8 // It can additionally grant authorization with Bearer JWT. |
8 // It can additionally grant authorization with Bearer JWT. |
9 package oauth2 // import "golang.org/x/oauth2" |
9 package oauth2 // import "golang.org/x/oauth2" |
10 |
10 |
11 import ( |
11 import ( |
12 "bytes" |
12 "bytes" |
|
13 "context" |
13 "errors" |
14 "errors" |
14 "net/http" |
15 "net/http" |
15 "net/url" |
16 "net/url" |
16 "strings" |
17 "strings" |
17 "sync" |
18 "sync" |
18 |
19 |
19 "golang.org/x/net/context" |
|
20 "golang.org/x/oauth2/internal" |
20 "golang.org/x/oauth2/internal" |
21 ) |
21 ) |
22 |
22 |
23 // NoContext is the default context you should supply if not using |
23 // NoContext is the default context you should supply if not using |
24 // your own context.Context (see https://golang.org/x/net/context). |
24 // your own context.Context (see https://golang.org/x/net/context). |
25 // |
25 // |
26 // Deprecated: Use context.Background() or context.TODO() instead. |
26 // Deprecated: Use context.Background() or context.TODO() instead. |
27 var NoContext = context.TODO() |
27 var NoContext = context.TODO() |
28 |
28 |
29 // RegisterBrokenAuthHeaderProvider registers an OAuth2 server |
29 // RegisterBrokenAuthHeaderProvider previously did something. It is now a no-op. |
30 // identified by the tokenURL prefix as an OAuth2 implementation |
30 // |
31 // which doesn't support the HTTP Basic authentication |
31 // Deprecated: this function no longer does anything. Caller code that |
32 // scheme to authenticate with the authorization server. |
32 // wants to avoid potential extra HTTP requests made during |
33 // Once a server is registered, credentials (client_id and client_secret) |
33 // auto-probing of the provider's auth style should set |
34 // will be passed as query parameters rather than being present |
34 // Endpoint.AuthStyle. |
35 // in the Authorization header. |
35 func RegisterBrokenAuthHeaderProvider(tokenURL string) {} |
36 // See https://code.google.com/p/goauth2/issues/detail?id=31 for background. |
|
37 func RegisterBrokenAuthHeaderProvider(tokenURL string) { |
|
38 internal.RegisterBrokenAuthHeaderProvider(tokenURL) |
|
39 } |
|
40 |
36 |
41 // Config describes a typical 3-legged OAuth2 flow, with both the |
37 // Config describes a typical 3-legged OAuth2 flow, with both the |
42 // client application information and the server's endpoint URLs. |
38 // client application information and the server's endpoint URLs. |
43 // For the client credentials 2-legged OAuth2 flow, see the clientcredentials |
39 // For the client credentials 2-legged OAuth2 flow, see the clientcredentials |
44 // package (https://golang.org/x/oauth2/clientcredentials). |
40 // package (https://golang.org/x/oauth2/clientcredentials). |
69 // Token must be safe for concurrent use by multiple goroutines. |
65 // Token must be safe for concurrent use by multiple goroutines. |
70 // The returned Token must not be modified. |
66 // The returned Token must not be modified. |
71 Token() (*Token, error) |
67 Token() (*Token, error) |
72 } |
68 } |
73 |
69 |
74 // Endpoint contains the OAuth 2.0 provider's authorization and token |
70 // Endpoint represents an OAuth 2.0 provider's authorization and token |
75 // endpoint URLs. |
71 // endpoint URLs. |
76 type Endpoint struct { |
72 type Endpoint struct { |
77 AuthURL string |
73 AuthURL string |
78 TokenURL string |
74 TokenURL string |
79 } |
75 |
|
76 // AuthStyle optionally specifies how the endpoint wants the |
|
77 // client ID & client secret sent. The zero value means to |
|
78 // auto-detect. |
|
79 AuthStyle AuthStyle |
|
80 } |
|
81 |
|
82 // AuthStyle represents how requests for tokens are authenticated |
|
83 // to the server. |
|
84 type AuthStyle int |
|
85 |
|
86 const ( |
|
87 // AuthStyleAutoDetect means to auto-detect which authentication |
|
88 // style the provider wants by trying both ways and caching |
|
89 // the successful way for the future. |
|
90 AuthStyleAutoDetect AuthStyle = 0 |
|
91 |
|
92 // AuthStyleInParams sends the "client_id" and "client_secret" |
|
93 // in the POST body as application/x-www-form-urlencoded parameters. |
|
94 AuthStyleInParams AuthStyle = 1 |
|
95 |
|
96 // AuthStyleInHeader sends the client_id and client_password |
|
97 // using HTTP Basic Authorization. This is an optional style |
|
98 // described in the OAuth2 RFC 6749 section 2.3.1. |
|
99 AuthStyleInHeader AuthStyle = 2 |
|
100 ) |
80 |
101 |
81 var ( |
102 var ( |
82 // AccessTypeOnline and AccessTypeOffline are options passed |
103 // AccessTypeOnline and AccessTypeOffline are options passed |
83 // to the Options.AuthCodeURL method. They modify the |
