vendor: revendor

vendor/github.com/coreos/go-oidc/oauth2/doc.go

@@ -0,0 +1,2 @@
+// Package oauth2 is DEPRECATED. Use golang.org/x/oauth instead.
+package oauth2

vendor/github.com/coreos/go-oidc/oauth2/error.go

@@ -0,0 +1,29 @@
+package oauth2
+
+const (
+	ErrorAccessDenied            = "access_denied"
+	ErrorInvalidClient           = "invalid_client"
+	ErrorInvalidGrant            = "invalid_grant"
+	ErrorInvalidRequest          = "invalid_request"
+	ErrorServerError             = "server_error"
+	ErrorUnauthorizedClient      = "unauthorized_client"
+	ErrorUnsupportedGrantType    = "unsupported_grant_type"
+	ErrorUnsupportedResponseType = "unsupported_response_type"
+)
+
+type Error struct {
+	Type        string `json:"error"`
+	Description string `json:"error_description,omitempty"`
+	State       string `json:"state,omitempty"`
+}
+
+func (e *Error) Error() string {
+	if e.Description != "" {
+		return e.Type + ": " + e.Description
+	}
+	return e.Type
+}
+
+func NewError(typ string) *Error {
+	return &Error{Type: typ}
+}

vendor/github.com/coreos/go-oidc/oauth2/oauth2.go

@@ -0,0 +1,416 @@
+package oauth2
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"mime"
+	"net/http"
+	"net/url"
+	"sort"
+	"strconv"
+	"strings"
+
+	phttp "github.com/coreos/go-oidc/http"
+)
+
+// ResponseTypesEqual compares two response_type values. If either
+// contains a space, it is treated as an unordered list. For example,
+// comparing "code id_token" and "id_token code" would evaluate to true.
+func ResponseTypesEqual(r1, r2 string) bool {
+	if !strings.Contains(r1, " ") || !strings.Contains(r2, " ") {
+		// fast route, no split needed
+		return r1 == r2
+	}
+
+	// split, sort, and compare
+	r1Fields := strings.Fields(r1)
+	r2Fields := strings.Fields(r2)
+	if len(r1Fields) != len(r2Fields) {
+		return false
+	}
+	sort.Strings(r1Fields)
+	sort.Strings(r2Fields)
+	for i, r1Field := range r1Fields {
+		if r1Field != r2Fields[i] {
+			return false
+		}
+	}
+	return true
+}
+
+const (
+	// OAuth2.0 response types registered by OIDC.
+	//
+	// See: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#RegistryContents
+	ResponseTypeCode             = "code"
+	ResponseTypeCodeIDToken      = "code id_token"
+	ResponseTypeCodeIDTokenToken = "code id_token token"
+	ResponseTypeIDToken          = "id_token"
+	ResponseTypeIDTokenToken     = "id_token token"
+	ResponseTypeToken            = "token"
+	ResponseTypeNone             = "none"
+)
+
+const (
+	GrantTypeAuthCode     = "authorization_code"
+	GrantTypeClientCreds  = "client_credentials"
+	GrantTypeUserCreds    = "password"
+	GrantTypeImplicit     = "implicit"
+	GrantTypeRefreshToken = "refresh_token"
+
+	AuthMethodClientSecretPost  = "client_secret_post"
+	AuthMethodClientSecretBasic = "client_secret_basic"
+	AuthMethodClientSecretJWT   = "client_secret_jwt"
+	AuthMethodPrivateKeyJWT     = "private_key_jwt"
+)
+
+type Config struct {
+	Credentials ClientCredentials
+	Scope       []string
+	RedirectURL string
+	AuthURL     string
+	TokenURL    string
+
+	// Must be one of the AuthMethodXXX methods above. Right now, only
+	// AuthMethodClientSecretPost and AuthMethodClientSecretBasic are supported.
