epelc / goauth2 Goto Github PK

Support Service Accounts:

https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Excuse me if this would be better if in
http://code.google.com/p/google-api-go-client/issue

I don't know enough about the spec to say if it's possible to do this in a way 
that is agnostic to the auth provide (Google, Facebook, etc.)

Two files are currently not gofmtted:

oauth/jwt/jwt.go
oauth/jwt/example/main.go

Gomniauth has been built with a different architecture, but does the same job.  
I suggest we combine our efforts over there.

Reddit's Oauth implementation requires a basic HTTP auth header containing the 
ClientId & ClientSecret values to be included when a token is requested.

It would be great if goauth2 supported this.

What steps will reproduce the problem?
1. Get a token (and gob it to the disk for testing)
2. Wait for AccessToken to expire
3. Make request

What is the expected output? What do you see instead?
Expected: oauth will use the RefreshToken to obtain a new AccessToken and 
reissue the request with the new AccessToken.

Observed: Request will fail with the exact results depending on the server of 
the requested url.  The for example google spreadsheets server eventually times 
out with 502 Bad Gateway and some error message.

What version of the product are you using? On what operating system?
latest tip d7c746aa73cb on OSX

As far as I can tell, there are two issues:
1) After the initial failed request, the http.Request object is reused in a 2nd 
attempt.  Unfortunately the http.Request.Body will be all used up, so the 
proper data will not be sent.
2) After a new access token is retrieved, the request still has the 
Authorization header set to the old AccessToken.

I have attached a patch with fixes for these two issues, but I'm not sure 
you're going to like my approach with the readCloseDupper.  Another approach 
might be to proactively request a new AccessToken when it is going to expire 
soon before trying to make a request which will consume the Body.

After applying this patch, it works as I expect it to.

Facebook returns number of seconds till token expiration in "expires" field 
instead of "expires_in". See patch.

Adding a "Content-Type" of "application/x-www-form-urlencoded" is making 
goauth2 compatible with Salesforce.

How do you assign the appengine *http.Client to transport?

Tried something like this,

c := endpoints.NewContext(r)
transport.Client=func() *http.Client {return urlfetch.Client(c)}

What steps will reproduce the problem?
1. use go  weekly.2011-12-22
2.  goinstall code.google.com/p/goauth2/oauth

What is the expected output? What do you see instead?

goinstall should successfully intall the package

What version of the product are you using? On what operating system?

golang version

$ hg summary
parent: 11071:4a8268927758 weekly weekly.2011-12-22
 weekly.2011-12-22
branch: default
commit: (clean)
update: 15 new changesets (update)


Please provide any additional information below.

gofix and some changes to time.Seconds calls where needed

It would be nice for server to server oauth to have a JWT encoder.

Trying to auth with GitHub. Since no `Accept` header can set in the request, 
GitHub will default to urlencoding for the answer. Simply supporting both, json 
and urlencoding, and switching over the `Content-Type` header is a viable 
solution.

I tested it with GitHub and Google. As far as I can tell it should also fix the 
"Facebook problem" without ludicrous solutions like hardcoding hostnames[1].

[1]: 
https://github.com/robfig/goauth2/commit/c649965654aa4d41f076735d2df236066a37d2b
9#L0R302

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

"go get code.googlecode.com/p/goauth2/oauth"  returns "unrecognized import 
path..."

"go get code.google.com/p/goauth2/oauth" works fine as per 
http://weekly.golang.org/cmd/go/

What steps will reproduce the problem?

  1. Setup dropbox app console: https://www.dropbox.com/developers/apps 
  2. Fill in oauth.Config
  3. trasnport.AuthCodeURL() returns url with empty params: access_type and approval_prompt.  This causes dropbox API server to reject /authorize request.
  4. transport.Exchange passes in empty scope param.  This causes dropbox API server to reject /token request.

What is the expected output? What do you see instead?

  Dropbox oauth2 flow should succeed.

What version of the product are you using? On what operating system?

  I'm running go version 1.2 on Mac OSX

Please provide any additional information below.

  I've attached a patch to fix this problem.  Are you open to this fix?

