URL-decode client credentials in HTTP Basic auth, as described in RFC 6749

pjcdawkins · pjcdawkins · commit a0dfea961fa2 · 2020-05-01T08:34:36.000+01:00
diff --git a/src/OAuth2/ClientAssertionType/HttpBasic.php b/src/OAuth2/ClientAssertionType/HttpBasic.php
@@ -115,7 +115,14 @@ public function getClientId()
     public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
     {
         if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
-            return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW'));
+            return array(
+                /**
+                 * client credentials are URL-encoded before being encoded in the HTTP Basic header, so we decode them here
+                 * @see http://tools.ietf.org/html/rfc6749#section-2.3.1
+                 */
+                'client_id' => urldecode($request->headers('PHP_AUTH_USER')),
+                'client_secret' => urldecode($request->headers('PHP_AUTH_PW')),
+            );
         }
 
         if ($this->config['allow_credentials_in_request_body']) {
