From 8419af869d24e3dbeb073a125bdbf96252eea377 Mon Sep 17 00:00:00 2001
From: Drew Foehn
Date: Sun, 19 Oct 2025 21:24:54 -0400
Subject: [PATCH] feat: added updated google endpoints so id token has full profile info
Signed-off-by: Drew Foehn
---
 CHANGELOG.md | 2 ++
 providers/google.go | 21 ++++++++++++++-------
 providers/google_test.go | 6 +++---
 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13ef6807..b3dfdb5d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@
 ## Changes since v7.13.0
+- [#3236](https://github.com/oauth2-proxy/oauth2-proxy/pull/3236) Updated the Google Provider's token endpoint to match Google OIDC's token endpoint. As listed in https://accounts.google.com/.well-known/openid-configuration this token endpoint provides additional claims in the id token such as profile photo and full name (@pixeldrew)
+
 # V7.13.0
 ## Release Highlights
diff --git a/providers/google.go b/providers/google.go
index a6a9d283..3ab70525 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -69,19 +69,26 @@ var (
 }
 // Default Redeem URL for Google.
- // Pre-parsed URL of https://www.googleapis.com/oauth2/v3/token.
+ // pulled from https://accounts.google.com/.well-known/openid-configuration
 googleDefaultRedeemURL = &url.URL{
 Scheme: "https",
- Host: "www.googleapis.com",
- Path: "/oauth2/v3/token",
+ Host: "oauth2.googleapis.com",
+ Path: "/token",
 }
 // Default Validation URL for Google.
- // Pre-parsed URL of https://www.googleapis.com/oauth2/v1/tokeninfo.
+ // https://developers.google.com/identity/sign-in/android/backend-auth#calling-the-tokeninfo-endpoint
 googleDefaultValidateURL = &url.URL{
 Scheme: "https",
- Host: "www.googleapis.com",
- Path: "/oauth2/v1/tokeninfo",
+ Host: "oauth2.googleapis.com",
+ Path: "/tokeninfo",
+ }
+
+ // pulled from https://openidconnect.googleapis.com/v1/userinfo
+ googleDefaultProfileURL = &url.URL{
+ Scheme: "https",
+ Host: "openidconnect.googleapis.com",
+ Path: "/v1/userinfo",
 }
 )
@@ -91,7 +98,7 @@ func NewGoogleProvider(p *ProviderData, opts options.GoogleOptions) (*GoogleProv
 name: googleProviderName,
 loginURL: googleDefaultLoginURL,
 redeemURL: googleDefaultRedeemURL,
- profileURL: nil,
+ profileURL: googleDefaultProfileURL,
 validateURL: googleDefaultValidateURL,
 scope: googleDefaultScope,
 })
diff --git a/providers/google_test.go b/providers/google_test.go
index f168e31c..4e83c9dd 100644
--- a/providers/google_test.go
+++ b/providers/google_test.go
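Review bot: The comment added above `googleDefaultProfileURL` names the endpoint itself as its source and omits the "Default … URL for Google." line its two neighbours keep; `// Default Profile URL for Google.` followed by `// userinfo_endpoint from https://accounts.google.com/.well-known/openid-configuration` would match them. The new comment on `googleDefaultValidateURL` links to a page about verifying ID tokens from Android clients, and how this provider actually calls tokeninfo is not visible in the hunk, so the reference should be checked against the request the code sends. The CHANGELOG entry mentions only the token endpoint, while this hunk also moves validation to `oauth2.googleapis.com` and introduces `openidconnect.googleapis.com`; operators who restrict egress by hostname need both new hosts listed. The `var (` block opens outside the hunk.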
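Review bot: Replacing `profileURL: nil` with `googleDefaultProfileURL` changes the default for every existing Google deployment, and nothing in this patch shows which code reads ProfileURL or what happens when that request fails. If shared provider code treats a non-nil ProfileURL as the signal to call userinfo with the user's access token, that is a new outbound call on the login path and a second source of session claims next to the ID token; whether an error there blocks sign-in should be stated in the description. I would record the change beside the field, `// non-nil since #3236: code that checks ProfileURL now sees the userinfo endpoint`, and note that the hunk in providers/google_test.go only compares the URL strings, so the new behaviour itself is untested. NewGoogleProvider starts and ends outside the hunk.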
@@ -51,9 +51,9 @@ func TestNewGoogleProvider(t *testing.T) {
 g.Expect(providerData.ProviderName).To(Equal("Google"))
 g.Expect(providerData.LoginURL.String()).To(Equal("https://accounts.google.com/o/oauth2/auth?access_type=offline"))
- g.Expect(providerData.RedeemURL.String()).To(Equal("https://www.googleapis.com/oauth2/v3/token"))
- g.Expect(providerData.ProfileURL.String()).To(Equal(""))
- g.Expect(providerData.ValidateURL.String()).To(Equal("https://www.googleapis.com/oauth2/v1/tokeninfo"))
+ g.Expect(providerData.RedeemURL.String()).To(Equal("https://oauth2.googleapis.com/token"))
+ g.Expect(providerData.ProfileURL.String()).To(Equal("https://openidconnect.googleapis.com/v1/userinfo"))
+ g.Expect(providerData.ValidateURL.String()).To(Equal("https://oauth2.googleapis.com/tokeninfo"))
 g.Expect(providerData.Scope).To(Equal("profile email"))
 }