
Implementation of OAuth2 authentication with HTTP Basic authentication scheme not RFC6749 compliant


Describe the bug

When authenticating to the Keycloak OAuth2 server with grant_type: "client_credentials" and the HTTP Basic authentication scheme as described in RFC 6749 section 2.3.1 (client id and secret form-URL-encoded before being Base64-encoded), a secret containing special characters makes Keycloak reject the request with a 401 error response: { "error": "unauthorized_client", "error_description": "Invalid client secret" }

Version

16.1.1

Expected behavior

Keycloak should URL-decode the credentials taken from a Basic authentication header before validating them, as RFC 6749 section 2.3.1 requires.

Actual behavior

Keycloak does not URL-decode the client credentials carried in a Basic authentication header when authenticating an OAuth2 client, as the specification requires. Therefore requests from compliant clients whose secrets contain special characters are rejected.

How to Reproduce?

When authenticating a client with client_id = "user" and client_secret = "secret/with=special?character", a compliant authentication request with basic auth header would look like this:

```http
POST /user-service/auth/realms/generic/protocol/openid-connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Authorization: Basic dXNlcjpzZWNyZXQlMkZ3aXRoJTNEc3BlY2lhbCUzRmNoYXJhY3Rlcg==
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Host: keycloak-test.testdomain.de
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

grant_type=client_credentials
```

but gets denied with:

```http
HTTP/1.1 401 Unauthorized
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
Date: Mon, 09 May 2022 13:13:54 GMT
X-Content-Type-Options: nosniff
Content-Length: 75
Content-Type: application/json
Strict-Transport-Security: max-age=31536000;includeSubDomains

{"error":"unauthorized_client","error_description":"Invalid client secret"}
```
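The following Python example (added here; it is neither Keycloak's nor Spring Security's code) shows both halves of RFC 6749 section 2.3.1: a client that form-URL-encodes the client id and secret before Base64-encoding them, and a token endpoint that decodes them again before comparison. The `form_decode` switch reproduces the two server behaviours described in this report: with it off, the credentials from the request above fail exactly as Keycloak 16.1.1 rejects them; with it on, they validate. The credentials are the ones from the reproduction; the function names are my own.

```python
import base64
import hmac
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus

# Sample credentials taken from the reproduction steps above.
CLIENT_ID = "user"
CLIENT_SECRET = "secret/with=special?character"


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side, RFC 6749 section 2.3.1: each value is encoded with the
    application/x-www-form-urlencoded algorithm (Appendix B), joined with ':'
    and Base64-encoded as in HTTP Basic. Encoding first also makes a ':' inside
    the secret unambiguous, because it becomes '%3A'."""
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def parse_basic_header(header: str, form_decode: bool) -> Tuple[str, str]:
    """Server side: split the header into (client_id, client_secret).

    form_decode=True  -> RFC 6749 compliant: form-URL-decode both values.
    form_decode=False -> the non-compliant behaviour reported in this issue:
                         the percent-encoded values are used as-is.
    Raises ValueError on anything that is not a well-formed Basic header."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic authorization header")
    # validate=True rejects non-alphabet bytes instead of silently skipping them
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credentials must contain ':'")
    if form_decode:
        return unquote_plus(username), unquote_plus(password)
    return username, password


def authenticate(header: str, registered_id: str, registered_secret: str,
                 form_decode: bool) -> bool:
    """Token-endpoint check for a client_credentials request.

    Malformed headers are treated as a failed authentication rather than an
    exception, and both fields are compared in constant time so that the
    comparison does not leak how many leading characters matched."""
    try:
        client_id, secret = parse_basic_header(header, form_decode)
    except (ValueError, UnicodeDecodeError):
        return False
    id_ok = hmac.compare_digest(client_id.encode("utf-8"),
                                registered_id.encode("utf-8"))
    secret_ok = hmac.compare_digest(secret.encode("utf-8"),
                                    registered_secret.encode("utf-8"))
    return id_ok and secret_ok


if __name__ == "__main__":
    header = build_basic_header(CLIENT_ID, CLIENT_SECRET)
    print("Authorization:", header)
    print("without form decoding:",
          authenticate(header, CLIENT_ID, CLIENT_SECRET, form_decode=False))
    print("with form decoding:   ",
          authenticate(header, CLIENT_ID, CLIENT_SECRET, form_decode=True))
```

Running the block prints the same `Authorization` value that appears in the request above, followed by `False` for the non-decoding server and `True` for the compliant one. Note that `quote_plus` encodes spaces as `+`, which is what Appendix B of RFC 6749 prescribes, so a server must use the matching form decoder (`unquote_plus`, not a plain percent-decoder) or secrets containing spaces will still fail.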

Anything else?

This issue has been brought to our attention through an update to the Spring OAuth2 client implementation: https://github.com/spring-projects/spring-security/issues/9610

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 17 (9 by maintainers)

Top GitHub Comments

lexcao commented, Aug 23, 2022

Hi @mposolda @sschu Thanks for your confirmation. I am willing to follow up on this. I will create the issue and PR later.