104 // to the Options.AuthCodeURL method. They modify the |
84 // "access_type" field that gets sent in the URL returned by |
105 // "access_type" field that gets sent in the URL returned by |
94 AccessTypeOffline AuthCodeOption = SetAuthURLParam("access_type", "offline") |
115 AccessTypeOffline AuthCodeOption = SetAuthURLParam("access_type", "offline") |
95 |
116 |
96 // ApprovalForce forces the users to view the consent dialog |
117 // ApprovalForce forces the users to view the consent dialog |
97 // and confirm the permissions request at the URL returned |
118 // and confirm the permissions request at the URL returned |
98 // from AuthCodeURL, even if they've already done so. |
119 // from AuthCodeURL, even if they've already done so. |
99 ApprovalForce AuthCodeOption = SetAuthURLParam("approval_prompt", "force") |
120 ApprovalForce AuthCodeOption = SetAuthURLParam("prompt", "consent") |
100 ) |
121 ) |
101 |
122 |
102 // An AuthCodeOption is passed to Config.AuthCodeURL. |
123 // An AuthCodeOption is passed to Config.AuthCodeURL. |
103 type AuthCodeOption interface { |
124 type AuthCodeOption interface { |
104 setValue(url.Values) |
125 setValue(url.Values) |
122 // the state query parameter on your redirect callback. |
143 // the state query parameter on your redirect callback. |
123 // See http://tools.ietf.org/html/rfc6749#section-10.12 for more info. |
144 // See http://tools.ietf.org/html/rfc6749#section-10.12 for more info. |
124 // |
145 // |
125 // Opts may include AccessTypeOnline or AccessTypeOffline, as well |
146 // Opts may include AccessTypeOnline or AccessTypeOffline, as well |
126 // as ApprovalForce. |
147 // as ApprovalForce. |
127 // It can also be used to pass the PKCE challange. |
148 // It can also be used to pass the PKCE challenge. |
128 // See https://www.oauth.com/oauth2-servers/pkce/ for more info. |
149 // See https://www.oauth.com/oauth2-servers/pkce/ for more info. |
129 func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string { |
150 func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string { |
130 var buf bytes.Buffer |
151 var buf bytes.Buffer |
131 buf.WriteString(c.Endpoint.AuthURL) |
152 buf.WriteString(c.Endpoint.AuthURL) |
132 v := url.Values{ |
153 v := url.Values{ |
162 // degree of trust between the resource owner and the client (e.g., the client |
183 // degree of trust between the resource owner and the client (e.g., the client |
163 // is part of the device operating system or a highly privileged application), |
184 // is part of the device operating system or a highly privileged application), |
164 // and when other authorization grant types are not available." |
185 // and when other authorization grant types are not available." |
165 // See https://tools.ietf.org/html/rfc6749#section-4.3 for more info. |
186 // See https://tools.ietf.org/html/rfc6749#section-4.3 for more info. |
166 // |
187 // |
167 // The HTTP client to use is derived from the context. |
188 // The provided context optionally controls which HTTP client is used. See the HTTPClient variable. |
168 // If nil, http.DefaultClient is used. |
|
169 func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error) { |
189 func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error) { |
170 v := url.Values{ |
190 v := url.Values{ |
171 "grant_type": {"password"}, |
191 "grant_type": {"password"}, |
172 "username": {username}, |
192 "username": {username}, |
173 "password": {password}, |
193 "password": {password}, |
181 // Exchange converts an authorization code into a token. |
201 // Exchange converts an authorization code into a token. |
182 // |
202 // |
183 // It is used after a resource provider redirects the user back |
203 // It is used after a resource provider redirects the user back |
184 // to the Redirect URI (the URL obtained from AuthCodeURL). |
204 // to the Redirect URI (the URL obtained from AuthCodeURL). |
185 // |
205 // |
186 // The HTTP client to use is derived from the context. |
206 // The provided context optionally controls which HTTP client is used. See the HTTPClient variable. |
187 // If a client is not provided via the context, http.DefaultClient is used. |
|
188 // |
207 // |
189 // The code will be in the *http.Request.FormValue("code"). Before |
208 // The code will be in the *http.Request.FormValue("code"). Before |
190 // calling Exchange, be sure to validate FormValue("state"). |
209 // calling Exchange, be sure to validate FormValue("state"). |
191 // |
210 // |
192 // Opts may include the PKCE verifier code if previously used in AuthCodeURL. |
211 // Opts may include the PKCE verifier code if previously used in AuthCodeURL. |