[PR #579] [CLOSED] Don't send duplicate authentication with basic authentication #678

New issue

Closed

opened 2026-03-03 17:29:37 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 17:29:37 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/OAuthSwift/OAuthSwift/pull/579
Author: @jimmya
Created: 3/17/2020
Status: ❌ Closed

Base: master ← Head: master

📝 Commits (1)

747fabe Don't send client_id and client_secret when authenticating using basic authentication

📊 Changes

1 file changed (+4 additions, -1 deletions)

View changed files

📝 Sources/OAuth2Swift.swift (+4 -1)

📄 Description

When enabling

accessTokenBasicAuthentification

The client_id and client_secret are still sent in the POST body. Some oAuth implementations complain about this. For example Ory Hydra returns this error:

{
	"error": "invalid_client",
	"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
	"error_hint": "The OAuth 2.0 Client supports client authentication method \"client_secret_basic\", but method \"client_secret_post\" was requested. You must configure the OAuth 2.0 client's \"token_endpoint_auth_method\" value to accept \"client_secret_post\".",
	"status_code": 401
}

This PR ensures that when authenticating through basic authentication, client_id and client_secret aren't sent in the post body.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/OAuthSwift/OAuthSwift/pull/579 **Author:** [@jimmya](https://github.com/jimmya) **Created:** 3/17/2020 **Status:** ❌ Closed **Base:** `master` ← **Head:** `master` --- ### 📝 Commits (1) - [`747fabe`](https://github.com/OAuthSwift/OAuthSwift/commit/747fabef48041b0aadcc7b44886960bcdca30fe9) Don't send client_id and client_secret when authenticating using basic authentication ### 📊 Changes **1 file changed** (+4 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `Sources/OAuth2Swift.swift` (+4 -1) </details> ### 📄 Description When enabling > accessTokenBasicAuthentification The client_id and client_secret are still sent in the POST body. Some oAuth implementations complain about this. For example [Ory Hydra](https://github.com/ory/hydra) returns this error: ``` { "error": "invalid_client", "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)", "error_hint": "The OAuth 2.0 Client supports client authentication method \"client_secret_basic\", but method \"client_secret_post\" was requested. You must configure the OAuth 2.0 client's \"token_endpoint_auth_method\" value to accept \"client_secret_post\".", "status_code": 401 } ``` This PR ensures that when authenticating through basic authentication, client_id and client_secret aren't sent in the post body. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>