danielorf opened a new issue #12182: URL: https://github.com/apache/pulsar/issues/12182

**Describe the bug**

The OAuth2 token request should use Basic auth instead of urlencoded credentials. [RFC 6749 section 2.3.1](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) (The OAuth 2.0 Authorization Framework) states:

```
Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme
```

**Expected behavior**

The OAuth2 token request should use the "Authorization: Basic ..." header for OAuth2 `client_id` and `client_secret` credential exchange.

**Additional context**

Code where client creds are being put into the body of the token request: https://github.com/apache/pulsar/blob/v2.8.1/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/protocol/TokenClient.java#L76-L77
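What the token request looks like once the credentials move from the form body into the `Authorization: Basic` header, as an added illustration written for this issue (it is not Pulsar's `TokenClient` code nor a patch to it; the token endpoint, client id, secret and audience are made-up values). The one detail worth noting is that RFC 6749 section 2.3.1 requires `client_id` and `client_secret` to be form-urlencoded individually before they are joined with `:` and base64-encoded, so a secret containing `:` or `/` still round-trips correctly:

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthTokenRequest {

    // RFC 6749 section 2.3.1: each credential is application/x-www-form-urlencoded
    // first, then "<id>:<secret>" is base64-encoded as the HTTP Basic userid/password.
    static String basicAuthHeader(String clientId, String clientSecret) {
        String user = URLEncoder.encode(clientId, StandardCharsets.UTF_8);
        String pass = URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        String raw = user + ":" + pass;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // The body now carries only the grant parameters; no client_id / client_secret.
    // (audience is the optional parameter Pulsar's OAuth2 flow sends; value is made up.)
    static String formBody(String grantType, String audience) {
        return "grant_type=" + URLEncoder.encode(grantType, StandardCharsets.UTF_8)
             + "&audience=" + URLEncoder.encode(audience, StandardCharsets.UTF_8);
    }

    static HttpRequest buildTokenRequest(URI tokenEndpoint, String clientId,
                                        String clientSecret, String audience) {
        return HttpRequest.newBuilder(tokenEndpoint)
                .header("Authorization", basicAuthHeader(clientId, clientSecret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(
                        formBody("client_credentials", audience)))
                .build();
    }

    public static void main(String[] args) {
        // Hypothetical values; nothing is sent, the request is only built and inspected.
        HttpRequest req = buildTokenRequest(
                URI.create("https://issuer.example/oauth/token"),
                "my-client", "s3cr3t:with/special chars", "urn:example:pulsar");
        System.out.println(req.method() + " " + req.uri());
        System.out.println("Authorization: "
                + req.headers().firstValue("Authorization").orElse("<none>"));
        System.out.println("Body: " + formBody("client_credentials", "urn:example:pulsar"));
    }
}
```

Sending it is a single `HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString())` call; the point of the example is that the wire request carries the credentials only in the header, which is also the form an authorization server's access logs are least likely to record by accident.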