Replace sgauth with official oauth2 library (#117)

go.mod

@@ -3,14 +3,13 @@ module github.com/google/oauth2l
 go 1.13
 
 require (
-	cloud.google.com/go v0.48.0
-	github.com/golang/protobuf v1.3.2
+	cloud.google.com/go v0.65.0 // indirect
+	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/jessevdk/go-flags v1.4.0
-	github.com/wora/protorpc v0.0.0-20180730014223-ae9256a051d8
-	golang.org/x/net v0.0.0-20191112182307-2180aed22343
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/sys v0.0.0-20191113165036-4c7a9d0fe056 // indirect
-	google.golang.org/appengine v1.6.5
-	google.golang.org/genproto v0.0.0-20191114150713-6bbd007550de
-	google.golang.org/grpc v1.25.1
+	github.com/wora/protorpc v0.0.0-20180730014223-ae9256a051d8 // indirect
+	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
+	golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c
+	google.golang.org/appengine v1.6.6 // indirect
+	google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect
+	google.golang.org/grpc v1.31.0 // indirect
 )

integration/golden/curl-3lo.golden

@@ -2,5 +2,5 @@ Go to the following link in your browser:
 
    https://accounts.google.com/o/oauth2/auth?client_id=144169.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fpubsub&state=state
 
-Enter verification code: 
+Enter authorization code:
 {}

integration/golden/fetch-3lo-openid.golden

@@ -2,5 +2,5 @@ Go to the following link in your browser:
 
    https://accounts.google.com/o/oauth2/auth?client_id=144169.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+profile+email&state=state
 
-Enter verification code: 
+Enter authorization code:
 ya29.GltDB_y4Oz8lVB5diZu9YVMgHuXoSVBXx6jt7WU9n8IaXk63RejERFtx2LfrH-VL51CbaAxKsC8EoMZXg50h2QvOcUQ-YZTvFnKtIJpLj_Zj68M56_VagXpZkZd7

integration/golden/fetch-3lo-refresh-token.golden

@@ -2,5 +2,5 @@ Go to the following link in your browser:
 
    https://accounts.google.com/o/oauth2/auth?client_id=144169.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fpubsub&state=state
 
-Enter verification code: 
+Enter authorization code:
 {"client_id":"144169.apps.googleusercontent.com","client_secret":"awesomesecret","token_uri":"http://localhost:8080/token","auth_uri":"https://accounts.google.com/o/oauth2/auth","refresh_token":"1/q8uQkblGs0Zzpe1LtpDtBLKsyf_NlEnPOxo1DcTR27U","type":"authorized_user"}

integration/golden/fetch-3lo-userinfo.golden

@@ -2,5 +2,5 @@ Go to the following link in your browser:
 
    https://accounts.google.com/o/oauth2/auth?client_id=144169.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=state
 
-Enter verification code: 
+Enter authorization code:
 ya29.GltDB_y4Oz8lVB5diZu9YVMgHuXoSVBXx6jt7WU9n8IaXk63RejERFtx2LfrH-VL51CbaAxKsC8EoMZXg50h2QvOcUQ-YZTvFnKtIJpLj_Zj68M56_VagXpZkZd7

integration/golden/fetch-3lo.golden

@@ -2,5 +2,5 @@ Go to the following link in your browser:
 
    https://accounts.google.com/o/oauth2/auth?client_id=144169.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fpubsub&state=state
 
-Enter verification code: 
+Enter authorization code:
 ya29.GltDB_y4Oz8lVB5diZu9YVMgHuXoSVBXx6jt7WU9n8IaXk63RejERFtx2LfrH-VL51CbaAxKsC8EoMZXg50h2QvOcUQ-YZTvFnKtIJpLj_Zj68M56_VagXpZkZd7

integration/golden/fetch-sts.golden

@@ -1 +1 @@
-{"issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer"}
+{"expiry":"0001-01-01T00:00:00Z","issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer"}

integration/golden/header-3lo.golden

@@ -2,5 +2,5 @@ Go to the following link in your browser:
 
    https://accounts.google.com/o/oauth2/auth?client_id=144169.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fpubsub&state=state
 
