oauth2: move global auth style cache to be per-Config

In 80673b4a4 (https://go.dev/cl/157820) I added a never-shrinking
package-global cache to remember which auto-detected auth style (HTTP
headers vs POST) was supported by a certain OAuth2 server, keyed by
its URL.

Unfortunately, some multi-tenant SaaS OIDC servers behave poorly and
have one global OpenID configuration document for all of their
customers which says ("we support all auth styles! you pick!") but
then give each customer control of which style they specifically
accept. This is bogus behavior on their part, but the oauth2 package's
global caching per URL isn't helping. (It's also bad to have a
package-global cache that can never be GC'ed)

So, this change moves the cache to hang off the oauth *Configs
instead. Unfortunately, it does so with some backwards compatiblity
compromises (an atomic.Value hack), lest people are using old versions
of Go still or copying a Config by value, both of which this package
previously accidentally supported, even though they weren't tested.

This change also means that anybody that's repeatedly making ephemeral
oauth.Configs without an explicit auth style will be losing &
reinitializing their cache on any auth style failures + fallbacks to
the other style. I think that should be pretty rare. People seem to
make an oauth2.Config once earlier and stash it away somewhere (often
deep in a token fetcher or HTTP client/transport).

Change-Id: I91f107368ab3c3d77bc425eeef65372a589feb7b
Signed-off-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/515675
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Adrian Dewhurst <adrian@tailscale.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
7 files changed
tree: 52163771dbfbbe7384a704fa23d42447ed3c0a39
  1. amazon/
  2. authhandler/
  3. bitbucket/
  4. cern/
  5. clientcredentials/
  6. endpoints/
  7. facebook/
  8. fitbit/
  9. foursquare/
  10. github/
  11. gitlab/
  12. google/
  13. heroku/
  14. hipchat/
  15. instagram/
  16. internal/
  17. jira/
  18. jws/
  19. jwt/
  20. kakao/
  21. linkedin/
  22. mailchimp/
  23. mailru/
  24. mediamath/
  25. microsoft/
  26. nokiahealth/
  27. odnoklassniki/
  28. paypal/
  29. slack/
  30. spotify/
  31. stackoverflow/
  32. twitch/
  33. uber/
  34. vk/
  35. yahoo/
  36. yandex/
  37. .travis.yml
  39. example_test.go
  40. go.mod
  41. go.sum
  43. oauth2.go
  44. oauth2_test.go
  45. README.md
  46. token.go
  47. token_test.go
  48. transport.go
  49. transport_test.go

OAuth2 for Go

Go Reference Build Status

oauth2 package contains a client implementation for OAuth 2.0 spec.


go get golang.org/x/oauth2

Or you can manually git clone the repository to $(go env GOPATH)/src/golang.org/x/oauth2.

See pkg.go.dev for further documentation and examples.

Policy for new endpoints

We no longer accept new provider-specific packages in this repo if all they do is add a single endpoint variable. If you just want to add a single endpoint, add it to the pkg.go.dev/golang.org/x/oauth2/endpoints package.

Report Issues / Send Patches

The main issue tracker for the oauth2 repository is located at https://github.com/golang/oauth2/issues.

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html. In particular:

  • Excluding trivial changes, all contributions should be connected to an existing issue.
  • API changes must go through the change proposal process before they can be accepted.
  • The code owners are listed at dev.golang.org/owners.