Authorization Header not found in OAuth2 getOAuthAccessToken

[twhtanghk]

I run into problem in connection from passport-oauth2 to django-oauth-toolkit. When authorization is granted, getOAuthAccessToken prepare the request without authorization header including clientId and clientSecret as defined in section 4.1.3 of rfc6749. The value of the authorization header is "unicode: Bearer undefined" instead. Any hints or suggestion. Thanks.

[twhtanghk]

It is suggested to revise oauth2.js line 155-159 as follows:

  var post_data= querystring.stringify( params );
  var post_headers= {
       'Content-Type': 'application/x-www-form-urlencoded',
       'Authorization': 'Basic ' + new Buffer(this._clientId + ':' + this._clientSecret).toString('base64')
   };

Any other suggestions. Thanks

[skeggse]

I'm running into the same issue. The request body contains the id/secret, when some services require it to be in the Authorization header as a Basic auth request. I'm not familiar with the services purportedly tested with this library, but I'm guessing they accept the authorization in the body rather than the header.

[twhtanghk]

For your information, the following is mentioned in section 2.3.1 of rfc 6749.

   Including the client credentials in the request-body using the two
   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
   to directly utilize the HTTP Basic authentication scheme (or other
   password-based HTTP authentication schemes).  The parameters can only
   be transmitted in the request-body and MUST NOT be included in the
   request URI.

[daveyjones]

The Fitbit API is an example of a service that requires Basic Auth.

https://dev.fitbit.com/docs/oauth2/#access-token-request

There's currently no way to add custom headers when calling getOAuthAccessToken?

[padewitte]

Have a look to https://github.com/thegameofcode/passport-fitbit-oauth2/blob/master/lib/oauth2.js
I make my integration work by creating my strategy like this :
new OAuth2Strategy({
authorizationURL: ...,
tokenURL: ..,
clientID: ,
clientSecret: ,
callbackURL: ...,
customHeaders : { Authorization: 'Basic '+ new Buffer( + ':' + ).toString('base64') }
}

[davidyum]

Is there a PR on resolving this issue? This prevents passport from working with the Dex OIDC provider.