mirror of https://github.com/docker/cli.git
vendor: golang.org/x/oauth2 bf48bf16ab8d622ce64ec6ce98d2c98f916b6303
full diff: ef147856a6...bf48bf16ab
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
9a41e375b5
commit
edf70dc308
|
@ -76,7 +76,7 @@ github.com/xeipuuv/gojsonreference bd5ef7bd5415a7ac448318e64f11
|
||||||
github.com/xeipuuv/gojsonschema f971f3cd73b2899de6923801c147f075263e0c50 # v1.1.0
|
github.com/xeipuuv/gojsonschema f971f3cd73b2899de6923801c147f075263e0c50 # v1.1.0
|
||||||
golang.org/x/crypto 2aa609cf4a9d7d1126360de73b55b6002f9e052a
|
golang.org/x/crypto 2aa609cf4a9d7d1126360de73b55b6002f9e052a
|
||||||
golang.org/x/net 0de0cce0169b09b364e001f108dc0399ea8630b3
|
golang.org/x/net 0de0cce0169b09b364e001f108dc0399ea8630b3
|
||||||
golang.org/x/oauth2 ef147856a6ddbb60760db74283d2424e98c87bff
|
golang.org/x/oauth2 bf48bf16ab8d622ce64ec6ce98d2c98f916b6303
|
||||||
golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb
|
golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb
|
||||||
golang.org/x/sys d5e6a3e2c0ae16fc7480523ebcb7fd4dd3215489
|
golang.org/x/sys d5e6a3e2c0ae16fc7480523ebcb7fd4dd3215489
|
||||||
golang.org/x/text 342b2e1fbaa52c93f31447ad2c6abc048c63e475 # v0.3.2
|
golang.org/x/text 342b2e1fbaa52c93f31447ad2c6abc048c63e475 # v0.3.2
|
||||||
|
|
|
@ -16,57 +16,16 @@ Or you can manually git clone the repository to
|
||||||
|
|
||||||
See godoc for further documentation and examples.
|
See godoc for further documentation and examples.
|
||||||
|
|
||||||
* [godoc.org/golang.org/x/oauth2](http://godoc.org/golang.org/x/oauth2)
|
* [godoc.org/golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2)
|
||||||
* [godoc.org/golang.org/x/oauth2/google](http://godoc.org/golang.org/x/oauth2/google)
|
* [godoc.org/golang.org/x/oauth2/google](https://godoc.org/golang.org/x/oauth2/google)
|
||||||
|
|
||||||
|
## Policy for new packages
|
||||||
|
|
||||||
## App Engine
|
We no longer accept new provider-specific packages in this repo if all
|
||||||
|
they do is add a single endpoint variable. If you just want to add a
|
||||||
In change 96e89be (March 2015), we removed the `oauth2.Context2` type in favor
|
single endpoint, add it to the
|
||||||
of the [`context.Context`](https://golang.org/x/net/context#Context) type from
|
[godoc.org/golang.org/x/oauth2/endpoints](https://godoc.org/golang.org/x/oauth2/endpoints)
|
||||||
the `golang.org/x/net/context` package
|
package.
|
||||||
|
|
||||||
This means it's no longer possible to use the "Classic App Engine"
|
|
||||||
`appengine.Context` type with the `oauth2` package. (You're using
|
|
||||||
Classic App Engine if you import the package `"appengine"`.)
|
|
||||||
|
|
||||||
To work around this, you may use the new `"google.golang.org/appengine"`
|
|
||||||
package. This package has almost the same API as the `"appengine"` package,
|
|
||||||
but it can be fetched with `go get` and used on "Managed VMs" and well as
|
|
||||||
Classic App Engine.
|
|
||||||
|
|
||||||
See the [new `appengine` package's readme](https://github.com/golang/appengine#updating-a-go-app-engine-app)
|
|
||||||
for information on updating your app.
|
|
||||||
|
|
||||||
If you don't want to update your entire app to use the new App Engine packages,
|
|
||||||
you may use both sets of packages in parallel, using only the new packages
|
|
||||||
with the `oauth2` package.
|
|
||||||
|
|
||||||
```go
|
|
||||||
import (
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
|
||||||
"golang.org/x/oauth2/google"
|
|
||||||
newappengine "google.golang.org/appengine"
|
|
||||||
newurlfetch "google.golang.org/appengine/urlfetch"
|
|
||||||
|
|
||||||
"appengine"
|
|
||||||
)
|
|
||||||
|
|
||||||
func handler(w http.ResponseWriter, r *http.Request) {
|
|
||||||
var c appengine.Context = appengine.NewContext(r)
|
|
||||||
c.Infof("Logging a message with the old package")
|
|
||||||
|
|
||||||
var ctx context.Context = newappengine.NewContext(r)
|
|
||||||
client := &http.Client{
|
|
||||||
Transport: &oauth2.Transport{
|
|
||||||
Source: google.AppEngineTokenSource(ctx, "scope"),
|
|
||||||
Base: &newurlfetch.Transport{Context: ctx},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
client.Get("...")
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## Report Issues / Send Patches
|
## Report Issues / Send Patches
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
module golang.org/x/oauth2
|
||||||
|
|
||||||
|
go 1.11
|
||||||
|
|
||||||
|
require (
|
||||||
|
cloud.google.com/go v0.34.0
|
||||||
|
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e
|
||||||
|
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 // indirect
|
||||||
|
google.golang.org/appengine v1.4.0
|
||||||
|
)
|
|
@ -5,85 +5,34 @@
|
||||||
package google
|
package google
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"sort"
|
"context"
|
||||||
"strings"
|
|
||||||
"sync"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
// appengineFlex is set at init time by appengineflex_hook.go. If true, we are on App Engine Flex.
|
// Set at init time by appengine_gen1.go. If nil, we're not on App Engine standard first generation (<= Go 1.9) or App Engine flexible.
|
||||||
var appengineFlex bool
|
|
||||||
|
|
||||||
// Set at init time by appengine_hook.go. If nil, we're not on App Engine.
|
|
||||||
var appengineTokenFunc func(c context.Context, scopes ...string) (token string, expiry time.Time, err error)
|
var appengineTokenFunc func(c context.Context, scopes ...string) (token string, expiry time.Time, err error)
|
||||||
|
|
||||||
// Set at init time by appengine_hook.go. If nil, we're not on App Engine.
|
// Set at init time by appengine_gen1.go. If nil, we're not on App Engine standard first generation (<= Go 1.9) or App Engine flexible.
|
||||||
var appengineAppIDFunc func(c context.Context) string
|
var appengineAppIDFunc func(c context.Context) string
|
||||||
|
|
||||||
// AppEngineTokenSource returns a token source that fetches tokens
|
// AppEngineTokenSource returns a token source that fetches tokens from either
|
||||||
// issued to the current App Engine application's service account.
|
// the current application's service account or from the metadata server,
|
||||||
// If you are implementing a 3-legged OAuth 2.0 flow on App Engine
|
// depending on the App Engine environment. See below for environment-specific
|
||||||
// that involves user accounts, see oauth2.Config instead.
|
// details. If you are implementing a 3-legged OAuth 2.0 flow on App Engine that
|
||||||
|
// involves user accounts, see oauth2.Config instead.
|
||||||
//
|
//
|
||||||
// The provided context must have come from appengine.NewContext.
|
// First generation App Engine runtimes (<= Go 1.9):
|
||||||
|
// AppEngineTokenSource returns a token source that fetches tokens issued to the
|
||||||
|
// current App Engine application's service account. The provided context must have
|
||||||
|
// come from appengine.NewContext.
|
||||||
|
//
|
||||||
|
// Second generation App Engine runtimes (>= Go 1.11) and App Engine flexible:
|
||||||
|
// AppEngineTokenSource is DEPRECATED on second generation runtimes and on the
|
||||||
|
// flexible environment. It delegates to ComputeTokenSource, and the provided
|
||||||
|
// context and scopes are not used. Please use DefaultTokenSource (or ComputeTokenSource,
|
||||||
|
// which DefaultTokenSource will use in this case) instead.
|
||||||
func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
|
func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
|
||||||
if appengineTokenFunc == nil {
|
return appEngineTokenSource(ctx, scope...)
|
||||||
panic("google: AppEngineTokenSource can only be used on App Engine.")
|
|
||||||
}
|
|
||||||
scopes := append([]string{}, scope...)
