Commit Graph

368 Commits

Author SHA1 Message Date
Tristan Colgate d7d64896b5 internal: remove facebook from brokenAuthHeadersProviders
A friend who now works at Facebook informs me that this is now fixed on their
side. I've asked for some public reference.

Change-Id: I68627e3211f24bc4bea7c698d1126438a0e8ab0d
Reviewed-on: https://go-review.googlesource.com/97055
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-02-27 00:04:27 +00:00
Charles Fenwick Elliott 543e37812f internal: add more brokenAuthHeadersProviders
Add log.finalsurge.com and api.medium.com

Fixes #267

Change-Id: I8a902f418f04ff87539fe2edda350a81974aaa6e
Reviewed-on: https://go-review.googlesource.com/92655
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-02-07 18:19:06 +00:00
Paul Tyng a032972e28 internal: Add .auth0.com to broken domains
Auth0 does not support `client_id` in basic auth
**without** a `client_secret` but they do support
one or both in the body.

Auth0 also uses account specific subdomains, so
needs to be in the domain suffix broken handling.

Change-Id: I06abec5c228c746b8b90758f452016eeb67f3e98
Reviewed-on: https://go-review.googlesource.com/70010
Reviewed-by: K.J. Valencik <kjvalencik@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-26 16:49:32 +00:00
Adam Bender b28fcf2b08 oauth2: minor clarification to function comment
Change-Id: I547bad73aae9130aac7dfa66a391661ed630c513
Reviewed-on: https://go-review.googlesource.com/88157
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-18 00:45:44 +00:00
Charles Fenwick Elliott 30785a2c43 spotify: add Spotify endpoints
Added Spotify endpoints as per documentation: https://developer.spotify.com/web-api/authorization-guide/

Fixes golang/go#23338

Change-Id: Ic1a0d6c8f35923b1c6d497e07f028fe92e97e6b6
Reviewed-on: https://go-review.googlesource.com/86250
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-04 23:00:36 +00:00
Ross Light 876b1c6ee6 internal: remove RegisterContextClientFunc
This function added a totally unused error path, since the only call
site is for App Engine, which cannot produce an error.

Change-Id: I86277ab4ff96e7bd140c53c5a114a338716668e3
Reviewed-on: https://go-review.googlesource.com/85935
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-03 15:50:54 +00:00
Ross Light ee2bad97a9 internal: return error if no access_token present in server response
This behavior and test were introduced in 0ae3d4edc9.
It is not consistent with the other test introduced in the same commit,
where an incorrectly typed access_token does produce an error.  Since a
*Token with a blank AccessToken is invalid, it is allowing an invalid
token to be returned without error.

Cleans up some tests responding with invalid data.

Change-Id: I777eb7a82ef598dc9042542ae65f8dce6768902e
Reviewed-on: https://go-review.googlesource.com/85659
Reviewed-by: Andrew Bonventre <andybons@golang.org>
2018-01-03 00:38:26 +00:00
Ross Light 542ae755da oauth2: don't use tokenRefresher directly in tests
This changes the test to use the exported API instead of implementation
internals.

Change-Id: I07753b053c1a2a8eb027bed647ab921d95afda4e
Reviewed-on: https://go-review.googlesource.com/85658
Reviewed-by: Andrew Bonventre <andybons@golang.org>
2018-01-03 00:37:46 +00:00
Ross Light 90155042cb internal: inline CondVal function
Change-Id: Ic1115ab639e2d7b499c3400b5310575a36b1b796
Reviewed-on: https://go-review.googlesource.com/85320
Reviewed-by: Tim Cooper <tim.cooper@layeh.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-02 15:01:22 +00:00
Ross Light 174986b227 internal: move ParseINI into google
This was the only usage of the function.

