proposal: x/oauth2: allow making raw post requests to server

[janisz]

Proposal Details

Allow making raw HTTP POST requests to the authz server

This PR adds functionality to make token-style HTTP requests to an arbitrary endpoint of the authz server, instead of just for retrieving tokens.

Use case: the main motivation was to support for OAuth2 token revocation per RFC7009. The token revocation endpoint requires client credentials, and implementing it outside of this library requires effectively re-implementing the auth style auto-sensing & caching.

This seemed the most convenient way of leveraging the library for token revocation. If desired, I can also make this less general to only support token revocation, but a.o.t. this would require figuring out the revocation URLs for all supported providers, which is outside my current time budget.

• Allow making raw HTTP POST requests to the authz server oauth2#463 (https://go-review.googlesource.com/c/oauth2/+/277272)

[seankhliao]

imo this makes it too easy to misuse and leak credentials against an unintended server.

I think it should be:

type Endpoint struct{
    RevokeURL string
    // ... 
}

// Revoke a token using Endpoint.RevokeURL if available, otherwise return an error.
func (c *Config) Revoke(ctx context.Context, token *Token) error

People can add the revocation URLs for well known providers as they need them.