Passthrough token request

.editorconfig

@@ -0,0 +1,2 @@
+[*.go]
+end_of_line = crlf

manage/manager.go

@@ -214,7 +214,7 @@ func (m *Manager) GenerateAuthToken(ctx context.Context, rt oauth2.ResponseType,
 	}
 	return ti, nil
 }
-
+ 
 // get authorization code data
 func (m *Manager) getAuthorizationCode(ctx context.Context, code string) (oauth2.TokenInfo, error) {
 	ti, err := m.tokenStore.GetByCode(ctx, code)

server/handler.go

@@ -16,7 +16,7 @@ type (
 	ClientAuthorizedHandler func(clientID string, grant oauth2.GrantType) (allowed bool, err error)
 
 	// ClientScopeHandler check the client allows to use scope
-	ClientScopeHandler func(clientID, scope string) (allowed bool, err error)
+	ClientScopeHandler func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error)
 
 	// UserAuthorizationHandler get user id from request authorization
 	UserAuthorizationHandler func(w http.ResponseWriter, r *http.Request) (userID string, err error)
@@ -25,7 +25,7 @@ type (
 	PasswordAuthorizationHandler func(username, password string) (userID string, err error)
 
 	// RefreshingScopeHandler check the scope of the refreshing token
-	RefreshingScopeHandler func(newScope, oldScope string) (allowed bool, err error)
+	RefreshingScopeHandler func(tgr *oauth2.TokenGenerateRequest, oldScope string) (allowed bool, err error)
 
 	// ResponseErrorHandler response error handing
 	ResponseErrorHandler func(re *errors.Response)

server/server.go

@@ -182,24 +182,25 @@ func (s *Server) GetAuthorizeToken(ctx context.Context, req *AuthorizeRequest) (
 		}
 	}
 
+	tgr := &oauth2.TokenGenerateRequest{
+		ClientID:       req.ClientID,
+		UserID:         req.UserID,
+		RedirectURI:    req.RedirectURI,
+		Scope:          req.Scope,
+		AccessTokenExp: req.AccessTokenExp,
+		Request:        req.Request,
+	}
+
 	// check the client allows the authorized scope
 	if fn := s.ClientScopeHandler; fn != nil {
-		allowed, err := fn(req.ClientID, req.Scope)
+		allowed, err := fn(tgr)
 		if err != nil {
 			return nil, err
 		} else if !allowed {
 			return nil, errors.ErrInvalidScope
 		}
 	}
 
-	tgr := &oauth2.TokenGenerateRequest{
-		ClientID:       req.ClientID,
-		UserID:         req.UserID,
-		RedirectURI:    req.RedirectURI,
-		Scope:          req.Scope,
-		AccessTokenExp: req.AccessTokenExp,
-		Request:        req.Request,
-	}
 	return s.Manager.GenerateAuthToken(ctx, req.ResponseType, tgr)
 }
 
@@ -365,7 +366,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o
 		return ti, nil
 	case oauth2.PasswordCredentials, oauth2.ClientCredentials:
 		if fn := s.ClientScopeHandler; fn != nil {
-			allowed, err := fn(tgr.ClientID, tgr.Scope)
+			allowed, err := fn(tgr)
 			if err != nil {
 				return nil, err
 			} else if !allowed {
@@ -375,7 +376,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o
 		return s.Manager.GenerateAccessToken(ctx, gt, tgr)
 	case oauth2.Refreshing:
 		// check scope
-		if scope, scopeFn := tgr.Scope, s.RefreshingScopeHandler; scope != "" && scopeFn != nil {
+		if scopeFn := s.RefreshingScopeHandler; tgr.Scope != "" && scopeFn != nil {
 			rti, err := s.Manager.LoadRefreshToken(ctx, tgr.Refresh)
 			if err != nil {
 				if err == errors.ErrInvalidRefreshToken || err == errors.ErrExpiredRefreshToken {
@@ -384,7 +385,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o
 				return nil, err
 			}
 
-			allowed, err := scopeFn(scope, rti.GetScope())
+			allowed, err := scopeFn(tgr, rti.GetScope())
 			if err != nil {
 				return nil, err
 			} else if !allowed {