[GH-ISSUE #3855] [bug]: OAuth 2.0 token request has JSON body #1353

Open
opened 2026-03-16 19:57:46 +03:00 by kerem · 2 comments

Originally created by @GREsau on GitHub (Feb 23, 2024).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/3855

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

As part of the flow for generating a token using OAuth 2.0 authorization, hoppscotch sends a POST request to the authorization server's token endpoint.

The request looks similar to this (unimportant request headers omitted, line breaks added for readability):

POST /auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

{
"grant_type":"authorization_code",
"code":"...",
"client_id":"...",
"client_secret":"...",
"redirect_uri":"https://hoppscotch.io/oauth",
"code_verifier":"..."
}

One problem is that, despite the fact the request content is serialized as JSON, the Content-Type request header is set to application/x-www-form-urlencoded, presumably because that's the axios default.

However, the fact the request content is JSON is itself a problem, because RFC 6749 section 4.1.3 requires that the request content is serialized to the application/x-www-form-urlencoded format. Some identity providers allow JSON requests as an extension of OAuth, but the authorization server I'm trying to use does not. According to the spec, the request should instead be something like (again, unimportant request headers omitted and line breaks added for readability):

POST /auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=...
&client_id=...
&client_secret=...
&redirect_uri=https%3A%2F%2Fhoppscotch.io%2Foauth
&code_verifier=...

Some servers may also require the client credentials to be sent in the Authorization request header using basic authentication instead of in the request content, but this is not required by the spec.

Steps to reproduce

  1. Create a new request with authorization type "OAuth 2.0"
  2. Enter valid details for an authorization server (I was unable to find a free public authorization server for easy reproduction)
  3. Open devtools with the network tab recording all requests
  4. Click "Generate Token" and login at the authorization endpoint
  5. Inspect the request to the token endpoint using devtools, note that the request payload is JSON

[image: screenshot of the token request payload in devtools, attached to the original issue]

Environment

Production

Version

Local


@GREsau commented on GitHub (Feb 23, 2024):

The actual code fix for this should be fairly straightforward - changing the JSON.stringify here to a function that serializes as form-urlencoded.

I'd be happy to submit a PR for this, although I don't know how to build the app locally to test changes.
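The form-urlencoded serializer this comment proposes in place of JSON.stringify, next to the JSON body the issue reports and the HTTP Basic client-authentication variant the issue mentions, as an added example. This is not hoppscotch's own code; the parameter shape and function names are assumptions for illustration.

```typescript
// Added example, not hoppscotch's own code: build the OAuth 2.0 token request
// body the way RFC 6749 section 4.1.3 requires (application/x-www-form-urlencoded)
// instead of JSON. The TokenRequestParams shape and helper names are assumptions.

type TokenRequestParams = {
  grant_type: "authorization_code";
  code: string;
  client_id: string;
  redirect_uri: string;
  client_secret?: string;
  code_verifier?: string;
};

// The body the issue reports: JSON text sent under a form-urlencoded Content-Type.
function buildJsonBody(p: TokenRequestParams): string {
  return JSON.stringify(p);
}

// Spec-conformant body: each parameter percent-encoded and joined with '&'.
// Undefined optionals are skipped so the string "undefined" never reaches the wire.
function buildFormBody(p: Record<string, string | undefined>): string {
  const form = new URLSearchParams();
  for (const [k, v] of Object.entries(p)) {
    if (v !== undefined) form.append(k, v);
  }
  return form.toString();
}

// Cheap sanity check a client can run before sending: a form-encoded body
// must never start with a JSON object delimiter.
function looksLikeJsonBody(body: string): boolean {
  return body.trimStart().startsWith("{");
}

// Variant for servers that require client authentication via HTTP Basic:
// client_id and client_secret leave the body and go into the Authorization
// header, each form-urlencoded before base64 as RFC 6749 section 2.3.1 specifies.
function buildBasicAuthTokenRequest(p: TokenRequestParams): {
  headers: Record<string, string>;
  body: string;
} {
  const { client_id, client_secret = "", ...rest } = p;
  const creds = `${encodeURIComponent(client_id)}:${encodeURIComponent(client_secret)}`;
  return {
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: "Basic " + btoa(creds),
    },
    body: buildFormBody(rest),
  };
}
```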


@zhuhaozheng123 commented on GitHub (Mar 7, 2024):

sda
