As per https://tools.ietf.org/html/rfc6749#section-2.3.1 client IDs and secrets must be urlencoded in the authorization header. This patch addresses this by wrapping clientID and clientSecret with url.QueryEscape. A dedicated test for unsafe-url client IDs and secrets has been added as well.
Closes#237
Change-Id: I1f277b52caef4932e14147be8fb1712203da51d0
Reviewed-on: https://go-review.googlesource.com/46473
Reviewed-by: JBD <jbd@google.com>
This passes right now, but it's not obvious from looking at
tokenRefresher why it works. It depends on logic in
internal.RetrieveToken. I'm working on a larger refactor, but I want to
keep the test in place to avoid future regressions from seemingly
harmless code movements.
Change-Id: I742ccb952fbc069ca0887a556e362a0e59bef79b
Reviewed-on: https://go-review.googlesource.com/43573
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
A change introduced in https://golang.org/cl/18692 expanded upon the errors
returned by the json package to be more informative about where the error occurred.
This breaks a test in oauth2 that relies on the exact form that an error takes.
Fix this test by simply checking whether it passes or not.
Fixesgolang/go#17363
Updates golang/go#11811
Change-Id: I0062dc64fc1a8fd094b14ed1d0b21528edfbb282
Reviewed-on: https://go-review.googlesource.com/30600
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
There is not a good way of autogenerating the style fixes, hence I am
manually fixing them in small chunks.
Change-Id: I1fee5956dae93f38b8f1e7460b74d3d96e7ccd2c
Reviewed-on: https://go-review.googlesource.com/27922
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
There is no good reason why we suggest NoContext rather than
context.Background(). When the oauth2 library first came around, the
community was not familiar with the x/net/context package. For
documentation reasons, we decided to add NoContext to the oauth2
package. It was not a good idea even back then. And given that context
package is fairly popular, there is no good reason why we are
depending on this.
Updating all the references of NoContext with context.Background
and documenting it as deprecated.
Change-Id: I18e390f1351023a29b567777a3f963dd550cf657
Reviewed-on: https://go-review.googlesource.com/27690
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Since NewTransportFromTokenStore() is removed, mockCache is therefore
useless. It should be safe to remove it, too.
Change-Id: I5678684af31e5de75e420b28d859e33909e0a718
Reviewed-on: https://go-review.googlesource.com/22113
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
+ Added tests for TokenType by checking case.
+ Added numeric conversion for float and integer like
values from token.Extra.
Change-Id: I0909a4458ed58e33428afbf40478a668d150dda7
Reviewed-on: https://go-review.googlesource.com/15156
Reviewed-by: Andrew Gerrand <adg@golang.org>
Creates a new package called clientcredentials and
adds transport and token information to the internal
package. Also modifies the oauth2 package to make
use of the newly added files in the internal package.
The clientcredentials package allows for token requests
using a "client credentials" grant type.
Fixes https://github.com/golang/oauth2/issues/7
Change-Id: Iec649d1029870c27a2d1023baa9d52db42ff45e8
Reviewed-on: https://go-review.googlesource.com/2983
Reviewed-by: Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
SetParam is quite vague to represent an Option that sets the auth
URL query parameters. Renaming it for explicitness.
Fixes#108.
Change-Id: Ic9f0181097820ee83404c9432451d71658dd8c67
Reviewed-on: https://go-review.googlesource.com/8491
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
json.UnmarshalError has a new field in Go 1.5. Adjust tests to cope.
Change-Id: I6733b2e14513794676e7329a828001f3f8c6c342
Reviewed-on: https://go-review.googlesource.com/8341
Reviewed-by: Burcu Dogan <jbd@google.com>
Many OAuth 2.0 implementations support parameters beyond those supported
by this library. This change exports a SetParam function for
constructing arbitrary key/value parameters.
Change-Id: Ice4179e7c5341bbeac8a53e389b32d59415740fa
Reviewed-on: https://go-review.googlesource.com/8054
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Long if condition replaced with loop.
Related to issue #41.
Change-Id: Ib5b88ce2ee2841e9b6c24d78f93bb027141bf678
Reviewed-on: https://go-review.googlesource.com/7290
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Burcu Dogan <jbd@google.com>
PayPal returns "expires_in" token field as string, not integer.
So, current implementation cannot unmarshal json of tokenJSON due type mismatch.
This patch fixes the issue declaring field as interface{} in tokenJSON and performing type switch in "func (e *tokenJSON) expiry()".
Related to issue #41.
Change-Id: I69301e08c8a56fca049ca47906e32528cd22aef9
Reviewed-on: https://go-review.googlesource.com/6924
Reviewed-by: Andrew Gerrand <adg@golang.org>
Fixes bug documented in Issue #84 (https://github.com/golang/oauth2/issues/84#issuecomment-72711375).
During a refresh request, a new refresh token MAY be returned by the authorization server. When this occurs, tokenRefesher.Token() fails to capture the new refresh token leaving it with an invalid refresh token for future calls.
Change-Id: I33b18fdbb750549174865f75eddf85b9725cf281
Reviewed-on: https://go-review.googlesource.com/4151
Reviewed-by: Andrew Gerrand <adg@golang.org>
Adds support for the Resource Owner Password Credentials grant type, which
allows trusted clients to exchange user credentials for an access token
directly. This is generally a bad idea, but is extremely useful in some
situations, where an external redirect is undesirable or impossible.
See https://tools.ietf.org/html/rfc6749#section-4.3
Change-Id: I28efd77957bcf8e1174e93ba0c64a990b94eb839
Reviewed-on: https://go-review.googlesource.com/3862
Reviewed-by: Burcu Dogan <jbd@google.com>
Token caching is now done whenever you make a Client, and
ReuseTokenSource is exported from the oauth2 package and used by the
Google TokenSources (Compute and App Engine).
Token.Expired is now Token.Valid, and works on nil receivers.
Some other wording cleanups in the process.
All tests pass. App Engine should pass, but is untested.
Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311
Reviewed-on: https://go-review.googlesource.com/2195
Reviewed-by: Burcu Dogan <jbd@google.com>
- Removed Flow, flow is a nothing but options.
- Renamed Cacher to Storer.
- Removed the setter from the Transport. Store should do the initial set.
Getter is not removed, because extra fields are available through
Transport.Token.Extra(). It's not pleasant to implement a custom Storer
implementation to read such values.
oauth2: Remove VMs from the AppEngine example title
- Reduce the duplicate code by merging the flows and
determining the flow type by looking at the provided options.
- Options as a function type allows us to validate an individual
an option in its scope and makes it easier to compose the
built-in options with the third-party ones.
Aeneas Rekkas (arekkas)
Ross Light
Pablo Lalloni
Joe Tsai
Jaana Burcu Dogan
Cheng-Lung Sung
Andrew Gerrand
Emmanuel Odeke
Aaron Torres
Brad Fitzpatrick
Russell Haering
Nikolay Turpitko
Jim Cote
Paul Rosania
Brad Fitzpatrick
Burcu Dogan
Mal Curtis
JT Olds
Johan Euphrosine