Commit Graph

407 Commits

Author SHA1 Message Date
Ryan Kohler 6b3c2da341 google/externalaccount: add support for workforce pool credentials
Workforce pools (external account credentials for non-Google users) are
organization-level resources which means that issued workforce pool tokens
will not have any client project ID on token exchange as currently designed.

"To use a Google API, the client must identify the application to the server.
If the API requires authentication, the client must also identify the principal
running the application."

The application here is the client project. The token will identify the user
principal but not the application. This will result in APIs rejecting requests
authenticated with these tokens.

Note that passing a x-goog-user-project override header on API request is
still not sufficient. The token is still expected to have a client project.

As a result, we have extended the spec to support an additional
workforce_pool_user_project for these credentials (workforce pools) which will
be passed when exchanging an external token for a Google Access token. After the
exchange, the issued access token will use the supplied project as the client
project. The underlying principal must still have serviceusage.services.use
IAM permission to use the project for billing/quota.

This field is not needed for flows with basic client authentication (e.g. client
ID is supplied). The client ID is sufficient to determine the client project and
any additionally supplied workforce_pool_user_project value will be ignored.

Note that this feature is not usable yet publicly.

Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0
GitHub-Last-Rev: a6dc5ebc95
GitHub-Pull-Request: golang/oauth2#520
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/353393
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Bassam Ojeil <bojeil@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-10-05 18:02:43 +00:00
Cody Oss 2bc19b1117 google/downscope: return body in error message
Change-Id: Ic424a95895668c2f37ffdcea2e3012e4c929cbe5
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/343689
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-08-19 19:09:43 +00:00
Patrick Jones 7df4dd6e12 google/externalaccount: validate tokenURL and ServiceAccountImpersonationURL
Change-Id: Iab70cc967fd97ac8e349a14760df0f8b02ddf074
GitHub-Last-Rev: ddf4dbd0b7
GitHub-Pull-Request: golang/oauth2#514
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/340569
Reviewed-by: Patrick Jones <ithuriel@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-08-17 22:35:10 +00:00
Patrick Jones faf39c7919 google/downscope: additional examples
Updating examples to match the expected token broker & token consumer paradigm.

Change-Id: I9f6474e6d433e544dc92d8b1595e9538a5266043
GitHub-Last-Rev: 2149795f02
GitHub-Pull-Request: golang/oauth2#513
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/339190
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-08-10 18:38:15 +00:00
Patrick Jones 6f1e639406 google/downscope: update documentation
Change-Id: Ib4dfc7b554c1e7565cc61bc372a98ddd390e7453
GitHub-Last-Rev: 63894e5681
GitHub-Pull-Request: golang/oauth2#512
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/338389
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Trust: Cody Oss <codyoss@google.com>
Trust: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Cody Oss <codyoss@google.com>
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
2021-08-05 13:40:26 +00:00
Patrick Jones a41e5a7819 downscope: implement support for token downscoping
Implements support for token downscoping to allow for the creation of tokens with restricted permissions

Change-Id: I52459bdb0dfdd5e8d86e6043ba0362f4bf4b823c
GitHub-Last-Rev: 941cf10a8e
GitHub-Pull-Request: golang/oauth2#502
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/326529
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
2021-06-28 18:02:05 +00:00
gIthuriel a8dc77f794 google: add external account documentation
Adds some documentation to existing public structures for third-party authentication.

Change-Id: I756f5cd5619fbd752c028e99176991139fd45c60
GitHub-Last-Rev: c846ea6748
GitHub-Pull-Request: golang/oauth2#485
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/301610
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
2021-06-22 21:54:36 +00:00
Eno Compton bce0382f6c google: fix syntax error
Change-Id: I18dd98234a87dca59a199d90a5d0b9cedd80e5af
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/330189
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-06-22 19:05:53 +00:00
gIthuriel 14747e66f6 google: check additional AWS variable
AWS_DEFAULT_REGION should have been checked as a backup to AWS_REGION but wasn't.  Also removed a redundant print statement in a test case.

Change-Id: Ia6e13eb20f509110a81e3071228283c43a1e9283
GitHub-Last-Rev: 1a10bcc079
GitHub-Pull-Request: golang/oauth2#486
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/302789
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
2021-06-22 16:52:04 +00:00
Shin Fan d04028783c google: support scopes for JWT access token
Change-Id: I11acd87a56cd003fdb68a5a687e37df450c400d1
GitHub-Last-Rev: efb2e8a08a
GitHub-Pull-Request: golang/oauth2#504
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/327929
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Shin Fan <shinfan@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
2021-06-15 19:07:21 +00:00
akay f6687ab280 endpoints: add Battlenet endpoints
OAuth APIs: https://develop.battle.net/documentation/battle-net/oauth-apis

Change-Id: I7c10f68c6ef0cb9b77cffa104e71a7198a599c89
GitHub-Last-Rev: e9596432c8
GitHub-Pull-Request: golang/oauth2#489
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/310249
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
2021-05-14 16:43:44 +00:00
Mattias Appelgren 9963728281 endpoints: Add Strava endpoint
As per the Strava API auth docs: http://developers.strava.com/docs/authentication/

Change-Id: Ibf6fcca193a1b63bf86830b669849653774a9df9
GitHub-Last-Rev: 296e91e1f2
GitHub-Pull-Request: golang/oauth2#473
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/289829
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Heschi Kreinick <heschi@google.com>
2021-05-14 16:43:25 +00:00
Andy Zhao 81ed05c6b5 google: Add support for CredentialsParams, Client ID json, and JWT Subject
*Add support for Google Developers Console client_credentials.json as a TokenSource.
*Add support for JWT Subject (for domain-wide delegation when using service account as credentials source.)
*Add support for non-default AuthURL and TokenURL for authorized user credentials source.

To support this change, two new exported functions FindDefaultCredentialsWithParams and CredentialsFromJSONWithParams are introduced.

Change-Id: Ib467822e2c14e02f8ae68586665c439960cfbd5c
GitHub-Last-Rev: eb92ab4a21
GitHub-Pull-Request: golang/oauth2#490
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/311589
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>
2021-04-27 18:04:40 +00:00
Andy Zhao 5e61552d6c authhandler: Remove example_test.go
The example test implementation uses stdin, which does not work in all environments:
https://github.com/golang/go/issues/45523

Removing for now to unblock release.

Change-Id: I49bafa9fe1d973b7c1d7ce00f51f110f9aa4a5a6
GitHub-Last-Rev: baf46329c2
GitHub-Pull-Request: golang/oauth2#488
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/309469
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
Trust: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-04-13 13:46:43 +00:00
Joel Ferrier 2e8d934016 google: Use bytes.Buffer for go 1.9 compatability
Update test cases to use const test data file references.

Change-Id: Ic08b6de5a84db7b2ae2c649ee676c5a2c13f4227
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/306749
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-04-02 16:14:24 +00:00
Andy Zhao 22b0adad75 authhandler: Add support for 3-legged-OAuth
Added authhandler.go, which implements a TokenSource to support "three-legged OAuth 2.0" via a custom AuthorizationHandler.

Added example_test.go with a sample command line implementation for AuthorizationHandler.

This patch adds support for 3-legged-OAuth flow using an OAuth Client ID file downloaded from Google Cloud Console.

Change-Id: Iefe54494d6f3ee326a6b1b2a81a7d5d1a7ba3331
GitHub-Last-Rev: 48fc0367c2
GitHub-Pull-Request: golang/oauth2#419
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/232238
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Shin Fan <shinfan@google.com>
Trust: Cody Oss <codyoss@google.com>
2021-03-23 18:09:02 +00:00
Shaba Abhiram cd4f82c27b endpoints: add Zoom endpoint
See #424

Change-Id: I1fa6230082261f60a8e41387ad2bf481df0a1fce
GitHub-Last-Rev: 6fba3dd9d1
GitHub-Pull-Request: golang/oauth2#453
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/271826
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
2021-03-13 18:22:46 +00:00
Ryan Kohler 5366d9dc19 google: Make sure time is always in UTC
If times are stored in different time zones, then we occasionally get heisenbugs about expired tokens

Change-Id: I0c117977688d8d6c7b12b211092e5040a41a1f46
GitHub-Last-Rev: 3ff51b34f5
GitHub-Pull-Request: golang/oauth2#482
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/300929
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-03-11 16:31:35 +00:00
Russ Cox 9bb904979d all: go fmt ./...
Make all our package sources use Go 1.17 gofmt format
(adding //go:build lines).

Not strictly necessary but will avoid spurious changes
as files are edited.

Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild

Change-Id: I22803ea9e936fbb08984a64155302f47e181de27
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/294420
Trust: Russ Cox <rsc@golang.org>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
2021-02-20 00:06:19 +00:00
Ryan Kohler ba52d332ba google: unexport private structs and funcs
These structs and funcs cannot be used by the end consumer. Unexporting them helps cleans up our documentation

Change-Id: I2eadb69e87de912ac39f53e83cd9bdfe76a15e3e
GitHub-Last-Rev: 60b58eef75
GitHub-Pull-Request: golang/oauth2#479
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/293752
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-02-18 20:24:05 +00:00
Bassam Ojeil f145937023 google: update documentation for workload identity federation
Document using workload identity federation from non-Google Cloud platforms to access Google Cloud resources.
This covers federation from AWS, Azure and OIDC providers via Application Default Credentials.

Change-Id: I77ee7f6aac5a75d095304f07f3004ec3fb7b9613
GitHub-Last-Rev: 07c9dd0271
GitHub-Pull-Request: golang/oauth2#478
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/293751
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-02-18 20:13:42 +00:00
Patrick Jones 16ff1888fd google: manual testing fixes
I found some errors while manually testing service account impersonation on Azure.  This PR includes the fixes that I made.

Change-Id: Ia2b194be6c9a7c843e615f9789c8f8203bcbc151
GitHub-Last-Rev: 5690716363
GitHub-Pull-Request: golang/oauth2#475
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/291209
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-02-16 19:45:17 +00:00
Ryan Kohler 66670185b0 google: Changes required to get AWS working in manual testing
• Subject Token needs to be query escaped
• Null options need to be omitted (like they are in other languages)

Change-Id: I67d1ed3ba96a35283a8928f196bc7e912084d1ab
GitHub-Last-Rev: 1aae076a90
GitHub-Pull-Request: golang/oauth2#474
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/290513
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-02-10 19:26:28 +00:00
Ryan Kohler 010130855d google: support AWS 3rd party credentials
Change-Id: I655b38f7fb8023866bb284c7ce80ab9888682e73
GitHub-Last-Rev: 648f0b3d45
GitHub-Pull-Request: golang/oauth2#471
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/287752
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
2021-02-01 16:38:06 +00:00
Patrick Jones f9ce19ea30 google: support service account impersonation
Adds support for service account impersonation when a URL for service account impersonation is provided.

Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8
GitHub-Last-Rev: 9c218789db
GitHub-Pull-Request: golang/oauth2#468
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
2021-01-26 19:43:26 +00:00
Ryan Kohler af13f521f1 google: Create AWS V4 Signing Utility
Change-Id: I59b4a13ed0433de7dfaa064a0f7dc1f3dd724518
GitHub-Last-Rev: 8cdc6a9ad0
GitHub-Pull-Request: golang/oauth2#467
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/284632
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
2021-01-25 20:13:02 +00:00
Patrick Jones d3ed898aa8 google: support url-sourced 3rd party credentials
Implements functionality to allow for URL-sourced 3rd party credentials, expanding the functionality added in #462 .

Change-Id: Ib7615fb618486612960d60bee6b9a1ecf5de1404
GitHub-Last-Rev: 95713928e4
GitHub-Pull-Request: golang/oauth2#466
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/283372
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
2021-01-13 20:58:17 +00:00
Cody Oss 8b1d76fa04 google: restore 1.11 compatibility
NewRequestWithContext requires 1.13. As this is just a convenience
we should try to retatin the 1.11 compatibility by using NewRequest
then calling WithContext instead.

Change-Id: I6208a92061b208a119fdf04fd561a3e4d22bc547
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/283535
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-01-13 16:05:01 +00:00
Patrick Jones 01de73cf58 google: base account credentials with file-sourcing
Implements the core functionality to allow 3rd party identities access to Google APIs.  Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads.  Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials.

Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7
GitHub-Last-Rev: 3ab51622f8
GitHub-Pull-Request: golang/oauth2#462
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-01-12 20:04:29 +00:00
Julie Qiu 08078c50e5 README.md: change godoc.org links to pkg.go.dev
Links to godoc.org are changed to pkg.go.dev.

The README badge alt text is changed to "Go Reference" to match the
updated alt text generated by pkg.go.dev/badge.

Change-Id: I935cbe03477131a4361a8ac7b5ba9fd3e378cbdd
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276016
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Trust: Julie Qiu <julie@golang.org>
2020-12-08 15:28:58 +00:00
Julie Qiu 931764155e README.md: add badge to pkg.go.dev
Change-Id: I90a3334507f4501ee082afeb878b82f71b3392ae
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/275303
Trust: Julie Qiu <julie@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2020-12-07 16:36:04 +00:00
Patrick Jones 0b49973bad google: add ExchangeToken() to run STS exchanges.
Adds the ExchangeToken() function and support structs, but depends on  https://github.com/golang/oauth2/pull/439

Change-Id: Id738a27b0c2ac083409156af1f60283b9140b159
GitHub-Last-Rev: 1aa066dc21
GitHub-Pull-Request: golang/oauth2#444
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/261918
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
2020-12-03 00:10:11 +00:00
Patrick Jones 9fd604954f google: add utilities supporting upcoming oauth2 functionality
These are used to support some extended utilities to help with STS requests.

