Documentation
Overview
Package oauthgoogle implements Google Sign-In via the OAuth 2.0 authorization-code flow with PKCE (RFC 7636), using only the standard library.
Configure the process-wide provider once at startup:
    err := oauthgoogle.Configure(oauthgoogle.Config{
        ClientID:     clientID,
        ClientSecret: clientSecret,
        RedirectURL:  "https://example.com/auth/google/callback",
    })
On the login route, generate a state and PKCE verifier, persist both in transient cookies (see auth/sessions.SetTransientCookie), then redirect:
    state, _ := oauthgoogle.NewState()
    verifier, _ := oauthgoogle.NewVerifier()
    // set transient cookies for state and verifier ...
    oauthgoogle.Current().Start(w, state, verifier)
On the callback route, compare the state query parameter against the cookie, then exchange the code:
    info, err := oauthgoogle.Current().Callback(ctx, code, verifier)
The returned UserInfo carries the stable Google subject and the account email, ready to upsert into the auth/schema oauth_accounts table.
The ID token signature is not verified: the token is received directly from Google's token endpoint over TLS, so per OpenID Connect Core §3.1.3.7 the TLS server validation suffices. Issuer, audience and expiry claims are validated.
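As an added example (not the package's own code), the pieces the flow above relies on, written with only the standard library: a 32-byte base64url token that serves as state or as a 43-character PKCE verifier, the S256 challenge derived from the verifier for the authorization request, and the constant-time state comparison the callback route performs. The function names and the authURL parameter are placeholders, not this package's API.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/url"
	"strings"
)

// newToken draws 32 bytes from the CSPRNG and encodes them as unpadded base64url:
// 43 characters, the minimum RFC 7636 verifier length and the state size used above.
func newToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives the S256 challenge sent with the authorization
// request: BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636 §4.2).
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizationURL builds the login-route redirect target (authURL is a placeholder).
// Only the challenge travels to the provider; the verifier stays in the transient cookie.
func authorizationURL(authURL, clientID, redirectURL, state, verifier string, scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", codeChallengeS256(verifier))
	q.Set("code_challenge_method", "S256")
	return authURL + "?" + q.Encode()
}

// stateMatches is the callback-side check: the state echoed in the query must
// equal the cookie value; empty values are rejected so a missing cookie fails.
func stateMatches(cookieState, queryState string) bool {
	if cookieState == "" || queryState == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(cookieState), []byte(queryState)) == 1
}
```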
Index
Constants
    const ProviderName = "google"
ProviderName is the stable provider string stored in oauth_accounts.provider.
Variables
    var ErrNotAvailable = errors.New("oauth_google_not_available")
ErrNotAvailable is returned while the provider is not configured.
Functions
func Configure (added in v0.1.3)
Configure sets the process-wide Google OAuth provider returned by Current.
func NewState (added in v0.1.3)
NewState returns a random base64url-encoded state value (32 bytes of entropy). Store it in a transient cookie and compare on callback.
func NewVerifier (added in v0.1.3)
NewVerifier returns a random PKCE code verifier (RFC 7636, 43 chars). Store it in a transient cookie and pass it to Start and Callback.
Types
type Config (added in v0.1.3)
    type Config struct {
        // ClientID is the OAuth client ID from the Google Cloud console.
        ClientID string
        // ClientSecret is the OAuth client secret from the Google Cloud console.
        ClientSecret string
        // RedirectURL is the callback URL registered for the OAuth client.
        RedirectURL string
        // Scopes overrides the requested scopes. Defaults to "openid email".
        Scopes []string
        // HTTPClient overrides the client used for the token exchange.
        // Defaults to an http.Client with a 10s timeout.
        HTTPClient *http.Client
        // AuthURL and TokenURL override the Google endpoints, for tests.
        AuthURL string
        TokenURL string
    }
Config configures the Google OAuth provider.
type Provider
    type Provider struct {
        // contains filtered or unexported fields
    }
Provider starts and completes Google OAuth flows.
func New (added in v0.1.3)
New returns a Provider for the given config. ClientID, ClientSecret and RedirectURL are required.