boinkor-net / hoopsnake

A not-very-featureful SSH server for initrd that listens on your tailscale network
https://github.com/boinkor-net/hoopsnake
Apache License 2.0

OAuth2: Minting an authkey with a tag it belongs to doesn't work - only child tags #25

Open antifuchs opened 5 months ago

antifuchs commented 5 months ago

Here's a tricky bug: When you assign a tag "tag:hoopsnake" to your OAuth2 client, you cannot mint authkeys for that tag, you must use a child tag. Everything else fails with `requested tags [tag:hoopsnake] are invalid or not permitted`.

As mentioned, you have to use a child tag.

Say you have this tag structure:

    "tagOwners": {
        // hoopsnake for initrd boots:
        "tag:hoopsnake":            ["example@example.com"],
        "tag:hoopsnake-selfhosted": ["tag:hoopsnake"],
        "tag:hoopsnake-remote":     ["tag:hoopsnake"],
        ...
    }

Then you can only request authkeys for tag:hoopsnake-selfhosted or tag:hoopsnake-remote (or both!), but no combination of the two with tag:hoopsnake in it.
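A small policy check, added here as an illustration and not part of hoopsnake or Tailscale: it models the rule reported above (an OAuth client carrying `tag:X` may request only tags whose `tagOwners` entry lists `tag:X`, never `tag:X` itself) so you can see which tags an authkey request will be refused for before deploying. The `TagOwners`, `MintableTags` and `CheckRequest` names and the error wording are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// TagOwners mirrors the "tagOwners" section of a Tailscale ACL policy:
// tag name -> list of owners (user logins or other tags).
type TagOwners map[string][]string

// MintableTags returns the tags an OAuth client holding clientTag can put on
// an authkey, under the behaviour observed in this issue (assumption, not
// Tailscale's own code): only tags that list clientTag as an owner, and never
// clientTag itself.
func MintableTags(owners TagOwners, clientTag string) []string {
	var out []string
	for tag, ownerList := range owners {
		if tag == clientTag {
			continue // the client's own tag is not mintable
		}
		for _, o := range ownerList {
			if o == clientTag {
				out = append(out, tag)
				break
			}
		}
	}
	sort.Strings(out) // map iteration order is random; make output stable
	return out
}

// CheckRequest reports whether every requested tag is mintable; the error
// text imitates the API message quoted in the issue.
func CheckRequest(owners TagOwners, clientTag string, requested []string) error {
	allowed := map[string]bool{}
	for _, t := range MintableTags(owners, clientTag) {
		allowed[t] = true
	}
	var bad []string
	for _, t := range requested {
		if !allowed[t] {
			bad = append(bad, t)
		}
	}
	if len(bad) > 0 {
		return fmt.Errorf("requested tags %v are invalid or not permitted", bad)
	}
	return nil
}

func main() {
	// Constructed policy, copied from the tag structure in this issue.
	owners := TagOwners{
		"tag:hoopsnake":            {"example@example.com"},
		"tag:hoopsnake-selfhosted": {"tag:hoopsnake"},
		"tag:hoopsnake-remote":     {"tag:hoopsnake"},
	}
	fmt.Println(MintableTags(owners, "tag:hoopsnake"))
	fmt.Println(CheckRequest(owners, "tag:hoopsnake", []string{"tag:hoopsnake-selfhosted", "tag:hoopsnake"}))
}
```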

joshpearce commented 5 months ago

Adding a couple of files to highlight the differences in the HTTP requests between a working cURL based script and hoopsnake. I'm using OAuth creds that have device write permissions on a parent tag,

    "tagOwners": {
        "tag:workloads":      ["joshpearce@github"],
        "tag:hoopsnake-init": ["tag:workloads"],
    },

ts-oauth-curl-good.txt ts-oauth-golib-bad.txt

joshpearce commented 5 months ago

Here's a capture from hoopsnake during boot, where it works. ts-oauth-hoopsnake-boot-good.txt