Google Git
Sign in
go / oauth2 / 885f294722cab86dbe73633465663b9a43e3ba78^! / .
commit885f294722cab86dbe73633465663b9a43e3ba78[log] [tgz]
authorAndy Zhao <andyzhao@google.com>Thu Mar 02 17:40:29 2023 +0000
committerShin Fan <shinfan@google.com>Fri Mar 03 18:55:16 2023 +0000
treeb8e54573bebb2a86e031fe07fb9fd2085e68f37f
parent6f9c1a18cc48103b815a810b907f038d953749a9 [diff]
google: Add support for OAuth2 token exchange over mTLS

With Context Aware Access enabled, users must use the endpoint "https://oauth2.mtls.googleapis.com/token" for token exchange. This PR adds support for runtime configuration of the OAuth2 token endpoint (as determined by the caller). If using the mTLS oauth2 endpoint, the caller will also need to specify an mTLS-enabled HTTPClient via the "context" mechanism for use by the OAuth2 transport.

Change-Id: Ic83342ec1d224d3acdabf00d863249330424fc54
GitHub-Last-Rev: 07e4849e96a72028a8d6ff99b228846902f5bea6
GitHub-Pull-Request: golang/oauth2#630
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/470396
Run-TryBot: Matthew Hickford <hickford@google.com>
Reviewed-by: Shin Fan <shinfan@google.com>
Run-TryBot: Shin Fan <shinfan@google.com>
Reviewed-by: Matthew Hickford <hickford@google.com>
Reviewed-by: Andy Zhao <andyzhao@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/google/default.go b/google/default.go
index a144d78..db6b19e 100644
--- a/google/default.go
+++ b/google/default.go

@@ -62,6 +62,10 @@
 
 	// PKCE is used to support PKCE flow. Optional for 3LO flow.
 	PKCE *authhandler.PKCEParams
+
+	// The OAuth2 TokenURL default override. This value overrides the default TokenURL,
+	// unless explicitly specified by the credentials config file. Optional.
+	TokenURL string
 }
 
 func (params CredentialsParams) deepCopy() CredentialsParams {

diff --git a/google/google.go b/google/google.go
index 8df0c49..a1b629a 100644
--- a/google/google.go
+++ b/google/google.go

@@ -26,6 +26,9 @@
 	AuthStyle: oauth2.AuthStyleInParams,
 }
 
+// MTLSTokenURL is Google's OAuth 2.0 default mTLS endpoint.
+const MTLSTokenURL = "https://oauth2.mtls.googleapis.com/token"
+
 // JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
 const JWTTokenURL = "https://oauth2.googleapis.com/token"
 
@@ -172,7 +175,11 @@
 			cfg.Endpoint.AuthURL = Endpoint.AuthURL
 		}
 		if cfg.Endpoint.TokenURL == "" {
-			cfg.Endpoint.TokenURL = Endpoint.TokenURL
+			if params.TokenURL != "" {
+				cfg.Endpoint.TokenURL = params.TokenURL
+			} else {
+				cfg.Endpoint.TokenURL = Endpoint.TokenURL
+			}
 		}
 		tok := &oauth2.Token{RefreshToken: f.RefreshToken}
 		return cfg.TokenSource(ctx, tok), nil