authorAndy Zhao <andyzhao@google.com>2023-03-02 17:40:29 +0000
committerShin Fan <shinfan@google.com>2023-03-03 18:55:16 +0000
commit885f294722cab86dbe73633465663b9a43e3ba78 (patch)
treeb8e54573bebb2a86e031fe07fb9fd2085e68f37f
parent6f9c1a18cc48103b815a810b907f038d953749a9 (diff)
downloadgolang-x-oauth2-885f294722cab86dbe73633465663b9a43e3ba78.tar.gz
google: Add support for OAuth2 token exchange over mTLS
With Context Aware Access enabled, users must use the endpoint "https://oauth2.mtls.googleapis.com/token" for token exchange. This PR adds support for runtime configuration of the OAuth2 token endpoint (as determined by the caller). If using the mTLS oauth2 endpoint, the caller will also need to specify an mTLS-enabled HTTPClient via the "context" mechanism for use by the OAuth2 transport. Change-Id: Ic83342ec1d224d3acdabf00d863249330424fc54 GitHub-Last-Rev: 07e4849e96a72028a8d6ff99b228846902f5bea6 GitHub-Pull-Request: golang/oauth2#630 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/470396 Run-TryBot: Matthew Hickford <hickford@google.com> Reviewed-by: Shin Fan <shinfan@google.com> Run-TryBot: Shin Fan <shinfan@google.com> Reviewed-by: Matthew Hickford <hickford@google.com> Reviewed-by: Andy Zhao <andyzhao@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
-rw-r--r--google/default.go4
-rw-r--r--google/google.go9
2 files changed, 12 insertions, 1 deletions
diff --git a/google/default.go b/google/default.go
index a144d78..db6b19e 100644
--- a/google/default.go
+++ b/google/default.go
@@ -62,6 +62,10 @@ type CredentialsParams struct {
// PKCE is used to support PKCE flow. Optional for 3LO flow.
PKCE *authhandler.PKCEParams
+
+ // The OAuth2 TokenURL default override. This value overrides the default TokenURL,
+ // unless explicitly specified by the credentials config file. Optional.
+ TokenURL string
}
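Review bot: The new field's doc comment on the two added comment lines does not start with the field name, so `go doc`/golint will not attach it cleanly; rewrite it as `// TokenURL overrides the default OAuth2 token endpoint when the credentials file does not set one. Optional.`. Since the commit description says the mTLS endpoint only works with an mTLS-capable http.Client supplied through the context, the comment is also the place to state that coupling, e.g. `// When set to MTLSTokenURL, the caller must also supply an mTLS-enabled HTTPClient via the context.`. The field is a plain string, so the `deepCopy` method whose signature follows the hunk presumably needs no change, but that body is outside the hunk and I could not confirm it.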
func (params CredentialsParams) deepCopy() CredentialsParams {
diff --git a/google/google.go b/google/google.go
index 8df0c49..a1b629a 100644
--- a/google/google.go
+++ b/google/google.go
@@ -26,6 +26,9 @@ var Endpoint = oauth2.Endpoint{
AuthStyle: oauth2.AuthStyleInParams,
}
+// MTLSTokenURL is Google's OAuth 2.0 default mTLS endpoint.
+const MTLSTokenURL = "https://oauth2.mtls.googleapis.com/token"
+
// JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
const JWTTokenURL = "https://oauth2.googleapis.com/token"
@@ -172,7 +175,11 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
cfg.Endpoint.AuthURL = Endpoint.AuthURL
}
if cfg.Endpoint.TokenURL == "" {
- cfg.Endpoint.TokenURL = Endpoint.TokenURL
+ if params.TokenURL != "" {
+ cfg.Endpoint.TokenURL = params.TokenURL
+ } else {
+ cfg.Endpoint.TokenURL = Endpoint.TokenURL
+ }
}
tok := &oauth2.Token{RefreshToken: f.RefreshToken}
return cfg.TokenSource(ctx, tok), nil
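Review bot: `params.TokenURL` is copied into `cfg.Endpoint.TokenURL` with no validation, and the refresh token and client secret are later posted to whatever that string is, so a caller-supplied `http://` or malformed value silently downgrades the exchange; a scheme check such as `if u, err := url.Parse(params.TokenURL); err != nil || u.Scheme != "https" { return nil, fmt.Errorf("google: invalid TokenURL %q", params.TokenURL) }` before the assignment would catch this early (needs `net/url` if the file does not already import it). The override is also only reached on the branch where the credentials file leaves `token_uri` empty, which is what the new field's comment describes, but it is worth a one-line comment here, e.g. `// A token_uri in the credentials file always wins over params.TokenURL.`, so the precedence is visible at the point of use. The enclosing `tokenSource` method begins before this hunk and its closing brace is after it; if other credential-type branches of that method choose their own token URL, this change does not touch them.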