happydpc / goauth2

Automatically exported from code.google.com/p/goauth2
BSD 3-Clause "New" or "Revised" License

only send Authorization header in updateToken, not also client_secret #31

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

Reddit's OAuth implementation requires a basic HTTP auth header containing the 
ClientId & ClientSecret values to be included when a token is requested.

It would be great if goauth2 supported this.

Original issue reported on code.google.com by porj...@yahoo.com.au on 4 Feb 2014 at 7:50

GoogleCodeExporter commented 9 years ago
Attached is a patch which sends basic auth header for every request. Of course, 
this would need to be made optional e.g. config flag.

Original comment by porj...@yahoo.com.au on 4 Feb 2014 at 10:14

GoogleCodeExporter commented 9 years ago
Shouldn't this be closed as it looks like a patch was submitted to the 
repository?

https://code.google.com/p/goauth2/source/detail?r=696c088491246273e92442aa66b5281e5bb34faa

Original comment by prat...@referabuyer.com on 5 Jun 2014 at 4:08

GoogleCodeExporter commented 9 years ago
This commit does not work for the Dropbox OAuth flow, which raises a 400:
err: "Can't use "Authorization" header and "client_secret" arg together."

It would be great if we could pass an option in?

Original comment by cls...@gmail.com on 5 Aug 2014 at 10:24

GoogleCodeExporter commented 9 years ago
The answer isn't more options.

We should just not send the client_secret at all if servers are required to 
support the Authorization header. And indeed, RFC 6749 section 2.3.1 says: "The 
authorization server MUST support the HTTP Basic authentication scheme for 
authenticating clients that were issued a client password."

Original comment by bradfitz@golang.org on 10 Aug 2014 at 6:02

GoogleCodeExporter commented 9 years ago

Original comment by bradfitz@golang.org on 10 Aug 2014 at 6:02

GoogleCodeExporter commented 9 years ago
Sent https://codereview.appspot.com/123250044

Original comment by bradfitz@golang.org on 12 Aug 2014 at 6:55

GoogleCodeExporter commented 9 years ago
This issue was closed by revision f06a85362aa5.

Original comment by bradfitz@golang.org on 12 Aug 2014 at 8:58

GoogleCodeExporter commented 9 years ago
This should be fixed now. Let me know if otherwise.

Original comment by bradfitz@golang.org on 12 Aug 2014 at 8:58

GoogleCodeExporter commented 9 years ago
I came here to report that GitHub OAuth also doesn't support passing in the 
Secret through the Authorization header and fails with "received empty access 
token from authorization server" since the server returns 
"incorrect_client_credentials" 
(https://developer.github.com/v3/oauth/#common-errors-for-the-authorization-request) 

Is there any other way for me to revert to the old behaviour instead of manually 
editing "func providerAuthHeaderWorks(tokenURL string)" to also include 
github.com?

Original comment by advander...@gmail.com on 27 Aug 2014 at 8:08

GoogleCodeExporter commented 9 years ago
If that's what GitHub requires, then we should update that function 
https://codereview.appspot.com/131360043

Original comment by a...@golang.org on 27 Aug 2014 at 8:51

GoogleCodeExporter commented 9 years ago
Great! Optionally, the error that follows might be improved to provide more 
context, or it could be handy to somehow refer to this issue in the immediate: 
something along the lines of "<error>, this might be caused by the server not 
following the OAuth2 spec, @see <some link>". It could save future developers 
hours of debugging and additionally might cause those developers to 
report failing services so they can be added to the list as soon as possible.

Original comment by advander...@gmail.com on 27 Aug 2014 at 9:10

GoogleCodeExporter commented 9 years ago
This issue was updated by revision 9fc9b28b7ffa.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://codereview.appspot.com/131360043

Committer: Brad Fitzpatrick <bradfitz@golang.org>

Original comment by a...@golang.org on 27 Aug 2014 at 3:36

GoogleCodeExporter commented 9 years ago
Please do file a separate bug for comment #11. This bug is closed.

I've submitted Andrew's change.

Original comment by bradfitz@golang.org on 27 Aug 2014 at 3:37
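The behaviour this thread converged on, as an added example that is not goauth2's code: a token refresh request authenticates the client with the Basic header or with body parameters, never both. The names `bodyCredentialHosts`, `useAuthHeader` and `newTokenRequest`, the `auth.example.com` endpoint and the sample credentials are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Hosts needing credentials in the form body (constructed list; github.com is from the thread).
var bodyCredentialHosts = map[string]bool{"github.com": true}

// useAuthHeader matches the parsed host exactly, so "github.com.example.net" is not exempted.
func useAuthHeader(tokenURL string) bool {
	u, err := url.Parse(tokenURL)
	if err != nil {
		return true // unparseable URL: keep the RFC default; NewRequest will reject it
	}
	return !bodyCredentialHosts[strings.ToLower(u.Hostname())]
}

// newTokenRequest builds a refresh request that authenticates the client by one method only.
func newTokenRequest(tokenURL, clientID, clientSecret, refreshToken string) (*http.Request, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refreshToken}}
	header := useAuthHeader(tokenURL)
	if !header {
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	}
	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if header {
		// RFC 6749 section 2.3.1: form-urlencode both values before Basic encoding.
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

func main() {
	for _, u := range []string{"https://auth.example.com/token", "https://github.com/login/oauth/access_token"} {
		req, err := newTokenRequest(u, "id", "s3cret", "rt")
		if err != nil {
			panic(err)
		}
		fmt.Println(u, "Authorization header set:", req.Header.Get("Authorization") != "")
	}
}
```

Comparing the parsed hostname rather than a prefix of the URL string keeps a lookalike host from changing where the client secret is sent.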