diff options
Diffstat (limited to 'vendor/golang.org/x/oauth2/google/jwt.go')
-rw-r--r-- | vendor/golang.org/x/oauth2/google/jwt.go | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/vendor/golang.org/x/oauth2/google/jwt.go b/vendor/golang.org/x/oauth2/google/jwt.go new file mode 100644 index 0000000..b0fdb3a --- /dev/null +++ b/vendor/golang.org/x/oauth2/google/jwt.go | |||
@@ -0,0 +1,74 @@ | |||
1 | // Copyright 2015 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package google | ||
6 | |||
7 | import ( | ||
8 | "crypto/rsa" | ||
9 | "fmt" | ||
10 | "time" | ||
11 | |||
12 | "golang.org/x/oauth2" | ||
13 | "golang.org/x/oauth2/internal" | ||
14 | "golang.org/x/oauth2/jws" | ||
15 | ) | ||
16 | |||
17 | // JWTAccessTokenSourceFromJSON uses a Google Developers service account JSON | ||
18 | // key file to read the credentials that authorize and authenticate the | ||
19 | // requests, and returns a TokenSource that does not use any OAuth2 flow but | ||
20 | // instead creates a JWT and sends that as the access token. | ||
21 | // The audience is typically a URL that specifies the scope of the credentials. | ||
22 | // | ||
23 | // Note that this is not a standard OAuth flow, but rather an | ||
24 | // optimization supported by a few Google services. | ||
25 | // Unless you know otherwise, you should use JWTConfigFromJSON instead. | ||
26 | func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.TokenSource, error) { | ||
27 | cfg, err := JWTConfigFromJSON(jsonKey) | ||
28 | if err != nil { | ||
29 | return nil, fmt.Errorf("google: could not parse JSON key: %v", err) | ||
30 | } | ||
31 | pk, err := internal.ParseKey(cfg.PrivateKey) | ||
32 | if err != nil { | ||
33 | return nil, fmt.Errorf("google: could not parse key: %v", err) | ||
34 | } | ||
35 | ts := &jwtAccessTokenSource{ | ||
36 | email: cfg.Email, | ||
37 | audience: audience, | ||
38 | pk: pk, | ||
39 | pkID: cfg.PrivateKeyID, | ||
40 | } | ||
41 | tok, err := ts.Token() | ||
42 | if err != nil { | ||
43 | return nil, err | ||
44 | } | ||
45 | return oauth2.ReuseTokenSource(tok, ts), nil | ||
46 | } | ||
47 | |||
48 | type jwtAccessTokenSource struct { | ||
49 | email, audience string | ||
50 | pk *rsa.PrivateKey | ||
51 | pkID string | ||
52 | } | ||
53 | |||
54 | func (ts *jwtAccessTokenSource) Token() (*oauth2.Token, error) { | ||
55 | iat := time.Now() | ||
56 | exp := iat.Add(time.Hour) | ||
57 | cs := &jws.ClaimSet{ | ||
58 | Iss: ts.email, | ||
59 | Sub: ts.email, | ||
60 | Aud: ts.audience, | ||
61 | Iat: iat.Unix(), | ||
62 | Exp: exp.Unix(), | ||
63 | } | ||
64 | hdr := &jws.Header{ | ||
65 | Algorithm: "RS256", | ||
66 | Typ: "JWT", | ||
67 | KeyID: string(ts.pkID), | ||
68 | } | ||
69 | msg, err := jws.Encode(hdr, cs, ts.pk) | ||
70 | if err != nil { | ||
71 | return nil, fmt.Errorf("google: could not encode JWT: %v", err) | ||
72 | } | ||
73 | return &oauth2.Token{AccessToken: msg, TokenType: "Bearer", Expiry: exp}, nil | ||
74 | } | ||