Google Git
Sign in
go / oauth2 / refs/heads/master
commit89ff2e1ac388c1a234a687cb2735341cde3f7122[log] [tgz]
authorChris Smith <chrisdsmith@google.com>Tue Dec 23 14:36:48 2025 -0700
committerCody Oss <codyoss@google.com>Mon Jan 12 11:50:33 2026 -0800
tree5945a264dcf59595a380e50acbc2b9f96af5db2d
parentacc38155b7f6f36aefcb58faff6f36d314dd915c [diff]
google: add safer credentials JSON loading options.

Add safer credentials JSON loading options in `google` package.

Adds `CredentialsFromJSONWithType` and `CredentialsFromJSONWithTypeAndParams`
to mitigate a security vulnerability where credential configurations
from untrusted sources could be used without validation. These new
functions require the credential type to be explicitly specified.

Deprecates the less safe `CredentialsFromJSON` and
`CredentialsFromJSONWithParams` functions.

Change-Id: I27848b5ebd2dff76d0397cdc08908d680c0ccd69
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/732440
Reviewed-by: Seth Hollyman <shollyman@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Reviewed-by: Sai Sunder Srinivasan <saisunder@google.com>
TryBot-Bypass: Cody Oss <codyoss@google.com>
6 files changed
tree: 5945a264dcf59595a380e50acbc2b9f96af5db2d
  1. amazon/
  2. authhandler/
  3. bitbucket/
  4. cern/
  5. clientcredentials/
  6. endpoints/
  7. facebook/
  8. fitbit/
  9. foursquare/
  10. github/
  11. gitlab/
  12. google/
  13. heroku/
  14. hipchat/
  15. instagram/
  16. internal/
  17. jira/
  18. jws/
  19. jwt/
  20. kakao/
  21. linkedin/
  22. mailchimp/
  23. mailru/
  24. mediamath/
  25. microsoft/
  26. nokiahealth/
  27. odnoklassniki/
  28. paypal/
  29. slack/
  30. spotify/
  31. stackoverflow/
  32. twitch/
  33. uber/
  34. vk/
  35. yahoo/
  36. yandex/
  37. .travis.yml
  38. CONTRIBUTING.md
  39. deviceauth.go
  40. deviceauth_test.go
  41. example_test.go
  42. go.mod
  43. go.sum
  44. LICENSE
  45. oauth2.go
  46. oauth2_test.go
  47. pkce.go
  48. README.md
  49. token.go
  50. token_test.go
  51. transport.go
  52. transport_test.go
README.md

OAuth2 for Go

Go Reference Build Status

oauth2 package contains a client implementation for OAuth 2.0 spec.

See pkg.go.dev for further documentation and examples.

Policy for new endpoints

We no longer accept new provider-specific packages in this repo if all they do is add a single endpoint variable. If you just want to add a single endpoint, add it to the pkg.go.dev/golang.org/x/oauth2/endpoints package.

Report Issues / Send Patches

The main issue tracker for the oauth2 repository is located at https://github.com/golang/oauth2/issues.

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.

The git repository is https://go.googlesource.com/oauth2.

Note:

  • Excluding trivial changes, all contributions should be connected to an existing issue.
  • API changes must go through the change proposal process before they can be accepted.
  • The code owners are listed at dev.golang.org/owners.