fix: encoding of basic auth header values

pkg/client/rs/resource_server.go

@@ -37,11 +37,11 @@ func (r *resourceServer) AuthFn() (interface{}, error) {
 	return r.authFn()
 }
 
-func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option Option) (ResourceServer, error) {
+func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
 	authorizer := func() (interface{}, error) {
 		return utils.AuthorizeBasic(clientID, clientSecret), nil
 	}
-	return newResourceServer(issuer, authorizer, option)
+	return newResourceServer(issuer, authorizer, option...)
 }
 func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
 	signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)

pkg/op/token_intospection.go

@@ -3,6 +3,7 @@ package op
 import (
 	"errors"
 	"net/http"
+	"net/url"
 
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/utils"
@@ -68,6 +69,14 @@ func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector)
 	}
 	clientID, clientSecret, ok := r.BasicAuth()
 	if ok {
+		clientID, err = url.QueryUnescape(clientID)
+		if err != nil {
+			return "", "", errors.New("invalid basic auth header")
+		}
+		clientSecret, err = url.QueryUnescape(clientSecret)
+		if err != nil {
+			return "", "", errors.New("invalid basic auth header")
+		}
 		if err := introspector.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil {
 			return "", "", err
 		}

pkg/utils/http.go

@@ -30,7 +30,7 @@ type RequestAuthorization func(*http.Request)
 
 func AuthorizeBasic(user, password string) RequestAuthorization {
 	return func(req *http.Request) {
-		req.SetBasicAuth(user, password)
+		req.SetBasicAuth(url.QueryEscape(user), url.QueryEscape(password))
 	}
 }