This is an enhancement request:

goauth2/appengine/serviceaccount.NewClient() returns an http.Client containing 
an urlfetch.Transport with the default Deadline of just 5 seconds.
This is not enough when trying to handle large files on Google Cloud Storage. 
(I actually encountered the problem while transfering files  larger than 
approx. 12mb from blobstore to GCS).
Thus it's desirable to have a way of setting the deadline manually.

As property Transport in http.Client is declared as http.RoundTripper there is 
no direct way to change the Deadline Property on the client returned.

Possible solutions:
1. Have an exported method of serviceaccount.transport like SetDeadline(), so 
an interface "SetDeadliner" could be used to access it.
Package serviceaccount could eventually provide the interface as well.

2. Have an alternative Constructor like
NewClientFromTransport(t urlfetch.Transport, scopes ...string)  
This would have the benefit that AllowInvalidServerCertificate could be set by 
the user as well.

Alternatively the default Deadline could be increased in NewClient(), but 
anything below the max allowed request time on appengine will likely be too 
short for somebody at some point.

What steps will reproduce the problem?

Run this webapp demo with Facebook authentication: 
https://code.google.com/p/negentropia/source/browse/webserv/src/negentropia/samp
les/goauth2_webapp_demo.go
(See the source code from goauth2_webapp_demo.go for instructions.)

What is the expected output?

It should authenticate against Facebook.

What do you see instead?

callback: transp.Exchange(code): invalid character 'a' looking for beginning of 
value

What version of the product are you using?

go version go1.2.1 windows/amd64
go get code.google.com/p/goauth2/oauth

Please provide any additional information below.

In order to investigate the issue, I'm hitting an even more puzzling behavior. 
I have just cloned goauth2 into code.google.com/p/evertonmarques-goauth2/oauth, 
but
no changes have been made yet. However, when I use this cloned repo,
authentication against Facebook simply works!

This is how to reproduce:

1. Change goauth2_webapp_demo.go import to use 
code.google.com/p/evertonmarques-goauth2/oauth
2. go get code.google.com/p/evertonmarques-goauth2/oauth
3. Re-run go run goauth2_webapp_demo.go
4. Now authentication against Facebook will work!

oauth.Transport could abstract the refresh flow through an interface, so that 
other implementation (jwt, serviceaccount) could reuse part of the transport 
logic (roundtrip, caching).

context:
https://codereview.appspot.com/9998043/diff/13001/oauth/appengine/serviceaccount
/serviceaccount.go?context=&column_width=999

1. Download this project
2. Create private key and jsom ( https://code.google.com/apis/console )
3. Create key.pem (http://godoc.org/code.google.com/p/goauth2/oauth/jwt)
   $ openssl pkcs12 -in <key.p12> -nocerts -passin pass:notasecret -nodes -out <key.pem>
4. Run: example -k=./.google/key.pem -s=./.google/client_secrets.json

Result:
2013/03/29 12:17:54 assertion error:invalid response: 400 Bad Request

When fetching an item from memcache, Item.Expiration does not accurately 
reflect the actual expiration Duration set for that item so any token retrieved 
from memcache is always being mistakenly flagged as expired.

If, for some reason, the oauth provider does not return an 'access_token' value 
when the POST to tokenURL is performed, updateToken() currently populates 
tok.AccessToken with an empty string

It would be better for an error to be returned in this scenario as there is no 
valid case for having an empty access token AFAIK

Currently, if you don't specify a RedirectURL in your oauth.Config, it gets 
interpreted as "oob" when constructing an AuthCodeURL.  While I get that this 
is a nice convenience for when you actually want out-of-band token exchange, it 
means that it's impossible (unless I'm missing something) to construct an 
AuthCodeURL that legitimately does not specify a redirect_url.  For example, 
GitHub will use the redirect_url registered for that client_id if none if 
specified.

This doesn't support the use of network creds

http://tools.ietf.org/html/rfc6749#page-39

Add a field to the Config struct to allow limiting the oauth domain.

What steps will reproduce the problem?

