14bc4d79c1
Backport #21351

This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

> Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body

Sanity validation that client id and client secret in request are consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
- 2fa.go
- auth.go
- linkaccount.go
- main_test.go
- oauth.go
- oauth_test.go
- openid.go
- password.go
- webauthn.go