internal: recognize Salesforce and Okta domains as broken providers

Fixes golang/oauth2#166

Change-Id: Ib3854db4a28a596af3565a84843fc0fa66709193
Reviewed-on: https://go-review.googlesource.com/38376
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>

internal/token.go

@@ -122,6 +122,13 @@ var brokenAuthHeaderProviders = []string{
 	"https://sandbox.codeswholesale.com/oauth/token",
 }
 
+// brokenAuthHeaderDomains lists broken providers that issue dynamic endpoints.
+var brokenAuthHeaderDomains = []string{
+	".force.com",
+	".okta.com",
+	".oktapreview.com",
+}
+
 func RegisterBrokenAuthHeaderProvider(tokenURL string) {
 	brokenAuthHeaderProviders = append(brokenAuthHeaderProviders, tokenURL)
 }
@@ -142,6 +149,14 @@ func providerAuthHeaderWorks(tokenURL string) bool {
 		}
 	}
 
+	if u, err := url.Parse(tokenURL); err == nil {
+		for _, s := range brokenAuthHeaderDomains {
+			if strings.HasSuffix(u.Host, s) {
+				return false
+			}
+		}
+	}
+
 	// Assume the provider implements the spec properly
 	// otherwise. We can add more exceptions as they're
 	// discovered. We will _not_ be adding configurable hooks

internal/token_test.go

@@ -58,3 +58,24 @@ func Test_providerAuthHeaderWorks(t *testing.T) {
 		t.Errorf("got %q as unbroken; want broken", p)
 	}
 }
+
+func TestProviderAuthHeaderWorksDomain(t *testing.T) {
+	tests := []struct {
+		tokenURL  string
+		wantWorks bool
+	}{
+		{"https://dev-12345.okta.com/token-url", false},
+		{"https://dev-12345.oktapreview.com/token-url", false},
+		{"https://dev-12345.okta.org/token-url", true},
+		{"https://foo.bar.force.com/token-url", false},
+		{"https://foo.force.com/token-url", false},
+		{"https://force.com/token-url", true},
+	}
+
+	for _, test := range tests {
+		got := providerAuthHeaderWorks(test.tokenURL)
+		if got != test.wantWorks {
+			t.Errorf("providerAuthHeaderWorks(%q) = %v; want %v", test.tokenURL, got, test.wantWorks)
+		}
+	}
+}