Change-Id: I081e20789ea9e37fe96f764641078472153bf577
Reviewed-on: https://go-review.googlesource.com/85197
Reviewed-by: Andrew Bonventre <andybons@golang.org>
2018-01-02 15:01:02 +00:00
Ross Light 40a09c6c04 internal: fix flaky context test
Change-Id: I877fbcfdde33559baabbda2c275164dd98256892
Reviewed-on: https://go-review.googlesource.com/85196
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-02 15:00:49 +00:00
Tim Cooper 197281d4e0 jwt: use RetrieveError for invalid status code errors
CL 84156 added oauth2.RetrieveError to the oauth2 and clientcredentials
packages, but missed using it in jwt.

Change-Id: I06d77cd18667526bfc869ebc1b5cc2bcbabc03a6
Reviewed-on: https://go-review.googlesource.com/85457
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-26 13:35:31 +00:00
Tim Cooper 0448841f0c oauth2: add error type for unsuccessful token endpoint status
Allows the HTTP response and body to be extracted without parsing
the error string, but keeps backwards compatibility for users who
are currently doing so.

Fixes golang/oauth2#173

Change-Id: Id7709da827a155299b047f0bcb74aa8f91b01e96
Reviewed-on: https://go-review.googlesource.com/84156
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-19 02:07:21 +00:00
Vladimir Varankin 462316686f mailru: add Mail.Ru OAuth2 endpoint
Mail.Ru is one of the most popular email service providers in Russia.

The documentation for Mail.Ru's OAuth2 endpoints is at
https://o2.mail.ru/docs/

Change-Id: I605979b85cff2b00c7b65bbd3306d3fa66faa56d
Reviewed-on: https://go-review.googlesource.com/84415
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-15 22:01:12 +00:00
Vladimir Varankin dfbc866441 yahoo: add Yahoo OAuth2 endpoint
Change-Id: I4587eaf06cd94821052095345bb76b24ba500699
Reviewed-on: https://go-review.googlesource.com/84195
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-15 00:49:36 +00:00
Elena Grahovac 09bba2746c microsoft: improve azure active directory endpoint
Rename AzureActiveDirectoryEndpoint to AzureADEndpoint. Add default tenant ("common").
Delete azure package (azure.Endpoint duplicates microsoft.AzureADEndpoint).

Change-Id: I48a7679ffddd984f5744a64edfa4df958c18ed66
Reviewed-on: https://go-review.googlesource.com/83696
Reviewed-by: JBD <jbd@google.com>
2017-12-13 21:28:14 +00:00
Blake Mesdag 00dc70155e oauth2: ignore monotonic time when considering whether Tokens are expired
This change ensures time comparisons in Token expiry checking use the wall
clock instead of the monotonic clock.

This situation can occur on laptops which enter sleep mode and don't
advance their monotonic clock.

Change-Id: If8518e96ca04f2137db4703440ff3b851d221aae
Reviewed-on: https://go-review.googlesource.com/83575
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-12 20:54:36 +00:00
JBD e585185218 azure: add Azure endpoints
Fixes #257.

Change-Id: I0fa087fd921256f03a0cd62a8ab559c5c63f4d0f
Reviewed-on: https://go-review.googlesource.com/79397
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-11 18:11:51 +00:00
Anthony Alves 3ea2187447 twitch: add twitch OAuth2 endpoint
Twitch Auth API documentation: https://dev.twitch.tv/docs/authentication

Change-Id: I1a517609c229c8893d2dbf91f8821db386f822ab
Reviewed-on: https://go-review.googlesource.com/83136
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-11 00:15:14 +00:00
Elena Grahovac 6a2004c890 microsoft: add azure active directory endpoint
Relevant Azure AD API documentation is here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints

Fixes #257

Change-Id: Ia4fb136bbaa9d4445cd098f354070f16ace3b24b
Reviewed-on: https://go-review.googlesource.com/82315
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-12-06 20:57:13 +00:00
Brad Fitzpatrick ea8c6730ed internal: fix test on Go 1.10
Go 1.10 no longer sets implicit Content-Type on empty output.

