Commit Graph

52 Commits

Author SHA1 Message Date
Brad Fitzpatrick a835fc4358 oauth2: move global auth style cache to be per-Config
In 80673b4a4 (https://go.dev/cl/157820) I added a never-shrinking
package-global cache to remember which auto-detected auth style (HTTP
headers vs POST) was supported by a certain OAuth2 server, keyed by
its URL.

Unfortunately, some multi-tenant SaaS OIDC servers behave poorly and
have one global OpenID configuration document for all of their
customers which says ("we support all auth styles! you pick!") but
then give each customer control of which style they specifically
accept. This is bogus behavior on their part, but the oauth2 package's
global caching per URL isn't helping. (It's also bad to have a
package-global cache that can never be GC'ed)

So, this change moves the cache to hang off the oauth *Configs
instead. Unfortunately, it does so with some backwards compatiblity
compromises (an atomic.Value hack), lest people are using old versions
of Go still or copying a Config by value, both of which this package
previously accidentally supported, even though they weren't tested.

This change also means that anybody that's repeatedly making ephemeral
oauth.Configs without an explicit auth style will be losing &
reinitializing their cache on any auth style failures + fallbacks to
the other style. I think that should be pretty rare. People seem to
make an oauth2.Config once earlier and stash it away somewhere (often
deep in a token fetcher or HTTP client/transport).

Change-Id: I91f107368ab3c3d77bc425eeef65372a589feb7b
Signed-off-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/515675
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Adrian Dewhurst <adrian@tailscale.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
2023-08-09 17:53:10 +00:00
M Hickford cfe200d5bb oauth2: parse RFC 6749 error response
Parse error response described in https://datatracker.ietf.org/doc/html/rfc6749#section-5.2

Handle unorthodox servers responding 200 in error case.

Implements API changes in accepted proposal https://github.com/golang/go/issues/58125

Fixes #441
Fixes #274
Updates #173

Change-Id: If9399c3f952ac0501edbeefeb3a71ed057ca8d37
GitHub-Last-Rev: 0030e27422
GitHub-Pull-Request: golang/oauth2#610
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/451076
Run-TryBot: Matt Hickford <matt.hickford@gmail.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Matt Hickford <matt.hickford@gmail.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2023-04-11 16:15:57 +00:00
Bobby DeSimone aaccbc9213 google: update ApprovalForce to use openid connect friendly prompt=consent
It looks like in 2016 or so` approval_prompt=force` was replaced with the open id connect friendly `prompt=consent`.

See:
- https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- https://developers.google.com/identity/sign-in/web/reference#gapiauth2offlineaccessoptions
- https://github.com/googleapis/oauth2client/issues/453
- https://github.com/pomerium/pomerium/pull/82

Change-Id: Iad2d533f451a70b2941aafd11c9b7272026a2f16
GitHub-Last-Rev: d6d10ceec8
GitHub-Pull-Request: golang/oauth2#379
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/171123
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-05-23 18:27:46 +00:00
Ggicci c85d3e98c9 internal: remove fallback parsing for expires_in
Facebook has correctted its OAuth2 implementation. The code as
a fallback can be removed now.

Updates golang/oauth2#51, golang/oauth2#239

Change-Id: Ib5f84bc35c0c4ecbdd25d4169f950410d4ae79a2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/168017
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: JBD <jbd@google.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-03-19 18:23:50 +00:00
Brad Fitzpatrick 3e8b2be136 internal: tolerate malformed expires_in values more
Fixes golang/oauth2#239

Change-Id: Id3fdfbfb64bc1a12ab0e952e83ae444b50de1bb5
Reviewed-on: https://go-review.googlesource.com/c/161964
Reviewed-by: Ross Light <light@google.com>
Run-TryBot: Ross Light <light@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-02-12 23:04:46 +00:00
Brad Fitzpatrick 80673b4a4b oauth2: auto-detect auth style by default, add Endpoint.AuthStyle
Instead of maintaining a global map of which OAuth2 servers do which
auth style and/or requiring the user to tell us, just try both ways
and remember which way worked. But if users want to tell us in the
Endpoint, this CL also add Endpoint.AuthStyle.