|
|
||||||
sort.Strings(scopes)
|
|
||||||
return &appEngineTokenSource{
|
|
||||||
ctx: ctx,
|
|
||||||
scopes: scopes,
|
|
||||||
key: strings.Join(scopes, " "),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// aeTokens helps the fetched tokens to be reused until their expiration.
|
|
||||||
var (
|
|
||||||
aeTokensMu sync.Mutex
|
|
||||||
aeTokens = make(map[string]*tokenLock) // key is space-separated scopes
|
|
||||||
)
|
|
||||||
|
|
||||||
type tokenLock struct {
|
|
||||||
mu sync.Mutex // guards t; held while fetching or updating t
|
|
||||||
t *oauth2.Token
|
|
||||||
}
|
|
||||||
|
|
||||||
type appEngineTokenSource struct {
|
|
||||||
ctx context.Context
|
|
||||||
scopes []string
|
|
||||||
key string // to aeTokens map; space-separated scopes
|
|
||||||
}
|
|
||||||
|
|
||||||
func (ts *appEngineTokenSource) Token() (*oauth2.Token, error) {
|
|
||||||
if appengineTokenFunc == nil {
|
|
||||||
panic("google: AppEngineTokenSource can only be used on App Engine.")
|
|
||||||
}
|
|
||||||
|
|
||||||
aeTokensMu.Lock()
|
|
||||||
tok, ok := aeTokens[ts.key]
|
|
||||||
if !ok {
|
|
||||||
tok = &tokenLock{}
|
|
||||||
aeTokens[ts.key] = tok
|
|
||||||
}
|
|
||||||
aeTokensMu.Unlock()
|
|
||||||
|
|
||||||
tok.mu.Lock()
|
|
||||||
defer tok.mu.Unlock()
|
|
||||||
if tok.t.Valid() {
|
|
||||||
return tok.t, nil
|
|
||||||
}
|
|
||||||
access, exp, err := appengineTokenFunc(ts.ctx, ts.scopes...)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
tok.t = &oauth2.Token{
|
|
||||||
AccessToken: access,
|
|
||||||
Expiry: exp,
|
|
||||||
}
|
|
||||||
return tok.t, nil
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build appengine
|
||||||
|
|
||||||
|
// This file applies to App Engine first generation runtimes (<= Go 1.9).
|
||||||
|
|
||||||
|
package google
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"sort"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
|
|
||||||
|
"golang.org/x/oauth2"
|
||||||
|
"google.golang.org/appengine"
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
appengineTokenFunc = appengine.AccessToken
|
||||||
|
appengineAppIDFunc = appengine.AppID
|
||||||
|
}
|
||||||
|
|
||||||
|
// See comment on AppEngineTokenSource in appengine.go.
|
||||||
|
func appEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
|
||||||
|
scopes := append([]string{}, scope...)
|
||||||
|
sort.Strings(scopes)
|
||||||
|
return &gaeTokenSource{
|
||||||
|
ctx: ctx,
|
||||||
|
scopes: scopes,
|
||||||
|
key: strings.Join(scopes, " "),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// aeTokens helps the fetched tokens to be reused until their expiration.
|
||||||
|
var (
|
||||||
|
aeTokensMu sync.Mutex
|
||||||
|
aeTokens = make(map[string]*tokenLock) // key is space-separated scopes
|
||||||
|
)
|
||||||
|
|
||||||
|
type tokenLock struct {
|
||||||
|
mu sync.Mutex // guards t; held while fetching or updating t
|
||||||
|
t *oauth2.Token
|
||||||
|
}
|
||||||
|
|
||||||
|
type gaeTokenSource struct {
|
||||||
|
ctx context.Context
|
||||||
|
scopes []string
|
||||||
|
key string // to aeTokens map; space-separated scopes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ts *gaeTokenSource) Token() (*oauth2.Token, error) {
|
||||||
|
aeTokensMu.Lock()
|
||||||
|
tok, ok := aeTokens[ts.key]
|
||||||
|
if !ok {
|
||||||
|
tok = &tokenLock{}
|
||||||
|
aeTokens[ts.key] = tok
|
||||||
|
}
|
||||||
|
aeTokensMu.Unlock()
|
||||||
|
|
||||||
|
tok.mu.Lock()
|
||||||
|
defer tok.mu.Unlock()
|
||||||
|
if tok.t.Valid() {
|
||||||
|
return tok.t, nil
|
||||||
|
}
|
||||||
|
access, exp, err := appengineTokenFunc(ts.ctx, ts.scopes...)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
tok.t = &oauth2.Token{
|
||||||
|
AccessToken: access,
|
||||||
|
Expiry: exp,
|
||||||
|
}
|
||||||
|
return tok.t, nil
|
||||||
|
}
|
|
@ -0,0 +1,27 @@
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !appengine
|
||||||
|
|
||||||
|
// This file applies to App Engine second generation runtimes (>= Go 1.11) and App Engine flexible.
|
||||||
|
|
||||||
|
package google
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"log"
|
||||||
|
"sync"
|
||||||
|
|
||||||
|
"golang.org/x/oauth2"
|
||||||
|
)
|
||||||
|
|
||||||
|
var logOnce sync.Once // only spam about deprecation once
|
||||||
|
|
||||||
|
// See comment on AppEngineTokenSource in appengine.go.
|
||||||
|
func appEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource {
|
||||||
|
logOnce.Do(func() {
|
||||||
|
log.Print("google: AppEngineTokenSource is deprecated on App Engine standard second generation runtimes (>= Go 1.11) and App Engine flexible. Please use DefaultTokenSource or ComputeTokenSource.")
|
||||||
|
})
|
||||||
|
return ComputeTokenSource("")
|
||||||
|
}
|
|
@ -1,14 +0,0 @@
|
||||||
// Copyright 2015 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build appengine appenginevm
|
|
||||||
|
|
||||||
package google
|
|
||||||
|
|
||||||
import "google.golang.org/appengine"
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
appengineTokenFunc = appengine.AccessToken
|
|
||||||
appengineAppIDFunc = appengine.AppID
|
|
||||||
}
|
|
|
@ -1,11 +0,0 @@
|
||||||
// Copyright 2015 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build appenginevm
|
|
||||||
|
|
||||||
package google
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
appengineFlex = true // Flex doesn't support appengine.AccessToken; depend on metadata server.
|
|
||||||
}
|
|
|
@ -5,6 +5,7 @@
|
||||||
package google
|
package google
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
@ -14,10 +15,28 @@ import (
|
||||||
"runtime"
|
"runtime"
|
||||||
|
|
||||||
"cloud.google.com/go/compute/metadata"
|
"cloud.google.com/go/compute/metadata"
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Credentials holds Google credentials, including "Application Default Credentials".
|
||||||
|
// For more details, see:
|
||||||
|
// https://developers.google.com/accounts/docs/application-default-credentials
|
||||||
|
type Credentials struct {
|
||||||
|
ProjectID string // may be empty
|
||||||
|
TokenSource oauth2.TokenSource
|
||||||
|
|
||||||
|
// JSON contains the raw bytes from a JSON credentials file.
|
||||||
|
// This field may be nil if authentication is provided by the
|
||||||
|
// environment and not with a credentials file, e.g. when code is
|
||||||
|
// running on Google Cloud Platform.
|
||||||
|
JSON []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// DefaultCredentials is the old name of Credentials.
|
||||||
|
//
|
||||||
|
// Deprecated: use Credentials instead.
|
||||||
|
type DefaultCredentials = Credentials
|
||||||
|
|
||||||
// DefaultClient returns an HTTP Client that uses the
|
// DefaultClient returns an HTTP Client that uses the
|
||||||
// DefaultTokenSource to obtain authentication credentials.
|
// DefaultTokenSource to obtain authentication credentials.
|
||||||
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
|
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
|
||||||
|
@ -39,8 +58,22 @@ func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSourc
|
||||||
return creds.TokenSource, nil
|
return creds.TokenSource, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Common implementation for FindDefaultCredentials.
|
// FindDefaultCredentials searches for "Application Default Credentials".
|
||||||
func findDefaultCredentials(ctx context.Context, scopes []string) (*DefaultCredentials, error) {
|
//
|
||||||
|
// It looks for credentials in the following places,
|
||||||
|
// preferring the first location found:
|
||||||
|
//
|
||||||
|
// 1. A JSON file whose path is specified by the
|
||||||
|
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
||||||
|
// 2. A JSON file in a location known to the gcloud command-line tool.
