Add ability to use non-escaped header auth style

internal/token.go

@@ -106,9 +106,10 @@ func RegisterBrokenAuthHeaderProvider(tokenURL string) {}
 type AuthStyle int
 
 const (
-	AuthStyleUnknown  AuthStyle = 0
-	AuthStyleInParams AuthStyle = 1
-	AuthStyleInHeader AuthStyle = 2
+	AuthStyleUnknown          AuthStyle = 0
+	AuthStyleInParams         AuthStyle = 1
+	AuthStyleInHeader         AuthStyle = 2
+	AuthStyleInHeaderNoEscape AuthStyle = 3
 )
 
 // authStyleCache is the set of tokenURLs we've successfully used via
@@ -173,6 +174,8 @@ func newTokenRequest(tokenURL, clientID, clientSecret string, v url.Values, auth
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	if authStyle == AuthStyleInHeader {
 		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
+	} else if authStyle == AuthStyleInHeaderNoEscape {
+		req.SetBasicAuth(clientID, clientSecret)
 	}
 	return req, nil
 }

internal/token_test.go

@@ -6,6 +6,7 @@ package internal
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"math"
@@ -35,6 +36,46 @@ func TestRetrieveToken_InParams(t *testing.T) {
 	}
 }
 
+func TestRetrieveToken_InHeader(t *testing.T) {
+	ResetAuthCache()
+	const clientID = "client-id%"
+	const clientSecret = "client-secret%"
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		token := base64.StdEncoding.EncodeToString([]byte(url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)))
+		want := fmt.Sprintf("Basic %s", token)
+		if got := r.Header.Get("Authorization"); got != want {
+			t.Errorf("Authorization header = %q; want %q", got, want)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		io.WriteString(w, `{"access_token": "ACCESS_TOKEN", "token_type": "bearer"}`)
+	}))
+	defer ts.Close()
+	_, err := RetrieveToken(context.Background(), clientID, clientSecret, ts.URL, url.Values{}, AuthStyleInHeader)
+	if err != nil {
+		t.Errorf("RetrieveToken = %v; want no error", err)
+	}
+}
+
+func TestRetrieveToken_InHeaderNoEscape(t *testing.T) {
+	ResetAuthCache()
+	const clientID = "client-id%"
+	const clientSecret = "client-secret%"
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		token := base64.StdEncoding.EncodeToString([]byte(clientID + ":" + clientSecret))
+		want := fmt.Sprintf("Basic %s", token)
+		if got := r.Header.Get("Authorization"); got != want {
+			t.Errorf("Authorization header = %q; want %q", got, want)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		io.WriteString(w, `{"access_token": "ACCESS_TOKEN", "token_type": "bearer"}`)
+	}))
+	defer ts.Close()
+	_, err := RetrieveToken(context.Background(), clientID, clientSecret, ts.URL, url.Values{}, AuthStyleInHeaderNoEscape)
+	if err != nil {
+		t.Errorf("RetrieveToken = %v; want no error", err)
+	}
+}
+
 func TestRetrieveTokenWithContexts(t *testing.T) {
 	ResetAuthCache()
 	const clientID = "client-id"

oauth2.go

@@ -97,6 +97,11 @@ const (
 	// using HTTP Basic Authorization. This is an optional style
 	// described in the OAuth2 RFC 6749 section 2.3.1.
 	AuthStyleInHeader AuthStyle = 2
+
+	// AuthStyleInHeaderNoEscape operates just like AuthStyleInHeader
+	// with the exception that the client_id and client_password are
+	// not URL escaped to accommodate services that do not suport this.
+	AuthStyleInHeaderNoEscape AuthStyle = 3
 )
 
 var (