fix: Remove urlencode from Basic Authentication header construction

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Check existence of subject when verifying JWT #474
+- Remove incorrect URL encoding from Basic Authentication header construction (RFC 2617/7617 compliance) #466
 
 ## [1.0.1] - 2024-09-13
 

src/OpenIDConnectClient.php

@@ -841,7 +841,7 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
         if($bClientAuth) {
             $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
             if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
-                $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
+                $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
             } else {
                 $post_data['client_id']     = $this->clientID;
                 $post_data['client_secret'] = $this->clientSecret;
@@ -880,7 +880,7 @@ protected function requestTokens(string $code, array $headers = []) {
         $authorizationHeader = null;
         # Consider Basic authentication if provider config is set this way
         if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
-            $authorizationHeader = 'Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret));
+            $authorizationHeader = 'Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret);
             unset($token_params['client_secret'], $token_params['client_id']);
         }
 
@@ -962,7 +962,7 @@ public function requestTokenExchange(string $subjectToken, string $subjectTokenT
 
         # Consider Basic authentication if provider config is set this way
         if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
-            $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
+            $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
             unset($post_data['client_secret'], $post_data['client_id']);
         }
 
@@ -998,7 +998,7 @@ public function refreshToken(string $refresh_token) {
 
         # Consider Basic authentication if provider config is set this way
         if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
-            $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
+            $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
             unset($token_params['client_secret'], $token_params['client_id']);
         }
 
@@ -1644,7 +1644,7 @@ public function introspectToken(string $token, string $token_type_hint = '', ?st
         $clientSecret = $clientSecret ?? $this->clientSecret;
 
         // Convert token params to string format
-        $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
+        $headers = ['Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
             'Accept: application/json'];
 
         if ($this->supportsAuthMethod('client_secret_jwt', $token_endpoint_auth_methods_supported)) {
@@ -1685,7 +1685,7 @@ public function revokeToken(string $token, string $token_type_hint = '', ?string
 
         // Convert token params to string format
         $post_params = http_build_query($post_data, '', '&');
-        $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
+        $headers = ['Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
             'Accept: application/json'];
 
         return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers), false);

tests/OpenIDConnectClientTest.php

@@ -338,4 +338,46 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
             ],
         ];
     }
+
+    /**
+     * @dataProvider provideBasicAuthTestData
+     */
+    public function testBasicAuthenticationHeaderConstruction($clientId, $clientSecret, $expectedHeader)
+    {
+        $client = new class extends OpenIDConnectClient {
+            public function getBasicAuthHeader($clientId, $clientSecret): string
+            {
+                return 'Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret);
+            }
+        };
+
+        $actualHeader = $client->getBasicAuthHeader($clientId, $clientSecret);
+        $this->assertEquals($expectedHeader, $actualHeader);
+    }
+
+    public function provideBasicAuthTestData(): array
+    {
+        return [
+            'simple_credentials' => [
+                'client_id',
+                'client_secret',
+                'Authorization: Basic ' . base64_encode('client_id:client_secret')
+            ],
+            'with_forward_slash' => [
+                'client_id',
+                'my/secret',
+                'Authorization: Basic ' . base64_encode('client_id:my/secret')
+            ],
+            'with_special_chars' => [
+                'client@id',
+                'secret#123$%^',
+                'Authorization: Basic ' . base64_encode('client@id:secret#123$%^')
+            ],
+            'with_unicode' => [
+                'client_üid',
+                'sécret',
+                'Authorization: Basic ' . base64_encode('client_üid:sécret')
+            ],
+        ];
+    }
 }