Commit Graph

22 Commits

Author SHA1 Message Date
Cody Oss 54b70c833f google: update missing auth help URL
Update the URL to a newer page that better describes how to set
up credentials in different environments.

Change-Id: Ic0726fe298c543265d333cda60d62c235e4e2293
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/473735
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2023-03-17 18:50:21 +00:00
Andy Zhao 885f294722 google: Add support for OAuth2 token exchange over mTLS
With Context Aware Access enabled, users must use the endpoint "https://oauth2.mtls.googleapis.com/token" for token exchange. This PR adds support for runtime configuration of the OAuth2 token endpoint (as determined by the caller). If using the mTLS oauth2 endpoint, the caller will also need to specify an mTLS-enabled HTTPClient via the "context" mechanism for use by the OAuth2 transport.

Change-Id: Ic83342ec1d224d3acdabf00d863249330424fc54
GitHub-Last-Rev: 07e4849e96
GitHub-Pull-Request: golang/oauth2#630
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/470396
Run-TryBot: Matthew Hickford <hickford@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Run-TryBot: Shin Fan <shinfan@google.com>
Reviewed-by: Matthew Hickford <hickford@google.com>
Reviewed-by: Andy Zhao <andyzhao@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2023-03-03 18:55:16 +00:00
Koichi Shiraishi 6f9c1a18cc google: use Credentials instead of deprecated DefaultCredentials
Change-Id: Ie2d972df025f6b6b7d172015aae7eb34e355cb28
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/412034
Reviewed-by: Matt Hickford <matt.hickford@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Matthew Hickford <hickford@google.com>
Run-TryBot: Matt Hickford <matt.hickford@gmail.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
2023-02-27 20:54:01 +00:00
Andy Zhao fd043fe589 authhandler: Add support for PKCE
- Added new TokenSourceWithPKCE function to authhandler package.
- Updated Token method to support PKCE flow, sending code challenge and challenge method on the auth-code request, and sending code verifier on the exchange request.
- Updated google/default.go to support PKCE param.

Change-Id: Iab895bc01407c4742706061753f5329a772068ec
GitHub-Last-Rev: c1fddd28bc
GitHub-Pull-Request: golang/oauth2#568
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/410515
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
2022-06-22 18:31:10 +00:00
Chris Smith d0670ef3b1 google: Wrap token sources in errWrappingTokenSource
Introduce new AuthenticationError type returned by
errWrappingTokenSource.Token. The new error wrapper
exposes a boolean method Temporary, identifying the
underlying network error as retryable based on the
following status codes: 500, 503, 408, or 429.

Bump go.mod version to 1.15

refs: https://github.com/googleapis/google-api-go-client/issues/1445

Change-Id: I27c76cb0c71b918c25a640f40d0bd515b2e488fc
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/403846
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
2022-06-08 16:14:50 +00:00
Russ Cox 9780585627 all: gofmt
Gofmt to update doc comments to the new formatting.

For golang/go#51082.

Change-Id: Id333e34e0c5cd0bea79dcf5dd51130639597b2ee
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/399616
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
2022-04-11 21:57:20 +00:00
Andy Zhao 81ed05c6b5 google: Add support for CredentialsParams, Client ID json, and JWT Subject
*Add support for Google Developers Console client_credentials.json as a TokenSource.
*Add support for JWT Subject (for domain-wide delegation when using service account as credentials source.)
*Add support for non-default AuthURL and TokenURL for authorized user credentials source.

To support this change, two new exported functions FindDefaultCredentialsWithParams and CredentialsFromJSONWithParams are introduced.

Change-Id: Ib467822e2c14e02f8ae68586665c439960cfbd5c
GitHub-Last-Rev: eb92ab4a21
GitHub-Pull-Request: golang/oauth2#490
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/311589
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>
2021-04-27 18:04:40 +00:00
Bassam Ojeil f145937023 google: update documentation for workload identity federation
Document using workload identity federation from non-Google Cloud platforms to access Google Cloud resources.
This covers federation from AWS, Azure and OIDC providers via Application Default Credentials.

