Skip to content

x/oauth2/clientcredentials: Refresh token is never used #66620

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lukawaay opened this issue Mar 30, 2024 · 4 comments
Open

x/oauth2/clientcredentials: Refresh token is never used #66620

lukawaay opened this issue Mar 30, 2024 · 4 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unreleased

Comments

@lukawaay
Copy link

lukawaay commented Mar 30, 2024
edited
Loading

Go version

go version go1.22.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/luka/.cache/go-build'
GOENV='/home/luka/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/luka/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/luka/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.0'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1339062877=/tmp/go-build -gno-record-gcc-switches'

What did you do?

  • Create TokenSource by calling TokenSource on a clientcredentials.Config
  • Ask for a new token after a previously acquired one has expired

What did you see happen?

The function requests an entirely new token with grant_type=client_credentials, even if a refresh token is available to use.

The SoundCloud API has a strict rate limit of 50 tokens every 12 hours for an app, which is why I ran into this problem: https://developers.soundcloud.com/docs/api/guide#authentication

What did you expect to see?

The function uses the previously acquired refresh token to get a new token, which is the behavior of x/oauth2
@gopherbot gopherbot added this to the Unreleased milestone Mar 30, 2024
@seankhliao
Copy link
Member

the TokenSource creates an oauth2.Token https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.18.0:clientcredentials/clientcredentials.go;l=117-123
So it should have default behavior?

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 31, 2024
@lukawaay
Copy link
Author

the TokenSource creates an oauth2.Token https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.18.0:clientcredentials/clientcredentials.go;l=117-123 So it should have default behavior?

The code that actually sends the HTTP request for the new token is handled in whatever struct implements the oauth2.TokenSource interface. Here's the implementation in the regular oauth2 package: https://cs.opensource.google/go/x/oauth2/+/master:oauth2.go;l=280
You can see it giving a "grant_type" of "refresh_token".
Here's the implementation within the clientcredentials package: https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.18.0:clientcredentials/clientcredentials.go;l=110
No reference is made to a "grant_type" that could cause that line of code to do the correct thing. The only place in the codebase that asks for a refresh token is the implementation of the oauth2.TokenSource interface in oauth2.tokenRefresher.

@lukawaay
Copy link
Author

The refresh code for the clientcredentials implementation will only ever give a "grant_type" of "client_credentials": https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.18.0:clientcredentials/clientcredentials.go;l=96

@lukawaay
Copy link
Author

lukawaay commented Apr 1, 2024

Another observation: The API for acquiring a token is different between oauth2 and oauth2.credentials. The former uses this:
https://pkg.go.dev/golang.org/x/oauth2#Config.TokenSource
You take an existing token that you're already acquired, and you create a TokenSource from it that will refresh that already acquired token when needed.

The latter, on the other hand, uses this:
https://pkg.go.dev/golang.org/x/oauth2@v0.18.0/clientcredentials#Config.TokenSource
The TokenSource is generated from a config, not from an already-existing token.

The benefit of the way oauth2 does it is that it allows for persistent caching. Since you supply the initial token, you can get that token from anywhere. You could get it from the HTTP API provided by the server, but you could also have it stored in a database or something and retrieve it from there. The interface provided by oauth2.clientcredentials makes it impossible to do persistent caching. When the program restarts, it must get an entirely new token with a "grant_type" of "client_credentials", and that wouldn't change through this issue being resolved without an API change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@gopherbot @seankhliao @lukawaay