Updates golang/go#20784

Change-Id: I3f13f76b94b58869481218ea2e1805f5f4175fd7
Reviewed-on: https://go-review.googlesource.com/82017
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-12-05 22:58:16 +00:00
Max Schmitt f95fa95eaa internal: add login.live.com to brokenAuthHeaderProviders
This adds 'https://login.live.com/' as a broken auth header provider.
Without this change the provider which is integrated in
golang.org/x/oauth2/microsoft isn't working correctly and returns
a "The provided value for the 'client_secret' parameter is not valid"
response from the endpoint.

Change-Id: I1887e1ad049ce37f81322de84dcddd0ce486d6e1
Reviewed-on: https://go-review.googlesource.com/78555
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-11-17 23:52:51 +00:00
Vladimir Varankin 9ff8ebcc8e oauth2: fix some typos in code comments
Change-Id: I3bd85f097e30d693965541eac65df057288c2086
Reviewed-on: https://go-review.googlesource.com/73130
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-11-06 15:28:52 +00:00
Tim Cooper bb50c06bab oauth2/internal: remove duplicate package documentation
Fixes golang/go#15855

Change-Id: I71a532a95995fbbfd8a9acd75244537cd05f02f0
Reviewed-on: https://go-review.googlesource.com/66730
Reviewed-by: JBD <jbd@google.com>
2017-09-28 01:05:08 +00:00
Aeneas Rekkas (arekkas) 13449ad91c internal: urlencode client id and secret in header
As per https://tools.ietf.org/html/rfc6749#section-2.3.1 client IDs and secrets must be urlencoded in the authorization header. This patch addresses this by wrapping clientID and clientSecret with url.QueryEscape. A dedicated test for unsafe-url client IDs and secrets has been added as well.

Closes #237

Change-Id: I1f277b52caef4932e14147be8fb1712203da51d0
Reviewed-on: https://go-review.googlesource.com/46473
Reviewed-by: JBD <jbd@google.com>
2017-09-12 21:29:05 +00:00
Jaana Burcu Dogan d89af98d7c oauth2: improve the custom HTTP client example
Fix the broken build and make it consistent with
the first example.

Change-Id: I7c240b826397e6ec04294a2c9de89762d68643de
Reviewed-on: https://go-review.googlesource.com/61050
Run-TryBot: JBD <jbd@google.com>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
2017-09-01 19:30:52 +00:00
zachgersh 3d1522b268 oauth2: add examples for basic/custom HTTP client
- provides a bare and custom context example
demonstrating that http client attributes are
not always passed along.
- adds clarifying note to the oauth2.go NewClient
godoc.
- trim down example_test

Change-Id: Iad6697eed83429c36b9ba0efc43293f4910938fb
Reviewed-on: https://go-review.googlesource.com/36553
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: JBD <jbd@google.com>
2017-09-01 17:26:33 +00:00
Ross Light 9a379c6b3e google: add JSON field to DefaultCredentials
Change-Id: I9cde8eabf4a2cb87db74f7b805045e155fd4ef13
Reviewed-on: https://go-review.googlesource.com/51111
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2017-08-07 18:00:24 +00:00
Jaana Burcu Dogan 96fca6c793 LICENSE: attribute to the Go authors
Fixes #242.

Change-Id: Idbb9853e3ffd51aaad6a022a8a736408273e3549
Reviewed-on: https://go-review.googlesource.com/52610
Reviewed-by: Andrew Bonventre <andybons@golang.org>
2017-08-02 15:54:48 +00:00
Kevin Burke b53b38ad8a README: add links for contributions
Previously we described where to submit patches and report issues but
didn't have links to the right places, so let's fix that.

Change-Id: I49d9bf5f1570ba495454fa32f5fec4faa66f9667
Reviewed-on: https://go-review.googlesource.com/49851
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2017-07-19 20:01:32 +00:00
voutasaurus cce311a261 internal: fix broken auth header provider
Change I9cfd46787ebfb27cf2775dd3357eb26e089322a3 added
login.microsoft.net as a broken auth header provider. This was meant to
be login.windows.net. This change removes login.microsoft.net and adds
login.windows.net.

