Merge branch 'golang:master' into pr

Author: nikolay-turpitko

README.md

@@ -19,7 +19,7 @@ See pkg.go.dev for further documentation and examples.
 * [pkg.go.dev/golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2)
 * [pkg.go.dev/golang.org/x/oauth2/google](https://pkg.go.dev/golang.org/x/oauth2/google)
 
-## Policy for new packages
+## Policy for new endpoints
 
 We no longer accept new provider-specific packages in this repo if all
 they do is add a single endpoint variable. If you just want to add a
@@ -29,8 +29,12 @@ package.
 
 ## Report Issues / Send Patches
 
-This repository uses Gerrit for code changes. To learn how to submit changes to
-this repository, see https://golang.org/doc/contribute.html.
-
 The main issue tracker for the oauth2 repository is located at
 https://github.com/golang/oauth2/issues.
+
+This repository uses Gerrit for code changes. To learn how to submit changes to
+this repository, see https://golang.org/doc/contribute.html. In particular:
+
+* Excluding trivial changes, all contributions should be connected to an existing issue.
+* API changes must go through the [change proposal process](https://go.dev/s/proposal-process) before they can be accepted.
+* The code owners are listed at [dev.golang.org/owners](https://dev.golang.org/owners#:~:text=x/oauth2).

clientcredentials/clientcredentials.go

@@ -47,6 +47,10 @@ type Config struct {
 	// client ID & client secret sent. The zero value means to
 	// auto-detect.
 	AuthStyle oauth2.AuthStyle
+
+	// authStyleCache caches which auth style to use when Endpoint.AuthStyle is
+	// the zero value (AuthStyleAutoDetect).
+	authStyleCache internal.LazyAuthStyleCache
 }
 
 // Token uses client credentials to retrieve a token.
@@ -103,7 +107,7 @@ func (c *tokenSource) Token() (*oauth2.Token, error) {
 		v[k] = p
 	}
 
-	tk, err := internal.RetrieveToken(c.ctx, c.conf.ClientID, c.conf.ClientSecret, c.conf.TokenURL, v, internal.AuthStyle(c.conf.AuthStyle))
+	tk, err := internal.RetrieveToken(c.ctx, c.conf.ClientID, c.conf.ClientSecret, c.conf.TokenURL, v, internal.AuthStyle(c.conf.AuthStyle), c.conf.authStyleCache.Get())
 	if err != nil {
 		if rErr, ok := err.(*internal.RetrieveError); ok {
 			return nil, (*oauth2.RetrieveError)(rErr)

clientcredentials/clientcredentials_test.go

@@ -12,8 +12,6 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"testing"
-
-	"golang.org/x/oauth2/internal"
 )
 
 func newConf(serverURL string) *Config {
@@ -114,7 +112,6 @@ func TestTokenRequest(t *testing.T) {
 }
 
 func TestTokenRefreshRequest(t *testing.T) {
-	internal.ResetAuthCache()
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.String() == "/somethingelse" {
 			return

