mirror of
https://github.com/golang/oauth2.git
synced 2025-07-21 00:00:09 +08:00
a835fc4358
In 80673b4a4 (https://go.dev/cl/157820) I added a never-shrinking package-global cache to remember which auto-detected auth style (HTTP headers vs POST) was supported by a certain OAuth2 server, keyed by its URL. Unfortunately, some multi-tenant SaaS OIDC servers behave poorly and have one global OpenID configuration document for all of their customers which says ("we support all auth styles! you pick!") but then give each customer control of which style they specifically accept. This is bogus behavior on their part, but the oauth2 package's global caching per URL isn't helping. (It's also bad to have a package-global cache that can never be GC'ed) So, this change moves the cache to hang off the oauth *Configs instead. Unfortunately, it does so with some backwards compatiblity compromises (an atomic.Value hack), lest people are using old versions of Go still or copying a Config by value, both of which this package previously accidentally supported, even though they weren't tested. This change also means that anybody that's repeatedly making ephemeral oauth.Configs without an explicit auth style will be losing & reinitializing their cache on any auth style failures + fallbacks to the other style. I think that should be pretty rare. People seem to make an oauth2.Config once earlier and stash it away somewhere (often deep in a token fetcher or HTTP client/transport). Change-Id: I91f107368ab3c3d77bc425eeef65372a589feb7b Signed-off-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/515675 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Adrian Dewhurst <adrian@tailscale.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
OAuth2 for Go
oauth2 package contains a client implementation for OAuth 2.0 spec.
Installation
go get golang.org/x/oauth2
Or you can manually git clone the repository to
$(go env GOPATH)/src/golang.org/x/oauth2.
See pkg.go.dev for further documentation and examples.
Policy for new endpoints
We no longer accept new provider-specific packages in this repo if all they do is add a single endpoint variable. If you just want to add a single endpoint, add it to the pkg.go.dev/golang.org/x/oauth2/endpoints package.
Report Issues / Send Patches
The main issue tracker for the oauth2 repository is located at https://github.com/golang/oauth2/issues.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. In particular:
- Excluding trivial changes, all contributions should be connected to an existing issue.
- API changes must go through the change proposal process before they can be accepted.
- The code owners are listed at dev.golang.org/owners.