From a0dfea961fa25193d2c19b92a19e741e1fd533b3 Mon Sep 17 00:00:00 2001
From: Patrick Dawkins
Date: Fri, 1 May 2020 08:34:36 +0100
Subject: [PATCH] URL-decode client credentials in HTTP Basic auth, as described in RFC 6749

---
 src/OAuth2/ClientAssertionType/HttpBasic.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/OAuth2/ClientAssertionType/HttpBasic.php b/src/OAuth2/ClientAssertionType/HttpBasic.php
index ef6120300..a11a950af 100644
--- a/src/OAuth2/ClientAssertionType/HttpBasic.php
+++ b/src/OAuth2/ClientAssertionType/HttpBasic.php
@@ -115,7 +115,14 @@ public function getClientId()
     public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
     {
         if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
-            return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW'));
+            return array(
+                /**
+                 * client credentials are URL-encoded before being encoded in the HTTP Basic header, so we decode them here
+                 * @see http://tools.ietf.org/html/rfc6749#section-2.3.1
+                 */
+                'client_id' => urldecode($request->headers('PHP_AUTH_USER')),
+                'client_secret' => urldecode($request->headers('PHP_AUTH_PW')),
+            );
         }
 
         if ($this->config['allow_credentials_in_request_body']) {
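Review bot: The added `urldecode()` calls are applied unconditionally, so any already-registered client whose secret contains `%` or `+` and that sends it raw in the Basic header (which many clients do despite RFC 6749 §2.3.1) will stop authenticating after this change — base64-derived secrets commonly contain `+`, which `urldecode()` turns into a space. That compatibility break should at least be called out in the changelog, or gated behind a config option next to `allow_credentials_in_request_body` so operators can opt in once their clients are known to form-encode. The docblock inside the array literal would read better as a `//` comment that also records why `urldecode()` rather than `rawurldecode()` is the right decoder: `// RFC 6749 §2.3.1: client_id/client_secret are application/x-www-form-urlencoded before the Basic base64 step, so urldecode() (which maps '+' to a space, unlike rawurldecode()) is the matching decoder.` The `getClientCredentials()` method continues past the end of the hunk.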