oauth2/jwt.go

// Copyright 2014 The oauth2 Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package oauth2

import (
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
	"time"

	"golang.org/x/oauth2/internal"
	"golang.org/x/oauth2/jws"
)

var (
	defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
	defaultHeader    = &jws.Header{Algorithm: "RS256", Typ: "JWT"}
)

// JWTConfig is the configuration for using JWT to fetch tokens,
// commonly known as "two-legged OAuth".
type JWTConfig struct {
	// Email is the OAuth client identifier used when communicating with
	// the configured OAuth provider.
	Email string

	// PrivateKey contains the contents of an RSA private key or the
	// contents of a PEM file that contains a private key. The provided
	// private key is used to sign JWT payloads.
	// PEM containers with a passphrase are not supported.
	// Use the following command to convert a PKCS 12 file into a PEM.
	//
	//    $ openssl pkcs12 -in key.p12 -out key.pem -nodes
	//
	PrivateKey []byte

	// Subject is the optional user to impersonate.
	Subject string

	// Scopes optionally specifies a list of requested permission scopes.
	Scopes []string

	// TokenURL is the endpoint required to complete the 2-legged JWT flow.
	TokenURL string
}

// TokenSource returns a JWT TokenSource using the configuration
// in c and the HTTP client from the provided context.
func (c *JWTConfig) TokenSource(ctx Context) TokenSource {
	return ReuseTokenSource(nil, jwtSource{ctx, c})
}

// Client returns an HTTP client wrapping the context's
// HTTP transport and adding Authorization headers with tokens
// obtained from c.
//
// The returned client and its Transport should not be modified.
func (c *JWTConfig) Client(ctx Context) *http.Client {
	return NewClient(ctx, c.TokenSource(ctx))
}

// jwtSource is a source that always does a signed JWT request for a token.
// It should typically be wrapped with a reuseTokenSource.
type jwtSource struct {
	ctx  Context
	conf *JWTConfig
}

func (js jwtSource) Token() (*Token, error) {
	pk, err := internal.ParseKey(js.conf.PrivateKey)
	if err != nil {
		return nil, err
	}
	hc, err := contextClient(js.ctx)
	if err != nil {
		return nil, err
	}
	claimSet := &jws.ClaimSet{
		Iss:   js.conf.Email,
		Scope: strings.Join(js.conf.Scopes, " "),
		Aud:   js.conf.TokenURL,
	}
	if subject := js.conf.Subject; subject != "" {
		claimSet.Sub = subject
		// prn is the old name of sub. Keep setting it
		// to be compatible with legacy OAuth 2.0 providers.
		claimSet.Prn = subject
	}
	payload, err := jws.Encode(defaultHeader, claimSet, pk)
	if err != nil {
		return nil, err
	}
	v := url.Values{}
	v.Set("grant_type", defaultGrantType)
	v.Set("assertion", payload)
	resp, err := hc.PostForm(js.conf.TokenURL, v)
	if err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	if c := resp.StatusCode; c < 200 || c > 299 {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
	}
	// tokenRes is the JSON response body.
	var tokenRes struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
		IDToken     string `json:"id_token"`
		ExpiresIn   int64  `json:"expires_in"` // relative seconds from now
	}
	if err := json.Unmarshal(body, &tokenRes); err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	token := &Token{
		AccessToken: tokenRes.AccessToken,
		TokenType:   tokenRes.TokenType,
		raw:         make(map[string]interface{}),
	}
	json.Unmarshal(body, &token.raw) // no error checks for optional fields

	if secs := tokenRes.ExpiresIn; secs > 0 {
		token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
	}
	if v := tokenRes.IDToken; v != "" {
		// decode returned id token to get expiry
		claimSet, err := jws.Decode(v)
		if err != nil {
			return nil, fmt.Errorf("oauth2: error decoding JWT token: %v", err)
		}
		token.Expiry = time.Unix(claimSet.Exp, 0)
	}
	return token, nil
}
Reverting the license back to the original. 2014-05-17 11:26:57 -04:00			`// Copyright 2014 The oauth2 Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`
oauth2: adding license. 2014-05-13 14:06:46 -04:00
Initial commit 2014-05-05 17:54:23 -04:00			`package oauth2`

