# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1678202870 0
# Node ID 8b2a3684791215c5f567edade293b251edc9c872
# Parent  578a72982bb23ed6954c7b4f0bc586dc93714493
mod_http_oauth2: Support HTTP Basic auth on token endpoint

This is described in RFC 6749 section 2.3.1 and draft-ietf-oauth-v2-1-07 2.3.1
as the recommended way to transmit the client's credentials.

The older spec even calls it the "client password", but the new spec clarifies
that this is just another term for the client secret.

diff -r 578a72982bb2 -r 8b2a36847912 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 15:18:41 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 15:27:50 2023 +0000
@@ -456,11 +456,19 @@
 end
 
 function handle_token_grant(event)
+	local credentials = get_request_credentials(event.request);
+
 	event.response.headers.content_type = "application/json";
 	local params = http.formdecode(event.request.body);
 	if not params then
 		return error_response(event.request, oauth_error("invalid_request"));
 	end
+
+	if credentials.type == "basic" then
+		params.client_id = http.urldecode(credentials.username);
+		params.client_secret = http.urldecode(credentials.password);
+	end
+
 	local grant_type = params.grant_type
 	local grant_handler = grant_type_handlers[grant_type];
 	if not grant_handler then