This fixes error "unauthorized_client: invalid client secret" when
client includes secret in Authorization header rather than request body.
OAuth spec permits both.
Sanity validation that client id and client secret in request are
consistent with Authorization header.
Improve error descriptions. Error codes remain the same.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
// AccessTokenOAuth manages all access token requests by the client
funcAccessTokenOAuth(ctx*context.Context){
form:=*web.GetForm(ctx).(*forms.AccessTokenForm)
ifform.ClientID==""{
// if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header