From c3aa6a1ee3fd358a684ca2288fbd67034a65403e Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Wed, 2 Mar 2016 16:41:13 -0800
Subject: [PATCH] server: correctly decode oauth2 basic auth credentials

Fixes #336
---
 server/http.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/server/http.go b/server/http.go
index 89a8a578..a9d2bc46 100644
--- a/server/http.go
+++ b/server/http.go
@@ -434,7 +434,21 @@ func handleTokenFunc(srv OIDCServer) http.HandlerFunc {
 return
 }

- creds := oidc.ClientCredentials{ID: user, Secret: password}
+ decodedUser, err := url.QueryUnescape(user)
+ if err != nil {
+ log.Errorf("error decoding user: %v", err)
+ writeTokenError(w, oauth2.NewError(oauth2.ErrorInvalidClient), state)
+ return
+ }
+
+ decodedPassword, err := url.QueryUnescape(password)
+ if err != nil {
+ log.Errorf("error decoding password: %v", err)
+ writeTokenError(w, oauth2.NewError(oauth2.ErrorInvalidClient), state)
+ return
+ }
+
+ creds := oidc.ClientCredentials{ID: decodedUser, Secret: decodedPassword}

 var jwt *jose.JWT
 var refreshToken string
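Review bot: The password branch logs the `url.QueryUnescape` error with `%v`, and that error (`url.EscapeError`) quotes the offending escape sequence, so up to three bytes of a malformed client secret are written to the server log. Drop the error value on that path, e.g. `log.Errorf("error decoding client secret: invalid percent-encoding")`, and consider doing the same in the user branch so the two stay parallel. Separately, `QueryUnescape` turns `+` into a space and rejects a stray `%`, so a client that sends its secret unencoded and has either character in it will now get invalid_client. A comment above the decode, such as `// RFC 6749 section 2.3.1: client id and secret are form-urlencoded before Basic encoding`, would make that contract explicit. The handler body starts and ends outside this hunk.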