Enable passing of additional Querystring params when requesting token

Some JWT Authentication APIs require the ability to pass additional
querystring parameters. For example Box.com API requires "client_id" and
"client_secret" parameters to be set ([ref][1]).

[1]: https://developer.box.com/docs/construct-jwt-claim-manually#section-4-request-access-token

Author: Zoran Plesivčak

jwt/jwt.go

@@ -71,6 +71,11 @@ type Config struct {
 	// See http://tools.ietf.org/html/draft-jones-json-web-token-10#section-4.3
 	PrivateClaims map[string]interface{}
 
+	// Query-string parameters in addition to ones already set ("grant_type"
+	// and "assertion"). "grant_type" and "assertion" should not be set through
+	// this parameter.
+	Querystring url.Values
+
 	// UseIDToken optionally specifies whether ID token should be used instead
 	// of access token when the server returns both.
 	UseIDToken bool
@@ -131,6 +136,12 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
 	v := url.Values{}
 	v.Set("grant_type", defaultGrantType)
 	v.Set("assertion", payload)
+	for qn, qv := range js.conf.Querystring {
+		if qn == "grant_type" || qn == "assertion" {
+			return nil, fmt.Errorf("oauth2: supplying param \"%v\" in Querystring is illegal", qn)
+		}
+		v[qn] = qv
+	}
 	resp, err := hc.PostForm(js.conf.TokenURL, v)
 	if err != nil {
 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)

jwt/jwt_test.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"reflect"
 	"strings"
 	"testing"
@@ -142,9 +143,12 @@ func TestJWTFetch_BadResponseType(t *testing.T) {
 
 func TestJWTFetch_Assertion(t *testing.T) {
 	var assertion string
+	var extra_querystring_param string
+
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		r.ParseForm()
 		assertion = r.Form.Get("assertion")
+		extra_querystring_param = r.Form.Get("extra_querystring_param")
 
 		w.Header().Set("Content-Type", "application/json")
 		w.Write([]byte(`{
@@ -161,13 +165,18 @@ func TestJWTFetch_Assertion(t *testing.T) {
 		PrivateKey:   dummyPrivateKey,
 		PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
 		TokenURL:     ts.URL,
+		Querystring:  url.Values{"extra_querystring_param": []string{"example_value"}},
 	}
 
 	_, err := conf.TokenSource(context.Background()).Token()
 	if err != nil {
 		t.Fatalf("Failed to fetch token: %v", err)
 	}
 
+	if extra_querystring_param != "example_value" {
+		t.Fatalf("extra_querystring_param = %v; should be \"example_value\"", extra_querystring_param)
+	}
+
 	parts := strings.Split(assertion, ".")
 	if len(parts) != 3 {
 		t.Fatalf("assertion = %q; want 3 parts", assertion)
@@ -316,3 +325,17 @@ func TestTokenRetrieveError(t *testing.T) {
 		t.Fatalf("got %#v, expected %#v", errStr, expected)
 	}
 }
+
+func TestInvalidConfigArgument(t *testing.T) {
+	conf := &Config{
+		Email:       "[email protected]",
+		PrivateKey:  dummyPrivateKey,
+		Audience:    "https://example.com",
+		Querystring: url.Values{"assertion": []string{"Trying to override assertion"}},
+	}
+
+	_, err := conf.TokenSource(context.Background()).Token()
+	if err == nil {
+		t.Fatalf("got no error, expected one")
+	}
+}