4

Using INTRIDEA's OAuth2 Ruby gem, is there a recommended way to add the HTTP basic authentication header using the password strategy?

This approach is recommended by IETF RFC 6749 and required by the Yahoo and RingCentral OAuth 2.0 implementations.

The required header I'm working with is of the following format:

Authorization: Basic <base 64 encoded "CLIENT_ID:CLIENT_SECRET">

The following doesn't work and doesn't seem to add the Authorization header:

require 'oauth2'

client = OAuth2::Client.new('CLIENT_ID', 'CLIENT_SECRET', :site => 'https://example.com')
# Sends client_id/client_secret as form parameters in the body, no Authorization header
token  = client.password.get_token('USERNAME', 'PASSWORD')

The following works, but is verbose:

require 'oauth2'
require 'base64'

client = OAuth2::Client.new('CLIENT_ID', 'CLIENT_SECRET', :site => 'https://example.com')
# strict_encode64 avoids the newline that Base64.encode64 appends
token  = client.password.get_token('USERNAME', 'PASSWORD',
  :headers => { 'Authorization' => 'Basic ' + Base64.strict_encode64('CLIENT_ID:CLIENT_SECRET') }
)

The password strategy examples I've seen don't explicitly include the header so I'm wondering how it's done.


1 Answer

4

After looking at the docs for the auth_code strategy and the code for oauth2/strategy/password.rb, oauth2/strategy/base.rb and oauth2/client.rb, it appears the OAuth2 gem will add the client_id and client_secret form parameters to the body but not the header. This is permitted but NOT RECOMMENDED by IETF RFC 6749. To add the IETF recommended Authorization header, it appears you need to add it as a parameter as shown above.

More info: Pull request #192 covers this but may be stalled due to backward compatibility issues.

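The following is an added example, not code from the question, the answer or the oauth2 gem. It builds the password-grant request the way RFC 6749 describes it, using only the Ruby standard library so it runs without the gem installed: client authentication goes in the Authorization header (section 2.3.1), and the grant parameters go in the form body (section 4.3.2) without repeating client_id/client_secret there. One caveat the header format in the question glosses over: RFC 6749 section 2.3.1 says client_id and client_secret are form-urlencoded before they are joined with ":" and Base64-encoded, so a secret containing ":" or "%" survives intact. The helper and parameter names (basic_auth_header, parse_basic_auth_header, password_grant_request) are this example's own, and the credentials are placeholders.

```ruby
require 'uri'

# RFC 6749 section 2.3.1 client authentication header.
# [s].pack('m0') is strict Base64 (no line breaks), the same output as
# Base64.strict_encode64 but without requiring the base64 gem.
def basic_auth_header(client_id, client_secret)
  credentials = "#{URI.encode_www_form_component(client_id)}:" \
                "#{URI.encode_www_form_component(client_secret)}"
  "Basic #{[credentials].pack('m0')}"
end

# The inverse, as a token endpoint would parse it.
# Returns [client_id, client_secret] or nil for anything malformed.
def parse_basic_auth_header(value)
  scheme, encoded = value.to_s.split(' ', 2)
  return nil unless scheme == 'Basic' && encoded
  decoded = encoded.unpack1('m0') rescue nil
  return nil unless decoded&.include?(':')
  id, secret = decoded.split(':', 2)
  [URI.decode_www_form_component(id), URI.decode_www_form_component(secret)]
end

# Resource Owner Password Credentials request (RFC 6749 section 4.3.2).
# Only the grant parameters go in the body; the client credentials are
# carried by the Authorization header, which is the recommended form.
# (The oauth2 gem's default instead puts client_id/client_secret in the body.)
def password_grant_request(client_id, client_secret, username, password, scope: nil)
  body = { 'grant_type' => 'password', 'username' => username, 'password' => password }
  body['scope'] = scope if scope
  {
    headers: {
      'Authorization' => basic_auth_header(client_id, client_secret),
      'Content-Type'  => 'application/x-www-form-urlencoded'
    },
    body: URI.encode_www_form(body)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder credentials, not real ones.
  req = password_grant_request('CLIENT_ID', 'CLIENT_SECRET', 'USERNAME', 'PASSWORD')
  puts req[:headers]['Authorization']
  puts req[:body]
end
```

The request hash can be handed to Net::HTTP or Faraday as-is; the point of the structure is that the body never carries the client secret once the header does, so a server that logs request bodies does not end up with it in a log file.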