Commit Graph

109 Commits

Author SHA1 Message Date
Bobby DeSimone aaccbc9213 google: update ApprovalForce to use openid connect friendly prompt=consent
It looks like in 2016 or so` approval_prompt=force` was replaced with the open id connect friendly `prompt=consent`.

See:
- https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- https://developers.google.com/identity/sign-in/web/reference#gapiauth2offlineaccessoptions
- https://github.com/googleapis/oauth2client/issues/453
- https://github.com/pomerium/pomerium/pull/82

Change-Id: Iad2d533f451a70b2941aafd11c9b7272026a2f16
GitHub-Last-Rev: d6d10ceec8
GitHub-Pull-Request: golang/oauth2#379
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/171123
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-05-23 18:27:46 +00:00
Madhu Rajanna 9b3c75971f fix misspelled word in comment
Change-Id: Ic56ac2be3df36fac555cb4d42ca5fd8b973ec1dd
GitHub-Last-Rev: 03c9ae0ae4
GitHub-Pull-Request: golang/oauth2#371
Reviewed-on: https://go-review.googlesource.com/c/163117
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-02-20 15:47:21 +00:00
Brad Fitzpatrick 80673b4a4b oauth2: auto-detect auth style by default, add Endpoint.AuthStyle
Instead of maintaining a global map of which OAuth2 servers do which
auth style and/or requiring the user to tell us, just try both ways
and remember which way worked. But if users want to tell us in the
Endpoint, this CL also add Endpoint.AuthStyle.

Fixes golang/oauth2#111
Fixes golang/oauth2#365
Fixes golang/oauth2#362
Fixes golang/oauth2#357
Fixes golang/oauth2#353
Fixes golang/oauth2#345
Fixes golang/oauth2#326
Fixes golang/oauth2#352
Fixes golang/oauth2#268
Fixes https://go-review.googlesource.com/c/oauth2/+/58510
(... and surely many more ...)

Change-Id: I7b4d98ba1900ee2d3e11e629316b0bf867f7d237
Reviewed-on: https://go-review.googlesource.com/c/157820
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ross Light <light@google.com>
2019-02-11 18:49:51 +00:00
Peter Dotchev 5dab4167f3 Clarify that client credentials are not passed in the URL
The term "query parameters" suggested that the credentials are passed in the URL which is insecure and is actually not true as the credentials are passed in the request body. See 36a7019397/internal/token.go (L196)

Change-Id: Id0a83f8d317fed30e18310b30860000109dafe88
GitHub-Last-Rev: 3961bc9aff
GitHub-Pull-Request: golang/oauth2#358
Reviewed-on: https://go-review.googlesource.com/c/157877
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-01-15 18:14:02 +00:00
Adam Shannon f42d051822 doc: clarify context key usage to override *http.Client
Fixes golang/oauth2#321

Change-Id: I43724b107efafe189a3a76a81f6089dcc75cb167
Reviewed-on: https://go-review.googlesource.com/c/134436
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-11-06 18:21:50 +00:00
Antoine GIRARD c453e0c757 all: use stdlib context instead of x/net/context
This PR replaces use of `x/net/context` with the standard `context`

It has been nearly 6 months since
https://github.com/golang/oauth2/issues/246#issuecomment-387601277 so
I made this PR so it will be ready to merge when needed (and if
possible).

Fixes #246

Change-Id: Id2c316fcb27de0fb9163ceb4e8669b04cb39a987
GitHub-Last-Rev: 5b36321dcc
GitHub-Pull-Request: golang/oauth2#339
Reviewed-on: https://go-review.googlesource.com/c/145202
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-11-01 16:01:52 +00:00
Guillaume J. Charmes 088f8e1d43 oauth2: Add support for custom params in Exchange
Allows implementation of PKCE https://www.oauth.com/oauth2-servers/pkce/
for secure code exchange.

