Documentation
¶
Overview ¶
Package google provides a Google OAuth 2.0 provider implementation.
This package implements the providers.Provider interface for Google's OAuth 2.0 authorization server. It supports:
- OAuth 2.0 authorization code flow with PKCE
- Token refresh
- Token revocation via Google's revocation endpoint
- User info retrieval via Google's userinfo endpoint
Google provider automatically includes "openid", "email", and "profile" as default scopes. Additional scopes can be requested for access to Google APIs like Gmail, Drive, Calendar, etc.
Example usage:
provider, err := google.NewProvider(&google.Config{
ClientID: os.Getenv("GOOGLE_CLIENT_ID"),
ClientSecret: os.Getenv("GOOGLE_CLIENT_SECRET"),
RedirectURL: "http://localhost:8080/oauth/callback",
Scopes: []string{
"openid", "email", "profile",
"https://www.googleapis.com/auth/gmail.readonly",
},
})
if err != nil {
log.Fatal(err)
}
The provider validates tokens by calling Google's userinfo endpoint and returns user information including email, name, and profile picture.
Package google implements the OAuth provider interface for Google OAuth 2.0. It supports user authentication, token exchange, and access to Google APIs.
Index ¶
- type Config
- type Provider
- func (p *Provider) AuthorizationURL(state string, codeChallenge string, codeChallengeMethod string, ...) string
- func (p *Provider) DefaultScopes() []string
- func (p *Provider) ExchangeCode(ctx context.Context, code string, verifier string) (*oauth2.Token, error)
- func (p *Provider) HealthCheck(ctx context.Context) error
- func (p *Provider) IssuerURL() string
- func (p *Provider) JWKSURI(_ context.Context) (string, error)
- func (p *Provider) Name() string
- func (p *Provider) RefreshToken(ctx context.Context, refreshToken string) (*oauth2.Token, error)
- func (p *Provider) RevokeToken(ctx context.Context, token string) error
- func (p *Provider) ValidateToken(ctx context.Context, accessToken string) (*providers.UserInfo, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
ClientID string
ClientSecret string
RedirectURL string
Scopes []string
HTTPClient *http.Client // Optional custom HTTP client
RequestTimeout time.Duration // Timeout for provider API calls (default: 30s)
// ForceConsent forces the consent screen on every authorization.
// This ensures a refresh token is always returned by Google.
// Google only sends refresh tokens on the first consent, so without this
// option, subsequent authorizations will not include a refresh token.
// Default: true (recommended for server applications that need refresh tokens)
//
// Set to false only if you don't need refresh tokens or prefer fewer consent prompts.
// See: https://developers.google.com/identity/protocols/oauth2/web-server#offline
ForceConsent *bool
}
Config holds Google OAuth configuration
type Provider ¶
Provider implements the providers.Provider interface for Google OAuth. Embeds oauth2.Config directly to avoid duplication.
func NewProvider ¶
NewProvider creates a new Google OAuth provider
func (*Provider) AuthorizationURL ¶
func (p *Provider) AuthorizationURL(state string, codeChallenge string, codeChallengeMethod string, scopes []string, authOpts *providers.AuthorizationURLOptions) string
AuthorizationURL generates the Google OAuth authorization URL with optional PKCE. Supports OAuth 2.1 defense-in-depth. See SECURITY_ARCHITECTURE.md for details. If scopes is empty, the provider's default configured scopes are used. opts contains optional OIDC parameters like prompt, login_hint, max_age (nil for defaults).
func (*Provider) DefaultScopes ¶ added in v0.1.37
DefaultScopes returns the provider's configured default scopes. Returns a deep copy to prevent external modification.
func (*Provider) ExchangeCode ¶
func (p *Provider) ExchangeCode(ctx context.Context, code string, verifier string) (*oauth2.Token, error)
ExchangeCode exchanges an authorization code for tokens with optional PKCE verification. Returns standard oauth2.Token. See SECURITY_ARCHITECTURE.md for security model details.
func (*Provider) HealthCheck ¶ added in v0.1.24
HealthCheck verifies that Google's OAuth endpoints are reachable. It performs a lightweight check by fetching the OpenID Connect discovery document. Uses the provided context for timeout and cancellation. If context has no deadline, uses provider's default request timeout.
Security Considerations:
- This method is designed for server-side health monitoring (k8s probes, monitoring systems)
- DO NOT expose the returned error messages directly to untrusted clients
- Error messages may contain HTTP status codes that could leak provider state information
- For public health endpoints, return generic "healthy/unhealthy" status only
Recommended usage:
// Internal monitoring - detailed errors OK
if err := provider.HealthCheck(ctx); err != nil {
log.Error("Provider health check failed", "error", err)
return http.StatusInternalServerError
}
// Public endpoint - hide error details
if err := provider.HealthCheck(ctx); err != nil {
w.WriteHeader(http.StatusServiceUnavailable)
json.NewEncoder(w).Encode(map[string]string{"status": "unhealthy"})
return
}
func (*Provider) IssuerURL ¶ added in v0.2.39
IssuerURL returns Google's issuer URL for JWT validation.
func (*Provider) JWKSURI ¶ added in v0.2.39
JWKSURI returns Google's JWKS URI for JWT signature verification. This implements the JWKSProvider interface for SSO token forwarding.
Note: The context parameter is unused for Google because the JWKS URI is a static well-known endpoint. Other providers (like Dex) use the context for OIDC discovery which may involve network calls.
func (*Provider) RefreshToken ¶
RefreshToken refreshes an expired token Returns standard oauth2.Token directly
func (*Provider) RevokeToken ¶
RevokeToken revokes a token at Google's revocation endpoint