In 80673b4a4 (https://go.dev/cl/157820) I added a never-shrinking
package-global cache to remember which auto-detected auth style (HTTP
headers vs POST) was supported by a certain OAuth2 server, keyed by
its URL.
Unfortunately, some multi-tenant SaaS OIDC servers behave poorly and
have one global OpenID configuration document for all of their
customers which says ("we support all auth styles! you pick!") but
then give each customer control of which style they specifically
accept. This is bogus behavior on their part, but the oauth2 package's
global caching per URL isn't helping. (It's also bad to have a
package-global cache that can never be GC'ed)
So, this change moves the cache to hang off the oauth *Configs
instead. Unfortunately, it does so with some backwards compatiblity
compromises (an atomic.Value hack), lest people are using old versions
of Go still or copying a Config by value, both of which this package
previously accidentally supported, even though they weren't tested.
This change also means that anybody that's repeatedly making ephemeral
oauth.Configs without an explicit auth style will be losing &
reinitializing their cache on any auth style failures + fallbacks to
the other style. I think that should be pretty rare. People seem to
make an oauth2.Config once earlier and stash it away somewhere (often
deep in a token fetcher or HTTP client/transport).
Change-Id: I91f107368ab3c3d77bc425eeef65372a589feb7b
Signed-off-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/515675
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Adrian Dewhurst <adrian@tailscale.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
This behavior and test was introduced in 0ae3d4edc9.
It is not consistent with the other test introduced in the same commit,
where an incorrectly typed access_token does produce an error. Since a
*Token with a blank AccessToken is invalid, it is allowing an invalid
token to be returned without error.
Cleans up some tests responding with invalid data.
Change-Id: I777eb7a82ef598dc9042542ae65f8dce6768902e
Reviewed-on: https://go-review.googlesource.com/85659
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Go 1.10 no longer sets implicit Content-Type on empty output.
Updates golang/go#20784
Change-Id: I3f13f76b94b58869481218ea2e1805f5f4175fd7
Reviewed-on: https://go-review.googlesource.com/82017
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Currently the HTTP request does not set the given context.
This change sets the context (if not nil) on the request.
Change-Id: I4bb21636d05050a68ba70ce92f9bf9ba608fbfad
Reviewed-on: https://go-review.googlesource.com/45370
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Creates a new package called clientcredentials and
adds transport and token information to the internal
package. Also modifies the oauth2 package to make
use of the newly added files in the internal package.
The clientcredentials package allows for token requests
using a "client credentials" grant type.
Fixes https://github.com/golang/oauth2/issues/7
Change-Id: Iec649d1029870c27a2d1023baa9d52db42ff45e8
Reviewed-on: https://go-review.googlesource.com/2983
Reviewed-by: Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Brad Fitzpatrick
Antoine GIRARD
Ross Light
Tim Cooper
Bastian Ike
Eric Chiang
Jaana Burcu Dogan
Andrew Gerrand
Aaron Torres