Clarify that client credentials are not passed in the URL The term "query parameters" suggested that the credentials are passed in the URL which is insecure and is actually not true as the credentials are passed in the request body. See https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/internal/token.go#L196 Change-Id: Id0a83f8d317fed30e18310b30860000109dafe88 GitHub-Last-Rev: 3961bc9affcbdb16a6e0b4db58ce0526da8e728b GitHub-Pull-Request: golang/oauth2#358 Reviewed-on: https://go-review.googlesource.com/c/157877 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit: 5dab4167f31cbd76b407f1486c86b40748bc5073 [log] [tgz]
author: Peter Dotchev <dotchev@gmail.com> Tue Jan 15 08:29:34 2019 +0000
committer: Brad Fitzpatrick <bradfitz@golang.org> Tue Jan 15 18:14:02 2019 +0000
tree: bf8e5803353133bad3ab4b26ef43b62839e0e765
parent: 36a7019397c4c86cf59eeab3bc0d188bac444277 [diff]
diff --git a/oauth2.go b/oauth2.go
index 1e8e1b7..3de6331 100644
--- a/oauth2.go
+++ b/oauth2.go

@@ -31,7 +31,7 @@
 // which doesn't support the HTTP Basic authentication
 // scheme to authenticate with the authorization server.
 // Once a server is registered, credentials (client_id and client_secret)
-// will be passed as query parameters rather than being present
+// will be passed as parameters in the request body rather than being present
 // in the Authorization header.
 // See https://code.google.com/p/goauth2/issues/detail?id=31 for background.
 func RegisterBrokenAuthHeaderProvider(tokenURL string) {
commit	5dab4167f31cbd76b407f1486c86b40748bc5073	[log] [tgz]
author	Peter Dotchev <dotchev@gmail.com>	Tue Jan 15 08:29:34 2019 +0000
committer	Brad Fitzpatrick <bradfitz@golang.org>	Tue Jan 15 18:14:02 2019 +0000
tree	bf8e5803353133bad3ab4b26ef43b62839e0e765
parent	36a7019397c4c86cf59eeab3bc0d188bac444277 [diff]