authhandler: Add support for 3-legged-OAuth

Added authhandler.go, which implements a TokenSource to support "three-legged OAuth 2.0" via a custom AuthorizationHandler. Added default_authhandler.go to provide a command line implementation for AuthorizationHandler.
2021-03-09 14:05:58 -08:00
parent 04f020b1f2
commit 11059998b3
3 changed files with 65 additions and 45 deletions
--- a/authhandler/authhandler.go
+++ b/authhandler/authhandler.go
@@ -0,0 +1,51 @@
 // Copyright 2021 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package authhandler implements a TokenSource to support
 // "three-legged OAuth 2.0" via a custom AuthorizationHandler.
 package authhandler
 import (
 	"context"
 	"errors"
 	"golang.org/x/oauth2"
 )
 // AuthorizationHandler is a 3-legged-OAuth helper that
 // prompts the user for OAuth consent at the specified Auth URL
 // and returns an auth code and state upon approval.
 type AuthorizationHandler func(string) (string, string, error)
 // TokenSource returns an oauth2.TokenSource that fetches access tokens
 // using 3-legged-OAuth flow.
 //
 // The provided oauth2.Config should be a full configuration containing AuthURL,
 // TokenURL, and scope. An environment-specific AuthorizationHandler is used to
 // obtain user consent.
 //
 // Per OAuth protocol, a unique "state" string should be sent and verified
 // before exchanging auth code for OAuth token to prevent CSRF attacks.
 func TokenSource(ctx context.Context, config *oauth2.Config, authHandler AuthorizationHandler, state string) oauth2.TokenSource {
 	return oauth2.ReuseTokenSource(nil, authHandlerSource{config: config, ctx: ctx, authHandler: authHandler, state: state})
 }
 type authHandlerSource struct {
 	ctx         context.Context
 	config      *oauth2.Config
 	authHandler AuthorizationHandler
 	state       string
 }
 func (source authHandlerSource) Token() (*oauth2.Token, error) {
 	url := source.config.AuthCodeURL(source.state)
 	code, state, err := source.authHandler(url)
 	if err != nil {
 		return nil, err
 	}
 	if state == source.state {
 		return source.config.Exchange(source.ctx, code)
 	}
 	return nil, errors.New("State mismatch in 3-legged-OAuth flow.")
 }
--- a/authhandler/default_authhandler.go
+++ b/authhandler/default_authhandler.go
@@ -1,28 +1,32 @@
-// Copyright 2020 The Go Authors. All rights reserved.
+// Copyright 2021 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package google
+package authhandler
 import (
 	"fmt"
 	"github.com/google/uuid"
 )
 // RandomAuthorizationState generates a state via UUID generator.
 func RandomAuthorizationState() string {
 	return uuid.New().String()
 }
 // DefaultAuthorizationHandler returns a command line auth handler
 // that prints the auth URL on the console and prompts the user to
 // authorize in the browser and paste the auth code back via stdin.
 //
 // Per OAuth protocol, a unique "state" string should be sent and verified
 // before exchanging auth code for OAuth token to prevent CSRF attacks.
 //
 // For convenience, this handler returns a pre-configured state
 // instead of asking the user to additionally paste the state from
 // the auth response. In order for this to work, the state
-// configured here should match the one in the oauth2 AuthTokenURL.
+// configured here must match the state used in authCodeURL.
 //
 // Usage example:
 //
 // state := uuid.New().String()
 // tokenSource:= authhandler.TokenSource(ctx, conf
 //     authhandler.DefaultAuthorizationHandler(state), state)
 // pubsubService, err := pubsub.NewService(ctx,
 //     option.WithTokenSource(tokenSource))
 func DefaultAuthorizationHandler(state string) AuthorizationHandler {
 	return func(authCodeURL string) (string, string, error) {
 		return defaultAuthorizationHandlerHelper(state, authCodeURL)
--- a/google/google.go
+++ b/google/google.go
@@ -207,38 +207,3 @@ func (cs computeSource) Token() (*oauth2.Token, error) {
 		"oauth2.google.serviceAccount": acct,
 	}), nil
 }
 // AuthorizationHandler is a 3-legged-OAuth helper that
 // prompts the user for OAuth consent at the specified Auth URL
 // and returns an auth code and state upon approval.
 type AuthorizationHandler func(string) (string, string, error)
 // OAuthClientTokenSource returns an oauth2.TokenSource that fetches access tokens
 // using 3-legged-OAuth workflow.
 // The provided oauth2.Config should be a full configuration containing AuthURL,
 // TokenURL, and scope.
 // An environment-specific AuthorizationHandler is used to obtain user consent.
 // Per OAuth protocol, a unique "state" string should be sent and verified
 // before token exchange to prevent CSRF attacks.
 func OAuthClientTokenSource(ctx context.Context, config *oauth2.Config, authHandler AuthorizationHandler, state string) oauth2.TokenSource {
 	return oauth2.ReuseTokenSource(nil, oauthClientSource{config: config, ctx: ctx, authHandler: authHandler, state: state})
 }
 type oauthClientSource struct {
 	ctx         context.Context
 	config      *oauth2.Config
 	authHandler AuthorizationHandler
 	state       string
 }
 func (ocs oauthClientSource) Token() (*oauth2.Token, error) {
 	url := ocs.config.AuthCodeURL(ocs.state)
 	code, state, err := ocs.authHandler(url)
 	if err != nil {
 		return nil, err
 	}
 	if state == ocs.state {
 		return ocs.config.Exchange(ocs.ctx, code)
 	}
 	return nil, errors.New("State mismatch in OAuth workflow.")
 }