+	AuthMethod string
+}
+
+type Client struct {
+	hc          phttp.Client
+	creds       ClientCredentials
+	scope       []string
+	authURL     *url.URL
+	redirectURL *url.URL
+	tokenURL    *url.URL
+	authMethod  string
+}
+
+type ClientCredentials struct {
+	ID     string
+	Secret string
+}
+
+func NewClient(hc phttp.Client, cfg Config) (c *Client, err error) {
+	if len(cfg.Credentials.ID) == 0 {
+		err = errors.New("missing client id")
+		return
+	}
+
+	if len(cfg.Credentials.Secret) == 0 {
+		err = errors.New("missing client secret")
+		return
+	}
+
+	if cfg.AuthMethod == "" {
+		cfg.AuthMethod = AuthMethodClientSecretBasic
+	} else if cfg.AuthMethod != AuthMethodClientSecretPost && cfg.AuthMethod != AuthMethodClientSecretBasic {
+		err = fmt.Errorf("auth method %q is not supported", cfg.AuthMethod)
+		return
+	}
+
+	au, err := phttp.ParseNonEmptyURL(cfg.AuthURL)
+	if err != nil {
+		return
+	}
+
+	tu, err := phttp.ParseNonEmptyURL(cfg.TokenURL)
+	if err != nil {
+		return
+	}
+
+	// Allow empty redirect URL in the case where the client
+	// only needs to verify a given token.
+	ru, err := url.Parse(cfg.RedirectURL)
+	if err != nil {
+		return
+	}
+
+	c = &Client{
+		creds:       cfg.Credentials,
+		scope:       cfg.Scope,
+		redirectURL: ru,
+		authURL:     au,
+		tokenURL:    tu,
+		hc:          hc,
+		authMethod:  cfg.AuthMethod,
+	}
+
+	return
+}
+
+// Return the embedded HTTP client
+func (c *Client) HttpClient() phttp.Client {
+	return c.hc
+}
+
+// Generate the url for initial redirect to oauth provider.
+func (c *Client) AuthCodeURL(state, accessType, prompt string) string {
+	v := c.commonURLValues()
+	v.Set("state", state)
+	if strings.ToLower(accessType) == "offline" {
+		v.Set("access_type", "offline")
+	}
+
+	if prompt != "" {
+		v.Set("prompt", prompt)
+	}
+	v.Set("response_type", "code")
+
+	q := v.Encode()
+	u := *c.authURL
+	if u.RawQuery == "" {
+		u.RawQuery = q
+	} else {
+		u.RawQuery += "&" + q
+	}
+	return u.String()
+}
+
+func (c *Client) commonURLValues() url.Values {
+	return url.Values{
+		"redirect_uri": {c.redirectURL.String()},
+		"scope":        {strings.Join(c.scope, " ")},
+		"client_id":    {c.creds.ID},
+	}
+}
+
+func (c *Client) newAuthenticatedRequest(urlToken string, values url.Values) (*http.Request, error) {
+	var req *http.Request
+	var err error
+	switch c.authMethod {
+	case AuthMethodClientSecretPost:
+		values.Set("client_secret", c.creds.Secret)
+		req, err = http.NewRequest("POST", urlToken, strings.NewReader(values.Encode()))
+		if err != nil {
+			return nil, err
+		}
+	case AuthMethodClientSecretBasic:
+		req, err = http.NewRequest("POST", urlToken, strings.NewReader(values.Encode()))
+		if err != nil {
+			return nil, err
+		}
+		encodedID := url.QueryEscape(c.creds.ID)
+		encodedSecret := url.QueryEscape(c.creds.Secret)
+		req.SetBasicAuth(encodedID, encodedSecret)
+	default:
+		panic("misconfigured client: auth method not supported")
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	return req, nil
+
+}
+
+// ClientCredsToken posts the client id and secret to obtain a token scoped to the OAuth2 client via the "client_credentials" grant type.
+// May not be supported by all OAuth2 servers.
+func (c *Client) ClientCredsToken(scope []string) (result TokenResponse, err error) {
+	v := url.Values{
+		"scope":      {strings.Join(scope, " ")},
+		"grant_type": {GrantTypeClientCreds},
+	}
+
+	req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+	if err != nil {
+		return
+	}
+
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	return parseTokenResponse(resp)
+}
+
+// UserCredsToken posts the username and password to obtain a token scoped to the OAuth2 client via the "password" grant_type
+// May not be supported by all OAuth2 servers.
