google

package
v0.2.113 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 28, 2026 License: Apache-2.0 Imports: 10 Imported by: 1

Documentation

Overview

Package google provides a Google OAuth 2.0 provider implementation.

This package implements the providers.Provider interface for Google's OAuth 2.0 authorization server. It supports:

  • OAuth 2.0 authorization code flow with PKCE
  • Token refresh
  • Token revocation via Google's revocation endpoint
  • User info retrieval via Google's userinfo endpoint

Google provider automatically includes "openid", "email", and "profile" as default scopes. Additional scopes can be requested for access to Google APIs like Gmail, Drive, Calendar, etc.

Example usage:

provider, err := google.NewProvider(&google.Config{
    ClientID:     os.Getenv("GOOGLE_CLIENT_ID"),
    ClientSecret: os.Getenv("GOOGLE_CLIENT_SECRET"),
    RedirectURL:  "http://localhost:8080/oauth/callback",
    Scopes: []string{
        "openid", "email", "profile",
        "https://www.googleapis.com/auth/gmail.readonly",
    },
})
if err != nil {
    log.Fatal(err)
}

The provider validates tokens by calling Google's userinfo endpoint and returns user information including email, name, and profile picture.

Package google implements the OAuth provider interface for Google OAuth 2.0. It supports user authentication, token exchange, and access to Google APIs.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	ClientID       string
	ClientSecret   string
	RedirectURL    string
	Scopes         []string
	HTTPClient     *http.Client  // Optional custom HTTP client
	RequestTimeout time.Duration // Timeout for provider API calls (default: 30s)

	// ForceConsent forces the consent screen on every authorization.
	// This ensures a refresh token is always returned by Google.
	// Google only sends refresh tokens on the first consent, so without this
	// option, subsequent authorizations will not include a refresh token.
	// Default: true (recommended for server applications that need refresh tokens)
	//
	// Set to false only if you don't need refresh tokens or prefer fewer consent prompts.
	// See: https://developers.google.com/identity/protocols/oauth2/web-server#offline
	ForceConsent *bool
}

Config holds Google OAuth configuration

type Provider

type Provider struct {
	*oauth2.Config
	// contains filtered or unexported fields
}

Provider implements the providers.Provider interface for Google OAuth. Embeds oauth2.Config directly to avoid duplication.

func NewProvider

func NewProvider(cfg *Config) (*Provider, error)

NewProvider creates a new Google OAuth provider

func (*Provider) AuthorizationURL

func (p *Provider) AuthorizationURL(state string, codeChallenge string, codeChallengeMethod string, scopes []string, authOpts *providers.AuthorizationURLOptions) string

AuthorizationURL generates the Google OAuth authorization URL with optional PKCE. Supports OAuth 2.1 defense-in-depth. See SECURITY_ARCHITECTURE.md for details. If scopes is empty, the provider's default configured scopes are used. opts contains optional OIDC parameters like prompt, login_hint, max_age (nil for defaults).

func (*Provider) DefaultScopes added in v0.1.37

func (p *Provider) DefaultScopes() []string

DefaultScopes returns the provider's configured default scopes. Returns a deep copy to prevent external modification.

func (*Provider) ExchangeCode

func (p *Provider) ExchangeCode(ctx context.Context, code string, verifier string) (*oauth2.Token, error)

ExchangeCode exchanges an authorization code for tokens with optional PKCE verification. Returns standard oauth2.Token. See SECURITY_ARCHITECTURE.md for security model details.

func (*Provider) HealthCheck added in v0.1.24

func (p *Provider) HealthCheck(ctx context.Context) error

HealthCheck verifies that Google's OAuth endpoints are reachable. It performs a lightweight check by fetching the OpenID Connect discovery document. Uses the provided context for timeout and cancellation. If context has no deadline, uses provider's default request timeout.

Security Considerations:

  • This method is designed for server-side health monitoring (k8s probes, monitoring systems)
  • DO NOT expose the returned error messages directly to untrusted clients
  • Error messages may contain HTTP status codes that could leak provider state information
  • For public health endpoints, return generic "healthy/unhealthy" status only

Recommended usage:

// Internal monitoring - detailed errors OK
if err := provider.HealthCheck(ctx); err != nil {
    log.Error("Provider health check failed", "error", err)
    return http.StatusInternalServerError
}

// Public endpoint - hide error details
if err := provider.HealthCheck(ctx); err != nil {
    w.WriteHeader(http.StatusServiceUnavailable)
    json.NewEncoder(w).Encode(map[string]string{"status": "unhealthy"})
    return
}

func (*Provider) IssuerURL added in v0.2.39

func (p *Provider) IssuerURL() string

IssuerURL returns Google's issuer URL for JWT validation.

func (*Provider) JWKSURI added in v0.2.39

func (p *Provider) JWKSURI(_ context.Context) (string, error)

JWKSURI returns Google's JWKS URI for JWT signature verification. This implements the JWKSProvider interface for SSO token forwarding.

Note: The context parameter is unused for Google because the JWKS URI is a static well-known endpoint. Other providers (like Dex) use the context for OIDC discovery which may involve network calls.

func (*Provider) Name

func (p *Provider) Name() string

Name returns the provider name

func (*Provider) RefreshToken

func (p *Provider) RefreshToken(ctx context.Context, refreshToken string) (*oauth2.Token, error)

RefreshToken refreshes an expired token Returns standard oauth2.Token directly

func (*Provider) RevokeToken

func (p *Provider) RevokeToken(ctx context.Context, token string) error

RevokeToken revokes a token at Google's revocation endpoint

func (*Provider) ValidateToken

func (p *Provider) ValidateToken(ctx context.Context, accessToken string) (*providers.UserInfo, error)

ValidateToken validates an access token by calling Google's userinfo endpoint

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL