feat: added updated google endpoints so id token has full profile info

Signed-off-by: Drew Foehn <drew@pixelburn.net>

CHANGELOG.md

@@ -11,6 +11,7 @@
 - [#3228](https://github.com/oauth2-proxy/oauth2-proxy/pull/3228) fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
 - [#3244](https://github.com/oauth2-proxy/oauth2-proxy/pull/3244) chore(deps): upgrade to latest go1.25.3 (@tuunit)
 - [#3238](https://github.com/oauth2-proxy/oauth2-proxy/pull/3238) chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
+- [#3236](https://github.com/oauth2-proxy/oauth2-proxy/pull/3236) Updated the Google Provider's token endpoint to match Google OIDC's token endpoint. As listed in https://accounts.google.com/.well-known/openid-configuration this token endpoint provides additional claims in the id token such as profile photo and full name (@pixeldrew)
 
 # V7.12.0
 

providers/google.go

@@ -67,19 +67,26 @@ var (
 	}
 
 	// Default Redeem URL for Google.
-	// Pre-parsed URL of https://www.googleapis.com/oauth2/v3/token.
+	// pulled from https://accounts.google.com/.well-known/openid-configuration
 	googleDefaultRedeemURL = &url.URL{
 		Scheme: "https",
-		Host:   "www.googleapis.com",
-		Path:   "/oauth2/v3/token",
+		Host:   "oauth2.googleapis.com",
+		Path:   "/token",
 	}
 
 	// Default Validation URL for Google.
-	// Pre-parsed URL of https://www.googleapis.com/oauth2/v1/tokeninfo.
+	// https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint
 	googleDefaultValidateURL = &url.URL{
 		Scheme: "https",
-		Host:   "www.googleapis.com",
-		Path:   "/oauth2/v1/tokeninfo",
+		Host:   "oauth2.googleapis.com",
+		Path:   "/tokeninfo",
+	}
+
+	// pulled from https://openidconnect.googleapis.com/v1/userinfo
+	googleDefaultProfileURL = &url.URL{
+		Scheme: "https",
+		Host:   "openidconnect.googleapis.com",
+		Path:   "/v1/userinfo",
 	}
 )
 
@@ -89,7 +96,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 		name:        googleProviderName,
 		loginURL:    googleDefaultLoginURL,
 		redeemURL:   googleDefaultRedeemURL,
-		profileURL:  nil,
+		profileURL:  googleDefaultProfileURL,
 		validateURL: googleDefaultValidateURL,
 		scope:       googleDefaultScope,
 	})

providers/google_test.go

@@ -51,9 +51,9 @@ func TestNewGoogleProvider(t *testing.T) {
 
 	g.Expect(providerData.ProviderName).To(Equal("Google"))
 	g.Expect(providerData.LoginURL.String()).To(Equal("https://accounts.google.com/o/oauth2/auth?access_type=offline"))
-	g.Expect(providerData.RedeemURL.String()).To(Equal("https://www.googleapis.com/oauth2/v3/token"))
-	g.Expect(providerData.ProfileURL.String()).To(Equal(""))
-	g.Expect(providerData.ValidateURL.String()).To(Equal("https://www.googleapis.com/oauth2/v1/tokeninfo"))
+	g.Expect(providerData.RedeemURL.String()).To(Equal("https://oauth2.googleapis.com/token"))
+	g.Expect(providerData.ProfileURL.String()).To(Equal("https://openidconnect.googleapis.com/v1/userinfo"))
+	g.Expect(providerData.ValidateURL.String()).To(Equal("https://oauth2.googleapis.com/tokeninfo"))
 	g.Expect(providerData.Scope).To(Equal("profile email"))
 }