|
||||||
|
// On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
|
||||||
|
// On other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
||||||
|
// 3. On Google App Engine standard first generation runtimes (<= Go 1.9) it uses
|
||||||
|
// the appengine.AccessToken function.
|
||||||
|
// 4. On Google Compute Engine, Google App Engine standard second generation runtimes
|
||||||
|
// (>= Go 1.11), and Google App Engine flexible environment, it fetches
|
||||||
|
// credentials from the metadata server.
|
||||||
|
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
|
||||||
// First, try the environment variable.
|
// First, try the environment variable.
|
||||||
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
|
const envVar = "GOOGLE_APPLICATION_CREDENTIALS"
|
||||||
if filename := os.Getenv(envVar); filename != "" {
|
if filename := os.Getenv(envVar); filename != "" {
|
||||||
|
@ -59,20 +92,23 @@ func findDefaultCredentials(ctx context.Context, scopes []string) (*DefaultCrede
|
||||||
return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
|
return nil, fmt.Errorf("google: error getting credentials using well-known file (%v): %v", filename, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Third, if we're on Google App Engine use those credentials.
|
// Third, if we're on a Google App Engine standard first generation runtime (<= Go 1.9)
|
||||||
if appengineTokenFunc != nil && !appengineFlex {
|
// use those credentials. App Engine standard second generation runtimes (>= Go 1.11)
|
||||||
|
// and App Engine flexible use ComputeTokenSource and the metadata server.
|
||||||
|
if appengineTokenFunc != nil {
|
||||||
return &DefaultCredentials{
|
return &DefaultCredentials{
|
||||||
ProjectID: appengineAppIDFunc(ctx),
|
ProjectID: appengineAppIDFunc(ctx),
|
||||||
TokenSource: AppEngineTokenSource(ctx, scopes...),
|
TokenSource: AppEngineTokenSource(ctx, scopes...),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fourth, if we're on Google Compute Engine use the metadata server.
|
// Fourth, if we're on Google Compute Engine, an App Engine standard second generation runtime,
|
||||||
|
// or App Engine flexible, use the metadata server.
|
||||||
if metadata.OnGCE() {
|
if metadata.OnGCE() {
|
||||||
id, _ := metadata.ProjectID()
|
id, _ := metadata.ProjectID()
|
||||||
return &DefaultCredentials{
|
return &DefaultCredentials{
|
||||||
ProjectID: id,
|
ProjectID: id,
|
||||||
TokenSource: ComputeTokenSource(""),
|
TokenSource: ComputeTokenSource("", scopes...),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -81,8 +117,11 @@ func findDefaultCredentials(ctx context.Context, scopes []string) (*DefaultCrede
|
||||||
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
|
return nil, fmt.Errorf("google: could not find default credentials. See %v for more information.", url)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Common implementation for CredentialsFromJSON.
|
// CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can
|
||||||
func credentialsFromJSON(ctx context.Context, jsonData []byte, scopes []string) (*DefaultCredentials, error) {
|
// represent either a Google Developers Console client_credentials.json file (as in
|
||||||
|
// ConfigFromJSON) or a Google Developers service account key file (as in
|
||||||
|
// JWTConfigFromJSON).
|
||||||
|
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
|
||||||
var f credentialsFile
|
var f credentialsFile
|
||||||
if err := json.Unmarshal(jsonData, &f); err != nil {
|
if err := json.Unmarshal(jsonData, &f); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -2,8 +2,6 @@
|
||||||
// Use of this source code is governed by a BSD-style
|
// Use of this source code is governed by a BSD-style
|
||||||
// license that can be found in the LICENSE file.
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
// +build go1.9
|
|
||||||
|
|
||||||
// Package google provides support for making OAuth2 authorized and authenticated
|
// Package google provides support for making OAuth2 authorized and authenticated
|
||||||
// HTTP requests to Google APIs. It supports the Web server flow, client-side
|
// HTTP requests to Google APIs. It supports the Web server flow, client-side
|
||||||
// credentials, service accounts, Google Compute Engine service accounts, and Google
|
// credentials, service accounts, Google Compute Engine service accounts, and Google
|
|
@ -1,43 +0,0 @@
|
||||||
// Copyright 2018 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build !go1.9
|
|
||||||
|
|
||||||
// Package google provides support for making OAuth2 authorized and authenticated
|
|
||||||
// HTTP requests to Google APIs. It supports the Web server flow, client-side
|
|
||||||
// credentials, service accounts, Google Compute Engine service accounts, and Google
|
|
||||||
// App Engine service accounts.
|
|
||||||
//
|
|
||||||
// A brief overview of the package follows. For more information, please read
|
|
||||||
// https://developers.google.com/accounts/docs/OAuth2
|
|
||||||
// and
|
|
||||||
// https://developers.google.com/accounts/docs/application-default-credentials.
|
|
||||||
//
|
|
||||||
// OAuth2 Configs
|
|
||||||
//
|
|
||||||
// Two functions in this package return golang.org/x/oauth2.Config values from Google credential
|
|
||||||
// data. Google supports two JSON formats for OAuth2 credentials: one is handled by ConfigFromJSON,
|
|
||||||
// the other by JWTConfigFromJSON. The returned Config can be used to obtain a TokenSource or
|
|
||||||
// create an http.Client.
|
|
||||||
//
|
|
||||||
//
|
|
||||||
// Credentials
|
|
||||||
//
|
|
||||||
// The DefaultCredentials type represents Google Application Default Credentials, as
|
|
||||||
// well as other forms of credential.
|
|
||||||
//
|
|
||||||
// Use FindDefaultCredentials to obtain Application Default Credentials.
|
|
||||||
// FindDefaultCredentials looks in some well-known places for a credentials file, and
|
|
||||||
// will call AppEngineTokenSource or ComputeTokenSource as needed.
|
|
||||||
//
|
|
||||||
// DefaultClient and DefaultTokenSource are convenience methods. They first call FindDefaultCredentials,
|
|
||||||
// then use the credentials to construct an http.Client or an oauth2.TokenSource.
|
|
||||||
//
|
|
||||||
// Use CredentialsFromJSON to obtain credentials from either of the two JSON
|
|
||||||
// formats described in OAuth2 Configs, above. (The DefaultCredentials returned may
|
|
||||||
// not be "Application Default Credentials".) The TokenSource in the returned value
|
|
||||||
// is the same as the one obtained from the oauth2.Config returned from
|
|
||||||
// ConfigFromJSON or JWTConfigFromJSON, but the DefaultCredentials may contain
|
|
||||||
// additional information that is useful is some circumstances.
|
|
||||||
package google // import "golang.org/x/oauth2/google"
|
|
|
@ -1,57 +0,0 @@
|
||||||
// Copyright 2018 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build go1.9
|
|
||||||
|
|
||||||
package google
|
|
||||||
|
|
||||||
import (
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Credentials holds Google credentials, including "Application Default Credentials".
|
|
||||||
// For more details, see:
|
|
||||||
// https://developers.google.com/accounts/docs/application-default-credentials
|
|
||||||
type Credentials struct {
|
|
||||||
ProjectID string // may be empty
|
|
||||||
TokenSource oauth2.TokenSource
|
|
||||||
|
|
||||||
// JSON contains the raw bytes from a JSON credentials file.
|
|
||||||
// This field may be nil if authentication is provided by the
|
|
||||||
// environment and not with a credentials file, e.g. when code is
|
|
||||||
// running on Google Cloud Platform.
|
|
||||||
JSON []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
// DefaultCredentials is the old name of Credentials.
|
|
||||||
//
|
|
||||||
// Deprecated: use Credentials instead.
|
|
||||||
type DefaultCredentials = Credentials
|
|
||||||
|
|
||||||
// FindDefaultCredentials searches for "Application Default Credentials".
|
|
||||||
//
|
|
||||||
// It looks for credentials in the following places,
|
|
||||||
// preferring the first location found:
|
|
||||||
//
|
|
||||||
// 1. A JSON file whose path is specified by the
|
|
||||||
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
|
||||||
// 2. A JSON file in a location known to the gcloud command-line tool.
|
|
||||||
// On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
|
|
||||||
// On other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
|
||||||
// 3. On Google App Engine it uses the appengine.AccessToken function.
