Go OAuth2

Overview

OAuth2 for Go

The oauth2 package contains a client implementation of the OAuth 2.0 spec.

Installation

go get golang.org/x/oauth2

Or you can manually git clone the repository to $(go env GOPATH)/src/golang.org/x/oauth2.

See pkg.go.dev for further documentation and examples.

Policy for new packages

We no longer accept new provider-specific packages in this repo if all they do is add a single endpoint variable. If you just want to add a single endpoint, add it to the pkg.go.dev/golang.org/x/oauth2/endpoints package.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.

The main issue tracker for the oauth2 repository is located at https://github.com/golang/oauth2/issues.

Issues
  • google: base account credentials with file-sourcing

    Implements the core functionality to allow 3rd party identities access to Google APIs. Specifically, this PR implements the base account credential type and supports file-sourced credentials such as Kubernetes workloads. Later updates will add support for URL-sourced credentials such as Microsoft Azure and support for AWS credentials.

    cla: yes 
    opened by gIthuriel 50
  • brokenAuthHeaderProviders - time to try something else?

    Perhaps add a BrokenAuthHeader to EndPoint?

    The server bug behind this seems pretty common (it's also in Shopify, with domain names [shop].myshopify.com), and it seems unfortunate to need to update this library every time someone finds one. I'd bet 90% of the forks are to add another broken provider.

    Let me know if you might accept a change like this and I'll work on it.

    opened by philpearl 40
  • authhandler: Add support for 3-legged-OAuth

    Added authhandler.go, which implements a TokenSource to support "three-legged OAuth 2.0" via a custom AuthorizationHandler.

    Added example_test.go with a sample command line implementation for AuthorizationHandler.

    This patch adds support for 3-legged-OAuth flow using an OAuth Client ID file downloaded from Google Cloud Console.

    cla: yes 
    opened by andyrzhao 37
  • google: add support for "impersonated_service_account" credential type.

    New credential type supported: "impersonated_service_account".

    Extend the "credentialsFile" struct to take into account the credential source for the impersonation.

    Reuse of ImpersonateTokenSource struct, from `google/internal/externalaccount/Impersonate.go` file. The struct has a package-scope visibility now.

    Fixes: #515

    cla: yes 
    opened by guillaumeblaquiere 33
  • Caches should be Transport implementations

    @proppy gave some feedback about caching. The Cache interface doesn't have the flexibility to support multiple users. Rather than providing another Cache interface with token identification such as

    type Cache interface {
        Read(id interface{}) (*Token, error)
        Write(id interface{}, token *Token) error
    }
    

    we should wrap the authorizedTransport with a cacher transport.

    t := FileCacheTransport{config.NewAuthorizedTransport()}
    

    FileCacheTransport's RoundTripper could handle token caching.

    opened by rakyll 26
  • oauth2/google: sign private claims with service account

    In some cases it is desirable to generate a JWT signed by a service account with custom claims. For instance, when exchanging a service account signed token for a Google ID token.

    Fixes golang/oauth2#266

    cla: yes 
    opened by samsends 25
  • jwt: support PrivateClaims in Config

    This would help add extra claims for certain 2-leg JWT exchanges.

    For example, a Google service account key can be used to generate an OIDC token, but the Google TokenURL requires the "target_audience" claim to be set.

    See this example usage: https://gist.github.com/wlhee/64bc518190053e2122ca1909c2977c67#file-exmaple-go-L29

    cla: yes 
    opened by wlhee 23
  • google/externalaccount: add support for workforce pool credentials

    Workforce pools (external account credentials for non-Google users) are organization-level resources, which means that issued workforce pool tokens will not have any client project ID on token exchange as currently designed.

    "To use a Google API, the client must identify the application to the server. If the API requires authentication, the client must also identify the principal running the application."

    The application here is the client project. The token will identify the user principal but not the application. This will result in APIs rejecting requests authenticated with these tokens.

    Note that passing an x-goog-user-project override header on the API request is still not sufficient. The token is still expected to have a client project.

    As a result, we have extended the spec to support an additional workforce_pool_user_project for these credentials (workforce pools) which will be passed when exchanging an external token for a Google Access token. After the exchange, the issued access token will use the supplied project as the client project. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota.

    This field is not needed for flows with basic client authentication (e.g. client ID is supplied). The client ID is sufficient to determine the client project and any additionally supplied workforce_pool_user_project value will be ignored.

    Note that this feature is not usable yet publicly.

    cla: yes 
    opened by ScruffyProdigy 21
  • Facebook long lived access token

    Hi,

    Is there a way I can use golang oauth2 to extend short-lived Facebook access tokens? With the new version of Go 1.5 I cannot use the "internal" package.

    What I used to do with the 1.4 version of Go is:

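    import (
        "net/url"

        "golang.org/x/oauth2"
        "golang.org/x/oauth2/internal"
    )

    // Exchange the short-lived token (tkn) for a long-lived one by calling
    // the library's internal token retrieval helper directly.
    itk, err := internal.RetrieveToken(
        oauth2.NoContext,
        cfg.ClientID,
        cfg.ClientSecret,
        cfg.Endpoint.TokenURL,
        url.Values{
            "grant_type":        {"fb_exchange_token"},
            "fb_exchange_token": {tkn.AccessToken},
        },
    )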
    

    Is there a "supported" or "suggested" way to do this with Go 1.5 that doesn't allow the usage of the "internal" package?

    Thanks, Alex

    opened by alexdeefuse 21
  • jwt: add Config.Audience field

    Add an Audience field to jwt.Config which, if set, is used instead of TokenURL as the 'aud' claim in the generated JWT. This allows the jwt package to work with authorization servers that require the 'aud' claim and token endpoint URL to be different values.

    Fixes #369.

    cla: yes 
    opened by nwidger 20
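The two jwt proposals listed above (PrivateClaims in Config, and a Config.Audience field used instead of TokenURL as the 'aud' claim) both concern how the assertion's claim set is assembled before signing. The following is an added sketch using only the Go standard library, not code from golang.org/x/oauth2; assertionConfig, claims and sign are hypothetical names and the example.test values are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// assertionConfig is a hypothetical stand-in, not jwt.Config from x/oauth2.
type assertionConfig struct {
	Issuer, TokenURL, Audience string // Audience, if set, replaces TokenURL as "aud"
	PrivateClaims              map[string]interface{}
}

// claims writes registered claims last so a private claim cannot replace them.
func (c assertionConfig) claims(now time.Time) map[string]interface{} {
	out := map[string]interface{}{}
	for k, v := range c.PrivateClaims {
		out[k] = v
	}
	out["iss"], out["aud"], out["iat"], out["exp"] = c.Issuer, c.TokenURL, now.Unix(), now.Add(time.Hour).Unix()
	if c.Audience != "" {
		out["aud"] = c.Audience
	}
	return out
}

// sign serializes the claims as an RS256 JWT: header.payload.signature.
func sign(claims map[string]interface{}, key *rsa.PrivateKey) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	in := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body)
	sum := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return in + "." + enc(sig), err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	cfg := assertionConfig{Issuer: "svc@example.test", TokenURL: "https://sts.example.test/token"}
	fmt.Println(sign(cfg.claims(time.Now()), key))
}
```

Writing the registered claims after the private ones means a caller-supplied "aud" or "exp" entry in PrivateClaims cannot change the token's audience or lifetime.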
  • feat: Add AWS Session Token to Metadata Requests

    AWS released a new instance metadata service (IMDSv2). IMDSv2 brought a requirement that a session token header is now required on every call to the metadata endpoint. Modify the AWS credential retrieval flow to fetch the session token and send it along with the calls to metadata endpoints.

    opened by sai-sunder-s 19
  • golang.org/x/net dependency is superfluous

    There is a single use of golang.org/x/net dependency in the whole library: ctxhttp.Do.

    It can be easily inlined and the dependency dropped: https://github.com/ridge/oauth2/commit/b7f928651e695e33d6ec3cdf2213df1b5475bbbe

    opened by misha-ridge 0
  • Wrong documentation on NewClient

    Documentation of NewClient states:

    https://github.com/golang/oauth2/blob/9780585627b5122c8cc9c6a378ac9861507e7551/oauth2.go#L333

    However, even if you pass a canceled context into NewClient, it has absolutely no effect. For example:

    func (c *Config) NewCustomClient(ctx context.Context) *http.Client {
        // ctx2 is already canceled when it is passed to NewClient.
        ctx2, cancel := context.WithCancel(ctx)
        cancel()
        return oauth2.NewClient(ctx2, c.TokenSource(ctx))
    }
    

    and then make a request with the returned client:

    c := cfg.NewCustomClient(context.Background())
    req, _ := http.NewRequest(http.MethodGet, getURL().String(), http.NoBody)
    req.Header.Set("Accept", "application/json")
    resp, err := c.Do(req)
    

    it has no effect.

    Or am I misunderstanding something?

    opened by Itshardtopickanusername 0
  • Allow set audience for Google Service Accounts

    go 1.17

    When using Private Service Connect, the token uri and the audience are different.

    The token uri could be https://oauth2-<service_name>.p.googleapis.com/token but the audience will always be https://oauth2.googleapis.com/token, and currently we are sharing the same value for Service accounts.

    opened by DKbyo 0
Owner
Go
The Go Programming Language
Go
Hazelcast Storage for go-oauth2/oauth2

Hazelcast Storage for go-oauth2/oauth2

Clowre 0 Jan 26, 2022
A standalone, specification-compliant, OAuth2 server written in Golang.

Go OAuth2 Server This service implements OAuth 2.0 specification. Excerpts from the specification are included in this README file to describe differe

Richard Knop 1.9k May 17, 2022
Go login handlers for authentication providers (OAuth1, OAuth2)

gologin Package gologin provides chainable login http.Handler's for Google, Github, Twitter, Facebook, Bitbucket, Tumblr, or any OAuth1 or OAuth2 auth

Dalton Hubble 1.5k May 4, 2022
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, ..

loginsrv loginsrv is a standalone minimalistic login server providing a JWT login for multiple login backends. ** Attention: Update to v1.3.0 for Goog

tarent 1.9k May 6, 2022
Go OAuth2

OAuth2 for Go oauth2 package contains a client implementation for OAuth 2.0 spec. Installation go get golang.org/x/oauth2 Or you can manually git clo

Go 4.2k May 17, 2022
Golang OAuth2 server library

OSIN Golang OAuth2 server library OSIN is an OAuth2 server library for the Go language, as specified at http://tools.ietf.org/html/rfc6749 and http://

OpenShift 1.7k May 15, 2022
A Sample Integration of Google and GitHub OAuth2 in Golang (GoFiber) utilising MongoDB

Go Oauth Server This is sample OAuth integration written in GoLang that also uses MongoDB. This is a sample TODO Application where people can Create a

Hemanth Krishna 8 Apr 25, 2022
Go library providing in-memory implementation of an OAuth2 Authorization Server / OpenID Provider

dispans Go library providing in-memory implementation of an OAuth2 Authorization Server / OpenID Provider. The name comes from the Swedish word dispen

Xenit AB 3 Dec 22, 2021
Envoy Oauth2 Filter helloworld

Envoy Oauth2 Filter A simple sample demonstrating Envoy's Oauth2 Filter. Basically, this filter will handle all the details for OAuth 2.0 for Web Serv

null 2 Apr 17, 2022
Identity-service - An OAuth2 identity provider that operates over gRPC

Identity-service - An OAuth2 identity provider that operates over gRPC

Otter Social 2 May 2, 2022
Identity - An OAuth2 identity provider that operates over gRPC

Otter Social > Identity Provider An OAuth2 identity provider that operates over

Otter Social 2 May 2, 2022
Golang OAuth2.0 server

Golang OAuth2.0 server

BOKS 1 Feb 5, 2022
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd

login-service login-service is a standalone minimalistic login server providing a (JWT)[https://jwt.io/] login for multiple login backends. Abstract l

Loren Lisk 0 Feb 12, 2022
Oauth2-golang - Oauth2 Golang Mysql

Oauth2-golang - Oauth2 Golang Mysql

null 1 Jan 27, 2022
A Golang SDK for Medium's OAuth2 API

Medium SDK for Go This repository contains the open source SDK for integrating Medium's OAuth2 API into your Go app. Install go get github.com/Medium/

Medium 131 May 18, 2022
publish github pages privately secured by github sso (oauth2)

private-ghp Serves static sites from private repositories to members with read access (or higher), secured using GitHub OAuth2. The server is written

john dev 5 May 10, 2022