(feat) Enable auto refreshing access tokens through the oauth2 custom transport in the client

Author: christianarty

api/client.go

@@ -32,8 +32,10 @@ func getAPIToken(config *jira.Config) string {
 	}
 
 	// Try OAuth access token if available and valid
-	if oauthToken := oauth.GetValidAccessToken(); oauthToken != "" {
-		return oauthToken
+	if oauth.HasOAuthCredentials() {
+		tk, _ := oauth.LoadOAuth2TokenSource()
+		token, _ := tk.Token()
+		return token.AccessToken
 	}
 
 	// Try netrc file
@@ -73,15 +75,26 @@ func Client(config jira.Config) *jira.Client {
 		config.Insecure = &insecure
 	}
 
-	// Get API token from various sources
-	config.APIToken = getAPIToken(&config)
-
-	// If we have an OAuth token, set auth type to OAuth
-	if oauthToken := oauth.GetValidAccessToken(); oauthToken != "" && config.APIToken == oauthToken {
-		oauthAuthType := jira.AuthTypeOAuth
-		config.AuthType = &oauthAuthType
+	// Check if we have OAuth credentials and should use OAuth
+	if oauth.HasOAuthCredentials() && config.AuthType != nil && *config.AuthType == jira.AuthTypeOAuth {
+		// Try to create OAuth2 token source
+		tokenSource, err := oauth.LoadOAuth2TokenSource()
+		if err == nil {
+			// We have valid OAuth credentials, use OAuth authentication
+			// Pass the TokenSource to the client via a custom option
+			jiraClient = jira.NewClient(
+				config,
+				jira.WithTimeout(clientTimeout),
+				jira.WithInsecureTLS(*config.Insecure),
+				jira.WithOAuth2TokenSource(tokenSource),
+			)
+			return jiraClient
+		}
 	}
 
+	// Get API token from various sources (fallback for non-OAuth auth)
+	config.APIToken = getAPIToken(&config)
+
 	// MTLS
 
 	if config.MTLSConfig.CaCert == "" {

internal/cmd/root/root.go

@@ -157,7 +157,7 @@ func cmdRequireToken(cmd string) bool {
 }
 
 func checkForJiraToken(server string, login string) {
-	if oauthToken := oauth.GetValidAccessToken(); oauthToken != "" {
+	if oauth.HasOAuthCredentials() {
 		return
 	}
 

pkg/jira/client.go

@@ -14,6 +14,8 @@ import (
 	"os"
 	"strings"
 	"time"
+
+	"golang.org/x/oauth2"
 )
 
 const (
@@ -116,14 +118,15 @@ type Config struct {
 
 // Client is a jira client.
 type Client struct {
-	transport http.RoundTripper
-	insecure  bool
-	server    string
-	login     string
-	authType  *AuthType
-	token     string
-	timeout   time.Duration
-	debug     bool
+	transport   http.RoundTripper
+	insecure    bool
+	server      string
+	login       string
+	authType    *AuthType
+	token       string
+	timeout     time.Duration
+	debug       bool
+	tokenSource oauth2.TokenSource
 }
 
 // ClientFunc decorates option for client.
@@ -142,8 +145,8 @@ func NewClient(c Config, opts ...ClientFunc) *Client {
 	for _, opt := range opts {
 		opt(&client)
 	}
-
-	transport := &http.Transport{
+	var transport http.RoundTripper
+	transport = &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		TLSClientConfig: &tls.Config{
 			MinVersion:         tls.VersionTLS12,
@@ -154,6 +157,15 @@ func NewClient(c Config, opts ...ClientFunc) *Client {
 		}).DialContext,
 	}
 
+	if c.AuthType != nil && *c.AuthType == AuthTypeOAuth && client.tokenSource != nil {
+		// Use OAuth2 transport with automatic token refresh
+		baseTransport := transport
+		transport = &oauth2.Transport{
+			Base:   baseTransport,
+			Source: oauth2.ReuseTokenSource(nil, client.tokenSource),
+		}
+	}
+
 	if c.AuthType != nil && *c.AuthType == AuthTypeMTLS {
 		// Create a CA certificate pool and add cert.pem to it.
 		caCert, err := os.ReadFile(c.MTLSConfig.CaCert)
@@ -170,9 +182,10 @@ func NewClient(c Config, opts ...ClientFunc) *Client {
 		}
 
 		// Add the MTLS specific configuration.
-		transport.TLSClientConfig.RootCAs = caCertPool
-		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
-		transport.TLSClientConfig.Renegotiation = tls.RenegotiateFreelyAsClient
+		tlsConfig := transport.(*http.Transport).TLSClientConfig
+		tlsConfig.RootCAs = caCertPool
+		tlsConfig.Certificates = []tls.Certificate{cert}
+		tlsConfig.Renegotiation = tls.RenegotiateFreelyAsClient
 	}
 
 	client.transport = transport
@@ -194,6 +207,13 @@ func WithInsecureTLS(ins bool) ClientFunc {
 	}
 }
 
