Missing Basic Authorization header in call to token endpoint
Hi,
We’ve encountered an issue recently when configuring a custom Identity Provider within the plugin.
The custom identity provider is an AWS Cognito User Pool that provides the standard OAuth 2.0 endpoints for:
/authorize
/token

The HTTP POST token endpoint enforces the following for supplying the Client Id and Client Secret:

    Authorization: If the client was issued a secret, the client must pass its client_id and client_secret in the authorization header through Basic HTTP authorization. The secret is Basic Base64Encode(client_id:client_secret).
This appears to be in line with the section regarding supply of Client Id and Client Secret in the OAuth 2.0 spec RFC 6749.
However, the miniOrange OAuth Client plugin only supports sending the Client Id and Client secret in the body of the POST.
I was able to update the plugin to add the following Basic Authorization header to the file:
wp-content/plugins/miniorange-login-with-eve-online-google-facebook/handler/oauth_handler.php

    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Accept: application/json',
        'Authorization: Basic ' . base64_encode($clientid . ':' . $clientsecret)
    ));
This then sends the Client Id and Client Secret correctly and the rest of the authentication flow works perfectly.
Would this change request be something that could be updated in a new release of the plugin?
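The exchange described above, as an added example (not the poster's patch and not the plugin's own code): the client builds the token request with the credentials in a Basic Authorization header rather than in the POST body, and a toy token endpoint enforces the same rule Cognito documents, rejecting requests that carry client_id and client_secret only in the body. The client id and secret are constructed sample values. The header is built per RFC 6749 section 2.3.1, which form-urlencodes client_id and client_secret before base64-encoding them; for the alphanumeric values Cognito issues this produces exactly Base64Encode(client_id:client_secret), and the sample secret deliberately contains a colon to show why the encoding step exists.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample client registration (hypothetical values, not taken from the post).
CLIENT_ID = "1example23456789"
CLIENT_SECRET = "s3cr3t:with/odd=chars"  # colon on purpose: RFC 6749 urlencodes each part


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: build the Authorization header for client_secret_basic.

    RFC 6749 section 2.3.1: each value is application/x-www-form-urlencoded
    before being joined with ':' and base64-encoded. For plain alphanumeric
    credentials this is identical to base64(client_id:client_secret).
    """
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Client side: headers and body of the POST to the token endpoint.

    The credentials travel in the Authorization header; the body carries only
    the grant parameters.
    """
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return headers, body


def parse_basic_auth(header: str):
    """Server side: return (client_id, client_secret) or None if the header is unusable."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # first ':' separates the two parts
    if not sep:
        return None
    return unquote(user), unquote(password)


def token_endpoint(headers: dict, body: str, registered_clients: dict):
    """Toy token endpoint enforcing the rule quoted in the post: a client that was
    issued a secret must authenticate with HTTP Basic. Credentials present only in
    the body are ignored, so such a request fails with invalid_client."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, client_secret = creds
    expected = registered_clients.get(client_id)
    # Constant-time comparison so the check does not leak how much of the secret matched.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    if params.get("grant_type") != "authorization_code" or "code" not in params:
        return 400, {"error": "invalid_request"}
    # Authorization-code validation is elided; mint an opaque token for the demo.
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    clients = {CLIENT_ID: CLIENT_SECRET}
    hdrs, body = build_token_request(CLIENT_ID, CLIENT_SECRET, "authcode123", "https://example.com/cb")
    print("with Basic header:", token_endpoint(hdrs, body, clients)[0])
    hdrs_no_auth = {k: v for k, v in hdrs.items() if k != "Authorization"}
    body_only = body + "&" + urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    print("credentials in body only:", token_endpoint(hdrs_no_auth, body_only, clients)[0])
```

The second request in the usage block is what the unpatched plugin sends: the credentials are in the POST body and no Authorization header is present, so an endpoint configured as Cognito's is gets 401 invalid_client, which matches the failure the post describes.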