Why formUrlEncode before creating Basic authentication Base64?

[ghost]

I am currently having trouble getting Basic authentication to pass due to formUrlEncode. I have investigated and found that this occurs when the ClientSecret contains symbols.

When AuthMethod is client_secret_basic, ClientId and ClientSecret are connected by a colon to generate Base64.

Since Base64 is already URL Safe and encoded, there is no known need to encode the original string of Base64.

Due to this encoding, the original password has been determined to be incorrect by services that provide OAuth authentication services.

The service I am using is Chatwork.
https://developer.chatwork.com/docs/oauth#3%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E3%83%88%E3%83%BC%E3%82%AF%E3%83%B3%E3%81%AE%E7%99%BA%E8%A1%8C%E5%86%8D%E7%99%BA%E8%A1%8C

Reference:

• https://github.com/panva/node-openid-client/blob/main/lib/helpers/client.js#L128C26-L128C39

Best regards.

[panva]

Why formUrlEncode before creating Basic authentication Base64

Because that's what rfc6749 defines has to happen to client id and secret before being used as basic auth username and password tokens.

Your provider just doesn't implement oauth basic client authentication correctly for the secrets they generate.

[ghost]

Thank you.
I understood that it is defined in RFC6749.

I referred to other libraries, but there are cases where the strict encoding is not configured or can be specified by the user, is there any assumption that this node-openid-client will support this?

Reference:

• https://github.com/lelylan/simple-oauth2/blob/master/lib/client/credentials-encoding.js#L54
• https://github.com/mulesoft-labs/js-client-oauth2/blob/master/src/client-oauth2.js#L186

[panva]

is there any assumption that this node-openid-client will support this

No, openid-client will conform to the RFC.