+// WithOAuth2TokenSource is a functional opt to attach OAuth2 token source to the client.
+func WithOAuth2TokenSource(tokenSource oauth2.TokenSource) ClientFunc {
+	return func(c *Client) {
+		c.tokenSource = tokenSource
+	}
+}
+
 // Get sends GET request to v3 version of the jira api.
 func (c *Client) Get(ctx context.Context, path string, headers Header) (*http.Response, error) {
 	return c.request(ctx, http.MethodGet, c.server+baseURLv3+path, nil, headers)
@@ -280,7 +300,11 @@ func (c *Client) request(ctx context.Context, method, endpoint string, body []by
 			req.Header.Add("Authorization", "Bearer "+c.token)
 		}
 	case string(AuthTypeOAuth):
-		req.Header.Add("Authorization", "Bearer "+c.token)
+		// OAuth authentication is handled by oauth2.Transport automatically
+		// Only add manual auth header if we don't have a TokenSource (fallback mode)
+		if c.tokenSource == nil && c.token != "" {
+			req.Header.Add("Authorization", "Bearer "+c.token)
+		}
 	case string(AuthTypeBearer):
 		req.Header.Add("Authorization", "Bearer "+c.token)
 	case string(AuthTypeBasic):

pkg/oauth/oauth.go

@@ -51,30 +51,32 @@ type OAuthConfig struct {
 	Scopes       []string
 }
 
-// OAuthSecrets holds all OAuth secrets in a single structure
-type OAuthSecrets struct {
-	ClientSecret string    `json:"client_secret"`
-	AccessToken  string    `json:"access_token"`
-	RefreshToken string    `json:"refresh_token"`
-	TokenType    string    `json:"token_type"`
-	Expiry       time.Time `json:"expiry"`
-}
-
 // ConfigureTokenResponse holds the OAuth token response
 type ConfigureTokenResponse struct {
 	AccessToken  string
 	RefreshToken string
 	CloudID      string
 }
 
-// IsExpired checks if the access token is expired
-func (o *OAuthSecrets) IsExpired() bool {
-	return time.Now().After(o.Expiry)
-}
+// GetOAuth2Config creates an OAuth2 config for the given client credentials
+func GetOAuth2Config(clientID, clientSecret, redirectURI string, scopes []string) *oauth2.Config {
+	if scopes == nil {
+		scopes = defaultScopes
+	}
 
-// IsValid checks if the OAuth secrets are valid and not expired
-func (o *OAuthSecrets) IsValid() bool {
-	return o.AccessToken != "" && !o.IsExpired()
+	if redirectURI == "" {
+		redirectURI = defaultRedirectURI
+	}
+	return &oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectURI,
+		Scopes:       scopes,
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  jiraAuthURL,
+			TokenURL: jiraTokenURL,
+		},
+	}
 }
 
 // Configure performs the complete OAuth flow and returns tokens
@@ -106,6 +108,7 @@ func Configure() (*ConfigureTokenResponse, error) {
 
 	// Store all OAuth secrets in a single JSON file
 	oauthSecrets := &OAuthSecrets{
+		ClientID:     config.ClientID,
 		ClientSecret: config.ClientSecret,
 		AccessToken:  tokens.AccessToken,
 		RefreshToken: tokens.RefreshToken,
@@ -154,6 +157,12 @@ func GetValidAccessToken() string {
 	return ""
 }
 
+// HasOAuthCredentials checks if OAuth credentials are present
+func HasOAuthCredentials() bool {
+	_, err := LoadOAuthSecrets()
+	return err == nil
+}
+
 // collectOAuthCredentials collects OAuth credentials from the user
 func collectOAuthCredentials() (*OAuthConfig, error) {
 	var questions []*survey.Question
@@ -206,16 +215,7 @@ func performOAuthFlow(config *OAuthConfig) (*oauth2.Token, error) {
 	defer s.Stop()
 
 	// OAuth2 configuration for JIRA
-	oauthConfig := &oauth2.Config{
-		ClientID:     config.ClientID,
-		ClientSecret: config.ClientSecret,
-		RedirectURL:  config.RedirectURI,
-		Scopes:       config.Scopes,
-		Endpoint: oauth2.Endpoint{
-			AuthURL:  jiraAuthURL,
-			TokenURL: jiraTokenURL,
-		},
-	}
+	oauthConfig := GetOAuth2Config(config.ClientID, config.ClientSecret, config.RedirectURI, config.Scopes)
 
 	// Generate authorization URL with PKCE
 	verifier := oauth2.GenerateVerifier()