Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: migrate token info API to not pass token in query string #991

Merged
merged 5 commits into from
Aug 5, 2020
Merged

fix: migrate token info API to not pass token in query string #991

merged 5 commits into from
Aug 5, 2020

Conversation

bojeil-google
Copy link
Contributor

Google APIs will stop accepting requests that pass OAuth tokens on the query string from June 1, 2021.
To align with security best practices, we should not pass the token in the query string when calling tokeninfo endpoint.
This also follows the gcloud samples code: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token?hl=en

curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo

@bojeil-google
fix: migrate token info API to not pass token in query string
6cd45c7 
Google APIs will stop accepting requests that pass OAuth tokens on the query string from June 1, 2021.
To align with security best practices, we should not pass the token in the query string when calling tokeninfo endpoint.
This also follows the gcloud samples code: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token?hl=en

`curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo`
@bojeil-google bojeil-google requested a review from a team as a code owner July 7, 2020 02:33
@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Jul 7, 2020
@codecov
Copy link

codecov bot commented Jul 7, 2020
edited

Codecov Report

Merging #991 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #991   +/-   ##
=======================================
  Coverage   91.51%   91.52%           
=======================================
  Files          21       21           
  Lines        4090     4093    +3     
  Branches      488      488           
=======================================
+ Hits         3743     3746    +3     
  Misses        347      347
Impacted Files Coverage Δ
src/auth/oauth2client.ts 96.30% <100.00%> (+<0.01%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e2e840c...f59db43. Read the comment docs.

JustinBeckwith
JustinBeckwith reviewed Jul 7, 2020
View reviewed changes
Copy link
Contributor

@JustinBeckwith JustinBeckwith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing this! I want to double check on the correct token Url internally, and make sure we have a public doc somewhere that has the "true" answer 😆

src/auth/oauth2client.ts Outdated Show resolved Hide resolved
src/auth/oauth2client.ts Show resolved Hide resolved
@sofisl sofisl removed their assignment Jul 8, 2020
@sofisl sofisl changed the title fix: migrate token info API to not pass token in query string typeo Jul 9, 2020
@sofisl sofisl changed the title typeo fix: migrate token info API to not pass token in query string Jul 9, 2020
@JustinBeckwith JustinBeckwith added the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Jul 11, 2020
@bojeil-google
fix: reverts back to https://oauth2.googleapis.com/tokeninfo
4b225d4 
This endpoint now supports POST requests.
@JustinBeckwith JustinBeckwith removed the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Jul 22, 2020
bcoe
bcoe approved these changes Jul 30, 2020
View reviewed changes
Copy link
Contributor

@bcoe bcoe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I think we should be careful about the rollout, but this looks good to me.

@bcoe bcoe added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Aug 5, 2020
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Aug 5, 2020
@bcoe bcoe merged commit a7e5701 into googleapis:master Aug 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcoe bcoe bcoe approved these changes

@JustinBeckwith JustinBeckwith JustinBeckwith approved these changes

Assignees
No one assigned
Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@bojeil-google @bcoe @JustinBeckwith @googlebot @yoshi-kokoro @sofisl