internal: urlencode client id and secret in header

As per https://tools.ietf.org/html/rfc6749#section-2.3.1 client IDs and secrets must be urlencoded in the authorization header. This patch addresses this by wrapping clientID and clientSecret with url.QueryEscape. A dedicated test for unsafe-url client IDs and secrets has been added as well. Closes #237 Change-Id: I1f277b52caef4932e14147be8fb1712203da51d0 Reviewed-on: https://go-review.googlesource.com/46473 Reviewed-by: JBD <jbd@google.com>
2017-06-22 17:12:08 +02:00
parent d89af98d7c
commit 13449ad91c
2 changed files with 20 additions and 1 deletions
--- a/internal/token.go
+++ b/internal/token.go
@@ -188,7 +188,7 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	if !bustedAuth {
-		req.SetBasicAuth(clientID, clientSecret)
+		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
 	}
 	r, err := ctxhttp.Do(ctx, hc, req)
 	if err != nil {