From d7d7daab2d8ac34d52e8f3a1b16db0757a1027e3 Mon Sep 17 00:00:00 2001 From: Livio Amstutz Date: Fri, 5 Mar 2021 07:44:37 +0100 Subject: [PATCH] fix: encoding of basic auth header values --- pkg/client/rs/resource_server.go | 4 ++-- pkg/op/token_intospection.go | 9 +++++++++ pkg/utils/http.go | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/pkg/client/rs/resource_server.go b/pkg/client/rs/resource_server.go index f5dbe69..551fe88 100644 --- a/pkg/client/rs/resource_server.go +++ b/pkg/client/rs/resource_server.go @@ -37,11 +37,11 @@ func (r *resourceServer) AuthFn() (interface{}, error) { return r.authFn() } -func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option Option) (ResourceServer, error) { +func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) { authorizer := func() (interface{}, error) { return utils.AuthorizeBasic(clientID, clientSecret), nil } - return newResourceServer(issuer, authorizer, option) + return newResourceServer(issuer, authorizer, option...) } func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) { signer, err := client.NewSignerFromPrivateKeyByte(key, keyID) diff --git a/pkg/op/token_intospection.go b/pkg/op/token_intospection.go index 30d2544..e2ae0ad 100644 --- a/pkg/op/token_intospection.go +++ b/pkg/op/token_intospection.go @@ -3,6 +3,7 @@ package op import ( "errors" "net/http" + "net/url" "github.com/caos/oidc/pkg/oidc" "github.com/caos/oidc/pkg/utils" 
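Review bot: The exported constructor NewResourceServerClientCredentials has no doc comment, and the change from `option Option` to `option ...Option` is a public signature change that the commit subject ("encoding of basic auth header values") does not mention, so nothing tells callers the option is now optional. Call sites passing one Option still compile; a call site passing a literal nil would now hand newResourceServer a one-element slice holding nil, which looks like the same value it received before, but that cannot be confirmed from this hunk. I would add `// NewResourceServerClientCredentials returns a ResourceServer whose requests to issuer carry an HTTP Basic Authorization header built by utils.AuthorizeBasic from clientID and clientSecret; option values are passed on to newResourceServer.` The trailing `signer, err := ...` line belongs to NewResourceServerJWTProfile, whose body continues outside the hunk.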
@@ -68,6 +69,14 @@ func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector) } clientID, clientSecret, ok := r.BasicAuth() if ok { + clientID, err = url.QueryUnescape(clientID) + if err != nil { + return "", "", errors.New("invalid basic auth header") + } + clientSecret, err = url.QueryUnescape(clientSecret) + if err != nil { + return "", "", errors.New("invalid basic auth header") + } if err := introspector.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil { return "", "", err } diff --git a/pkg/utils/http.go b/pkg/utils/http.go index fa51815..6632053 100644 --- a/pkg/utils/http.go +++ b/pkg/utils/http.go @@ -30,7 +30,7 @@ type RequestAuthorization func(*http.Request) func AuthorizeBasic(user, password string) RequestAuthorization { return func(req *http.Request) { - req.SetBasicAuth(user, password) + req.SetBasicAuth(url.QueryEscape(user), url.QueryEscape(password)) } }
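Review bot: The two new decode branches in ParseTokenIntrospectionRequest are identical, and the function does not document that the Basic credentials are now treated as form-encoded, which is the compatibility-relevant part of this change: a client sending a raw secret that contains `%` now gets "invalid basic auth header", and one whose secret contains `+` silently authenticates with a different value, because url.QueryUnescape maps `+` to a space. The decoding matches RFC 6749 section 2.3.1 and the encoding added to utils.AuthorizeBasic in the same commit, so the behaviour is defensible, but it should be stated on the function's doc comment, e.g. `// Credentials taken from the Authorization: Basic header are expected to be application/x-www-form-urlencoded (RFC 6749, section 2.3.1) and are unescaped before the storage lookup.` Returning the same error for both fields is good in that it does not tell the caller which value was malformed; a single shared error value (or a package-level sentinel) would make that intent explicit and remove the duplicated block. Both branches assign to an `err` declared outside the hunk; ParseTokenIntrospectionRequest starts and ends outside this hunk.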
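Review bot: The diffstat shows pkg/utils/http.go changing by a single line, so this hunk relies on `net/url` already being imported in that file; if it is not, the package no longer builds, which is worth confirming given that the token_intospection.go hunk in the same commit does add its own import. Because url.QueryEscape emits `+` for a space and percent-encodes `%`, `/`, `:` and similar characters, AuthorizeBasic now sends credentials that only a server applying the matching form-decoding (as the introspection endpoint does after this commit) will accept; if this helper is also used for requests to other endpoints, those parsers need the same treatment, which cannot be judged from this hunk. The encoding is the one RFC 6749 section 2.3.1 requires for client_id and client_secret and should be recorded on the function, e.g. `// AuthorizeBasic returns a RequestAuthorization that sets HTTP Basic credentials with user and password form-encoded (url.QueryEscape), as RFC 6749 section 2.3.1 requires.` AuthorizeBasic fits entirely within the hunk.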