+func (c *Client) UserCredsToken(username, password string) (result TokenResponse, err error) {
+	v := url.Values{
+		"scope":      {strings.Join(c.scope, " ")},
+		"grant_type": {GrantTypeUserCreds},
+		"username":   {username},
+		"password":   {password},
+	}
+
+	req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+	if err != nil {
+		return
+	}
+
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	return parseTokenResponse(resp)
+}
+
+// RequestToken requests a token from the Token Endpoint with the specified grantType.
+// If 'grantType' == GrantTypeAuthCode, then 'value' should be the authorization code.
+// If 'grantType' == GrantTypeRefreshToken, then 'value' should be the refresh token.
+func (c *Client) RequestToken(grantType, value string) (result TokenResponse, err error) {
+	v := c.commonURLValues()
+
+	v.Set("grant_type", grantType)
+	v.Set("client_secret", c.creds.Secret)
+	switch grantType {
+	case GrantTypeAuthCode:
+		v.Set("code", value)
+	case GrantTypeRefreshToken:
+		v.Set("refresh_token", value)
+	default:
+		err = fmt.Errorf("unsupported grant_type: %v", grantType)
+		return
+	}
+
+	req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+	if err != nil {
+		return
+	}
+
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	return parseTokenResponse(resp)
+}
+
+func parseTokenResponse(resp *http.Response) (result TokenResponse, err error) {
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return
+	}
+	badStatusCode := resp.StatusCode < 200 || resp.StatusCode > 299
+
+	contentType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if err != nil {
+		return
+	}
+
+	result = TokenResponse{
+		RawBody: body,
+	}
+
+	newError := func(typ, desc, state string) error {
+		if typ == "" {
+			return fmt.Errorf("unrecognized error %s", body)
+		}
+		return &Error{typ, desc, state}
+	}
+
+	if contentType == "application/x-www-form-urlencoded" || contentType == "text/plain" {
+		var vals url.Values
+		vals, err = url.ParseQuery(string(body))
+		if err != nil {
+			return
+		}
+		if error := vals.Get("error"); error != "" || badStatusCode {
+			err = newError(error, vals.Get("error_description"), vals.Get("state"))
+			return
+		}
+		e := vals.Get("expires_in")
+		if e == "" {
+			e = vals.Get("expires")
+		}
+		if e != "" {
+			result.Expires, err = strconv.Atoi(e)
+			if err != nil {
+				return
+			}
+		}
+		result.AccessToken = vals.Get("access_token")
+		result.TokenType = vals.Get("token_type")
+		result.IDToken = vals.Get("id_token")
+		result.RefreshToken = vals.Get("refresh_token")
+		result.Scope = vals.Get("scope")
+	} else {
+		var r struct {
+			AccessToken  string      `json:"access_token"`
+			TokenType    string      `json:"token_type"`
+			IDToken      string      `json:"id_token"`
+			RefreshToken string      `json:"refresh_token"`
+			Scope        string      `json:"scope"`
+			State        string      `json:"state"`
+			ExpiresIn    json.Number `json:"expires_in"` // Azure AD returns string
+			Expires      int         `json:"expires"`
+			Error        string      `json:"error"`
+			Desc         string      `json:"error_description"`
+		}
+		if err = json.Unmarshal(body, &r); err != nil {
+			return
+		}
+		if r.Error != "" || badStatusCode {
+			err = newError(r.Error, r.Desc, r.State)
+			return
+		}
+		result.AccessToken = r.AccessToken
+		result.TokenType = r.TokenType
+		result.IDToken = r.IDToken
+		result.RefreshToken = r.RefreshToken
+		result.Scope = r.Scope
+		if expiresIn, err := r.ExpiresIn.Int64(); err != nil {
+			result.Expires = r.Expires
+		} else {
+			result.Expires = int(expiresIn)
+		}
+	}
+	return
+}
+
+type TokenResponse struct {
+	AccessToken  string
+	TokenType    string
+	Expires      int
+	IDToken      string
+	RefreshToken string // OPTIONAL.
