fix: migrate token info API to not pass token in query string (#991)

Google APIs will stop accepting requests that pass OAuth tokens on the query string from June 1, 2021. To align with security best practices, we should not pass the token in the query string when calling tokeninfo endpoint. This also follows the gcloud samples code: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token?hl=en `curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo`
googleapis · Aug 5, 2020 · a7e5701 · a7e5701
1 parent e2e840c
commit a7e5701
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/src/auth/oauth2client.ts b/src/auth/oauth2client.ts
@@ -1015,9 +1015,12 @@ export class OAuth2Client extends AuthClient {
    */
   async getTokenInfo(accessToken: string): Promise<TokenInfo> {
     const {data} = await this.transporter.request<TokenInfoRequest>({
-      method: 'GET',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
       url: OAuth2Client.GOOGLE_TOKEN_INFO_URL,
-      params: {access_token: accessToken},
+      data: querystring.stringify({access_token: accessToken}),
     });
     const info = Object.assign(
       {

diff --git a/test/test.oauth2.ts b/test/test.oauth2.ts
@@ -1323,7 +1323,17 @@ describe('oauth2', () => {
       };
 
       const scope = nock(baseUrl)
-        .get(`/tokeninfo?access_token=${accessToken}`)
+        .post(
+          '/tokeninfo',
+          qs.stringify({
+            access_token: accessToken,
+          }),
+          {
+            reqheaders: {
+              'content-type': 'application/x-www-form-urlencoded',
+            },
+          }
+        )
         .reply(200, tokenInfo);
 
       const info = await client.getTokenInfo(accessToken);