Client credentials should not be included in the request body

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Call the step2_exchange method of the OAuth2WebServerFlow

What is the expected output? What do you see instead?
The library should use the HTP Basic Authentication specification and append 
the client credentials in the "Authorization" header.

Instead, the request includes the client_id and client_secret parameters with 
the rest of the params in the body of the request.

OAuth draft v2-31 stipulates:
"Including the client credentials in the request body using the two parameters 
is NOT RECOMMENDED, and SHOULD be limited to clients unable to directly utilize 
the HTTP Basic authentication scheme (or other password-based HTTP 
authentication schemes)"

What version of the product are you using? On what operating system?

Please provide any additional information below.

Original issue reported on code.google.com by mohamed....@greendizer.com on 22 Aug 2012 at 7:54

Attachments:

• use_basic_auth_patch

[GoogleCodeExporter]

Closing for now because the Google OAuth 2.0 server-side implementation 
currently doesn't support this. As it is, I would want to confirm that all 
known server implementations of OAuth 2.0 would support this before changing 
the client library.

Original comment by jcgregorio@google.com on 23 Aug 2012 at 10:49

• Changed state: Closed