deviceauth.go

@@ -0,0 +1,198 @@
+package oauth2
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2/internal"
+)
+
+// https://datatracker.ietf.org/doc/html/rfc8628#section-3.5
+const (
+	errAuthorizationPending = "authorization_pending"
+	errSlowDown             = "slow_down"
+	errAccessDenied         = "access_denied"
+	errExpiredToken         = "expired_token"
+)
+
+// DeviceAuthResponse describes a successful RFC 8628 Device Authorization Response
+// https://datatracker.ietf.org/doc/html/rfc8628#section-3.2
+type DeviceAuthResponse struct {
+	// DeviceCode
+	DeviceCode string `json:"device_code"`
+	// UserCode is the code the user should enter at the verification uri
+	UserCode string `json:"user_code"`
+	// VerificationURI is where user should enter the user code
+	VerificationURI string `json:"verification_uri"`
+	// VerificationURIComplete (if populated) includes the user code in the verification URI. This is typically shown to the user in non-textual form, such as a QR code.
+	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`
+	// Expiry is when the device code and user code expire
+	Expiry time.Time `json:"expires_in,omitempty"`
+	// Interval is the duration in seconds that Poll should wait between requests
+	Interval int64 `json:"interval,omitempty"`
+}
+
+func (d DeviceAuthResponse) MarshalJSON() ([]byte, error) {
+	type Alias DeviceAuthResponse
+	var expiresIn int64
+	if !d.Expiry.IsZero() {
+		expiresIn = int64(time.Until(d.Expiry).Seconds())
+	}
+	return json.Marshal(&struct {
+		ExpiresIn int64 `json:"expires_in,omitempty"`
+		*Alias
+	}{
+		ExpiresIn: expiresIn,
+		Alias:     (*Alias)(&d),
+	})
+
+}
+
+func (c *DeviceAuthResponse) UnmarshalJSON(data []byte) error {
+	type Alias DeviceAuthResponse
+	aux := &struct {
+		ExpiresIn int64 `json:"expires_in"`
+		// workaround misspelling of verification_uri
+		VerificationURL string `json:"verification_url"`
+		*Alias
+	}{
+		Alias: (*Alias)(c),
+	}
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return err
+	}
+	if aux.ExpiresIn != 0 {
+		c.Expiry = time.Now().UTC().Add(time.Second * time.Duration(aux.ExpiresIn))
+	}
+	if c.VerificationURI == "" {
+		c.VerificationURI = aux.VerificationURL
+	}
+	return nil
+}
+
+// DeviceAuth returns a device auth struct which contains a device code
+// and authorization information provided for users to enter on another device.
+func (c *Config) DeviceAuth(ctx context.Context, opts ...AuthCodeOption) (*DeviceAuthResponse, error) {
+	// https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
+	v := url.Values{
+		"client_id": {c.ClientID},
+	}
+	if len(c.Scopes) > 0 {
+		v.Set("scope", strings.Join(c.Scopes, " "))
+	}
+	for _, opt := range opts {
+		opt.setValue(v)
+	}
+	return retrieveDeviceAuth(ctx, c, v)
+}
+
+func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAuthResponse, error) {
+	if c.Endpoint.DeviceAuthURL == "" {
+		return nil, errors.New("endpoint missing DeviceAuthURL")
+	}
+
+	req, err := http.NewRequest("POST", c.Endpoint.DeviceAuthURL, strings.NewReader(v.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	t := time.Now()
+	r, err := internal.ContextClient(ctx).Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
+	if err != nil {
+		return nil, fmt.Errorf("oauth2: cannot auth device: %v", err)
+	}
+	if code := r.StatusCode; code < 200 || code > 299 {
+		return nil, &RetrieveError{
+			Response: r,
+			Body:     body,
+		}
+	}
+
+	da := &DeviceAuthResponse{}
+	err = json.Unmarshal(body, &da)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshal %s", err)
+	}
+
+	if !da.Expiry.IsZero() {
+		// Make a small adjustment to account for time taken by the request
+		da.Expiry = da.Expiry.Add(-time.Since(t))
+	}
+
+	return da, nil
+}
+
+// DeviceAccessToken polls the server to exchange a device code for a token.
+func (c *Config) DeviceAccessToken(ctx context.Context, da *DeviceAuthResponse, opts ...AuthCodeOption) (*Token, error) {
+	if !da.Expiry.IsZero() {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithDeadline(ctx, da.Expiry)
+		defer cancel()
+	}
+
+	// https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
+	v := url.Values{
+		"client_id":   {c.ClientID},
+		"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
+		"device_code": {da.DeviceCode},
+	}
+	if len(c.Scopes) > 0 {
+		v.Set("scope", strings.Join(c.Scopes, " "))
+	}
+	for _, opt := range opts {
+		opt.setValue(v)
+	}
+
+	// "If no value is provided, clients MUST use 5 as the default."
+	// https://datatracker.ietf.org/doc/html/rfc8628#section-3.2
+	interval := da.Interval
+	if interval == 0 {
+		interval = 5
+	}
+
+	ticker := time.NewTicker(time.Duration(interval) * time.Second)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-ticker.C:
+			tok, err := retrieveToken(ctx, c, v)
+			if err == nil {
+				return tok, nil
+			}
+
+			e, ok := err.(*RetrieveError)
+			if !ok {
+				return nil, err
+			}
+			switch e.ErrorCode {
+			case errSlowDown:
+				// https://datatracker.ietf.org/doc/html/rfc8628#section-3.5
+				// "the interval MUST be increased by 5 seconds for this and all subsequent requests"
+				interval += 5
+				ticker.Reset(time.Duration(interval) * time.Second)
+			case errAuthorizationPending:
+				// Do nothing.
+			case errAccessDenied, errExpiredToken:
+				fallthrough
+			default:
+				return tok, err
+			}
+		}
+	}
+}