After applying this patch, to make the oauthreq work with any service:

22,23d21
<   authURL      = flag.String("auth", 
"https://accounts.google.com/o/oauth2/auth", "Authorization URL")
<   tokenURL     = flag.String("token", 
"https://accounts.google.com/o/oauth2/token", "Token URL")
25d22
<   redirectURL  = flag.String("redirect", "http://localhost/", "Redirect URL")
49a47
> 
55,57c53,55
<       AuthURL:      *authURL,
<       TokenURL:     *tokenURL,
<       RedirectURL:  *redirectURL,

---
>       AuthURL:      "https://accounts.google.com/o/oauth2/auth",
>       TokenURL:     "https://accounts.google.com/o/oauth2/token",
>       RedirectURL:  "http://localhost/",

and running this sequence:

./oauthreq \
    -id=$id \
    -secret=$secret  \
    -auth=https://oauth.live.com/authorize \
    -token=https://oauth.live.com/token  \
    -redirect=http://bigredbucket.com/  \
    -req=https://apis.live.net/v5.0/me/calendars  \
    -api=wl.calendars

authorizing and obtaining a code results in a valid token cached in 
"request.token"

./oauthreq .... -code

{"AccessToken":"....","RefreshToken":"","Expiry":"2012-08-16T18:35:27.230099-04:
00"}

running with:

./oauthreq -cache -req=https://apis.live.net/v5.0/me/calendars


{
   "error": {
      "code": "request_token_missing", 
      "message": "The provided request does not include an access token. An access token is required in order to perform this action."
   }
}


when changing the -req flag to include the token parameter:

./oauthreq -cache -req=https://apis.live.net/v5.0/me/calendars?access_token=....
the valid response is sent.

What version of the product are you using? On what operating system?

go1.0.2, Mac OS X 10.8


Please provide any additional information below.

This does not occur with  Google services, because the request URL does not 
need the ?access_token parameter.

What steps will reproduce the problem?
1. setup the douban(http://douban.com/) Config
2. run the http server and try to get access token from douban
3. got the code and try to exchange the access token

What is the expected output? What do you see instead?

Expected: getting the access token from douban
Getting Error: 
code: 400,
error_type: "OAuthException",
error_message: "You must provide a client_secret"


What version of the product are you using? On what operating system?

changeset:   76:eab72654f295
go version go1.3.1 darwin/amd64

Please provide any additional information below.

and the douban expection to the function `providerAuthHeaderWorks`, and it 
works well. diff is attached.

What steps will reproduce the problem?
1. Use OAuth2 with Linkedin Signin
2. Fails on retrieveToken ("https://www.linkedin.com/uas/oauth2/accessToken")

What is the expected output? What do you see instead?
Doesn't get OAuth token, linkedin returns this:
{"error_description":"missing required parameters, includes an invalid 
parameter value, parameter more than once. : 
client_secret","error":"invalid_request"}

What version of the product are you using? On what operating system?
Latest master.  This change introduced the problem 
https://github.com/golang/oauth2/commit/bb8496880f7e4671902be4e7251f40d971c5d535

Please provide any additional information below.
Linkedin needs to be added to the list of busted auths in 
providerAuthHeaderWorks function.  They require "client_secret" as a parameter, 
instead of taking it as basic auth header.  Please add linkedin to the list 
(https://www.linkedin.com/), or give users some way to manually add oauth2 
providers

What steps will reproduce the problem?
1. Attempt to encode multiple scopes in any possible format
2. The scopes are double encoded or otherwise unacceptable by Google OAuth2
3. Try other combinations, repeat.

What is the expected output? What do you see instead?

Setting the &oauth.Config Scope should not be double encoded

What version of the product are you using? On what operating system?

osx, latest

Please provide any additional information below.


I have not been able to work aroundt he pr

What steps will reproduce the problem?
1. authenticate and acquire access token which expires_in 3600 seconds
2. poll oauth endpoint indefinitely every 60 seconds
3. on the 60th poll, the query will fail, returning the upstream 401 authError 
(or whatever it returns)
4. the next poll (60 seconds later) will succeed

For a concrete (though complex) example, http://github.com/asjoyner/fuse_gdrive 
exhibits this behavior.

What is the expected output? What do you see instead?

