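// useJws signs a JWT assertion with the configured service-account key,
// exchanges it at tokenUrl via the OAuth 2.0 JWT bearer grant, and returns
// the raw JSON response body from the token endpoint.
//
// It reports an error when the key cannot be parsed, the assertion cannot be
// signed, the HTTP exchange fails, or the endpoint answers with a non-2xx
// status. The returned body contains the access token, so callers must treat
// it as a credential and keep it out of logs.
func useJws() (token string, err error) {
	pk, err := internal.ParseKey([]byte(privateKey))
	if err != nil {
		return "", err
	}
	claimSet := &jws.ClaimSet{
		Iss:   email,
		Scope: scope,
		Aud:   tokenUrl,
	}
	payload, err := jws.Encode(defaultHeader, claimSet, pk)
	if err != nil {
		return "", err
	}

	v := url.Values{}
	v.Set("grant_type", defaultGrantType)
	v.Set("assertion", payload)
	// NOTE(review): http.PostForm goes through http.DefaultClient, which has
	// no timeout; a client with a deadline is preferable outside a sample.
	resp, err := http.PostForm(tokenUrl, v)
	if err != nil {
		return "", fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	defer resp.Body.Close()

	// Cap the read so a misbehaving endpoint cannot exhaust memory.
	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	// A non-2xx reply carries an error document, not a token; surface it
	// rather than handing the caller an error body as if it were a token.
	if c := resp.StatusCode; c < 200 || c > 299 {
		return "", fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
	}
	// The body used to be echoed to stdout for debugging; that wrote the
	// bearer token into process output/logs, so it is no longer printed.
	return string(body), nil
}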
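// Token mints a self-signed JWT for the configured audience and wraps it in
// an oauth2.Token. No network round-trip is involved: the signed assertion
// itself is what callers present as the bearer token.
//
// The claim set carries iat = now and exp = now + 1h. Expiry on the returned
// token is set to that same exp so a caching TokenSource (for example
// oauth2.ReuseTokenSource, whose Token.Valid treats a zero Expiry as never
// expiring) refreshes instead of reusing an assertion the server will reject.
func (ts *jwtAccessTokenSource) Token() (*oauth2.Token, error) {
	iat := time.Now()
	exp := iat.Add(time.Hour)
	cs := &jws.ClaimSet{
		Iss: ts.email,
		Sub: ts.email,
		Aud: ts.audience,
		Iat: iat.Unix(),
		Exp: exp.Unix(),
	}
	hdr := &jws.Header{
		Algorithm: "RS256",
		Typ:       "JWT",
	}
	msg, err := jws.Encode(hdr, cs, ts.pk)
	if err != nil {
		return nil, fmt.Errorf("google: could not encode JWT: %v", err)
	}
	// Expiry mirrors the exp claim so the cached token ages out with the JWT.
	return &oauth2.Token{AccessToken: msg, Expiry: exp}, nil
}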
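// doJWT performs an authenticated request using the credentials in the service account file.
//
// It reads the service-account JSON named by the serviceAccount flag, signs a
// one-hour JWT with its private key for the sample audience, and sends a GET
// to <host>/auth/info/googlejwt with the JWT as a Bearer token. The caller
// owns the returned *http.Response and must close its Body.
func doJWT() (*http.Response, error) {
	sa, err := ioutil.ReadFile(*serviceAccount)
	if err != nil {
		return nil, fmt.Errorf("Could not read service account file: %v", err)
	}
	conf, err := google.JWTConfigFromJSON(sa)
	if err != nil {
		return nil, fmt.Errorf("Could not parse service account JSON: %v", err)
	}
	rsaKey, err := parseKey(conf.PrivateKey)
	if err != nil {
		return nil, fmt.Errorf("Could not get RSA key: %v", err)
	}

	iat := time.Now()
	exp := iat.Add(time.Hour)
	// Issuer/audience are the fixed sample values for the endpoints demo;
	// Sub and Scope are placeholders this client does not validate.
	jwt := &jws.ClaimSet{
		Iss:   "jwt-client.endpoints.sample.google.com",
		Sub:   "foo!",
		Aud:   "echo.endpoints.sample.google.com",
		Scope: "email",
		Iat:   iat.Unix(),
		Exp:   exp.Unix(),
	}
	jwsHeader := &jws.Header{
		Algorithm: "RS256",
		Typ:       "JWT",
	}
	msg, err := jws.Encode(jwsHeader, jwt, rsaKey)
	if err != nil {
		return nil, fmt.Errorf("Could not encode JWT: %v", err)
	}

	// The API key comes from a flag and is appended verbatim; a key containing
	// '&', '#' or '%' would need query escaping before being placed here.
	// NewRequest fails on a malformed host URL, so the error is no longer
	// discarded (a nil req would panic on Header.Add below).
	req, err := http.NewRequest("GET", *host+"/auth/info/googlejwt?key="+*apiKey, nil)
	if err != nil {
		return nil, fmt.Errorf("Could not build request: %v", err)
	}
	req.Header.Add("Authorization", "Bearer "+msg)
	return http.DefaultClient.Do(req)
}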
// Token builds a JWT bearer assertion from the source's config, exchanges it
// at conf.TokenURL using the JWT bearer grant, and returns the resulting
// access token. The full JSON response is attached via Token.WithExtra so
// callers can read provider-specific fields.
//
// Expiry is derived from expires_in when present; if the response also
// carries an id_token, its exp claim takes precedence. Every failure after
// key parsing is reported with an "oauth2: cannot fetch token" prefix except
// an undecodable id_token, which is reported as a JWT decoding error.
func (js jwtSource) Token() (*oauth2.Token, error) {
	key, err := internal.ParseKey(js.conf.PrivateKey)
	if err != nil {
		return nil, err
	}
	client := oauth2.NewClient(js.ctx, nil)

	claims := &jws.ClaimSet{
		Iss:   js.conf.Email,
		Scope: strings.Join(js.conf.Scopes, " "),
		Aud:   js.conf.TokenURL,
	}
	if sub := js.conf.Subject; sub != "" {
		claims.Sub = sub
		// prn is the old name of sub. Keep setting it
		// to be compatible with legacy OAuth 2.0 providers.
		claims.Prn = sub
	}
	if ttl := js.conf.Expires; ttl > 0 {
		claims.Exp = time.Now().Add(ttl).Unix()
	}
	assertion, err := jws.Encode(defaultHeader, claims, key)
	if err != nil {
		return nil, err
	}

	form := url.Values{
		"grant_type": {defaultGrantType},
		"assertion":  {assertion},
	}
	res, err := client.PostForm(js.conf.TokenURL, form)
	if err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	defer res.Body.Close()

	// Bound the read so a hostile or broken endpoint cannot exhaust memory.
	body, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
	if err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	if code := res.StatusCode; code < 200 || code > 299 {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", res.Status, body)
	}

	// Typed view of the fields this function needs from the token response.
	var parsed struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
		IDToken     string `json:"id_token"`
		ExpiresIn   int64  `json:"expires_in"` // relative seconds from now
	}
	if err := json.Unmarshal(body, &parsed); err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}

	// Untyped view of the same body, exposed to callers through Extra.
	// Optional fields are best-effort here, so the decode error is ignored.
	extra := make(map[string]interface{})
	json.Unmarshal(body, &extra)

	tok := (&oauth2.Token{
		AccessToken: parsed.AccessToken,
		TokenType:   parsed.TokenType,
	}).WithExtra(extra)

	if parsed.ExpiresIn > 0 {
		tok.Expiry = time.Now().Add(time.Duration(parsed.ExpiresIn) * time.Second)
	}
	if parsed.IDToken != "" {
		// The id token's exp claim overrides expires_in.
		idClaims, err := jws.Decode(parsed.IDToken)
		if err != nil {
			return nil, fmt.Errorf("oauth2: error decoding JWT token: %v", err)
		}
		tok.Expiry = time.Unix(idClaims.Exp, 0)
	}
	return tok, nil
}
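// Token builds a JWT bearer assertion from the source's config, exchanges it
// at conf.TokenURL using the JWT bearer grant, and returns the resulting
// Token. The decoded JSON response is kept in token.raw.
//
// Expiry is derived from expires_in when present; a non-empty id_token in the
// response overrides it with the id token's exp claim. Errors from the HTTP
// exchange and response decoding are prefixed "oauth2: cannot fetch token".
func (js jwtSource) Token() (*Token, error) {
	pk, err := internal.ParseKey(js.conf.PrivateKey)
	if err != nil {
		return nil, err
	}
	hc, err := contextClient(js.ctx)
	if err != nil {
		return nil, err
	}
	claimSet := &jws.ClaimSet{
		Iss:   js.conf.Email,
		Scope: strings.Join(js.conf.Scopes, " "),
		Aud:   js.conf.TokenURL,
	}
	if subject := js.conf.Subject; subject != "" {
		claimSet.Sub = subject
		// prn is the old name of sub. Keep setting it
		// to be compatible with legacy OAuth 2.0 providers.
		claimSet.Prn = subject
	}
	payload, err := jws.Encode(defaultHeader, claimSet, pk)
	if err != nil {
		return nil, err
	}

	v := url.Values{}
	v.Set("grant_type", defaultGrantType)
	v.Set("assertion", payload)
	resp, err := hc.PostForm(js.conf.TokenURL, v)
	if err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	defer resp.Body.Close()

	// Bound the read so a hostile or broken endpoint cannot exhaust memory.
	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	if c := resp.StatusCode; c < 200 || c > 299 {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
	}

	b := make(map[string]interface{})
	if err := json.Unmarshal(body, &b); err != nil {
		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
	}
	token := &Token{}
	token.AccessToken, _ = b["access_token"].(string)
	token.TokenType, _ = b["token_type"].(string)
	token.raw = b
	// encoding/json decodes JSON numbers into interface{} as float64, so the
	// former `.(int)` assertion never matched: expires_in was silently dropped
	// and Expiry stayed zero, i.e. the token never aged out of caches.
	if e, ok := b["expires_in"].(float64); ok {
		token.Expiry = time.Now().Add(time.Duration(e) * time.Second)
	}
	// The id token's exp claim overrides expires_in. An empty string is
	// treated as absent rather than fed to the decoder as a broken JWT.
	if idtoken, ok := b["id_token"].(string); ok && idtoken != "" {
		claimSet, err := jws.Decode(idtoken)
		if err != nil {
			return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
		}
		token.Expiry = time.Unix(claimSet.Exp, 0)
	}
	return token, nil
}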