From 85a72d36ea095436c19e8d43c371e963d7a0f410 Mon Sep 17 00:00:00 2001
From: Ryan Lower <rpjlower@gmail.com>
Date: Sun, 22 Feb 2015 14:42:53 -0800
Subject: [PATCH] oauth2: Add stripe connect to list of bad OAuth2 providers

Stripe connect only accepts client secret using via the
Authorization header using 'Bearer' as the method (not 'Basic').

Change-Id: I978d9ce2092fbad3c1a00fde21d689c8e57a3cf1
Reviewed-on: https://go-review.googlesource.com/5532
Reviewed-by: Andrew Gerrand <adg@golang.org>
---
 oauth2.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/oauth2.go b/oauth2.go
index 2061ddf..b95f9ac 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -413,6 +413,7 @@ func condVal(v string) []string {
 // - Reddit only accepts client secret in the Authorization header
 // - Dropbox accepts either it in URL param or Auth header, but not both.
 // - Google only accepts URL param (not spec compliant?), not Auth header
+// - Stripe only accepts client secret in Auth header with Bearer method, not Basic
 func providerAuthHeaderWorks(tokenURL string) bool {
 	if strings.HasPrefix(tokenURL, "https://accounts.google.com/") ||
 		strings.HasPrefix(tokenURL, "https://www.googleapis.com/") ||
@@ -422,7 +423,8 @@ func providerAuthHeaderWorks(tokenURL string) bool {
 		strings.HasPrefix(tokenURL, "https://api.dropbox.com/") ||
 		strings.HasPrefix(tokenURL, "https://api.soundcloud.com/") ||
 		strings.HasPrefix(tokenURL, "https://www.linkedin.com/") ||
-		strings.HasPrefix(tokenURL, "https://api.twitch.tv/") {
+		strings.HasPrefix(tokenURL, "https://api.twitch.tv/") ||
+		strings.HasPrefix(tokenURL, "https://connect.stripe.com/") {
 		// Some sites fail to implement the OAuth2 spec fully.
 		return false
 	}