Fixes golang/oauth2#111
Fixes golang/oauth2#365
Fixes golang/oauth2#362
Fixes golang/oauth2#357
Fixes golang/oauth2#353
Fixes golang/oauth2#345
Fixes golang/oauth2#326
Fixes golang/oauth2#352
Fixes golang/oauth2#268
Fixes https://go-review.googlesource.com/c/oauth2/+/58510
(... and surely many more ...)

Change-Id: I7b4d98ba1900ee2d3e11e629316b0bf867f7d237
Reviewed-on: https://go-review.googlesource.com/c/157820
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ross Light <light@google.com>
2019-02-11 18:49:51 +00:00
Antoine GIRARD c453e0c757 all: use stdlib context instead of x/net/context
This PR replaces use of `x/net/context` with the standard `context`

It has been nearly 6 months since
https://github.com/golang/oauth2/issues/246#issuecomment-387601277 so
I made this PR so it will be ready to merge when needed (and if
possible).

Fixes #246

Change-Id: Id2c316fcb27de0fb9163ceb4e8669b04cb39a987
GitHub-Last-Rev: 5b36321dcc
GitHub-Pull-Request: golang/oauth2#339
Reviewed-on: https://go-review.googlesource.com/c/145202
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-11-01 16:01:52 +00:00
Guillaume J. Charmes 088f8e1d43 oauth2: Add support for custom params in Exchange
Allows implementation of PKCE https://www.oauth.com/oauth2-servers/pkce/
for secure code exchange.

Fixes golang/oauth2#286

Change-Id: I07b6fefe6834a2406e8ca2fcbf118d38fc4875d1
GitHub-Last-Rev: 31c5ccbed3
GitHub-Pull-Request: golang/oauth2#285
Reviewed-on: https://go-review.googlesource.com/111515
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-06-19 21:35:08 +00:00
Ross Light ee2bad97a9 internal: return error if no access_token present in server response
This behavior and test was introduced in 0ae3d4edc9.
It is not consistent with the other test introduced in the same commit,
where an incorrectly typed access_token does produce an error.  Since a
*Token with a blank AccessToken is invalid, it is allowing an invalid
token to be returned without error.

Cleans up some tests responding with invalid data.

Change-Id: I777eb7a82ef598dc9042542ae65f8dce6768902e
Reviewed-on: https://go-review.googlesource.com/85659
Reviewed-by: Andrew Bonventre <andybons@golang.org>
2018-01-03 00:38:26 +00:00
Ross Light 542ae755da oauth2: don't use tokenRefresher directly in tests
This changes the test to use the exported API instead of implementation
internals.

Change-Id: I07753b053c1a2a8eb027bed647ab921d95afda4e
Reviewed-on: https://go-review.googlesource.com/85658
Reviewed-by: Andrew Bonventre <andybons@golang.org>
2018-01-03 00:37:46 +00:00
Tim Cooper 0448841f0c oauth2: add error type for unsuccessful token endpoint status
Allows the HTTP response and body to be extracted without parsing
the error string, but keeps backwards compatibility for users who
are currently doing so.

Fixes golang/oauth2#173

Change-Id: Id7709da827a155299b047f0bcb74aa8f91b01e96
Reviewed-on: https://go-review.googlesource.com/84156
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-19 02:07:21 +00:00
Aeneas Rekkas (arekkas) 13449ad91c internal: urlencode client id and secret in header
As per https://tools.ietf.org/html/rfc6749#section-2.3.1 client IDs and secrets must be urlencoded in the authorization header. This patch addresses this by wrapping clientID and clientSecret with url.QueryEscape. A dedicated test for unsafe-url client IDs and secrets has been added as well.

