From 885f294722cab86dbe73633465663b9a43e3ba78 Mon Sep 17 00:00:00 2001 From: Andy Zhao Date: Thu, 2 Mar 2023 17:40:29 +0000 Subject: [PATCH] google: Add support for OAuth2 token exchange over mTLS With Context Aware Access enabled, users must use the endpoint "https://oauth2.mtls.googleapis.com/token" for token exchange. This PR adds support for runtime configuration of the OAuth2 token endpoint (as determined by the caller). If using the mTLS oauth2 endpoint, the caller will also need to specify an mTLS-enabled HTTPClient via the "context" mechanism for use by the OAuth2 transport. Change-Id: Ic83342ec1d224d3acdabf00d863249330424fc54 GitHub-Last-Rev: 07e4849e96a72028a8d6ff99b228846902f5bea6 GitHub-Pull-Request: golang/oauth2#630 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/470396 Run-TryBot: Matthew Hickford Reviewed-by: Shin Fan Run-TryBot: Shin Fan Reviewed-by: Matthew Hickford Reviewed-by: Andy Zhao TryBot-Result: Gopher Robot --- google/default.go | 4 ++++ google/google.go | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/google/default.go b/google/default.go index a144d78..db6b19e 100644 --- a/google/default.go +++ b/google/default.go @@ -62,6 +62,10 @@ type CredentialsParams struct { // PKCE is used to support PKCE flow. Optional for 3LO flow. PKCE *authhandler.PKCEParams + + // The OAuth2 TokenURL default override. This value overrides the default TokenURL, + // unless explicitly specified by the credentials config file. Optional. + TokenURL string } func (params CredentialsParams) deepCopy() CredentialsParams { diff --git a/google/google.go b/google/google.go index 8df0c49..a1b629a 100644 --- a/google/google.go +++ b/google/google.go @@ -26,6 +26,9 @@ var Endpoint = oauth2.Endpoint{ AuthStyle: oauth2.AuthStyleInParams, } +// MTLSTokenURL is Google's OAuth 2.0 default mTLS endpoint. +const MTLSTokenURL = "https://oauth2.mtls.googleapis.com/token" + // JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow. const JWTTokenURL = "https://oauth2.googleapis.com/token" @@ -172,7 +175,11 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar cfg.Endpoint.AuthURL = Endpoint.AuthURL } if cfg.Endpoint.TokenURL == "" { - cfg.Endpoint.TokenURL = Endpoint.TokenURL + if params.TokenURL != "" { + cfg.Endpoint.TokenURL = params.TokenURL + } else { + cfg.Endpoint.TokenURL = Endpoint.TokenURL + } } tok := &oauth2.Token{RefreshToken: f.RefreshToken} return cfg.TokenSource(ctx, tok), nil