feat: use oauth2 for token structs

radar07 · radar07 · commit b3cba20c60ef · 2026-02-22T14:52:59.000+05:30
diff --git a/oauthex/jwt_bearer.go b/oauthex/jwt_bearer.go
@@ -26,42 +26,6 @@ import (
 // This is used in SEP-990 to exchange an ID-JAG for an access token at the MCP Server.
 const GrantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
-// JWTBearerResponse represents the response from a JWT Bearer grant request
-// per RFC 7523. This uses the standard OAuth 2.0 token response format.
-type JWTBearerResponse struct {
-	// AccessToken is the OAuth access token issued by the MCP Server's
-	// authorization server.
-	AccessToken string `json:"access_token"`
-	// TokenType is the type of token issued. This is typically "Bearer".
-	TokenType string `json:"token_type"`
-	// ExpiresIn is the lifetime in seconds of the access token.
-	ExpiresIn int `json:"expires_in,omitempty"`
-	// RefreshToken is the refresh token, which can be used to obtain new
-	// access tokens using the same authorization grant.
-	RefreshToken string `json:"refresh_token,omitempty"`
-	// Scope is the scope of the access token as described by RFC 6749 Section 3.3.
-	Scope string `json:"scope,omitempty"`
-}
-
-// JWTBearerError represents an error response from a JWT Bearer grant request.
-type JWTBearerError struct {
-	// ErrorCode is the error code as defined in RFC 6749 Section 5.2.
-	// The JSON field name is "error" per the RFC specification.
-	ErrorCode string `json:"error"`
-	// ErrorDescription is a human-readable description of the error.
-	ErrorDescription string `json:"error_description,omitempty"`
-	// ErrorURI is a URI identifying a human-readable web page with information
-	// about the error.
-	ErrorURI string `json:"error_uri,omitempty"`
-}
-
-func (e *JWTBearerError) Error() string {
-	if e.ErrorDescription != "" {
-		return fmt.Sprintf("JWT bearer grant failed: %s (%s)", e.ErrorCode, e.ErrorDescription)
-	}
-	return fmt.Sprintf("JWT bearer grant failed: %s", e.ErrorCode)
-}
-
 // ExchangeJWTBearer exchanges an Identity Assertion JWT Authorization Grant (ID-JAG)
 // for an access token using JWT Bearer Grant per RFC 7523. This is the second step
 // in Enterprise Managed Authorization (SEP-990) after obtaining the ID-JAG from the
@@ -151,7 +115,13 @@ func ExchangeJWTBearer(
 	}
 	// Handle success response (200 OK per OAuth 2.0)
 	if httpResp.StatusCode == http.StatusOK {
-		var resp JWTBearerResponse
+		var resp struct {
+			AccessToken  string `json:"access_token"`
+			TokenType    string `json:"token_type"`
+			ExpiresIn    int    `json:"expires_in,omitempty`
+			RefreshToken string `json:"refresh_token,omitempty"`
+			Scope        string `json:"scope,omitempty"`
+		}
 		if err := json.Unmarshal(body, &resp); err != nil {
 			return nil, fmt.Errorf("failed to parse JWT bearer grant response: %w (body: %s)", err, string(body))
 		}
@@ -182,12 +152,25 @@ func ExchangeJWTBearer(
 	}
 	// Handle error response (400 Bad Request per RFC 6749)
 	if httpResp.StatusCode == http.StatusBadRequest {
-		var errResp JWTBearerError
+		var errResp struct {
+			Error            string `json:"error"`
+			ErrorDescription string `json:"error_description,omitempty"`
+			ErrorURI         string `json:"error_uri,omitempty"`
+		}
 		if err := json.Unmarshal(body, &errResp); err != nil {
 			return nil, fmt.Errorf("failed to parse error response: %w (body: %s)", err, string(body))
 		}
-		return nil, &errResp
+		return nil, &oauth2.RetrieveError{
+			Response:         httpResp,
+			Body:             body,
+			ErrorCode:        errResp.Error,
+			ErrorDescription: errResp.ErrorDescription,
+			ErrorURI:         errResp.ErrorURI,
+		}
 	}
 	// Handle unexpected status codes
-	return nil, fmt.Errorf("unexpected status code %d: %s", httpResp.StatusCode, string(body))
+	return nil, &oauth2.RetrieveError{
+		Response: httpResp,
+		Body:     body,
+	}
 }
diff --git a/oauthex/jwt_bearer_test.go b/oauthex/jwt_bearer_test.go
@@ -64,7 +64,13 @@ func TestExchangeJWTBearer(t *testing.T) {
 			return
 		}
 		// Return successful OAuth token response
-		resp := JWTBearerResponse{
+		resp := struct {
+			AccessToken  string `json:"access_token"`
+			TokenType    string `json:"token_type"`
+			ExpiresIn    int    `json:"expires_in,omitempty"`
+			Scope        string `json:"scope,omitempty"`
+			RefreshToken string `json:"refresh_token,omitempty"`
+		}{
 			AccessToken:  "mcp-access-token-123",
 			TokenType:    "Bearer",
 			ExpiresIn:    3600,
@@ -143,7 +149,10 @@ func TestExchangeJWTBearer(t *testing.T) {
 
 // writeJWTBearerErrorResponse writes an OAuth 2.0 error response per RFC 6749 Section 5.2.
 func writeJWTBearerErrorResponse(w http.ResponseWriter, errorCode, errorDescription string) {
-	errResp := JWTBearerError{
+	errResp := struct {
+		Error     string `json:"error"`
+		ErrorCode string `json:"error_description,omitempty"`
+	}{
 		ErrorCode:        errorCode,
 		ErrorDescription: errorDescription,
 	}
diff --git a/oauthex/token_exchange.go b/oauthex/token_exchange.go
@@ -17,6 +17,8 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+
+	"golang.org/x/oauth2"
 )
 
 // Token type identifiers defined by RFC 8693 and SEP-990.
@@ -92,26 +94,6 @@ type TokenExchangeResponse struct {
 	ExpiresIn int `json:"expires_in,omitempty"`
 }
 
-// TokenExchangeError represents an error response from a token exchange request.
-type TokenExchangeError struct {
-	// Error is the error code as defined in RFC 6749 Section 5.2.
-	ErrorCode string `json:"error"`
-
-	// ErrorDescription is a human-readable description of the error.
-	ErrorDescription string `json:"error_description,omitempty"`
-
-	// ErrorURI is a URI identifying a human-readable web page with information
-	// about the error.
-	ErrorURI string `json:"error_uri,omitempty"`
-}
-
-func (e *TokenExchangeError) Error() string {
-	if e.ErrorDescription != "" {
-		return fmt.Sprintf("token exchange failed: %s (%s)", e.ErrorCode, e.ErrorDescription)
-	}
-	return fmt.Sprintf("token exchange failed: %s", e.ErrorCode)
-}
-
 // ExchangeToken performs a token exchange request per RFC 8693 for Enterprise
 // Managed Authorization (SEP-990). It exchanges an identity assertion (typically
 // an ID Token) for an Identity Assertion JWT Authorization Grant (ID-JAG) that
@@ -255,13 +237,26 @@ func ExchangeToken(
 
 	// Handle error response (400 Bad Request per RFC 6749)
 	if httpResp.StatusCode == http.StatusBadRequest {
-		var errResp TokenExchangeError
+		var errResp struct {
+			Error            string `json:"error"`
+			ErrorDescription string `json:"error_description,omitempty"`
+			ErrorURI         string `json:"error_uri,omitempty"`
+		}
 		if err := json.Unmarshal(body, &errResp); err != nil {
 			return nil, fmt.Errorf("failed to parse error response: %w (body: %s)", err, string(body))
 		}
-		return nil, &errResp
+		return nil, &oauth2.RetrieveError{
+			Response:         httpResp,
+			Body:             body,
+			ErrorCode:        errResp.Error,
+			ErrorDescription: errResp.ErrorDescription,
+			ErrorURI:         errResp.ErrorURI,
+		}
 	}
 
 	// Handle unexpected status codes
-	return nil, fmt.Errorf("unexpected status code %d: %s", httpResp.StatusCode, string(body))
+	return nil, &oauth2.RetrieveError{
+		Response: httpResp,
+		Body:     body,
+	}
 }
diff --git a/oauthex/token_exchange_test.go b/oauthex/token_exchange_test.go
@@ -208,7 +208,10 @@ func TestExchangeToken(t *testing.T) {
 
 // writeErrorResponse writes an OAuth 2.0 error response per RFC 6749 Section 5.2.
 func writeErrorResponse(w http.ResponseWriter, errorCode, errorDescription string) {
-	errResp := TokenExchangeError{
+	errResp := struct {
+		Error            string `json:"error"`
+		ErrorDescription string `json:"error_description,omitempty"`
+	}{
 		ErrorCode:        errorCode,
 		ErrorDescription: errorDescription,
 	}