Closes #237

Change-Id: I1f277b52caef4932e14147be8fb1712203da51d0
Reviewed-on: https://go-review.googlesource.com/46473
Reviewed-by: JBD <jbd@google.com>
2017-09-12 21:29:05 +00:00
Ross Light f047394b6d oauth2: add test for preserving refresh token if none is received
This passes right now, but it's not obvious from looking at
tokenRefresher why it works.  It depends on logic in
internal.RetrieveToken.  I'm working on a larger refactor, but I want to
keep the test in place to avoid future regressions from seemingly
harmless code movements.

Change-Id: I742ccb952fbc069ca0887a556e362a0e59bef79b
Reviewed-on: https://go-review.googlesource.com/43573
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-05-17 17:44:39 +00:00
Pablo Lalloni 4464e78483 oauth2: remove scope & client_id params from access token request
Remove "scope" & "client_id" from "token request" in the "access token 
request" of the "authorization code grant" flow, keeping "client_id"
in case the provider is one of the known to be broken ones.

Please see https://tools.ietf.org/html/rfc6749#section-4.1.3

This change is required for interoperation with OpenAM.

Fixes golang/oauth2#145
Fixes golang/oauth2#110
Fixes golang/oauth2#188

Change-Id: Ie34c74980a6db7b5d34c851fb55a7d629fc7083e
Reviewed-on: https://go-review.googlesource.com/23790
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-02-07 21:18:51 +00:00
Joe Tsai 1e695b1c8f oauth2: fix brittle test
A change introduced in https://golang.org/cl/18692 expanded upon the errors
returned by the json package to be more informative about where the error occurred.
This breaks a test in oauth2 that relies on the exact form that an error takes.
Fix this test by simply checking whether it passes or not.

Fixes golang/go#17363
Updates golang/go#11811

Change-Id: I0062dc64fc1a8fd094b14ed1d0b21528edfbb282
Reviewed-on: https://go-review.googlesource.com/30600
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-07 18:00:02 +00:00
Jaana Burcu Dogan 3c3a985cb7 oauth2: fix more poorly styled test messages
There is not a good way of autogenerating the style fixes, hence I am
manually fixing them in small chunks.

Change-Id: I1fee5956dae93f38b8f1e7460b74d3d96e7ccd2c
Reviewed-on: https://go-review.googlesource.com/27922
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-09-02 05:59:13 +00:00
Jaana Burcu Dogan c10ba270aa all: deprecate NoContext
There is no good reason why we suggest NoContext rather than
context.Background(). When the oauth2 library first came around, the
community was not familiar with the x/net/context package. For
documentation reasons, we decided to add NoContext to the oauth2
package. It was not a good idea even back then. And given that context
package is fairly popular, there is no good reason why we are
depending on this.

Updating all the references of NoContext with context.Background
and documenting it as deprecated.

Change-Id: I18e390f1351023a29b567777a3f963dd550cf657
Reviewed-on: https://go-review.googlesource.com/27690
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2016-08-24 22:57:17 +00:00
Cheng-Lung Sung 7e9cd5d595 oauth2: remove mockCache since NewTransportFromTokenStore() removed.
Since NewTransportFromTokenStore() is removed, mockCache is therefore
useless. It should be safe to remove it, too.

Change-Id: I5678684af31e5de75e420b28d859e33909e0a718
Reviewed-on: https://go-review.googlesource.com/22113
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2016-04-15 16:57:16 +00:00
Andrew Gerrand 038cb4adce all: change copyright to 'Go Authors'
Fixes golang/go#12354

Change-Id: Ie4bbe9445e2a840c9db830c9bd52a783b7a6f9bc
Reviewed-on: https://go-review.googlesource.com/13952
Reviewed-by: Russ Cox <rsc@golang.org>
2015-10-22 04:14:42 +00:00
Emmanuel Odeke 2fbf3d7329 token: extra numeric values + test TokenType case
+ Added tests for TokenType by checking case.
+ Added numeric conversion for float and integer like
  values from token.Extra.

Change-Id: I0909a4458ed58e33428afbf40478a668d150dda7
Reviewed-on: https://go-review.googlesource.com/15156
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-10-01 05:36:47 +00:00
Aaron Torres a8c019d04a oauth2: add support for client credential grant type
Creates a new package called clientcredentials and
adds transport and token information to the internal
package. Also modifies the oauth2 package to make
use of the newly added files in the internal package.