Fixes golang/oauth2#286

Change-Id: I07b6fefe6834a2406e8ca2fcbf118d38fc4875d1
GitHub-Last-Rev: 31c5ccbed3
GitHub-Pull-Request: golang/oauth2#285
Reviewed-on: https://go-review.googlesource.com/111515
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-06-19 21:35:08 +00:00
Tim Cooper 1e0a3fa8ba oauth2: mention RFC 6749 in package documentation
Change-Id: Iccf5c53fd5ea3c98447b6c6f4b751655847f1b5e
Reviewed-on: https://go-review.googlesource.com/115936
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-06-03 04:19:54 +00:00
Adam Bender b28fcf2b08 oauth2: minor clarification to function comment
Change-Id: I547bad73aae9130aac7dfa66a391661ed630c513
Reviewed-on: https://go-review.googlesource.com/88157
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-18 00:45:44 +00:00
Ross Light 876b1c6ee6 internal: remove RegisterContextClientFunc
This function added a totally unused error path, since the only call
site is for App Engine, which cannot produce an error.

Change-Id: I86277ab4ff96e7bd140c53c5a114a338716668e3
Reviewed-on: https://go-review.googlesource.com/85935
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-03 15:50:54 +00:00
Ross Light 90155042cb internal: inline CondVal function
Change-Id: Ic1115ab639e2d7b499c3400b5310575a36b1b796
Reviewed-on: https://go-review.googlesource.com/85320
Reviewed-by: Tim Cooper <tim.cooper@layeh.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-01-02 15:01:22 +00:00
zachgersh 3d1522b268 oauth2: add examples for basic/custom HTTP client
- provides a bare and custom context example
demonstrating that http client attributes are
not always passed along.
- adds clarifying note to the oauth2.go NewClient
godoc.
- trim down example_test

Change-Id: Iad6697eed83429c36b9ba0efc43293f4910938fb
Reviewed-on: https://go-review.googlesource.com/36553
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: JBD <jbd@google.com>
2017-09-01 17:26:33 +00:00
Pablo Lalloni 4464e78483 oauth2: remove scope & client_id params from access token request
Remove "scope" & "client_id" from "token request" in the "access token 
request" of the "authorization code grant" flow, keeping "client_id"
in case the provider is one of the known to be broken ones.

Please see https://tools.ietf.org/html/rfc6749#section-4.1.3

This change is required for interoperation with OpenAM.

Fixes golang/oauth2#145
Fixes golang/oauth2#110
Fixes golang/oauth2#188

Change-Id: Ie34c74980a6db7b5d34c851fb55a7d629fc7083e
Reviewed-on: https://go-review.googlesource.com/23790
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-02-07 21:18:51 +00:00
Jaana Burcu Dogan c10ba270aa all: deprecate NoContext
There is no good reason why we suggest NoContext rather than
context.Background(). When the oauth2 library first came around, the
community was not familiar with the x/net/context package. For
documentation reasons, we decided to add NoContext to the oauth2
package. It was not a good idea even back then. And given that context
package is fairly popular, there is no good reason why we are
depending on this.

Updating all the references of NoContext with context.Background
and documenting it as deprecated.

Change-Id: I18e390f1351023a29b567777a3f963dd550cf657
Reviewed-on: https://go-review.googlesource.com/27690
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2016-08-24 22:57:17 +00:00
Jon Chen 0aec23fa62 oauth2: add reference to clientcredentials package
This adds a reference to the golang.org/x/oauth2/clientcredentials
package in the docstring for oauth2.Config.

Change-Id: Iee0f36e07fda76c25b9f79e0db3807867a39fab2
Reviewed-on: https://go-review.googlesource.com/25387
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
2016-08-01 21:49:32 +00:00
Sean Rees 08c8d727d2 oauth2: fix warning from go vet
go vet reports the following warning:
oauth2.go:298: golang.org/x/oauth2/internal.ErrorTransport \
composite literal uses unkeyed fields

Change-Id: I576234fcaedb745702fdf8c3431e55128788079d
Reviewed-on: https://go-review.googlesource.com/24991
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-07-18 22:32:28 +00:00
Burcu Dogan 442624c9ec oauth2: allow users to register broken OAuth2 implementations
Fixes golang/oauth2#111.

