A friend who now works at Facebook informs me that this is now fixed on their
side. I've asked for some public reference.
Change-Id: I68627e3211f24bc4bea7c698d1126438a0e8ab0d
Reviewed-on: https://go-review.googlesource.com/97055
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Auth0 does not support `client_id` in basic auth
**without** a `client_secret` but they do support
one or both in the body.
Auth0 also uses account specific subdomains, so
needs to be in the domain suffix broken handling.
Change-Id: I06abec5c228c746b8b90758f452016eeb67f3e98
Reviewed-on: https://go-review.googlesource.com/70010
Reviewed-by: K.J. Valencik <kjvalencik@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This function added a totally unused error path, since the only call
site is for App Engine, which cannot produce an error.
Change-Id: I86277ab4ff96e7bd140c53c5a114a338716668e3
Reviewed-on: https://go-review.googlesource.com/85935
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This behavior and test was introduced in 0ae3d4edc9.
It is not consistent with the other test introduced in the same commit,
where an incorrectly typed access_token does produce an error. Since a
*Token with a blank AccessToken is invalid, it is allowing an invalid
token to be returned without error.
Cleans up some tests responding with invalid data.
Change-Id: I777eb7a82ef598dc9042542ae65f8dce6768902e
Reviewed-on: https://go-review.googlesource.com/85659
Reviewed-by: Andrew Bonventre <andybons@golang.org>
This changes the test to use the exported API instead of implementation
internals.
Change-Id: I07753b053c1a2a8eb027bed647ab921d95afda4e
Reviewed-on: https://go-review.googlesource.com/85658
Reviewed-by: Andrew Bonventre <andybons@golang.org>
This was the only usage of the function.
Change-Id: I081e20789ea9e37fe96f764641078472153bf577
Reviewed-on: https://go-review.googlesource.com/85197
Reviewed-by: Andrew Bonventre <andybons@golang.org>
CL 84156 added oauth2.RetrieveError to the oauth2 and clientcredentials
packages, but missed using it in jwt.
Change-Id: I06d77cd18667526bfc869ebc1b5cc2bcbabc03a6
Reviewed-on: https://go-review.googlesource.com/85457
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Allows the HTTP response and body to be extracted without parsing
the error string, but keeps backwards compatibility for users who
are currently doing so.
Fixesgolang/oauth2#173
Change-Id: Id7709da827a155299b047f0bcb74aa8f91b01e96
Reviewed-on: https://go-review.googlesource.com/84156
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Mail.Ru is one of the most popular email service provider in Russia.
The documentation for Mail.Ru's OAuth2 endpoints is at
https://o2.mail.ru/docs/
Change-Id: I605979b85cff2b00c7b65bbd3306d3fa66faa56d
Reviewed-on: https://go-review.googlesource.com/84415
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This change ensures time comparisons Token expiry checking uses the wall
clock instead of the monotonic clock.
This situation can occur on laptops which enter sleep mode and don't
advance their monotonic clock.
Change-Id: If8518e96ca04f2137db4703440ff3b851d221aae
Reviewed-on: https://go-review.googlesource.com/83575
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Go 1.10 no longer sets implicit Content-Type on empty output.
Updates golang/go#20784
Change-Id: I3f13f76b94b58869481218ea2e1805f5f4175fd7
Reviewed-on: https://go-review.googlesource.com/82017
Reviewed-by: Ian Lance Taylor <iant@golang.org>
This adds 'https://login.live.com/' as a broken auth header provider.
Without this change the provider which is integrated in
golang.org/x/oauth2/microsoft isn't working correctly and returns
a "The provided value for the 'client_secret' parameter is not valid"
response from the endpoint.
Change-Id: I1887e1ad049ce37f81322de84dcddd0ce486d6e1
Reviewed-on: https://go-review.googlesource.com/78555
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
As per https://tools.ietf.org/html/rfc6749#section-2.3.1 client IDs and secrets must be urlencoded in the authorization header. This patch addresses this by wrapping clientID and clientSecret with url.QueryEscape. A dedicated test for unsafe-url client IDs and secrets has been added as well.
Closes#237
Change-Id: I1f277b52caef4932e14147be8fb1712203da51d0
Reviewed-on: https://go-review.googlesource.com/46473
Reviewed-by: JBD <jbd@google.com>
Fix the broken build and make it consistent with
the first example.