|
|
||||||
// 4. On Google Compute Engine and Google App Engine Managed VMs, it fetches
|
|
||||||
// credentials from the metadata server.
|
|
||||||
// (In this final case any provided scopes are ignored.)
|
|
||||||
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error) {
|
|
||||||
return findDefaultCredentials(ctx, scopes)
|
|
||||||
}
|
|
||||||
|
|
||||||
// CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can
|
|
||||||
// represent either a Google Developers Console client_credentials.json file (as in
|
|
||||||
// ConfigFromJSON) or a Google Developers service account key file (as in
|
|
||||||
// JWTConfigFromJSON).
|
|
||||||
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) {
|
|
||||||
return credentialsFromJSON(ctx, jsonData, scopes)
|
|
||||||
}
|
|
|
@ -5,14 +5,15 @@
|
||||||
package google
|
package google
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"cloud.google.com/go/compute/metadata"
|
"cloud.google.com/go/compute/metadata"
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
"golang.org/x/oauth2/jwt"
|
"golang.org/x/oauth2/jwt"
|
||||||
)
|
)
|
||||||
|
@ -20,11 +21,12 @@ import (
|
||||||
// Endpoint is Google's OAuth 2.0 endpoint.
|
// Endpoint is Google's OAuth 2.0 endpoint.
|
||||||
var Endpoint = oauth2.Endpoint{
|
var Endpoint = oauth2.Endpoint{
|
||||||
AuthURL: "https://accounts.google.com/o/oauth2/auth",
|
AuthURL: "https://accounts.google.com/o/oauth2/auth",
|
||||||
TokenURL: "https://accounts.google.com/o/oauth2/token",
|
TokenURL: "https://oauth2.googleapis.com/token",
|
||||||
|
AuthStyle: oauth2.AuthStyleInParams,
|
||||||
}
|
}
|
||||||
|
|
||||||
// JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
|
// JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
|
||||||
const JWTTokenURL = "https://accounts.google.com/o/oauth2/token"
|
const JWTTokenURL = "https://oauth2.googleapis.com/token"
|
||||||
|
|
||||||
// ConfigFromJSON uses a Google Developers Console client_credentials.json
|
// ConfigFromJSON uses a Google Developers Console client_credentials.json
|
||||||
// file to construct a config.
|
// file to construct a config.
|
||||||
|
@ -150,14 +152,16 @@ func (f *credentialsFile) tokenSource(ctx context.Context, scopes []string) (oau
|
||||||
// from Google Compute Engine (GCE)'s metadata server. It's only valid to use
|
// from Google Compute Engine (GCE)'s metadata server. It's only valid to use
|
||||||
// this token source if your program is running on a GCE instance.
|
// this token source if your program is running on a GCE instance.
|
||||||
// If no account is specified, "default" is used.
|
// If no account is specified, "default" is used.
|
||||||
|
// If no scopes are specified, a set of default scopes are automatically granted.
|
||||||
// Further information about retrieving access tokens from the GCE metadata
|
// Further information about retrieving access tokens from the GCE metadata
|
||||||
// server can be found at https://cloud.google.com/compute/docs/authentication.
|
// server can be found at https://cloud.google.com/compute/docs/authentication.
|
||||||
func ComputeTokenSource(account string) oauth2.TokenSource {
|
func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource {
|
||||||
return oauth2.ReuseTokenSource(nil, computeSource{account: account})
|
return oauth2.ReuseTokenSource(nil, computeSource{account: account, scopes: scope})
|
||||||
}
|
}
|
||||||
|
|
||||||
type computeSource struct {
|
type computeSource struct {
|
||||||
account string
|
account string
|
||||||
|
scopes []string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (cs computeSource) Token() (*oauth2.Token, error) {
|
func (cs computeSource) Token() (*oauth2.Token, error) {
|
||||||
|
@ -168,7 +172,13 @@ func (cs computeSource) Token() (*oauth2.Token, error) {
|
||||||
if acct == "" {
|
if acct == "" {
|
||||||
acct = "default"
|
acct = "default"
|
||||||
}
|
}
|
||||||
tokenJSON, err := metadata.Get("instance/service-accounts/" + acct + "/token")
|
tokenURI := "instance/service-accounts/" + acct + "/token"
|
||||||
|
if len(cs.scopes) > 0 {
|
||||||
|
v := url.Values{}
|
||||||
|
v.Set("scopes", strings.Join(cs.scopes, ","))
|
||||||
|
tokenURI = tokenURI + "?" + v.Encode()
|
||||||
|
}
|
||||||
|
tokenJSON, err := metadata.Get(tokenURI)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -184,9 +194,16 @@ func (cs computeSource) Token() (*oauth2.Token, error) {
|
||||||
if res.ExpiresInSec == 0 || res.AccessToken == "" {
|
if res.ExpiresInSec == 0 || res.AccessToken == "" {
|
||||||
return nil, fmt.Errorf("oauth2/google: incomplete token received from metadata")
|
return nil, fmt.Errorf("oauth2/google: incomplete token received from metadata")
|
||||||
}
|
}
|
||||||
return &oauth2.Token{
|
tok := &oauth2.Token{
|
||||||
AccessToken: res.AccessToken,
|
AccessToken: res.AccessToken,
|
||||||
TokenType: res.TokenType,
|
TokenType: res.TokenType,
|
||||||
Expiry: time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
|
Expiry: time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second),
|
||||||
}, nil
|
}
|
||||||
|
// NOTE(cbro): add hidden metadata about where the token is from.
|
||||||
|
// This is needed for detection by client libraries to know that credentials come from the metadata server.
|
||||||
|
// This may be removed in a future version of this library.
|
||||||
|
return tok.WithExtra(map[string]interface{}{
|
||||||
|
"oauth2.google.tokenSource": "compute-metadata",
|
||||||
|
"oauth2.google.serviceAccount": acct,
|
||||||
|
}), nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,54 +0,0 @@
|
||||||
// Copyright 2018 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build !go1.9
|
|
||||||
|
|
||||||
package google
|
|
||||||
|
|
||||||
import (
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
|
||||||
)
|
|
||||||
|
|
||||||
// DefaultCredentials holds Google credentials, including "Application Default Credentials".
|
|
||||||
// For more details, see:
|
|
||||||
// https://developers.google.com/accounts/docs/application-default-credentials
|
|
||||||
type DefaultCredentials struct {
|
|
||||||
ProjectID string // may be empty
|
|
||||||
TokenSource oauth2.TokenSource
|
|
||||||
|
|
||||||
// JSON contains the raw bytes from a JSON credentials file.
|
|
||||||
// This field may be nil if authentication is provided by the
|
|
||||||
// environment and not with a credentials file, e.g. when code is
|
|
||||||
// running on Google Cloud Platform.
|
|
||||||
JSON []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
// FindDefaultCredentials searches for "Application Default Credentials".
|
|
||||||
//
|
|
||||||
// It looks for credentials in the following places,
|
|
||||||
// preferring the first location found:
|
|
||||||
//
|
|
||||||
// 1. A JSON file whose path is specified by the
|
|
||||||
// GOOGLE_APPLICATION_CREDENTIALS environment variable.
|
|
||||||
// 2. A JSON file in a location known to the gcloud command-line tool.
|
|
||||||
// On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
|
|
||||||
// On other systems, $HOME/.config/gcloud/application_default_credentials.json.
|
|
||||||
// 3. On Google App Engine it uses the appengine.AccessToken function.
|
|
||||||
// 4. On Google Compute Engine and Google App Engine Managed VMs, it fetches
|
|
||||||
// credentials from the metadata server.
|
|
||||||
// (In this final case any provided scopes are ignored.)
|
|
||||||
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*DefaultCredentials, error) {
|
|
||||||
return findDefaultCredentials(ctx, scopes)
|
|
||||||
}
|
|
||||||
|
|
||||||
// CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can
|
|
||||||
// represent either a Google Developers Console client_credentials.json file (as in
|
|
||||||
// ConfigFromJSON) or a Google Developers service account key file (as in
|
|
||||||
// JWTConfigFromJSON).
|
|
||||||
//
|
|
||||||
// Note: despite the name, the returned credentials may not be Application Default Credentials.