Change-Id: I77ee7f6aac5a75d095304f07f3004ec3fb7b9613
GitHub-Last-Rev: 07c9dd0271
GitHub-Pull-Request: golang/oauth2#478
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/293751
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-02-18 20:13:42 +00:00
Steven Buss 9f3314589c google: Support scopes for ComputeTokenSource
Scopes have been added as a query parameter to the metadata server.

Change-Id: Ife68db01beeca386e558edd424fa11da508b7287
GitHub-Last-Rev: 1cb4a6ec12
GitHub-Pull-Request: golang/oauth2#376
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/170106
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-04-02 18:19:05 +00:00
Brad Fitzpatrick 232e455483 google: remove Go 1.8 support
Assume Go 1.9+, which is broader than Go's current Go 1.10+ support policy.

Change-Id: I9fe6954d21c2279cf4ea7da4d5bc7a9290a3bae2
Reviewed-on: https://go-review.googlesource.com/c/146677
Reviewed-by: Ross Light <light@google.com>
2018-11-02 17:01:40 +00:00
Antoine GIRARD c453e0c757 all: use stdlib context instead of x/net/context
This PR replaces use of `x/net/context` with the standard `context`

It has been nearly 6 months since
https://github.com/golang/oauth2/issues/246#issuecomment-387601277 so
I made this PR so it will be ready to merge when needed (and if
possible).

Fixes #246

Change-Id: Id2c316fcb27de0fb9163ceb4e8669b04cb39a987
GitHub-Last-Rev: 5b36321dcc
GitHub-Pull-Request: golang/oauth2#339
Reviewed-on: https://go-review.googlesource.com/c/145202
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-11-01 16:01:52 +00:00
Michael Traver 5a69e67f3f appengine: implement AppEngineTokenSource for 2nd gen runtimes
Go 1.11 on App Engine standard is a "second generation" runtime, and
second generation runtimes do not set the appengine build tag.
appengine_hook.go was behind the appengine build tag, meaning that
AppEngineTokenSource panicked on the go111 runtime, saying,
"AppEngineTokenSource can only be used on App Engine."

The second gen runtimes should use ComputeTokenSource, which is also
what flex does [1]. This commit does two things to remedy the situation:

1. Put the pre-existing implementation of AppEngineTokenSource behind
   the appengine build tag since it only works on first gen App Engine
   runtimes. This leaves first gen behavior unchanged.
2. Add a new implementation of AppEngineTokenSource and tag it
   !appengine. This implementation will therefore be used by second gen
   App Engine standard runtimes and App Engine flexible. It delegates
   to ComputeTokenSource.

The new AppEngineTokenSource implementation emits a log message
informing the user that AppEngineTokenSource is deprecated for second
gen runtimes and flex, instructing them to use DefaultTokenSource or
ComputeTokenSource instead. The documentation is updated to say the
same.

In this way users will not break when upgrading from Go 1.9 to Go 1.11
on App Engine but they will be nudged toward the world where App Engine
runtimes have less special behavior.

findDefaultCredentials still calls AppEngineTokenSource for first gen
runtimes and ComputeTokenSource for flex.

Fixes #334

Test: I deployed an app that uses AppEngineTokenSource to Go 1.9 and
      Go 1.11 on App Engine standard and to Go 1.11 on App Engine
      flexible and it worked in all cases. Also verified that the log
      message is present on go111 and flex.

[1] DefaultTokenSource did use ComputeTokenSource for flex but
AppEngineTokenSource did not. AppEngineTokenSource is supported on flex,
in the sense that it doesn't panic when used on flex in the way it does
when used outside App Engine. However, AppEngineTokenSource makes an API
call internally that isn't supported by default on flex, which emits a
log instructing the user to enable the compat runtime. The compat
runtimes are deprecated and deploys are blocked. This is a bad
experience. This commit has the side effect of fixing this.

Change-Id: Iab63547b410535db60dcf204782d5b6b599a4e0c
GitHub-Last-Rev: 5779afb167
GitHub-Pull-Request: golang/oauth2#341
Reviewed-on: https://go-review.googlesource.com/c/146177
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-11-01 15:54:53 +00:00
Jonathan Amsterdam 7af32f14d0 google: add CredentialsFromJSON
Support obtaining a DefaultCredentials value from JSON data.

