appengine: implement AppEngineTokenSource for 2nd gen runtimes

Go 1.11 on App Engine standard is a "second generation" runtime, and
second generation runtimes do not set the appengine build tag.
appengine_hook.go was behind the appengine build tag, meaning that
AppEngineTokenSource panicked on the go111 runtime, saying,
"AppEngineTokenSource can only be used on App Engine."

The second gen runtimes should use ComputeTokenSource, which is also
what flex does [1]. This commit does two things to remedy the situation:

1. Put the pre-existing implementation of AppEngineTokenSource behind
   the appengine build tag since it only works on first gen App Engine
   runtimes. This leaves first gen behavior unchanged.
2. Add a new implementation of AppEngineTokenSource and tag it
   !appengine. This implementation will therefore be used by second gen
   App Engine standard runtimes and App Engine flexible. It delegates
   to ComputeTokenSource.

The new AppEngineTokenSource implementation emits a log message
informing the user that AppEngineTokenSource is deprecated for second
gen runtimes and flex, instructing them to use DefaultTokenSource or
ComputeTokenSource instead. The documentation is updated to say the

In this way users will not break when upgrading from Go 1.9 to Go 1.11
on App Engine but they will be nudged toward the world where App Engine
runtimes have less special behavior.

findDefaultCredentials still calls AppEngineTokenSource for first gen
runtimes and ComputeTokenSource for flex.

Fixes #334

Test: I deployed an app that uses AppEngineTokenSource to Go 1.9 and
      Go 1.11 on App Engine standard and to Go 1.11 on App Engine
      flexible and it worked in all cases. Also verified that the log
      message is present on go111 and flex.

[1] DefaultTokenSource did use ComputeTokenSource for flex but
AppEngineTokenSource did not. AppEngineTokenSource is supported on flex,
in the sense that it doesn't panic when used on flex in the way it does
when used outside App Engine. However, AppEngineTokenSource makes an API
call internally that isn't supported by default on flex, which emits a
log instructing the user to enable the compat runtime. The compat
runtimes are deprecated and deploys are blocked. This is a bad
experience. This commit has the side effect of fixing this.

Change-Id: Iab63547b410535db60dcf204782d5b6b599a4e0c
GitHub-Last-Rev: 5779afb167d6abe13c29bb9632c9ac516a817e49
GitHub-Pull-Request: golang/oauth2#341
Reviewed-by: Brad Fitzpatrick <>
8 files changed
tree: 7f9a40a94cc42ee2b115818ab8b7051a0af1026f
  1. .travis.yml
  7. amazon/
  8. bitbucket/
  9. cern/
  10. clientcredentials/
  11. example_test.go
  12. facebook/
  13. fitbit/
  14. foursquare/
  15. github/
  16. gitlab/
  17. google/
  18. heroku/
  19. hipchat/
  20. instagram/
  21. internal/
  22. jira/
  23. jws/
  24. jwt/
  25. kakao/
  26. linkedin/
  27. mailchimp/
  28. mailru/
  29. mediamath/
  30. microsoft/
  31. nokiahealth/
  32. oauth2.go
  33. oauth2_test.go
  34. odnoklassniki/
  35. paypal/
  36. slack/
  37. spotify/
  38. stackoverflow/
  39. token.go
  40. token_test.go
  41. transport.go
  42. transport_test.go
  43. twitch/
  44. uber/
  45. vk/
  46. yahoo/
  47. yandex/

OAuth2 for Go

Build Status GoDoc

oauth2 package contains a client implementation for OAuth 2.0 spec.


go get

Or you can manually git clone the repository to $(go env GOPATH)/src/

See godoc for further documentation and examples.

App Engine

In change 96e89be (March 2015), we removed the oauth2.Context2 type in favor of the context.Context type from the package

This means it‘s no longer possible to use the “Classic App Engine” appengine.Context type with the oauth2 package. (You’re using Classic App Engine if you import the package "appengine".)

To work around this, you may use the new "" package. This package has almost the same API as the "appengine" package, but it can be fetched with go get and used on “Managed VMs” and well as Classic App Engine.

See the new appengine package's readme for information on updating your app.

If you don't want to update your entire app to use the new App Engine packages, you may use both sets of packages in parallel, using only the new packages with the oauth2 package.

import (
	newappengine ""
	newurlfetch ""


func handler(w http.ResponseWriter, r *http.Request) {
	var c appengine.Context = appengine.NewContext(r)
	c.Infof("Logging a message with the old package")

	var ctx context.Context = newappengine.NewContext(r)
	client := &http.Client{
		Transport: &oauth2.Transport{
			Source: google.AppEngineTokenSource(ctx, "scope"),
			Base:   &newurlfetch.Transport{Context: ctx},

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the oauth2 repository is located at