// Copyright 2014 The oauth2 Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package oauth2 import ( "net/http" "net/url" "sync" "time" ) const ( defaultTokenType = "Bearer" ) // Token represents the crendentials used to authorize // the requests to access protected resources on the OAuth 2.0 // provider's backend. type Token struct { // AccessToken is the token that authorizes and authenticates the requests. AccessToken string `json:"access_token"` // TokenType identifies the type of token returned. TokenType string `json:"token_type,omitempty"` // RefreshToken is a token that may be used to obtain a new access token. RefreshToken string `json:"refresh_token,omitempty"` // Expiry is the expiration datetime of the access token. Expiry time.Time `json:"expiry,omitempty"` // raw optionally contains extra metadata from the server // when updating a token. raw interface{} } // Extra returns an extra field returned from the server during token retrieval. // E.g. // idToken := token.Extra("id_token") // func (t *Token) Extra(key string) string { if vals, ok := t.raw.(url.Values); ok { return vals.Get(key) } if raw, ok := t.raw.(map[string]interface{}); ok { if val, ok := raw[key].(string); ok { return val } } return "" } // Expired returns true if there is no access token or the // access token is expired. func (t *Token) Expired() bool { if t.AccessToken == "" { return true } if t.Expiry.IsZero() { return false } return t.Expiry.Before(time.Now()) } // Transport is an http.RoundTripper that makes OAuth 2.0 HTTP requests. type Transport struct { opts *Options base http.RoundTripper mu sync.RWMutex token *Token } // NewTransport creates a new Transport that uses the provided // token fetcher as token retrieving strategy. It authenticates // the requests and delegates origTransport to make the actual requests. func newTransport(base http.RoundTripper, opts *Options, token *Token) *Transport { return &Transport{ base: base, opts: opts, token: token, } } // RoundTrip authorizes and authenticates the request with an // access token. If no token exists or token is expired, // tries to refresh/fetch a new token. func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) { token := t.token if token == nil || token.Expired() { // Check if the token is refreshable. // If token is refreshable, don't return an error, // rather refresh. if err := t.refreshToken(); err != nil { return nil, err } token = t.token if t.opts.TokenStore != nil { t.opts.TokenStore.WriteToken(token) } } // To set the Authorization header, we must make a copy of the Request // so that we don't modify the Request we were given. // This is required by the specification of http.RoundTripper. req = cloneRequest(req) typ := token.TokenType if typ == "" { typ = defaultTokenType } req.Header.Set("Authorization", typ+" "+token.AccessToken) return t.base.RoundTrip(req) } // Token returns the token that authorizes and // authenticates the transport. func (t *Transport) Token() *Token { t.mu.RLock() defer t.mu.RUnlock() return t.token } // refreshToken retrieves a new token, if a refreshing/fetching // method is known and required credentials are presented // (such as a refresh token). func (t *Transport) refreshToken() error { t.mu.Lock() defer t.mu.Unlock() token, err := t.opts.TokenFetcherFunc(t.token) if err != nil { return err } t.token = token return nil } // cloneRequest returns a clone of the provided *http.Request. // The clone is a shallow copy of the struct and its Header map. func cloneRequest(r *http.Request) *http.Request { // shallow copy of the struct r2 := new(http.Request) *r2 = *r // deep copy of the Header r2.Header = make(http.Header) for k, s := range r.Header { r2.Header[k] = s } return r2 }