fix: migrate token info API to not pass token in query string (#991)
Browse files Browse the repository at this point in the history
Google APIs will stop accepting requests that pass OAuth tokens on the query string from June 1, 2021.
To align with security best practices, we should not pass the token in the query string when calling tokeninfo endpoint.
This also follows the gcloud samples code: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token?hl=en

`curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo`
bojeil-google committed Aug 5, 2020
1 parent e2e840c commit a7e5701
Showing 2 changed files with 16 additions and 3 deletions.
7 changes: 5 additions & 2 deletions src/auth/oauth2client.ts
@@ -1015,9 +1015,12 @@ export class OAuth2Client extends AuthClient {
*/
async getTokenInfo(accessToken: string): Promise<TokenInfo> {
const {data} = await this.transporter.request<TokenInfoRequest>({
method: 'GET',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
url: OAuth2Client.GOOGLE_TOKEN_INFO_URL,
params: {access_token: accessToken},
data: querystring.stringify({access_token: accessToken}),
});
const info = Object.assign(
{
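Review bot: `querystring.stringify` is introduced here but no import appears in the hunk; confirm that `querystring` is already imported in src/auth/oauth2client.ts, and note that Node's `querystring` module is legacy, so `new URLSearchParams({access_token: accessToken}).toString()` would yield the same `application/x-www-form-urlencoded` body without the extra module. The `*/` at the top of the hunk shows a doc comment directly above `getTokenInfo`; if it describes the call as a GET with the token as a query parameter, it should be updated to match the new POST body. Moving the token out of `params` and into the form body is the right fix: with `params` the bearer token became part of the request URL, which proxies and servers record in access logs by default, whereas a request body is not.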
12 changes: 11 additions & 1 deletion test/test.oauth2.ts
@@ -1323,7 +1323,17 @@ describe('oauth2', () => {
};

const scope = nock(baseUrl)
.get(`/tokeninfo?access_token=${accessToken}`)
.post(
'/tokeninfo',
qs.stringify({
access_token: accessToken,
}),
{
reqheaders: {
'content-type': 'application/x-www-form-urlencoded',
},
}
)
.reply(200, tokenInfo);

const info = await client.getTokenInfo(accessToken);
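Review bot: the test encodes the expected body with `qs.stringify` while the implementation uses `querystring.stringify`; confirm that `qs` is imported in test/test.oauth2.ts (the import is outside this hunk) and consider encoding with the same module on both sides so the expected body matches what the client sends byte for byte. The mock now pins the form body and the `content-type` header, which is good; it would also be worth asserting that the request carried no query string at all, since keeping the token out of the URL is the property this commit fixes and the removed `.get('/tokeninfo?access_token=${accessToken}')` line was the only place the URL shape was checked.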
