1 files changed, 22 insertions, 13 deletions

diff --git a/oauthlib/oauth2/rfc6749/clients/base.py b/oauthlib/oauth2/rfc6749/clients/base.py
index 1a50644..9b05ad5 100644
--- a/oauthlib/oauth2/rfc6749/clients/base.py
+++ b/oauthlib/oauth2/rfc6749/clients/base.py
@@ -28,8 +28,8 @@ FORM_ENC_HEADERS = {
     'Content-Type': 'application/x-www-form-urlencoded'
 }
 
-class Client(object):
 
+class Client(object):
     """Base OAuth2 client responsible for access token management.
 
     This class also acts as a generic interface providing methods common to all
@@ -201,7 +201,7 @@ class Client(object):
                                                                      headers, token_placement, **kwargs)
 
     def prepare_authorization_request(self, authorization_url, state=None,
-            redirect_url=None, scope=None, **kwargs):
+                                      redirect_url=None, scope=None, **kwargs):
         """Prepare the authorization request.
 
         This is the first step in many OAuth flows in which the user is
@@ -222,6 +222,8 @@ class Client(object):
         the provider. If provided then it must also be provided in the
         token request.
 
+        :param scope:
+
         :param kwargs: Additional parameters to included in the request.
 
         :returns: The prepared request tuple with (url, headers, body).
@@ -233,12 +235,12 @@ class Client(object):
         self.redirect_url = redirect_url or self.redirect_url
         self.scope = scope or self.scope
         auth_url = self.prepare_request_uri(
-                authorization_url, redirect_uri=self.redirect_url,
-                scope=self.scope, state=self.state, **kwargs)
+            authorization_url, redirect_uri=self.redirect_url,
+            scope=self.scope, state=self.state, **kwargs)
         return auth_url, FORM_ENC_HEADERS, ''
 
     def prepare_token_request(self, token_url, authorization_response=None,
-            redirect_url=None, state=None, body='', **kwargs):
+                              redirect_url=None, state=None, body='', **kwargs):
         """Prepare a token creation request.
 
         Note that these requests usually require client authentication, either
@@ -255,6 +257,8 @@ class Client(object):
         :param redirect_url: The redirect_url supplied with the authorization
         request (if there was one).
 
+        :param state:
+
         :param body: Existing request body (URL encoded string) to embed parameters
                      into. This may contain extra paramters. Default ''.
 
@@ -268,15 +272,15 @@ class Client(object):
         state = state or self.state
         if authorization_response:
             self.parse_request_uri_response(
-                    authorization_response, state=state)
+                authorization_response, state=state)
         self.redirect_url = redirect_url or self.redirect_url
         body = self.prepare_request_body(body=body,
-                redirect_uri=self.redirect_url, **kwargs)
+                                         redirect_uri=self.redirect_url, **kwargs)
 
         return token_url, FORM_ENC_HEADERS, body
 
     def prepare_refresh_token_request(self, token_url, refresh_token=None,
-            body='', scope=None, **kwargs):
+                                      body='', scope=None, **kwargs):
         """Prepare an access token refresh request.
 
         Expired access tokens can be replaced by new access tokens without
@@ -304,11 +308,11 @@ class Client(object):
 
         self.scope = scope or self.scope
         body = self.prepare_refresh_body(body=body,
-                refresh_token=refresh_token, scope=self.scope, **kwargs)
+                                         refresh_token=refresh_token, scope=self.scope, **kwargs)
         return token_url, FORM_ENC_HEADERS, body
 
     def prepare_token_revocation_request(self, revocation_url, token,
-            token_type_hint="access_token", body='', callback=None, **kwargs):
+                                         token_type_hint="access_token", body='', callback=None, **kwargs):
         """Prepare a token revocation request.
 
         :param revocation_url: Provider token revocation endpoint URL.
@@ -319,6 +323,8 @@ class Client(object):
         ``"refresh_token"``. This is optional and if you wish to not pass it you
         must provide ``token_type_hint=None``.
 
+        :param body:
+
         :param callback: A jsonp callback such as ``package.callback`` to be invoked
         upon receiving the response. Not that it should not include a () suffix.
 
@@ -363,8 +369,8 @@ class Client(object):
             raise InsecureTransportError()
 
         return prepare_token_revocation_request(revocation_url, token,
-                token_type_hint=token_type_hint, body=body, callback=callback,
-                **kwargs)
+                                                token_type_hint=token_type_hint, body=body, callback=callback,
+                                                **kwargs)
 
     def parse_request_body_response(self, body, scope=None, **kwargs):
         """Parse the JSON response body.
@@ -404,7 +410,7 @@ class Client(object):
             If omitted, the authorization server SHOULD provide the
             expiration time via other means or document the default value.
 
-        **scope**
+           **scope**
             Providers may supply this in all responses but are required to only
             if it has changed since the authorization request.
 
@@ -461,6 +467,9 @@ class Client(object):
 
         Warning: MAC token support is experimental as the spec is not yet stable.
         """
+        if token_placement != AUTH_HEADER:
+            raise ValueError("Invalid token placement.")
+
         headers = tokens.prepare_mac_header(self.access_token, uri,
                                             self.mac_key, http_method, headers=headers, body=body, ext=ext,
                                             hash_algorithm=self.mac_algorithm, **kwargs)