The other thing worth noting is that gitlab can be self-hosted. So I'm not sure how it can even work under the current setup when the domain isn't static.
On Wednesday, May 9, 2018 at 10:17:40 AM UTC-4, Joshua Winters wrote: > > Is there an expectation that all of these providers would/should change > their implementation? It seems like there are enough reputable > implementations that maybe the "broken" case should be better supported, > even if the spec discourages it. > > I known there's been a long discussion about this already > <https://code.google.com/archive/p/goauth2/issues/31>. But it seems like > that was all decided a while ago and wondering if things have changed given > how long that list of busted auth providers is getting. > > > On Wednesday, May 9, 2018 at 8:43:56 AM UTC-4, David Collier-Brown wrote: >> >> >> >> On Tuesday, May 8, 2018 at 12:22:39 PM UTC-4, Joshua Winters wrote: >>> >>> It seems like `https://www.gitlab.com` needs to be added to the list of >>> busted auth providers in golang/oauth2. >>> >>> Instead of maintaining a list of these providers, can we just send the >>> `client_id` and `client_secret` in both the auth header and the body with >>> every request? >>> >> >> That does encourage them to leave it broken... >> Can we perhaps detect the problem and refer the developer to >> >> - the public list of bad actors >> - the workaround >> >> -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
