oauth2: use strings.Builder instead of bytes.Buffer The former does not make a copy of the accumulated buffer to produce a string. WriteByte() is faster than WriteRune() and we are not appending non-ASCII here. Change-Id: I562461eec2fdcf6230e46b3011fabe0979d05044 GitHub-Last-Rev: b7845f8 GitHub-Pull-Request: #785 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/694715 Reviewed-by: Michael Knyszek <mknyszek@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Mark Freeman <markfreeman@google.com> Reviewed-by: Sean Liao <sean@liao.dev> Auto-Submit: Sean Liao <sean@liao.dev>

all: upgrade go directive to at least 1.24.0 [generated] By now Go 1.25.0 has been released, and Go 1.23 is no longer supported per the Go Release Policy (see https://go.dev/doc/devel/release#policy). For golang/go#69095. [git-generate] (cd . && go get go@1.24.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none) Change-Id: I9f54f22bd309b9f22524355294e844c9615a6281 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/695755 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org>

oauth2: fix expiration time window check Before CL 68017, the test verified that tokens expire exactly one day after they are issued, within the time that Exchange() takes to execute. A refactoring in the CL extended this time window to a whole day, making the check much more lenient. See: https://go-review.googlesource.com/c/oauth2/+/168017 Change-Id: I479db429f64b25a711624817c13f068b4675163e Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/630495 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Sean Liao <sean@liao.dev> Auto-Submit: Sean Liao <sean@liao.dev> Reviewed-by: Carlos Amedee <carlos@golang.org>

oauth2: remove extra period Change-Id: I369d3bed0e28427b1e1d416952c3766932ba3773 GitHub-Last-Rev: ca611fe GitHub-Pull-Request: #724 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/587017 Auto-Submit: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Shin Fan <shinfan@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com>

oauth2: Deep copy context client in NewClient OAuth2 client creation currently doesn't faithfully reuse the client passed into the context. This causes config settings such as timeout to be set to Default and may end up to be a gotcha for anyone who sends in a context client with timeout set assuming that the timeout will be copied to the new client. Fix: #368 Change-Id: I4f5f052361ebe07f50fbd694379892833cd1056c Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/180920 Auto-Submit: Sean Liao <sean@liao.dev> Reviewed-by: Sean Liao <sean@liao.dev> Reviewed-by: Junyang Shao <shaojunyang@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com>

jws: split token into fixed number of parts Thanks to 'jub0bs' for reporting this issue. Fixes #71490 Fixes CVE-2025-22868 Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

google: add warning about externally-provided credentials Change-Id: Ic2ce6e9c3ed735f4fc6d78a22cf0d5e95fca91a1 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/643158 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Sai Sunder Srinivasan <saisunder@google.com> Run-TryBot: Cody Oss <codyoss@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cody Oss <codyoss@google.com>

all: make method and struct comments match the names Change-Id: I9fd025393acc12da59fdac1c416563324cd26af1 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/639695 Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

README: don't recommend go get These days people will just import the packages and the go tool will do the right thing. We don't need to explain it. Add a pointer to the git repo, though. For golang/go#62645 Change-Id: Ib6a6fb8989df8071b20d50de446d05b270c1f1ae Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/624195 Commit-Queue: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cody Oss <codyoss@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com>

x/oauth2: add Token.ExpiresIn Fixes golang/go#61417 Change-Id: Ib8599f39b4839bf6eed021217350195ad36d1631 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/605955 Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>