add client credential flow

[nkreiger]

Summary

This PR adds client credentials as a supported OIDC Auth Flow Provider.

Closes #1619

Release Note

Adds a new oauthflow type, client_credentials that can be used by the consumers of the sigstore package

Documentation

The change in the cosign CLI probably would? Let me know on this.

[haydentherapper]

Overall LGTM - Have you been added to add this to a fork of Cosign to confirm this works for a private OIDC provider?

[nkreiger]

Overall LGTM - Have you been added to add this to a fork of Cosign to confirm this works for a private OIDC provider?

@haydentherapper I have! And I've been testing it live since Friday. Working as expected

[nkreiger]

@haydentherapper is there something I'm missing for the unit tests? I checked the tests I added locally and they are working

[haydentherapper]

There’s a lint failure.

[nkreiger]

@haydentherapper all issues resolved 👍 thanks!

[haydentherapper]

Do you know if https://pkg.go.dev/golang.org/x/oauth2/clientcredentials could be used to simplify some of the code here?

[nkreiger]

Do you know if https://pkg.go.dev/golang.org/x/oauth2/clientcredentials could be used to simplify some of the code here?

@haydentherapper it would really just replace this portion:

resp, err := http.PostForm(codeURL, data)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s: %s", resp.Status, b)
	}

	tr := tokenResp{}
	if err := json.Unmarshal(b, &tr); err != nil {
		return "", err
	}

This is lined up to match the code for the other flows, so is shares the same test structure and consistency.

I think we could utilize the OAuth package overall across to simplify some of the code, but it should probably be used for all the flows I would think to keep that consistency? Thoughts?

[haydentherapper]

It's not a blocker for the PR, I agree that cleaning up all of the existing flows at once would be best.

[nkreiger]

@haydentherapper I can also make the change on the cosign side, what is the process for that? This is merged in and a new release is cut?

[haydentherapper]

Yea, I'll wait ~24 hours to see if there's any other comments from other maintainers, then merge and cut a release. Feel free to put up a draft PR for Cosign replacing sigstore/sigstore with a fork in go.mod in the meantime.