On the 60th poll, when oauth.Transport.RoundTrip checks for "if t.Expired()", 
it should notice the token has expired, and trigger Refresh() before making the 
requested HTTP request.
https://code.google.com/p/goauth2/source/browse/oauth/oauth.go#318

What version of the product are you using? On what operating system?
80:afe77d958c70 cloned from this repo, on both OS X 10.9.5 and Debian Linux 7.7 
(wheezy, latest stable)

Please provide any additional information below.
I believe the root cause here is a subtle timing problem, where Go's high 
resolution timers are being a bit too precise.  Consider a select loop, driven 
by a time.Ticker, making a request every 60 seconds:

T0: timer ticks, Refresh() requests new AccessToken, server calculates expiry 
in 3600 seconds at T3600
T0.150: receive access token with expiry_in 3600, calculate Expiry at T3600.150
T60: timer ticks, make request, it's all roses
T120: timer ticks, make request, it's all roses
...
T3600: timer ticks, getAccessToken() checks Expired(), it's got another 150ms 
till Expiry... but when the request gets to the server it disagrees, and the 
request is rejected.

The combination of a 1 minute poll interval, HTTP request and response latency, 
expire_in only have 1 second resolution, and expiry being calculated by the 
client results in my code hits this *every* Refresh() cycle.  If I pad the 
Expiry by even 1 second, the problem disappears.

I propose that latency might be more than 1 second in some cases, and in the 
worst case clock drift might also contribute over an hour.  Depending on how 
the server stores the expiry, plausibly with only 1 second resolution, it might 
actually record one second earlier than we do when calculating the expiration 
locally.  I believe the right choice is to pad the Expiry by a few seconds.  I 
will concede in advance that "a few seconds" is a hand-wavy answer, but hope 
you too will acknowledge that timing across the internet can be unpredictable.

I've attached a patch (6 delta lines) which fixes the problem, by causing the 
ticket to expire 5 seconds earlier.  It also does a minor sanity check to 
ensure the access token isn't made invalid by the grace period (eg. it's valid 
for at least 5 seconds), and updates oauth_test.go to account for that value.

I'm in no way married to the 5 second value, it just felt about right to me.  
It didn't feel important enough to expose it as a tunable value, but if you'd 
like I'd be happy to submit a follow-on patch to expose it via the Config.

Rietveld?
Clone and then open an issue?

It is an opaque string that is included in the redirect URL's state GET 
parameter.
Needs to be documented.

OAuthError is too opaque. There is no way to determine if the oauth error was a 
refresh error and therefor should be retried or an auth error and should be 
looked into.

Suggest exporting prefix in struct.

Shouldn't Token() and PutToken() (on TokenCache) have "defer file.Close()" in 
there somewhere?

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?
JSON data from fb after callback, instead i see internal server error

What version of the product are you using? On what operating system?
most recent version, linux mint

Please provide any additional information below.

here's my code. it works with google, but not FB.

http://pastebin.com/UWeTcpXK

What steps will reproduce the problem?
1. Create service account credentials in the API console and download the 
private key
2. Populate example.client_secrets.json accordingly
3. Convert p12 private key to pem using `openssl pkcs12 -in key.p12 -nocerts 
-nodes -out key.pem`
4. `go run main.go -k key.pem -s example.client_secrets.json`

What is the expected output? What do you see instead?
I'm not quite sure, but I don't exepect an error to occur.

What version of the product are you using? On what operating system?
go1.1.1, Mac OS X 10.8.4

I was trying to access Google Cloud Storage via “Service Accounts” and – 
among other libs –  I'm using `code.google.com/p/goauth2/oauth/jwt` to obtain 
the access token.
However, the `t.Assert()` call always yields something like:

    2013/06/12 19:28:57 assertion error:invalid response: 400 Bad Request

I dug a little bit into the code and also dumped the response body, which turns 
out to be

    {
      "error" : "invalid_grant"
    }

According to a Google search, this can be the result of a lot of things, most 
commonly clock-skew, which I don't think I have (I am synched to a NTP server).
Then I tried the provided example code which yields exactly the same error.

To be honest, I'm not quite sure if this is a bug or I am doing something 
wrong. 

