That's really a question for the oauth principals: if they say "don't do
that" and the customers don't listen, they have a problem to either fix
or add to the spec as supported.
We're innocent victims (;-)) and need to decide if we're supporting the
spec or the customers. Right now we're supporting the spec.
--dave
On 09/05/18 10:17 AM, jwint...@pivotal.io wrote:
Is there an expectation that all of these providers would/should
change their implementation? It seems like there are enough reputable
implementations that maybe the "broken" case should be better
supported, even if the spec discourages it.
I known there's been a long discussion about this already
<https://code.google.com/archive/p/goauth2/issues/31>. But it seems
like that was all decided a while ago and wondering if things have
changed given how long that list of busted auth providers is getting.
On Wednesday, May 9, 2018 at 8:43:56 AM UTC-4, David Collier-Brown wrote:
On Tuesday, May 8, 2018 at 12:22:39 PM UTC-4, Joshua Winters wrote:
It seems like `https://www.gitlab.com` needs to be added to
the list of busted auth providers in golang/oauth2.
Instead of maintaining a list of these providers, can we just
send the `client_id` and `client_secret` in both the auth
header and the body with every request?
That does encourage them to leave it broken...
Can we perhaps detect the problem and refer the developer to
* the public list of bad actors
* the workaround
--
You received this message because you are subscribed to a topic in the
Google Groups "golang-nuts" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/golang-nuts/iYrYz8YZuPM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
golang-nuts+unsubscr...@googlegroups.com
<mailto:golang-nuts+unsubscr...@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
dav...@spamcop.net | -- Mark Twain
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.