|
|
||||||
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*DefaultCredentials, error) {
|
|
||||||
return credentialsFromJSON(ctx, jsonData, scopes)
|
|
||||||
}
|
|
|
@ -6,6 +6,7 @@ package google
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bufio"
|
"bufio"
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
@ -18,7 +19,6 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ func ParseKey(key []byte) (*rsa.PrivateKey, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
parsedKey, err = x509.ParsePKCS1PrivateKey(key)
|
parsedKey, err = x509.ParsePKCS1PrivateKey(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("private key should be a PEM or plain PKSC1 or PKCS8; parse error: %v", err)
|
return nil, fmt.Errorf("private key should be a PEM or plain PKCS1 or PKCS8; parse error: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
parsed, ok := parsedKey.(*rsa.PrivateKey)
|
parsed, ok := parsedKey.(*rsa.PrivateKey)
|
||||||
|
|
|
@ -5,19 +5,21 @@
|
||||||
package internal
|
package internal
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"math"
|
||||||
"mime"
|
"mime"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/net/context/ctxhttp"
|
"golang.org/x/net/context/ctxhttp"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -61,22 +63,21 @@ type tokenJSON struct {
|
||||||
TokenType string `json:"token_type"`
|
TokenType string `json:"token_type"`
|
||||||
RefreshToken string `json:"refresh_token"`
|
RefreshToken string `json:"refresh_token"`
|
||||||
ExpiresIn expirationTime `json:"expires_in"` // at least PayPal returns string, while most return number
|
ExpiresIn expirationTime `json:"expires_in"` // at least PayPal returns string, while most return number
|
||||||
Expires expirationTime `json:"expires"` // broken Facebook spelling of expires_in
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *tokenJSON) expiry() (t time.Time) {
|
func (e *tokenJSON) expiry() (t time.Time) {
|
||||||
if v := e.ExpiresIn; v != 0 {
|
if v := e.ExpiresIn; v != 0 {
|
||||||
return time.Now().Add(time.Duration(v) * time.Second)
|
return time.Now().Add(time.Duration(v) * time.Second)
|
||||||
}
|
}
|
||||||
if v := e.Expires; v != 0 {
|
|
||||||
return time.Now().Add(time.Duration(v) * time.Second)
|
|
||||||
}
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
type expirationTime int32
|
type expirationTime int32
|
||||||
|
|
||||||
func (e *expirationTime) UnmarshalJSON(b []byte) error {
|
func (e *expirationTime) UnmarshalJSON(b []byte) error {
|
||||||
|
if len(b) == 0 || string(b) == "null" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
var n json.Number
|
var n json.Number
|
||||||
err := json.Unmarshal(b, &n)
|
err := json.Unmarshal(b, &n)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -86,99 +87,78 @@ func (e *expirationTime) UnmarshalJSON(b []byte) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if i > math.MaxInt32 {
|
||||||
|
i = math.MaxInt32
|
||||||
|
}
|
||||||
*e = expirationTime(i)
|
*e = expirationTime(i)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var brokenAuthHeaderProviders = []string{
|
// RegisterBrokenAuthHeaderProvider previously did something. It is now a no-op.
|
||||||
"https://accounts.google.com/",
|
//
|
||||||
"https://api.codeswholesale.com/oauth/token",
|
// Deprecated: this function no longer does anything. Caller code that
|
||||||
"https://api.dropbox.com/",
|
// wants to avoid potential extra HTTP requests made during
|
||||||
"https://api.dropboxapi.com/",
|
// auto-probing of the provider's auth style should set
|
||||||
"https://api.instagram.com/",
|
// Endpoint.AuthStyle.
|
||||||
"https://api.netatmo.net/",
|
func RegisterBrokenAuthHeaderProvider(tokenURL string) {}
|
||||||
"https://api.odnoklassniki.ru/",
|
|
||||||
"https://api.pushbullet.com/",
|
// AuthStyle is a copy of the golang.org/x/oauth2 package's AuthStyle type.
|
||||||
"https://api.soundcloud.com/",
|
type AuthStyle int
|
||||||
"https://api.twitch.tv/",
|
|
||||||
"https://id.twitch.tv/",
|
const (
|
||||||
"https://app.box.com/",
|
AuthStyleUnknown AuthStyle = 0
|
||||||
"https://connect.stripe.com/",
|
AuthStyleInParams AuthStyle = 1
|
||||||
"https://login.mailchimp.com/",
|
AuthStyleInHeader AuthStyle = 2
|
||||||
"https://login.microsoftonline.com/",
|
)
|
||||||
"https://login.salesforce.com/",
|
|
||||||
"https://login.windows.net",
|
// authStyleCache is the set of tokenURLs we've successfully used via
|
||||||
"https://login.live.com/",
|
// RetrieveToken and which style auth we ended up using.
|
||||||
"https://oauth.sandbox.trainingpeaks.com/",
|
// It's called a cache, but it doesn't (yet?) shrink. It's expected that
|
||||||
"https://oauth.trainingpeaks.com/",
|
// the set of OAuth2 servers a program contacts over time is fixed and
|
||||||
"https://oauth.vk.com/",
|
// small.
|
||||||
"https://openapi.baidu.com/",
|
var authStyleCache struct {
|
||||||
"https://slack.com/",
|
sync.Mutex
|
||||||
"https://test-sandbox.auth.corp.google.com",
|
m map[string]AuthStyle // keyed by tokenURL
|
||||||
"https://test.salesforce.com/",
|
|
||||||
"https://user.gini.net/",
|
|
||||||
"https://www.douban.com/",
|
|
||||||
"https://www.googleapis.com/",
|
|
||||||
"https://www.linkedin.com/",
|
|
||||||
"https://www.strava.com/oauth/",
|
|
||||||
"https://www.wunderlist.com/oauth/",
|
|
||||||
"https://api.patreon.com/",
|
|
||||||
"https://sandbox.codeswholesale.com/oauth/token",
|
|
||||||
"https://api.sipgate.com/v1/authorization/oauth",
|
|
||||||
"https://api.medium.com/v1/tokens",
|
|
||||||
"https://log.finalsurge.com/oauth/token",
|
|
||||||
"https://multisport.todaysplan.com.au/rest/oauth/access_token",
|
|
||||||
"https://whats.todaysplan.com.au/rest/oauth/access_token",
|
|
||||||
"https://stackoverflow.com/oauth/access_token",
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// brokenAuthHeaderDomains lists broken providers that issue dynamic endpoints.
|
// ResetAuthCache resets the global authentication style cache used
|
||||||
var brokenAuthHeaderDomains = []string{
|
// for AuthStyleUnknown token requests.
|
||||||
".auth0.com",
|
func ResetAuthCache() {
|
||||||
".force.com",
|
authStyleCache.Lock()
|
||||||
".myshopify.com",
|
defer authStyleCache.Unlock()
|
||||||
".okta.com",
|
authStyleCache.m = nil
|
||||||
".oktapreview.com",
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func RegisterBrokenAuthHeaderProvider(tokenURL string) {
|
// lookupAuthStyle reports which auth style we last used with tokenURL
|
||||||
brokenAuthHeaderProviders = append(brokenAuthHeaderProviders, tokenURL)
|
// when calling RetrieveToken and whether we have ever done so.
|
||||||
|
func lookupAuthStyle(tokenURL string) (style AuthStyle, ok bool) {
|
||||||
|
authStyleCache.Lock()
|
||||||
|
defer authStyleCache.Unlock()
|
||||||
|
style, ok = authStyleCache.m[tokenURL]
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// providerAuthHeaderWorks reports whether the OAuth2 server identified by the tokenURL
|
// setAuthStyle adds an entry to authStyleCache, documented above.
|
||||||
// implements the OAuth2 spec correctly
|
func setAuthStyle(tokenURL string, v AuthStyle) {
|
||||||
// See https://code.google.com/p/goauth2/issues/detail?id=31 for background.
|
authStyleCache.Lock()
|
||||||
// In summary:
|
defer authStyleCache.Unlock()
|
||||||
// - Reddit only accepts client secret in the Authorization header
|
if authStyleCache.m == nil {
|
||||||
// - Dropbox accepts either it in URL param or Auth header, but not both.
