Problem
authorization-derive/src/lib.rs encodes Basic auth credentials using general_purpose::STANDARD_NO_PAD:
// line 221 (Basic flow) and line 397 (Keycloak flow)
let encoded_auth = general_purpose::STANDARD_NO_PAD
    .encode(format!("{}:{}", &self.login, &self.password));
RFC 7617 (HTTP Basic Auth) requires standard Base64 with padding characters (=). STANDARD_NO_PAD omits the trailing = padding, producing a non-conformant credential string. Strict RFC implementations on the server side reject it with a 401 Unauthorized, which is indistinguishable from a wrong-password error.
Fix
Replace STANDARD_NO_PAD with STANDARD:
use base64::engine::general_purpose::STANDARD;
let encoded_auth = STANDARD.encode(format!("{}:{}", &self.login, &self.password));
The same fix applies to both affected sites: the Basic derive path (line 221) and the Keycloak Authorization: Basic <client_id:client_secret> header (line 397).
Impact
All users of #[derive(Basic)] and #[derive(Keycloak)] against RFC-compliant servers receive unexpected 401 errors that appear to be credential errors.
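The difference between the two encodings, as an added example that is not code from authorization-derive: it builds the Basic header with and without padding and runs a strict shape check over the result. Assumptions: the hand-rolled `b64_encode` stands in for the base64 crate's `STANDARD` and `STANDARD_NO_PAD` engines so the block runs without dependencies, `basic_header` and `is_padded_base64` are hypothetical names, the strict check is one way a server could validate the token, and the credentials are constructed samples.

```rust
// Added example: hand-rolled RFC 4648 Base64 so it runs without the base64 crate.
const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// `pad = true` mirrors `STANDARD`, `pad = false` mirrors `STANDARD_NO_PAD`.
fn b64_encode(input: &[u8], pad: bool) -> String {
    let mut out = String::new();
    for chunk in input.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = (b[0] as u32) << 16 | (b[1] as u32) << 8 | (b[2] as u32);
        // A chunk of k bytes carries k + 1 significant characters.
        for i in 0..=chunk.len() {
            out.push(ALPHABET[((n >> (18 - 6 * i)) & 63) as usize] as char);
        }
        if pad {
            for _ in chunk.len()..3 {
                out.push('=');
            }
        }
    }
    out
}

/// Value of the Authorization header for the given credentials.
fn basic_header(login: &str, password: &str, pad: bool) -> String {
    format!("Basic {}", b64_encode(format!("{}:{}", login, password).as_bytes(), pad))
}

/// Shape check a strict server could apply (assumed behaviour): length a
/// multiple of 4, alphabet characters only, at most two trailing '='.
fn is_padded_base64(token: &str) -> bool {
    let body = token.trim_end_matches('=');
    token.len() % 4 == 0
        && token.len() - body.len() <= 2
        && body.bytes().all(|c| ALPHABET.contains(&c))
}

fn main() {
    // Constructed sample credentials, not taken from the project.
    for &(login, password) in &[("user", "pass"), ("Aladdin", "open sesame"), ("svc", "s3cret")] {
        for &pad in &[false, true] {
            let header = basic_header(login, password, pad);
            let token = header.trim_start_matches("Basic ");
            println!("pad={:<5} {:<36} strict-ok={}", pad, header, is_padded_base64(token));
        }
    }
}
```

The two encodings are identical when the byte length of `login:password` is a multiple of 3 (as with `user:pass`), so the rejection only appears for some credentials, which makes it look even more like a wrong password.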