Use standard-compliant encoding

Ensure basic authentication token encoding is standard-compliant. See dotnet/aspnetcore#10615 (comment).
aspnet-contrib · Jun 4, 2019 · 637b515 · 637b515
1 parent 11a6952
commit 637b515
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 12 deletions.
diff --git a/src/AspNet.Security.OAuth.Fitbit/FitbitAuthenticationHandler.cs b/src/AspNet.Security.OAuth.Fitbit/FitbitAuthenticationHandler.cs
@@ -63,11 +63,9 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync([NotNull]
 
         protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] string code, [NotNull] string redirectUri)
         {
-            var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
-
             var request = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
+            request.Headers.Authorization = CreateAuthorizationHeader();
 
             request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
             {
@@ -92,5 +90,25 @@ protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] st
 
             return OAuthTokenResponse.Success(payload);
         }
+
+        private AuthenticationHeaderValue CreateAuthorizationHeader()
+        {
+            string EscapeDataString(string value)
+            {
+                if (string.IsNullOrEmpty(value))
+                {
+                    return null;
+                }
+
+                return Uri.EscapeDataString(value).Replace("%20", "+");
+            }
+
+            string credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(
+                string.Concat(
+                    EscapeDataString(Options.ClientId), ":",
+                    EscapeDataString(Options.ClientSecret))));
+
+            return new AuthenticationHeaderValue("Basic", credentials);
+        }
     }
 }
diff --git a/src/AspNet.Security.OAuth.Reddit/RedditAuthenticationHandler.cs b/src/AspNet.Security.OAuth.Reddit/RedditAuthenticationHandler.cs
@@ -88,11 +88,9 @@ protected override string FormatScope()
 
         protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] string code, [NotNull] string redirectUri)
         {
-            var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
-
             var request = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
+            request.Headers.Authorization = CreateAuthorizationHeader();
 
             // When a custom user agent is specified in the options, add it to the request headers
             // to override the default (generic) user agent used by the OAuth2 base middleware.
@@ -124,5 +122,25 @@ protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] st
 
             return OAuthTokenResponse.Success(payload);
         }
+
+        private AuthenticationHeaderValue CreateAuthorizationHeader()
+        {
+            string EscapeDataString(string value)
+            {
+                if (string.IsNullOrEmpty(value))
+                {
+                    return null;
+                }
+
+                return Uri.EscapeDataString(value).Replace("%20", "+");
+            }
+
+            string credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(
+                string.Concat(
+                    EscapeDataString(Options.ClientId), ":",
+                    EscapeDataString(Options.ClientSecret))));
+
+            return new AuthenticationHeaderValue("Basic", credentials);
+        }
     }
 }
diff --git a/src/AspNet.Security.OAuth.Yahoo/YahooAuthenticationHandler.cs b/src/AspNet.Security.OAuth.Yahoo/YahooAuthenticationHandler.cs
@@ -63,11 +63,9 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync([NotNull]
 
         protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] string code, [NotNull] string redirectUri)
         {
-            var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
-
             var request = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
+            request.Headers.Authorization = CreateAuthorizationHeader();
 
             request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
             {
@@ -92,5 +90,25 @@ protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] st
 
             return OAuthTokenResponse.Success(payload);
         }
+
+        private AuthenticationHeaderValue CreateAuthorizationHeader()
+        {
+            string EscapeDataString(string value)
+            {
+                if (string.IsNullOrEmpty(value))
+                {
+                    return null;
+                }
+
+                return Uri.EscapeDataString(value).Replace("%20", "+");
+            }
+
+            string credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(
+                string.Concat(
+                    EscapeDataString(Options.ClientId), ":",
+                    EscapeDataString(Options.ClientSecret))));
+
+            return new AuthenticationHeaderValue("Basic", credentials);
+        }
     }
 }
diff --git a/src/AspNet.Security.OAuth.Yandex/YandexAuthenticationHandler.cs b/src/AspNet.Security.OAuth.Yandex/YandexAuthenticationHandler.cs
@@ -63,11 +63,9 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync([NotNull]
 
         protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] string code, [NotNull] string redirectUri)
         {
-            var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
-
             var request = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
+            request.Headers.Authorization = CreateAuthorizationHeader();
 
             request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
             {
@@ -92,5 +90,25 @@ protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] st
 
             return OAuthTokenResponse.Success(payload);
         }
+
+        private AuthenticationHeaderValue CreateAuthorizationHeader()
+        {
+            string EscapeDataString(string value)
+            {
+                if (string.IsNullOrEmpty(value))
+                {
+                    return null;
+                }
+
+                return Uri.EscapeDataString(value).Replace("%20", "+");
+            }
+
+            string credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(
+                string.Concat(
+                    EscapeDataString(Options.ClientId), ":",
+                    EscapeDataString(Options.ClientSecret))));
+
+            return new AuthenticationHeaderValue("Basic", credentials);
+        }
     }
 }