
Make OAuth token endpoint work with HTTP Basic auth

Dee requested to merge DeeUnderscore/pleroma:fix/oauth-http-basic into develop

Per RFC 6749, during token requests, the client_id/client_secret pair may be sent to the server via an HTTP Basic auth header, instead of in the body of the request. This behavior is often the default in OAuth2 libraries, since it's the preferred way of sending the client secret per spec.

This MR makes it so that both authorization_code and password token requests can be sent with the client secret in the header. In addition, they can also be sent in the request body, as previously.

(Please let me know if you need this branch elsewhere for CI or whatnot)
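As an added illustration of the behaviour the MR describes (not Pleroma's code, and in Python rather than the project's Elixir), a server-side extractor that takes the client credentials from an RFC 6749 §2.3.1 Basic header first and falls back to the form body, then checks the secret in constant time. The `REGISTERED_CLIENTS` table and its values are constructed for the example.

```python
import base64
import binascii
import hmac
from typing import Mapping, Optional, Tuple
from urllib.parse import unquote

# Constructed sample registration (hypothetical values, not from Pleroma).
REGISTERED_CLIENTS = {"app-123": "s3cret-value"}


def credentials_from_basic_header(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse `Authorization: Basic base64(client_id:client_secret)`.

    RFC 6749 2.3.1 form-urlencodes both parts before base64, so each part is
    unquoted after the split on the first colon. Returns None when the header
    is absent, uses another scheme, or is not valid base64.
    """
    if not authorization:
        return None
    scheme, _, value = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(client_secret)


def client_credentials(headers: Mapping[str, str], body: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Header first, then request-body parameters, as the MR allows both."""
    from_header = credentials_from_basic_header(headers.get("Authorization"))
    if from_header is not None:
        return from_header
    if body.get("client_id") and body.get("client_secret"):
        return body["client_id"], body["client_secret"]
    return None


def authenticate_client(headers: Mapping[str, str], body: Mapping[str, str]) -> Optional[str]:
    """Return the client_id when the presented secret matches, else None."""
    creds = client_credentials(headers, body)
    if creds is None:
        return None
    client_id, presented = creds
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison so a wrong secret does not leak timing information.
    return client_id if hmac.compare_digest(presented.encode(), expected.encode()) else None
```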
