
providers/oauth2: decode percent-encoded basic auth#20779

Merged
BeryJu merged 4 commits into goauthentik:main from Oluwatobi-Mustapha:fix/oauth-basic-auth-urlencoded-20739
Mar 7, 2026

Conversation

@Oluwatobi-Mustapha
Contributor

Fixes #20739

Details

extract_client_auth() now percent-decodes RFC 6749 form-encoded client_id and client_secret after Base64-decoding the HTTP Basic credential pair. It uses urllib.parse.unquote instead of unquote_plus so existing clients that send raw + characters keep their current behavior.

Added coverage for:

  • encoded client_id on the device backchannel endpoint
  • encoded client_secret on the token endpoint
  • backward compatibility for raw + in existing Basic auth credentials

Checklist

  • Local authentik/providers/oauth2/tests passes
  • Lint passes for the touched Python files

Fixes goauthentik#20739

Decode percent-encoded client credentials from HTTP Basic authentication before provider lookup while preserving existing behavior for raw plus characters. Add unit and endpoint coverage for encoded client IDs and client secrets.
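The decoding rule the description above specifies, worked through as an added example in Python. This is not authentik's code: `extract_client_auth` here is a stand-alone re-implementation of the behaviour the PR describes (Base64-decode the Basic credential, split on the first `:`, then `urllib.parse.unquote` rather than `unquote_plus`), and `CLIENT_REGISTRY`, `build_basic_header`, `raw_basic_header`, `authenticate_client` and `compare_decoders` are constructed for the example. It shows the compliant round trip from RFC 6749 section 2.3.1, why a raw `+` from a legacy client survives, and how malformed headers are rejected before any lookup.

```python
from __future__ import annotations

import base64
import binascii
import hmac
from urllib.parse import quote, unquote, unquote_plus

# Constructed registry standing in for the provider lookup; secrets are kept
# in plaintext only so the example runs offline.
CLIENT_REGISTRY: dict[str, str] = {
    "my client": "s3cr+t/=",    # registered by a client that form-encodes
    "legacy-client": "s3cr+t",  # registered by a client that never encoded
}


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side of RFC 6749 section 2.3.1 (hypothetical helper).

    Each value is application/x-www-form-urlencoded (quote with safe="" so
    ':' and '+' are escaped as well), joined with ':', then Base64-encoded.
    """
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def raw_basic_header(client_id: str, client_secret: str) -> str:
    """What a legacy client sends: the pair Base64-encoded with no escaping."""
    pair = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def extract_client_auth(authorization: str | None) -> tuple[str, str] | None:
    """Server side: Base64-decode, split on the first ':', percent-decode.

    Returns (client_id, client_secret), or None when the header is missing,
    not Basic, not valid Base64/UTF-8, or has no ':' separator.
    unquote (not unquote_plus) is deliberate: a raw '+' from a client that
    never form-encoded stays '+' instead of silently becoming a space.
    """
    if not authorization:
        return None
    scheme, _, credential = authorization.partition(" ")
    credential = credential.strip()
    if scheme.lower() != "basic" or not credential:
        return None
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(client_id), unquote(client_secret)


def authenticate_client(authorization: str | None) -> str | None:
    """Look up the decoded client_id and compare the secret in constant time.

    Returns the client_id on success, None otherwise. The lookup runs only
    after decoding, so 'my%20client' and 'my client' resolve to one record.
    """
    creds = extract_client_auth(authorization)
    if creds is None:
        return None
    client_id, client_secret = creds
    expected = CLIENT_REGISTRY.get(client_id)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), client_secret.encode("utf-8")):
        return None
    return client_id


def compare_decoders(raw_secret: str) -> dict[str, str]:
    """Show what each decoder does to a secret that was sent without encoding."""
    return {"unquote": unquote(raw_secret), "unquote_plus": unquote_plus(raw_secret)}


if __name__ == "__main__":
    # 1. Compliant client: reserved characters are escaped and round-trip intact.
    hdr = build_basic_header("my client", "s3cr+t/=")
    print(hdr, "->", extract_client_auth(hdr), "->", authenticate_client(hdr))
    # 2. Legacy client sending the raw pair: the '+' must survive decoding.
    legacy = raw_basic_header("legacy-client", "s3cr+t")
    print(legacy, "->", authenticate_client(legacy))
    print(compare_decoders("s3cr+t"))  # unquote_plus would break this login
    # 3. Malformed headers are rejected rather than raising.
    for bad in (None, "Bearer abc", "Basic !!!", "Basic bm9jb2xvbg=="):
        print(repr(bad), "->", extract_client_auth(bad))
```

Note the trade-off the choice of `unquote` carries: a secret containing a literal space would be sent by a strictly form-encoding client as `+`, which this decoder leaves as `+`; most HTTP libraries (and `quote` above) emit `%20` for spaces, which `unquote` handles correctly, so the compatibility path for raw `+` costs nothing for those clients.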
@Oluwatobi-Mustapha Oluwatobi-Mustapha requested a review from a team as a code owner March 7, 2026 09:44
@netlify

netlify bot commented Mar 7, 2026

Deploy Preview for authentik-integrations ready!

  • 🔨 Latest commit: 8fb62e1
  • 🔍 Latest deploy log: https://app.netlify.com/projects/authentik-integrations/deploys/69abf7af17cd7e0008e68766
  • 😎 Deploy Preview: https://deploy-preview-20779--authentik-integrations.netlify.app

@netlify

netlify bot commented Mar 7, 2026

Deploy Preview for authentik-storybook ready!

  • 🔨 Latest commit: f0d92bb
  • 🔍 Latest deploy log: https://app.netlify.com/projects/authentik-storybook/deploys/69ac443461deaf0008ee2c2e
  • 😎 Deploy Preview: https://deploy-preview-20779--authentik-storybook.netlify.app

@netlify

netlify bot commented Mar 7, 2026

Deploy Preview for authentik-docs ready!

  • 🔨 Latest commit: 8fb62e1
  • 🔍 Latest deploy log: https://app.netlify.com/projects/authentik-docs/deploys/69abf7af27304d00087bb183
  • 😎 Deploy Preview: https://deploy-preview-20779--authentik-docs.netlify.app

@BeryJu BeryJu added area:backend backport/version-2026.2 Add this label to PRs to backport changes to version-2026.2 labels Mar 7, 2026
@codecov

codecov bot commented Mar 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.39%. Comparing base (d8a20af) to head (f0d92bb).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #20779      +/-   ##
==========================================
- Coverage   93.43%   93.39%   -0.05%     
==========================================
  Files         983      983              
  Lines       55608    55644      +36     
==========================================
+ Hits        51960    51967       +7     
- Misses       3648     3677      +29     
Flag           Coverage   Patch       Δ
conformance    37.58%     <8.10%>     (-0.02%) ⬇️
e2e            43.12%     <8.10%>     (-0.05%) ⬇️
integration    22.32%     <2.70%>     (-0.07%) ⬇️
unit           91.58%     <100.00%>   (+<0.01%) ⬆️
unit-migrate   91.68%     <100.00%>   (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.


@BeryJu BeryJu merged commit d917fef into goauthentik:main Mar 7, 2026
101 checks passed
authentik-automation bot pushed a commit that referenced this pull request Mar 7, 2026
Fixes #20739

Decode percent-encoded client credentials from HTTP Basic authentication before provider lookup while preserving existing behavior for raw plus characters. Add unit and endpoint coverage for encoded client IDs and client secrets.
@authentik-automation
Contributor

🍒 Cherry-pick to version-2026.2 created: #20781

BeryJu pushed a commit that referenced this pull request Mar 7, 2026
… to version-2026.2) (#20781)

providers/oauth2: decode percent-encoded basic auth (#20779)

Fixes #20739

Decode percent-encoded client credentials from HTTP Basic authentication before provider lookup while preserving existing behavior for raw plus characters. Add unit and endpoint coverage for encoded client IDs and client secrets.

Co-authored-by: Oluwatobi Mustapha <oluwatobimustapha539@gmail.com>
@Oluwatobi-Mustapha Oluwatobi-Mustapha deleted the fix/oauth-basic-auth-urlencoded-20739 branch March 10, 2026 09:31
kensternberg-authentik added a commit that referenced this pull request Mar 10, 2026
* main: (23 commits)
  web: CodeSpell -> CSpell migration (#20188)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1773052201 (#20801)
  core: bump github.com/go-openapi/runtime from 0.29.2 to 0.29.3 (#20787)
  core: bump golang.org/x/sync from 0.19.0 to 0.20.0 (#20788)
  web: bump the storybook group across 1 directory with 5 updates (#20794)
  core: bump golang.org/x/oauth2 from 0.35.0 to 0.36.0 (#20789)
  core: bump goauthentik/selenium from 145.0-ak-0.40.3 to 145.0-ak-0.40.5 in /tests/e2e (#20790)
  core: bump black from 26.1.0 to 26.3.0 (#20791)
  core: bump cachetools from 7.0.3 to 7.0.4 (#20792)
  core: bump goauthentik/fips-python from `38c4dd2` to `b481db2` in /lifecycle/container (#20796)
  web: bump @rollup/plugin-commonjs from 29.0.1 to 29.0.2 in /web in the rollup group across 1 directory (#20795)
  core: bump astral-sh/uv from 0.10.8 to 0.10.9 in /lifecycle/container (#20797)
  core: bump goauthentik/fips-debian from `4966b90` to `6c9197b` in /lifecycle/container (#20798)
  web: bump @types/node from 25.3.3 to 25.3.5 in /web (#20799)
  web: bump knip from 5.85.0 to 5.86.0 in /web (#20800)
  enterprise/endpoints/connectors: add google_chrome (#19129)
  providers/oauth2: decode percent-encoded basic auth (#20779)
  web: bump immutable from 5.1.4 to 5.1.5 in /web (#20720)
  web: bump the storybook group across 1 directory with 5 updates (#20731)
  web: bump @rollup/plugin-commonjs from 29.0.0 to 29.0.1 in /web in the rollup group across 1 directory (#20732)
  ...


Development

Successfully merging this pull request may close these issues.

/application/o/token/ doesn't accept url-encoded client_id/client_secret in Basic-Auth
