mod_http_oauth2: Support HTTP Basic auth on token endpoint
This is described in RFC 6749 section 2.3.1 and draft-ietf-oauth-v2-1-07 2.3.1
as the recommended way to transmit the client's credentials.
The older spec even calls it the "client password", but the new spec clarifies
that this is just another term for the client secret.
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 07 15:18:41 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 07 15:27:50 2023 +0000
@@ -456,11 +456,19 @@
end
function handle_token_grant(event)
+ local credentials = get_request_credentials(event.request);
+
event.response.headers.content_type = "application/json";
local params = http.formdecode(event.request.body);
if not params then
return error_response(event.request, oauth_error("invalid_request"));
end
+
+ if credentials.type == "basic" then
+ params.client_id = http.urldecode(credentials.username);
+ params.client_secret = http.urldecode(credentials.password);
+ end
+
local grant_type = params.grant_type
local grant_handler = grant_type_handlers[grant_type];
if not grant_handler then