luci: go.chromium.org/luci/common/gcloud/googleoauth

package googleoauth

import "go.chromium.org/luci/common/gcloud/googleoauth"

Package googleoauth contains some helpers related to Google OAuth2.

Index

Package Files

doc.go info.go token.go

Constants

const (
    // TokeninfoEndpoint is Google's token info endpoint.
    TokeninfoEndpoint = "https://www.googleapis.com/oauth2/v3/tokeninfo"
)

Variables

var ErrBadToken = errors.New("bad token")

ErrBadToken is returned by GetTokenInfo if the passed token is invalid.

func GetAccessToken

func GetAccessToken(c context.Context, params JwtFlowParams) (*oauth2.Token, error)

GetAccessToken grabs an access token using a JWT as an authorization grant.

It performs the same kind of flow as when using a regular service account private key, except that it allows any Signer implementation (not necessarily based on local crypto). This is particularly helpful when using the 'signBlob' IAM API to sign JWTs, since it allows minting an access token for accounts we don't have private keys for (but for which we hold the "roles/iam.serviceAccountActor" role).

The returned token usually has a 1 hour lifetime.

Transient errors are not retried. Signing and HTTP connection errors are returned as is. Unsuccessful HTTP requests result in a *googleapi.Error.

type JwtFlowParams

type JwtFlowParams struct {
    // ServiceAccount is a service account name to get an access token for.
    ServiceAccount string

    // Signer signs JWTs with a private key owned by the service account.
    Signer Signer

    // Scopes is a list of OAuth2 scopes to claim.
    Scopes []string

    // Client is a non-authenticating client to use for the exchange.
    //
    // If not set, http.DefaultClient will be used.
    Client *http.Client
    // contains filtered or unexported fields
}

JwtFlowParams describes how to perform a GetAccessToken call.

type Signer

type Signer interface {
    // SignJWT signs the claim set with some active private key to produce a JWT.
    SignJWT(c context.Context, serviceAccount string, cs *iam.ClaimSet) (keyName, signedJwt string, err error)
}

Signer knows how to sign JWTs with a private key owned by a service account.

type TokenInfo

type TokenInfo struct {
    Azp           string `json:"azp"`
    Aud           string `json:"aud"`
    Sub           string `json:"sub"`
    Scope         string `json:"scope"`
    Exp           int64  `json:"exp,string"`
    ExpiresIn     int64  `json:"expires_in,string"`
    Email         string `json:"email"`
    EmailVerified bool   `json:"email_verified,string"`
    AccessType    string `json:"access_type"`
}

TokenInfo is information about an access or ID token.

Of primary importance are the 'email', 'email_verified', 'scope' and 'aud' fields. If the caller is using the token info endpoint to validate tokens, it MUST check the correctness of these fields.

func GetTokenInfo

func GetTokenInfo(c context.Context, params TokenInfoParams) (*TokenInfo, error)

GetTokenInfo queries the token info endpoint and returns information about the token if it is recognized.

See https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint.

On an invalid token (as indicated by a 4** HTTP response) it returns ErrBadToken. On other HTTP-level errors (e.g. HTTP 500) it returns a transient-wrapped *googleapi.Error. Network-level errors are returned in a transient wrapper.
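As an added example (not code from the luci package), the check that the TokenInfo doc above requires of any caller validating tokens through the endpoint: the response body is decoded into a copy of the relevant TokenInfo fields (so the file builds without the luci module) and 'aud', 'email_verified', 'scope' and 'exp' are verified against caller expectations. The JSON body, the client ID and the scope list are constructed values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenInfo mirrors the googleoauth.TokenInfo fields this check needs (copied so
// the file builds without luci); `,string` tags match the endpoint's quoted values.
type TokenInfo struct {
	Aud           string `json:"aud"`
	Scope         string `json:"scope"`
	Exp           int64  `json:"exp,string"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified,string"`
}

// ValidateTokenInfo decodes a raw tokeninfo JSON body and applies the checks the
// package doc requires of callers: aud, email_verified, scope and expiry.
func ValidateTokenInfo(body []byte, wantAud string, wantScopes []string, now time.Time) (*TokenInfo, error) {
	var ti TokenInfo
	if err := json.Unmarshal(body, &ti); err != nil {
		return nil, err
	}
	if ti.Aud != wantAud { // token was minted for some other client
		return nil, errors.New("aud mismatch")
	}
	if ti.Email == "" || !ti.EmailVerified {
		return nil, errors.New("email missing or not verified")
	}
	for _, s := range wantScopes { // scope is a space separated list
		if !strings.Contains(" "+ti.Scope+" ", " "+s+" ") {
			return nil, errors.New("missing required scope " + s)
		}
	}
	if ti.Exp <= now.Unix() {
		return nil, errors.New("token expired")
	}
	return &ti, nil
}
// SampleBody is a constructed tokeninfo response, not real endpoint output.
const SampleBody = `{"aud":"123.apps.googleusercontent.com","scope":"openid email","exp":"1534262400","email":"user@example.com","email_verified":"true"}`

func main() {
	ti, err := ValidateTokenInfo([]byte(SampleBody), "123.apps.googleusercontent.com", []string{"email"}, time.Unix(1534262000, 0))
	fmt.Println(ti != nil, err) // true <nil>
}
```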

type TokenInfoParams

type TokenInfoParams struct {
    AccessToken string // an access token to check
    IDToken     string // an ID token to check (overrides AccessToken)

    Client   *http.Client // non-authenticating client to use for the call
    Endpoint string       // an endpoint to use instead of the default one
}

TokenInfoParams are parameters for a GetTokenInfo call.

Package googleoauth imports 15 packages and is imported by 9 packages. Updated 2018-08-14.