OAuth2: Minting an authkey with a tag it belongs to doesn't work - only child tags

[antifuchs]

Here's a tricky bug: When you assign a tag "tag:hoopsnake" to your OAuth2 client, you can not mint authkeys for that tag, you must use a child tag. Everything else fails with requested tags [tag:hoopsnake] are invalid or not permitted.

As mentioned, you have to use a child tag.

Say you have this tag structure:

        "tagOwners": {
		// hoopsnake for initrd boots:
		"tag:hoopsnake":            ["[email protected]"],
		"tag:hoopsnake-selfhosted": ["tag:hoopsnake"],
		"tag:hoopsnake-remote":     ["tag:hoopsnake"],
        ...
        }

Then you can only request authkeys for tag:hoopsnake-selfhosted or tag:hoopsnake-remote (or both!), but no combination of the two with tag:hoopsnake in it.

[joshpearce]

Adding a couple files to highlight the differences in the HTTP requests between a working cURL based script and hoopsnake. I'm using OAuth creds that have device write permissions on a parent tag,

	"tagOwners": {
		"tag:workloads":      ["joshpearce@github"],
		"tag:hoopsnake-init": ["tag:workloads"],
	},

ts-oauth-curl-good.txt
ts-oauth-golib-bad.txt

[joshpearce]

Here's a capture from hoopsnake during boot, where it works.
ts-oauth-hoopsnake-boot-good.txt