
golang/oauth2/stsexchange: pass partial client authentication info

Open olefirenque opened this issue 1 year ago • 0 comments

Hi! I chose the oauth2/google/externalaccount package as the basis for my client-side implementation of the token-exchange grant type. As I see it, this token exchange configuration supports providing a ClientID:

https://github.com/golang/oauth2/blob/3e6480915d39dd1a80fa460e56413857f02cc1b9/google/externalaccount/basecredentials.go#L168

But it is only used in conjunction with ClientSecret, which is not required for my use, because the SubjectToken itself is used to authenticate the user:

https://github.com/golang/oauth2/blob/3e6480915d39dd1a80fa460e56413857f02cc1b9/google/internal/stsexchange/clientauth.go#L27

In my use case, the verified ClientID is extracted from the SubjectToken, but I would like to provide the unverified ClientID as a parameter to use for rate limiting, metric export, etc.

Is it possible to weaken this check to allow only the ClientID to be specified? Or is there a better way to provide this information?

olefirenque, Aug 25 '24 14:08