oauth2: remove scope & client_id params from access token request Remove "scope" & "client_id" from "token request" in the "access token request" of the "authorization code grant" flow, keeping "client_id" in case the provider is one of the known to be broken ones. Please see https://tools.ietf.org/html/rfc6749#section-4.1.3 This change is required for interoperation with OpenAM. Fixes golang/oauth2#145 Fixes golang/oauth2#110 Fixes golang/oauth2#188 Change-Id: Ie34c74980a6db7b5d34c851fb55a7d629fc7083e Reviewed-on: https://go-review.googlesource.com/23790 Reviewed-by: Chris Broadfoot <cbro@golang.org>

commit: 4464e7848382e6f39db55097f70e1460bdf944b3 [log] [tgz]
author: Pablo Lalloni <plalloni@gmail.com> Sat Jun 04 01:11:54 2016 -0300
committer: Chris Broadfoot <cbro@golang.org> Tue Feb 07 21:18:51 2017 +0000
tree: 1f686592afa3e2b37c52e029101f27980204e8b5
parent: 314dd2c0bf3ebd592ec0d20847d27e79d0dbe8dd [diff]
diff --git a/clientcredentials/clientcredentials_test.go b/clientcredentials/clientcredentials_test.go
index 061b43b..a18e95a 100644
--- a/clientcredentials/clientcredentials_test.go
+++ b/clientcredentials/clientcredentials_test.go

@@ -48,8 +48,8 @@
 		if err != nil {
 			t.Errorf("failed reading request body: %s.", err)
 		}
-		if string(body) != "client_id=CLIENT_ID&grant_type=client_credentials&scope=scope1+scope2" {
-			t.Errorf("payload = %q; want %q", string(body), "client_id=CLIENT_ID&grant_type=client_credentials&scope=scope1+scope2")
+		if string(body) != "grant_type=client_credentials&scope=scope1+scope2" {
+			t.Errorf("payload = %q; want %q", string(body), "grant_type=client_credentials&scope=scope1+scope2")
 		}
 		w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
 		w.Write([]byte("access_token=90d64460d14870c08c81352a05dedd3465940a7c&token_type=bearer"))
@@ -84,7 +84,7 @@
 			t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
 		}
 		body, _ := ioutil.ReadAll(r.Body)
-		if string(body) != "client_id=CLIENT_ID&grant_type=client_credentials&scope=scope1+scope2" {
+		if string(body) != "grant_type=client_credentials&scope=scope1+scope2" {
 			t.Errorf("Unexpected refresh token payload, %v is found.", string(body))
 		}
 	}))

diff --git a/internal/token.go b/internal/token.go
index 1c0ec76..2c1b857 100644
--- a/internal/token.go
+++ b/internal/token.go

@@ -153,9 +153,9 @@
 	if err != nil {
 		return nil, err
 	}
-	v.Set("client_id", clientID)
 	bustedAuth := !providerAuthHeaderWorks(tokenURL)
 	if bustedAuth && clientSecret != "" {
+		v.Set("client_id", clientID)
 		v.Set("client_secret", clientSecret)
 	}
 	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))

diff --git a/oauth2.go b/oauth2.go
index 7b06bfe..3e4835d 100644
--- a/oauth2.go
+++ b/oauth2.go

@@ -180,7 +180,6 @@
 		"grant_type":   {"authorization_code"},
 		"code":         {code},
 		"redirect_uri": internal.CondVal(c.RedirectURL),
-		"scope":        internal.CondVal(strings.Join(c.Scopes, " ")),
 	})
 }
 

diff --git a/oauth2_test.go b/oauth2_test.go
index e98c01a..e757b0f 100644
--- a/oauth2_test.go
+++ b/oauth2_test.go

@@ -89,7 +89,7 @@
 		if err != nil {
 			t.Errorf("Failed reading request body: %s.", err)
 		}
-		if string(body) != "client_id=CLIENT_ID&code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL&scope=scope1+scope2" {
+		if string(body) != "code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL" {
 			t.Errorf("Unexpected exchange payload, %v is found.", string(body))
 		}
 		w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
@@ -133,7 +133,7 @@
 		if err != nil {
 			t.Errorf("Failed reading request body: %s.", err)
 		}
-		if string(body) != "client_id=CLIENT_ID&code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL&scope=scope1+scope2" {
+		if string(body) != "code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL" {
 			t.Errorf("Unexpected exchange payload, %v is found.", string(body))
 		}
 		w.Header().Set("Content-Type", "application/json")
@@ -325,7 +325,7 @@
 		if err != nil {
 			t.Errorf("Failed reading request body: %s.", err)
 		}
-		expected = "client_id=CLIENT_ID&grant_type=password&password=password1&scope=scope1+scope2&username=user1"
+		expected = "grant_type=password&password=password1&scope=scope1+scope2&username=user1"
 		if string(body) != expected {
 			t.Errorf("res.Body = %q; want %q", string(body), expected)
 		}
@@ -364,7 +364,7 @@
 			t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
 		}
 		body, _ := ioutil.ReadAll(r.Body)
-		if string(body) != "client_id=CLIENT_ID&grant_type=refresh_token&refresh_token=REFRESH_TOKEN" {
+		if string(body) != "grant_type=refresh_token&refresh_token=REFRESH_TOKEN" {
 			t.Errorf("Unexpected refresh token payload, %v is found.", string(body))
 		}
 	}))
commit	4464e7848382e6f39db55097f70e1460bdf944b3	[log] [tgz]
author	Pablo Lalloni <plalloni@gmail.com>	Sat Jun 04 01:11:54 2016 -0300
committer	Chris Broadfoot <cbro@golang.org>	Tue Feb 07 21:18:51 2017 +0000
tree	1f686592afa3e2b37c52e029101f27980204e8b5
parent	314dd2c0bf3ebd592ec0d20847d27e79d0dbe8dd [diff]