From 5fd42413edb3b1699004a31b72e485e0e4ba1b13 Mon Sep 17 00:00:00 2001 From: Carl Lundin Date: Fri, 10 May 2024 13:56:44 -0700 Subject: [PATCH 01/13] google: update compute token refresh The shortest MDS token cache time is 4 minutes. The refresh window is updated to 3 minutes and 45 seconds to give the MDS time to update it's cache. This should make slow refreshes less likely to cause failures. Done in https://github.com/googleapis/google-cloud-go/pull/9139 for the other auth library. Change-Id: Ifa353248197d8998e6b0363d1f2821b45a0e6495 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/584815 Auto-Submit: Cody Oss TryBot-Bypass: Cody Oss Run-TryBot: Cody Oss TryBot-Result: Gopher Robot Reviewed-by: Cody Oss --- google/google.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/google/google.go b/google/google.go index ba931c2c3..7b82e7a08 100644 --- a/google/google.go +++ b/google/google.go @@ -252,7 +252,10 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar // Further information about retrieving access tokens from the GCE metadata // server can be found at https://cloud.google.com/compute/docs/authentication. func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource { - return computeTokenSource(account, 0, scope...) + // refresh 3 minutes and 45 seconds early. The shortest MDS cache is currently 4 minutes, so any + // refreshes earlier are a waste of compute. + earlyExpirySecs := 225 * time.Second + return computeTokenSource(account, earlyExpirySecs, scope...) } func computeTokenSource(account string, earlyExpiry time.Duration, scope ...string) oauth2.TokenSource { From 6d8340f1c53c54333dc5f280d68732afd4d05113 Mon Sep 17 00:00:00 2001 
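Review bot: `earlyExpirySecs` in ComputeTokenSource holds a `time.Duration`, not a count of seconds, so the `Secs` suffix on the new local misleads the reader; `earlyExpiry := 225 * time.Second`, matching the parameter name of computeTokenSource on the hunk's last line, reads better (a package-level `const` would also let the value be referenced from tests). The attached comment gives only the efficiency reason, while the commit message gives the functional one, that the MDS needs time to refresh its own cache, which is the part a future maintainer must not break; I'd extend the comment to `// Refresh 3m45s early: the MDS caches tokens for at least 4 minutes, so this gives it time to update its cache before ours expires, and refreshing any earlier only repeats the same cached token.` The body of computeTokenSource lies outside the hunk.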
From: Russ Cox Date: Tue, 16 Jul 2024 11:35:21 -0400 Subject: [PATCH 02/13] LICENSE: update per Google Legal Very minor tweaks: - Remove (c) pseudosymbol. - Remove "All Rights Reserved." - Change "Google Inc." (no longer exists) to "Google LLC". [git-generate] echo ' ,s/\(c\) // ,s/ All rights reserved.// ,s/Google Inc./Google LLC/ w q ' | sam -d LICENSE Change-Id: I75efc3e2705b75748034e46a093bb71cb40eee5b Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/598580 Auto-Submit: Russ Cox LUCI-TryBot-Result: Go LUCI Reviewed-by: Ian Lance Taylor --- LICENSE | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 6a66aea5e..2a7cf70da 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2009 The Go Authors. All rights reserved. +Copyright 2009 The Go Authors. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are @@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer. copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - * Neither the name of Google Inc. nor the names of its + * Neither the name of Google LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. From b52af7d5b4e39d5bb1ee067d8aa110fcce9e4cc7 Mon Sep 17 00:00:00 2001 
From: M Hickford Date: Tue, 23 Jul 2024 15:23:42 +0000 Subject: [PATCH 03/13] endpoints: add GitLab DeviceAuthURL See GitLab documentation https://docs.gitlab.com/ee/api/oauth2.html#device-authorization-grant-flow. Change-Id: Ideffbfcb67e0b25251a0b18148e57eab43124d37 GitHub-Last-Rev: 6ecd45efff1a39fa7f31da96be70243b6029d16f GitHub-Pull-Request: golang/oauth2#733 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/600095 TryBot-Result: Gopher Robot Run-TryBot: Matt Hickford Reviewed-by: Matt Hickford Reviewed-by: Michael Knyszek Reviewed-by: David Chase TryBot-Bypass: Matt Hickford LUCI-TryBot-Result: Go LUCI --- endpoints/endpoints.go | 5 +++-- gitlab/gitlab.go | 7 ++----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go index 89ed30f2a..950754ce4 100644 --- a/endpoints/endpoints.go +++ b/endpoints/endpoints.go @@ -62,8 +62,9 @@ var GitHub = oauth2.Endpoint{ // GitLab is the endpoint for GitLab. var GitLab = oauth2.Endpoint{ - AuthURL: "https://gitlab.com/oauth/authorize", - TokenURL: "https://gitlab.com/oauth/token", + AuthURL: "https://gitlab.com/oauth/authorize", + TokenURL: "https://gitlab.com/oauth/token", + DeviceAuthURL: "https://gitlab.com/oauth/authorize_device", } // Google is the endpoint for Google. diff --git a/gitlab/gitlab.go b/gitlab/gitlab.go index 1231d75ac..aea2dfe50 100644 --- a/gitlab/gitlab.go +++ b/gitlab/gitlab.go @@ -6,11 +6,8 @@ package gitlab // import "golang.org/x/oauth2/gitlab" import ( - "golang.org/x/oauth2" + "golang.org/x/oauth2/endpoints" ) // Endpoint is GitLab's OAuth 2.0 endpoint. -var Endpoint = oauth2.Endpoint{ - AuthURL: "https://gitlab.com/oauth/authorize", - TokenURL: "https://gitlab.com/oauth/token", -} +var Endpoint = endpoints.GitLab From 16a9973a41c72ea3e252e9c14be34fcaa2928211 Mon Sep 17 00:00:00 2001 
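Review bot: In gitlab/gitlab.go the `Endpoint` doc comment is unchanged although the variable now aliases `endpoints.GitLab` and therefore picks up the new `DeviceAuthURL`, which callers of this package have not seen before; the comment should say where the value now lives so that the two declarations are not edited independently, e.g. `// Endpoint is GitLab's OAuth 2.0 endpoint. It is the same value as endpoints.GitLab, which is the canonical definition.` The endpoints.go hunk in this patch is fine as written; the device-authorization URL is consistent with the other two.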
From: Ian Lance Taylor Date: Mon, 19 Aug 2024 17:06:17 -0700 Subject: [PATCH 04/13] jwt: rename example to avoid vet error After CL 603476 we were getting jwt/example_test.go:13:1: ExampleJWTConfig refers to unknown identifier: JWTConfig Change-Id: I51bcd06a50a852150eb6e42743431207ee00300f Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/606878 LUCI-TryBot-Result: Go LUCI Reviewed-by: Cherry Mui Auto-Submit: Ian Lance Taylor Reviewed-by: Alan Donovan --- jwt/example_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jwt/example_test.go b/jwt/example_test.go index 58503d80d..c99b8767f 100644 --- a/jwt/example_test.go +++ b/jwt/example_test.go @@ -10,7 +10,7 @@ import ( "golang.org/x/oauth2/jwt" ) -func ExampleJWTConfig() { +func ExampleConfig() { ctx := context.Background() conf := &jwt.Config{ Email: "xxx@developer.com", From 3e6480915d39dd1a80fa460e56413857f02cc1b9 Mon Sep 17 00:00:00 2001 From: andig Date: Thu, 15 Aug 2024 19:02:01 +0200 Subject: [PATCH 05/13] x/oauth2: add Token.ExpiresIn Fixes golang/go#61417 Change-Id: Ib8599f39b4839bf6eed021217350195ad36d1631 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/605955 Reviewed-by: Ian Lance Taylor Auto-Submit: Ian Lance Taylor Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI --- token.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/token.go b/token.go index 5bbb33217..109997d77 100644 --- a/token.go +++ b/token.go 
@@ -49,6 +49,13 @@ type Token struct { // mechanisms for that TokenSource will not be used. Expiry time.Time `json:"expiry,omitempty"` + // ExpiresIn is the OAuth2 wire format "expires_in" field, + // which specifies how many seconds later the token expires, + // relative to an unknown time base approximately around "now". + // It is the application's responsibility to populate + // `Expiry` from `ExpiresIn` when required. + ExpiresIn int64 `json:"expires_in,omitempty"` + // raw optionally contains extra metadata from the server // when updating a token. raw interface{} From 22134a41033e44c2cd074106770ab5b7ca910d15 Mon Sep 17 00:00:00 2001 From: Ian Lance Taylor Date: Thu, 31 Oct 2024 15:37:21 -0700 Subject: [PATCH 06/13] README: don't recommend go get These days people will just import the packages and the go tool will do the right thing. We don't need to explain it. Add a pointer to the git repo, though. For golang/go#62645 Change-Id: Ib6a6fb8989df8071b20d50de446d05b270c1f1ae Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/624195 Commit-Queue: Ian Lance Taylor LUCI-TryBot-Result: Go LUCI Reviewed-by: Cody Oss Reviewed-by: Ian Lance Taylor Auto-Submit: Ian Lance Taylor --- README.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 781770c20..48dbb9d84 100644 --- a/README.md +++ b/README.md @@ -5,15 +5,6 @@ oauth2 package contains a client implementation for OAuth 2.0 spec. -## Installation - -~~~~ -go get golang.org/x/oauth2 -~~~~ - -Or you can manually git clone the repository to -`$(go env GOPATH)/src/golang.org/x/oauth2`. - See pkg.go.dev for further documentation and examples. * [pkg.go.dev/golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) 
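Review bot: The comment on the new `ExpiresIn` field says populating `Expiry` is the application's responsibility but leaves out the consequence of forgetting it: the tail of the `Expiry` comment visible just above indicates that a zero `Expiry` disables the library's expiry handling, so a caller who decodes only `expires_in` ends up with a token the library keeps treating as usable after it has lapsed. If that reading is right, one more sentence closes the gap: `// The library never reads ExpiresIn itself; a Token with ExpiresIn set but a zero Expiry is treated as having no expiry.` The comment also wraps `Expiry` and `ExpiresIn` in Markdown backticks, which Go doc comments do not render; plain identifiers or `[Expiry]` doc links are the convention. The Token struct begins before and ends after this hunk.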
@@ -33,7 +24,11 @@ The main issue tracker for the oauth2 repository is located at https://github.com/golang/oauth2/issues. This repository uses Gerrit for code changes. To learn how to submit changes to -this repository, see https://golang.org/doc/contribute.html. In particular: +this repository, see https://go.dev/doc/contribute. + +The git repository is https://go.googlesource.com/oauth2. + +Note: * Excluding trivial changes, all contributions should be connected to an existing issue. * API changes must go through the [change proposal process](https://go.dev/s/proposal-process) before they can be accepted. From 49a531d12a9ad6fa9f5a070d577ac752ada772c9 Mon Sep 17 00:00:00 2001 From: cuishuang Date: Thu, 2 Jan 2025 20:08:14 +0800 Subject: [PATCH 07/13] all: make method and struct comments match the names Change-Id: I9fd025393acc12da59fdac1c416563324cd26af1 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/639695 Auto-Submit: Dmitri Shuralyov Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov --- clientcredentials/clientcredentials.go | 2 +- google/externalaccount/aws.go | 2 +- google/externalaccount/basecredentials.go | 2 +- oauth2.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/clientcredentials/clientcredentials.go b/clientcredentials/clientcredentials.go index 2459d069f..51121a3d5 100644 --- a/clientcredentials/clientcredentials.go +++ b/clientcredentials/clientcredentials.go @@ -37,7 +37,7 @@ type Config struct { // URL. This is a constant specific to each server. TokenURL string - // Scope specifies optional requested permissions. + // Scopes specifies optional requested permissions. Scopes []string // EndpointParams specifies additional parameters for requests to the token endpoint. diff --git a/google/externalaccount/aws.go b/google/externalaccount/aws.go index ca27c2e98..55d59999e 100644 --- a/google/externalaccount/aws.go +++ b/google/externalaccount/aws.go 
@@ -28,7 +28,7 @@ import ( // AwsSecurityCredentials models AWS security credentials. type AwsSecurityCredentials struct { - // AccessKeyId is the AWS Access Key ID - Required. + // AccessKeyID is the AWS Access Key ID - Required. AccessKeyID string `json:"AccessKeyID"` // SecretAccessKey is the AWS Secret Access Key - Required. SecretAccessKey string `json:"SecretAccessKey"` diff --git a/google/externalaccount/basecredentials.go b/google/externalaccount/basecredentials.go index 6c81a6872..ee34924e3 100644 --- a/google/externalaccount/basecredentials.go +++ b/google/externalaccount/basecredentials.go @@ -329,7 +329,7 @@ type SubjectTokenSupplier interface { type AwsSecurityCredentialsSupplier interface { // AwsRegion should return the AWS region or an error. AwsRegion(ctx context.Context, options SupplierOptions) (string, error) - // GetAwsSecurityCredentials should return a valid set of AwsSecurityCredentials or an error. + // AwsSecurityCredentials should return a valid set of AwsSecurityCredentials or an error. // The external account token source does not cache the returned security credentials, so caching // logic should be implemented in the supplier to prevent multiple requests for the same security credentials. AwsSecurityCredentials(ctx context.Context, options SupplierOptions) (*AwsSecurityCredentials, error) diff --git a/oauth2.go b/oauth2.go index 09f6a49b8..74f052aa9 100644 --- a/oauth2.go +++ b/oauth2.go @@ -56,7 +56,7 @@ type Config struct { // the OAuth flow, after the resource owner's URLs. RedirectURL string - // Scope specifies optional requested permissions. + // Scopes specifies optional requested permissions. Scopes []string // authStyleCache caches which auth style to use when Endpoint.AuthStyle is From b9c813be7d0ec3262d46deb8677ba5cda93d95ec Mon Sep 17 00:00:00 2001 
From: Chris Smith Date: Thu, 16 Jan 2025 16:56:53 -0700 Subject: [PATCH 08/13] google: add warning about externally-provided credentials Change-Id: Ic2ce6e9c3ed735f4fc6d78a22cf0d5e95fca91a1 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/643158 TryBot-Result: Gopher Robot Reviewed-by: Sai Sunder Srinivasan Run-TryBot: Cody Oss LUCI-TryBot-Result: Go LUCI Reviewed-by: Cody Oss --- google/default.go | 12 +++++++++ google/externalaccount/basecredentials.go | 32 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/google/default.go b/google/default.go index df958359a..0260935ba 100644 --- a/google/default.go +++ b/google/default.go @@ -251,6 +251,12 @@ func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials // a Google Developers service account key file, a gcloud user credentials file (a.k.a. refresh // token JSON), or the JSON configuration file for workload identity federation in non-Google cloud // platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation). +// +// Important: If you accept a credential configuration (credential JSON/File/Stream) from an +// external source for authentication to Google Cloud Platform, you must validate it before +// providing it to any Google API or library. Providing an unvalidated credential configuration to +// Google APIs can compromise the security of your systems and data. For more information, refer to +// [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params CredentialsParams) (*Credentials, error) { // Make defensive copy of the slices in params. params = params.deepCopy() 
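Review bot: The warning added to CredentialsFromJSONWithParams tells callers to validate an externally-sourced credential configuration but not what makes an unvalidated one dangerous, so a reader cannot tell what to check; the same paragraph recurs on CredentialsFromJSON in the next hunk and four times inside CredentialSource in google/externalaccount/basecredentials.go. The field comments in that struct already state the reason: the configuration names a file this library reads, a URL it fetches and an executable it runs. One concrete sentence, `// A credential configuration decides which file is read, which URL is fetched and which program is executed by this library, so one from an untrusted source must not be used until those values have been checked.`, gives the reader something to act on, and the link can then follow it. The function body continues beyond the hunk.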
@@ -294,6 +300,12 @@ func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params } // CredentialsFromJSON invokes CredentialsFromJSONWithParams with the specified scopes. +// +// Important: If you accept a credential configuration (credential JSON/File/Stream) from an +// external source for authentication to Google Cloud Platform, you must validate it before +// providing it to any Google API or library. Providing an unvalidated credential configuration to +// Google APIs can compromise the security of your systems and data. For more information, refer to +// [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error) { var params CredentialsParams params.Scopes = scopes diff --git a/google/externalaccount/basecredentials.go b/google/externalaccount/basecredentials.go index ee34924e3..fc106347d 100644 --- a/google/externalaccount/basecredentials.go +++ b/google/externalaccount/basecredentials.go 
@@ -278,20 +278,52 @@ type Format struct { type CredentialSource struct { // File is the location for file sourced credentials. // One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question. + // + // Important: If you accept a credential configuration (credential + // JSON/File/Stream) from an external source for authentication to Google + // Cloud Platform, you must validate it before providing it to any Google + // API or library. Providing an unvalidated credential configuration to + // Google APIs can compromise the security of your systems and data. For + // more information, refer to [Validate credential configurations from + // external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). File string `json:"file"` // Url is the URL to call for URL sourced credentials. // One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question. + // + // Important: If you accept a credential configuration (credential + // JSON/File/Stream) from an external source for authentication to Google + // Cloud Platform, you must validate it before providing it to any Google + // API or library. Providing an unvalidated credential configuration to + // Google APIs can compromise the security of your systems and data. For + // more information, refer to [Validate credential configurations from + // external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). URL string `json:"url"` // Headers are the headers to attach to the request for URL sourced credentials. Headers map[string]string `json:"headers"` // Executable is the configuration object for executable sourced credentials. // One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question. 
+ // + // Important: If you accept a credential configuration (credential + // JSON/File/Stream) from an external source for authentication to Google + // Cloud Platform, you must validate it before providing it to any Google + // API or library. Providing an unvalidated credential configuration to + // Google APIs can compromise the security of your systems and data. For + // more information, refer to [Validate credential configurations from + // external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). Executable *ExecutableConfig `json:"executable"` // EnvironmentID is the EnvironmentID used for AWS sourced credentials. This should start with "AWS". // One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question. + // + // Important: If you accept a credential configuration (credential + // JSON/File/Stream) from an external source for authentication to Google + // Cloud Platform, you must validate it before providing it to any Google + // API or library. Providing an unvalidated credential configuration to + // Google APIs can compromise the security of your systems and data. For + // more information, refer to [Validate credential configurations from + // external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). EnvironmentID string `json:"environment_id"` // RegionURL is the metadata URL to retrieve the region from for EC2 AWS credentials. RegionURL string `json:"region_url"` From 314ee5b92bf23c4973aa8e61eba3ff458e80eef2 Mon Sep 17 00:00:00 2001 
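Review bot: The identical eight-line warning is pasted under File, URL, Executable and EnvironmentID in CredentialSource, which quadruples the maintenance surface for text that applies to the configuration as a whole rather than to any single field; stating it once in the doc comment of the `CredentialSource` type (the `type CredentialSource struct {` line is the hunk's first context line) and keeping the per-field comments to their one-line purpose would read better and stay in sync. Headers and RegionURL, which are externally supplied parts of the same configuration, carry no warning at all after this change, which the type-level placement would also cover. The struct continues past the end of the hunk.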
From: GHOST Date: Mon, 3 Feb 2025 18:28:31 +0000 Subject: [PATCH 09/13] endpoints: add patreon endpoint Adds the patreon endpoints from their documentation. https://docs.patreon.com/#oauth. I've tested these thoroughly whilst making a pr to pocketbase. https://github.com/pocketbase/pocketbase/pull/3323. Change-Id: I023871a4340ee4ebcba9fd808d4a8f0c081fc10e GitHub-Last-Rev: 890ef056bd78d109e0ecc464263f9e85586e3f7d GitHub-Pull-Request: golang/oauth2#668 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/528640 Reviewed-by: Cherry Mui Reviewed-by: Carlos Amedee Reviewed-by: Jorropo Auto-Submit: Jorropo LUCI-TryBot-Result: Go LUCI --- endpoints/endpoints.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go index 950754ce4..0d8cf64ae 100644 --- a/endpoints/endpoints.go +++ b/endpoints/endpoints.go @@ -146,6 +146,12 @@ var Odnoklassniki = oauth2.Endpoint{ TokenURL: "https://api.odnoklassniki.ru/oauth/token.do", } +// Patreon is the endpoint for Patreon. +var Patreon = oauth2.Endpoint{ + AuthURL: "https://www.patreon.com/oauth2/authorize", + TokenURL: "https://www.patreon.com/api/oauth2/token", +} + // PayPal is the endpoint for PayPal. var PayPal = oauth2.Endpoint{ AuthURL: "https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize", From ac571fa341c2a2b979d2b2c8341fd24767ef5d47 Mon Sep 17 00:00:00 2001 
From: Patrik Lundin Date: Thu, 13 Feb 2025 07:38:29 +0000 Subject: [PATCH 10/13] oauth2: fix docs for Config.DeviceAuth Config.DeviceAccess should be Config.DeviceAuth when using GenerateVerifier() or S256ChallengeOption() Change-Id: Ie21a808387f731d270ae54ea1705de3e786cad7f GitHub-Last-Rev: 2d6b4fd736ce785cc1675b1963be165529b09b1f GitHub-Pull-Request: golang/oauth2#763 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/636216 Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI Auto-Submit: Jorropo Reviewed-by: Jorropo --- pkce.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkce.go b/pkce.go index 50593b6df..6a95da975 100644 --- a/pkce.go +++ b/pkce.go @@ -21,7 +21,7 @@ const ( // // A fresh verifier should be generated for each authorization. // S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL -// (or Config.DeviceAccess) and VerifierOption(verifier) to Config.Exchange +// (or Config.DeviceAuth) and VerifierOption(verifier) to Config.Exchange // (or Config.DeviceAccessToken). func GenerateVerifier() string { // "RECOMMENDED that the output of a suitable random number generator be @@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string { } // S256ChallengeOption derives a PKCE code challenge derived from verifier with -// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAccess +// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAuth // only. func S256ChallengeOption(verifier string) AuthCodeOption { return challengeOption{ From 109dabf9017129171d1807e485ca5633ecd095ac Mon Sep 17 00:00:00 2001 
From: Hamza Ali Date: Thu, 13 Feb 2025 15:41:44 +0000 Subject: [PATCH 11/13] endpoints: add links/provider for Discord Endpoints are provided from https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-urls. Change-Id: I7bcc8b4cb5527959acb8f177ffb8bbafbe727e82 GitHub-Last-Rev: 6869fc3f48c79750a9ab40276be08197300955cf GitHub-Pull-Request: golang/oauth2#768 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/649115 Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui Reviewed-by: Dmitri Shuralyov Auto-Submit: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI --- endpoints/endpoints.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go index 0d8cf64ae..d6e575e1f 100644 --- a/endpoints/endpoints.go +++ b/endpoints/endpoints.go @@ -35,6 +35,12 @@ var Cern = oauth2.Endpoint{ TokenURL: "https://oauth.web.cern.ch/OAuth/Token", } +// Discord is the endpoint for Discord. +var Discord = oauth2.Endpoint{ + AuthURL: "https://discord.com/oauth2/authorize", + TokenURL: "https://discord.com/api/oauth2/token", +} + // Facebook is the endpoint for Facebook. var Facebook = oauth2.Endpoint{ AuthURL: "https://www.facebook.com/v3.2/dialog/oauth", From 3f78298beea38fb76a3fbca33e3056f4b7eb5502 Mon Sep 17 00:00:00 2001 From: Gopher Robot Date: Fri, 14 Feb 2025 21:12:09 +0000 Subject: [PATCH 12/13] all: upgrade go directive to at least 1.23.0 [generated] By now Go 1.24.0 has been released, and Go 1.22 is no longer supported per the Go Release Policy (https://go.dev/doc/devel/release#policy). For golang/go#69095. [git-generate] (cd . && go get go@1.23.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none) Change-Id: I718ce0afa60729aeb89396db2b559faf03b90a68 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/649795 Auto-Submit: Gopher Robot Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/go.mod b/go.mod index d73aa6996..da302fb45 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module golang.org/x/oauth2 -go 1.18 +go 1.23.0 require ( cloud.google.com/go/compute/metadata v0.3.0 From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001 From: Neal Patel Date: Thu, 30 Jan 2025 14:10:09 -0500 Subject: [PATCH 13/13] jws: split token into fixed number of parts Thanks to 'jub0bs' for reporting this issue. Fixes #71490 Fixes CVE-2025-22868 Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 Auto-Submit: Gopher Robot Reviewed-by: Damien Neil Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI --- jws/jws.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jws/jws.go b/jws/jws.go index 95015648b..6f03a49d3 100644 --- a/jws/jws.go +++ b/jws/jws.go @@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { // Verify tests whether the provided JWT token's signature was produced by the private key // associated with the supplied public key. func Verify(token string, key *rsa.PublicKey) error { - parts := strings.Split(token, ".") - if len(parts) != 3 { + if strings.Count(token, ".") != 2 { return errors.New("jws: invalid token received, token must have 3 parts") } + parts := strings.SplitN(token, ".", 3) signedContent := parts[0] + "." + parts[1] signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) if err != nil {
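Review bot: The new `strings.Count` guard in Verify has no comment explaining why it replaces the more obvious `len(parts) != 3` check, so a later reader may well "simplify" it back to `strings.Split`; the reason, bounding the split to a fixed three parts regardless of how many separators the input carries, belongs next to the code. I'd add above the `if`: `// Count first and SplitN with a fixed limit: a plain Split allocates a slice entry per separator, so an untrusted token with many dots costs memory proportional to its size (CVE-2025-22868).` The rest of Verify's body, and the Encode function named in the hunk header, lie outside the hunk.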