authorization_code strategy does not send client_secret for get token request #115

Closed
silviurosu opened this issue Jun 25, 2018 · 2 comments


@silviurosu

I had issues with getting the token. I noticed that the Ruby client works fine. Then I investigated their requests and found out that the Ruby client also sends the client_secret on the wire.

Although this can be accomplished by appending this param again to the get token request
client = OAuth2.Client.get_token!(client, code: "xxxxxxxxx", client_secret: "xxxxxxx")
this is not at all obvious, nor is it documented in the README. I lost a few days debugging this issue.

I suggest that OAuth2.Strategy.AuthCode do this by itself. Can I make a pull request with this?

@scrogson
Member

@silviurosu I'm sorry to hear of your troubles. You're not the only one who has run into something like this. This issue has come up a few times before.

The problem is, this library attempts to provide strategies that follow the OAuth2 specification but allow for users to extend them, OR write a specific strategy for the target service.

I probably won't accept a PR that adds client_secret to the AuthCode strategy, but I will gladly accept a PR that outlines this issue in the README.

@silviurosu
Author

@scrogson I understand your reasoning.
I searched for oauth2 docs and I see that client_secret is mentioned here: https://aaronparecki.com/oauth-2-simplified/#web-server-apps
This link is from oauth2.net
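
Added example, not part of the issue thread or the library's code: a Python check that reports whether a captured authorization-code token request carries the client secret in the form body, in an HTTP Basic header, in both, or not at all, which is what has to be compared when one client gets a token and another does not. The function name, the sample requests and every value in them are constructed; `client_secret_post` and `client_secret_basic` are the names OAuth client metadata (RFC 7591) uses for the two methods.

```python
import base64
from urllib.parse import parse_qs, unquote_plus


def classify_client_auth(headers, body):
    """Report how a captured token request authenticates the client.

    headers: dict of request headers; body: form-encoded body as str.
    Returns 'client_secret_post', 'client_secret_basic', 'both' or 'none'.
    """
    # Method 1: client_secret sent as a form parameter in the request body.
    form = parse_qs(body, keep_blank_values=True)
    in_body = any(form.get("client_secret", []))

    # Method 2: client_id:client_secret in an HTTP Basic Authorization header.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, value = auth.partition(" ")
    in_header = False
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            decoded = ""
        _, sep, secret = decoded.partition(":")
        # RFC 6749 section 2.3.1: both parts are form-urlencoded before base64.
        in_header = bool(sep) and bool(unquote_plus(secret))

    if in_body and in_header:
        return "both"  # RFC 6749 section 2.3 allows only one method per request
    if in_body:
        return "client_secret_post"
    if in_header:
        return "client_secret_basic"
    return "none"


# Constructed sample requests with placeholder values (not captured traffic).
CODE_ONLY = ("grant_type=authorization_code&code=xxxxxxxxx&client_id=my-client"
             "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback")
WITH_SECRET = CODE_ONLY + "&client_secret=xxxxxxx"
BASIC = {"Authorization": "Basic " + base64.b64encode(b"my-client:xxxxxxx").decode()}

if __name__ == "__main__":
    for name, hdrs, body in [("code only", {}, CODE_ONLY),
                             ("secret in body", {}, WITH_SECRET),
                             ("basic header", BASIC, CODE_ONLY),
                             ("both", BASIC, WITH_SECRET)]:
        print(f"{name}: {classify_client_auth(hdrs, body)}")
```

A result of `none` on a confidential client's request means the token endpoint receives no secret at all; `both` is a request the specification does not permit.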
