Documentation ¶
Overview ¶
Package oauth2 provides support for making OAuth2 authorized and authenticated HTTP requests. It can additionally grant authorization with Bearer JWT.
Index ¶
- Variables
- func NewClient(ctx context.Context, src TokenSource) *http.Client
- type AuthCodeOption
- type Config
- func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string
- func (c *Config) Client(ctx context.Context, t *Token) *http.Client
- func (c *Config) Exchange(ctx context.Context, code string) (*Token, error)
- func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error)
- func (c *Config) TokenSource(ctx context.Context, t *Token) TokenSource
- type Endpoint
- type Token
- type TokenSource
- type Transport
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var HTTPClient contextKey
HTTPClient is the context key to use with golang.org/x/net/context's WithValue function to associate an *http.Client value with a context.
var NoContext = context.TODO()
NoContext is the default context you should supply if not using your own context.Context (see https://golang.org/x/net/context).
Functions ¶
func NewClient ¶
func NewClient(ctx context.Context, src TokenSource) *http.Client
NewClient creates an *http.Client from a Context and TokenSource. The returned client is not valid beyond the lifetime of the context.
As a special case, if src is nil, a non-OAuth2 client is returned using the provided context. This exists to support related OAuth2 packages.
Types ¶
type AuthCodeOption ¶
type AuthCodeOption interface {
// contains filtered or unexported methods
}
An AuthCodeOption is passed to Config.AuthCodeURL.
var ( // AccessTypeOnline and AccessTypeOffline are options passed // to the Options.AuthCodeURL method. They modify the // "access_type" field that gets sent in the URL returned by // AuthCodeURL. // // Online is the default if neither is specified. If your // application needs to refresh access tokens when the user // is not present at the browser, then use offline. This will // result in your application obtaining a refresh token the // first time your application exchanges an authorization // code for a user. AccessTypeOnline AuthCodeOption = SetParam("access_type", "online") AccessTypeOffline AuthCodeOption = SetParam("access_type", "offline") // ApprovalForce forces the users to view the consent dialog // and confirm the permissions request at the URL returned // from AuthCodeURL, even if they've already done so. ApprovalForce AuthCodeOption = SetParam("approval_prompt", "force") )
func SetParam ¶
func SetParam(key, value string) AuthCodeOption
SetParam builds an AuthCodeOption which passes key/value parameters to a provider's authorization endpoint.
type Config ¶
type Config struct { // ClientID is the application's ID. ClientID string // ClientSecret is the application's secret. ClientSecret string // Endpoint contains the resource server's token endpoint // URLs. These are constants specific to each server and are // often available via site-specific packages, such as // google.Endpoint or github.Endpoint. Endpoint Endpoint // RedirectURL is the URL to redirect users going through // the OAuth flow, after the resource owner's URLs. RedirectURL string // Scope specifies optional requested permissions. Scopes []string }
Config describes a typical 3-legged OAuth2 flow, with both the client application information and the server's endpoint URLs.
Example ¶
package main import ( "fmt" "log" "bosun.org/_third_party/golang.org/x/oauth2" ) func main() { conf := &oauth2.Config{ ClientID: "YOUR_CLIENT_ID", ClientSecret: "YOUR_CLIENT_SECRET", Scopes: []string{"SCOPE1", "SCOPE2"}, Endpoint: oauth2.Endpoint{ AuthURL: "https://provider.com/o/oauth2/auth", TokenURL: "https://provider.com/o/oauth2/token", }, } // Redirect user to consent page to ask for permission // for the scopes specified above. url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline) fmt.Printf("Visit the URL for the auth dialog: %v", url) // Use the authorization code that is pushed to the redirect URL. // NewTransportWithCode will do the handshake to retrieve // an access token and initiate a Transport that is // authorized and authenticated by the retrieved token. var code string if _, err := fmt.Scan(&code); err != nil { log.Fatal(err) } tok, err := conf.Exchange(oauth2.NoContext, code) if err != nil { log.Fatal(err) } client := conf.Client(oauth2.NoContext, tok) client.Get("...") }
Output:
func (*Config) AuthCodeURL ¶
func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string
AuthCodeURL returns a URL to OAuth 2.0 provider's consent page that asks for permissions for the required scopes explicitly.
State is a token to protect the user from CSRF attacks. You must always provide a non-zero string and validate that it matches the the state query parameter on your redirect callback. See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
Opts may include AccessTypeOnline or AccessTypeOffline, as well as ApprovalForce.
func (*Config) Client ¶
Client returns an HTTP client using the provided token. The token will auto-refresh as necessary. The underlying HTTP transport will be obtained using the provided context. The returned client and its Transport should not be modified.
func (*Config) Exchange ¶
Exchange converts an authorization code into a token.