Also, add an example, and write more package doc.

For Go 1.9 and higher, rename DefaultCredentials to
Credentials and make the former an alias for the latter.

Updates google/google-api-go-client#247.

Change-Id: I9f9e234ed79f8e08fa13914d9c6c60e0154a06e5
Reviewed-on: https://go-review.googlesource.com/99795
Reviewed-by: Ross Light <light@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-12 23:58:49 +00:00
Ross Light 9a379c6b3e google: add JSON field to DefaultCredentials
Change-Id: I9cde8eabf4a2cb87db74f7b805045e155fd4ef13
Reviewed-on: https://go-review.googlesource.com/51111
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2017-08-07 18:00:24 +00:00
Jaana Burcu Dogan 8cf58155e4 google: remove code duplication, note appenginevm case
Before AppEngine classic allowed "google.golang.org/appengine" imports,
we used to maintain two hook files to choose either from "appengine" or
"google.golang.org/appengine" namespaces. Now, both environments allow
importing from "google.golang.org/appengine". Therefore, there
is no need to set hooks in two separate files.

Also note that Flex prefers to use metadata server, so we still
need to be able to differentiate between these environments.

Change-Id: I7478ebdfa1b062d466aaf2aca938f93d42b4c58a
Reviewed-on: https://go-review.googlesource.com/37378
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-03-02 20:00:26 +00:00
Ross Light f6093e37b6 google: add DefaultCredentials function
This new function allows reading the project ID from a service account
JSON file without an additional disk read.

Change-Id: I1f03ca3ca39a2ae3bd6524367c17761b0f08de45
Reviewed-on: https://go-review.googlesource.com/32876
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2016-11-30 17:46:31 +00:00
Ross Light d5040cddfc google: refactor JWT parsing code internally
The ADC code and the JWT-parsing function operate on the same data
format, but were using separate code paths, each of which was missing
things from the other.

While this presents no change in API surface, JWTConfigFromJSON now
strictly checks the "type" field in the JSON file before building a
config.

Change-Id: I2f593a16bf4591059fbf9002bccea06e41e5e161
Reviewed-on: https://go-review.googlesource.com/32678
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2016-11-07 20:33:27 +00:00
Jonathan Amsterdam 04e1573abc oauth2/google: change import paths
Change google.golang.org/cloud to cloud.google.com/go.

Change-Id: I6955a38ab97019d3d1dc094979e0ca2e45dea071
Reviewed-on: https://go-review.googlesource.com/25363
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2016-08-03 22:09:26 +00:00
Andrew Gerrand 038cb4adce all: change copyright to 'Go Authors'
Fixes golang/go#12354

Change-Id: Ie4bbe9445e2a840c9db830c9bd52a783b7a6f9bc
Reviewed-on: https://go-review.googlesource.com/13952
Reviewed-by: Russ Cox <rsc@golang.org>
2015-10-22 04:14:42 +00:00
Chris Broadfoot 52dcf34690 google: Re-enable AppEngineTokenSource to be used from Managed VMs.
Fixes #152.

Change-Id: I757c011d3ac5dca8f80fb2119eda3adf8c178ca6
Reviewed-on: https://go-review.googlesource.com/14622
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-09-16 01:14:15 +00:00
Burcu Dogan d2a4aec992 oauth/google: fix the broken default credentials link
Change-Id: Iceb8f2fa393a1de4dbb0ab3b85ccee1da5c2b5b7
Reviewed-on: https://go-review.googlesource.com/8474
Reviewed-by: David Symonds <dsymonds@golang.org>
2015-04-05 01:25:05 +00:00
Andrew Gerrand 798d582d94 google: implement application default credentials
Google is moving toward a default, language-agnostic way of obtaining
authentication credentials on App Engine and Compute Engine.
This change implements this mechanism.

Fixes #90.

Change-Id: Iaae4d60bbc75b1a9f2ec6ad14ab76fb2e279d756
Reviewed-on: https://go-review.googlesource.com/6074
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-03-19 05:52:14 +00:00