Change-Id: Iaea8adb038bcff91b4b468b1a3bdaa5c03d7e8e7
Reviewed-on: https://go-review.googlesource.com/16976
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-11-17 21:03:13 +00:00
Andrew Gerrand 038cb4adce all: change copyright to 'Go Authors'
Fixes golang/go#12354

Change-Id: Ie4bbe9445e2a840c9db830c9bd52a783b7a6f9bc
Reviewed-on: https://go-review.googlesource.com/13952
Reviewed-by: Russ Cox <rsc@golang.org>
2015-10-22 04:14:42 +00:00
Will Norris e296c42d12 oauth2: add StaticTokenSource to return static tokens
Fixes #120

Change-Id: I2ef0cbf87c7124b89a68b5db0080f916c630072d
Reviewed-on: https://go-review.googlesource.com/9895
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-05-11 20:37:49 +00:00
Aaron Torres a8c019d04a oauth2: add support for client credential grant type
Creates a new package called clientcredentials and
adds transport and token information to the internal
package. Also modifies the oauth2 package to make
use of the newly added files in the internal package.

The clientcredentials package allows for token requests
using a "client credentials" grant type.

Fixes https://github.com/golang/oauth2/issues/7

Change-Id: Iec649d1029870c27a2d1023baa9d52db42ff45e8
Reviewed-on: https://go-review.googlesource.com/2983
Reviewed-by: Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-18 00:13:27 +00:00
Burcu Dogan ce5ea7da93 oauth2: rename SetParam to SetAuthURLParam
SetParam is quite vague to represent an Option that sets the auth
URL query parameters. Renaming it for explicitness.

Fixes #108.

Change-Id: Ic9f0181097820ee83404c9432451d71658dd8c67
Reviewed-on: https://go-review.googlesource.com/8491
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-06 14:29:48 +00:00
Russell Haering 3046bc76d6 oauth2: allow callers to pass arbitrary auth URL parameters
Many OAuth 2.0 implementations support parameters beyond those supported
by this library. This change exports a SetParam function for
constructing arbitrary key/value parameters.

Change-Id: Ice4179e7c5341bbeac8a53e389b32d59415740fa
Reviewed-on: https://go-review.googlesource.com/8054
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-31 07:24:46 +00:00
Kun 40163b0293 oauth2: Add Strava to list of broken oauth2 endpoints
Fixes #101

Change-Id: I26b460dd0261c9599b2917ff97fa4f0c13218a3e
Reviewed-on: https://go-review.googlesource.com/7850
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-19 23:02:46 +00:00
Andrew Gerrand c4932a9b59 oauth2: clarify docs on Exchange (nil context isn't ok)
Fixes golang/oauth2#100

Change-Id: I28afb4f02b817ffd0ff91fb10bfca5306d2c21c6
Reviewed-on: https://go-review.googlesource.com/7615
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-03-16 02:10:04 +00:00
Kun 42633ef623 oauth2: Add TrainingPeaks to list of broken oauth2 endpoints
Fixes #97

Change-Id: I8c61214aeb5fdd049a4eddbf8e8a25b130c908b0
Reviewed-on: https://go-review.googlesource.com/7450
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-12 02:54:27 +00:00
Alex Bramley 7e88c64e80 oauth2: Add Pushbullet to set of broken providers.
https://api.pushbullet.com/ accepts client_secret as a POST body parameter
but not via HTTP basic auth, so it needs to be on this list. I have asked
them to fix it properly too :-)

Change-Id: Iff3cba20592c66d5a38755f47b05f1e992dfbad6
Reviewed-on: https://go-review.googlesource.com/7381
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-12 01:13:50 +00:00
Nikolay Turpitko 2167774341 oauth2: long if condition in providerAuthHeaderWorks replaced with loop
Long if condition replaced with loop.

Related to issue #41.

Change-Id: Ib5b88ce2ee2841e9b6c24d78f93bb027141bf678
Reviewed-on: https://go-review.googlesource.com/7290
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-03-11 04:57:51 +00:00
Nikolay Turpitko 6d4eed4495 oauth2: fix expires_in for PayPal
PayPal returns "expires_in" token field as string, not integer.
So, current implementation cannot unmarshal json of tokenJSON due type mismatch.
This patch fixes the issue declaring field as interface{} in tokenJSON and performing type switch in "func (e *tokenJSON) expiry()".

Related to issue #41.

