Supporting basic authentication Token exchange in both the OAuth2 and OIDC handlers

[Tratcher]

#9448 (comment)

OAuth and OIDC have a standard flow of sending the clientid and secret to the token endpoint using a custom basic auth format. 4 of the auth handlers in aspnet-contrib require this flow and have to implement it manually. We expect many other providers also support this format since it's the one required in the spec.

Note the encoding is customized in the OAuth spec. (I don't think the FitBit handler is following that).
https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/blob/aad5420654c65b5fb9908ddf298dbab17076338c/src/AspNet.Security.OAuth.Fitbit/FitbitAuthenticationHandler.cs#L66-L70

@PinpointTownes

[kevinchalet]

I don't think the FitBit handler is following that

Yeah, the logic is not standard-compliant. Not sure whether it's an oversight or not (I guess it is), but here's an example of a valid basic header construction: https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions/blob/378348bb4efb1d277020e2a55f41a546368f7a31/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs#L414-L429

/cc @martincostello

[martincostello]

@PinpointTownes I'll look at updating that in aspnet-contrib/AspNet.Security.OAuth.Providers#280 based on the above sample.

[prochnowc]

@Tratcher Is there any plans to implement this in the OAuthHandler ? I need to add federation for some authority which only supports credentials via authorization header.

[Tratcher]

@prochnowc no plans at present. Only a few providers have required it, and even they don't use standard implementations.

You can handle this today the same way they did for FitBit.
https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/blob/aad5420654c65b5fb9908ddf298dbab17076338c/src/AspNet.Security.OAuth.Fitbit/FitbitAuthenticationHandler.cs#L66-L70