Documentation

Constants
const (
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // G101: an OAuth grant_type URN, not a credential
	TokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"   //nolint:gosec // G101: an RFC 8693 token-type URN, not a credential
)
RFC 8693 grant + token-type URNs. Re-export the literals so callers composing /oauth/token forms don't keep parallel copies. Lifted out of core/repoadmin and core/api during COR-337 cleanup.
Variables
This section is empty.
Functions
func BodyReader
func BodyReader(body []byte) io.ReadCloser
BodyReader wraps a buffered request body so http.Request.Body / GetBody can replay it across a retry. Pair with BufferRequestBody.
func BufferRequestBody
BufferRequestBody reads the request body once so a fallback retry can replay it. http.NoBody and nil both signal "no body" and short-circuit, but only nil is a runtime nil, so the check is an explicit identity comparison against http.NoBody rather than a nil test. Leaving http.NoBody in place keeps the cloned request's Content-Length correct on the wire: wrapping its zero bytes in a fresh reader would turn a known zero length into an unknown one. Returns (nil, nil) for no-body requests; the caller can forward them without replay state.
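The replay the two helpers above enable, as an added example that is not part of this package: bufferBody and readTwice are illustrative stand-ins whose names and signatures are assumed (the page does not show BufferRequestBody's signature), and bodyReader mirrors the documented BodyReader. The request is a constructed sample. The example shows why the NoBody/nil pass-through matters and why a retry must rebuild the body from GetBody rather than reuse the drained reader.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// bodyReader mirrors BodyReader: a fresh ReadCloser over the buffered bytes,
// handed out once per attempt.
func bodyReader(body []byte) io.ReadCloser {
	return io.NopCloser(bytes.NewReader(body))
}

// bufferBody is an illustrative stand-in for BufferRequestBody (signature
// assumed). It drains req.Body once and installs a replayable Body/GetBody
// pair. nil and http.NoBody both mean "no body" and are passed through
// untouched: swapping http.NoBody for an empty bytes.Reader would make
// net/http treat the length as unknown and send a POST chunked instead of
// with Content-Length: 0.
func bufferBody(req *http.Request) ([]byte, error) {
	if req.Body == nil || req.Body == http.NoBody {
		return nil, nil
	}
	buf, err := io.ReadAll(req.Body)
	req.Body.Close()
	if err != nil {
		return nil, fmt.Errorf("buffer request body: %w", err)
	}
	req.Body = bodyReader(buf)
	req.GetBody = func() (io.ReadCloser, error) { return bodyReader(buf), nil }
	req.ContentLength = int64(len(buf))
	return buf, nil
}

// drain reads a body to the end; a nil body reads as empty.
func drain(rc io.ReadCloser) (string, error) {
	if rc == nil {
		return "", nil
	}
	defer rc.Close()
	b, err := io.ReadAll(rc)
	return string(b), err
}

// readTwice shows the replay a fallback retry relies on: the primary attempt
// consumes req.Body, then the retry clones the request and rebuilds the body
// from GetBody, which is what net/http itself does when it follows a redirect.
// Without bufferBody the clone would share the already-drained reader.
func readTwice(req *http.Request) (first, retry string, err error) {
	if _, err = bufferBody(req); err != nil {
		return "", "", err
	}
	if first, err = drain(req.Body); err != nil {
		return "", "", err
	}
	clone := req.Clone(req.Context())
	if clone.GetBody != nil { // nil only for no-body requests
		if clone.Body, err = clone.GetBody(); err != nil {
			return "", "", err
		}
	}
	retry, err = drain(clone.Body)
	return first, retry, err
}

func main() {
	// Constructed sample: a token-exchange form posted once and retried once.
	req, err := http.NewRequest(http.MethodPost, "http://core.example/oauth/token",
		strings.NewReader("grant_type=urn:ietf:params:oauth:grant-type:token-exchange"))
	if err != nil {
		panic(err)
	}
	first, retry, err := readTwice(req)
	fmt.Printf("first=%q retry=%q content-length=%d err=%v\n", first, retry, req.ContentLength, err)
}
```

The ContentLength assignment matters as much as GetBody: net/http reports an unknown length for any non-NoBody reader whose ContentLength is zero, so a buffered body must carry its real length or the retry goes out chunked.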
func PostOAuthToken
func PostOAuthToken(ctx context.Context, httpClient *http.Client, coreURL string, form url.Values) (accessToken string, expiresIn int, err error)
PostOAuthToken posts a form-encoded request to coreURL+"/oauth/token" and parses the standard {access_token, expires_in} response. Callers build the form (grant_type, subject_token, audience, etc.) so the helper stays neutral about which OAuth grant is being exercised.
If the form carries client_id (and optionally client_secret), the helper lifts both into an HTTP Basic Authorization header and drops them from the form body. zitadel/oidc's token endpoint reads client credentials only from Basic auth, so a form-only client_id produces invalid_client even when the form is otherwise well-formed. Both values are url.QueryEscaped per RFC 6749 §2.3.1 because pkg/op QueryUnescapes them on the other side; a raw '+' or '%xx' would round-trip to a different value and fail with invalid_client (this matches core/api/token_endpoint.go).
coreURL must already be trimmed of any trailing slash. A non-2xx response is surfaced as *OAuthError; transport and decode failures are wrapped plain errors.
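Both sides of the exchange described above, as an added example rather than this package's code: postOAuthToken is a reduced re-implementation of the documented helper, oauthError stands in for *OAuthError with assumed field names, and fakeTokenEndpoint plus clientFromBasic model the server-side behaviour the page attributes to zitadel/oidc (Basic auth only, each half QueryUnescaped) without being that library's code. The client id, secret and subject token are constructed samples; the secret deliberately contains '+' and '%' so the escaping requirement is visible.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"maps"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"

type oauthError struct { // stands in for *OAuthError; field names are assumed
	Status int
	Body   string
}

func (e *oauthError) Error() string { return fmt.Sprintf("oauth token endpoint: %d: %s", e.Status, e.Body) }

// postOAuthToken is a reduced re-implementation of the documented helper.
// client_id/client_secret leave the form and travel as HTTP Basic auth,
// url.QueryEscaped first (RFC 6749 §2.3.1): the server QueryUnescapes them,
// so a raw '+' would arrive as a space and a raw "%40" as '@'.
func postOAuthToken(ctx context.Context, c *http.Client, coreURL string, form url.Values) (string, int, error) {
	f := maps.Clone(form) // leave the caller's form untouched
	id, secret := f.Get("client_id"), f.Get("client_secret")
	f.Del("client_id")
	f.Del("client_secret")
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, coreURL+"/oauth/token", strings.NewReader(f.Encode()))
	if err != nil {
		return "", 0, fmt.Errorf("build token request: %w", err)
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if id != "" {
		req.SetBasicAuth(url.QueryEscape(id), url.QueryEscape(secret))
	}
	resp, err := c.Do(req)
	if err != nil {
		return "", 0, fmt.Errorf("post token request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		raw, _ := io.ReadAll(io.LimitReader(resp.Body, 4096)) // best-effort diagnostic body
		return "", 0, &oauthError{Status: resp.StatusCode, Body: strings.TrimSpace(string(raw))}
	}
	var tok struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", 0, fmt.Errorf("decode token response: %w", err)
	}
	return tok.AccessToken, tok.ExpiresIn, nil
}

// clientFromBasic models the server-side read the page describes: credentials
// come only from the Basic header, and each half is QueryUnescaped.
func clientFromBasic(r *http.Request) (string, string, bool) {
	rawID, rawSecret, ok := r.BasicAuth()
	id, errID := url.QueryUnescape(rawID)
	secret, errSecret := url.QueryUnescape(rawSecret)
	return id, secret, ok && errID == nil && errSecret == nil
}

// fakeTokenEndpoint is a constructed stand-in for the real /oauth/token: a
// missing or mismatching Basic pair is invalid_client no matter what the form
// says, which is the form-only client_id failure the page warns about.
func fakeTokenEndpoint(wantID, wantSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, secret, ok := clientFromBasic(r); !ok || id != wantID || secret != wantSecret {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"invalid_client"}`)
			return
		}
		fmt.Fprint(w, `{"access_token":"at-123","expires_in":3600}`)
	}))
}

func main() {
	const id, secret = "svc-repoadmin", "p+ss%40word" // constructed sample credentials
	srv := fakeTokenEndpoint(id, secret)
	defer srv.Close()
	form := url.Values{
		"grant_type":    {grantTypeTokenExchange},
		"subject_token": {"eyJ.constructed.sample"},
		"client_id":     {id},
		"client_secret": {secret},
	}
	tok, ttl, err := postOAuthToken(context.Background(), srv.Client(), srv.URL, form)
	fmt.Println("escaped Basic auth:", tok, ttl, err)
	raw, _ := http.NewRequest(http.MethodPost, srv.URL+"/oauth/token", nil)
	raw.SetBasicAuth(id, secret) // unescaped: the mistake the helper avoids
	_, got, _ := clientFromBasic(raw)
	fmt.Printf("server decodes the unescaped secret as %q, not %q\n", got, secret)
}
```

Escaping also keeps a ':' inside a secret from splitting the user:password pair when the server parses the Basic header, which is a second way an unescaped value fails with invalid_client.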
Types
type OAuthError
OAuthError is returned by PostOAuthToken when the OAuth endpoint responds with a non-2xx status. Callers can errors.As it to surface status-specific UX (e.g. a friendly 403 message).
func (*OAuthError) Error
func (e *OAuthError) Error() string