deviceauth_test.go

@@ -0,0 +1,97 @@
+package oauth2
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+)
+
+func TestDeviceAuthResponseMarshalJson(t *testing.T) {
+	tests := []struct {
+		name     string
+		response DeviceAuthResponse
+		want     string
+	}{
+		{
+			name:     "empty",
+			response: DeviceAuthResponse{},
+			want:     `{"device_code":"","user_code":"","verification_uri":""}`,
+		},
+		{
+			name: "soon",
+			response: DeviceAuthResponse{
+				Expiry: time.Now().Add(100*time.Second + 999*time.Millisecond),
+			},
+			want: `{"expires_in":100,"device_code":"","user_code":"","verification_uri":""}`,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			begin := time.Now()
+			gotBytes, err := json.Marshal(tc.response)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if strings.Contains(tc.want, "expires_in") && time.Since(begin) > 999*time.Millisecond {
+				t.Skip("test ran too slowly to compare `expires_in`")
+			}
+			got := string(gotBytes)
+			if got != tc.want {
+				t.Errorf("want=%s, got=%s", tc.want, got)
+			}
+		})
+	}
+}
+
+func TestDeviceAuthResponseUnmarshalJson(t *testing.T) {
+	tests := []struct {
+		name string
+		data string
+		want DeviceAuthResponse
+	}{
+		{
+			name: "empty",
+			data: `{}`,
+			want: DeviceAuthResponse{},
+		},
+		{
+			name: "soon",
+			data: `{"expires_in":100}`,
+			want: DeviceAuthResponse{Expiry: time.Now().UTC().Add(100 * time.Second)},
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			begin := time.Now()
+			got := DeviceAuthResponse{}
+			err := json.Unmarshal([]byte(tc.data), &got)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if !cmp.Equal(got, tc.want, cmpopts.IgnoreUnexported(DeviceAuthResponse{}), cmpopts.EquateApproxTime(time.Second+time.Since(begin))) {
+				t.Errorf("want=%#v, got=%#v", tc.want, got)
+			}
+		})
+	}
+}
+
+func ExampleConfig_DeviceAuth() {
+	var config Config
+	ctx := context.Background()
+	response, err := config.DeviceAuth(ctx)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("please enter code %s at %s\n", response.UserCode, response.VerificationURI)
+	token, err := config.DeviceAccessToken(ctx, response)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(token)
+}

endpoints/endpoints.go

@@ -55,8 +55,9 @@ var Fitbit = oauth2.Endpoint{
 
 // GitHub is the endpoint for Github.
 var GitHub = oauth2.Endpoint{
-	AuthURL:  "https://github.com/login/oauth/authorize",
-	TokenURL: "https://github.com/login/oauth/access_token",
+	AuthURL:       "https://github.com/login/oauth/authorize",
+	TokenURL:      "https://github.com/login/oauth/access_token",
+	DeviceAuthURL: "https://github.com/login/device/code",
 }
 
 // GitLab is the endpoint for GitLab.
@@ -67,8 +68,9 @@ var GitLab = oauth2.Endpoint{
 
 // Google is the endpoint for Google.
 var Google = oauth2.Endpoint{
-	AuthURL:  "https://accounts.google.com/o/oauth2/auth",
-	TokenURL: "https://oauth2.googleapis.com/token",
+	AuthURL:       "https://accounts.google.com/o/oauth2/auth",
+	TokenURL:      "https://oauth2.googleapis.com/token",
+	DeviceAuthURL: "https://oauth2.googleapis.com/device/code",
 }
 
 // Heroku is the endpoint for Heroku.
@@ -225,8 +227,9 @@ func AzureAD(tenant string) oauth2.Endpoint {
 		tenant = "common"
 	}
 	return oauth2.Endpoint{
-		AuthURL:  "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
-		TokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
+		AuthURL:       "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize",
+		TokenURL:      "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
+		DeviceAuthURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/devicecode",
 	}
 }