
Prefer client_secret_post authentication method when available #191

Open: guillaume-fr wants to merge 1 commit into badgateway:main from guillaume-fr:patch-1

@guillaume-fr

No description provided.

@sbatista-uc

What's the rationale for this PR? I'd appreciate a description or comments.

@guillaume-fr
Author

That was a bit ago, I'll check later if I can find context. Sorry for not clarifying that earlier.

TBH RFC6749 says:

> Including the client credentials in the request-body using the two
> parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
> to directly utilize the HTTP Basic authentication scheme (or other
> password-based HTTP authentication schemes).

It seems wiser to default to basic auth... Maybe I had encoding issues. If I can find anything I'll add a comment here.

@guillaume-fr
Author

guillaume-fr commented Apr 24, 2026

Likely an encoding issue I had with a specific server. The existing code already mentions switching to post by default to avoid interoperability issues:

* In the future, we will switch this to 'client_secret_post', which has fewer

If you think it's a good change, I can update the PR with a similar comment in code.
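
One known interoperability problem between the two methods discussed in this thread, as an added example that is not part of the PR or the project's code: RFC 6749 section 2.3.1 has the client form-encode the id and secret before building the Basic header, so a client and server that disagree on that step reject a valid secret, while the POST body has a single encoding. The credentials are constructed sample values and the function names are hypothetical.

```javascript
// Added example: constructed sample credentials, hypothetical helper names.
const CLIENT_ID = 'billing-app';
const CLIENT_SECRET = 'k3y+with:colon/50%off';

// application/x-www-form-urlencoded encoding/decoding of one value.
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}
function formDecode(value) {
  // Escape '&' first so it is not read as a parameter separator.
  return new URLSearchParams('v=' + value.replace(/&/g, '%26')).get('v');
}

// client_secret_basic: RFC 6749 section 2.3.1 form-encodes id and secret
// before base64; encodeFirst=false models a client that skips that step.
function basicHeader(id, secret, encodeFirst) {
  const enc = encodeFirst ? formEncode : (s) => s;
  return 'Basic ' + Buffer.from(enc(id) + ':' + enc(secret), 'utf8').toString('base64');
}

// Server side: base64-decode, split on the first ':', optionally form-decode.
function parseBasic(header, decodeAfter) {
  const raw = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const i = raw.indexOf(':');
  const dec = decodeAfter ? formDecode : (s) => s;
  return { id: dec(raw.slice(0, i)), secret: dec(raw.slice(i + 1)) };
}

// client_secret_post: credentials travel as ordinary form fields.
function postBody(id, secret) {
  return new URLSearchParams({
    grant_type: 'client_credentials', client_id: id, client_secret: secret,
  }).toString();
}

// Does the server recover the exact secret for each client/server pairing?
function basicMatrix() {
  const out = {};
  for (const clientEncodes of [true, false]) {
    for (const serverDecodes of [true, false]) {
      const got = parseBasic(basicHeader(CLIENT_ID, CLIENT_SECRET, clientEncodes), serverDecodes);
      out[`client=${clientEncodes},server=${serverDecodes}`] = got.secret === CLIENT_SECRET;
    }
  }
  return out;
}

console.log(basicMatrix());
console.log(new URLSearchParams(postBody(CLIENT_ID, CLIENT_SECRET)).get('client_secret') === CLIENT_SECRET);
```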
