The OAuth2 client violates the RFC 6749 spec for Basic Auth when encoding client_id & password

[schlenk]

Describe the bug
RFC 6749 states in 2.3.1 that the client_id and password must be URL encoded before being base64 encoded.
(also see the errata https://www.rfc-editor.org/errata/eid4749 which clarifies it).

The current code in oauth2.py does not do the urlencoding step as far as i can see:

microsoft-authentication-library-for-python/msal/oauth2cli/oauth2.py

Line 208 in 0ced4cb

_headers["Authorization"] = "Basic " + base64.b64encode(

[rayluo]

Thanks for the nice finding! Out of curiosity, you were just doing a code review, weren't you? Your existing Microsoft Identity confidential app powered by MSAL still works, doesn't it?
Or, are you using MSAL on other identity platform?

[schlenk]

It got mentioned in a bugreport for CZ-NIC/pyoidc#754 and as we decided that we were spec compliant there, i reported it here. So this might actually be buggy on the Azure server side too, did not try with a proper client_id/secret that needs to be quoted.

[rayluo]

OK then. For the record, Microsoft identity system is not susceptible to this tricky issue, because:

• client_id and client_secret generated by Azure AD does not contain special characters, so that encoding would be a no-op anyway.
• This MSAL Python library runs a different code path.

We will still make some change to make our code base conceptually right, but our existing customers would not be affected by this.

[rayluo]

Fixed. Again, this does not affect our existing customers.