
Allow `client_id` to be provided in Authorization header

Jamie Tanna requested to merge feature/basic-auth-client-id into develop

A number of OAuth2 clients prefer to send the client_id in the Authorization header with HTTP Basic auth, instead of in the request body.

To make it easier to interoperate with these clients, we can pull the client_id out of the Authorization header and prefer it over a client_id in the request body, in case multiple are sent.

This is made easier using the httpBasic support for MockMvc with spring-security-test.

This may be added to the IndieAuth spec (https://github.com/indieweb/indieauth/issues/76).

Closes #309 (closed).
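An added example, not code from this merge request or the project: one way to resolve the client_id as described above, in plain Java with hypothetical class and method names. It assumes clients form-urlencode the client_id before Base64 encoding, as RFC 6749 section 2.3.1 specifies, which matters here because IndieAuth client_ids are URLs and therefore contain colons.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper, not the project's code.
public class ClientIdResolver {

  // Returns the client_id carried as the Basic auth username, if the header is usable.
  static Optional<String> fromBasicHeader(String authorization) {
    if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
      return Optional.empty();
    }
    try {
      byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
      String credentials = new String(raw, StandardCharsets.UTF_8);
      int colon = credentials.indexOf(':'); // RFC 7617: username ends at the first colon
      if (colon <= 0) {
        return Optional.empty(); // no separator, or empty username
      }
      // RFC 6749 section 2.3.1: the client identifier is form-urlencoded before Base64.
      return Optional.of(URLDecoder.decode(credentials.substring(0, colon), StandardCharsets.UTF_8));
    } catch (IllegalArgumentException e) {
      return Optional.empty(); // invalid Base64 or percent-encoding: treated as absent here
    }
  }

  // The header value is preferred over the request body when both are sent.
  static Optional<String> resolve(String authorization, String bodyClientId) {
    return fromBasicHeader(authorization)
        .or(() -> Optional.ofNullable(bodyClientId).filter(s -> !s.isBlank()));
  }

  static String basic(String credentials) {
    return "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) {
    String body = "https://body.example/"; // constructed sample values throughout
    // Form-encoded client_id with an empty secret.
    System.out.println(resolve(basic("https%3A%2F%2Fapp.example%2F:"), body));
    // No header: fall back to the body parameter.
    System.out.println(resolve(null, body));
    // Unencoded URL as username: the first colon is the one after the scheme.
    System.out.println(resolve(basic("https://app.example/:"), body));
  }
}
```

The third call shows why the encoding step matters: a client that sends the raw URL as the username resolves to a client_id of `https`, so a server may want to check that the resolved value is a valid URL before using it.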
