diff --git a/endpoints/web.py b/endpoints/web.py
index 7a460568d..884f4e6ea 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -471,14 +471,16 @@ def request_authorization_code():
 def exchange_code_for_token():
 grant_type = request.values.get('grant_type', None)
 client_id = request.values.get('client_id', None)
+ client_secret = request.values.get('client_id', None)
 redirect_uri = request.values.get('redirect_uri', None)
 code = request.values.get('code', None)
 scope = request.values.get('scope', None)
- client_secret = request.values.get('client_secret', None)
- if client_secret is None:
- # Sometimes OAuth2 clients place the client secret in the Auth header.
- client_secret = parse_basic_auth(request.headers.get('Authorization'))
+ # Sometimes OAuth2 clients place the client id/secret in the Auth header.
+ basic_header = parse_basic_auth(request.headers.get('Authorization'))
+ if basic_header is not None:
+ client_id = basic_header[0] or client_id
+ client_secret = basic_header[1] or client_secret
 provider = FlaskAuthorizationProvider()
 return provider.get_token(grant_type, client_id, client_secret, redirect_uri, code, scope=scope)
diff --git a/util/headers.py b/util/headers.py
index ae53c003a..8967dfaa7 100644
--- a/util/headers.py
+++ b/util/headers.py
@@ -11,6 +11,10 @@ def parse_basic_auth(header_value):
 return None
 try:
- return base64.b64decode(parts[1])
+ basic_parts = base64.b64decode(parts[1]).split(':')
+ if len(basic_parts) != 2:
+ return None
+
+ return basic_parts
 except ValueError:
 return None
\ No newline at end of file
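Review bot: The added line `client_secret = request.values.get('client_id', None)` reads the secret from the wrong form parameter, so a client that sends its secret in the request body (the client_secret_post method of RFC 6749 §2.3.1) is checked with its client_id as the secret now that the removed `request.values.get('client_secret', None)` lookup is gone; it should read `client_secret = request.values.get('client_secret', None)`. With that corrected, the new header branch still lets Basic credentials silently override body credentials when both are present, whereas RFC 6749 §2.3 says a client must not use more than one method per request, so the safer behaviour is to reject the request (with the usual opaque invalid_client response) when `basic_header[0]` and the form `client_id` are both set and differ. The user-id and secret carried in the Basic header are form-urlencoded per §2.3.1, and the decoded parts are passed to `provider.get_token` verbatim here, which is worth confirming against how secrets are issued. The route decorators for `exchange_code_for_token` sit above the hunk.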
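Review bot: `.split(':')` with no maxsplit on the added line yields more than two parts for a secret that itself contains a colon, so the new `len(basic_parts) != 2` check then rejects a valid credential; RFC 7617 forbids the colon only in the user-id, so the split should be `basic_parts = base64.b64decode(parts[1]).split(':', 1)`. If this module runs under Python 3, `base64.b64decode` returns bytes and `.split(':')` raises TypeError, which the existing `except ValueError` does not catch — decode to text first or split on `b':'`; the interpreter version is not visible in the hunk. The return value changes from a single string to a two-element list, so the function's docstring and the caller in endpoints/web.py should state that the result is `[client_id, client_secret]` or None. `parse_basic_auth`'s signature and the `parts` assignment are above the hunk.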