RFC 6749 / section-2.3.1

nikola.stojanovic · September 10, 2024, 1:55pm

Based on RFC 6749 - The OAuth 2.0 Authorization Framework (ietf.org) in Authorization/OAuth 2.0 when we are using Client Authentication with Basic Auth header client identifier and password should be encoded in Postman

danny-dainton · September 10, 2024, 5:11pm

Hey @nikola.stojanovic

Welcome to the Postman Community!

What this a question or something else? Did you want to expand on the context here?

nikola.stojanovic · September 11, 2024, 7:13am

Hi,

I recently had an issue with postman with integration tests.

Library that was used added encoding in this way in Header

Base64(urlformencode(client_id) + “:” + urlformencode(client_secret)) based on Rfc6749

And postman is adding

Base64(client_id + “:” + client_secret)
based on RFC 2617

My question is: is this bug on postman or this is intended behavior?

github.com

IdentityModel/IdentityModel/blob/48d7b800d066ca02f3bc50b33604b5dc54e8d39c/src/Client/BasicAuthenticationHeaderStyle.cs#L9


      
          // Copyright (c) Duende Software. All rights reserved.
          // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
          
          namespace IdentityModel.Client;
          
          /// <summary>
          /// Enum for specifying then encoding style of the basic authentication header
          /// </summary>
          public enum BasicAuthenticationHeaderStyle
          {
              /// <summary>
              /// Recommended. Uses the encoding as described in the OAuth 2.0 spec (https://tools.ietf.org/html/rfc6749#section-2.3.1). Base64(urlformencode(client_id) + ":" + urlformencode(client_secret))
              /// </summary>
              Rfc6749,
              /// <summary>
              /// Uses the encoding as described in the original basic authentication spec (https://tools.ietf.org/html/rfc2617#section-2 - used by some non-OAuth 2.0 compliant authorization servers). Base64(client_id + ":" + client_secret). 
              /// </summary>
              Rfc2617
          }

system · October 11, 2024, 7:14am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OAuth client authentication sent as basic authentication header 🙋 Help authentication	0	888	May 20, 2021
Incorrect Authorization Header 🙋 Help authentication	9	5147	October 1, 2024
Accessing an API with Basic Auth not working 🙋 Help	3	9276	October 27, 2022
Postman encode different base64 then Java 🙋 Help	1	6393	July 20, 2019
Message for Allen Helton 🗣 General Discussion authentication	14	1351	February 17, 2024

RFC 6749 / section-2.3.1

Related topics