OAuth 2.0 Client Credentials flow does not encode client secret

[paulius-valiunas]

Expected Behavior

As described in RFC6749, both the client id and client secret values should be:

encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B

Insomnium should either encode them automatically, or at least provide a button in the UI to do it manually so I don't have to use external tools.

Actual Behavior

Insomnium skips the URL encoding step and concatenates these values exactly as they are in the UI text fields.

Reproduction Steps

No response

Is there an existing issue for this?

• I have searched the issue tracker for this problem.

Additional Information

This change is needed only when sending credentials as basic auth header. If they're sent in the request body, encoding is not required (see RFC) and current behavior works fine. However, that is not the recommended approach.

Insomnium Version

0.2.3-a

What operating system are you using?

Windows

Operating System Version

Windows 11 version 23H2

Installation method

winget

Last Known Working Insomnium version

No response

[archywillhe]

hey thanks; do you know what's the status at Kong/Insomnium's on this? Doesn't look like they follow the proposed standard too and this appears to break many existing configs users had

[paulius-valiunas]

Yeah I'm pretty sure they have the same problem. Do you think we should offer the user a choice whether to encode the credentials or not? If you want me to update my PR with that, I'll need some help with the UI for this, because I'm like a 100% backend developer 😅 but a simple checkbox might work.

On the other hand, sometimes you have to re-break what's broken to fix it. It's up to you.