Overview
Package googleoauth contains some helpers related to Google OAuth2.
Constants
const (
// TokeninfoEndpoint is Google's token info endpoint.
TokeninfoEndpoint = "https://www.googleapis.com/oauth2/v3/tokeninfo"
)
Variables
ErrBadToken is returned by GetTokenInfo if the passed token is invalid.
Functions
func GetAccessToken
GetAccessToken grabs an access token using a JWT as an authorization grant.
It performs the same kind of flow as when using a regular service account private key, except it allows any Signer implementation (not necessarily based on local crypto). This is particularly helpful when using the 'signBlob' IAM API to sign JWTs, since it allows minting an access token for accounts we don't have private keys for (but do have the "roles/iam.serviceAccountActor" role on; that role is legacy, and newer projects grant roles/iam.serviceAccountTokenCreator for signing). Whoever can invoke the Signer can mint tokens for the account, so the signing path (the local key, or the permission to call signBlob) is the asset to protect.
The returned token usually has a 1 hour lifetime.
Does not retry transient errors. Returns signing and HTTP connection errors as is. Unsuccessful HTTP requests result in a *googleapi.Error.
Types
type JwtFlowParams
type JwtFlowParams struct {
    // ServiceAccount is a service account name to get an access token for.
    ServiceAccount string
    // Signer signs JWTs with a private key owned by the service account.
    Signer Signer
    // Scopes is a list of OAuth2 scopes to claim.
    Scopes []string
    // Client is a non-authenticating client to use for the exchange.
    //
    // If not set, http.DefaultClient will be used.
    Client *http.Client
    // contains filtered or unexported fields
}
JwtFlowParams describes how to perform the GetAccessToken call.
type Signer
type Signer interface {
    // SignJWT signs the claim set with some active private key to produce JWT.
    SignJWT(c context.Context, serviceAccount string, cs *iam.ClaimSet) (keyName, signedJwt string, err error)
}
Signer knows how to sign JWTs with a private key owned by a service account.
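The flow that GetAccessToken, JwtFlowParams and Signer describe, as an added example that is not the package's code: a ClaimSet type and a Signer interface stand in for iam.ClaimSet and the package's Signer (assumed shapes), LocalRSASigner is the "regular private key" case, GetAccessToken builds a one-hour claim set whose aud is the token endpoint and exchanges it with the jwt-bearer grant, and NewFakeTokenEndpoint is a constructed stand-in for Google's token endpoint that performs the checks the real one does (grant type, RS256 signature under the account's key, audience, expiry) so the exchange runs offline. A Signer backed by signBlob would replace LocalRSASigner; nothing else in the client changes.

```go
package main

import (
	"context"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

const jwtBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer" // RFC 7523 grant type the token endpoint accepts

// ClaimSet stands in for iam.ClaimSet (an assumption of this example, not the
// package's type). For the jwt-bearer grant, aud must be the token endpoint URL.
type ClaimSet struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
}

// Signer mirrors the page's interface: a local key or a remote signBlob call.
type Signer interface {
	SignJWT(ctx context.Context, serviceAccount string, cs *ClaimSet) (keyName, signedJWT string, err error)
}

// LocalRSASigner makes RS256 JWTs from an in-memory key, as the plain key flow does.
type LocalRSASigner struct{ Key *rsa.PrivateKey }

func (s *LocalRSASigner) SignJWT(_ context.Context, _ string, cs *ClaimSet) (string, string, error) {
	payload, _ := json.Marshal(cs) // cannot fail for this plain struct
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", "", err
	}
	return "local-key", signingInput + "." + enc(sig), nil
}

// GetAccessToken runs the jwt-bearer grant: sign a one-hour claim set with the
// Signer, post it as the assertion, return the access token. Any non-200 reply
// is an error (the real package reports these as *googleapi.Error).
func GetAccessToken(ctx context.Context, client *http.Client, tokenURL, account string, scopes []string, s Signer) (string, error) {
	cs := &ClaimSet{Iss: account, Scope: strings.Join(scopes, " "), Aud: tokenURL, Exp: time.Now().Unix() + 3600}
	_, assertion, err := s.SignJWT(ctx, account, cs)
	if err != nil {
		return "", fmt.Errorf("signing: %w", err)
	}
	resp, err := client.PostForm(tokenURL, url.Values{"grant_type": {jwtBearer}, "assertion": {assertion}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint: HTTP %d", resp.StatusCode)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", err
	}
	return tok.AccessToken, nil
}

// NewFakeTokenEndpoint is a constructed stand-in for Google's token endpoint that
// performs the checks the real one does before issuing a token: grant type,
// RS256 signature under the account's key, audience, expiry.
func NewFakeTokenEndpoint(pub *rsa.PublicKey) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var cs ClaimSet
		parts := strings.Split(r.FormValue("assertion"), ".")
		ok := r.FormValue("grant_type") == jwtBearer && len(parts) == 3
		if ok {
			// Verify the signature first; only then look at the claims.
			digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
			sig, err := base64.RawURLEncoding.DecodeString(parts[2])
			payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
			ok = err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil &&
				json.Unmarshal(payload, &cs) == nil && cs.Aud == "http://"+r.Host && cs.Exp > time.Now().Unix()
		}
		if !ok {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, `{"access_token":"ya29.fake-for-%s","expires_in":3600,"token_type":"Bearer"}`, cs.Iss)
	}))
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := NewFakeTokenEndpoint(&key.PublicKey)
	defer srv.Close()
	fmt.Println(GetAccessToken(context.Background(), srv.Client(), srv.URL, "robot@example.iam.gserviceaccount.com",
		[]string{"https://www.googleapis.com/auth/userinfo.email"}, &LocalRSASigner{Key: key}))
}
```

The endpoint verifies the signature before it reads the claims; a JWT signed with any other key, or one whose aud is not the endpoint itself, is refused with invalid_grant, which GetAccessToken surfaces as an HTTP 400 error.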
type TokenInfo
type TokenInfo struct {
    Azp           string `json:"azp"`
    Aud           string `json:"aud"`
    Sub           string `json:"sub"`
    Scope         string `json:"scope"`
    Exp           int64  `json:"exp,string"`
    ExpiresIn     int64  `json:"expires_in,string"`
    Email         string `json:"email"`
    EmailVerified bool   `json:"email_verified,string"`
    AccessType    string `json:"access_type"`
}
TokenInfo is information about an access or ID token.
Of primary importance are the 'email', 'email_verified', 'scope' and 'aud' fields. A caller that uses the token info endpoint to validate tokens MUST check the correctness of these fields: in particular that 'aud' is its own OAuth client ID (the endpoint describes any valid Google token, including ones issued to other applications, so without this check a token obtained for some other app would be accepted), that 'email_verified' is true before 'email' is trusted, and that 'scope' contains every scope the caller relies on.
func GetTokenInfo
func GetTokenInfo(c context.Context, params TokenInfoParams) (*TokenInfo, error)
GetTokenInfo queries token info endpoint and returns information about the token if it is recognized.
See https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint.
On an invalid token (as indicated by a 4xx HTTP response) returns ErrBadToken. On other HTTP-level errors (e.g. HTTP 500) returns a transient-wrapped *googleapi.Error. On network-level errors returns them in a transient wrapper.
type TokenInfoParams
type TokenInfoParams struct {
    AccessToken string       // an access token to check
    IDToken     string       // an ID token to check (overrides AccessToken)
    Client      *http.Client // non-authenticating client to use for the call
    Endpoint    string       // an endpoint to use instead of the default one
}
TokenInfoParams are parameters for GetTokenInfo call.
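A tokeninfo client with the error mapping GetTokenInfo documents and the checks the TokenInfo doc requires, as an added example rather than the package's code. TokenInfo keeps only the fields the checks use; ErrTransient is an assumed stand-in for the package's transient wrapper; the function takes the client, endpoint and access token directly instead of TokenInfoParams; NewFakeTokeninfo is a constructed stand-in for the endpoint with fixed replies (sample data in the string-typed JSON shape the real endpoint returns, which is why the ",string" struct tags are needed).

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

var (
	ErrBadToken  = errors.New("bad token")       // the page's sentinel: the endpoint rejected the token
	ErrTransient = errors.New("transient error") // assumed stand-in for the package's transient wrapper
)

// TokenInfo keeps the page's fields that the checks below use. The ",string"
// options matter: the endpoint encodes exp, expires_in and email_verified as
// JSON strings, and a struct without them fails to decode the reply.
type TokenInfo struct {
	Aud           string `json:"aud"`
	Scope         string `json:"scope"`
	Exp           int64  `json:"exp,string"`
	ExpiresIn     int64  `json:"expires_in,string"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified,string"`
}

// GetTokenInfo queries the endpoint with the page's error mapping: a 4xx reply
// means the token is bad (ErrBadToken); other non-200 replies and network
// failures are transient and may be retried.
func GetTokenInfo(ctx context.Context, client *http.Client, endpoint, accessToken string) (*TokenInfo, error) {
	q := url.Values{"access_token": {accessToken}}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrTransient, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
		return nil, ErrBadToken
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%w: HTTP %d from tokeninfo", ErrTransient, resp.StatusCode)
	}
	var ti TokenInfo
	if err := json.NewDecoder(resp.Body).Decode(&ti); err != nil {
		return nil, err
	}
	return &ti, nil
}

// CheckTokenInfo applies the MUST checks from the TokenInfo doc: the token was
// issued to our own OAuth client (aud), the email is verified, and every scope
// we rely on is present in the space-separated scope list.
func CheckTokenInfo(ti *TokenInfo, ourClientID string, needScopes []string) error {
	if ti.Aud != ourClientID {
		return fmt.Errorf("aud %q is not our client id %q", ti.Aud, ourClientID)
	}
	if !ti.EmailVerified {
		return fmt.Errorf("email %q is not verified", ti.Email)
	}
	for _, s := range needScopes {
		if !strings.Contains(" "+ti.Scope+" ", " "+s+" ") {
			return fmt.Errorf("missing scope %q", s)
		}
	}
	return nil
}

// NewFakeTokeninfo is a constructed stand-in for the endpoint: one known token
// gets a reply in the real endpoint's string-typed JSON shape (sample data),
// "boom" simulates a 5xx outage, and anything else is rejected with 400.
func NewFakeTokeninfo() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Query().Get("access_token") {
		case "ya29.valid":
			fmt.Fprint(w, `{"azp":"123.apps.googleusercontent.com","aud":"123.apps.googleusercontent.com","sub":"1002",`+
				`"scope":"openid https://www.googleapis.com/auth/userinfo.email","exp":"1900000000","expires_in":"3599",`+
				`"email":"alice@example.com","email_verified":"true","access_type":"offline"}`)
		case "boom":
			http.Error(w, "backend unavailable", http.StatusServiceUnavailable)
		default:
			http.Error(w, `{"error_description":"Invalid Value"}`, http.StatusBadRequest)
		}
	}))
}

func main() {
	srv := NewFakeTokeninfo()
	defer srv.Close()
	ti, err := GetTokenInfo(context.Background(), srv.Client(), srv.URL, "ya29.valid")
	fmt.Println(ti, err)
}
```

CheckTokenInfo is the part callers tend to skip: a 200 from the endpoint only says the token is a valid Google token, and only the aud comparison says it was issued to this application rather than to some other client that obtained it for its own purposes.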