+	Scope        string // OPTIONAL, if identical to the scope requested by the client, otherwise, REQUIRED.
+	RawBody      []byte // In case callers need some other non-standard info from the token response
+}
+
+type AuthCodeRequest struct {
+	ResponseType string
+	ClientID     string
+	RedirectURL  *url.URL
+	Scope        []string
+	State        string
+}
+
+func ParseAuthCodeRequest(q url.Values) (AuthCodeRequest, error) {
+	acr := AuthCodeRequest{
+		ResponseType: q.Get("response_type"),
+		ClientID:     q.Get("client_id"),
+		State:        q.Get("state"),
+		Scope:        make([]string, 0),
+	}
+
+	qs := strings.TrimSpace(q.Get("scope"))
+	if qs != "" {
+		acr.Scope = strings.Split(qs, " ")
+	}
+
+	err := func() error {
+		if acr.ClientID == "" {
+			return NewError(ErrorInvalidRequest)
+		}
+
+		redirectURL := q.Get("redirect_uri")
+		if redirectURL != "" {
+			ru, err := url.Parse(redirectURL)
+			if err != nil {
+				return NewError(ErrorInvalidRequest)
+			}
+			acr.RedirectURL = ru
+		}
+
+		return nil
+	}()
+
+	return acr, err
+}

vendor/github.com/coreos/go-oidc/oauth2/oauth2_test.go

@@ -0,0 +1,518 @@
+package oauth2
+
+import (
+	"errors"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"reflect"
+	"strconv"
+	"strings"
+	"testing"
+
+	phttp "github.com/coreos/go-oidc/http"
+)
+
+func TestResponseTypesEqual(t *testing.T) {
+	tests := []struct {
+		r1, r2 string
+		want   bool
+	}{
+		{"code", "code", true},
+		{"id_token", "code", false},
+		{"code token", "token code", true},
+		{"code token", "code token", true},
+		{"foo", "bar code", false},
+		{"code token id_token", "token id_token code", true},
+		{"code token id_token", "token id_token code zoo", false},
+	}
+
+	for i, tt := range tests {
+		got1 := ResponseTypesEqual(tt.r1, tt.r2)
+		got2 := ResponseTypesEqual(tt.r2, tt.r1)
+		if got1 != got2 {
+			t.Errorf("case %d: got different answers with different orders", i)
+		}
+		if tt.want != got1 {
+			t.Errorf("case %d: want=%t, got=%t", i, tt.want, got1)
+		}
+	}
+}
+
+func TestParseAuthCodeRequest(t *testing.T) {
+	tests := []struct {
+		query   url.Values
+		wantACR AuthCodeRequest
+		wantErr error
+	}{
+		// no redirect_uri
+		{
+			query: url.Values{
+				"response_type": []string{"code"},
+				"scope":         []string{"foo bar baz"},
+				"client_id":     []string{"XXX"},
+				"state":         []string{"pants"},
+			},
+			wantACR: AuthCodeRequest{
+				ResponseType: "code",
+				ClientID:     "XXX",
+				Scope:        []string{"foo", "bar", "baz"},
+				State:        "pants",
+				RedirectURL:  nil,
+			},
+		},
+
+		// with redirect_uri
+		{
+			query: url.Values{
+				"response_type": []string{"code"},
+				"redirect_uri":  []string{"https://127.0.0.1:5555/callback?foo=bar"},
+				"scope":         []string{"foo bar baz"},
+				"client_id":     []string{"XXX"},
+				"state":         []string{"pants"},
+			},
+			wantACR: AuthCodeRequest{
+				ResponseType: "code",
+				ClientID:     "XXX",
+				Scope:        []string{"foo", "bar", "baz"},
+				State:        "pants",
+				RedirectURL: &url.URL{
+					Scheme:   "https",
+					Host:     "127.0.0.1:5555",
+					Path:     "/callback",
+					RawQuery: "foo=bar",
+				},
+			},
+		},
+
+		// unsupported response_type doesn't trigger error
+		{
+			query: url.Values{
+				"response_type": []string{"token"},
+				"redirect_uri":  []string{"https://127.0.0.1:5555/callback?foo=bar"},
+				"scope":         []string{"foo bar baz"},
+				"client_id":     []string{"XXX"},
+				"state":         []string{"pants"},
+			},
+			wantACR: AuthCodeRequest{
+				ResponseType: "token",
+				ClientID:     "XXX",
+				Scope:        []string{"foo", "bar", "baz"},
+				State:        "pants",
+				RedirectURL: &url.URL{
+					Scheme:   "https",
+					Host:     "127.0.0.1:5555",
+					Path:     "/callback",
+					RawQuery: "foo=bar",
+				},
+			},
+		},
+
+		// unparseable redirect_uri
+		{
+			query: url.Values{
+				"response_type": []string{"code"},
+				"redirect_uri":  []string{":"},
+				"scope":         []string{"foo bar baz"},
+				"client_id":     []string{"XXX"},
+				"state":         []string{"pants"},
+			},
+			wantACR: AuthCodeRequest{
+				ResponseType: "code",
+				ClientID:     "XXX",
+				Scope:        []string{"foo", "bar", "baz"},
+				State:        "pants",
+			},
+			wantErr: NewError(ErrorInvalidRequest),
+		},
+
+		// no client_id, redirect_uri not parsed
+		{
+			query: url.Values{
+				"response_type": []string{"code"},
+				"redirect_uri":  []string{"https://127.0.0.1:5555/callback?foo=bar"},
+				"scope":         []string{"foo bar baz"},
+				"client_id":     []string{},
+				"state":         []string{"pants"},
+			},
+			wantACR: AuthCodeRequest{
+				ResponseType: "code",
+				ClientID:     "",
+				Scope:        []string{"foo", "bar", "baz"},
+				State:        "pants",
+				RedirectURL:  nil,
+			},
+			wantErr: NewError(ErrorInvalidRequest),
+		},
+	}
+
+	for i, tt := range tests {
+		got, err := ParseAuthCodeRequest(tt.query)
+		if !reflect.DeepEqual(tt.wantErr, err) {
+			t.Errorf("case %d: incorrect error value: want=%q got=%q", i, tt.wantErr, err)
+		}
+
+		if !reflect.DeepEqual(tt.wantACR, got) {
+			t.Errorf("case %d: incorrect AuthCodeRequest value: want=%#v got=%#v", i, tt.wantACR, got)
+		}
+	}
+}
+
+type fakeBadClient struct {
+	Request *http.Request
+	err     error
+}
+
+func (f *fakeBadClient) Do(r *http.Request) (*http.Response, error) {
+	f.Request = r
+	return nil, f.err
+}
+
+func TestClientCredsToken(t *testing.T) {
+	hc := &fakeBadClient{nil, errors.New("error")}
+	cfg := Config{
+		Credentials: ClientCredentials{ID: "c#id", Secret: "c secret"},
+		Scope:       []string{"foo-scope", "bar-scope"},
+		TokenURL:    "http://example.com/token",
+		AuthMethod:  AuthMethodClientSecretBasic,
+		RedirectURL: "http://example.com/redirect",
+		AuthURL:     "http://example.com/auth",
+	}
+
+	c, err := NewClient(hc, cfg)
+	if err != nil {
+		t.Errorf("unexpected error %v", err)
+	}
+
+	scope := []string{"openid"}
+	c.ClientCredsToken(scope)
+	if hc.Request == nil {
+		t.Error("request is empty")
+	}
+
+	tu := hc.Request.URL.String()
+	if cfg.TokenURL != tu {
+		t.Errorf("wrong token url, want=%v, got=%v", cfg.TokenURL, tu)
+	}
+
+	ct := hc.Request.Header.Get("Content-Type")
+	if ct != "application/x-www-form-urlencoded" {
+		t.Errorf("wrong content-type, want=application/x-www-form-urlencoded, got=%v", ct)
+	}
+
+	cid, secret, ok := phttp.BasicAuth(hc.Request)
+	if !ok {
+		t.Error("unexpected error parsing basic auth")
+	}
+
+	if url.QueryEscape(cfg.Credentials.ID) != cid {
+		t.Errorf("wrong client ID, want=%v, got=%v", cfg.Credentials.ID, cid)
+	}
+
+	if url.QueryEscape(cfg.Credentials.Secret) != secret {
+		t.Errorf("wrong client secret, want=%v, got=%v", cfg.Credentials.Secret, secret)
+	}
+
+	err = hc.Request.ParseForm()
+	if err != nil {
+		t.Error("unexpected error parsing form")
+	}
+
+	gt := hc.Request.PostForm.Get("grant_type")
+	if gt != GrantTypeClientCreds {
+		t.Errorf("wrong grant_type, want=%v, got=%v", GrantTypeClientCreds, gt)
+	}
+
+	sc := strings.Split(hc.Request.PostForm.Get("scope"), " ")
+	if !reflect.DeepEqual(scope, sc) {
+		t.Errorf("wrong scope, want=%v, got=%v", scope, sc)
+	}
+}
+
+func TestUserCredsToken(t *testing.T) {
+	hc := &fakeBadClient{nil, errors.New("error")}
+	cfg := Config{
+		Credentials: ClientCredentials{ID: "c#id", Secret: "c secret"},
+		Scope:       []string{"foo-scope", "bar-scope"},
+		TokenURL:    "http://example.com/token",
+		AuthMethod:  AuthMethodClientSecretBasic,
+		RedirectURL: "http://example.com/redirect",
+		AuthURL:     "http://example.com/auth",
+	}
+
+	c, err := NewClient(hc, cfg)
+	if err != nil {
+		t.Errorf("unexpected error %v", err)
+	}
+
+	c.UserCredsToken("username", "password")
+	if hc.Request == nil {
+		t.Error("request is empty")
+	}
+
+	tu := hc.Request.URL.String()
+	if cfg.TokenURL != tu {
+		t.Errorf("wrong token url, want=%v, got=%v", cfg.TokenURL, tu)
+	}
+
+	ct := hc.Request.Header.Get("Content-Type")
+	if ct != "application/x-www-form-urlencoded" {
+		t.Errorf("wrong content-type, want=application/x-www-form-urlencoded, got=%v", ct)
+	}
+
+	cid, secret, ok := phttp.BasicAuth(hc.Request)
+	if !ok {
+		t.Error("unexpected error parsing basic auth")
+	}
+
+	if url.QueryEscape(cfg.Credentials.ID) != cid {
+		t.Errorf("wrong client ID, want=%v, got=%v", cfg.Credentials.ID, cid)
+	}
+
+	if url.QueryEscape(cfg.Credentials.Secret) != secret {
+		t.Errorf("wrong client secret, want=%v, got=%v", cfg.Credentials.Secret, secret)
+	}
+
+	err = hc.Request.ParseForm()
+	if err != nil {
+		t.Error("unexpected error parsing form")
+	}
+
+	gt := hc.Request.PostForm.Get("grant_type")
+	if gt != GrantTypeUserCreds {
+		t.Errorf("wrong grant_type, want=%v, got=%v", GrantTypeUserCreds, gt)
+	}
+
+	sc := strings.Split(hc.Request.PostForm.Get("scope"), " ")
+	if !reflect.DeepEqual(c.scope, sc) {
+		t.Errorf("wrong scope, want=%v, got=%v", c.scope, sc)
+	}
+}
+
+func TestNewAuthenticatedRequest(t *testing.T) {
+	tests := []struct {
+		authMethod string
+		url        string
+		values     url.Values
+	}{
+		{
+			authMethod: AuthMethodClientSecretBasic,
+			url:        "http://example.com/token",
+			values:     url.Values{},
+		},
+		{
+			authMethod: AuthMethodClientSecretPost,
+			url:        "http://example.com/token",
+			values:     url.Values{},
+		},
+	}
+
+	for i, tt := range tests {
+		cfg := Config{
+			Credentials: ClientCredentials{ID: "c#id", Secret: "c secret"},
+			Scope:       []string{"foo-scope", "bar-scope"},
+			TokenURL:    "http://example.com/token",
+			AuthURL:     "http://example.com/auth",
+			RedirectURL: "http://example.com/redirect",