The clientcredentials package allows for token requests
using a "client credentials" grant type.

Fixes https://github.com/golang/oauth2/issues/7

Change-Id: Iec649d1029870c27a2d1023baa9d52db42ff45e8
Reviewed-on: https://go-review.googlesource.com/2983
Reviewed-by: Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-18 00:13:27 +00:00
Burcu Dogan ce5ea7da93 oauth2: rename SetParam to SetAuthURLParam
SetParam is quite vague to represent an Option that sets the auth
URL query parameters. Renaming it for explicitness.

Fixes #108.

Change-Id: Ic9f0181097820ee83404c9432451d71658dd8c67
Reviewed-on: https://go-review.googlesource.com/8491
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-06 14:29:48 +00:00
Brad Fitzpatrick c58fcf0ffc oauth2: fix test to work with Go tip also
json.UnmarshalError has a new field in Go 1.5. Adjust tests to cope.

Change-Id: I6733b2e14513794676e7329a828001f3f8c6c342
Reviewed-on: https://go-review.googlesource.com/8341
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-04-02 05:54:06 +00:00
Russell Haering 3046bc76d6 oauth2: allow callers to pass arbitrary auth URL parameters
Many OAuth 2.0 implementations support parameters beyond those supported
by this library. This change exports a SetParam function for
constructing arbitrary key/value parameters.

Change-Id: Ice4179e7c5341bbeac8a53e389b32d59415740fa
Reviewed-on: https://go-review.googlesource.com/8054
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-31 07:24:46 +00:00
Nikolay Turpitko 2167774341 oauth2: long if condition in providerAuthHeaderWorks replaced with loop
Long if condition replaced with loop.

Related to issue #41.

Change-Id: Ib5b88ce2ee2841e9b6c24d78f93bb027141bf678
Reviewed-on: https://go-review.googlesource.com/7290
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-03-11 04:57:51 +00:00
Nikolay Turpitko 6d4eed4495 oauth2: fix expires_in for PayPal
PayPal returns "expires_in" token field as string, not integer.
So, current implementation cannot unmarshal json of tokenJSON due type mismatch.
This patch fixes the issue declaring field as interface{} in tokenJSON and performing type switch in "func (e *tokenJSON) expiry()".

Related to issue #41.

Change-Id: I69301e08c8a56fca049ca47906e32528cd22aef9
Reviewed-on: https://go-review.googlesource.com/6924
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-10 04:54:57 +00:00
Burcu Dogan 5cccf1a7e7 oauth2: add a test that checks token reuse
Change-Id: I6bd9cadc489418708635ca55a21955b94203bede
Reviewed-on: https://go-review.googlesource.com/7240
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-09 23:38:39 +00:00
Jim Cote cc2494a288 oauth2: fixes tokenRefresher.Token() ignores new refresh_token
Fixes bug documented in Issue #84 (https://github.com/golang/oauth2/issues/84#issuecomment-72711375).

During a refresh request, a new refresh token MAY be returned by the authorization server.  When this occurs, tokenRefesher.Token() fails to capture the new refresh token leaving it with an invalid refresh token for future calls.

Change-Id: I33b18fdbb750549174865f75eddf85b9725cf281
Reviewed-on: https://go-review.googlesource.com/4151
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-02-07 21:11:15 +00:00
Paul Rosania 6f28996586 oauth2: Resource Owner Password Credentials grant
Adds support for the Resource Owner Password Credentials grant type, which
allows trusted clients to exchange user credentials for an access token
directly. This is generally a bad idea, but is extremely useful in some
situations, where an external redirect is undesirable or impossible.

See https://tools.ietf.org/html/rfc6749#section-4.3

Change-Id: I28efd77957bcf8e1174e93ba0c64a990b94eb839
Reviewed-on: https://go-review.googlesource.com/3862
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-02-06 10:06:27 +00:00
Brad Fitzpatrick a379e41d44 oauth2, oauth2/google: add, use ReuseTokenSource
Token caching is now done whenever you make a Client, and
ReuseTokenSource is exported from the oauth2 package and used by the
Google TokenSources (Compute and App Engine).