When using OAuth though Mashery (http://www.mashery.com/)
Their response is returned as follows:

{"jsonrpc":"2.0","result":{... expected oauth values here ...}}

The current json deserialization in 'updateToken' has no idea how to deal with 
that; it does not expect that nested structure.

The attached patch allows a user of goauth2 to provide their own JSON handling 
if desired. If none is provided the default (current) JSON decoding is used.

We see occasional TestOAuth failures, always exactly like this:

--- FAIL: TestOAuth (0.00 seconds)
    oauth_test.go:74: request[5] got path /secure, want /token
    oauth_test.go:79: query[grant_type] = , want refresh_token
    oauth_test.go:79: query[refresh_token] = , want refreshtoken2
    oauth_test.go:79: query[client_id] = , want cl13nt1d
    oauth_test.go:158: request body mismatch: got "access_token=token3&refresh_token=refreshtoken3&id_token=idtoken3&expires_in=3600", want "third payload"
    oauth_test.go:138: AccessToken = "token2", want "token3"
    oauth_test.go:141: RefreshToken = "refreshtoken2", want "refreshtoken3"
    oauth_test.go:144: Extra['id_token'] = "idtoken2", want "idtoken3"
    oauth_test.go:148: Expiry = -158.99us, want ~1 hour

It looks like the requests are coming in out of order (although it is not clear 
to me how this happens).

Please provide any additional information below.

We are using Go 1.2 rc2. I have yet to be able to reproduce on OS X; we're 
seeing these failures from within OpenShift.

The strava api (http://www.strava.com/developers) requires the same workaround 
as discussed in https://code.google.com/p/goauth2/issues/detail?id=31

Patch attached.

What steps will reproduce the problem?
1. Use an oauth.Config that doesn't make use of optional fields like Scope, 
AccessType, or ApprovalPrompt.
2. Call config.AuthCodeURL(foo). Useless parameters are included in the URL.

What is the expected output? What do you see instead?

I expect to see something like this:

https://example.com/auth?client_id=ClientId&redirect_uri=http%3A%2F%2Flocalhost%
3A8080%2Fhandler&response_type=code&state=foo

But instead I see this:

https://example.com/auth?access_type=&approval_prompt=&client_id=ClientId&redire
ct_uri=http%3A%2F%2Flocalhost%3A8080%2Fhandler&response_type=code&scope=&state=f
oo

What version of the product are you using? On what operating system?


Please provide any additional information below.

CacheFile.PutToken uses os.Create, which creates a world-readable file. Storing 
oauth secrets in world-readable files is a bad idea.

Attached diff world-readable.diff fixes that.

But that's not all. PutToken can also leave a partially-written file around. 
Attached diff atomic-write.diff fixes that (diffed against tip, not on top of 
the other diff).

google changed the http package, and this is now broken.
http://code.google.com/p/go/source/detail?r=1a47bb34b2bac6341e2ed98c8da45a964d95
4cb9

oauth.go:183: cannot use form (type map[string] string) as type http.Values in 
function argument

What steps will reproduce the problem?
1. Used it with facebook API, check expire date.

What is the expected output? What do you see instead?
invalid date, out of date range.

What version of the product are you using? On what operating system?
latest release of Go, Ubuntu server 12.04lts 64bit

Please provide any additional information below.

this line
b.ExpiresIn, _ = time.ParseDuration(vals.Get("expires") + "s")

and this
tok.Expiry = time.Now().Add(b.ExpiresIn * time.Second)

the 1st line should suffix with "ns" to be compatible with the 2nd line.

Thanks.

What steps will reproduce the problem?

try oauth with instagram api, after user accepts instagram app,
exchange user provided code for instagram access_token with Transport.Exchange()

What is the expected output? What do you see instead?

Expected: getting the access token from instagram
Getting Error: 
code: 400,
error_type: "OAuthException",
error_message: "You must provide a client_secret"


What version of the product are you using? On what operating system?

current version, fresh go get code.google.com/p/goauth2/oauth


Please provide any additional information below.

An issue was fixed 6 days ago, putting the client_id for calls to google as 
form parameter. This works for instagram too!

