vendor: golang.org/x/oauth2 v0.34.0

x/oauth2: populate RetrieveError from DeviceAuth

Endpoints may return errors when attempting to request device
authorization. Currently, these error codes are ignored and an
otherwise empty RetrieveError returned. This change populates
the RetrieveError similar to the oauth2 token exchange.

full diff: https://github.com/golang/oauth2/compare/v0.30.0...v0.34.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

go.mod

@@ -247,7 +247,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/crypto v0.46.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/tools v0.40.0 // indirect
 	google.golang.org/api v0.248.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect; TODO(thaJeztah): should we keep this one aligned with the other google.golang.org/genproto/xxx modules?

go.sum

@@ -744,8 +744,8 @@ golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
 golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20170912212905-13449ad91cb2/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20170517211232-f52d1811a629/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

vendor/golang.org/x/oauth2/deviceauth.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"mime"
 	"net/http"
 	"net/url"
 	"strings"
@@ -116,10 +117,38 @@ func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAu
 		return nil, fmt.Errorf("oauth2: cannot auth device: %v", err)
 	}
 	if code := r.StatusCode; code < 200 || code > 299 {
-		return nil, &RetrieveError{
+		retrieveError := &RetrieveError{
 			Response: r,
 			Body:     body,
 		}
+
+		content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
+		switch content {
+		case "application/x-www-form-urlencoded", "text/plain":
+			// some endpoints return a query string
+			vals, err := url.ParseQuery(string(body))
+			if err != nil {
+				return nil, retrieveError
+			}
+			retrieveError.ErrorCode = vals.Get("error")
+			retrieveError.ErrorDescription = vals.Get("error_description")
+			retrieveError.ErrorURI = vals.Get("error_uri")
+		default:
+			var tj struct {
+				// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+				ErrorCode        string `json:"error"`
+				ErrorDescription string `json:"error_description"`
+				ErrorURI         string `json:"error_uri"`
+			}
+			if json.Unmarshal(body, &tj) != nil {
+				return nil, retrieveError
+			}
+			retrieveError.ErrorCode = tj.ErrorCode
+			retrieveError.ErrorDescription = tj.ErrorDescription
+			retrieveError.ErrorURI = tj.ErrorURI
+		}
+
+		return nil, retrieveError
 	}
 
 	da := &DeviceAuthResponse{}

vendor/golang.org/x/oauth2/google/externalaccount/aws.go

@@ -5,7 +5,6 @@
 package externalaccount
 
 import (
-	"bytes"
 	"context"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -148,13 +147,13 @@ func canonicalHeaders(req *http.Request) (string, string) {
 	}
 	sort.Strings(headers)
 
-	var fullHeaders bytes.Buffer
+	var fullHeaders strings.Builder
 	for _, header := range headers {
 		headerValue := strings.Join(lowerCaseHeaders[header], ",")
 		fullHeaders.WriteString(header)
-		fullHeaders.WriteRune(':')
+		fullHeaders.WriteByte(':')
 		fullHeaders.WriteString(headerValue)
-		fullHeaders.WriteRune('\n')
+		fullHeaders.WriteByte('\n')
 	}
 
 	return strings.Join(headers, ";"), fullHeaders.String()

vendor/golang.org/x/oauth2/google/google.go

@@ -252,7 +252,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 // Further information about retrieving access tokens from the GCE metadata
 // server can be found at https://cloud.google.com/compute/docs/authentication.
 func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource {
-	// refresh 3 minutes and 45 seconds early. The shortest MDS cache is currently 4 minutes, so any
+	// Refresh 3 minutes and 45 seconds early. The shortest MDS cache is currently 4 minutes, so any
 	// refreshes earlier are a waste of compute.
 	earlyExpirySecs := 225 * time.Second
 	return computeTokenSource(account, earlyExpirySecs, scope...)

vendor/golang.org/x/oauth2/oauth2.go

@@ -9,7 +9,6 @@
 package oauth2 // import "golang.org/x/oauth2"
 
 import (
-	"bytes"
 	"context"
 	"errors"
 	"net/http"
@@ -99,7 +98,7 @@ const (
 	// in the POST body as application/x-www-form-urlencoded parameters.
 	AuthStyleInParams AuthStyle = 1
 
-	// AuthStyleInHeader sends the client_id and client_password
+	// AuthStyleInHeader sends the client_id and client_secret
 	// using HTTP Basic Authorization. This is an optional style
 	// described in the OAuth2 RFC 6749 section 2.3.1.
 	AuthStyleInHeader AuthStyle = 2
@@ -158,7 +157,7 @@ func SetAuthURLParam(key, value string) AuthCodeOption {
 // PKCE), https://www.oauth.com/oauth2-servers/pkce/ and
 // https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html#name-cross-site-request-forgery (describing both approaches)
 func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
-	var buf bytes.Buffer
+	var buf strings.Builder
 	buf.WriteString(c.Endpoint.AuthURL)
 	v := url.Values{
 		"response_type": {"code"},

vendor/golang.org/x/oauth2/pkce.go

@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 	return base64.RawURLEncoding.EncodeToString(sha[:])
 }
 
-// S256ChallengeOption derives a PKCE code challenge derived from verifier with
+// S256ChallengeOption derives a PKCE code challenge from the verifier with
 // method S256. It should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {

vendor/golang.org/x/oauth2/token.go

@@ -103,7 +103,7 @@ func (t *Token) WithExtra(extra any) *Token {
 }
 
 // Extra returns an extra field.
-// Extra fields are key-value pairs returned by the server as a
+// Extra fields are key-value pairs returned by the server as
 // part of the token retrieval response.
 func (t *Token) Extra(key string) any {
 	if raw, ok := t.raw.(map[string]any); ok {

vendor/golang.org/x/oauth2/transport.go

@@ -58,7 +58,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 var cancelOnce sync.Once
 
 // CancelRequest does nothing. It used to be a legacy cancellation mechanism
-// but now only it only logs on first use to warn that it's deprecated.
+// but now only logs on first use to warn that it's deprecated.
 //
 // Deprecated: use contexts for cancellation instead.
 func (t *Transport) CancelRequest(req *http.Request) {

vendor/modules.txt

@@ -1649,8 +1649,8 @@ golang.org/x/net/ipv4
 golang.org/x/net/ipv6
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.30.0
-## explicit; go 1.23.0
+# golang.org/x/oauth2 v0.34.0
+## explicit; go 1.24.0
 golang.org/x/oauth2
 golang.org/x/oauth2/authhandler
 golang.org/x/oauth2/google