UAA login reports error bad credentials or unable to verify credentials

Article ID: 298463

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Prior to VMware Tanzu Application Service (TAS) for VMs 2.8 (UAA release 74), UAA's implementation of basic auth via URL parameters did not support URL encoding. If you attempt to authenticate with UAA using a client secret that contains special characters, for example "https://login.system.domain?client_id=1234&client_secret=Speci&l$ecret%", the request fails because the client secret is not encoded.

If you instead URL-encode the client secret, as in "https://login.system.domain?client_id=1234&client_secret=Speci%26l%24ecret%25", UAA does not accept the encoded string and fails the client credential check.

Some errors you might see include:
Unable to verify email or password. Please try again.
{"error":"unauthorized","error_description":"Bad credentials"}


Environment

Product Version: 2.7
OS: 2.7.x

Resolution

In TAS 2.8, UAA includes a compatibility mode feature that allows clients to authenticate with URL-encoded secrets. Compatibility mode is disabled by default in the OSS UAA release 74.5.0; TAS 2.8 consumes this release but ships with compatibility mode enabled by default.

Note that this change is also included in TAS 2.6.19 and 2.7.23.

With compatibility mode enabled in TAS 2.8, clients can add the header "X-CF-ENCODED-CREDENTIALS: true" to inform UAA that it should URL-decode the client secret. See the examples below for clarity (the URL is single-quoted so that the shell does not interpret the & and $ characters):


SUCCESS: TAS 2.8 without encoded header and secret containing no special characters

curl -k -vvv 'https://login.system.domain?client_id=1234&client_secret=SpecialSecret'


SUCCESS: TAS 2.8 with encoded header and secret containing encoded special characters

curl -H "X-CF-ENCODED-CREDENTIALS: true" -k -vvv 'https://login.system.domain?client_id=1234&client_secret=Speci%26l%24ecret%25'

FAIL: TAS 2.8 with encoded header and secret containing unencoded special characters

curl -H "X-CF-ENCODED-CREDENTIALS: true" -k -vvv 'https://login.system.domain?client_id=1234&client_secret=Speci&l$ecret%'
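To make the cases above concrete, here is an added Python model of how a query-string parser sees each URL and how the compatibility-mode header changes the check. This is illustration code, not UAA's own implementation; the client registry and the check are constructed stand-ins, while the secret values and header name are the article's own.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed stand-in for UAA's client registry: client 1234 holds the
# article's special-character secret.
CLIENTS = {"1234": "Speci&l$ecret%"}
ENCODED_HEADER = "X-CF-ENCODED-CREDENTIALS"


def encode_secret(secret: str) -> str:
    """Percent-encode a secret for a query parameter (safe='' escapes '/' too)."""
    return quote(secret, safe="")


def raw_query_params(url: str) -> dict:
    """Split the query string on '&' and '=' WITHOUT percent-decoding, so the
    value is seen exactly as transmitted. An unencoded '&' inside the secret
    therefore starts a new, bogus parameter, and the secret is truncated."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(key, value)
    return params


def authenticate(url: str, headers: dict, compat_mode: bool) -> bool:
    """Compare client_secret from the URL with the registered secret.
    Pre-2.8 behaviour: compare the raw value. Compatibility mode: if the
    client sent X-CF-ENCODED-CREDENTIALS: true, percent-decode first."""
    params = raw_query_params(url)
    secret = params.get("client_secret", "")
    if compat_mode and headers.get(ENCODED_HEADER, "").lower() == "true":
        secret = unquote(secret)
    return CLIENTS.get(params.get("client_id", "")) == secret


BASE = "https://login.system.domain?client_id=1234&client_secret="
WITH_HEADER = {ENCODED_HEADER: "true"}


def article_examples() -> dict:
    """Replays the article's cases: both pre-2.8 forms fail, only the
    encoded secret plus header succeeds under compatibility mode."""
    raw = BASE + "Speci&l$ecret%"
    enc = BASE + encode_secret("Speci&l$ecret%")
    return {
        "pre-2.8 unencoded": authenticate(raw, {}, compat_mode=False),
        "pre-2.8 encoded": authenticate(enc, {}, compat_mode=False),
        "2.8 encoded + header": authenticate(enc, WITH_HEADER, compat_mode=True),
        "2.8 unencoded + header": authenticate(raw, WITH_HEADER, compat_mode=True),
    }
```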
