From ffa24f74a5be9ebdf7d4d2760cf4ac9247bb7953 Mon Sep 17 00:00:00 2001
From: Xinyao
Date: Sat, 5 Apr 2025 13:02:26 +0800
Subject: [PATCH] fix(oauth): encode clientId and clientSecret in authorization header (#2120)

* fix(oauth2): encode clientId and clientSecret in authorization header

* fix(oauth2): refactor to use encodeOAuthParameter for clientId and clientSecret

* chore: lint

---------

Co-authored-by: Bereket Engida
---
 packages/better-auth/src/oauth2/refresh-access-token.ts | 5 ++++-
 packages/better-auth/src/oauth2/utils.ts | 3 +++
 .../better-auth/src/oauth2/validate-authorization-code.ts | 5 ++++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/packages/better-auth/src/oauth2/refresh-access-token.ts b/packages/better-auth/src/oauth2/refresh-access-token.ts
index f1cde691a9..cfce3de5da 100644
--- a/packages/better-auth/src/oauth2/refresh-access-token.ts
+++ b/packages/better-auth/src/oauth2/refresh-access-token.ts
@@ -1,6 +1,7 @@
 import { betterFetch } from "@better-fetch/fetch";
 import type { OAuth2Tokens } from "./types";
 import type { ProviderOptions } from "./types";
+import { encodeOAuthParameter } from "./utils";
 
 export async function refreshAccessToken({
 	refreshToken,
@@ -27,7 +28,9 @@ export async function refreshAccessToken({
 	body.set("refresh_token", refreshToken);
 	if (authentication === "basic") {
 		const encodedCredentials = btoa(
-			`${options.clientId}:${options.clientSecret}`,
+			`${encodeOAuthParameter(options.clientId)}:${encodeOAuthParameter(
+				options.clientSecret,
+			)}`,
 		);
 		headers["authorization"] = `Basic ${encodedCredentials}`;
 	} else {
diff --git a/packages/better-auth/src/oauth2/utils.ts b/packages/better-auth/src/oauth2/utils.ts
index 061b4be536..237580d0ec 100644
--- a/packages/better-auth/src/oauth2/utils.ts
+++ b/packages/better-auth/src/oauth2/utils.ts
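Review bot: The Basic-credential construction inside the `if (authentication === "basic")` branch is now duplicated verbatim between this hunk and the matching hunk in validate-authorization-code.ts, so the next change to how credentials are encoded has to be made twice; a small helper next to `encodeOAuthParameter` in utils.ts that returns the full header value, used as `headers["authorization"] = basicAuthorization(options.clientId, options.clientSecret);` at both call sites, would keep the two token endpoints from drifting. A short comment at the call site is also worth adding, because the encoding step has a second, non-obvious benefit: `encodeURIComponent` output is pure ASCII, so `btoa` can no longer throw on a client secret containing characters outside Latin-1, and a future reader should not remove the call as redundant. The `else` branch and the remainder of refreshAccessToken lie outside the hunk.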
@@ -26,3 +26,6 @@ export function getOAuth2Tokens(data: Record): OAuth2Tokens {
 		idToken: data.id_token,
 	};
 }
+
+export const encodeOAuthParameter = (value: string) => encodeURIComponent(value).replace(/%20/g, "+");
diff --git a/packages/better-auth/src/oauth2/validate-authorization-code.ts b/packages/better-auth/src/oauth2/validate-authorization-code.ts
index 886a0093a0..6069900312 100644
--- a/packages/better-auth/src/oauth2/validate-authorization-code.ts
+++ b/packages/better-auth/src/oauth2/validate-authorization-code.ts
@@ -2,6 +2,7 @@ import { betterFetch } from "@better-fetch/fetch";
 import type { ProviderOptions } from "./types";
 import { getOAuth2Tokens } from "./utils";
 import { jwtVerify } from "jose";
+import { encodeOAuthParameter } from "./utils";
 
 export async function validateAuthorizationCode({
 	code,
@@ -34,7 +35,9 @@ export async function validateAuthorizationCode({
 	body.set("redirect_uri", options.redirectURI || redirectURI);
 	if (authentication === "basic") {
 		const encodedCredentials = btoa(
-			`${options.clientId}:${options.clientSecret}`,
+			`${encodeOAuthParameter(options.clientId)}:${encodeOAuthParameter(
+				options.clientSecret,
+			)}`,
 		);
 		headers["authorization"] = `Basic ${encodedCredentials}`;
 	} else {
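Review bot: `encodeOAuthParameter` is exported without any documentation, and its contract matters because it feeds the `Authorization: Basic` value that RFC 6749 §2.3.1 requires to be form-urlencoded before base64; a TSDoc comment such as `/** Encodes an OAuth client credential as application/x-www-form-urlencoded (RFC 6749 §2.3.1, Appendix B) so it can be placed in an HTTP Basic Authorization header. */` would state that. The comment should also note that `encodeURIComponent` leaves `!'()~` unescaped whereas the form-urlencoded serializer used by `URLSearchParams` percent-encodes them; a provider that decodes the header per the RFC accepts either form, but the divergence is easy to trip over when comparing against another client's output. Because a client secret containing `:`, `+`, `%` or other reserved characters was previously sent raw, a provider that does not decode the Basic credentials may now reject it, so this behaviour change deserves a changelog entry even though it is the standards-compliant direction.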
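Review bot: The added import line pulls from `"./utils"` while the context line two above (`import { getOAuth2Tokens } from "./utils";`) already imports from the same module, leaving validate-authorization-code.ts with two import statements for one file; merging them into `import { encodeOAuthParameter, getOAuth2Tokens } from "./utils";` keeps the import block tidy and avoids a duplicate-import lint finding later. The corresponding new import in refresh-access-token.ts has no sibling import from "./utils" in its hunk and is fine as written.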