@hhund hhund left a comment

Member


We missed the UTF-8 requirement in RFC 6749 - Appendix B. I will fix the code and then merge the PR.

@hhund hhund merged commit def03ed into develop Jul 4, 2026
20 checks passed


Development

Successfully merging this pull request may close these issues.

OIDC identity provider receives wrong client-id for client-id containing colon

2 participants