From: Aki Tuomi
Date: Fri, 12 May 2023 08:47:41 +0000 (+0300)
Subject: lib-oauth2: Do not send client_id and client_secret as parameters in POST queries
X-Git-Tag: 2.3.21~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ad55e6c044a15dfff553263a90af74fd2a8044d;p=thirdparty%2Fdovecot%2Fcore.git
lib-oauth2: Do not send client_id and client_secret as parameters in POST queries
They need to be configured in the URL as Basic auth instead.
---
diff --git a/src/lib-oauth2/oauth2-request.c b/src/lib-oauth2/oauth2-request.c
index 1c26e9347d..1f97295373 100644
--- a/src/lib-oauth2/oauth2-request.c
+++ b/src/lib-oauth2/oauth2-request.c
@@ -262,12 +262,8 @@ oauth2_refresh_start(const struct oauth2_settings *set,
 {
 string_t *payload = t_str_new(128);
- str_append(payload, "client_secret=");
- http_url_escape_param(payload, set->client_secret);
- str_append(payload, "&grant_type=refresh_token&refresh_token=");
+ str_append(payload, "grant_type=refresh_token&refresh_token=");
 http_url_escape_param(payload, input->token);
- str_append(payload, "&client_id=");
- http_url_escape_param(payload, set->client_id);
 return oauth2_request_start(set, input, callback, context, NULL, "POST", set->refresh_url, NULL, FALSE);
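Review bot: `payload` is built in oauth2_refresh_start but is not among the arguments of the `oauth2_request_start(...)` call that follows, which passes `NULL` just before `FALSE`; if that argument is the request body, the refresh_token form data is never sent and the call should end `set->refresh_url, payload, FALSE);`. Separately, now that client_id and client_secret are dropped from the body, a configuration that still sets them but puts no credentials in refresh_url would presumably send an unauthenticated refresh with no diagnostic. A comment above the payload such as `/* client credentials are sent as HTTP Basic auth taken from refresh_url, not from set->client_id/client_secret */` would record that contract. Since the secret now lives in the URL, it is also worth confirming that any code path logging refresh_url redacts the credential part. The function's closing brace is outside the hunk.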