Add id_token refresh to Google provider (#83)

This commit is contained in:
Gabor Lekeny 2019-03-05 15:07:10 +01:00 committed by Joel Speed
parent 8816a2a972
commit eacba4ec7d
2 changed files with 7 additions and 3 deletions


@ -4,6 +4,7 @@
- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
- [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery - [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery
- [#83](https://github.com/pusher/oauth2_proxy/pull/83) Add `id_token` refresh to Google provider (@leki75)
# v3.1.0 # v3.1.0


@ -16,7 +16,7 @@ import (
"golang.org/x/oauth2" "golang.org/x/oauth2"
"golang.org/x/oauth2/google" "golang.org/x/oauth2/google"
"google.golang.org/api/admin/directory/v1" admin "google.golang.org/api/admin/directory/v1"
"google.golang.org/api/googleapi" "google.golang.org/api/googleapi"
) )
@ -260,7 +260,7 @@ func (p *GoogleProvider) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
return false, nil return false, nil
} }
newToken, duration, err := p.redeemRefreshToken(s.RefreshToken) newToken, newIDToken, duration, err := p.redeemRefreshToken(s.RefreshToken)
if err != nil { if err != nil {
return false, err return false, err
} }
@ -272,12 +272,13 @@ func (p *GoogleProvider) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
origExpiration := s.ExpiresOn origExpiration := s.ExpiresOn
s.AccessToken = newToken s.AccessToken = newToken
s.IDToken = newIDToken
s.ExpiresOn = time.Now().Add(duration).Truncate(time.Second) s.ExpiresOn = time.Now().Add(duration).Truncate(time.Second)
log.Printf("refreshed access token %s (expired on %s)", s, origExpiration) log.Printf("refreshed access token %s (expired on %s)", s, origExpiration)
return true, nil return true, nil
} }
func (p *GoogleProvider) redeemRefreshToken(refreshToken string) (token string, expires time.Duration, err error) { func (p *GoogleProvider) redeemRefreshToken(refreshToken string) (token string, idToken string, expires time.Duration, err error) {
// https://developers.google.com/identity/protocols/OAuth2WebServer#refresh // https://developers.google.com/identity/protocols/OAuth2WebServer#refresh
params := url.Values{} params := url.Values{}
params.Add("client_id", p.ClientID) params.Add("client_id", p.ClientID)
@ -310,12 +311,14 @@ func (p *GoogleProvider) redeemRefreshToken(refreshToken string) (token string,
var data struct { var data struct {
AccessToken string `json:"access_token"` AccessToken string `json:"access_token"`
ExpiresIn int64 `json:"expires_in"` ExpiresIn int64 `json:"expires_in"`
IDToken string `json:"id_token"`
} }
err = json.Unmarshal(body, &data) err = json.Unmarshal(body, &data)
if err != nil { if err != nil {
return return
} }
token = data.AccessToken token = data.AccessToken
idToken = data.IDToken
expires = time.Duration(data.ExpiresIn) * time.Second expires = time.Duration(data.ExpiresIn) * time.Second
return return
} }
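Review bot: `s.IDToken = newIDToken` in the RefreshSessionIfNeeded hunk overwrites the session's ID token unconditionally, so a refresh response that carries no `id_token` member leaves `data.IDToken` as "" (see the new `IDToken string \`json:"id_token"\`` field) and clobbers a previously valid token with an empty string. As I understand Google's refresh endpoint, `id_token` is only returned when an OpenID scope was granted, so the assignment should be guarded: `if newIDToken != "" { s.IDToken = newIDToken }`. The refreshed token is stored without any signature or claim check; that is presumably acceptable because it comes straight from the token endpoint over TLS using the client secret, but it deserves a comment on redeemRefreshToken such as `// idToken is copied from the token endpoint response as-is and is not verified here.` RefreshSessionIfNeeded begins before its hunk, and redeemRefreshToken's body is split across the last two hunks.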