lib-oauth2: Do not send client_id and client_secret as parameters in POST queries

They need to be configured in the URL as Basic auth instead.

diff --git a/src/lib-oauth2/oauth2-request.c b/src/lib-oauth2/oauth2-request.c
index 1c26e9347d2acd904448ba0267448b6a0e3a9abb..1f972953731a6646baf6a1a4cb8d7c3162fbf140 100644 (file)
--- a/src/lib-oauth2/oauth2-request.c
+++ b/src/lib-oauth2/oauth2-request.c
@@ -262,12 +262,8 @@ oauth2_refresh_start(const struct oauth2_settings *set,
 {
        string_t *payload = t_str_new(128);
 
-       str_append(payload, "client_secret=");
-       http_url_escape_param(payload, set->client_secret);
-       str_append(payload, "&grant_type=refresh_token&refresh_token=");
+       str_append(payload, "grant_type=refresh_token&refresh_token=");
        http_url_escape_param(payload, input->token);
-       str_append(payload, "&client_id=");
-       http_url_escape_param(payload, set->client_id);
 
        return oauth2_request_start(set, input, callback, context, NULL,
                                    "POST", set->refresh_url, NULL, FALSE);