oauth2: Add stripe connect to list of bad OAuth2 providers
Stripe connect only accepts client secret using via the
Authorization header using 'Bearer' as the method (not 'Basic').
Change-Id: I978d9ce2092fbad3c1a00fde21d689c8e57a3cf1
Reviewed-on: https://go-review.googlesource.com/5532
Reviewed-by: Andrew Gerrand <adg@golang.org>
diff --git a/oauth2.go b/oauth2.go
index 2061ddf..b95f9ac 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -413,6 +413,7 @@
// - Reddit only accepts client secret in the Authorization header
// - Dropbox accepts either it in URL param or Auth header, but not both.
// - Google only accepts URL param (not spec compliant?), not Auth header
+// - Stripe only accepts client secret in Auth header with Bearer method, not Basic
func providerAuthHeaderWorks(tokenURL string) bool {
if strings.HasPrefix(tokenURL, "https://accounts.google.com/") ||
strings.HasPrefix(tokenURL, "https://www.googleapis.com/") ||
@@ -422,7 +423,8 @@
strings.HasPrefix(tokenURL, "https://api.dropbox.com/") ||
strings.HasPrefix(tokenURL, "https://api.soundcloud.com/") ||
strings.HasPrefix(tokenURL, "https://www.linkedin.com/") ||
- strings.HasPrefix(tokenURL, "https://api.twitch.tv/") {
+ strings.HasPrefix(tokenURL, "https://api.twitch.tv/") ||
+ strings.HasPrefix(tokenURL, "https://connect.stripe.com/") {
// Some sites fail to implement the OAuth2 spec fully.
return false
}
