oauth2: remove scope & client_id params from access token request

Remove "scope" & "client_id" from "token request" in the "access token 
request" of the "authorization code grant" flow, keeping "client_id"
in case the provider is one of the known to be broken ones.

Please see https://tools.ietf.org/html/rfc6749#section-4.1.3

This change is required for interoperation with OpenAM.

Fixes golang/oauth2#145
Fixes golang/oauth2#110
Fixes golang/oauth2#188

Change-Id: Ie34c74980a6db7b5d34c851fb55a7d629fc7083e
Reviewed-on: https://go-review.googlesource.com/23790
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Pablo Lalloni
2016-06-04 01:11:54 -03:00
committed by Chris Broadfoot
parent 314dd2c0bf
commit 4464e78483
4 changed files with 8 additions and 9 deletions

@@ -153,9 +153,9 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
if err != nil {
return nil, err
}
v.Set("client_id", clientID)
bustedAuth := !providerAuthHeaderWorks(tokenURL)
if bustedAuth && clientSecret != "" {
v.Set("client_id", clientID)
v.Set("client_secret", clientSecret)
}
req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))
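Review bot: With `v.Set("client_id", clientID)` now only inside `if bustedAuth && clientSecret != ""`, a client configured with an empty clientSecret no longer gets client_id set in the form body by the lines shown here, on broken and working providers alike. RFC 6749 section 4.1.3 makes client_id REQUIRED when the client is not authenticating with the authorization server, so a public client's token request would not identify the client. Suggest splitting the condition: set client_id when `bustedAuth || clientSecret == ""`, and set client_secret only when `bustedAuth && clientSecret != ""`. A test for the empty-secret case against both provider kinds would pin the behaviour down.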