Support specifying AuthCodeOption in PasswordCredentialsToken #259
Comments
|
Also it would be good to support adding custom headers to auth requests (useful for tracing or custom extensions). This could be modelled as an additional AuthCodeOption impl (with some changes to the interface). We are happy to contribute those changes if you are willing to merge them, but if not just let us know and we'll create our own fork instead. Thanks! |
Allow clients to pass additional URL parameters as part of the PasswordCredentialsToken grant. Fixes golang#259
|
Suggested fix: https://go-review.googlesource.com/c/oauth2/+/84295 |
|
I had some API comments on Gerrit, but I don't understand the problem yet so it's hard to find a solution. It sounds like there are multiple use cases here. I've heard:
and
Can we get more concrete? APIs that expose arbitrary "do whatever you want here" hooks never age well. Which "custom extensions" or "extra args" are we talking about? For tracing, that would likely be done at the RoundTripper/RPC layer, not something user code would concern itself with, or it might be attached to the already-existing Talk me through some example use cases. |
|
Thanks @bradfitz , we have two use cases we wish to support:
|
Is this something your one server is doing, or something multiple parties are doing? If it's one-off, I'd rather clients experimenting with new things just make their own HTTP requests. I don't want to add cognitive load to all users of the oauth2 package by adding more API surface they need to read in the godoc, obscuring the parts they're probably looking for.
Tracing should be done independently of this bug and just be automatic. If this package received a context with trace info attached from some upper level HTTP server or gRPC server or whatever, it should just pass through in the context and the underlying HTTP client should add the trace headers. User code using oauth2 shouldn't need to think about it. There should be existing bugs open for tracing. @rakyll, got any pointers? |
|
This is something that our own server is doing. Note anyway that what we are suggesting is semantically equivalent to the existing https://godoc.org/golang.org/x/oauth2#SetAuthURLParam , we are only suggesting extending it to the password credentials grant; I would imagine that all the considerations that applied to adding Making our own HTTP request is indeed an option, but we would also need to parse the resulting token, and currently the As for tracing, I doubt that tracing could ever be fully automatic (unless you are talking about embedding an opentracing tracer within the oauth client as a special case, which would obviously only work for that particular kind of tracing). Anyway we can leave that out of the scope of this discussion for now, and I may create a separate issue for it. |
|
/cc @zombiezen for another case of users wanting raw token retrieval. |
|
Suggested fix: https://go-review.googlesource.com/c/oauth2/+/555395 |
Our use case is to pass additional URL parameters as part of the password credentials grant. Currently we need to hook into the context, create a
RoundTripperthat attaches extra args to the request, and inject that into the call toPasswordCredentialsToken.If it supported options similarly to
AuthCodeURL, this would be trivial to do from the client point of view instead.I propose modifying
into
If the
AuthCodeOptionnaming is confusing, I imagine we could have a separatePasswordCredentialsOptiontype, but I'm not sure it's worth it.The text was updated successfully, but these errors were encountered: