oauth: add Authorization header to exchange token requests

According to http://tools.ietf.org/html/rfc6749 authorization servers MUST
support receiving client_id:client_secret encoded in the Authorization
header. However, receiving the id and secret urlencoded inside the body is
only something the server MAY support.

To increase compatibility, this commit change exchange token requests to
always include id and secret both encoded in the body and in the
Authorization header.

LGTM=bradfitz, adg
R=golang-codereviews, adg
CC=bradfitz, golang-dev, jbd
https://codereview.appspot.com/97400044

Committer: Andrew Gerrand <adg@golang.org>
2 files changed