golang/oauth2/stsexchange: error handling enhancement proposal

Open olefirenque opened this issue 1 year ago • 3 comments

Hello!

The standard implementation of client_credentials grant_type uses a RetrieveError, which is really useful because it provides the raw response body and error code.

https://github.com/golang/oauth2/blob/3e6480915d39dd1a80fa460e56413857f02cc1b9/token.go#L184-L198

As I noticed, the stsexchange implementation wraps the raw error message, which makes it difficult to properly handle custom errors from different OIDC providers.

https://github.com/golang/oauth2/blob/3e6480915d39dd1a80fa460e56413857f02cc1b9/google/internal/stsexchange/sts_exchange.go#L89-L91

It would be great if stsexchange wrapped errors the same way client_credentials does.

olefirenque avatar Sep 06 '24 11:09 olefirenque
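
The difference described in the post above, as an added example that is not part of the thread or of golang/oauth2: `tokenError` is a hypothetical stand-in for a RetrieveError-style type, and the sample bodies and the reaction labels returned by `classify` are constructed for illustration. A caller can branch on status and error code through `errors.As` only when the structured error is wrapped with `%w`, not when it is folded into a message string.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// tokenError is a hypothetical stand-in for a RetrieveError-style typed error.
type tokenError struct {
	StatusCode int
	Body       []byte // raw response body, kept for provider-specific parsing
	ErrorCode  string // OAuth "error" field; empty when the body is not JSON
}

func (e *tokenError) Error() string { return fmt.Sprintf("status %d: %s", e.StatusCode, e.Body) }

// typedFailure keeps the structure and wraps it with %w so errors.As can find it.
func typedFailure(status int, body []byte) error {
	var p struct{ Error string `json:"error"` }
	_ = json.Unmarshal(body, &p) // a non-JSON body simply leaves the code empty
	return fmt.Errorf("token exchange: %w", &tokenError{StatusCode: status, Body: body, ErrorCode: p.Error})
}

// flattenedFailure folds status and body into text; the structure is lost.
func flattenedFailure(status int, body []byte) error {
	return fmt.Errorf("token exchange: status code %d: %s", status, body)
}

// classify picks a reaction (labels are illustrative) without parsing error strings.
func classify(err error) string {
	var te *tokenError
	if !errors.As(err, &te) {
		return "unknown" // flattened error: only string matching would remain
	}
	switch {
	case te.ErrorCode == "invalid_grant" || te.ErrorCode == "invalid_client":
		return "reauthenticate" // credentials rejected, retrying will not help
	case te.StatusCode >= 500:
		return "retry"
	}
	return "fail"
}

func main() {
	body := []byte(`{"error":"invalid_grant"}`) // constructed sample response
	fmt.Println(classify(typedFailure(400, body)), classify(flattenedFailure(400, body)))
}
```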

Would you mind raising an issue on https://github.com/googleapis/google-cloud-go instead? This google package is slowly being phased out in favor of https://pkg.go.dev/cloud.google.com/go/auth/credentials

codyoss avatar Sep 13 '24 19:09 codyoss

Sure, I can bring this up, but I would like to point out that in my case I use both client_credentials and token-exchange from oauth2 (I don't actually use any Google cloud infrastructure). It would be more convenient to use this enhancement here, since it allows handling token issuance errors in a more general way (in particular, they will have a common type for the error).

Can the attached MR still be considered?

olefirenque avatar Sep 13 '24 20:09 olefirenque

> (I don't actually use any Google cloud infrastructure)

Your PR and issue mention the google sub-directory that is used for Google clients. This package will soon be deprecated in favor of the one I linked above. We don't plan on adding any more features to this google package at this time.

codyoss avatar Sep 13 '24 20:09 codyoss