From 9ad55e6c044a15dfff553263a90af74fd2a8044d Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Fri, 12 May 2023 11:47:41 +0300
Subject: [PATCH] lib-oauth2: Do not send client_id and client_secret as parameters in POST queries

They need to be configured in the URL as Basic auth instead.
---
 src/lib-oauth2/oauth2-request.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/lib-oauth2/oauth2-request.c b/src/lib-oauth2/oauth2-request.c
index 1c26e9347d..1f97295373 100644
--- a/src/lib-oauth2/oauth2-request.c
+++ b/src/lib-oauth2/oauth2-request.c
@@ -262,12 +262,8 @@ oauth2_refresh_start(const struct oauth2_settings *set,
 {
 string_t *payload = t_str_new(128);
- str_append(payload, "client_secret=");
- http_url_escape_param(payload, set->client_secret);
- str_append(payload, "&grant_type=refresh_token&refresh_token=");
+ str_append(payload, "grant_type=refresh_token&refresh_token=");
 http_url_escape_param(payload, input->token);
- str_append(payload, "&client_id=");
- http_url_escape_param(payload, set->client_id);
 return oauth2_request_start(set, input, callback, context, NULL, "POST", set->refresh_url, NULL, FALSE);
-- 
2.47.3
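Review bot: With `client_id` and `client_secret` no longer appended in `oauth2_refresh_start`, the client secret now has to live inside `set->refresh_url`, so the URL itself becomes sensitive and nothing at this call site says so. I would add a comment above the new `str_append` line, e.g. `/* client credentials are not sent in the body; they must be given as userinfo in refresh_url (HTTP Basic auth), so treat refresh_url as a secret when logging */`. A configuration that still sets `client_id`/`client_secret` but has no userinfo in the URL will presumably send an unauthenticated refresh request with no diagnostic, so a warning for that case would help operators who are migrating. Separately, the visible call passes `NULL` rather than `payload` after `set->refresh_url`; the signature of `oauth2_request_start` is outside the hunk, so confirm that the body built here is actually attached to the request. The function's signature begins above the hunk.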