Change-Id: I69301e08c8a56fca049ca47906e32528cd22aef9
Reviewed-on: https://go-review.googlesource.com/6924
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-10 04:54:57 +00:00
Nikolay Turpitko 10e6bf9f9d oauth2: provider list modified in providerAuthHeaderWorks
Added vk.com and odnoklassniki.ru to provider list in providerAuthHeaderWorks.

Related to issue #41.

Change-Id: If1374528e8f1200d22f8694c5e32cdeae6ebb6ea
Reviewed-on: https://go-review.googlesource.com/6925
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-08 22:43:19 +00:00
HuKeping 5a0a1b2881 oauth2: remove unnecessary ClientSecret check
Since the empty client secret is permitted by the OAuth 2.0 spec.
The check for clientSecret in retriveTokoen is unnecessary.

Redo #6740

Signed-off-by: Hu Keping <hukeping@huawei.com>

Change-Id: I9126c79a1f8b9d6051c213ee3f93c442a36ca65d
Reviewed-on: https://go-review.googlesource.com/6900
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-05 23:19:29 +00:00
Andrew Gerrand 96e89befdc oauth2: remove oauth2.Context type, simplify App Engine token code
You can now use the "google.golang.org/appengine" packages on both
Managed VMs and App Engine Classic(TM). The newer packages use the
context.Context instead of appengine.Context, so we no longer need the
oauth2.Context type.

Some clients will require code changes, replacing oauth2.Context or
appengine.Context with context.Context (imported from
the repository "golang.org/x/net/context").

Users of classic App Engine must switch to using the new
"google.golang.org/appengine" packages in order to use the oauth2
package.

Fixes #89

Change-Id: Ibaff3117117f9f7c5d1b3048a6e4086f62c18c3b
Reviewed-on: https://go-review.googlesource.com/6075
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-03-05 03:18:37 +00:00
Ryan Lower 85a72d36ea oauth2: Add stripe connect to list of bad OAuth2 providers
Stripe connect only accepts client secret using via the
Authorization header using 'Bearer' as the method (not 'Basic').

Change-Id: I978d9ce2092fbad3c1a00fde21d689c8e57a3cf1
Reviewed-on: https://go-review.googlesource.com/5532
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-02-23 02:33:40 +00:00
James Sweet 35468a7526 Adds twitch.tv to the list of known OAuth2 providers that do not implement the spec fully.
Change-Id: I4db53ae2d039de3ddf9cb84e4211d2e0c4f6c41f
Reviewed-on: https://go-review.googlesource.com/5180
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-02-18 19:43:35 +00:00
Péter Surányi b0e7ac8c3a oauth2: Context godoc typo fix
Change-Id: I9fbc394a6545754621e808f5d6c4f7622248eaa2
Reviewed-on: https://go-review.googlesource.com/4163
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-08 18:20:03 +00:00
Andrew Gerrand 1406aeefb0 oauth2: clarify comment about tokenRefresher's thread safety
Change-Id: I9a3faedb8faf7701be7c82c7fff964b56d7c96c8
Reviewed-on: https://go-review.googlesource.com/4116
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-07 21:36:27 +00:00
Jim Cote cc2494a288 oauth2: fixes tokenRefresher.Token() ignores new refresh_token
Fixes bug documented in Issue #84 (https://github.com/golang/oauth2/issues/84#issuecomment-72711375).

During a refresh request, a new refresh token MAY be returned by the authorization server.  When this occurs, tokenRefesher.Token() fails to capture the new refresh token leaving it with an invalid refresh token for future calls.

Change-Id: I33b18fdbb750549174865f75eddf85b9725cf281
Reviewed-on: https://go-review.googlesource.com/4151
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-02-07 21:11:15 +00:00
Paul Rosania 6f28996586 oauth2: Resource Owner Password Credentials grant
Adds support for the Resource Owner Password Credentials grant type, which
allows trusted clients to exchange user credentials for an access token
directly. This is generally a bad idea, but is extremely useful in some
situations, where an external redirect is undesirable or impossible.

See https://tools.ietf.org/html/rfc6749#section-4.3

Change-Id: I28efd77957bcf8e1174e93ba0c64a990b94eb839
Reviewed-on: https://go-review.googlesource.com/3862
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-02-06 10:06:27 +00:00
Aaron Jacobs 7b840c3264 oauth2: Remove what appears to be an out of date comment.
TokenRefresher with that capitalization is not a symbol, and SetToken
doesn't occur anywhere in the package as far as I can tell.

