Description
What version of Go are you using (go version)? go version go1.15.2 linux/amd64
What operating system and processor architecture are you using? Ubuntu, x86
The OAuth2 spec states the authorization server should respond with an HTTP 400 if there is an error in the access token response. The details of the error are conveyed in the `error`, `error_description`, and `error_uri` fields of the response.
GitHub OAuth does not follow this spec exactly and can return an error response (examples) with HTTP code 200. In this case, the error from GitHub is swallowed and instead we return a generic error. This makes it difficult to debug exactly what went wrong when GitHub returns an access token response error.
Reproduction steps:
- Configure GitHub as OAuth2 authorization provider for a web service that uses this package.
- Change the GitHub client secret so that it no longer matches.
- Attempt login via GitHub.
- Note that the error returned by this package is the generic `oauth2: server response missing access_token`, rather than the actual error returned by GitHub: `incorrect_client_credentials`.
Proposed fix: Parse the `error` field in the access token response. If it is non-empty, treat the response as an error and return an error containing the `error`, `error_description`, and `error_uri` fields from the access token response. An implementation of this fix is here: sourcegraph@6057702.
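The following is an added, stand-alone illustration of the proposed fix; it is not code from golang.org/x/oauth2 or from the linked sourcegraph commit. `parseTokenResponse` and `tokenResponseError` are names chosen for this example. It decodes a token endpoint body in either form-encoded or JSON form (GitHub uses form encoding unless `Accept: application/json` is sent), and it checks the `error` field before looking for `access_token`, so a provider that reports an error with HTTP 200 still surfaces `error`, `error_description`, and `error_uri` instead of the generic "missing access_token" message. The sample bodies in `main` are constructed, not captured from GitHub.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
	"net/url"
)

// tokenResponseError carries the three error fields defined for the access
// token response in RFC 6749 section 5.2.
type tokenResponseError struct {
	Code        string // the "error" field, e.g. incorrect_client_credentials
	Description string // the optional "error_description" field
	URI         string // the optional "error_uri" field
}

func (e *tokenResponseError) Error() string {
	s := "oauth2: " + e.Code
	if e.Description != "" {
		s += ": " + e.Description
	}
	if e.URI != "" {
		s += " (see " + e.URI + ")"
	}
	return s
}

// parseTokenResponse decodes a token endpoint body, selecting the decoder by
// Content-Type, and returns the access token. If the "error" field is
// non-empty the response is treated as an error regardless of HTTP status,
// which is the behaviour this issue asks for.
func parseTokenResponse(contentType string, body []byte) (string, error) {
	fields := map[string]string{}
	mt, _, _ := mime.ParseMediaType(contentType)
	switch mt {
	case "application/x-www-form-urlencoded", "text/plain", "":
		vals, err := url.ParseQuery(string(body))
		if err != nil {
			return "", fmt.Errorf("oauth2: cannot parse form response: %w", err)
		}
		for k, v := range vals {
			if len(v) > 0 {
				fields[k] = v[0]
			}
		}
	default:
		var raw map[string]interface{}
		if err := json.Unmarshal(body, &raw); err != nil {
			return "", fmt.Errorf("oauth2: cannot parse JSON response: %w", err)
		}
		for k, v := range raw {
			if s, ok := v.(string); ok {
				fields[k] = s
			}
		}
	}

	// Check the spec-defined error field first so the provider's own
	// diagnosis is not swallowed by the generic check below.
	if code := fields["error"]; code != "" {
		return "", &tokenResponseError{
			Code:        code,
			Description: fields["error_description"],
			URI:         fields["error_uri"],
		}
	}
	tok := fields["access_token"]
	if tok == "" {
		return "", errors.New("oauth2: server response missing access_token")
	}
	return tok, nil
}

func main() {
	// Constructed example of a GitHub-style error body returned with HTTP 200.
	errBody := []byte("error=incorrect_client_credentials" +
		"&error_description=The+client_id+and%2For+client_secret+passed+are+incorrect." +
		"&error_uri=https%3A%2F%2Fexample.invalid%2Foauth-errors")
	_, err := parseTokenResponse("application/x-www-form-urlencoded", errBody)
	fmt.Println(err)

	// Constructed example of a successful JSON response.
	okBody := []byte(`{"access_token":"gho_constructed","token_type":"bearer"}`)
	tok, err := parseTokenResponse("application/json", okBody)
	fmt.Println(tok, err)
}
```

A caller that wants to branch on the provider's error code can use `errors.As` to recover the `*tokenResponseError` and read `Code` directly, rather than parsing the message string.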