14bc4d79c1
Backport #21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: zeripath <art27@cantab.net> |
||
|---|---|---|
| .. | ||
| admin | ||
| auth | ||
| dev | ||
| events | ||
| explore | ||
| feed | ||
| healthcheck | ||
| misc | ||
| org | ||
| repo | ||
| user | ||
| auth.go | ||
| auth_windows.go | ||
| base.go | ||
| goget.go | ||
| home.go | ||
| metrics.go | ||
| nodeinfo.go | ||
| swagger_json.go | ||
| web.go | ||
| webfinger.go | ||