			`import (`
			`"encoding/json"`
better error handling in JWT fetchtoken 2014-09-01 00:39:59 -04:00			`"fmt"`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`"io"`
better error handling in JWT fetchtoken 2014-09-01 00:39:59 -04:00			`"io/ioutil"`
Initial commit 2014-05-05 17:54:23 -04:00			`"net/http"`
			`"net/url"`
			`"strings"`
			`"time"`

oauth2: rewrite google package, fix the broken build Change-Id: I2753a88d7be483bdbc0cac09a1beccc4806ea4bc Reviewed-on: https://go-review.googlesource.com/1361 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org> 2014-12-11 02:30:13 -05:00			`"golang.org/x/oauth2/internal"`
oauth2: add vanity URL import comments, use the vanity URL on builds Change-Id: Ia20e40d98aa709e3d598388e0a15501584152ab5 2014-11-26 14:44:45 -05:00			`"golang.org/x/oauth2/jws"`
Initial commit 2014-05-05 17:54:23 -04:00			`)`

			`var (`
			`defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"`
			`defaultHeader = &jws.Header{Algorithm: "RS256", Typ: "JWT"}`
			`)`

oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`// JWTConfig is the configuration for using JWT to fetch tokens,`
			`// commonly known as "two-legged OAuth".`
			`type JWTConfig struct {`
			`// Email is the OAuth client identifier used when communicating with`
			`// the configured OAuth provider.`
			`Email string`

			`// PrivateKey contains the contents of an RSA private key or the`
			`// contents of a PEM file that contains a private key. The provided`
			`// private key is used to sign JWT payloads.`
			`// PEM containers with a passphrase are not supported.`
			`// Use the following command to convert a PKCS 12 file into a PEM.`
			`//`
			`// $ openssl pkcs12 -in key.p12 -out key.pem -nodes`
			`//`
oauth2: rewrite google package, fix the broken build Change-Id: I2753a88d7be483bdbc0cac09a1beccc4806ea4bc Reviewed-on: https://go-review.googlesource.com/1361 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org> 2014-12-11 02:30:13 -05:00			`PrivateKey []byte`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00
			`// Subject is the optional user to impersonate.`
			`Subject string`

			`// Scopes optionally specifies a list of requested permission scopes.`
			`Scopes []string`

			`// TokenURL is the endpoint required to complete the 2-legged JWT flow.`
			`TokenURL string`
Initial commit 2014-05-05 17:54:23 -04:00			`}`
oauth2: Allow use of arbitrary RSA private keys to sign JWT token retrieving requests. 2014-08-11 20:54:04 -04:00
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`// TokenSource returns a JWT TokenSource using the configuration`
			`// in c and the HTTP client from the provided context.`
oauth2, oauth2/google: add, use ReuseTokenSource Token caching is now done whenever you make a Client, and ReuseTokenSource is exported from the oauth2 package and used by the Google TokenSources (Compute and App Engine). Token.Expired is now Token.Valid, and works on nil receivers. Some other wording cleanups in the process. All tests pass. App Engine should pass, but is untested. Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311 Reviewed-on: https://go-review.googlesource.com/2195 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-30 16:25:01 -05:00			`func (c *JWTConfig) TokenSource(ctx Context) TokenSource {`
			`return ReuseTokenSource(nil, jwtSource{ctx, c})`
Allow configs to be initialised with zero values for Client and Transport. 2014-09-02 17:06:51 -04:00			`}`

oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`// Client returns an HTTP client wrapping the context's`
			`// HTTP transport and adding Authorization headers with tokens`
			`// obtained from c.`
			`//`
			`// The returned client and its Transport should not be modified.`
oauth2, oauth2/google: add, use ReuseTokenSource Token caching is now done whenever you make a Client, and ReuseTokenSource is exported from the oauth2 package and used by the Google TokenSources (Compute and App Engine). Token.Expired is now Token.Valid, and works on nil receivers. Some other wording cleanups in the process. All tests pass. App Engine should pass, but is untested. Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311 Reviewed-on: https://go-review.googlesource.com/2195 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-30 16:25:01 -05:00			`func (c JWTConfig) Client(ctx Context) http.Client {`
			`return NewClient(ctx, c.TokenSource(ctx))`
Allow configs to be initialised with zero values for Client and Transport. 2014-09-02 17:06:51 -04:00			`}`

oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`// jwtSource is a source that always does a signed JWT request for a token.`
oauth2, oauth2/google: add, use ReuseTokenSource Token caching is now done whenever you make a Client, and ReuseTokenSource is exported from the oauth2 package and used by the Google TokenSources (Compute and App Engine). Token.Expired is now Token.Valid, and works on nil receivers. Some other wording cleanups in the process. All tests pass. App Engine should pass, but is untested. Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311 Reviewed-on: https://go-review.googlesource.com/2195 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-30 16:25:01 -05:00			`// It should typically be wrapped with a reuseTokenSource.`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`type jwtSource struct {`
			`ctx Context`
			`conf *JWTConfig`
			`}`

