From be6c76eab7da862793ba8be7df679a2db4a20680 Mon Sep 17 00:00:00 2001
From: "red-hat-konflux[bot]"
 <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Date: Fri, 16 Jan 2026 00:30:29 +0000
Subject: [PATCH] NO-ISSUE: Update module github.com/openshift/golang-oauth2 to
 v0.28.0

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
---
 go.mod                               | 2 +-
 go.sum                               | 4 ++--
 vendor/golang.org/x/oauth2/oauth2.go | 8 ++++++--
 vendor/golang.org/x/oauth2/pkce.go   | 4 ++--
 vendor/modules.txt                   | 6 +++---
 5 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index fb2efbe2a..3cf5ef695 100644
--- a/go.mod
+++ b/go.mod
@@ -146,7 +146,7 @@ replace (
 	github.com/openshift/cluster-api-provider-agent/api => ./api
 	// CVE-2025-22868
 	// This is from tag v0.26.openshift.1
-	golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d
+	golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.28.0
 
 	sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.11.0
 )
diff --git a/go.sum b/go.sum
index fc7dd86ab..f1b96979d 100644
--- a/go.sum
+++ b/go.sum
@@ -367,8 +367,8 @@ github.com/openshift/assisted-service/models v0.0.0-20251208131030-ae39457e926d
 github.com/openshift/assisted-service/models v0.0.0-20251208131030-ae39457e926d/go.mod h1:5EkIueBSaLnt64HR8drgSewdm+GeuE7W5mr9pa2JXXk=
 github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87 h1:cHyxR+Y8rAMT6m1jQCaYGRwikqahI0OjjUDhFNf3ySQ=
 github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA=
-github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d h1:iQfTKBmMcwFTxxVWV7U/C6GqgIIWTKD8l5HXslvn53s=
-github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+github.com/openshift/golang-oauth2 v0.28.0 h1:3lcktQl0+nplVotPrWVK6m24GJZyx+Ls2oE+fJ+3PPM=
+github.com/openshift/golang-oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 github.com/openshift/hive/apis v0.0.0-20251208194543-6648a44ea777 h1:mjG8tiJ19KKZ9IltJI7eqI9Cab7l94rFNQlyh9UW3qc=
 github.com/openshift/hive/apis v0.0.0-20251208194543-6648a44ea777/go.mod h1:zvKBte4Ji2mDrqSMhxD61kT4dL0v0SDonqIeKqSlqyw=
 github.com/pin/tftp v2.1.0+incompatible/go.mod h1:xVpZOMCXTy+A5QMjEVN0Glwa1sUvaJhFXbr/aAxuxGY=
diff --git a/vendor/golang.org/x/oauth2/oauth2.go b/vendor/golang.org/x/oauth2/oauth2.go
index 74f052aa9..eacdd7fd9 100644
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -288,7 +288,7 @@ func (tf *tokenRefresher) Token() (*Token, error) {
 	if tf.refreshToken != tk.RefreshToken {
 		tf.refreshToken = tk.RefreshToken
 	}
-	return tk, err
+	return tk, nil
 }
 
 // reuseTokenSource is a TokenSource that holds a single token in memory
@@ -356,11 +356,15 @@ func NewClient(ctx context.Context, src TokenSource) *http.Client {
 	if src == nil {
 		return internal.ContextClient(ctx)
 	}
+	cc := internal.ContextClient(ctx)
 	return &http.Client{
 		Transport: &Transport{
-			Base:   internal.ContextClient(ctx).Transport,
+			Base:   cc.Transport,
 			Source: ReuseTokenSource(nil, src),
 		},
+		CheckRedirect: cc.CheckRedirect,
+		Jar:           cc.Jar,
+		Timeout:       cc.Timeout,
 	}
 }
 
diff --git a/vendor/golang.org/x/oauth2/pkce.go b/vendor/golang.org/x/oauth2/pkce.go
index 50593b6df..6a95da975 100644
--- a/vendor/golang.org/x/oauth2/pkce.go
+++ b/vendor/golang.org/x/oauth2/pkce.go
@@ -21,7 +21,7 @@ const (
 //
 // A fresh verifier should be generated for each authorization.
 // S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL
-// (or Config.DeviceAccess) and VerifierOption(verifier) to Config.Exchange
+// (or Config.DeviceAuth) and VerifierOption(verifier) to Config.Exchange
 // (or Config.DeviceAccessToken).
 func GenerateVerifier() string {
 	// "RECOMMENDED that the output of a suitable random number generator be
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 }
 
 // S256ChallengeOption derives a PKCE code challenge derived from verifier with
-// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAccess
+// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAuth
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
 	return challengeOption{
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 60b96799f..2c4740938 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -377,8 +377,8 @@ golang.org/x/net/http2
 golang.org/x/net/http2/hpack
 golang.org/x/net/idna
 golang.org/x/net/internal/httpcommon
-# golang.org/x/oauth2 v0.33.0 => github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d
-## explicit; go 1.18
+# golang.org/x/oauth2 v0.33.0 => github.com/openshift/golang-oauth2 v0.28.0
+## explicit; go 1.23.0
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
 # golang.org/x/sync v0.18.0
@@ -1018,5 +1018,5 @@ sigs.k8s.io/yaml
 # github.com/openshift/assisted-service/api => github.com/openshift/assisted-service/api v0.0.0-20251209011235-28a9e58dea34
 # github.com/openshift/assisted-service/models => github.com/openshift/assisted-service/models v0.0.0-20251208131030-ae39457e926d
 # github.com/openshift/cluster-api-provider-agent/api => ./api
-# golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d
+# golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.28.0
 # sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.11.0