
goauth2 - issue #31
only send Authorization header in updateToken, not also client_secret
Reddit's OAuth implementation requires a basic HTTP auth header containing the ClientId & ClientSecret values to be included when a token is requested.
It would be great if goauth2 supported this.
Comment #1
Posted on Feb 4, 2014 by Grumpy Cat
Attached is a patch which sends basic auth header for every request. Of course, this would need to be made optional e.g. config flag.
- oauth.patch 742
Comment #2
Posted on Jun 5, 2014 by Quick Wombat
Shouldn't this be closed as it looks like a patch was submitted to the repository?
https://code.google.com/p/goauth2/source/detail?r=696c088491246273e92442aa66b5281e5bb34faa
Comment #3
Posted on Aug 5, 2014 by Helpful Bird
For this commit, it does not work for Dropbox oauth flow. Which raises 400: err: "Can't use "Authorization" header and "client_secret" arg together."
It would be great if we can pass option in?
Comment #4
Posted on Aug 10, 2014 by Grumpy Dog
The answer isn't more options.
We should just not send the client_secret at all if servers are required to support the Authorization header. And indeed, RFC 6749 section 2.3.1 says: "The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password."
Comment #5
Posted on Aug 10, 2014 by Grumpy Dog
(No comment was entered for this change.)
Comment #6
Posted on Aug 12, 2014 by Grumpy Dog
Comment #7
Posted on Aug 12, 2014 by Grumpy Dog
This issue was closed by revision f06a85362aa5.
Comment #8
Posted on Aug 12, 2014 by Grumpy Dog
This should be fixed now. Let me know if otherwise.
Comment #9
Posted on Aug 27, 2014 by Helpful Giraffe
I came here to report that GitHub OAuth also doesn't support passing in the Secret through the Authorization header and fails with "received empty access token from authorization server" since the server returns "incorrect_client_credentials" (https://developer.github.com/v3/oauth/#common-errors-for-the-authorization-request)
Is there any other way for me to revert to the old behaviour instead of manually editing "func providerAuthHeaderWorks(tokenURL string)" to also include github.com?
Comment #10
Posted on Aug 27, 2014 by Happy Bird
If that's what GitHub requires, then we should update that function https://codereview.appspot.com/131360043
Comment #11
Posted on Aug 27, 2014 by Helpful Giraffe
Great! Optionally, the error that follows might be improved to provide more context, or it could be handy to somehow refer to this issue in the immediate: something along the lines ", this might be caused by the server not following the oAuth2 spec, @see ". It could save future developers hours of debugging and additionally might cause those developers to report failing services so they can be added to the list as soon as possible.
Comment #12
Posted on Aug 27, 2014 by Happy Bird
This issue was updated by revision 9fc9b28b7ffa.
LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://codereview.appspot.com/131360043
Committer: Brad Fitzpatrick
Comment #13
Posted on Aug 27, 2014 by Grumpy Dog
Please do file a separate bug for comment #11. This bug is closed.
I've submitted Andrew's change.
Status: Fixed
Labels:
Type-Defect
Priority-Medium
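
An added example, not part of the thread and not goauth2's own code, of the behaviour discussed in comments #4, #9 and #10: the client secret travels in exactly one place, the Basic Authorization header by default, or the form body for servers known to reject the header. The names `headerBroken`, `authHeaderWorks` and `newTokenRequest`, the host `auth.example.test` and the credential values are hypothetical; the GitHub prefix stands in for the server named in comment #9.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// headerBroken: constructed list of token-URL prefixes that reject Basic auth.
var headerBroken = []string{"https://github.com/"}

// authHeaderWorks reports whether tokenURL is assumed to accept the header.
func authHeaderWorks(tokenURL string) bool {
	for _, p := range headerBroken {
		if strings.HasPrefix(tokenURL, p) {
			return false
		}
	}
	return true
}

// newTokenRequest builds a refresh request that carries the client secret in
// exactly one place: the Basic header, or the form body as a fallback.
func newTokenRequest(tokenURL, id, secret, refresh string) (*http.Request, string, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {refresh}}
	useHeader := authHeaderWorks(tokenURL)
	if !useHeader {
		form.Set("client_id", id)
		form.Set("client_secret", secret)
	}
	body := form.Encode()
	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(body))
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if useHeader {
		req.SetBasicAuth(id, secret)
	}
	return req, body, nil
}

func main() {
	for _, u := range []string{"https://auth.example.test/token", "https://github.com/login/oauth/access_token"} {
		req, body, _ := newTokenRequest(u, "my-id", "my-secret", "r-token")
		fmt.Printf("%s\n  header set: %v\n  body: %s\n", u, req.Header.Get("Authorization") != "", body)
	}
}
```

Keeping the two paths mutually exclusive avoids the 400 reported in comment #3, where a server refused a request that carried both the header and the `client_secret` argument.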