Change-Id: I6178053ab5c86b4f38996042384e1f4a139560aa
Reviewed-on: https://go-review.googlesource.com/47250
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-06-29 19:07:18 +00:00
Bastian Ike 626d87b993 internal: Use provided context in subsequent request
Currently the HTTP request does not set the given context.
This change sets the context (if not nil) on the request.

Change-Id: I4bb21636d05050a68ba70ce92f9bf9ba608fbfad
Reviewed-on: https://go-review.googlesource.com/45370
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-06-29 18:09:26 +00:00
voutasaurus 5432cc9688 internal: add broken auth header provider
Azure AD applications use login.microsoft.net for token URLs for OAuth
and OpenID Connect. This service expects the OAuth client ID and client
secret in the body of the OAuth exchange request.

Fixes #238

Change-Id: I9cfd46787ebfb27cf2775dd3357eb26e089322a3
Reviewed-on: https://go-review.googlesource.com/47097
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-06-29 03:27:40 +00:00
Ross Light f047394b6d oauth2: add test for preserving refresh token if none is received
This passes right now, but it's not obvious from looking at
tokenRefresher why it works.  It depends on logic in
internal.RetrieveToken.  I'm working on a larger refactor, but I want to
keep the test in place to avoid future regressions from seemingly
harmless code movements.

Change-Id: I742ccb952fbc069ca0887a556e362a0e59bef79b
Reviewed-on: https://go-review.googlesource.com/43573
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-05-17 17:44:39 +00:00
Martin Hoefling ad516a297a oauth2: adds sipgate api to brokenAuthHeaderProviders
According to the documentation, client_id and client_secret must be
provided in the token request:

https://api.sipgate.com/doc/#!/authorization/createOauthAccessToken

Change-Id: I4133a1bfc4d2474013e6b716451c98cb93e30da8
Reviewed-on: https://go-review.googlesource.com/43170
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2017-05-10 21:56:23 +00:00
Dave Day e7a4820799 internal: add Shopify to list of broken auth providers
Shopify uses URLs in the form my-shop-id.myshopify.com as the endpoints
for its OAuth2 dances.

Change-Id: I73d98ca285991b2f73dd9d8d366d3fdbe249e741
Reviewed-on: https://go-review.googlesource.com/42630
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2017-05-07 21:47:37 +00:00
Jaana Burcu Dogan a6bd8cefa1 amazon: add amazon endpoints
Change-Id: Ib34eee690295615576ea6b0a5a17fa4ecde0ce01
Reviewed-on: https://go-review.googlesource.com/40402
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-04-12 23:27:59 +00:00
Eric Chiang 7fdf099824 clientcredentials: update RFC doc link
Fixes golang/oauth2#211

Change-Id: I84a09ea933379420d49883c582aa4f6ede8de544
Reviewed-on: https://go-review.googlesource.com/38387
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-03-21 01:34:21 +00:00
Eric Chiang 7374b3f1ec internal: recognize Salesforce and Okta domains as broken providers
Fixes golang/oauth2#166

Change-Id: Ib3854db4a28a596af3565a84843fc0fa66709193
Reviewed-on: https://go-review.googlesource.com/38376
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2017-03-21 00:32:59 +00:00
Jaana Burcu Dogan 30fcca6531 note that Gerrit is used for reviews on README
Fixes golang/oauth2#217.

Change-Id: I251a74b9b26f6b911333bc5d31d0a96a5734ea60
Reviewed-on: https://go-review.googlesource.com/36914
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-03-15 17:32:23 +00:00
Jaana Burcu Dogan 1611bb46e6 internal: don't set client_id and client_secret form values if empty
Fixes golang/oauth2#220.