-Enter verification code: 
+Enter authorization code:
 Authorization: Bearer ya29.GltDB_y4Oz8lVB5diZu9YVMgHuXoSVBXx6jt7WU9n8IaXk63RejERFtx2LfrH-VL51CbaAxKsC8EoMZXg50h2QvOcUQ-YZTvFnKtIJpLj_Zj68M56_VagXpZkZd7

main.go

@@ -21,14 +21,18 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/google/oauth2l/sgauth"
 	"github.com/google/oauth2l/util"
 	"github.com/jessevdk/go-flags"
+
+	"golang.org/x/oauth2/authhandler"
 )
 
 const (
 	// Common prefix for google oauth scope
 	scopePrefix = "https://www.googleapis.com/auth/"
+
+	// Default state parameter used for 3LO flow
+	defaultState = "state"
 )
 
 var (
@@ -135,14 +139,19 @@ func readJSON(file string) (string, error) {
 }
 
 // Default 3LO authorization handler. Prints the authorization URL on stdout
-// and reads the verification code from stdin.
-func defaultAuthorizeFlowHandler(authorizeUrl string) (string, error) {
-	// Print the url on console, let user authorize and paste the token back.
-	fmt.Printf("Go to the following link in your browser:\n\n   %s\n\n", authorizeUrl)
-	fmt.Println("Enter verification code: ")
-	var code string
-	fmt.Scanln(&code)
-	return code, nil
+// and reads the authorization code from stdin.
+//
+// Note that the "state" parameter is used to prevent CSRF attacks.
+// For convenience, CmdAuthorizationHandler returns a pre-configured state
+// instead of requiring the user to copy it from the browser.
+func cmdAuthorizationHandler(state string) authhandler.AuthorizationHandler {
+	return func(authCodeURL string) (string, string, error) {
+		fmt.Printf("Go to the following link in your browser:\n\n   %s\n\n", authCodeURL)
+		fmt.Println("Enter authorization code:")
+		var code string
+		fmt.Scanln(&code)
+		return code, state, nil
+	}
 }
 
 // Append Google OAuth scope prefix if not provided and joins
@@ -251,7 +260,7 @@ func main() {
 	cmd := parser.Active.Name
 
 	// Tasks that fetch the access token.
-	fetchTasks := map[string]func(*sgauth.Settings, *util.TaskSettings){
+	fetchTasks := map[string]func(*util.Settings, *util.TaskSettings){
 		"fetch":  util.Fetch,
 		"header": util.Header,
 		"curl":   util.Curl,
@@ -291,7 +300,7 @@ func main() {
 		}
 
 		// Configure GUAC settings based on authType.
-		var settings *sgauth.Settings
+		var settings *util.Settings
 		if authType == "jwt" {
 			json, err := readJSON(credentials)
 			if err != nil {
@@ -312,7 +321,7 @@ func main() {
 
 			// JWT flow requires empty Scope.
 			// Also, JWT currently does not work with STS.
-			settings = &sgauth.Settings{
+			settings = &util.Settings{
 				CredentialsJSON: json,
 				Audience:        audience,
 			}
@@ -336,7 +345,7 @@ func main() {
 			}
 
 			// SSO flow does not use CredentialsJSON
-			settings = &sgauth.Settings{
+			settings = &util.Settings{
 				Email:          email,
 				Scope:          parseScopes(scopes),
 				Audience:       audience,
@@ -360,17 +369,17 @@ func main() {
 			}
 
 			// 3LO or 2LO depending on the credential type.
-			// For 2LO flow OAuthFlowHandler and State are not needed.
-			settings = &sgauth.Settings{
-				CredentialsJSON:  json,
-				Scope:            parseScopes(scopes),
-				OAuthFlowHandler: defaultAuthorizeFlowHandler,
-				State:            "state",
-				Audience:         audience,
-				QuotaProject:     quotaProject,
-				Sts:              sts,
-				ServiceAccount:   serviceAccount,
-        Email:            email,
+			// For 2LO flow AuthHandler and State are not needed.
+			settings = &util.Settings{
+				CredentialsJSON: json,
+				Scope:           parseScopes(scopes),
+				AuthHandler:     cmdAuthorizationHandler(defaultState),
+				State:           defaultState,
+				Audience:        audience,
+				QuotaProject:    quotaProject,
+				Sts:             sts,
+				ServiceAccount:  serviceAccount,
+				Email:           email,
 			}
 		}