google: Add support for OAuth2 token exchange over mTLS

andyrzhao · shinfan · commit 885f294722ca · 2023-03-03T18:55:16.000Z
With Context Aware Access enabled, users must use the endpoint "https://oauth2.mtls.googleapis.com/token" for token exchange. This PR adds support for runtime configuration of the OAuth2 token endpoint (as determined by the caller). If using the mTLS oauth2 endpoint, the caller will also need to specify an mTLS-enabled HTTPClient via the "context" mechanism for use by the OAuth2 transport. Change-Id: Ic83342ec1d224d3acdabf00d863249330424fc54 GitHub-Last-Rev: 07e4849 GitHub-Pull-Request: #630 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/470396 Run-TryBot: Matthew Hickford <hickford@google.com> Reviewed-by: Shin Fan <shinfan@google.com> Run-TryBot: Shin Fan <shinfan@google.com> Reviewed-by: Matthew Hickford <hickford@google.com> Reviewed-by: Andy Zhao <andyzhao@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/google/default.go b/google/default.go
@@ -62,6 +62,10 @@ type CredentialsParams struct {
 
 	// PKCE is used to support PKCE flow. Optional for 3LO flow.
 	PKCE *authhandler.PKCEParams
+
+	// The OAuth2 TokenURL default override. This value overrides the default TokenURL,
+	// unless explicitly specified by the credentials config file. Optional.
+	TokenURL string
 }
 
 func (params CredentialsParams) deepCopy() CredentialsParams {
diff --git a/google/google.go b/google/google.go
@@ -26,6 +26,9 @@ var Endpoint = oauth2.Endpoint{
 	AuthStyle: oauth2.AuthStyleInParams,
 }
 
+// MTLSTokenURL is Google's OAuth 2.0 default mTLS endpoint.
+const MTLSTokenURL = "https://oauth2.mtls.googleapis.com/token"
+
 // JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
 const JWTTokenURL = "https://oauth2.googleapis.com/token"
 
@@ -172,7 +175,11 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 			cfg.Endpoint.AuthURL = Endpoint.AuthURL
 		}
 		if cfg.Endpoint.TokenURL == "" {
-			cfg.Endpoint.TokenURL = Endpoint.TokenURL
+			if params.TokenURL != "" {
+				cfg.Endpoint.TokenURL = params.TokenURL
+			} else {
+				cfg.Endpoint.TokenURL = Endpoint.TokenURL
+			}
 		}
 		tok := &oauth2.Token{RefreshToken: f.RefreshToken}
 		return cfg.TokenSource(ctx, tok), nil

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,10 @@ type CredentialsParams struct {`
`62`	`62`
`63`	`63`	`// PKCE is used to support PKCE flow. Optional for 3LO flow.`
`64`	`64`	`PKCE *authhandler.PKCEParams`
	`65`	`+`
	`66`	`+ // The OAuth2 TokenURL default override. This value overrides the default TokenURL,`
	`67`	`+ // unless explicitly specified by the credentials config file. Optional.`
	`68`	`+ TokenURL string`
`65`	`69`	`}`
`66`	`70`
`67`	`71`	`func (params CredentialsParams) deepCopy() CredentialsParams {`