OAuth2 client credentials are passed in a non standard way

[royi-frontegg]

OAuth2 credentials are passed in a non-standard way to my token endpoint and I get the client_id & client_secret in php-auth-user & php-auth-pw headers.
To solve it I added additional_parameters with the same values in order to get them to pass in urlencoded form body.

configuration example

services:
  my-service:
    url: https://my.bundle.location.com
    credentials:
      oauth2:
        token_url: "https://my-token-exchange-url.com"
        client_id: "aaaaa"
        client_secret: "ccccc"

Do you have any ideas what did I do wrong?

[anderseknert]

Hi Royi!

Nothing non-standard about how the credentials are transferred — encoding client_id and client_secret in a basic auth Authorization header is in fact the method preferred by the OAuth spec:

Including the client credentials in the request content using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

Your token server should know this, but if that's not the case, your workaround seems like a reasonable one to me.

[royi-frontegg]

@anderseknert thank you for your answer! I Appreciate it very much!

Encoding client_id & secret is the standard way, but I'm getting the following

body (form urlencoded)
grant_type=client_credentials

headers:
php-auth-user: supplied client_id
php-auth-pw: supplied client_secret

is that how it should be?
I understand client_id and secret should by part of the body as well

[anderseknert]

The php-auth-user and php-auth-pw "headers" are not something OPA sends, but likely a creation of the token server (or the framweowk it uses), sourced from the values found in the Authorization header, which is what OPA uses to transmit the client credentials, as recommended by the OAuth standard.

[royi-frontegg]

Oh I missed it... It's base64 in Auth header 🤦🏻‍♂️ thnx