url-encode client_id/client_secret; closes #204 and #205
conforming to: https://tools.ietf.org/html/rfc6749#section-2.3.1
thanks @grrolland

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
zandbelt committed Oct 11, 2018
1 parent e5e1987 commit bd3de58
Showing 3 changed files with 9 additions and 2 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
@@ -1,3 +1,7 @@
10/11/2018
- url-encode client_id/client_secret; closes #204 and #205; thanks @grrolland
https://tools.ietf.org/html/rfc6749#section-2.3.1

10/8/2018
- make call_token_endpoint a public function

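Review bot: the new ChangeLog entry at the top of this hunk does not say that this is a behaviour change for operators. client_id and client_secret are now url-encoded before being placed in the Basic Authorization header, so a deployment whose OP does not follow RFC 6749 section 2.3.1 and whose credentials contain characters altered by url-encoding (for example ':' or '@') will start failing client authentication after upgrading; the README hunk in this same commit spells out that constraint, and the ChangeLog should too. Suggest one extra line under the entry, such as "- NOTE: credentials containing characters changed by url-encoding require an OP that url-decodes them".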
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -118,8 +118,11 @@ http {
-- and could not set the hostname
discovery = "https://accounts.google.com/.well-known/openid-configuration",
-- For non compliant OPs to OAuth 2.0 RFC 6749 for client Authentication (cf. https://tools.ietf.org/html/rfc6749#section-2.3.1)
-- client_id and client_secret MUST be invariant when url encoded
client_id = "<client_id>",
client_secret = "<client_secret>"
client_secret = "<client_secret>",
--authorization_params = { hd="zmartzone.eu" },
--scope = "openid email profile",
-- Refresh the users id_token after 900 seconds without requiring re-authentication
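Review bot: the two added comment lines read ambiguously. "For non compliant OPs to OAuth 2.0 RFC 6749 for client Authentication" sounds like a setting that exists for such OPs, whereas the point is a constraint on the credentials themselves, and "MUST" in RFC capitals suggests the requirement comes from the RFC rather than from this library's new encoding. Suggest rewording to something like "-- If your OP does not follow RFC 6749 section 2.3.1 for client authentication" / "-- (https://tools.ietf.org/html/rfc6749#section-2.3.1), client_id and client_secret" / "-- must not contain characters that are changed by url-encoding.", so a reader knows what to check and why.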
2 changes: 1 addition & 1 deletion lib/resty/openidc.lua
Expand Up @@ -391,7 +391,7 @@ function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
if auth then
if auth == "client_secret_basic" then
if opts.client_secret then
headers.Authorization = "Basic " .. b64(opts.client_id .. ":" .. opts.client_secret)
headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":" .. ngx.escape_uri(opts.client_secret))
else
-- client_secret must not be set if Windows Integrated Authentication (WIA) is used with
-- Active Directory Federation Services (AD FS) 4.0 (or newer) on Windows Server 2016 (or newer)
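Review bot: the new Authorization line uses ngx.escape_uri, which percent-encodes, while RFC 6749 section 2.3.1 (the reference given in the commit message) specifies application/x-www-form-urlencoded encoding; the two agree for most characters but differ for space (%20 versus +), so a client_secret containing a space may still be rejected by a strictly conforming OP. Suggest a one-line comment above the header assignment naming the encoding chosen and the RFC section, and a check that the client_secret_post path (outside this hunk) encodes the same credentials consistently with this branch, since a client whose credentials round-trip correctly with one method but not the other is hard to debug from the OP's error alone.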