oauth2: remove scope & client_id params from access token request

Remove "scope" & "client_id" from "token request" in the "access token
request" of the "authorization code grant" flow, keeping "client_id"
in case the provider is one of those known to be broken.

Please see https://tools.ietf.org/html/rfc6749#section-4.1.3

This change is required for interoperation with OpenAM.

Fixes golang/oauth2#145
Fixes golang/oauth2#110
Fixes golang/oauth2#188

Change-Id: Ie34c74980a6db7b5d34c851fb55a7d629fc7083e
Reviewed-on: https://go-review.googlesource.com/23790
Reviewed-by: Chris Broadfoot <cbro@golang.org>
This commit is contained in:
Pablo Lalloni
2016-06-04 01:11:54 -03:00
committed by Chris Broadfoot
parent 314dd2c0bf
commit 4464e78483
4 changed files with 8 additions and 9 deletions

@@ -180,7 +180,6 @@ func (c *Config) Exchange(ctx context.Context, code string) (*Token, error) {
"grant_type": {"authorization_code"},
"code": {code},
"redirect_uri": internal.CondVal(c.RedirectURL),
"scope": internal.CondVal(strings.Join(c.Scopes, " ")),
})
}
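
Review bot: The `"scope"` entry dropped from the `url.Values` in `Exchange` has no accompanying test visible here; add one asserting that the token request body carries `grant_type`, `code` and `redirect_uri` but no `scope`, so the RFC 6749 section 4.1.3 shape does not regress. The doc comment on `Exchange` should also state that `c.Scopes` is not sent at exchange time, since callers may have relied on it. The `client_id` handling for known-broken providers described in the commit message is not part of this hunk, so it cannot be checked from these lines.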