Change-Id: Iafc145b06ca42374cfc2ac6572762a50bcf560f2
GitHub-Last-Rev: 3085fe5703
GitHub-Pull-Request: golang/oauth2#439
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/259777
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
2020-11-09 20:14:03 +00:00
Emmanuel T Odeke 5d25da1a8d go.mod: update stale dependencies
Invokes go get -u -v ./... to try to get rid of
stale dependencies cloud.google.com/go@v0.34.0 (released in December 2018)
and that dependency unfortunately imported a stale
version of go.opencensus.io that then transitively
imports another that has a vulnerability.

Change-Id: I0a520e8f979ff3ddcd6197b234cdc0f4154bb735
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/245517
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
2020-09-02 21:34:28 +00:00
Brad Fitzpatrick bf48bf16ab README, endpoints: fix a typo, update README to point people at endpoints
Change-Id: Ic49fabc47eebb932a1a56f1dd3e65dc3af539d59
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/213637
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2020-01-07 19:09:31 +00:00
Mark Wolfe eca82077e2 endpoints: add new package for oauth2.Endpoint values
As per discussion in #401 and gerrit I have built out the proposed endpoint package.

I migrated all the existing endpoints, not sure if you wanted this but it does illustrate the pattern.

Change-Id: I53f56a06207633b2380b7cd7332cd56f9ef6578f
GitHub-Last-Rev: fde9e7bb75
GitHub-Pull-Request: golang/oauth2#402
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/212223
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2020-01-07 16:08:58 +00:00
Tim Cooper 858c2ad4c8 oauth2: turn Transport.CancelRequest into a no-op
Request cancellation should be done via http.Request.Context.

Fixes #271

Change-Id: Ia6251898e55bd15b27968504fc6efe14f05b1def
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/121438
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-12-02 22:59:59 +00:00
Shaun Dunning 5d9234df09 jira: update jira JWT subject per Atlassian's recent GDPR changes
Recently, Atlassian decided to remove `userKey` from JWT construction b/c they determined that it could contain personally identifiable information. They've since switched to the user account ID. This change updates the jira JWT to reflect these recent change.

Fixes golang/oauth2#312

Change-Id: I4bd66cf925fdf38e02dd665befb5ab5f19f14ee7
GitHub-Last-Rev: 344bb6046c
GitHub-Pull-Request: golang/oauth2#389
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/185081
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-11-22 20:06:57 +00:00
Chris Broadfoot 0f29369cfe google: add some metadata to GCE tokens to identify the token's source
This is required for the direct path feature, which only works with this
token source. It's not currently possible to determine the token source
type from the return value of FindDefaultCredentials.

Another option is to add another field to the Credentials struct, which
we could still do later, but direct path is currently pretty experimental
and whitelisted/opt-in, so I don't want to add to the public API surface
unnecessarily.

This CL functionally blocks
https://code-review.googlesource.com/c/google-api-go-client/+/40950

Change-Id: Ifb5fe9c6e5c6b33eebb87b45d3c70eebfca691b3
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/175877
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2019-06-04 05:34:49 +00:00
Bobby DeSimone aaccbc9213 google: update ApprovalForce to use openid connect friendly prompt=consent
It looks like in 2016 or so` approval_prompt=force` was replaced with the open id connect friendly `prompt=consent`.

See:
- https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- https://developers.google.com/identity/sign-in/web/reference#gapiauth2offlineaccessoptions
- https://github.com/googleapis/oauth2client/issues/453
- https://github.com/pomerium/pomerium/pull/82

Change-Id: Iad2d533f451a70b2941aafd11c9b7272026a2f16
GitHub-Last-Rev: d6d10ceec8
GitHub-Pull-Request: golang/oauth2#379
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/171123
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-05-23 18:27:46 +00:00
Wenlei (Frank) He 950ef44c6e jwt: support PrivateClaims in Config
This would help add extra claim for certain 2-leg JWT exchange.

For example, Google service account key can be used to generate an OIDC token, but Google TokenURL requires "target_audience" claims set.

