From 131ad2280e323ef370d54f5c2564f05877317dc6 Mon Sep 17 00:00:00 2001
From: Drew Foehn
Date: Sun, 19 Oct 2025 21:24:54 -0400
Subject: [PATCH] feat: added updated google endpoints so id token has full profile info

Signed-off-by: Drew Foehn
---
 CHANGELOG.md             |  1 +
 providers/google.go      | 21 ++++++++++++++-------
 providers/google_test.go |  6 +++---
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e014aee3..d1e67d29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - [#3228](https://github.com/oauth2-proxy/oauth2-proxy/pull/3228) fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
 - [#3244](https://github.com/oauth2-proxy/oauth2-proxy/pull/3244) chore(deps): upgrade to latest go1.25.3 (@tuunit)
 - [#3238](https://github.com/oauth2-proxy/oauth2-proxy/pull/3238) chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
+- [#3236](https://github.com/oauth2-proxy/oauth2-proxy/pull/3236) Updated the Google Provider's token endpoint to match Google OIDC's token endpoint. As listed in https://accounts.google.com/.well-known/openid-configuration this token endpoint provides additional claims in the id token such as profile photo and full name (@pixeldrew)
 # V7.12.0
diff --git a/providers/google.go b/providers/google.go
index 097e3567..33d80eb4 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -67,19 +67,26 @@ var (
 }
 // Default Redeem URL for Google.
- // Pre-parsed URL of https://www.googleapis.com/oauth2/v3/token.
+ // pulled from https://accounts.google.com/.well-known/openid-configuration
 googleDefaultRedeemURL = &url.URL{
 Scheme: "https",
- Host: "www.googleapis.com",
- Path: "/oauth2/v3/token",
+ Host: "oauth2.googleapis.com",
+ Path: "/token",
 }
 // Default Validation URL for Google.
- // Pre-parsed URL of https://www.googleapis.com/oauth2/v1/tokeninfo.
+ // https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint
 googleDefaultValidateURL = &url.URL{
 Scheme: "https",
- Host: "www.googleapis.com",
- Path: "/oauth2/v1/tokeninfo",
+ Host: "oauth2.googleapis.com",
+ Path: "/tokeninfo",
+ }
+
+ // pulled from https://openidconnect.googleapis.com/v1/userinfo
+ googleDefaultProfileURL = &url.URL{
+ Scheme: "https",
+ Host: "openidconnect.googleapis.com",
+ Path: "/v1/userinfo",
 }
 )
@@ -89,7 +96,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 name: googleProviderName,
 loginURL: googleDefaultLoginURL,
 redeemURL: googleDefaultRedeemURL,
- profileURL: nil,
+ profileURL: googleDefaultProfileURL,
 validateURL: googleDefaultValidateURL,
 scope: googleDefaultScope,
 })
diff --git a/providers/google_test.go b/providers/google_test.go
index dc061203..f4c7b515 100644
--- a/providers/google_test.go
+++ b/providers/google_test.go
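Review bot: The comment on the new googleDefaultProfileURL, `// pulled from https://openidconnect.googleapis.com/v1/userinfo`, only restates the value, and the three defaults now cite three different sources (the OIDC discovery document, an Android backend-auth page, and the URL itself) even though all three endpoints are published in https://accounts.google.com/.well-known/openid-configuration; I would cite the discovery document on each and make the new one `// Default Profile (userinfo) URL for Google: the userinfo_endpoint from the OIDC discovery document.`. Separately, moving validation from `/oauth2/v1/tokeninfo` to `/tokeninfo` changes the response body (the v1 fields `user_id`/`verified_email` become `sub`/`email_verified`), which is harmless only if the validator checks nothing but the status code — that code is outside this hunk, so it should be confirmed. Likewise profileURL goes from nil to a live endpoint in NewGoogleProvider (whose body continues past the hunk); if any shared provider code treats a non-nil profileURL as a signal to call /userinfo, this adds an outbound request per session that neither the commit message nor the changelog entry mentions.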
@@ -51,9 +51,9 @@ func TestNewGoogleProvider(t *testing.T) {
 g.Expect(providerData.ProviderName).To(Equal("Google"))
 g.Expect(providerData.LoginURL.String()).To(Equal("https://accounts.google.com/o/oauth2/auth?access_type=offline"))
- g.Expect(providerData.RedeemURL.String()).To(Equal("https://www.googleapis.com/oauth2/v3/token"))
- g.Expect(providerData.ProfileURL.String()).To(Equal(""))
- g.Expect(providerData.ValidateURL.String()).To(Equal("https://www.googleapis.com/oauth2/v1/tokeninfo"))
+ g.Expect(providerData.RedeemURL.String()).To(Equal("https://oauth2.googleapis.com/token"))
+ g.Expect(providerData.ProfileURL.String()).To(Equal("https://openidconnect.googleapis.com/v1/userinfo"))
+ g.Expect(providerData.ValidateURL.String()).To(Equal("https://oauth2.googleapis.com/tokeninfo"))
 g.Expect(providerData.Scope).To(Equal("profile email"))
 }
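Review bot: The updated assertions only pin the three new endpoint strings, so nothing in this test covers the behaviour the commit exists for — that the session ends up carrying the profile claims (name, picture) the new token endpoint is said to put in the ID token. If the provider maps those claims into the session (that code is not visible here), a Redeem test against a stubbed token server whose id_token carries `name` and `picture`, asserting they appear on the returned session, would guard the actual change rather than the constants. TestNewGoogleProvider starts before this hunk; only its tail is shown.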