mirror of
https://github.com/golang/oauth2.git
synced 2025-07-21 00:00:09 +08:00
a379e41d44
Token caching is now done whenever you make a Client, and ReuseTokenSource is exported from the oauth2 package and used by the Google TokenSources (Compute and App Engine). Token.Expired is now Token.Valid, and works on nil receivers. Some other wording cleanups in the process. All tests pass. App Engine should pass, but is untested. Change-Id: Ibe1d2599ac3ccfe9b399b1672f74bb24cfc8d311 Reviewed-on: https://go-review.googlesource.com/2195 Reviewed-by: Burcu Dogan <jbd@google.com>
144 lines
4.1 KiB
Go
144 lines
4.1 KiB
Go
// Copyright 2014 The oauth2 Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package oauth2
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2/internal"
|
|
"golang.org/x/oauth2/jws"
|
|
)
|
|
|
|
var (
|
|
defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
|
|
defaultHeader = &jws.Header{Algorithm: "RS256", Typ: "JWT"}
|
|
)
|
|
|
|
// JWTConfig is the configuration for using JWT to fetch tokens,
|
|
// commonly known as "two-legged OAuth".
|
|
type JWTConfig struct {
|
|
// Email is the OAuth client identifier used when communicating with
|
|
// the configured OAuth provider.
|
|
Email string
|
|
|
|
// PrivateKey contains the contents of an RSA private key or the
|
|
// contents of a PEM file that contains a private key. The provided
|
|
// private key is used to sign JWT payloads.
|
|
// PEM containers with a passphrase are not supported.
|
|
// Use the following command to convert a PKCS 12 file into a PEM.
|
|
//
|
|
// $ openssl pkcs12 -in key.p12 -out key.pem -nodes
|
|
//
|
|
PrivateKey []byte
|
|
|
|
// Subject is the optional user to impersonate.
|
|
Subject string
|
|
|
|
// Scopes optionally specifies a list of requested permission scopes.
|
|
Scopes []string
|
|
|
|
// TokenURL is the endpoint required to complete the 2-legged JWT flow.
|
|
TokenURL string
|
|
}
|
|
|
|
// TokenSource returns a JWT TokenSource using the configuration
|
|
// in c and the HTTP client from the provided context.
|
|
func (c *JWTConfig) TokenSource(ctx Context) TokenSource {
|
|
return ReuseTokenSource(nil, jwtSource{ctx, c})
|
|
}
|
|
|
|
// Client returns an HTTP client wrapping the context's
|
|
// HTTP transport and adding Authorization headers with tokens
|
|
// obtained from c.
|
|
//
|
|
// The returned client and its Transport should not be modified.
|
|
func (c *JWTConfig) Client(ctx Context) *http.Client {
|
|
return NewClient(ctx, c.TokenSource(ctx))
|
|
}
|
|
|
|
// jwtSource is a source that always does a signed JWT request for a token.
|
|
// It should typically be wrapped with a reuseTokenSource.
|
|
type jwtSource struct {
|
|
ctx Context
|
|
conf *JWTConfig
|
|
}
|
|
|
|
func (js jwtSource) Token() (*Token, error) {
|
|
pk, err := internal.ParseKey(js.conf.PrivateKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
hc, err := contextClient(js.ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
claimSet := &jws.ClaimSet{
|
|
Iss: js.conf.Email,
|
|
Scope: strings.Join(js.conf.Scopes, " "),
|
|
Aud: js.conf.TokenURL,
|
|
}
|
|
if subject := js.conf.Subject; subject != "" {
|
|
claimSet.Sub = subject
|
|
// prn is the old name of sub. Keep setting it
|
|
// to be compatible with legacy OAuth 2.0 providers.
|
|
claimSet.Prn = subject
|
|
}
|
|
payload, err := jws.Encode(defaultHeader, claimSet, pk)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
v := url.Values{}
|
|
v.Set("grant_type", defaultGrantType)
|
|
v.Set("assertion", payload)
|
|
resp, err := hc.PostForm(js.conf.TokenURL, v)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
|
|
}
|
|
if c := resp.StatusCode; c < 200 || c > 299 {
|
|
return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
|
|
}
|
|
// tokenRes is the JSON response body.
|
|
var tokenRes struct {
|
|
AccessToken string `json:"access_token"`
|
|
TokenType string `json:"token_type"`
|
|
IDToken string `json:"id_token"`
|
|
ExpiresIn int64 `json:"expires_in"` // relative seconds from now
|
|
}
|
|
if err := json.Unmarshal(body, &tokenRes); err != nil {
|
|
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
|
|
}
|
|
token := &Token{
|
|
AccessToken: tokenRes.AccessToken,
|
|
TokenType: tokenRes.TokenType,
|
|
raw: make(map[string]interface{}),
|
|
}
|
|
json.Unmarshal(body, &token.raw) // no error checks for optional fields
|
|
|
|
if secs := tokenRes.ExpiresIn; secs > 0 {
|
|
token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
|
|
}
|
|
if v := tokenRes.IDToken; v != "" {
|
|
// decode returned id token to get expiry
|
|
claimSet, err := jws.Decode(v)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("oauth2: error decoding JWT token: %v", err)
|
|
}
|
|
token.Expiry = time.Unix(claimSet.Exp, 0)
|
|
}
|
|
return token, nil
|
|
}
|