From 85a72d36ea095436c19e8d43c371e963d7a0f410 Mon Sep 17 00:00:00 2001
From: Ryan Lower
Date: Sun, 22 Feb 2015 14:42:53 -0800
Subject: [PATCH] oauth2: Add stripe connect to list of bad OAuth2 providers

Stripe connect only accepts client secret using via the Authorization header using 'Bearer' as the method (not 'Basic').

Change-Id: I978d9ce2092fbad3c1a00fde21d689c8e57a3cf1
Reviewed-on: https://go-review.googlesource.com/5532
Reviewed-by: Andrew Gerrand
---
 oauth2.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/oauth2.go b/oauth2.go
index 2061ddf..b95f9ac 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -413,6 +413,7 @@ func condVal(v string) []string {
 // - Reddit only accepts client secret in the Authorization header
 // - Dropbox accepts either it in URL param or Auth header, but not both.
 // - Google only accepts URL param (not spec compliant?), not Auth header
+// - Stripe only accepts client secret in Auth header with Bearer method, not Basic
 func providerAuthHeaderWorks(tokenURL string) bool {
 if strings.HasPrefix(tokenURL, "https://accounts.google.com/") ||
 strings.HasPrefix(tokenURL, "https://www.googleapis.com/") ||
@@ -422,7 +423,8 @@ func providerAuthHeaderWorks(tokenURL string) bool {
 strings.HasPrefix(tokenURL, "https://api.dropbox.com/") ||
 strings.HasPrefix(tokenURL, "https://api.soundcloud.com/") ||
 strings.HasPrefix(tokenURL, "https://www.linkedin.com/") ||
- strings.HasPrefix(tokenURL, "https://api.twitch.tv/") {
+ strings.HasPrefix(tokenURL, "https://api.twitch.tv/") ||
+ strings.HasPrefix(tokenURL, "https://connect.stripe.com/") {
 // Some sites fail to implement the OAuth2 spec fully.
 return false
 }
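Review bot: The added `// - Stripe only accepts client secret in Auth header with Bearer method, not Basic` line says which header scheme Stripe wants, but not what returning false makes the caller do with the client secret, which is what a reader auditing credential handling needs. Presumably the secret then travels as a request parameter instead of in the Authorization header; if so, the comment could say it, e.g. `// - Stripe rejects Basic auth on the token endpoint (it expects Bearer), so the secret is sent as a parameter`. The code that consumes this result is outside the hunk, so that wording should be checked against it.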
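Review bot: The `https://connect.stripe.com/` entry extends an `||` chain of `strings.HasPrefix` calls that now decides, per provider, how the client secret is transmitted; a package-level slice of prefixes walked by a loop would make each new provider a one-line, easily reviewed addition. The match is also an exact, case-sensitive string prefix, so a token URL written with an upper-case host or an explicit `:443` would not match and would get the default header behaviour. The diffstat shows only oauth2.go changing, so no test pins the new entry. The body of providerAuthHeaderWorks continues outside the hunk.

```go
// brokenAuthHeaderProviders lists token URL prefixes of providers
// that do not accept the client secret via Basic auth.
var brokenAuthHeaderProviders = []string{
	// … unchanged: the existing provider prefixes …
	"https://api.twitch.tv/",
	"https://connect.stripe.com/",
}

func providerAuthHeaderWorks(tokenURL string) bool {
	for _, prefix := range brokenAuthHeaderProviders {
		if strings.HasPrefix(tokenURL, prefix) {
			// Some sites fail to implement the OAuth2 spec fully.
			return false
		}
	}
	// … unchanged: rest of the function …
```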