internal: recognize Salesforce and Okta domains as broken providers
Fixes golang/oauth2#166
Change-Id: Ib3854db4a28a596af3565a84843fc0fa66709193
Reviewed-on: https://go-review.googlesource.com/38376
Reviewed-by: Jaana Burcu Dogan <jbd@google.com>
diff --git a/internal/token.go b/internal/token.go
index b840067..018b58a 100644
--- a/internal/token.go
+++ b/internal/token.go
@@ -122,6 +122,13 @@
"https://sandbox.codeswholesale.com/oauth/token",
}
+// brokenAuthHeaderDomains lists broken providers that issue dynamic endpoints.
+var brokenAuthHeaderDomains = []string{
+ ".force.com",
+ ".okta.com",
+ ".oktapreview.com",
+}
+
func RegisterBrokenAuthHeaderProvider(tokenURL string) {
brokenAuthHeaderProviders = append(brokenAuthHeaderProviders, tokenURL)
}
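Review bot: The comment on `brokenAuthHeaderDomains` does not say how the entries are matched, and the leading dot is what keeps the match safe. From the second hunk, each entry is compared as a suffix of the token URL host, so `.okta.com` covers any subdomain while a lookalike such as `notokta.com` (constructed example) is not caught. I would extend the comment with something like `// Entries are matched as suffixes of the token URL host; keep the leading dot so only subdomains of the provider match.` A later contributor adding an entry without the dot would silently widen the match to unrelated registrable domains.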
@@ -142,6 +149,14 @@
}
}
+ if u, err := url.Parse(tokenURL); err == nil {
+ for _, s := range brokenAuthHeaderDomains {
+ if strings.HasSuffix(u.Host, s) {
+ return false
+ }
+ }
+ }
+
// Assume the provider implements the spec properly
// otherwise. We can add more exceptions as they're
// discovered. We will _not_ be adding configurable hooks
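Review bot: The added loop tests the suffix against `u.Host`, which still includes any explicit port, so a token URL like `https://dev-12345.okta.com:443/token` (constructed example) does not end in `.okta.com` and falls through to the "works" default. The comparison is also case-sensitive although host names are not. Consider `host := strings.ToLower(u.Hostname())` followed by `strings.HasSuffix(host, s)`; `URL.Hostname` requires Go 1.8, so the port would have to be stripped by hand if older toolchains are still supported. On a miss the client credentials are sent in the Authorization header to a provider listed as not accepting them, so the token request presumably fails in a way that is hard to diagnose. The enclosing function starts and ends outside this hunk.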
diff --git a/internal/token_test.go b/internal/token_test.go
index c7c7982..882de11 100644
--- a/internal/token_test.go
+++ b/internal/token_test.go
@@ -58,3 +58,24 @@
t.Errorf("got %q as unbroken; want broken", p)
}
}
+
+func TestProviderAuthHeaderWorksDomain(t *testing.T) {
+ tests := []struct {
+ tokenURL string
+ wantWorks bool
+ }{
+ {"https://dev-12345.okta.com/token-url", false},
+ {"https://dev-12345.oktapreview.com/token-url", false},
+ {"https://dev-12345.okta.org/token-url", true},
+ {"https://foo.bar.force.com/token-url", false},
+ {"https://foo.force.com/token-url", false},
+ {"https://force.com/token-url", true},
+ }
+
+ for _, test := range tests {
+ got := providerAuthHeaderWorks(test.tokenURL)
+ if got != test.wantWorks {
+ t.Errorf("providerAuthHeaderWorks(%q) = %v; want %v", test.tokenURL, got, test.wantWorks)
+ }
+ }
+}
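Review bot: The table in `TestProviderAuthHeaderWorksDomain` has no row with an explicit port or an upper-case host, which are the inputs most likely to defeat a suffix match on `u.Host`. Rows such as `{"https://dev-12345.okta.com:443/token-url", false}` and `{"https://DEV-12345.OKTA.COM/token-url", false}` (constructed values) would pin the intended classification. A lookalike row such as `{"https://notokta.com/token-url", true}` would also record why every domain entry starts with a dot.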