Merge 131ad2280e into 110d51d1d7

2025-10-28 13:42:08 +00:00 · 2025-10-28 13:42:08 +00:00 · 8c8b90bbab
parent 110d51d1d7 131ad2280e
commit 8c8b90bbab
3 changed files with 18 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@
 - [#3228](https://github.com/oauth2-proxy/oauth2-proxy/pull/3228) fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
 - [#3244](https://github.com/oauth2-proxy/oauth2-proxy/pull/3244) chore(deps): upgrade to latest go1.25.3 (@tuunit)
 - [#3238](https://github.com/oauth2-proxy/oauth2-proxy/pull/3238) chore: Replace pkg/clock with narrowly targeted stub clocks (@dsymonds)
 - [#3236](https://github.com/oauth2-proxy/oauth2-proxy/pull/3236) Updated the Google Provider's token endpoint to match Google OIDC's token endpoint. As listed in https://accounts.google.com/.well-known/openid-configuration this token endpoint provides additional claims in the id token such as profile photo and full name (@pixeldrew)
 # V7.12.0
--- a/providers/google.go
+++ b/providers/google.go
@ -67,19 +67,26 @@ var (
 	}
 	// Default Redeem URL for Google.
-	// Pre-parsed URL of https://www.googleapis.com/oauth2/v3/token.
+	// pulled from https://accounts.google.com/.well-known/openid-configuration
 	googleDefaultRedeemURL = &url.URL{
 		Scheme: "https",
-		Host:   "www.googleapis.com",
+		Host:   "oauth2.googleapis.com",
-		Path:   "/oauth2/v3/token",
+		Path:   "/token",
 	}
 	// Default Validation URL for Google.
-	// Pre-parsed URL of https://www.googleapis.com/oauth2/v1/tokeninfo.
+	// https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint
 	googleDefaultValidateURL = &url.URL{
 		Scheme: "https",
-		Host:   "www.googleapis.com",
+		Host:   "oauth2.googleapis.com",
-		Path:   "/oauth2/v1/tokeninfo",
+		Path:   "/tokeninfo",
 	}
 	// pulled from https://openidconnect.googleapis.com/v1/userinfo
 	googleDefaultProfileURL = &url.URL{
 		Scheme: "https",
 		Host:   "openidconnect.googleapis.com",
 		Path:   "/v1/userinfo",
 	}
 )
@ -89,7 +96,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 		name:        googleProviderName,
 		loginURL:    googleDefaultLoginURL,
 		redeemURL:   googleDefaultRedeemURL,
-		profileURL:  nil,
+		profileURL:  googleDefaultProfileURL,
 		validateURL: googleDefaultValidateURL,
 		scope:       googleDefaultScope,
 	})
--- a/providers/google_test.go
+++ b/providers/google_test.go
@ -51,9 +51,9 @@ func TestNewGoogleProvider(t *testing.T) {
 	g.Expect(providerData.ProviderName).To(Equal("Google"))
 	g.Expect(providerData.LoginURL.String()).To(Equal("https://accounts.google.com/o/oauth2/auth?access_type=offline"))
-	g.Expect(providerData.RedeemURL.String()).To(Equal("https://www.googleapis.com/oauth2/v3/token"))
+	g.Expect(providerData.RedeemURL.String()).To(Equal("https://oauth2.googleapis.com/token"))
-	g.Expect(providerData.ProfileURL.String()).To(Equal(""))
+	g.Expect(providerData.ProfileURL.String()).To(Equal("https://openidconnect.googleapis.com/v1/userinfo"))
-	g.Expect(providerData.ValidateURL.String()).To(Equal("https://www.googleapis.com/oauth2/v1/tokeninfo"))
+	g.Expect(providerData.ValidateURL.String()).To(Equal("https://oauth2.googleapis.com/tokeninfo"))
 	g.Expect(providerData.Scope).To(Equal("profile email"))
 }