Adding OAuth2 ROPC #676

Open
nwest1 opened this issue Feb 18, 2021 · 2 comments

nwest1 (Contributor) commented Feb 18, 2021

As of the current PR #674 - this works as expected except for when a token expires.

Looking to implement this part of the spec: https://tools.ietf.org/html/rfc6749#section-4.3

Because refresh tokens are optional (and internally, we don't implement them), I'm not sure what the best strategy is to handle refreshing the whole thing.

The core library seems to take care of refreshing properly if a refresh token is available. If it isn't, we'd need to refresh the whole token and implement something to refresh the token based on expiration. Whether that's in /lib/util/http/client/type.go, /lib/util/http/auth/oauth2.go or elsewhere is TBD.

I'm going to experiment a bit with some of the options in the thread below and hope to arrive at something fruitful. Hoping to get your thoughts on where you prefer to see these changes. Does the current oauth2 client credentials work correctly for refreshing tokens?

Some discussion related:
golang/oauth2#84

Thanks again!

nwest1 (Contributor, Author) commented Feb 18, 2021

I'm a bit hesitant to add any sort of caching / async refresh to this due to complexity in backoff strategies and concurrency. My gut is telling me to (when configured) check expiry before any httpclient.Do() and refresh the token if needed.
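The approach described in the comment above (check expiry before each request and re-run the password grant when needed), sketched with the standard library only as an added example; it is not code from the project or from either commenter. `ropcClient` and its field names are hypothetical, and it assumes a token endpoint that needs no client authentication and returns `expires_in`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// ropcClient (hypothetical name) re-runs the RFC 6749 section 4.3 password grant when the token nears expiry.
type ropcClient struct {
	HTTP                 *http.Client
	TokenURL, User, Pass string     // assumption: endpoint needs no client authentication
	mu                   sync.Mutex // one synchronous refresh at a time, no background goroutine
	token                string
	expiry               time.Time
}

func (c *ropcClient) Do(req *http.Request) (*http.Response, error) { // expiry is checked before every send
	tok, err := c.accessToken()
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+tok)
	return c.HTTP.Do(req)
}

func (c *ropcClient) accessToken() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && time.Now().Add(10*time.Second).Before(c.expiry) {
		return c.token, nil // still valid, with a 10s safety margin
	}
	res, err := c.HTTP.PostForm(c.TokenURL, url.Values{"grant_type": {"password"}, "username": {c.User}, "password": {c.Pass}})
	if err != nil {
		return "", err
	}
	defer res.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"` // optional in the RFC; 0 means fetch on every call
	}
	if err := json.NewDecoder(res.Body).Decode(&body); err != nil || res.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", fmt.Errorf("password grant failed: HTTP %d", res.StatusCode)
	}
	c.token, c.expiry = body.AccessToken, time.Now().Add(time.Duration(body.ExpiresIn)*time.Second)
	return c.token, nil
}
```

Without a refresh token, the resource owner password has to stay in the client's memory for as long as it runs, since every renewal repeats the full grant.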

Jeffail (Collaborator) commented Feb 19, 2021

Hey @nwest1, I'm a little out of my comfort zone with oauth2 algorithms but I'll try and read up on this soon.
