package oauth21_test import ( "net/http" "net/url" "strings" "testing" "github.com/stretchr/testify/require" "github.com/pomerium/pomerium/internal/oauth21" ) func TestParseTokenRequest_BasicAuth(t *testing.T) { form := url.Values{} form.Set("grant_type", "authorization_code") form.Set("code", "abc") req, err := http.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode())) require.NoError(t, err) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.SetBasicAuth("myclient", "secret") tr, err := oauth21.ParseTokenRequest(req) require.NoError(t, err) require.NotNil(t, tr.ClientId) require.Equal(t, "myclient", *tr.ClientId) require.NotNil(t, tr.ClientSecret) require.Equal(t, "secret", *tr.ClientSecret) } func TestParseTokenRequest_BasicAuthWithBodyOverride(t *testing.T) { form := url.Values{} form.Set("grant_type", "authorization_code") form.Set("code", "abc") form.Set("client_id", "bodyid") form.Set("client_secret", "bodysecret") req, err := http.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode())) require.NoError(t, err) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.SetBasicAuth("basicid", "basicsecret") tr, err := oauth21.ParseTokenRequest(req) require.NoError(t, err) require.NotNil(t, tr.ClientId) require.Equal(t, "bodyid", *tr.ClientId) // body should win require.NotNil(t, tr.ClientSecret) require.Equal(t, "bodysecret", *tr.ClientSecret) }