From 0c361faeabfb2fb38040a41b74617524f5c8cebe Mon Sep 17 00:00:00 2001
From: Christoffer Hjalmarsson
Date: Fri, 28 Mar 2025 09:16:22 +0100
Subject: [PATCH] fix(common): oauth2 basic header encoding (#4927)
---
 .../src/services/oauth/flows/clientCredentials.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/packages/hoppscotch-common/src/services/oauth/flows/clientCredentials.ts b/packages/hoppscotch-common/src/services/oauth/flows/clientCredentials.ts
index 19fa0bca..cb094156 100644
--- a/packages/hoppscotch-common/src/services/oauth/flows/clientCredentials.ts
+++ b/packages/hoppscotch-common/src/services/oauth/flows/clientCredentials.ts
@@ -177,7 +177,10 @@ const getPayloadForViaBasicAuthHeader = (
 ): RelayRequest => {
 const { clientID, clientSecret, scopes, authEndpoint } = payload
- const basicAuthToken = btoa(`${clientID}:${clientSecret}`)
+ // RFC 6749 Section 2.3.1 states that the client ID and secret should be URL encoded.
+ const encodedClientID = encodeBasicAuthComponent(clientID)
+ const encodedClientSecret = encodeBasicAuthComponent(clientSecret || "")
+ const basicAuthToken = btoa(`${encodedClientID}:${encodedClientSecret}`)
 return {
 id: Date.now(),
@@ -218,3 +221,9 @@ const getPayloadForViaBody = (
 }),
 }
 }
+
+const encodeBasicAuthComponent = (component: string): string => {
+ // application/x-www-form-urlencoded expects spaces to be encoded as '+', but
+ // encodeURIComponent encodes them as '%20'.
+ return encodeURIComponent(component).replace(/%20/g, "+")
+}
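Review bot: Form-encoding the secret before Base64 (the `encodedClientSecret` line) only round-trips if the authorization server also form-decodes the Basic credentials as RFC 6749 §2.3.1 requires; servers that compare the raw secret will now reject secrets containing `/`, `+`, `=`, `:` or `@` that worked before, so this is a compatibility change as much as a fix. I would record that trade-off next to the RFC comment, e.g. `// Servers that skip RFC 6749 §2.3.1 decoding will reject secrets containing reserved characters; the raw secret is never sent.`, and consider whether users need a way to send the credentials unencoded. `clientSecret || ""` also silently turns a missing secret into an empty password, which is correct for public clients but deserves a one-line comment, since the old template literal would presumably have embedded the text "undefined" if clientSecret can be undefined. The enclosing getPayloadForViaBasicAuthHeader starts before this hunk and its returned request object continues past it.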
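Review bot: `encodeBasicAuthComponent` is not quite application/x-www-form-urlencoded: `encodeURIComponent` leaves `!'()*~` unescaped, whereas the form encoding implemented by `URLSearchParams` percent-encodes `!'()~` (and applies the space-to-`+` rule itself), so a secret containing those characters is encoded differently from what a strictly conforming server computes before comparing. If exact conformance is the goal, derive the value from the platform encoder instead of patching `%20` afterwards: `return new URLSearchParams([["v", component]]).toString().slice(2)`. Either way, a unit test pinning the output for a secret with reserved characters, e.g. `"a b:c/d+e"` → `"a+b%3Ac%2Fd%2Be"`, would keep the header from regressing silently. Note also that `encodeURIComponent` throws a `URIError` on a lone surrogate, which nothing in this hunk catches; presumably acceptable for pasted credentials, but worth a comment so the failure mode is known.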