Hello Hackers,
While working on an OAuth validator for PG18 I noticed that currently
the client code doesn't work when using Google as the OAuth provider.
It requires two small changes:
* The device code request only includes the OAuth Client ID in the
request body if the user doesn't specify a client secret (if the
secret is specified, the client ID is only sent as part of the basic
auth header), but Google OAuth always expects it in the body
* The wait loop for the authorization only expects HTTP 400 and 401,
but the Google endpoint responds with HTTP 428 (Precondition required)
Both issues are testable/verifiable without a properly working
validator, as they happen on the client side, before invoking the
validator logic.
I attached a small patch which fixes both.