Change-Id: If61f059ed8bb1ca21e27aa99669e542160747fe7
Reviewed-on: https://go-review.googlesource.com/3958
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-05 23:49:51 +00:00
Aaron Jacobs 53c5ae1b31 oauth2: Fix some redundant wording in the docs for AccessTypeOnline.
Change-Id: I124553bd38b229e409e152cf364d55c847b70ba4
Reviewed-on: https://go-review.googlesource.com/3950
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-05 16:18:09 +00:00
Andrew Gerrand 27daa780a8 oauth2: add googleapis.com to list of broken oauth2 endpoints
Fixes #85

Change-Id: Ic60eee227763ab4041248716880416056c850f95
Reviewed-on: https://go-review.googlesource.com/3873
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-02-04 14:04:51 +00:00
Brad Fitzpatrick ed997606a9 oauth2, oauth2/jwt: break JWT off into its own package
Change-Id: Iaaa36728f87744e0d9609674f0d0ad96e6ac80b4
Reviewed-on: https://go-review.googlesource.com/2198
Reviewed-by: Burcu Dogan <jbd@google.com>
2015-01-02 18:35:08 +00:00
Brad Fitzpatrick dfb470cc49 oauth2: fix typo in Token docs and clarify mutability of Token
Change-Id: I1093cffbd4b6fe25cd5b7cfb31e820b15fcfa41f
Reviewed-on: https://go-review.googlesource.com/2197
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-31 03:26:08 +00:00
Brad Fitzpatrick a379e41d44 oauth2, oauth2/google: add, use ReuseTokenSource
Token caching is now done whenever you make a Client, and
ReuseTokenSource is exported from the oauth2 package and used by the
Google TokenSources (Compute and App Engine).

Token.Expired is now Token.Valid, and works on nil receivers.

Some other wording cleanups in the process.

All tests pass. App Engine should pass, but is untested.

Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311
Reviewed-on: https://go-review.googlesource.com/2195
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-30 22:27:30 +00:00
Brad Fitzpatrick f5b40b26f1 oauth2: use a JSON struct types instead of empty interface maps
Change-Id: Ifd66ea35c15dbd14acca0c945b533ec755de12e4
Reviewed-on: https://go-review.googlesource.com/1872
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-20 06:52:21 +00:00
Brad Fitzpatrick 9abe144dd5 oauth2: move Token into its own file (no code changes)
Change-Id: I5248f48cc1af68a0f78a8ddf7e28b91a729f5460
Reviewed-on: https://go-review.googlesource.com/1870
Reviewed-by: David Symonds <dsymonds@golang.org>
2014-12-19 04:29:46 +00:00
Dave Day 7bbf2199a5 oauth2: add func NewClient as per issue #66
Change-Id: Icfae8530e725f2f31774e395319e6e6db330262a
Reviewed-on: https://go-review.googlesource.com/1701
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2014-12-17 00:04:06 +00:00
Johan Euphrosine a360c4ed80 oauth2: fix typo
Change-Id: Ic39a63c50a042ab836bbc496db9aea7fb52870d2
Reviewed-on: https://go-review.googlesource.com/1652
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-16 18:11:04 +00:00
Burcu Dogan 9b6b7610ad oauth2: rewrite google package, fix the broken build
Change-Id: I2753a88d7be483bdbc0cac09a1beccc4806ea4bc
Reviewed-on: https://go-review.googlesource.com/1361
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2014-12-16 06:20:58 +00:00
Brad Fitzpatrick a568078818 oauth2: redesign the API
Tests and examples aren't updated yet. The tree will be broken after this,
but nobody should be using this yet anyway.

Change-Id: I0004c738f40919ab46d107c71c011c510fbc748f
Reviewed-on: https://go-review.googlesource.com/1246
Reviewed-by: Burcu Dogan <jbd@google.com>
2014-12-16 06:20:49 +00:00
Andrew Gerrand 3ec35f1969 Merge branch 'master' of https://github.com/golang/oauth2 2014-11-28 10:17:23 +11:00