url-encode client_id/client_secret; closes #204 and #205

conforming to: https://tools.ietf.org/html/rfc6749#section-2.3.1
thanks @grrolland

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+10/11/2018
+- url-encode client_id/client_secret; closes #204 and #205; thanks @grrolland
+  https://tools.ietf.org/html/rfc6749#section-2.3.1
+
 10/8/2018
 - make call_token_endpoint a public function
 

README.md

@@ -118,8 +118,11 @@ http {
              -- and could not set the hostname
 
              discovery = "https://accounts.google.com/.well-known/openid-configuration",
+             -- For non compliant OPs to OAuth 2.0 RFC 6749 for client Authentication (cf. https://tools.ietf.org/html/rfc6749#section-2.3.1)
+             -- client_id and client_secret MUST be invariant when url encoded
              client_id = "<client_id>",
-             client_secret = "<client_secret>"
+             client_secret = "<client_secret>",
+              
              --authorization_params = { hd="zmartzone.eu" },
              --scope = "openid email profile",
              -- Refresh the users id_token after 900 seconds without requiring re-authentication

lib/resty/openidc.lua

@@ -391,7 +391,7 @@ function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
   if auth then
     if auth == "client_secret_basic" then
       if opts.client_secret then
-        headers.Authorization = "Basic " .. b64(opts.client_id .. ":" .. opts.client_secret)
+          headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":" .. ngx.escape_uri(opts.client_secret))
       else
       -- client_secret must not be set if Windows Integrated Authentication (WIA) is used with
       -- Active Directory Federation Services (AD FS) 4.0 (or newer) on Windows Server 2016 (or newer)