Preston_PLB
/
oauth2
forked from Mirrors/oauth2
1
0
Fork 0
Code Pull Requests Activity

authhandler: Add support for 3-legged-OAuth 

Added authhandler.go, which implements a TokenSource to support "three-legged OAuth 2.0" via a custom AuthorizationHandler.

Added example_test.go with a sample command line implementation for AuthorizationHandler.

This patch adds support for 3-legged-OAuth flow using an OAuth Client ID file downloaded from Google Cloud Console.

Change-Id: Iefe54494d6f3ee326a6b1b2a81a7d5d1a7ba3331
GitHub-Last-Rev: 48fc0367c2
GitHub-Pull-Request: golang/oauth2#419
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/232238
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>
This commit is contained in:
Andy Zhao 2021-03-19 19:10:01 +00:00 committed by Shin Fan
parent cd4f82c27b
commit 22b0adad75
3 changed files with 234 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
authhandler/authhandler.go Normal file
View File

@ -0,0 +1,56 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package authhandler implements a TokenSource to support
// "three-legged OAuth 2.0" via a custom AuthorizationHandler.
package authhandler
import (
"context"
"errors"
"golang.org/x/oauth2"
)
// AuthorizationHandler is a 3-legged-OAuth helper that prompts
// the user for OAuth consent at the specified auth code URL
// and returns an auth code and state upon approval.
type AuthorizationHandler func(authCodeURL string) (code string, state string, err error)
// TokenSource returns an oauth2.TokenSource that fetches access tokens
// using 3-legged-OAuth flow.
//
// The provided context.Context is used for oauth2 Exchange operation.
//
// The provided oauth2.Config should be a full configuration containing AuthURL,
// TokenURL, and Scope.
//
// An environment-specific AuthorizationHandler is used to obtain user consent.
//
// Per the OAuth protocol, a unique "state" string should be specified here.
// This token source will verify that the "state" is identical in the request
// and response before exchanging the auth code for OAuth token to prevent CSRF
// attacks.
func TokenSource(ctx context.Context, config *oauth2.Config, state string, authHandler AuthorizationHandler) oauth2.TokenSource {
return oauth2.ReuseTokenSource(nil, authHandlerSource{config: config, ctx: ctx, authHandler: authHandler, state: state})
}
type authHandlerSource struct {
ctx context.Context
config *oauth2.Config
authHandler AuthorizationHandler
state string
}
func (source authHandlerSource) Token() (*oauth2.Token, error) {
url := source.config.AuthCodeURL(source.state)
code, state, err := source.authHandler(url)
if err != nil {
return nil, err
}
if state != source.state {
return nil, errors.New("state mismatch in 3-legged-OAuth flow")
}
return source.config.Exchange(source.ctx, code)
}

99
authhandler/authhandler_test.go Normal file
View File

@ -0,0 +1,99 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package authhandler
import (
"context"
"fmt"
"net/http"
"net/http/httptest"
"testing"
"golang.org/x/oauth2"
)
func TestTokenExchange_Success(t *testing.T) {
authhandler := func(authCodeURL string) (string, string, error) {
if authCodeURL == "testAuthCodeURL?client_id=testClientID&response_type=code&scope=pubsub&state=testState" {
return "testCode", "testState", nil
}
return "", "", fmt.Errorf("invalid authCodeURL: %q", authCodeURL)
}
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
if r.Form.Get("code") == "testCode" {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{
"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",
"scope": "pubsub",
"token_type": "bearer",
"expires_in": 3600
}`))
}
}))
defer ts.Close()
conf := &oauth2.Config{
ClientID: "testClientID",
Scopes: []string{"pubsub"},
Endpoint: oauth2.Endpoint{
AuthURL: "testAuthCodeURL",
TokenURL: ts.URL,
},
}
tok, err := TokenSource(context.Background(), conf, "testState", authhandler).Token()
if err != nil {
t.Fatal(err)
}
if !tok.Valid() {
t.Errorf("got invalid token: %v", tok)
}
if got, want := tok.AccessToken, "90d64460d14870c08c81352a05dedd3465940a7c"; got != want {
t.Errorf("access token = %q; want %q", got, want)
}
if got, want := tok.TokenType, "bearer"; got != want {
t.Errorf("token type = %q; want %q", got, want)
}
if got := tok.Expiry.IsZero(); got {
t.Errorf("token expiry is zero = %v, want false", got)
}
scope := tok.Extra("scope")
if got, want := scope, "pubsub"; got != want {
t.Errorf("scope = %q; want %q", got, want)
}
}
func TestTokenExchange_StateMismatch(t *testing.T) {
authhandler := func(authCodeURL string) (string, string, error) {
return "testCode", "testStateMismatch", nil
}
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{
"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",
"scope": "pubsub",
"token_type": "bearer",
"expires_in": 3600
}`))
}))
defer ts.Close()
conf := &oauth2.Config{
ClientID: "testClientID",
Scopes: []string{"pubsub"},
Endpoint: oauth2.Endpoint{
AuthURL: "testAuthCodeURL",
TokenURL: ts.URL,
},
}
_, err := TokenSource(context.Background(), conf, "testState", authhandler).Token()
if want_err := "state mismatch in 3-legged-OAuth flow"; err == nil || err.Error() != want_err {
t.Errorf("err = %q; want %q", err, want_err)
}
}

79
authhandler/example_test.go Normal file
View File

@ -0,0 +1,79 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package authhandler_test
import (
"context"
"fmt"
"net/http"
"net/http/httptest"
"golang.org/x/oauth2"
"golang.org/x/oauth2/authhandler"
)
// CmdAuthorizationHandler returns a command line auth handler that prints
// the auth URL to the console and prompts the user to authorize in the
// browser and paste the auth code back via stdin.
//
// Per the OAuth protocol, a unique "state" string should be specified here.
// The authhandler token source will verify that the "state" is identical in
// the request and response before exchanging the auth code for OAuth token to
// prevent CSRF attacks.
//
// For convenience, this handler returns a pre-configured state instead of
// asking the user to additionally paste the state from the auth response.
// In order for this to work, the state configured here must match the state
// used in authCodeURL.
func CmdAuthorizationHandler(state string) authhandler.AuthorizationHandler {
return func(authCodeURL string) (string, string, error) {
fmt.Printf("Go to the following link in your browser:\n\n %s\n\n", authCodeURL)
fmt.Println("Enter authorization code:")
var code string
fmt.Scanln(&code)
return code, state, nil
}
}
func Example() {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{
"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",
"scope": "pubsub",
"token_type": "bearer",
"expires_in": 3600
}`))
}))
defer ts.Close()
ctx := context.Background()
conf := &oauth2.Config{
ClientID: "testClientID",
Scopes: []string{"pubsub"},
Endpoint: oauth2.Endpoint{
AuthURL: "testAuthCodeURL",
TokenURL: ts.URL,
},
}
state := "unique_state"
token, err := authhandler.TokenSource(ctx, conf, state, CmdAuthorizationHandler(state)).Token()
if err != nil {
fmt.Println(err)
}
fmt.Printf("AccessToken: %s", token.AccessToken)
// Output:
// Go to the following link in your browser:
//
// testAuthCodeURL?client_id=testClientID&response_type=code&scope=pubsub&state=unique_state
//
// Enter authorization code:
// AccessToken: 90d64460d14870c08c81352a05dedd3465940a7c
}