Change-Id: Ic43b10971e102a8571c7bc895c3ad02b80b685ee
Reviewed-on: https://go-review.googlesource.com/38135
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-03-13 20:11:47 +00:00
Richard Musiol 01b79d9447 clientcredentials: add option for additional endpoint parameters
This is to support https://auth0.com/docs/api-auth/config/asking-for-access-tokens.

Fixes https://github.com/golang/oauth2/issues/216

Change-Id: I9b8fdb4fe22c688fd71e43bd21d80b796434b8b0
Reviewed-on: https://go-review.googlesource.com/36880
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-03-13 17:59:03 +00:00
Jaana Burcu Dogan efb10a3061 oauth2: add example how to use a custom HTTP client
Change-Id: Iffff423c167610c80e8dd1c51945c32b781e8653
Reviewed-on: https://go-review.googlesource.com/37695
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-03-02 20:23:04 +00:00
Jaana Burcu Dogan 8cf58155e4 google: remove code duplication, note appenginevm case
Before AppEngine classic allowed "google.golang.org/appengine" imports,
we used to maintain two hook files to choose either from "appengine" or
"google.golang.org/appengine" namespaces. Now, both environments allow
importing from "google.golang.org/appengine". Therefore, there
is no need to set hooks in two separate files.

Also note that Flex prefers to use metadata server, so we still
need to be able to differentiate between these environments.

Change-Id: I7478ebdfa1b062d466aaf2aca938f93d42b4c58a
Reviewed-on: https://go-review.googlesource.com/37378
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-03-02 20:00:26 +00:00
Sergey Mishin 810daf0509 oauth2: add Yandex endpoint
Checked with a simple application, worked well for me.

Change-Id: I068b33c1b44a338a7b0a9b17220bc39db81f2eed
Reviewed-on: https://go-review.googlesource.com/37443
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-02-27 16:23:13 +00:00
Ahmet Alp Balkan b9780ec788 internal: simplify map value literal
gofmt -s -w -l does this simplification. Running gofmt when this
package is vendored causes the vendored file to be simplified.

Change-Id: I00502ff564bd5cff2614a8372db7beb1eb4519ec
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Reviewed-on: https://go-review.googlesource.com/37013
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-02-14 23:18:24 +00:00
Jaana Burcu Dogan e1e827deaa clientcredentials: fix comment for Client struct to match godoc style
Godoc comments should start with the name of the thing they are describing.

Change-Id: Ic248aa8f549b22c716bf967c7574452085ea8c48
Reviewed-on: https://go-review.googlesource.com/36945
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-02-14 18:55:41 +00:00
Jaana Burcu Dogan de0725b330 internal: add Facebook Graph API to the brokens list
CL/23790 breaks the calls to Facebook, adding Facebook
to the brokens list is reported to fix the problem.

Fixes golang/oauth2#214.

Change-Id: I3b3440de723b4933bc49b5a52698c825affbf643
Reviewed-on: https://go-review.googlesource.com/36633
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-02-09 00:21:43 +00:00
Pablo Lalloni 4464e78483 oauth2: remove scope & client_id params from access token request
Remove "scope" & "client_id" from "token request" in the "access token 
request" of the "authorization code grant" flow, keeping "client_id"
in case the provider is one of the known to be broken ones.

Please see https://tools.ietf.org/html/rfc6749#section-4.1.3

This change is required for interoperation with OpenAM.

Fixes golang/oauth2#145
Fixes golang/oauth2#110
Fixes golang/oauth2#188

Change-Id: Ie34c74980a6db7b5d34c851fb55a7d629fc7083e
Reviewed-on: https://go-review.googlesource.com/23790
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-02-07 21:18:51 +00:00
Tristan Colgate 314dd2c0bf golang.org/x/oauth2/jwt: Set kid to KeyID of private key
Set the KeyID hint in the token header. This allows remote servers to
identify the key used to sign the message.

Fixes #18307

Change-Id: Ib95398079833aad6b390650b465d7b09b5f53fda
Reviewed-on: https://go-review.googlesource.com/34320
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2016-12-19 19:29:54 +00:00