Allow to override the http.Client for RequestToken and AccessToken

[fdcds]

Before, the http.DefaultClient was always used. This is e.g. not
sufficient, if the server being authenticated against uses TLS
certificates signed by a custom root CA. In this case, a custom
http.Client needs to be passed.

To avoid passing arbitrary hidden objects through the context,
as can be seen sometimes in similar situations, the client
is passed through the Config struct instead.

[dghubble]

Thanks, but no thanks.

I've never liked how oauth2 uses the context for a client and I also wouldn't change the API for a case like this. If you have this situation, it's probably best you handle it on your own.

[fdcds]

I've never liked how oauth2 uses the context for a client and I also wouldn't change the API for a case like this. If you have this situation, it's probably best you handle it on your own.

I agree with you that the way oauth2 passes a http.Client through the context does not spark much joy, to put it mildly. Do you have a suggestion how to do it better that would be acceptable to you? AFAIK the general recommendation is also to not use the http.DefaultClient, so that option also seems not a good solution either.

[dghubble]

A more ordinary approach is just setting a Client as a Config field and continue defaulting to http.DefaultClient on use. Or just do any approach on your own, where there is no need for compatibility and I'll call this out of scope.

[fdcds]

A more ordinary approach is just setting a Client as a Config field and continue defaulting to http.DefaultClient on use.

Thanks. I implemented that in 37256b9.

Or just do any approach on your own, where there is no need for compatibility and I'll call this out of scope.

That would mean having to fork this fine library, which would be unfortunate. I would rather prefer to find a solution that is sound from an engineering point of view and merge it into your library.