This is required for the direct path feature, which only works with this
token source. It's not currently possible to determine the token source
type from the return value of FindDefaultCredentials.
Another option is to add another field to the Credentials struct, which
we could still do later, but direct path is currently pretty experimental
and whitelisted/opt-in, so I don't want to add to the public API surface
unnecessarily.
This CL functionally blocks
https://code-review.googlesource.com/c/google-api-go-client/+/40950
Change-Id: Ifb5fe9c6e5c6b33eebb87b45d3c70eebfca691b3
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/175877
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Add an Audience field to jwt.Config which, if set, is used instead of TokenURL as the 'aud' claim in the generated JWT. This allows the jwt package to work with authorization servers that require the 'aud' claim and token endpoint URL to be different values.
Fixes#369.
Change-Id: I883aabece7f9b16ec726d5bfa98c1ec91876b651
GitHub-Last-Rev: fd73e4d50c
GitHub-Pull-Request: golang/oauth2#370
Reviewed-on: https://go-review.googlesource.com/c/162937
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Password-based authentication to the [Keycloak](https://www.keycloak.org/) API requires `grant_type` to be `password`. It would be very helpful if `golang.org/x/oauth2` could be used for this, and all's that missing is the ability to override `grant_type`.
Fixes#283
Change-Id: I439dccb3e57042571ad92f115442ae1b7d59d4e0
GitHub-Last-Rev: 0e6f85e31e
GitHub-Pull-Request: golang/oauth2#363
Reviewed-on: https://go-review.googlesource.com/c/158517
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
The term "query parameters" suggested that the credentials are passed in the URL which is insecure and is actually not true as the credentials are passed in the request body. See 36a7019397/internal/token.go (L196)
Change-Id: Id0a83f8d317fed30e18310b30860000109dafe88
GitHub-Last-Rev: 3961bc9aff
GitHub-Pull-Request: golang/oauth2#358
Reviewed-on: https://go-review.googlesource.com/c/157877
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
It was particularly flaky on Windows where time.Now doesn't advance as
fast as elsewhere.
Change-Id: Ic0b7c3e4c69389009d1e28750be0cd203fa770aa
Reviewed-on: https://go-review.googlesource.com/c/157578
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Commands run:
go mod init
go mod tidy
sed -i 's/go 1.12/go 1.11/' go.mod
go test ./...
Fixes#355
Change-Id: I196d77e9c15a2780e2649e735520578c01191a1b
Reviewed-on: https://go-review.googlesource.com/c/157137
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
I missed this in CL 146677.
Change-Id: Ie2735ba15d41e51fd5a99cba97514cd16399abaa
Reviewed-on: https://go-review.googlesource.com/c/147458
Reviewed-by: Ross Light <light@google.com>
Assume Go 1.9+, which is broader than Go's current Go 1.10+ support policy.
Change-Id: I9fe6954d21c2279cf4ea7da4d5bc7a9290a3bae2
Reviewed-on: https://go-review.googlesource.com/c/146677
Reviewed-by: Ross Light <light@google.com>
PR #341 introduce some new import `x/net/context` in parallel of PR #339 replacing them with the standard context.
This quick PR rename those imports.
Change-Id: I94f7edbee851a733b8a307c2ea60923dd990bdb4
GitHub-Last-Rev: fbe7944356
GitHub-Pull-Request: golang/oauth2#342
Reviewed-on: https://go-review.googlesource.com/c/146837
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Go 1.11 on App Engine standard is a "second generation" runtime, and
second generation runtimes do not set the appengine build tag.
appengine_hook.go was behind the appengine build tag, meaning that
AppEngineTokenSource panicked on the go111 runtime, saying,
"AppEngineTokenSource can only be used on App Engine."
The second gen runtimes should use ComputeTokenSource, which is also
what flex does [1]. This commit does two things to remedy the situation:
1. Put the pre-existing implementation of AppEngineTokenSource behind
the appengine build tag since it only works on first gen App Engine
runtimes. This leaves first gen behavior unchanged.
2. Add a new implementation of AppEngineTokenSource and tag it
!appengine. This implementation will therefore be used by second gen
App Engine standard runtimes and App Engine flexible. It delegates
to ComputeTokenSource.
The new AppEngineTokenSource implementation emits a log message
informing the user that AppEngineTokenSource is deprecated for second
gen runtimes and flex, instructing them to use DefaultTokenSource or
ComputeTokenSource instead. The documentation is updated to say the
same.
In this way users will not break when upgrading from Go 1.9 to Go 1.11
on App Engine but they will be nudged toward the world where App Engine
runtimes have less special behavior.
findDefaultCredentials still calls AppEngineTokenSource for first gen
runtimes and ComputeTokenSource for flex.
Fixes#334
Test: I deployed an app that uses AppEngineTokenSource to Go 1.9 and
Go 1.11 on App Engine standard and to Go 1.11 on App Engine
flexible and it worked in all cases. Also verified that the log
message is present on go111 and flex.
[1] DefaultTokenSource did use ComputeTokenSource for flex but
AppEngineTokenSource did not. AppEngineTokenSource is supported on flex,
in the sense that it doesn't panic when used on flex in the way it does
when used outside App Engine. However, AppEngineTokenSource makes an API
call internally that isn't supported by default on flex, which emits a
log instructing the user to enable the compat runtime. The compat
runtimes are deprecated and deploys are blocked. This is a bad
experience. This commit has the side effect of fixing this.
Change-Id: Iab63547b410535db60dcf204782d5b6b599a4e0c
GitHub-Last-Rev: 5779afb167
GitHub-Pull-Request: golang/oauth2#341
Reviewed-on: https://go-review.googlesource.com/c/146177
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
PKSC1 is not a thing, but PKCS1 is, and the parse function above the
error is for PKCS1.
Change-Id: I163bb158070da462caa034a19a89ce654acc7a5d
Reviewed-on: https://go-review.googlesource.com/c/146178
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This removes any assumption about how the underlying TokenSource is
implemented.
Change-Id: I03521e2f26bd07e25eb6ba00a78c285ece1835cc
Reviewed-on: https://go-review.googlesource.com/114955
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fix for a small bug that causes scopes to be prefixed by a bunch
of `+` chars, which results in an invalid scopes response from
the Jira Auth Server.
Change-Id: I00ded66c1eeb042a02f11ef3c84d7281159b1039
GitHub-Last-Rev: f76f480589
GitHub-Pull-Request: golang/oauth2#282
Reviewed-on: https://go-review.googlesource.com/110917
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>