|
authStyleCache.m = make(map[string]AuthStyle)
|
||||||
// - Google only accepts URL param (not spec compliant?), not Auth header
|
|
||||||
// - Stripe only accepts client secret in Auth header with Bearer method, not Basic
|
|
||||||
func providerAuthHeaderWorks(tokenURL string) bool {
|
|
||||||
for _, s := range brokenAuthHeaderProviders {
|
|
||||||
if strings.HasPrefix(tokenURL, s) {
|
|
||||||
// Some sites fail to implement the OAuth2 spec fully.
|
|
||||||
return false
|
|
||||||
}
|
}
|
||||||
|
authStyleCache.m[tokenURL] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
if u, err := url.Parse(tokenURL); err == nil {
|
// newTokenRequest returns a new *http.Request to retrieve a new token
|
||||||
for _, s := range brokenAuthHeaderDomains {
|
// from tokenURL using the provided clientID, clientSecret, and POST
|
||||||
if strings.HasSuffix(u.Host, s) {
|
// body parameters.
|
||||||
return false
|
//
|
||||||
}
|
// inParams is whether the clientID & clientSecret should be encoded
|
||||||
}
|
// as the POST body. An 'inParams' value of true means to send it in
|
||||||
}
|
// the POST body (along with any values in v); false means to send it
|
||||||
|
// in the Authorization header.
|
||||||
// Assume the provider implements the spec properly
|
func newTokenRequest(tokenURL, clientID, clientSecret string, v url.Values, authStyle AuthStyle) (*http.Request, error) {
|
||||||
// otherwise. We can add more exceptions as they're
|
if authStyle == AuthStyleInParams {
|
||||||
// discovered. We will _not_ be adding configurable hooks
|
v = cloneURLValues(v)
|
||||||
// to this package to let users select server bugs.
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string, v url.Values) (*Token, error) {
|
|
||||||
bustedAuth := !providerAuthHeaderWorks(tokenURL)
|
|
||||||
if bustedAuth {
|
|
||||||
if clientID != "" {
|
if clientID != "" {
|
||||||
v.Set("client_id", clientID)
|
v.Set("client_id", clientID)
|
||||||
}
|
}
|
||||||
|
@ -191,15 +171,70 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
if !bustedAuth {
|
if authStyle == AuthStyleInHeader {
|
||||||
req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
|
req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
|
||||||
}
|
}
|
||||||
|
return req, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func cloneURLValues(v url.Values) url.Values {
|
||||||
|
v2 := make(url.Values, len(v))
|
||||||
|
for k, vv := range v {
|
||||||
|
v2[k] = append([]string(nil), vv...)
|
||||||
|
}
|
||||||
|
return v2
|
||||||
|
}
|
||||||
|
|
||||||
|
func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string, v url.Values, authStyle AuthStyle) (*Token, error) {
|
||||||
|
needsAuthStyleProbe := authStyle == 0
|
||||||
|
if needsAuthStyleProbe {
|
||||||
|
if style, ok := lookupAuthStyle(tokenURL); ok {
|
||||||
|
authStyle = style
|
||||||
|
needsAuthStyleProbe = false
|
||||||
|
} else {
|
||||||
|
authStyle = AuthStyleInHeader // the first way we'll try
|
||||||
|
}
|
||||||
|
}
|
||||||
|
req, err := newTokenRequest(tokenURL, clientID, clientSecret, v, authStyle)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
token, err := doTokenRoundTrip(ctx, req)
|
||||||
|
if err != nil && needsAuthStyleProbe {
|
||||||
|
// If we get an error, assume the server wants the
|
||||||
|
// clientID & clientSecret in a different form.
|
||||||
|
// See https://code.google.com/p/goauth2/issues/detail?id=31 for background.
|
||||||
|
// In summary:
|
||||||
|
// - Reddit only accepts client secret in the Authorization header
|
||||||
|
// - Dropbox accepts either it in URL param or Auth header, but not both.
|
||||||
|
// - Google only accepts URL param (not spec compliant?), not Auth header
|
||||||
|
// - Stripe only accepts client secret in Auth header with Bearer method, not Basic
|
||||||
|
//
|
||||||
|
// We used to maintain a big table in this code of all the sites and which way
|
||||||
|
// they went, but maintaining it didn't scale & got annoying.
|
||||||
|
// So just try both ways.
|
||||||
|
authStyle = AuthStyleInParams // the second way we'll try
|
||||||
|
req, _ = newTokenRequest(tokenURL, clientID, clientSecret, v, authStyle)
|
||||||
|
token, err = doTokenRoundTrip(ctx, req)
|
||||||
|
}
|
||||||
|
if needsAuthStyleProbe && err == nil {
|
||||||
|
setAuthStyle(tokenURL, authStyle)
|
||||||
|
}
|
||||||
|
// Don't overwrite `RefreshToken` with an empty value
|
||||||
|
// if this was a token refreshing request.
|
||||||
|
if token != nil && token.RefreshToken == "" {
|
||||||
|
token.RefreshToken = v.Get("refresh_token")
|
||||||
|
}
|
||||||
|
return token, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func doTokenRoundTrip(ctx context.Context, req *http.Request) (*Token, error) {
|
||||||
r, err := ctxhttp.Do(ctx, ContextClient(ctx), req)
|
r, err := ctxhttp.Do(ctx, ContextClient(ctx), req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
defer r.Body.Close()
|
|
||||||
body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
|
body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
|
||||||
|
r.Body.Close()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
|
return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -225,12 +260,6 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
|
||||||
Raw: vals,
|
Raw: vals,
|
||||||
}
|
}
|
||||||
e := vals.Get("expires_in")
|
e := vals.Get("expires_in")
|
||||||
if e == "" {
|
|
||||||
// TODO(jbd): Facebook's OAuth2 implementation is broken and
|
|
||||||
// returns expires_in field in expires. Remove the fallback to expires,
|
|
||||||
// when Facebook fixes their implementation.
|
|
||||||
e = vals.Get("expires")
|
|
||||||
}
|
|
||||||
expires, _ := strconv.Atoi(e)
|
expires, _ := strconv.Atoi(e)
|
||||||
if expires != 0 {
|
if expires != 0 {
|
||||||
token.Expiry = time.Now().Add(time.Duration(expires) * time.Second)
|
token.Expiry = time.Now().Add(time.Duration(expires) * time.Second)
|
||||||
|
@ -249,13 +278,8 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
|
||||||
}
|
}
|
||||||
json.Unmarshal(body, &token.Raw) // no error checks for optional fields
|
json.Unmarshal(body, &token.Raw) // no error checks for optional fields
|
||||||
}
|
}
|
||||||
// Don't overwrite `RefreshToken` with an empty value
|
|
||||||
// if this was a token refreshing request.
|
|
||||||
if token.RefreshToken == "" {
|
|
||||||
token.RefreshToken = v.Get("refresh_token")
|
|
||||||
}
|
|
||||||
if token.AccessToken == "" {
|
if token.AccessToken == "" {
|
||||||
return token, errors.New("oauth2: server response missing access_token")
|
return nil, errors.New("oauth2: server response missing access_token")
|
||||||
}
|
}
|
||||||
return token, nil
|
return token, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,9 +5,8 @@
|
||||||
package internal
|
package internal
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// HTTPClient is the context key to use with golang.org/x/net/context's
|
// HTTPClient is the context key to use with golang.org/x/net/context's
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
package jwt
|
package jwt
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
@ -18,7 +19,6 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
"golang.org/x/oauth2/internal"
|
"golang.org/x/oauth2/internal"
|
||||||
"golang.org/x/oauth2/jws"
|
"golang.org/x/oauth2/jws"
|
||||||
|
@ -61,6 +61,19 @@ type Config struct {
|
||||||
|
|
||||||
// Expires optionally specifies how long the token is valid for.
|
// Expires optionally specifies how long the token is valid for.
|
||||||
Expires time.Duration
|
Expires time.Duration
|
||||||
|
|
||||||
|
// Audience optionally specifies the intended audience of the
|
||||||
|
// request. If empty, the value of TokenURL is used as the
|
||||||
|
// intended audience.
|
||||||
|
Audience string
|
||||||
|
|
||||||
|
// PrivateClaims optionally specifies custom private claims in the JWT.
|
||||||
|
// See http://tools.ietf.org/html/draft-jones-json-web-token-10#section-4.3
|
||||||
|
PrivateClaims map[string]interface{}
|
||||||
|
|
||||||
|
// UseIDToken optionally specifies whether ID token should be used instead
|
||||||
|
// of access token when the server returns both.