Token.Expired is now Token.Valid, and works on nil receivers.

Some other wording cleanups in the process.

All tests pass. App Engine should pass, but is untested.

Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311
Reviewed-on: https://go-review.googlesource.com/2195
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-30 22:27:30 +00:00
Brad Fitzpatrick f5b40b26f1 oauth2: use a JSON struct types instead of empty interface maps
Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4
Reviewed-on: https://go-review.googlesource.com/1872
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-20 06:52:21 +00:00
Burcu Dogan 9b6b7610ad oauth2: rewrite google package, fix the broken build
Change-Id: I2753a88d7be483bdbc0cac09a1beccc4806ea4bc
Reviewed-on: https://go-review.googlesource.com/1361
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2014-12-16 06:20:58 +00:00
Burcu Dogan 5fd31d511c Merge pull request #50 from snikch/fix-json-expiry
Handle expiry correctly in json response
2014-11-25 19:48:01 -08:00
Burcu Dogan b846388564 oauth2: Removing the inconsistent and duplicate features, better naming
- Removed Flow, flow is a nothing but options.
- Renamed Cacher to Storer.
- Removed the setter from the Transport. Store should do the initial set.
  Getter is not removed, because extra fields are available through
  Transport.Token.Extra(). It's not pleasant to implement a custom Storer
  implementation to read such values.

oauth2: Remove VMs from the AppEngine example title
2014-11-25 14:36:49 -08:00
Mal Curtis 778494f9ec Handle expiry correctly in json response
Go treats json numbers as float64 not int. Previously json response
expiry information was ignored since it was expected to be an int.
2014-11-21 13:07:44 +13:00
Burcu Dogan c048af9da2 Add Cacher interface. 2014-11-13 15:41:14 +11:00
Burcu Dogan 0cf6f9b144 Introduce an option function type
- Reduce the duplicate code by merging the flows and
determining the flow type by looking at the provided options.
- Options as a function type allows us to validate an individual
an option in its scope and makes it easier to compose the
built-in options with the third-party ones.
2014-11-08 09:46:26 +11:00
Burcu Dogan 0ae3d4edc9 Allow users to get extra fields from a token response. 2014-10-27 20:01:11 -07:00
JT Olds 8551f9eee2 some pr review fixes 2014-09-06 19:03:51 -06:00
JT Olds e68820a209 fix token exchange 2014-09-06 17:39:43 -06:00
Burcu Dogan 97a89b3be5 Access type and approval prompt should be set at URL generation. 2014-09-04 23:30:06 -07:00
Burcu Dogan bb8496880f Don't assume optional fields are required and use Basic Auth if available.
See https://github.com/golang/oauth2/issues/33
2014-09-04 13:28:18 -07:00
Burcu Dogan de4c4313f9 Adding required client_secret credential. 2014-08-13 13:59:53 -07:00
Burcu Dogan 4c579cbd0d Export exchange.
Allows users to exchange and retrieve a token
without initialising a Transport.
2014-08-11 00:27:43 -07:00
Burcu Dogan 70bd497612 Fail during conf init if auth or token URL is not valid. 2014-07-20 16:56:38 -07:00
Burcu Dogan 0f597d5ad4 oauth2: don't use http.DefaultTransport.
http.DefaultTransport is not available on App Engine.
2014-07-11 10:57:28 -07:00
Johan Euphrosine 93ad3f4a9e remove cache 2014-07-08 22:27:34 -07:00
Burcu Dogan abc4bcd940 Reverting the license back to the original. 2014-05-17 17:26:57 +02:00
Burcu Dogan d7c8bcd0d0 oauth2: adding license. 2014-05-13 21:06:46 +03:00
Burcu Dogan 1b3c225070 oauth2: removing unnecessary interface definitions. 2014-05-10 14:43:21 +03:00