This is called from a BaseOAuth event in beforeApiRequestSend
The applyAccessTokenToRequest should either default to use Bearer Header Tokens, or be configurable like the Server REST/Oauth2 implementations are configured with Authorization behaviour filters (of course using a method/attribute not filters).
Since most Oauth2/REST servers require Authorization Bearer Headers, how did this implementation ever work, or am I missing something?
I think the default Oauth2 client should (have at least the option to) set the Authorization header.
According to The OAuth 2.0 Authorization Framework RFC, in the chapter Accessing Protected Resources:
The method in which the client utilizes the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP "Authorization" request header field ...
Latest Yii2 version, in yii2-authclient/src/OAuth2.php, Line 171
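One way to get the behaviour requested in this issue is to override applyAccessTokenToRequest in a subclass. This is an added example, not part of the thread or of yii2-authclient; it assumes yiisoft/yii2-authclient is installed, and the namespace, the class name BearerHeaderOAuth2 and the $useBearerHeader property are hypothetical.

```php
<?php
// Added example, not yii2-authclient code.
// Assumes the yiisoft/yii2-authclient package is installed via Composer.

namespace app\components; // hypothetical namespace

use yii\authclient\OAuth2;

/**
 * Base class for concrete OAuth2 clients that must send the access token
 * in the HTTP Authorization header. Kept abstract so that each concrete
 * client still supplies its own endpoints and initUserAttributes().
 */
abstract class BearerHeaderOAuth2 extends OAuth2
{
    /**
     * @var bool hypothetical switch: true sends the token as an
     * "Authorization: Bearer" header, false keeps the parent behaviour.
     */
    public $useBearerHeader = true;

    /**
     * {@inheritdoc}
     */
    public function applyAccessTokenToRequest($request, $accessToken)
    {
        if (!$this->useBearerHeader) {
            parent::applyAccessTokenToRequest($request, $accessToken);
            return;
        }

        // Make sure the token is not also carried in the request data,
        // where it can end up in URLs and access logs.
        $data = $request->getData();
        if (is_array($data) && array_key_exists('access_token', $data)) {
            unset($data['access_token']);
            $request->setData($data);
        }

        $request->getHeaders()->set('Authorization', 'Bearer ' . $accessToken->getToken());
    }
}
```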