|
||||||
|
UseIDToken bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// TokenSource returns a JWT TokenSource using the configuration
|
// TokenSource returns a JWT TokenSource using the configuration
|
||||||
|
@ -95,6 +108,7 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
|
||||||
Iss: js.conf.Email,
|
Iss: js.conf.Email,
|
||||||
Scope: strings.Join(js.conf.Scopes, " "),
|
Scope: strings.Join(js.conf.Scopes, " "),
|
||||||
Aud: js.conf.TokenURL,
|
Aud: js.conf.TokenURL,
|
||||||
|
PrivateClaims: js.conf.PrivateClaims,
|
||||||
}
|
}
|
||||||
if subject := js.conf.Subject; subject != "" {
|
if subject := js.conf.Subject; subject != "" {
|
||||||
claimSet.Sub = subject
|
claimSet.Sub = subject
|
||||||
|
@ -105,6 +119,9 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
|
||||||
if t := js.conf.Expires; t > 0 {
|
if t := js.conf.Expires; t > 0 {
|
||||||
claimSet.Exp = time.Now().Add(t).Unix()
|
claimSet.Exp = time.Now().Add(t).Unix()
|
||||||
}
|
}
|
||||||
|
if aud := js.conf.Audience; aud != "" {
|
||||||
|
claimSet.Aud = aud
|
||||||
|
}
|
||||||
h := *defaultHeader
|
h := *defaultHeader
|
||||||
h.KeyID = js.conf.PrivateKeyID
|
h.KeyID = js.conf.PrivateKeyID
|
||||||
payload, err := jws.Encode(&h, claimSet, pk)
|
payload, err := jws.Encode(&h, claimSet, pk)
|
||||||
|
@ -158,5 +175,11 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
|
||||||
}
|
}
|
||||||
token.Expiry = time.Unix(claimSet.Exp, 0)
|
token.Expiry = time.Unix(claimSet.Exp, 0)
|
||||||
}
|
}
|
||||||
|
if js.conf.UseIDToken {
|
||||||
|
if tokenRes.IDToken == "" {
|
||||||
|
return nil, fmt.Errorf("oauth2: response doesn't have JWT token")
|
||||||
|
}
|
||||||
|
token.AccessToken = tokenRes.IDToken
|
||||||
|
}
|
||||||
return token, nil
|
return token, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,13 +10,13 @@ package oauth2 // import "golang.org/x/oauth2"
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"context"
|
||||||
"errors"
|
"errors"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2/internal"
|
"golang.org/x/oauth2/internal"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -26,17 +26,13 @@ import (
|
||||||
// Deprecated: Use context.Background() or context.TODO() instead.
|
// Deprecated: Use context.Background() or context.TODO() instead.
|
||||||
var NoContext = context.TODO()
|
var NoContext = context.TODO()
|
||||||
|
|
||||||
// RegisterBrokenAuthHeaderProvider registers an OAuth2 server
|
// RegisterBrokenAuthHeaderProvider previously did something. It is now a no-op.
|
||||||
// identified by the tokenURL prefix as an OAuth2 implementation
|
//
|
||||||
// which doesn't support the HTTP Basic authentication
|
// Deprecated: this function no longer does anything. Caller code that
|
||||||
// scheme to authenticate with the authorization server.
|
// wants to avoid potential extra HTTP requests made during
|
||||||
// Once a server is registered, credentials (client_id and client_secret)
|
// auto-probing of the provider's auth style should set
|
||||||
// will be passed as query parameters rather than being present
|
// Endpoint.AuthStyle.
|
||||||
// in the Authorization header.
|
func RegisterBrokenAuthHeaderProvider(tokenURL string) {}
|
||||||
// See https://code.google.com/p/goauth2/issues/detail?id=31 for background.
|
|
||||||
func RegisterBrokenAuthHeaderProvider(tokenURL string) {
|
|
||||||
internal.RegisterBrokenAuthHeaderProvider(tokenURL)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Config describes a typical 3-legged OAuth2 flow, with both the
|
// Config describes a typical 3-legged OAuth2 flow, with both the
|
||||||
// client application information and the server's endpoint URLs.
|
// client application information and the server's endpoint URLs.
|
||||||
|
@ -71,13 +67,38 @@ type TokenSource interface {
|
||||||
Token() (*Token, error)
|
Token() (*Token, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Endpoint contains the OAuth 2.0 provider's authorization and token
|
// Endpoint represents an OAuth 2.0 provider's authorization and token
|
||||||
// endpoint URLs.
|
// endpoint URLs.
|
||||||
type Endpoint struct {
|
type Endpoint struct {
|
||||||
AuthURL string
|
AuthURL string
|
||||||
TokenURL string
|
TokenURL string
|
||||||
|
|
||||||
|
// AuthStyle optionally specifies how the endpoint wants the
|
||||||
|
// client ID & client secret sent. The zero value means to
|
||||||
|
// auto-detect.
|
||||||
|
AuthStyle AuthStyle
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// AuthStyle represents how requests for tokens are authenticated
|
||||||
|
// to the server.
|
||||||
|
type AuthStyle int
|
||||||
|
|
||||||
|
const (
|
||||||
|
// AuthStyleAutoDetect means to auto-detect which authentication
|
||||||
|
// style the provider wants by trying both ways and caching
|
||||||
|
// the successful way for the future.
|
||||||
|
AuthStyleAutoDetect AuthStyle = 0
|
||||||
|
|
||||||
|
// AuthStyleInParams sends the "client_id" and "client_secret"
|
||||||
|
// in the POST body as application/x-www-form-urlencoded parameters.
|
||||||
|
AuthStyleInParams AuthStyle = 1
|
||||||
|
|
||||||
|
// AuthStyleInHeader sends the client_id and client_password
|
||||||
|
// using HTTP Basic Authorization. This is an optional style
|
||||||
|
// described in the OAuth2 RFC 6749 section 2.3.1.
|
||||||
|
AuthStyleInHeader AuthStyle = 2
|
||||||
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// AccessTypeOnline and AccessTypeOffline are options passed
|
// AccessTypeOnline and AccessTypeOffline are options passed
|
||||||
// to the Options.AuthCodeURL method. They modify the
|
// to the Options.AuthCodeURL method. They modify the
|
||||||
|
@ -96,7 +117,7 @@ var (
|
||||||
// ApprovalForce forces the users to view the consent dialog
|
// ApprovalForce forces the users to view the consent dialog
|
||||||
// and confirm the permissions request at the URL returned
|
// and confirm the permissions request at the URL returned
|
||||||
// from AuthCodeURL, even if they've already done so.
|
// from AuthCodeURL, even if they've already done so.
|
||||||
ApprovalForce AuthCodeOption = SetAuthURLParam("approval_prompt", "force")
|
ApprovalForce AuthCodeOption = SetAuthURLParam("prompt", "consent")
|
||||||
)
|
)
|
||||||
|
|
||||||
// An AuthCodeOption is passed to Config.AuthCodeURL.
|
// An AuthCodeOption is passed to Config.AuthCodeURL.
|
||||||
|
@ -124,7 +145,7 @@ func SetAuthURLParam(key, value string) AuthCodeOption {
|
||||||
//
|
//
|
||||||
// Opts may include AccessTypeOnline or AccessTypeOffline, as well
|
// Opts may include AccessTypeOnline or AccessTypeOffline, as well
|
||||||
// as ApprovalForce.
|
// as ApprovalForce.
|
||||||
// It can also be used to pass the PKCE challange.
|
// It can also be used to pass the PKCE challenge.
|
||||||
// See https://www.oauth.com/oauth2-servers/pkce/ for more info.
|
// See https://www.oauth.com/oauth2-servers/pkce/ for more info.
|
||||||
func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
|
func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
|
||||||
var buf bytes.Buffer
|
var buf bytes.Buffer
|
||||||
|
@ -164,8 +185,7 @@ func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
|
||||||
// and when other authorization grant types are not available."
|
// and when other authorization grant types are not available."
|
||||||
// See https://tools.ietf.org/html/rfc6749#section-4.3 for more info.
|
// See https://tools.ietf.org/html/rfc6749#section-4.3 for more info.
|
||||||
//
|
//
|
||||||
// The HTTP client to use is derived from the context.
|
// The provided context optionally controls which HTTP client is used. See the HTTPClient variable.
|
||||||
// If nil, http.DefaultClient is used.
|
|
||||||
func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error) {
|
func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error) {
|
||||||
v := url.Values{
|
v := url.Values{
|
||||||
"grant_type": {"password"},
|
"grant_type": {"password"},
|
||||||
|
@ -183,8 +203,7 @@ func (c *Config) PasswordCredentialsToken(ctx context.Context, username, passwor
|
||||||
// It is used after a resource provider redirects the user back
|
// It is used after a resource provider redirects the user back
|
||||||
// to the Redirect URI (the URL obtained from AuthCodeURL).
|
// to the Redirect URI (the URL obtained from AuthCodeURL).
|
||||||
//
|
//
|
||||||
// The HTTP client to use is derived from the context.
|
// The provided context optionally controls which HTTP client is used. See the HTTPClient variable.
|
||||||
// If a client is not provided via the context, http.DefaultClient is used.
|
|
||||||
//
|
//
|
||||||
// The code will be in the *http.Request.FormValue("code"). Before
|
// The code will be in the *http.Request.FormValue("code"). Before
|
||||||
// calling Exchange, be sure to validate FormValue("state").
|
// calling Exchange, be sure to validate FormValue("state").
