diff --git a/CHANGELOG.md b/CHANGELOG.md
index e014aee3..d1e67d29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - [#3228](https://github.com/oauth2-proxy/oauth2-proxy/pull/3228) fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
 - [#3244](https://github.com/oauth2-proxy/oauth2-proxy/pull/3244) chore(deps): upgrade to latest go1.25.3 (@tuunit)
 - [#3238](https://github.com/oauth2-proxy/oauth2-proxy/pull/3238) chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
+- [#3236](https://github.com/oauth2-proxy/oauth2-proxy/pull/3236) Updated the Google Provider's token endpoint to match Google OIDC's token endpoint. As listed in https://accounts.google.com/.well-known/openid-configuration this token endpoint provides additional claims in the id token such as profile photo and full name (@pixeldrew)
 
 # V7.12.0
 
diff --git a/providers/google.go b/providers/google.go
index 097e3567..33d80eb4 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -67,19 +67,26 @@ var (
 	}
 
 	// Default Redeem URL for Google.
-	// Pre-parsed URL of https://www.googleapis.com/oauth2/v3/token.
+	// pulled from https://accounts.google.com/.well-known/openid-configuration
 	googleDefaultRedeemURL = &url.URL{
 		Scheme: "https",
-		Host: "www.googleapis.com",
-		Path: "/oauth2/v3/token",
+		Host: "oauth2.googleapis.com",
+		Path: "/token",
 	}
 
 	// Default Validation URL for Google.
-	// Pre-parsed URL of https://www.googleapis.com/oauth2/v1/tokeninfo.
+	// https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint
 	googleDefaultValidateURL = &url.URL{
 		Scheme: "https",
-		Host: "www.googleapis.com",
-		Path: "/oauth2/v1/tokeninfo",
+		Host: "oauth2.googleapis.com",
+		Path: "/tokeninfo",
+	}
+
+	// pulled from https://openidconnect.googleapis.com/v1/userinfo
+	googleDefaultProfileURL = &url.URL{
+		Scheme: "https",
+		Host: "openidconnect.googleapis.com",
+		Path: "/v1/userinfo",
 	}
 )
 
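Review bot: The comment added above googleDefaultProfileURL (`// pulled from https://openidconnect.googleapis.com/v1/userinfo`) only repeats the URL it annotates, and the two comments above it drop the previous `// Pre-parsed URL of …` line that let a reader see the Host/Path pair as a single URL. Suggest keeping that form and naming the discovery field the value was taken from, e.g. `// Pre-parsed URL of https://oauth2.googleapis.com/token (token_endpoint in https://accounts.google.com/.well-known/openid-configuration).` for the redeem URL and `// Pre-parsed URL of https://openidconnect.googleapis.com/v1/userinfo (userinfo_endpoint in the same discovery document).` for the profile URL. The tokeninfo endpoint is not part of the OIDC discovery document, so the validate-URL change rests only on the linked Android backend-auth page; since the test hunk pins only the string, it is worth confirming, and stating in the comment, that this path accepts whatever token form the provider's validation code presumably sends (access token vs id_token) rather than just the id_token case that page describes. The var block continues outside the hunk.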
@@ -89,7 +96,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 		name: googleProviderName,
 		loginURL: googleDefaultLoginURL,
 		redeemURL: googleDefaultRedeemURL,
-		profileURL: nil,
+		profileURL: googleDefaultProfileURL,
 		validateURL: googleDefaultValidateURL,
 		scope: googleDefaultScope,
 	})
diff --git a/providers/google_test.go b/providers/google_test.go
index dc061203..f4c7b515 100644
--- a/providers/google_test.go
+++ b/providers/google_test.go
@@ -51,9 +51,9 @@ func TestNewGoogleProvider(t *testing.T) {
 
 	g.Expect(providerData.ProviderName).To(Equal("Google"))
 	g.Expect(providerData.LoginURL.String()).To(Equal("https://accounts.google.com/o/oauth2/auth?access_type=offline"))
-	g.Expect(providerData.RedeemURL.String()).To(Equal("https://www.googleapis.com/oauth2/v3/token"))
-	g.Expect(providerData.ProfileURL.String()).To(Equal(""))
-	g.Expect(providerData.ValidateURL.String()).To(Equal("https://www.googleapis.com/oauth2/v1/tokeninfo"))
+	g.Expect(providerData.RedeemURL.String()).To(Equal("https://oauth2.googleapis.com/token"))
+	g.Expect(providerData.ProfileURL.String()).To(Equal("https://openidconnect.googleapis.com/v1/userinfo"))
+	g.Expect(providerData.ValidateURL.String()).To(Equal("https://oauth2.googleapis.com/tokeninfo"))
 	g.Expect(providerData.Scope).To(Equal("profile email"))
 }
 
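Review bot: `profileURL: googleDefaultProfileURL` turns a field that was explicitly nil into a live endpoint, and nothing in this commit shows where the Google provider consumes ProfileURL or why a userinfo lookup is now wanted — the changelog entry attributes the extra claims to the token endpoint, not to userinfo. If a shared code path falls back to ProfileURL when the id token lacks an email (I cannot see that from this hunk), this silently adds an outbound call to a second Google host per session; either document the intent on the field, e.g. `profileURL: googleDefaultProfileURL, // userinfo endpoint; only consulted as a fallback when the id token lacks the claims — confirm against callers`, or keep it nil until a consumer needs it. NewGoogleProvider starts and ends outside the hunk.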
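Review bot: The updated assertions pin only the URL strings, so the behavioural part of this change — that `/token`, `/tokeninfo` and `/v1/userinfo` on the new hosts are actually called with the request shape the provider builds — is not covered; a wrong path would still pass. Since the file already tests the provider's defaults, a follow-up case that points RedeemURL/ValidateURL at an httptest server and asserts the request path and query the provider sends would catch that class of regression; at minimum add a comment on the `ProfileURL` expectation noting that userinfo is now enabled by default and why. TestNewGoogleProvider starts outside the hunk.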