See this example usage:
https://gist.github.com/wlhee/64bc518190053e2122ca1909c2977c67#file-exmaple-go-L29

Change-Id: Ic10b006e45a34210634c5a76261a7e3706066965
GitHub-Last-Rev: 7a6e247e68
GitHub-Pull-Request: golang/oauth2#374
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/166220
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-05-17 18:12:55 +00:00
Steven Buss 9f3314589c google: Support scopes for ComputeTokenSource
Scopes have been added as a query parameter to the metadata server.

Change-Id: Ife68db01beeca386e558edd424fa11da508b7287
GitHub-Last-Rev: 1cb4a6ec12
GitHub-Pull-Request: golang/oauth2#376
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/170106
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-04-02 18:19:05 +00:00
Ggicci c85d3e98c9 internal: remove fallback parsing for expires_in
Facebook has correctted its OAuth2 implementation. The code as
a fallback can be removed now.

Updates golang/oauth2#51, golang/oauth2#239

Change-Id: Ib5f84bc35c0c4ecbdd25d4169f950410d4ae79a2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/168017
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: JBD <jbd@google.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-03-19 18:23:50 +00:00
Brad Fitzpatrick e64efc72b4 internal: cap expires_in to MaxInt32
Fixes golang/oauth2#279

Change-Id: I29914e7995ec334a7474390a0ba96fe61deba6bb
Reviewed-on: https://go-review.googlesource.com/c/161962
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ross Light <light@google.com>
2019-02-26 20:54:17 +00:00
Jean de Klerk 529b322ea3 google: Use new endpoints for Google authentication
Fixes #310

Change-Id: I3b3a57b2758074535d07471b344334945be5bcbd
Reviewed-on: https://go-review.googlesource.com/c/136356
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2019-02-26 19:11:47 +00:00
Madhu Rajanna 9b3c75971f fix misspelled word in comment
Change-Id: Ic56ac2be3df36fac555cb4d42ca5fd8b973ec1dd
GitHub-Last-Rev: 03c9ae0ae4
GitHub-Pull-Request: golang/oauth2#371
Reviewed-on: https://go-review.googlesource.com/c/163117
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-02-20 15:47:21 +00:00
Niels Widger 4b83411ed2 jwt: add Config.Audience field
Add an Audience field to jwt.Config which, if set, is used instead of TokenURL as the 'aud' claim in the generated JWT.  This allows the jwt package to work with authorization servers that require the 'aud' claim and token endpoint URL to be different values.

Fixes #369.

Change-Id: I883aabece7f9b16ec726d5bfa98c1ec91876b651
GitHub-Last-Rev: fd73e4d50c
GitHub-Pull-Request: golang/oauth2#370
Reviewed-on: https://go-review.googlesource.com/c/162937
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-02-19 18:30:15 +00:00
Brad Fitzpatrick 3e8b2be136 internal: tolerate malformed expires_in values more
Fixes golang/oauth2#239

Change-Id: Id3fdfbfb64bc1a12ab0e952e83ae444b50de1bb5
Reviewed-on: https://go-review.googlesource.com/c/161964
Reviewed-by: Ross Light <light@google.com>
Run-TryBot: Ross Light <light@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-02-12 23:04:46 +00:00
Brad Fitzpatrick 5f6b76b7c9 google: remove legacy App Engine context stuff
Fixes golang/oauth2#276

Change-Id: I3f2bed7201f2e6bb58913f3fae2e64287b9a66d5
Reviewed-on: https://go-review.googlesource.com/c/161959
Reviewed-by: Ross Light <light@google.com>
Reviewed-by: Jean de Klerk <deklerk@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-02-11 22:52:00 +00:00
Brad Fitzpatrick 80673b4a4b oauth2: auto-detect auth style by default, add Endpoint.AuthStyle
Instead of maintaining a global map of which OAuth2 servers do which
auth style and/or requiring the user to tell us, just try both ways
and remember which way worked. But if users want to tell us in the
Endpoint, this CL also add Endpoint.AuthStyle.

Fixes golang/oauth2#111
Fixes golang/oauth2#365
Fixes golang/oauth2#362
Fixes golang/oauth2#357
Fixes golang/oauth2#353
Fixes golang/oauth2#345
Fixes golang/oauth2#326
Fixes golang/oauth2#352
Fixes golang/oauth2#268
Fixes https://go-review.googlesource.com/c/oauth2/+/58510
(... and surely many more ...)

Change-Id: I7b4d98ba1900ee2d3e11e629316b0bf867f7d237
Reviewed-on: https://go-review.googlesource.com/c/157820
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ross Light <light@google.com>
2019-02-11 18:49:51 +00:00