Is there an expectation that all of these providers would/should change their implementation? It seems like there are enough reputable implementations that maybe the "broken" case should be better supported, even if the spec discourages it.
I known there's been a long discussion about this already <https://code.google.com/archive/p/goauth2/issues/31>. But it seems like that was all decided a while ago and wondering if things have changed given how long that list of busted auth providers is getting. On Wednesday, May 9, 2018 at 8:43:56 AM UTC-4, David Collier-Brown wrote: > > > > On Tuesday, May 8, 2018 at 12:22:39 PM UTC-4, Joshua Winters wrote: >> >> It seems like `https://www.gitlab.com` needs to be added to the list of >> busted auth providers in golang/oauth2. >> >> Instead of maintaining a list of these providers, can we just send the >> `client_id` and `client_secret` in both the auth header and the body with >> every request? >> > > That does encourage them to leave it broken... > Can we perhaps detect the problem and refer the developer to > > - the public list of bad actors > - the workaround > > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
