forked from remote/oauth2
authhandler: Add support for 3-legged-OAuth
Added authhandler.go, which implements a TokenSource to support "three-legged OAuth 2.0" via a custom AuthorizationHandler. Added default_authhandler.go to provide a command line implementation for AuthorizationHandler.
This commit is contained in:
Andy Zhao
@@ -1,38 +0,0 @@
|
||||
// Copyright 2020 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package google
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// RandomAuthorizationState generates a state via UUID generator.
|
||||
func RandomAuthorizationState() string {
|
||||
return uuid.New().String()
|
||||
}
|
||||
|
||||
// DefaultAuthorizationHandler returns a command line auth handler
|
||||
// that prints the auth URL on the console and prompts the user to
|
||||
// authorize in the browser and paste the auth code back via stdin.
|
||||
//
|
||||
// For convenience, this handler returns a pre-configured state
|
||||
// instead of asking the user to additionally paste the state from
|
||||
// the auth response. In order for this to work, the state
|
||||
// configured here should match the one in the oauth2 AuthTokenURL.
|
||||
func DefaultAuthorizationHandler(state string) AuthorizationHandler {
|
||||
return func(authCodeURL string) (string, string, error) {
|
||||
return defaultAuthorizationHandlerHelper(state, authCodeURL)
|
||||
}
|
||||
}
|
||||
|
||||
func defaultAuthorizationHandlerHelper(state string, authCodeURL string) (string, string, error) {
|
||||
fmt.Printf("Go to the following link in your browser:\n\n %s\n\n", authCodeURL)
|
||||
fmt.Println("Enter authorization code: ")
|
||||
var code string
|
||||
fmt.Scanln(&code)
|
||||
return code, state, nil
|
||||
}
|
||||
@@ -207,38 +207,3 @@ func (cs computeSource) Token() (*oauth2.Token, error) {
|
||||
"oauth2.google.serviceAccount": acct,
|
||||
}), nil
|
||||
}
|
||||
|
||||
// AuthorizationHandler is a 3-legged-OAuth helper that
|
||||
// prompts the user for OAuth consent at the specified Auth URL
|
||||
// and returns an auth code and state upon approval.
|
||||
type AuthorizationHandler func(string) (string, string, error)
|
||||
|
||||
// OAuthClientTokenSource returns an oauth2.TokenSource that fetches access tokens
|
||||
// using 3-legged-OAuth workflow.
|
||||
// The provided oauth2.Config should be a full configuration containing AuthURL,
|
||||
// TokenURL, and scope.
|
||||
// An environment-specific AuthorizationHandler is used to obtain user consent.
|
||||
// Per OAuth protocol, a unique "state" string should be sent and verified
|
||||
// before token exchange to prevent CSRF attacks.
|
||||
func OAuthClientTokenSource(ctx context.Context, config *oauth2.Config, authHandler AuthorizationHandler, state string) oauth2.TokenSource {
|
||||
return oauth2.ReuseTokenSource(nil, oauthClientSource{config: config, ctx: ctx, authHandler: authHandler, state: state})
|
||||
}
|
||||
|
||||
type oauthClientSource struct {
|
||||
ctx context.Context
|
||||
config *oauth2.Config
|
||||
authHandler AuthorizationHandler
|
||||
state string
|
||||
}
|
||||
|
||||
func (ocs oauthClientSource) Token() (*oauth2.Token, error) {
|
||||
url := ocs.config.AuthCodeURL(ocs.state)
|
||||
code, state, err := ocs.authHandler(url)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if state == ocs.state {
|
||||
return ocs.config.Exchange(ocs.ctx, code)
|
||||
}
|
||||
return nil, errors.New("State mismatch in OAuth workflow.")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user