Proposal Details
Allow making raw HTTP POST requests to the authz server
This PR adds functionality to make token-style HTTP requests to an arbitrary endpoint of the authz server, instead of just for retrieving tokens.
Use case: the main motivation was to support OAuth2 token revocation per RFC7009. The token revocation endpoint requires client credentials, and implementing it outside of this library requires effectively re-implementing the auth style auto-sensing & caching.
This seemed the most convenient way of leveraging the library for token revocation. If desired, I can also make this less general to only support token revocation, but a.o.t. this would require figuring out the revocation URLs for all supported providers, which is outside my current time budget.
- https://github.com/golang/oauth2/pull/463 (https://go-review.googlesource.com/c/oauth2/+/277272)
Comment From: seankhliao
imo this makes it too easy to misuse and leak credentials against an unintended server.
I think it should be:
```go
type Endpoint struct {
	RevokeURL string
	// ...
}

// Revoke a token using Endpoint.RevokeURL if available, otherwise return an error.
func (c *Config) Revoke(ctx context.Context, token *Token) error
```
People can add the revocation URLs for well known providers as they need them.
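The narrower shape suggested in the comment above, as an added example that is not part of the thread and not code from golang.org/x/oauth2: an RFC 7009 revocation call that sends the client credentials and the token only to a fixed, configured HTTPS `RevokeURL` and never follows redirects. `Revoker`, `stubAS` and the `as.example` URL are hypothetical names for this sketch, and HTTP Basic client authentication is assumed.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

type Revoker struct { // hypothetical type for this example, not part of golang.org/x/oauth2
	ClientID, ClientSecret, RevokeURL string
	Transport                         http.RoundTripper
}

// Revoke sends an RFC 7009 request only to the configured HTTPS RevokeURL, never following redirects.
func (r Revoker) Revoke(ctx context.Context, token string) error {
	u, err := url.Parse(r.RevokeURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("revoke: RevokeURL %q is missing or not https", r.RevokeURL)
	}
	body := strings.NewReader(url.Values{"token": {token}}.Encode())
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u.String(), body)
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(r.ClientID), url.QueryEscape(r.ClientSecret))
	noRedirect := func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := (&http.Client{Transport: r.Transport, CheckRedirect: noRedirect}).Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // RFC 7009: 200 also covers already-invalid tokens
		return fmt.Errorf("revoke: unexpected status %d", resp.StatusCode)
	}
	return nil
}

type stubAS struct{ got *http.Request } // constructed in-memory server, so this runs offline
func (s *stubAS) RoundTrip(q *http.Request) (*http.Response, error) {
	s.got = q
	return &http.Response{StatusCode: 200, Body: http.NoBody, Request: q}, nil
}

func main() {
	r := Revoker{"id", "secret", "https://as.example/revoke", &stubAS{}}
	fmt.Println(r.Revoke(context.Background(), "constructed-token"))
}
```

A 3xx response surfaces as an error instead of replaying the token to a second URL, and a non-HTTPS or empty `RevokeURL` is rejected before any request is built.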
Comment From: seankhliao
After some more thought, I don't really understand this proposal. The oauth2 package isn't doing anything special, and it gets all its parameters from data the user passes in. Having another way to make arbitrary http calls seems extraneous.