Fix for google: https://codereview.appspot.com/129150043

I tried adding Instagram as exception in oauth.go -> providerAuthHeaderWorks():

    if strings.HasPrefix(tokenURL, "https://api.instagram.com/oauth") {
        return false
    }

which works.

What steps will reproduce the problem?

Attached is a version of the example program (oauthreq.go) that adds -api and 
-req flags so that you can use it with any specified API, not just a hard-coded 
one.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Here's an example using the calendar API:

./example -id ${ID}  -secret ${SECRET}  -token=${TOKEN} \
 -api=https://www.googleapis.com/auth/calendar \
 -req=https://www.googleapis.com/calendar/v3/users/me/calendarList/

What steps will reproduce the problem?
1. Login to more than 4 google accounts.
2. Press Sign in with Google button.

What is the expected output? What do you see instead?
It should redirect to the Google account picker screen. Instead I see "400 Bad 
Request"

What version of the product are you using? On what operating system?
Rev: weekly-44, SHA: 696c088491246273e92442aa66b5281e5bb34faa
Running on a Linux platform.

Please provide any additional information below.
Related?: https://code.google.com/p/googleappengine/issues/detail?id=9045

I think it might be a bug with the API itself.

I was playing with Goauth2 over JWT following the example but every time i 
tried the  config the auth server exploded with a "400 bad request"

After looking at the NewToken code itself it expresses that the argument  must 
be the isa but in the example used with my secret.json(downloaded from google 
cloud api access) file the correct parameter must be the "client_id" not the 
"client_email" (which come empty in my secret.json) after that the example 
worked and i can interact with the google api.


why the such difference ?

If you look at the code:hm 
ttps://code.google.com/p/goauth2/source/browse/appengine/serviceaccount/servicea
ccount.go#45

There is no way to set the Deadline to be anything more than 5 seconds (0 is 5 
seconds by default in GAE).

This is a problem if you are using this client to upload larger files to Cloud 
Storage, as it can take longer than 5 seconds. 

I'm wondering if we should have an implementation of `NewClientWithTransport(c 
appengine.Context, t urlfetech.Transport, scopes ...string) (*http.Client, 
error)`

In which you can pass through a custom urlfetch.Transport, and can control 
aspects such as Deadline etc.

The other option (I can see) is to make serviceaccount.transport public, so you 
can cast to it, and pull out the public Transport property from that type (but 
IMHO the above solution is better) 

What steps will reproduce the problem?

try oauth with soundcloud api (https://api.soundcloud.com), after user accepts,
exchange provided code for soundcloud access_token with Transport.Exchange()

What is the expected output? What do you see instead?

Expected: getting the access token from Soundcoud
Getting Error 401 invalid client id

What version of the product are you using? On what operating system?

afe77d958c70 on OSX Yosemite

Please provide any additional information below.

Same issue as #39 for instagram, solution is to add soundcloud's base API URL 
to providerAuthHeaderWorks. See patch attached.

What steps will reproduce the problem?
1. Create a sample program that uses service accounts (e.g. 
https://gist.github.com/paddyforan/2522952517381aedc3ff)
2. Run said program from inside a Docker container

What is the expected output? What do you see instead?

The test program above should output a list of objects in a given GCS bucket. 
Instead, it returns the following error:

Get http://metadata/computeMetadata/v1/instance/service-accounts/default/token: 
dial tcp: lookup metadata: no such host

What version of the product are you using? On what operating system?

afe77d958c70, on CoreOS 410.2.0 in Google Compute Engine, on Docker with the 
following versions:

Client version: 1.1.2
Client API version: 1.13
Go version (client): go1.2
Git commit (client): d84a070
Server version: 1.1.2
Server API version: 1.13
Go version (server): go1.2
Git commit (server): d84a070

Please provide any additional information below.

I've successfully worked around this issue by vendoring the serviceaccount.go 
file, changing the metadataServer constant to "metadata.google.internal", and 
changing "serviceaccount.NewClient" to "NewClient". Obviously, this forking is 
undesirable and merging in a change upstream would be a preferable path forward.

Support http://tools.ietf.org/html/rfc6749#section-4.4

I have uploaded my current code to https://codereview.appspot.com/103240043 
please review.