fix: migrate token info API to not pass token in query string #991
Conversation
Google APIs will stop accepting requests that pass OAuth tokens on the query string from June 1, 2021. To align with security best practices, we should not pass the token in the query string when calling the tokeninfo endpoint.

This also follows the gcloud samples code: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token?hl=en

```
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo
```
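The change the description asks for, as an added example that is not code from this PR or from the library: the legacy GET call that puts the token in the query string next to the POST form-body call that the curl command above uses, plus a check that shows why it matters (a simulated access-log line that records path and query but not the body). The function names and the sample token are constructed for this example; only the tokeninfo URL comes from the description.

```javascript
// Added example, not the project's own code. The endpoint URL is the one
// from the PR description; function names and the token value are made up.
const TOKEN_INFO_URL = 'https://www.googleapis.com/oauth2/v1/tokeninfo';

// "Before": the access token rides in the query string, so it ends up in
// proxy and server access logs, browser history and Referer headers.
function buildTokenInfoRequestLegacy(accessToken) {
  const url = new URL(TOKEN_INFO_URL);
  url.searchParams.set('access_token', accessToken);
  return { method: 'GET', url: url.toString(), headers: {}, body: null };
}

// "After": POST with an application/x-www-form-urlencoded body, matching the
// curl command in the description. The token is never part of the URL.
function buildTokenInfoRequest(accessToken) {
  const body = new URLSearchParams({ access_token: accessToken }).toString();
  return {
    method: 'POST',
    url: TOKEN_INFO_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// Simulates the request line an intermediary writes to its access log:
// method, path and query string only. Request bodies are normally not logged.
function accessLogLine(request) {
  const u = new URL(request.url);
  return `"${request.method} ${u.pathname}${u.search} HTTP/1.1"`;
}

// True if the secret would be visible in that logged request line.
function secretLeaksViaLog(request, secret) {
  return accessLogLine(request).includes(secret);
}

// Sends the hardened request with the global fetch available in Node 18+
// (assumption: a runtime that provides fetch). Not called in this example.
async function fetchTokenInfo(accessToken) {
  const req = buildTokenInfoRequest(accessToken);
  const res = await fetch(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  return res.json();
}
```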
Codecov Report
```
@@            Coverage Diff            @@
##           master     #991     +/-   ##
=========================================
  Coverage   91.51%   91.52%
=========================================
  Files          21       21
  Lines        4090     4093      +3
  Branches      488      488
=========================================
+ Hits         3743     3746      +3
  Misses        347      347
```
Continue to review full report at Codecov.
Thanks for doing this! I want to double-check on the correct token URL internally, and make sure we have a public doc somewhere that has the "true" answer 😆
This endpoint now supports POST requests.
👍 I think we should be careful about the rollout, but this looks good to me.