oauth2: Add stripe connect to list of bad OAuth2 providers

Stripe connect only accepts the client secret via the
Authorization header, using 'Bearer' as the method (not 'Basic').

Change-Id: I978d9ce2092fbad3c1a00fde21d689c8e57a3cf1
Reviewed-on: https://go-review.googlesource.com/5532
Reviewed-by: Andrew Gerrand <adg@golang.org>
Ryan Lower 2015-02-22 14:42:53 -08:00 committed by Andrew Gerrand
parent 36fb42e1e8
commit 85a72d36ea


@ -413,6 +413,7 @@ func condVal(v string) []string {
// - Reddit only accepts client secret in the Authorization header
// - Dropbox accepts either it in URL param or Auth header, but not both.
// - Google only accepts URL param (not spec compliant?), not Auth header
// - Stripe only accepts client secret in Auth header with Bearer method, not Basic
func providerAuthHeaderWorks(tokenURL string) bool {
if strings.HasPrefix(tokenURL, "https://accounts.google.com/") ||
strings.HasPrefix(tokenURL, "https://www.googleapis.com/") ||
@ -422,7 +423,8 @@ func providerAuthHeaderWorks(tokenURL string) bool {
strings.HasPrefix(tokenURL, "https://api.dropbox.com/") ||
strings.HasPrefix(tokenURL, "https://api.soundcloud.com/") ||
strings.HasPrefix(tokenURL, "https://www.linkedin.com/") ||
strings.HasPrefix(tokenURL, "https://api.twitch.tv/") {
strings.HasPrefix(tokenURL, "https://api.twitch.tv/") ||
strings.HasPrefix(tokenURL, "https://connect.stripe.com/") {
// Some sites fail to implement the OAuth2 spec fully.
return false
}
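Review bot: The new comment line for Stripe says which header scheme Stripe accepts, but not what returning false from providerAuthHeaderWorks does with the client secret. Judging by the neighbouring entries, the secret is then presumably sent as a request parameter instead of in a Basic Authorization header; that is worth stating, because anything that logs token request parameters would then also capture the secret. I would word the entry as `// - Stripe rejects Basic auth (it expects Bearer), so the client secret is sent as a request parameter instead`. The added check is also a case-sensitive literal prefix match like the rest of the list, so a token URL with different host casing would fall through to the header path; a short note on the function saying that callers must pass the canonical lowercase endpoint would cover that. The function body continues past the end of this hunk, so the fall-through return is not visible here.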