• Subject Token needs to be query escaped
• Null options need to be omitted (like they are in other languages)
Change-Id: I67d1ed3ba96a35283a8928f196bc7e912084d1ab
GitHub-Last-Rev: 1aae076a907551ef0625e2859c6a31a4193a9fa0
GitHub-Pull-Request: golang/oauth2#474
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/290513
Reviewed-by: Cody Oss <codyoss@google.com>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Adds support for service account impersonation when a URL for service account impersonation is provided.
Change-Id: I9f3bbd6926212cecb13938fc5dac358ba56855b8
GitHub-Last-Rev: 9c218789db45e9b80bb8bec5c69539dd386d9668
GitHub-Pull-Request: golang/oauth2#468
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/285012
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Cody Oss <codyoss@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
NewRequestWithContext requires 1.13. As this is just a convenience
we should try to retatin the 1.11 compatibility by using NewRequest
then calling WithContext instead.
Change-Id: I6208a92061b208a119fdf04fd561a3e4d22bc547
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/283535
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials.
Change-Id: I6e09a450f5221a1e06394b51374cff70ab3ab8a7
GitHub-Last-Rev: 3ab51622f8f7c6982a5e78ae9644675659318e7b
GitHub-Pull-Request: golang/oauth2#462
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276312
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Trust: Tyler Bui-Palsulich <tbp@google.com>
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Tyler Bui-Palsulich <tbp@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Links to godoc.org are changed to pkg.go.dev.
The README badge alt text is changed to "Go Reference" to match the
updated alt text generated by pkg.go.dev/badge.
Change-Id: I935cbe03477131a4361a8ac7b5ba9fd3e378cbdd
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/276016
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Trust: Julie Qiu <julie@golang.org>
These are used to support some extended utilities to help with STS requests.
Change-Id: Iafc145b06ca42374cfc2ac6572762a50bcf560f2
GitHub-Last-Rev: 3085fe570382318e6690304640751bf312e1a0b8
GitHub-Pull-Request: golang/oauth2#439
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/259777
Trust: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Tyler Bui-Palsulich <tbp@google.com>
Invokes go get -u -v ./... to try to get rid of
stale dependencies cloud.google.com/go@v0.34.0 (released in December 2018)
and that dependency unfortunately imported a stale
version of go.opencensus.io that then transitively
imports another that has a vulnerability.
Change-Id: I0a520e8f979ff3ddcd6197b234cdc0f4154bb735
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/245517
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
As per discussion in #401 and gerrit I have built out the proposed endpoint package.
I migrated all the existing endpoints, not sure if you wanted this but it does illustrate the pattern.
Change-Id: I53f56a06207633b2380b7cd7332cd56f9ef6578f
GitHub-Last-Rev: fde9e7bb756eb11384131a25bffa5242ba3b6b1e
GitHub-Pull-Request: golang/oauth2#402
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/212223
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Recently, Atlassian decided to remove `userKey` from JWT construction b/c they determined that it could contain personally identifiable information. They've since switched to the user account ID. This change updates the jira JWT to reflect these recent change.
Fixesgolang/oauth2#312
Change-Id: I4bd66cf925fdf38e02dd665befb5ab5f19f14ee7
GitHub-Last-Rev: 344bb6046cbc665f0aa428e62b70eb77f19b1c31
GitHub-Pull-Request: golang/oauth2#389
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/185081
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This is required for the direct path feature, which only works with this
token source. It's not currently possible to determine the token source
type from the return value of FindDefaultCredentials.
Another option is to add another field to the Credentials struct, which
we could still do later, but direct path is currently pretty experimental
and whitelisted/opt-in, so I don't want to add to the public API surface
unnecessarily.
This CL functionally blocks
https://code-review.googlesource.com/c/google-api-go-client/+/40950
Change-Id: Ifb5fe9c6e5c6b33eebb87b45d3c70eebfca691b3
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/175877
Reviewed-by: Chris Broadfoot <cbro@golang.org>
This would help add extra claim for certain 2-leg JWT exchange.
For example, Google service account key can be used to generate an OIDC token, but Google TokenURL requires "target_audience" claims set.
See this example usage:
https://gist.github.com/wlhee/64bc518190053e2122ca1909c2977c67#file-exmaple-go-L29
Change-Id: Ic10b006e45a34210634c5a76261a7e3706066965
GitHub-Last-Rev: 7a6e247e68f742129ac9a5d5a5f1a8ad428ccb09
GitHub-Pull-Request: golang/oauth2#374
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/166220
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Add an Audience field to jwt.Config which, if set, is used instead of TokenURL as the 'aud' claim in the generated JWT. This allows the jwt package to work with authorization servers that require the 'aud' claim and token endpoint URL to be different values.
Fixes#369.
Change-Id: I883aabece7f9b16ec726d5bfa98c1ec91876b651
GitHub-Last-Rev: fd73e4d50cfe0450fd59ffc6d4c5db7a3f660b60
GitHub-Pull-Request: golang/oauth2#370
Reviewed-on: https://go-review.googlesource.com/c/162937
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Password-based authentication to the [Keycloak](https://www.keycloak.org/) API requires `grant_type` to be `password`. It would be very helpful if `golang.org/x/oauth2` could be used for this, and all's that missing is the ability to override `grant_type`.