+			AuthMethod:  tt.authMethod,
+		}
+		c, err := NewClient(nil, cfg)
+		req, err := c.newAuthenticatedRequest(tt.url, tt.values)
+		if err != nil {
+			t.Errorf("case %d: unexpected error: %v", i, err)
+			continue
+		}
+		err = req.ParseForm()
+		if err != nil {
+			t.Errorf("case %d: want nil err, got %v", i, err)
+		}
+
+		if tt.authMethod == AuthMethodClientSecretBasic {
+			cid, secret, ok := phttp.BasicAuth(req)
+			if !ok {
+				t.Errorf("case %d: !ok parsing Basic Auth headers", i)
+				continue
+			}
+			if cid != url.QueryEscape(cfg.Credentials.ID) {
+				t.Errorf("case %d: want CID == %q, got CID == %q", i, cfg.Credentials.ID, cid)
+			}
+			if secret != url.QueryEscape(cfg.Credentials.Secret) {
+				t.Errorf("case %d: want secret == %q, got secret == %q", i, cfg.Credentials.Secret, secret)
+			}
+		} else if tt.authMethod == AuthMethodClientSecretPost {
+			if req.PostFormValue("client_secret") != cfg.Credentials.Secret {
+				t.Errorf("case %d: want client_secret == %q, got client_secret == %q",
+					i, cfg.Credentials.Secret, req.PostFormValue("client_secret"))
+			}
+		}
+
+		for k, v := range tt.values {
+			if !reflect.DeepEqual(v, req.PostForm[k]) {
+				t.Errorf("case %d: key:%q want==%q, got==%q", i, k, v, req.PostForm[k])
+			}
+		}
+
+		if req.URL.String() != tt.url {
+			t.Errorf("case %d: want URL==%q, got URL==%q", i, tt.url, req.URL.String())
+		}
+
+	}
+}
+
+func TestParseTokenResponse(t *testing.T) {
+	type response struct {
+		body        string
+		contentType string
+		statusCode  int // defaults to http.StatusOK
+	}
+	tests := []struct {
+		resp      response
+		wantResp  TokenResponse
+		wantError *Error
+	}{
+		{
+			resp: response{
+				body:        "{ \"error\": \"invalid_client\", \"state\": \"foo\" }",
+				contentType: "application/json",
+				statusCode:  http.StatusBadRequest,
+			},
+			wantError: &Error{Type: "invalid_client", State: "foo"},
+		},
+		{
+			resp: response{
+				body:        "{ \"error\": \"invalid_request\", \"state\": \"bar\" }",
+				contentType: "application/json",
+				statusCode:  http.StatusBadRequest,
+			},
+			wantError: &Error{Type: "invalid_request", State: "bar"},
+		},
+		{
+			// Actual response from bitbucket
+			resp: response{
+				body:        `{"error_description": "Invalid OAuth client credentials", "error": "unauthorized_client"}`,
+				contentType: "application/json",
+				statusCode:  http.StatusBadRequest,
+			},
+			wantError: &Error{Type: "unauthorized_client", Description: "Invalid OAuth client credentials"},
+		},
+		{
+			// Actual response from github
+			resp: response{
+				body:        `error=incorrect_client_credentials&error_description=The+client_id+and%2For+client_secret+passed+are+incorrect.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23incorrect-client-credentials`,
+				contentType: "application/x-www-form-urlencoded; charset=utf-8",
+			},
+			wantError: &Error{Type: "incorrect_client_credentials", Description: "The client_id and/or client_secret passed are incorrect."},
+		},
+		{
+			resp: response{
+				body:        `{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a", "scope":"repo,gist", "token_type":"bearer"}`,
+				contentType: "application/json",