It is used after a resource provider redirects the user back to the Redirect URI (the URL obtained from AuthCodeURL).
The HTTP client to use is derived from the context. If a client is not provided via the context, http.DefaultClient is used.
The code will be in the *http.Request.FormValue("code"). Before calling Exchange, be sure to validate FormValue("state").
func (*Config) PasswordCredentialsToken ¶
func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error)
PasswordCredentialsToken converts a resource owner username and password pair into a token.
Per the RFC, this grant type should only be used "when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available." See https://tools.ietf.org/html/rfc6749#section-4.3 for more info.
The HTTP client to use is derived from the context. If nil, http.DefaultClient is used.
func (*Config) TokenSource ¶
func (c *Config) TokenSource(ctx context.Context, t *Token) TokenSource
TokenSource returns a TokenSource that returns t until t expires, automatically refreshing it as necessary using the provided context.
Most users will use Config.Client instead.
type Token ¶
type Token struct { // AccessToken is the token that authorizes and authenticates // the requests. AccessToken string `json:"access_token"` // TokenType is the type of token. // The Type method returns either this or "Bearer", the default. TokenType string `json:"token_type,omitempty"` // RefreshToken is a token that's used by the application // (as opposed to the user) to refresh the access token // if it expires. RefreshToken string `json:"refresh_token,omitempty"` // Expiry is the optional expiration time of the access token. // // If zero, TokenSource implementations will reuse the same // token forever and RefreshToken or equivalent // mechanisms for that TokenSource will not be used. Expiry time.Time `json:"expiry,omitempty"` // contains filtered or unexported fields }
Token represents the crendentials used to authorize the requests to access protected resources on the OAuth 2.0 provider's backend.
Most users of this package should not access fields of Token directly. They're exported mostly for use by related packages implementing derivative OAuth2 flows.
func (*Token) Extra ¶
Extra returns an extra field. Extra fields are key-value pairs returned by the server as a part of the token retrieval response.
func (*Token) SetAuthHeader ¶
SetAuthHeader sets the Authorization header to r using the access token in t.
This method is unnecessary when using Transport or an HTTP Client returned by this package.
type TokenSource ¶
type TokenSource interface { // Token returns a token or an error. // Token must be safe for concurrent use by multiple goroutines. // The returned Token must not be modified. Token() (*Token, error) }
A TokenSource is anything that can return a token.
func ReuseTokenSource ¶
func ReuseTokenSource(t *Token, src TokenSource) TokenSource
ReuseTokenSource returns a TokenSource which repeatedly returns the same token as long as it's valid, starting with t. When its cached token is invalid, a new token is obtained from src.
ReuseTokenSource is typically used to reuse tokens from a cache (such as a file on disk) between runs of a program, rather than obtaining new tokens unnecessarily.
The initial token t may be nil, in which case the TokenSource is wrapped in a caching version if it isn't one already. This also means it's always safe to wrap ReuseTokenSource around any other TokenSource without adverse effects.
type Transport ¶
type Transport struct { // Source supplies the token to add to outgoing requests' // Authorization headers. Source TokenSource // Base is the base RoundTripper used to make HTTP requests. // If nil, http.DefaultTransport is used. Base http.RoundTripper // contains filtered or unexported fields }
Transport is an http.RoundTripper that makes OAuth 2.0 HTTP requests, wrapping a base RoundTripper and adding an Authorization header with a token from the supplied Sources.
Transport is a low-level mechanism. Most code will use the higher-level Config.Client method instead.
func (*Transport) CancelRequest ¶
CancelRequest cancels an in-flight request by closing its connection.
Directories ¶
Path | Synopsis |
---|---|
Package google provides support for making OAuth2 authorized and authenticated HTTP requests to Google APIs.
|
Package google provides support for making OAuth2 authorized and authenticated HTTP requests to Google APIs. |
Package internal contains support packages for oauth2 package.
|
Package internal contains support packages for oauth2 package. |
Package jws provides encoding and decoding utilities for signed JWS messages.
|
Package jws provides encoding and decoding utilities for signed JWS messages. |
Package jwt implements the OAuth 2.0 JSON Web Token flow, commonly known as "two-legged OAuth 2.0".
|
Package jwt implements the OAuth 2.0 JSON Web Token flow, commonly known as "two-legged OAuth 2.0". |