
OAuth Request Should Accept client_id and client_secret via Headers, Not Just in the Request Body #676

Open
@alonhar

Description

Describe the bug

When attempting to integrate with the OpenAI connector, the /token request fails because OpenAI sends the client_id and client_secret via the Authorization header, not in the request body.

The body of the /token request looks like this:

{
  "grant_type": "authorization_code",
  "code": "62cd621bf6e44fd88be3f98f3a8aba37",
  "redirect_uri": "https://chatgpt.com/connector_platform_oauth_redirect",
  "code_verifier": "mBLha_DC8fq_tnLSk3sWF0kpi3sda8yKKpsr_4k3vo"
}

Since the credentials are not in the body, the server does not recognize them and the authentication fails.


To Reproduce

Steps to reproduce the behavior:

  1. Attempt to integrate with the OpenAI connector.
  2. Use ProxyOAuthServerProvider for handling the /token request.
  3. Observe the failure due to missing credentials in the request body.

Expected behavior

From the code here, it appears that the implementation only reads client_id and client_secret from the request body.

This works for many clients, but fails in the case of OpenAI, which uses the Authorization header instead. The server should support extracting these credentials from the Authorization header (typically using Basic Auth) as well as from the body to ensure broader compatibility.
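The behaviour the report asks for is what RFC 6749 §2.3.1 calls client_secret_basic: the server must accept client credentials in an HTTP Basic Authorization header, and may additionally accept them as client_id / client_secret body parameters (client_secret_post). The following is an added illustration written for this discussion, not code from the SDK, the ProxyOAuthServerProvider, or the reporter. It assumes a minimal request shape (lowercase header names and an already-parsed form body) and shows a single extraction step that handles the header form, the body form, and a public client that sends only client_id, while rejecting a request that presents credentials both ways, which the RFC forbids. The sample request it builds mirrors the body quoted in the report (no client_id or client_secret in the body, credentials in the header) with constructed placeholder values.

```typescript
// Added example, not SDK code: extract OAuth 2.0 client credentials from a
// /token request, accepting both client_secret_basic (Authorization header)
// and client_secret_post (body), per RFC 6749 section 2.3.1.

type ClientAuthMethod = "client_secret_basic" | "client_secret_post" | "none";

interface ClientCredentials {
  clientId: string;
  clientSecret?: string; // absent for a public client (method "none")
  method: ClientAuthMethod;
}

// Hypothetical minimal request shape: header names are assumed lowercased
// (as Node's http module does) and the form body is already parsed.
interface TokenRequest {
  headers: Record<string, string | undefined>;
  body: Record<string, unknown>;
}

// RFC 6749 Appendix B: the client_id and client_secret inside the Basic
// credential are form-urlencoded before being joined with ":" and base64'd,
// so a secret containing ":" or non-ASCII bytes must be decoded here.
function decodeFormComponent(part: string): string {
  return decodeURIComponent(part.replace(/\+/g, "%20"));
}

// Parse "Basic <base64(client_id:client_secret)>"; null if malformed.
function parseBasicHeader(header: string): { clientId: string; clientSecret: string } | null {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null; // no separator: not a valid userinfo pair
  return {
    clientId: decodeFormComponent(decoded.slice(0, sep)),
    clientSecret: decodeFormComponent(decoded.slice(sep + 1)),
  };
}

function extractClientCredentials(req: TokenRequest): ClientCredentials {
  const authHeader = req.headers["authorization"];
  const bodyId = typeof req.body["client_id"] === "string" ? (req.body["client_id"] as string) : undefined;
  const bodySecret = typeof req.body["client_secret"] === "string" ? (req.body["client_secret"] as string) : undefined;

  if (authHeader !== undefined) {
    const basic = parseBasicHeader(authHeader);
    if (!basic) throw new Error("invalid_client: malformed Authorization header");
    // RFC 6749 section 2.3: a client MUST NOT use more than one authentication
    // method per request, so a secret in both places is rejected outright.
    if (bodySecret !== undefined) throw new Error("invalid_request: multiple client authentication methods");
    // A body client_id is tolerated only when it agrees with the header.
    if (bodyId !== undefined && bodyId !== basic.clientId) throw new Error("invalid_request: client_id mismatch");
    return { clientId: basic.clientId, clientSecret: basic.clientSecret, method: "client_secret_basic" };
  }

  if (bodyId === undefined) throw new Error("invalid_client: no client credentials supplied");
  if (bodySecret !== undefined) return { clientId: bodyId, clientSecret: bodySecret, method: "client_secret_post" };
  // Public client (PKCE only): identified but not authenticated by a secret.
  return { clientId: bodyId, method: "none" };
}

// Constructed sample matching the report: credentials only in the header,
// body carries grant_type / code / redirect_uri / code_verifier. Values are
// placeholders, not real credentials or codes.
function sampleBasicRequest(clientId = "example-client-id", clientSecret = "s3cr:t"): TokenRequest {
  const userinfo = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return {
    headers: { authorization: `Basic ${Buffer.from(userinfo, "utf8").toString("base64")}` },
    body: {
      grant_type: "authorization_code",
      code: "PLACEHOLDER_CODE",
      redirect_uri: "https://example.invalid/oauth/redirect",
      code_verifier: "PLACEHOLDER_VERIFIER",
    },
  };
}

// Helper that reports whether a request is rejected, so the failure paths
// can be checked as return values rather than by observing exceptions.
function rejectsWith(req: TokenRequest): string | null {
  try {
    extractClientCredentials(req);
    return null;
  } catch (e) {
    return (e as Error).message.split(":")[0];
  }
}

console.log(extractClientCredentials(sampleBasicRequest()));
```

Whatever extraction path is taken, the secret should then be compared to the stored value with a constant-time comparison (for example `crypto.timingSafeEqual` on equal-length buffers) rather than `===`, and a failed check should return the same `invalid_client` error for an unknown client_id and a wrong secret so the endpoint does not reveal which clients exist.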

Labels

bug