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
package oauth2
|
package oauth2
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
@ -12,7 +13,6 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
|
||||||
"golang.org/x/oauth2/internal"
|
"golang.org/x/oauth2/internal"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -118,13 +118,16 @@ func (t *Token) Extra(key string) interface{} {
|
||||||
return v
|
return v
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// timeNow is time.Now but pulled out as a variable for tests.
|
||||||
|
var timeNow = time.Now
|
||||||
|
|
||||||
// expired reports whether the token is expired.
|
// expired reports whether the token is expired.
|
||||||
// t must be non-nil.
|
// t must be non-nil.
|
||||||
func (t *Token) expired() bool {
|
func (t *Token) expired() bool {
|
||||||
if t.Expiry.IsZero() {
|
if t.Expiry.IsZero() {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
return t.Expiry.Round(0).Add(-expiryDelta).Before(time.Now())
|
return t.Expiry.Round(0).Add(-expiryDelta).Before(timeNow())
|
||||||
}
|
}
|
||||||
|
|
||||||
// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
|
// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
|
||||||
|
@ -151,7 +154,7 @@ func tokenFromInternal(t *internal.Token) *Token {
|
||||||
// This token is then mapped from *internal.Token into an *oauth2.Token which is returned along
|
// This token is then mapped from *internal.Token into an *oauth2.Token which is returned along
|
||||||
// with an error..
|
// with an error..
|
||||||
func retrieveToken(ctx context.Context, c *Config, v url.Values) (*Token, error) {
|
func retrieveToken(ctx context.Context, c *Config, v url.Values) (*Token, error) {
|
||||||
tk, err := internal.RetrieveToken(ctx, c.ClientID, c.ClientSecret, c.Endpoint.TokenURL, v)
|
tk, err := internal.RetrieveToken(ctx, c.ClientID, c.ClientSecret, c.Endpoint.TokenURL, v, internal.AuthStyle(c.Endpoint.AuthStyle))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if rErr, ok := err.(*internal.RetrieveError); ok {
|
if rErr, ok := err.(*internal.RetrieveError); ok {
|
||||||
return nil, (*RetrieveError)(rErr)
|
return nil, (*RetrieveError)(rErr)
|
||||||
|
|
|
@ -6,7 +6,7 @@ package oauth2
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"io"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
"sync"
|
"sync"
|
||||||
)
|
)
|
||||||
|
@ -25,9 +25,6 @@ type Transport struct {
|
||||||
// Base is the base RoundTripper used to make HTTP requests.
|
// Base is the base RoundTripper used to make HTTP requests.
|
||||||
// If nil, http.DefaultTransport is used.
|
// If nil, http.DefaultTransport is used.
|
||||||
Base http.RoundTripper
|
Base http.RoundTripper
|
||||||
|
|
||||||
mu sync.Mutex // guards modReq
|
|
||||||
modReq map[*http.Request]*http.Request // original -> modified
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// RoundTrip authorizes and authenticates the request with an
|
// RoundTrip authorizes and authenticates the request with an
|
||||||
|
@ -52,35 +49,22 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||||
|
|
||||||
req2 := cloneRequest(req) // per RoundTripper contract
|
req2 := cloneRequest(req) // per RoundTripper contract
|
||||||
token.SetAuthHeader(req2)
|
token.SetAuthHeader(req2)
|
||||||
t.setModReq(req, req2)
|
|
||||||
res, err := t.base().RoundTrip(req2)
|
|
||||||
|
|
||||||
// req.Body is assumed to have been closed by the base RoundTripper.
|
// req.Body is assumed to be closed by the base RoundTripper.
|
||||||
reqBodyClosed = true
|
reqBodyClosed = true
|
||||||
|
return t.base().RoundTrip(req2)
|
||||||
if err != nil {
|
|
||||||
t.setModReq(req, nil)
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
res.Body = &onEOFReader{
|
|
||||||
rc: res.Body,
|
|
||||||
fn: func() { t.setModReq(req, nil) },
|
|
||||||
}
|
|
||||||
return res, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// CancelRequest cancels an in-flight request by closing its connection.
|
var cancelOnce sync.Once
|
||||||
|
|
||||||
|
// CancelRequest does nothing. It used to be a legacy cancellation mechanism
|
||||||
|
// but now only it only logs on first use to warn that it's deprecated.
|
||||||
|
//
|
||||||
|
// Deprecated: use contexts for cancellation instead.
|
||||||
func (t *Transport) CancelRequest(req *http.Request) {
|
func (t *Transport) CancelRequest(req *http.Request) {
|
||||||
type canceler interface {
|
cancelOnce.Do(func() {
|
||||||
CancelRequest(*http.Request)
|
log.Printf("deprecated: golang.org/x/oauth2: Transport.CancelRequest no longer does anything; use contexts")
|
||||||
}
|
})
|
||||||
if cr, ok := t.base().(canceler); ok {
|
|
||||||
t.mu.Lock()
|
|
||||||
modReq := t.modReq[req]
|
|
||||||
delete(t.modReq, req)
|
|
||||||
t.mu.Unlock()
|
|
||||||
cr.CancelRequest(modReq)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *Transport) base() http.RoundTripper {
|
func (t *Transport) base() http.RoundTripper {
|
||||||
|
@ -90,19 +74,6 @@ func (t *Transport) base() http.RoundTripper {
|
||||||
return http.DefaultTransport
|
return http.DefaultTransport
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *Transport) setModReq(orig, mod *http.Request) {
|
|
||||||
t.mu.Lock()
|
|
||||||
defer t.mu.Unlock()
|
|
||||||
if t.modReq == nil {
|
|
||||||
t.modReq = make(map[*http.Request]*http.Request)
|
|
||||||
}
|
|
||||||
if mod == nil {
|
|
||||||
delete(t.modReq, orig)
|
|
||||||
} else {
|
|
||||||
t.modReq[orig] = mod
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// cloneRequest returns a clone of the provided *http.Request.
|
// cloneRequest returns a clone of the provided *http.Request.
|
||||||
// The clone is a shallow copy of the struct and its Header map.
|
// The clone is a shallow copy of the struct and its Header map.
|
||||||
func cloneRequest(r *http.Request) *http.Request {
|
func cloneRequest(r *http.Request) *http.Request {
|
||||||
|
@ -116,29 +87,3 @@ func cloneRequest(r *http.Request) *http.Request {
|
||||||
}
|
}
|
||||||
return r2
|
return r2
|
||||||
}
|
}
|
||||||
|
|
||||||
type onEOFReader struct {
|
|
||||||
rc io.ReadCloser
|
|
||||||
fn func()
|
|
||||||
}
|
|
||||||
|
|
||||||
func (r *onEOFReader) Read(p []byte) (n int, err error) {
|
|
||||||
n, err = r.rc.Read(p)
|
|
||||||
if err == io.EOF {
|
|
||||||
r.runFunc()
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func (r *onEOFReader) Close() error {
|
|
||||||
err := r.rc.Close()
|
|
||||||
r.runFunc()
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (r *onEOFReader) runFunc() {
|
|
||||||
if fn := r.fn; fn != nil {
|
|
||||||
fn()
|
|
||||||
r.fn = nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
Loading…
Reference in New Issue