+			},
+			wantResp: TokenResponse{
+				AccessToken: "e72e16c7e42f292c6912e7710c838347ae178b4a",
+				TokenType:   "bearer",
+				Scope:       "repo,gist",
+			},
+		},
+		{
+			resp: response{
+				body:        `access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&scope=user%2Cgist&token_type=bearer`,
+				contentType: "application/x-www-form-urlencoded",
+			},
+			wantResp: TokenResponse{
+				AccessToken: "e72e16c7e42f292c6912e7710c838347ae178b4a",
+				TokenType:   "bearer",
+				Scope:       "user,gist",
+			},
+		},
+		{
+			resp: response{
+				body:        `{"access_token":"foo","id_token":"bar","expires_in":200,"token_type":"bearer","refresh_token":"spam"}`,
+				contentType: "application/json; charset=utf-8",
+			},
+			wantResp: TokenResponse{
+				AccessToken:  "foo",
+				IDToken:      "bar",
+				Expires:      200,
+				TokenType:    "bearer",
+				RefreshToken: "spam",
+			},
+		},
+		{
+			// Azure AD returns "expires_in" value as string
+			resp: response{
+				body:        `{"access_token":"foo","id_token":"bar","expires_in":"300","token_type":"bearer","refresh_token":"spam"}`,
+				contentType: "application/json; charset=utf-8",
+			},
+			wantResp: TokenResponse{
+				AccessToken:  "foo",
+				IDToken:      "bar",
+				Expires:      300,
+				TokenType:    "bearer",
+				RefreshToken: "spam",
+			},
+		},
+		{
+			resp: response{
+				body:        `{"access_token":"foo","id_token":"bar","expires":200,"token_type":"bearer","refresh_token":"spam"}`,
+				contentType: "application/json; charset=utf-8",
+			},
+			wantResp: TokenResponse{
+				AccessToken:  "foo",
+				IDToken:      "bar",
+				Expires:      200,
+				TokenType:    "bearer",
+				RefreshToken: "spam",
+			},
+		},
+		{
+			resp: response{
+				body:        `access_token=foo&id_token=bar&expires_in=200&token_type=bearer&refresh_token=spam`,
+				contentType: "application/x-www-form-urlencoded",
+			},
+			wantResp: TokenResponse{
+				AccessToken:  "foo",
+				IDToken:      "bar",
+				Expires:      200,
+				TokenType:    "bearer",
+				RefreshToken: "spam",
+			},
+		},
+	}
+
+	for i, tt := range tests {
+		r := &http.Response{
+			StatusCode: http.StatusOK,
+			Header: http.Header{
+				"Content-Type":   []string{tt.resp.contentType},
+				"Content-Length": []string{strconv.Itoa(len([]byte(tt.resp.body)))},
+			},
+			Body:          ioutil.NopCloser(strings.NewReader(tt.resp.body)),
+			ContentLength: int64(len([]byte(tt.resp.body))),
+		}
+		if tt.resp.statusCode != 0 {
+			r.StatusCode = tt.resp.statusCode
+		}
+
+		result, err := parseTokenResponse(r)
+		if err != nil {
+			if tt.wantError == nil {
+				t.Errorf("case %d: got error==%v", i, err)
+				continue
+			}
+			if !reflect.DeepEqual(tt.wantError, err) {
+				t.Errorf("case %d: want=%+v, got=%+v", i, tt.wantError, err)
+			}
+		} else {
+			if tt.wantError != nil {
+				t.Errorf("case %d: want error==%v, got==nil", i, tt.wantError)
+				continue
+			}
+			// don't compare the raw body (it's really big and clogs error messages)
+			result.RawBody = tt.wantResp.RawBody
+			if !reflect.DeepEqual(tt.wantResp, result) {
+				t.Errorf("case %d: want=%+v, got=%+v", i, tt.wantResp, result)
+			}
+		}
+	}
+}