Squashed commit of the following:

commit 6c5e40d
Author: M Hickford <[email protected]>
Date:   Mon Nov 14 05:43:06 2022 +0000

    more error handling fix

commit bc6a2d2
Author: M Hickford <[email protected]>
Date:   Fri Nov 11 19:24:52 2022 +0000

    fix error handling

commit 547b7ab
Author: Beyang Liu <[email protected]>
Date:   Sun Oct 11 12:23:44 2020 -0700

    oauth2: return error, error_description, and error_uri when error field is present in token response

commit 13a8e35
Author: M Hickford <[email protected]>
Date:   Fri Nov 11 15:36:51 2022 +0000

    Fix for GitHub

commit 4d789d2
Author: Marcos Lilljedahl <[email protected]>
Date:   Mon Jan 7 21:56:42 2019 +0800

    oauth2: add device flow support

    Signed-off-by: Marcos Lilljedahl <[email protected]>

Author: hickford

deviceauth.go

@@ -0,0 +1,86 @@
+package oauth2
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"golang.org/x/net/context/ctxhttp"
+	"golang.org/x/oauth2/internal"
+)
+
+const (
+	errAuthorizationPending = "authorization_pending"
+	errSlowDown             = "slow_down"
+	errAccessDenied         = "access_denied"
+	errExpiredToken         = "expired_token"
+)
+
+type DeviceAuth struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri,verification_url"`
+	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval,omitempty"`
+	raw                     map[string]interface{}
+}
+
+func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAuth, error) {
+	req, err := http.NewRequest("POST", c.Endpoint.DeviceAuthURL, strings.NewReader(v.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	r, err := ctxhttp.Do(ctx, nil, req)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
+	if err != nil {
+		return nil, fmt.Errorf("oauth2: cannot auth device: %v", err)
+	}
+	if code := r.StatusCode; code < 200 || code > 299 {
+		return nil, &RetrieveError{
+			Response: r,
+			Body:     body,
+		}
+	}
+
+	da := &DeviceAuth{}
+	err = json.Unmarshal(body, &da)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal %s", err)
+	}
+
+	_ = json.Unmarshal(body, &da.raw)
+
+	// Azure AD supplies verification_url instead of verification_uri
+	if da.VerificationURI == "" {
+		da.VerificationURI, _ = da.raw["verification_url"].(string)
+	}
+
+	return da, nil
+}
+
+func parseError(err error) string {
+	e, ok := err.(*RetrieveError)
+	if ok {
+		eResp := make(map[string]string)
+		_ = json.Unmarshal(e.Body, &eResp)
+		return eResp["error"]
+	}
+	e2, ok := err.(*internal.TokenError)
+	if ok {
+		return e2.Err
+	}
+	return ""
+}

endpoints/endpoints.go

@@ -55,8 +55,9 @@ var Fitbit = oauth2.Endpoint{
 
 // GitHub is the endpoint for Github.
 var GitHub = oauth2.Endpoint{
-	AuthURL:  "https://github.com/login/oauth/authorize",
-	TokenURL: "https://github.com/login/oauth/access_token",
+	AuthURL:       "https://github.com/login/oauth/authorize",
+	TokenURL:      "https://github.com/login/oauth/access_token",
+	DeviceAuthURL: "https://github.com/login/device/code",
 }
 
 // GitLab is the endpoint for GitLab.

internal/token.go

@@ -323,3 +323,13 @@ type RetrieveError struct {
 func (r *RetrieveError) Error() string {
 	return fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", r.Response.Status, r.Body)
 }
+
+type TokenError struct {
+	Err              string
+	ErrorDescription string
+	ErrorURI         string
+}
+
+func (t *TokenError) Error() string {
+	return fmt.Sprintf("oauth2: error in token fetch response: %s\nerror_description: %s\nerror_uri: %s", t.Err, t.ErrorDescription, t.ErrorURI)
+}

oauth2.go

@@ -16,6 +16,7 @@ import (
 	"net/url"
 	"strings"
 	"sync"
+	"time"
 
 	"golang.org/x/oauth2/internal"
 )
@@ -70,8 +71,9 @@ type TokenSource interface {
 // Endpoint represents an OAuth 2.0 provider's authorization and token
 // endpoint URLs.
 type Endpoint struct {
-	AuthURL  string
-	TokenURL string
+	AuthURL       string
+	DeviceAuthURL string
+	TokenURL      string
 
 	// AuthStyle optionally specifies how the endpoint wants the
 	// client ID & client secret sent. The zero value means to
@@ -224,6 +226,64 @@ func (c *Config) Exchange(ctx context.Context, code string, opts ...AuthCodeOpti
 	return retrieveToken(ctx, c, v)
 }
 
+// AuthDevice returns a device auth struct which contains a device code
+// and authorization information provided for users to enter on another device.
+func (c *Config) AuthDevice(ctx context.Context, opts ...AuthCodeOption) (*DeviceAuth, error) {
+	v := url.Values{
+		"client_id": {c.ClientID},
+	}
+	if len(c.Scopes) > 0 {
+		v.Set("scope", strings.Join(c.Scopes, " "))
+	}
+	for _, opt := range opts {
+		opt.setValue(v)
+	}
+	return retrieveDeviceAuth(ctx, c, v)
+}
+
+// Poll does a polling to exchange an device code for a token.
+func (c *Config) Poll(ctx context.Context, da *DeviceAuth, opts ...AuthCodeOption) (*Token, error) {
+	v := url.Values{
+		"client_id":   {c.ClientID},
+		"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
+		"device_code": {da.DeviceCode},
+	}
+	if len(c.Scopes) > 0 {
+		v.Set("scope", strings.Join(c.Scopes, " "))
+	}
+	for _, opt := range opts {
+		opt.setValue(v)
+	}
+
+	// If no interval was provided, the client MUST use a reasonable default polling interval.
+	// See https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.5
+	interval := da.Interval
+	if interval == 0 {
+		interval = 5
+	}
+
+	for {
+		time.Sleep(time.Duration(interval) * time.Second)
+
+		tok, err := retrieveToken(ctx, c, v)
+		if err == nil {
+			return tok, nil
+		}
+
+		errTyp := parseError(err)
+		switch errTyp {
+		case errSlowDown:
+			interval += 5
+		case errAuthorizationPending:
+			// Do nothing.
+		case errAccessDenied, errExpiredToken:
+			fallthrough
+		default:
+			return tok, err
+		}
+	}
+}
+
 // Client returns an HTTP client using the provided token.
 // The token will auto-refresh as necessary. The underlying
 // HTTP transport will be obtained using the provided context.