This option is a followup to to cl/479676 where an option was added
to configure the preemptive token refresh. Currently the option
in this package is only being used by compute credentials. In the
future we can support more/all auth flows but that would require
a lot of new surfaces to be added. Compute credentials are currently
the only case where we are expirencing the need to configure this
setting.
Change-Id: Ib78ca4beec44d0fe030ae81e84c8fcc4924793ba
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/479956
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Add a constructor which allows for the configuration of the expiryDelta
buffer. Due to the construction of reuseTokenSource and Token we need
to store the new delta in both places, so the behavior of Valid is
consistent regardless of where it is called from.
Fixes#623
Change-Id: I89f9c206a9cc16bb473b8c619605c8410a82fff0
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/479676
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Update the URL to a newer page that better describes how to set
up credentials in different environments.
Change-Id: Ic0726fe298c543265d333cda60d62c235e4e2293
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/473735
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.
Change-Id: If7957dff90ca75fa8fd84ace90ed15066bfd3e48
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/473438
Reviewed-by: Heschi Kreinick <heschi@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Gopher Robot <gobot@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
With Context Aware Access enabled, users must use the endpoint "https://oauth2.mtls.googleapis.com/token" for token exchange. This PR adds support for runtime configuration of the OAuth2 token endpoint (as determined by the caller). If using the mTLS oauth2 endpoint, the caller will also need to specify an mTLS-enabled HTTPClient via the "context" mechanism for use by the OAuth2 transport.
Change-Id: Ic83342ec1d224d3acdabf00d863249330424fc54
GitHub-Last-Rev: 07e4849e96
GitHub-Pull-Request: golang/oauth2#630
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/470396
Run-TryBot: Matthew Hickford <hickford@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Run-TryBot: Shin Fan <shinfan@google.com>
Reviewed-by: Matthew Hickford <hickford@google.com>
Reviewed-by: Andy Zhao <andyzhao@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Removes URL validation for token_url, service_account_impersonation_url to allow for TPC urls and adds line to the docs to warn users. See https://github.com/googleapis/google-auth-library-nodejs/pull/1517 for same change in node.js library.
Change-Id: I85fa67ee0b99deed2adb75668a1b5501851c499c
GitHub-Last-Rev: 15d7759884
GitHub-Pull-Request: golang/oauth2#627
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/465696
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.
Change-Id: I011be77aad8a91714b6af22e05408254e4110f3f
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/466737
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.
Change-Id: Ic017d7ac9986ab17999bbf9a9528e5671946e57a
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/460501
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.
Change-Id: Iddd5948b1dc74c208372e82df1971f9cd2b5f296
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/455435
Run-TryBot: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Adds check for aws values in environment variables before the metadata server is called to prevent unnecessary off box calls. See https://github.com/googleapis/google-auth-library-java/pull/1100 for same change in java library.
Change-Id: Ie86a899be88c38d3fcbbe377f9bf30a7a66530c0
GitHub-Last-Rev: bcab69572c
GitHub-Pull-Request: golang/oauth2#612
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/453715
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
Auto-Submit: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.
Change-Id: I3f0d7b406644af66ea5bef4e6edbe60044b96274
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/448756
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
This newly carved out module has 0 external dependencies which should
help simiplify many peoples dep trees.
Change-Id: I59fcc8517b92fea0142fdee1be12076c4ece3e61
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/446075
Auto-Submit: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.
Change-Id: Ib3b54f9298e19a100fe350d299731738197cabcc
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/443997
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Gopher Robot <gobot@golang.org>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
In 2009, Google's open-source lawyers asked us to create the AUTHORS
file to define "The Go Authors", and the CONTRIBUTORS file was in
keeping with open source best practices of the time.
Re-reviewing our repos now in 2022, the open-source lawyers are
comfortable with source control history taking the place of the
AUTHORS file, and most open source projects no longer maintain
CONTRIBUTORS files.
To ease maintenance, remove AUTHORS and CONTRIBUTORS from all repos.
For #53961.
Change-Id: If3ee4896e8e520c5f3ad2fa49559c68043a4e6b8
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/419100
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Right now, impersonation tokens used for external accounts have a hardcoded lifetime of 1 hour (3600 seconds), but some of our customers want to be able to adjust this lifetime. These changes (along with others in the gcloud cli) should allow this
Change-Id: I705f83dc2a092d8cdd0fcbfff83b014c220e28bb
GitHub-Last-Rev: 7e0ea92c8e
GitHub-Pull-Request: golang/oauth2#571
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/416797
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Notably, this updates the transitive dependency providing the package
"cloud.google.com/go/compute" from module cloud.google.com/go to
module cloud.google.com/go/compute.
In combination with module graph pruning, this may help modules that
depend on this one avoid unnecessary dependencies on (and via)
the cloud.google.com/go module.
Change-Id: Ie74d0b2bf34e071ecf316ddb1ed567a05789fdf2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/415395
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This enables module graph pruning
(https://go.dev/ref/mod#graph-pruning) for this module, pruning out
unncessary dependencies for other modules at 'go 1.17' or higher that
require this one.
Notably, this may prune out a great many transitive dependencies of
cloud.google.com/go.
