
Authorization header for uaa needs oauth2 encoding now

Open strehle opened this issue 6 years ago • 2 comments

UAA is now changing to standard OAuth encoding: the RFC for OAuth requires URL encoding in the authorization header, see https://tools.ietf.org/html/rfc6749#section-2.3

The authorization header needs to be `Authorization: Basic base64Encode(urlencode(client_id):urlencode(client_secret))`

UAAC does not encode the authorization header (client). UAA does not decode the authorization header (server). Thus this issue does pop up in uaac before; however, uaac should behave in a standards-conformant way.

see https://github.com/cloudfoundry/cf-java-client/blob/master/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/tokenprovider/AbstractUaaTokenProvider.java#L185-L187

This will come with UAA-RELEASE 74.0.0, see https://www.pivotaltracker.com/n/projects/997278/stories/166970393

UAA clients need to be adapted; hence this issue.

Another example: https://github.com/cloudfoundry/cf-uaac/issues/50

strehle avatar Aug 22 '19 10:08 strehle
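The encoding rule the issue describes, as an added example (not code from the original issue or from cf-java-client): the legacy header concatenates the raw `client_id:client_secret`, while RFC 6749 section 2.3.1 form-urlencodes each part first. The decoder below stands in for a server such as UAA 74.0.0 that now decodes the header; the client id and secret values are constructed for the demonstration. It also shows why the workaround in the later comment holds: when neither value changes under URL encoding, both header forms are byte-identical.

```python
"""RFC 6749 section 2.3.1 client-credential encoding for HTTP Basic.

Added example, not cf-java-client or UAA code. Credential values are constructed.
"""
import base64
from urllib.parse import quote_plus, unquote_plus


def legacy_basic_header(client_id: str, client_secret: str) -> str:
    """Pre-RFC behaviour reported in the issue: raw 'id:secret', no URL encoding."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def oauth2_basic_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-urlencode each part, join with ':', then base64 the result."""
    # quote_plus applies application/x-www-form-urlencoded rules (space -> '+',
    # reserved characters such as ':' '@' '/' percent-encoded, unreserved kept).
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_oauth2_basic_header(header: str) -> tuple[str, str]:
    """Server side (a UAA-style decoder): base64-decode, split on the first ':',
    then form-urldecode each part. Raises ValueError on a malformed header."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    encoded_id, sep, encoded_secret = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator between client id and secret")
    return unquote_plus(encoded_id), unquote_plus(encoded_secret)


def needs_encoding(value: str) -> bool:
    """True when form-urlencoding would change the value, i.e. when a client that
    still sends the legacy header will be misread by a decoding server."""
    return quote_plus(value) != value


if __name__ == "__main__":
    cid, secret = "app:one", "p@ss word/"   # constructed values with reserved characters
    print(decode_oauth2_basic_header(oauth2_basic_header(cid, secret)))   # round-trips
    print(decode_oauth2_basic_header(legacy_basic_header(cid, secret)))   # split at wrong ':'
    print(legacy_basic_header("cf", "secret") == oauth2_basic_header("cf", "secret"))  # True
```

The legacy header for `app:one` / `p@ss word/` decodes on the new server as client id `app` with secret `one:p@ss word/`, which is the authentication failure the issue anticipates; a client and secret containing only unreserved characters produce the same header either way, which is exactly the workaround condition.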

Acknowledged.

We haven't seen any other issues reported from this or failures in CI, but I suspect that would only happen if there were characters in the username/password that require being urlencoded. Until this is fixed, if someone hits an issue you should be able to work around it by using a user/pass that does not change when being urlencoded (i.e. no characters need to be encoded).

dmikusa avatar Jan 18 '22 18:01 dmikusa

OK, almost done in UAA, and even in Spring 5.6 this is now the default, see https://github.com/spring-projects/spring-security/pull/9791, so you should also change the default.

strehle avatar Jan 18 '22 18:01 strehle