Change-Id: I7c240b826397e6ec04294a2c9de89762d68643de
Reviewed-on: https://go-review.googlesource.com/61050
Run-TryBot: JBD <jbd@google.com>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
- provides a bare and custom context example
demonstrating that http client attributes are
not always passed along.
- adds clarifying note to the oauth2.go NewClient
godoc.
- trim down example_test
Change-Id: Iad6697eed83429c36b9ba0efc43293f4910938fb
Reviewed-on: https://go-review.googlesource.com/36553
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: JBD <jbd@google.com>
Previously we described where to submit patches and report issues but
didn't have links to the right places, so let's fix that.
Change-Id: I49d9bf5f1570ba495454fa32f5fec4faa66f9667
Reviewed-on: https://go-review.googlesource.com/49851
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Change I9cfd46787ebfb27cf2775dd3357eb26e089322a3 added
login.microsoft.net as a broken auth header provider. This was meant to
be login.windows.net. This change removes login.microsoft.net and adds
login.windows.net.
Change-Id: I6178053ab5c86b4f38996042384e1f4a139560aa
Reviewed-on: https://go-review.googlesource.com/47250
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Currently the HTTP request does not set the given context.
This change sets the context (if not nil) on the request.
Change-Id: I4bb21636d05050a68ba70ce92f9bf9ba608fbfad
Reviewed-on: https://go-review.googlesource.com/45370
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Azure AD applications use login.microsoft.net for token URLs for OAuth
and OpenID Connect. This service expects the OAuth client ID and client
secret in the body of the OAuth exchange request.
Fixes#238
Change-Id: I9cfd46787ebfb27cf2775dd3357eb26e089322a3
Reviewed-on: https://go-review.googlesource.com/47097
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This passes right now, but it's not obvious from looking at
tokenRefresher why it works. It depends on logic in
internal.RetrieveToken. I'm working on a larger refactor, but I want to
keep the test in place to avoid future regressions from seemingly
harmless code movements.
Change-Id: I742ccb952fbc069ca0887a556e362a0e59bef79b
Reviewed-on: https://go-review.googlesource.com/43573
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Shopify uses URLs in the form my-shop-id.myshopify.com as the endpoints
for its OAuth2 dances.
Change-Id: I73d98ca285991b2f73dd9d8d366d3fdbe249e741
Reviewed-on: https://go-review.googlesource.com/42630
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
Before AppEngine classic allowed "google.golang.org/appengine" imports,
we used to maintain two hook files to choose either from "appengine" or
"google.golang.org/appengine" namespaces. Now, both environments allow
importing from "google.golang.org/appengine". Therefore, there
is no need to set hooks in two separate files.
Also note that Flex prefers to use metadata server, so we still
need to be able to differentiate between these environments.
Change-Id: I7478ebdfa1b062d466aaf2aca938f93d42b4c58a
Reviewed-on: https://go-review.googlesource.com/37378
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Checked with simple application, worked good for me.
Change-Id: I068b33c1b44a338a7b0a9b17220bc39db81f2eed
Reviewed-on: https://go-review.googlesource.com/37443
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
gofmt -s -w -l does this simplification. Running gofmt when this
package is vendored causes the vendored file to be simplified.
Change-Id: I00502ff564bd5cff2614a8372db7beb1eb4519ec
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Reviewed-on: https://go-review.googlesource.com/37013
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Godoc comments should start with the name of the thing they are describing.
Change-Id: Ic248aa8f549b22c716bf967c7574452085ea8c48
Reviewed-on: https://go-review.googlesource.com/36945
Reviewed-by: Chris Broadfoot <cbro@golang.org>
CL/23790 breaks the calls to Facebook, adding Facebook
to the brokens list is reported to fix the problem.
Fixesgolang/oauth2#214.
Change-Id: I3b3440de723b4933bc49b5a52698c825affbf643
Reviewed-on: https://go-review.googlesource.com/36633
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Set the KeyID hint in the token header. This allows remote servers to
identify the key used to sign the message.
Fixes#18307
Change-Id: Ib95398079833aad6b390650b465d7b09b5f53fda
Reviewed-on: https://go-review.googlesource.com/34320
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>