			`func (js jwtSource) Token() (*Token, error) {`
oauth2: rewrite google package, fix the broken build Change-Id: I2753a88d7be483bdbc0cac09a1beccc4806ea4bc Reviewed-on: https://go-review.googlesource.com/1361 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org> 2014-12-11 02:30:13 -05:00			`pk, err := internal.ParseKey(js.conf.PrivateKey)`
			`if err != nil {`
			`return nil, err`
			`}`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`hc, err := contextClient(js.ctx)`
			`if err != nil {`
			`return nil, err`
			`}`
			`claimSet := &jws.ClaimSet{`
			`Iss: js.conf.Email,`
			`Scope: strings.Join(js.conf.Scopes, " "),`
			`Aud: js.conf.TokenURL,`
			`}`
			`if subject := js.conf.Subject; subject != "" {`
			`claimSet.Sub = subject`
			`// prn is the old name of sub. Keep setting it`
			`// to be compatible with legacy OAuth 2.0 providers.`
			`claimSet.Prn = subject`
			`}`
oauth2: rewrite google package, fix the broken build Change-Id: I2753a88d7be483bdbc0cac09a1beccc4806ea4bc Reviewed-on: https://go-review.googlesource.com/1361 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org> 2014-12-11 02:30:13 -05:00			`payload, err := jws.Encode(defaultHeader, claimSet, pk)`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`if err != nil {`
			`return nil, err`
			`}`
			`v := url.Values{}`
			`v.Set("grant_type", defaultGrantType)`
			`v.Set("assertion", payload)`
			`resp, err := hc.PostForm(js.conf.TokenURL, v)`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)`
			`}`
			`defer resp.Body.Close()`
			`body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))`
			`if err != nil {`
			`return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)`
			`}`
			`if c := resp.StatusCode; c < 200 \|\| c > 299 {`
			`return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)`
			`}`
oauth2: use a JSON struct types instead of empty interface maps Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4 Reviewed-on: https://go-review.googlesource.com/1872 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-19 00:20:30 -05:00			`// tokenRes is the JSON response body.`
			`var tokenRes struct {`
			AccessToken string `json:"access_token"`
			TokenType string `json:"token_type"`
			IDToken string `json:"id_token"`
			ExpiresIn int64 `json:"expires_in"` // relative seconds from now
			`}`
			`if err := json.Unmarshal(body, &tokenRes); err != nil {`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)`
			`}`
oauth2: use a JSON struct types instead of empty interface maps Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4 Reviewed-on: https://go-review.googlesource.com/1872 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-19 00:20:30 -05:00			`token := &Token{`
			`AccessToken: tokenRes.AccessToken,`
			`TokenType: tokenRes.TokenType,`
			`raw: make(map[string]interface{}),`
			`}`
			`json.Unmarshal(body, &token.raw) // no error checks for optional fields`

			`if secs := tokenRes.ExpiresIn; secs > 0 {`
			`token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`}`
oauth2: use a JSON struct types instead of empty interface maps Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4 Reviewed-on: https://go-review.googlesource.com/1872 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-19 00:20:30 -05:00			`if v := tokenRes.IDToken; v != "" {`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`// decode returned id token to get expiry`
oauth2: use a JSON struct types instead of empty interface maps Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4 Reviewed-on: https://go-review.googlesource.com/1872 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-19 00:20:30 -05:00			`claimSet, err := jws.Decode(v)`
Introduce an option function type - Reduce the duplicate code by merging the flows and determining the flow type by looking at the provided options. - Options as a function type allows us to validate an individual an option in its scope and makes it easier to compose the built-in options with the third-party ones. 2014-11-06 19:36:41 -05:00			`if err != nil {`
oauth2: use a JSON struct types instead of empty interface maps Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4 Reviewed-on: https://go-review.googlesource.com/1872 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-19 00:20:30 -05:00			`return nil, fmt.Errorf("oauth2: error decoding JWT token: %v", err)`
Introduce an option function type - Reduce the duplicate code by merging the flows and determining the flow type by looking at the provided options. - Options as a function type allows us to validate an individual an option in its scope and makes it easier to compose the built-in options with the third-party ones. 2014-11-06 19:36:41 -05:00			`}`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`token.Expiry = time.Unix(claimSet.Exp, 0)`
oauth2: Allow use of arbitrary RSA private keys to sign JWT token retrieving requests. 2014-08-11 20:54:04 -04:00			`}`
oauth2: redesign the API Tests and examples aren't updated yet. The tree will be broken after this, but nobody should be using this yet anyway. Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f Reviewed-on: https://go-review.googlesource.com/1246 Reviewed-by: Burcu Dogan <jbd@google.com> 2014-12-09 18:17:33 -05:00			`return token, nil`
oauth2: Allow use of arbitrary RSA private keys to sign JWT token retrieving requests. 2014-08-11 20:54:04 -04:00			`}`