Change-Id: Ide1030fc0d308dc768447c4e47c371dfdca6387c
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/415394
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
This changeset would allow users to specify a command to be run which will return a token
Change-Id: If84cce97c273cdd08ef2010a1693cd813d053ed3
GitHub-Last-Rev: 98f37871ca
GitHub-Pull-Request: golang/oauth2#563
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/404114
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
- Added new TokenSourceWithPKCE function to authhandler package.
- Updated Token method to support PKCE flow, sending code challenge and challenge method on the auth-code request, and sending code verifier on the exchange request.
- Updated google/default.go to support PKCE param.
Change-Id: Iab895bc01407c4742706061753f5329a772068ec
GitHub-Last-Rev: c1fddd28bc
GitHub-Pull-Request: golang/oauth2#568
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/410515
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Introduce new AuthenticationError type returned by
errWrappingTokenSource.Token. The new error wrapper
exposes a boolean method Temporary, identifying the
underlying network error as retryable based on the
following status codes: 500, 503, 408, or 429.
Bump go.mod version to 1.15
refs: https://github.com/googleapis/google-api-go-client/issues/1445
Change-Id: I27c76cb0c71b918c25a640f40d0bd515b2e488fc
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/403846
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Add support to set JWT Audience in JWTConfigFromJSON() to allow setting
the audience field from the JSON config, rather than only allowing it
the default value of the token_uri.
Previous change 272766 (approved but abandoned).
Change-Id: I14d46f3628df0a04801949bf99520b210e778f99
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/406836
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Gofmt to update doc comments to the new formatting.
For golang/go#51082.
Change-Id: Id333e34e0c5cd0bea79dcf5dd51130639597b2ee
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/399616
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
AWS released a new instance metadata service (IMDSv2). IMDSv2 brought a requirement that a session token header is now required on every call to metadata endpoint.
Modify the AWS credential retrieval flow to fetch the session token and send it along with the calls to metadata endpoints
Change-Id: I539912ab38f5e591658b29a1e7a99d2b828a1128
GitHub-Last-Rev: 29e1f4aad1
GitHub-Pull-Request: golang/oauth2#554
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/390794
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
It seems like these handful of test would fail because of issues
related to timings. When running the tests there was sometimes a
second scew from when the subjectToken got and want were calculated.
Switched them all to use a static clock so the time portion will
never differ.
Fixesgolang/go#49339
Change-Id: Ia2e4e140526ee1fc37fa9d24765cd8ec3033ea22
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/361354
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
New credential type supported: "impersonated_service_account".
Extend the "credentialsFile" struct to take into account the credential source for the impersonation.
Reuse of `ImpersonateTokenSource` struct, from `google/internal/externalaccount/Impersonate.go' file. The struct has a package-scope visibility now.
Fixes: #515
Change-Id: I87e213be6d4b6add2d6d82b91b1b38e43a0d2fe4
GitHub-Last-Rev: 14806e6b37
GitHub-Pull-Request: golang/oauth2#516
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/344369
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Workforce pools (external account credentials for non-Google users) are
organization-level resources which means that issued workforce pool tokens
will not have any client project ID on token exchange as currently designed.
"To use a Google API, the client must identify the application to the server.
If the API requires authentication, the client must also identify the principal
running the application."
The application here is the client project. The token will identify the user
principal but not the application. This will result in APIs rejecting requests
authenticated with these tokens.
Note that passing a x-goog-user-project override header on API request is
still not sufficient. The token is still expected to have a client project.
As a result, we have extended the spec to support an additional
workforce_pool_user_project for these credentials (workforce pools) which will
be passed when exchanging an external token for a Google Access token. After the
exchange, the issued access token will use the supplied project as the client
project. The underlying principal must still have serviceusage.services.use
IAM permission to use the project for billing/quota.
This field is not needed for flows with basic client authentication (e.g. client
ID is supplied). The client ID is sufficient to determine the client project and
any additionally supplied workforce_pool_user_project value will be ignored.
Note that this feature is not usable yet publicly.
Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0
GitHub-Last-Rev: a6dc5ebc95
GitHub-Pull-Request: golang/oauth2#520
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Bassam Ojeil <bojeil@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Implements support for token downscoping to allow for the creation of tokens with restricted permissions
Change-Id: I52459bdb0dfdd5e8d86e6043ba0362f4bf4b823c
GitHub-Last-Rev: 941cf10a8e
GitHub-Pull-Request: golang/oauth2#502
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/326529
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
AWS_DEFAULT_REGION should have been checked as a backup to AWS_REGION but wasn't. Also removed a redundant print statement in a test case.
Change-Id: Ia6e13eb20f509110a81e3071228283c43a1e9283
GitHub-Last-Rev: 1a10bcc079
GitHub-Pull-Request: golang/oauth2#486
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/302789
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
*Add support for Google Developers Console client_credentials.json as a TokenSource.
*Add support for JWT Subject (for domain-wide delegation when using service account as credentials source.)
*Add support for non-default AuthURL and TokenURL for authorized user credentials source.
To support this change, two new exported functions FindDefaultCredentialsWithParams and CredentialsFromJSONWithParams are introduced.
Change-Id: Ib467822e2c14e02f8ae68586665c439960cfbd5c
GitHub-Last-Rev: eb92ab4a21
GitHub-Pull-Request: golang/oauth2#490
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/311589
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>