[community - oauth2] Include basic auth header for OAuth2 token introspection requests

Description

Currently no authentication is provided when the OAuth2 provider sends requests to introspect a token (for example when calling the tokeninfo/ endpoint).

As suggested by common best practices for OAuth2, authentication is highly encouraged to reduce the exposure to attacks and prevent leakage of users' private data.

The proposal is to add an auth header to the requests, with basic auth encoding of the client id and client secret: base64(client_id:client_secret)

This solution will make it compatible with several OAuth2/OIDC backends (like django-oidc-provider), which expect this header to allow the request.

Environment

None

Assignee

Alessio Fabiani

Reporter

Alessio Fabiani

Triage

None

Fix versions

Affects versions

None

Priority

Medium
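
The exchange proposed in the description, as an added example that is not part of the original ticket or the project's code: the client side builds the `Authorization: Basic base64(client_id:client_secret)` header for an introspection POST, and a minimal server-side check rejects callers that omit it or present the wrong secret. Function names, the endpoint URL and the client credentials are constructed for illustration.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus, urlencode

def basic_auth_header(client_id, client_secret):
    """Authorization value: Basic base64(client_id:client_secret)."""
    # RFC 6749 section 2.3.1 form-urlencodes both parts first, so a ':' inside
    # either value cannot shift the split point. For plain alphanumeric
    # values this is identical to the formula in the ticket.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def build_introspection_request(url, token, client_id, client_secret):
    """Return (url, headers, body) for an authenticated introspection POST."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode({"token": token})

def caller_is_authenticated(headers, registered_clients):
    """Server side: True only for a known client presenting its secret."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False  # unauthenticated introspection is refused
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed base64 or non-UTF-8 payload
    cid, sep, secret = decoded.partition(":")
    if not sep:
        return False
    expected = registered_clients.get(unquote_plus(cid))
    if expected is None:
        return False
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(unquote_plus(secret).encode(), expected.encode())

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    clients = {"geoserver-client": "s3cr3t:with/colon"}
    _, hdrs, body = build_introspection_request(
        "https://idp.example.test/tokeninfo/", "abc123",
        "geoserver-client", "s3cr3t:with/colon")
    print(body, caller_is_authenticated(hdrs, clients))
```

Because the header carries the client secret in reversible encoding, the introspection endpoint should only be called over TLS.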