This repository was archived by the owner on May 1, 2024. It is now read-only.

Don't include client secret in URL #397

Open
dendle wants to merge 1 commit into xamarin:master from dendle:master


dendle commented Jul 13, 2019

Authenticate using HTTP BASIC auth instead

Xamarin.Auth Pull Request

Fixes #261 (At least for people using identity server 4)

Checklist

  • I have included examples or tests - Cannot find a test project covering this
  • I have updated the change log - cannot find a changelog file
  • I am listed in the CONTRIBUTORS file - cannot find CONTRIBUTORS file
  • I have cleaned up the commit history (use rebase and squash)

Changes proposed in this pull request:

  • In code flow, when exchanging the code for a token at the token endpoint, correctly authenticate to the IdP using HTTP BASIC auth, and do not send the client_secret as plaintext in the URL. (Follows RFC)

Authenticate using HTTP BASIC auth instead
dendle commented Jul 14, 2019

Here's the relevant RFC section that this fix implements:
https://tools.ietf.org/html/rfc6749#section-4.1.3
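
The token request described in this pull request, as an added C# example that is not code from the PR or from Xamarin.Auth: the client authenticates with an HTTP Basic header built per RFC 6749 section 2.3.1 (client id and secret are form-urlencoded before being joined and Base64-encoded), and only the grant parameters travel in the POST body. The class name, endpoint, client id, secret, code and redirect URI are hypothetical sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

static class TokenRequestExample   // hypothetical name, not part of Xamarin.Auth
{
    // Builds the authorization-code token request (RFC 6749 section 4.1.3) with the
    // client credentials in the Authorization header instead of the URL.
    public static HttpRequestMessage Build(
        Uri tokenEndpoint, string clientId, string clientSecret,
        string code, string redirectUri)
    {
        // Basic auth is only Base64, so the secret needs TLS on the wire.
        if (tokenEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Token endpoint must use https.", nameof(tokenEndpoint));

        // Section 2.3.1: form-urlencode each part first, so a ':' or non-ASCII
        // character in the id or secret cannot break the "user:password" pair.
        string user = WebUtility.UrlEncode(clientId);
        string pass = WebUtility.UrlEncode(clientSecret);
        string basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + pass));

        var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint)
        {
            // Grant parameters go in the form body; no client_secret here or in the URL.
            Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "authorization_code",
                ["code"] = code,
                ["redirect_uri"] = redirectUri,
            })
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        return request;
    }

    static void Main()
    {
        // Constructed sample values for illustration only.
        var request = Build(new Uri("https://idp.example/connect/token"),
            "sample-client", "s3cr:et value", "SAMPLE_CODE", "com.example.app:/callback");
        Console.WriteLine(request.RequestUri);                          // URL carries no credentials
        Console.WriteLine(request.Headers.Authorization.Scheme);        // header scheme
        Console.WriteLine(request.Content.ReadAsStringAsync().Result);  // form body
    }
}
```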

Development

Successfully merging this pull request may close these issues.

Oauth2 with Authorization Code Grant not working
