Copyright 2014 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.

package google

import (
	
	
	
	
	
	
	

	
	
	
)
Endpoint is Google's OAuth 2.0 endpoint.
var Endpoint = oauth2.Endpoint{
	AuthURL:   "https://accounts.google.com/o/oauth2/auth",
	TokenURL:  "https://oauth2.googleapis.com/token",
	AuthStyle: oauth2.AuthStyleInParams,
}
JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
const JWTTokenURL = "https://oauth2.googleapis.com/token"
ConfigFromJSON uses a Google Developers Console client_credentials.json file to construct a config. client_credentials.json can be downloaded from https://console.developers.google.com, under "Credentials". Download the Web application credentials in the JSON format and provide the contents of the file as jsonKey.
func ( []byte,  ...string) (*oauth2.Config, error) {
	type  struct {
		     string   `json:"client_id"`
		 string   `json:"client_secret"`
		 []string `json:"redirect_uris"`
		      string   `json:"auth_uri"`
		     string   `json:"token_uri"`
	}
	var  struct {
		       * `json:"web"`
		 * `json:"installed"`
	}
	if  := json.Unmarshal(, &);  != nil {
		return nil, 
	}
	var  *
	switch {
	case . != nil:
		 = .
	case . != nil:
		 = .
	default:
		return nil, fmt.Errorf("oauth2/google: no credentials found")
	}
	if len(.) < 1 {
		return nil, errors.New("oauth2/google: missing redirect URL in the client_credentials.json")
	}
	return &oauth2.Config{
		ClientID:     .,
		ClientSecret: .,
		RedirectURL:  .[0],
		Scopes:       ,
		Endpoint: oauth2.Endpoint{
			AuthURL:  .,
			TokenURL: .,
		},
	}, nil
}
JWTConfigFromJSON uses a Google Developers service account JSON key file to read the credentials that authorize and authenticate the requests. Create a service account on "Credentials" for your project at https://console.developers.google.com to download a JSON key file.
func ( []byte,  ...string) (*jwt.Config, error) {
	var  credentialsFile
	if  := json.Unmarshal(, &);  != nil {
		return nil, 
	}
	if .Type != serviceAccountKey {
		return nil, fmt.Errorf("google: read JWT from JSON credentials: 'type' field is %q (expected %q)", .Type, serviceAccountKey)
	}
	 = append([]string(nil), ...) // copy
	return .jwtConfig(), nil
}
JSON key file types.
const (
	serviceAccountKey  = "service_account"
	userCredentialsKey = "authorized_user"
)
credentialsFile is the unmarshalled representation of a credentials file.
type credentialsFile struct {
	Type string `json:"type"` // serviceAccountKey or userCredentialsKey
Service Account fields
	ClientEmail  string `json:"client_email"`
	PrivateKeyID string `json:"private_key_id"`
	PrivateKey   string `json:"private_key"`
	TokenURL     string `json:"token_uri"`
	ProjectID    string `json:"project_id"`
User Credential fields (These typically come from gcloud auth.)
	ClientSecret string `json:"client_secret"`
	ClientID     string `json:"client_id"`
	RefreshToken string `json:"refresh_token"`
}

func ( *credentialsFile) ( []string) *jwt.Config {
	 := &jwt.Config{
		Email:        .ClientEmail,
		PrivateKey:   []byte(.PrivateKey),
		PrivateKeyID: .PrivateKeyID,
		Scopes:       ,
		TokenURL:     .TokenURL,
	}
	if .TokenURL == "" {
		.TokenURL = JWTTokenURL
	}
	return 
}

func ( *credentialsFile) ( context.Context,  []string) (oauth2.TokenSource, error) {
	switch .Type {
	case serviceAccountKey:
		 := .jwtConfig()
		return .TokenSource(), nil
	case userCredentialsKey:
		 := &oauth2.Config{
			ClientID:     .ClientID,
			ClientSecret: .ClientSecret,
			Scopes:       ,
			Endpoint:     Endpoint,
		}
		 := &oauth2.Token{RefreshToken: .RefreshToken}
		return .TokenSource(, ), nil
	case "":
		return nil, errors.New("missing 'type' field in credentials")
	default:
		return nil, fmt.Errorf("unknown credential type: %q", .Type)
	}
}
ComputeTokenSource returns a token source that fetches access tokens from Google Compute Engine (GCE)'s metadata server. It's only valid to use this token source if your program is running on a GCE instance. If no account is specified, "default" is used. If no scopes are specified, a set of default scopes are automatically granted. Further information about retrieving access tokens from the GCE metadata server can be found at https://cloud.google.com/compute/docs/authentication.
func ( string,  ...string) oauth2.TokenSource {
	return oauth2.ReuseTokenSource(nil, computeSource{account: , scopes: })
}

type computeSource struct {
	account string
	scopes  []string
}

func ( computeSource) () (*oauth2.Token, error) {
	if !metadata.OnGCE() {
		return nil, errors.New("oauth2/google: can't get a token from the metadata service; not running on GCE")
	}
	 := .account
	if  == "" {
		 = "default"
	}
	 := "instance/service-accounts/" +  + "/token"
	if len(.scopes) > 0 {
		 := url.Values{}
		.Set("scopes", strings.Join(.scopes, ","))
		 =  + "?" + .Encode()
	}
	,  := metadata.Get()
	if  != nil {
		return nil, 
	}
	var  struct {
		  string `json:"access_token"`
		 int    `json:"expires_in"`
		    string `json:"token_type"`
	}
	 = json.NewDecoder(strings.NewReader()).Decode(&)
	if  != nil {
		return nil, fmt.Errorf("oauth2/google: invalid token JSON from metadata: %v", )
	}
	if . == 0 || . == "" {
		return nil, fmt.Errorf("oauth2/google: incomplete token received from metadata")
	}
	 := &oauth2.Token{
		AccessToken: .,
		TokenType:   .,
		Expiry:      time.Now().Add(time.Duration(.) * time.Second),
NOTE(cbro): add hidden metadata about where the token is from. This is needed for detection by client libraries to know that credentials come from the metadata server. This may be removed in a future version of this library.
	return .WithExtra(map[string]interface{}{
		"oauth2.google.tokenSource":    "compute-metadata",
		"oauth2.google.serviceAccount": ,
	}), nil