
Gitlab client_auth_method basic, secret is url encoded

Open · ap-wtioit opened this issue 2 years ago · 1 comment

When I tried to set up the omniauth openid_connect in our GitLab instance with client_auth_method basic, the secret was sent URL-encoded to the server.

e.g.

...
{
  name: "openid_connect",
  ...
  args: {
    ...
    client_auth_method: "basic",
    ...
    client_options: {
      identifier: "our_id",
      secret: "our_p+a+s/s/w+o+r+d"
      ...
    },
    ...
  }
}
...

would send the following authorization header to the server: Basic b3VyX2lkOm91cl9wJTJCYSUyQnMlMkZzJTJGdyUyQm8lMkJyJTJCZA==

which gives us our_id:our_p%2Ba%2Bs%2Fs%2Fw%2Bo%2Br%2Bd instead of our_id:our_p+a+s/s/w+o+r+d

ap-wtioit avatar Jun 21 '22 07:06 ap-wtioit

Changing client_auth_method to basic_without_www_form_urlencode may help.

thezzisu avatar Sep 15 '24 08:09 thezzisu
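An added Ruby example (not code from omniauth_openid_connect, rack-oauth2 or GitLab) that reproduces the Authorization header from the issue above: with the client id and secret form-urlencoded before base64, which is what RFC 6749 section 2.3.1 specifies for HTTP Basic client authentication, and without that step, which is what the basic_without_www_form_urlencode option in the reply implies. The function names and the server-side decoder are assumptions for illustration.

```ruby
# Added example, not code from the library or GitLab. Uses only stdlib:
# pack("m0")/unpack1("m0") is strict base64 without line breaks.
require 'uri'

# Client side. RFC 6749 section 2.3.1 form-urlencodes id and secret before
# joining them with ":" and base64-encoding; that is the client_auth_method
# "basic" path from the issue. urlencode: false models the
# basic_without_www_form_urlencode behaviour mentioned in the reply.
def basic_auth_header(client_id, client_secret, urlencode: true)
  id  = urlencode ? URI.encode_www_form_component(client_id) : client_id
  sec = urlencode ? URI.encode_www_form_component(client_secret) : client_secret
  "Basic " + ["#{id}:#{sec}"].pack("m0")
end

# Server side (hypothetical token endpoint). A spec-following server
# form-urldecodes both halves after base64; a server that skips that step
# compares the still-encoded secret ("our_p%2Ba%2B...") and rejects it.
# Note the reverse mismatch too: a decoding server given a raw secret with
# "+" in it turns those characters into spaces.
def decode_basic_auth(header, urldecode: true)
  raw = header.sub(/\ABasic /, '').unpack1("m0")
  id, secret = raw.split(':', 2)
  return [id, secret] unless urldecode
  [URI.decode_www_form_component(id), URI.decode_www_form_component(secret)]
end

if __FILE__ == $PROGRAM_NAME
  secret = "our_p+a+s/s/w+o+r+d"                 # value quoted in the issue
  encoded = basic_auth_header("our_id", secret)
  puts encoded                                    # header shown in the issue
  p decode_basic_auth(encoded)                    # spec-following server: OK
  p decode_basic_auth(encoded, urldecode: false)  # non-decoding server: mismatch
  p decode_basic_auth(basic_auth_header("our_id", secret, urlencode: false))
end
```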