Fixes#283
Change-Id: I439dccb3e57042571ad92f115442ae1b7d59d4e0
GitHub-Last-Rev: 0e6f85e31efd7122721d75947178100eac62df0e
GitHub-Pull-Request: golang/oauth2#363
Reviewed-on: https://go-review.googlesource.com/c/158517
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
The term "query parameters" suggested that the credentials are passed in the URL which is insecure and is actually not true as the credentials are passed in the request body. See 36a7019397/internal/token.go (L196)
Change-Id: Id0a83f8d317fed30e18310b30860000109dafe88
GitHub-Last-Rev: 3961bc9affcbdb16a6e0b4db58ce0526da8e728b
GitHub-Pull-Request: golang/oauth2#358
Reviewed-on: https://go-review.googlesource.com/c/157877
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
It was particularly flaky on Windows where time.Now doesn't advance as
fast as elsewhere.
Change-Id: Ic0b7c3e4c69389009d1e28750be0cd203fa770aa
Reviewed-on: https://go-review.googlesource.com/c/157578
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Commands run:
go mod init
go mod tidy
sed -i 's/go 1.12/go 1.11/' go.mod
go test ./...
Fixes#355
Change-Id: I196d77e9c15a2780e2649e735520578c01191a1b
Reviewed-on: https://go-review.googlesource.com/c/157137
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
I missed this in CL 146677.
Change-Id: Ie2735ba15d41e51fd5a99cba97514cd16399abaa
Reviewed-on: https://go-review.googlesource.com/c/147458
Reviewed-by: Ross Light <light@google.com>
Assume Go 1.9+, which is broader than Go's current Go 1.10+ support policy.
Change-Id: I9fe6954d21c2279cf4ea7da4d5bc7a9290a3bae2
Reviewed-on: https://go-review.googlesource.com/c/146677
Reviewed-by: Ross Light <light@google.com>
PR #341 introduce some new import `x/net/context` in parallel of PR #339 replacing them with the standard context.
This quick PR rename those imports.
Change-Id: I94f7edbee851a733b8a307c2ea60923dd990bdb4
GitHub-Last-Rev: fbe7944356b0741b69c075db921add044e5d3745
GitHub-Pull-Request: golang/oauth2#342
Reviewed-on: https://go-review.googlesource.com/c/146837
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Go 1.11 on App Engine standard is a "second generation" runtime, and
second generation runtimes do not set the appengine build tag.
appengine_hook.go was behind the appengine build tag, meaning that
AppEngineTokenSource panicked on the go111 runtime, saying,
"AppEngineTokenSource can only be used on App Engine."
The second gen runtimes should use ComputeTokenSource, which is also
what flex does [1]. This commit does two things to remedy the situation:
1. Put the pre-existing implementation of AppEngineTokenSource behind
the appengine build tag since it only works on first gen App Engine
runtimes. This leaves first gen behavior unchanged.
2. Add a new implementation of AppEngineTokenSource and tag it
!appengine. This implementation will therefore be used by second gen
App Engine standard runtimes and App Engine flexible. It delegates
to ComputeTokenSource.
The new AppEngineTokenSource implementation emits a log message
informing the user that AppEngineTokenSource is deprecated for second
gen runtimes and flex, instructing them to use DefaultTokenSource or
ComputeTokenSource instead. The documentation is updated to say the
same.
In this way users will not break when upgrading from Go 1.9 to Go 1.11
on App Engine but they will be nudged toward the world where App Engine
runtimes have less special behavior.
findDefaultCredentials still calls AppEngineTokenSource for first gen
runtimes and ComputeTokenSource for flex.
Fixes#334
Test: I deployed an app that uses AppEngineTokenSource to Go 1.9 and
Go 1.11 on App Engine standard and to Go 1.11 on App Engine
flexible and it worked in all cases. Also verified that the log
message is present on go111 and flex.
[1] DefaultTokenSource did use ComputeTokenSource for flex but
AppEngineTokenSource did not. AppEngineTokenSource is supported on flex,
in the sense that it doesn't panic when used on flex in the way it does
when used outside App Engine. However, AppEngineTokenSource makes an API
call internally that isn't supported by default on flex, which emits a
log instructing the user to enable the compat runtime. The compat
runtimes are deprecated and deploys are blocked. This is a bad
experience. This commit has the side effect of fixing this.
Change-Id: Iab63547b410535db60dcf204782d5b6b599a4e0c
GitHub-Last-Rev: 5779afb167d6abe13c29bb9632c9ac516a817e49
GitHub-Pull-Request: golang/oauth2#341
Reviewed-on: https://go-review.googlesource.com/c/146177
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
PKSC1 is not a thing, but PKCS1 is, and the parse function above the
error is for PKCS1.
Change-Id: I163bb158070da462caa034a19a89ce654acc7a5d
Reviewed-on: https://go-review.googlesource.com/c/146178
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
