From 314ee5b92bf23c4973aa8e61eba3ff458e80eef2 Mon Sep 17 00:00:00 2001
From: GHOST
Date: Mon, 3 Feb 2025 18:28:31 +0000
Subject: [PATCH 1/5] endpoints: add patreon endpoint

Adds the patreon endpoints from their documentation. https://docs.patreon.com/#oauth. I've tested these thoroughly whilst making a pr to pocketbase. https://github.com/pocketbase/pocketbase/pull/3323.

Change-Id: I023871a4340ee4ebcba9fd808d4a8f0c081fc10e
GitHub-Last-Rev: 890ef056bd78d109e0ecc464263f9e85586e3f7d
GitHub-Pull-Request: golang/oauth2#668
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/528640
Reviewed-by: Cherry Mui
Reviewed-by: Carlos Amedee
Reviewed-by: Jorropo
Auto-Submit: Jorropo
LUCI-TryBot-Result: Go LUCI
---
 endpoints/endpoints.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go
index 950754ce4..0d8cf64ae 100644
--- a/endpoints/endpoints.go
+++ b/endpoints/endpoints.go
@@ -146,6 +146,12 @@ var Odnoklassniki = oauth2.Endpoint{
 TokenURL: "https://api.odnoklassniki.ru/oauth/token.do",
 }
+// Patreon is the endpoint for Patreon.
+var Patreon = oauth2.Endpoint{
+ AuthURL: "https://www.patreon.com/oauth2/authorize",
+ TokenURL: "https://www.patreon.com/api/oauth2/token",
+}
+
 // PayPal is the endpoint for PayPal.
 var PayPal = oauth2.Endpoint{
 AuthURL: "https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize",
From ac571fa341c2a2b979d2b2c8341fd24767ef5d47 Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Thu, 13 Feb 2025 07:38:29 +0000
Subject: [PATCH 2/5] oauth2: fix docs for Config.DeviceAuth

Config.DeviceAccess should be Config.DeviceAuth when using GenerateVerifier() or S256ChallengeOption()

Change-Id: Ie21a808387f731d270ae54ea1705de3e786cad7f
GitHub-Last-Rev: 2d6b4fd736ce785cc1675b1963be165529b09b1f
GitHub-Pull-Request: golang/oauth2#763
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/636216
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Cherry Mui
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Jorropo
Reviewed-by: Jorropo
---
 pkce.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkce.go b/pkce.go
index 50593b6df..6a95da975 100644
--- a/pkce.go
+++ b/pkce.go
@@ -21,7 +21,7 @@ const (
 //
 // A fresh verifier should be generated for each authorization.
 // S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL
-// (or Config.DeviceAccess) and VerifierOption(verifier) to Config.Exchange
+// (or Config.DeviceAuth) and VerifierOption(verifier) to Config.Exchange
 // (or Config.DeviceAccessToken).
 func GenerateVerifier() string {
 // "RECOMMENDED that the output of a suitable random number generator be
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 }
 // S256ChallengeOption derives a PKCE code challenge derived from verifier with
-// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAccess
+// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAuth
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
 return challengeOption{
From 109dabf9017129171d1807e485ca5633ecd095ac Mon Sep 17 00:00:00 2001
From: Hamza Ali
Date: Thu, 13 Feb 2025 15:41:44 +0000
Subject: [PATCH 3/5] endpoints: add links/provider for Discord

Endpoints are provided from https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-urls.

Change-Id: I7bcc8b4cb5527959acb8f177ffb8bbafbe727e82
GitHub-Last-Rev: 6869fc3f48c79750a9ab40276be08197300955cf
GitHub-Pull-Request: golang/oauth2#768
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/649115
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Cherry Mui
Reviewed-by: Dmitri Shuralyov
Auto-Submit: Dmitri Shuralyov
LUCI-TryBot-Result: Go LUCI
---
 endpoints/endpoints.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go
index 0d8cf64ae..d6e575e1f 100644
--- a/endpoints/endpoints.go
+++ b/endpoints/endpoints.go
@@ -35,6 +35,12 @@ var Cern = oauth2.Endpoint{
 TokenURL: "https://oauth.web.cern.ch/OAuth/Token",
 }
+// Discord is the endpoint for Discord.
+var Discord = oauth2.Endpoint{
+ AuthURL: "https://discord.com/oauth2/authorize",
+ TokenURL: "https://discord.com/api/oauth2/token",
+}
+
 // Facebook is the endpoint for Facebook.
 var Facebook = oauth2.Endpoint{
 AuthURL: "https://www.facebook.com/v3.2/dialog/oauth",
From 3f78298beea38fb76a3fbca33e3056f4b7eb5502 Mon Sep 17 00:00:00 2001
From: Gopher Robot
Date: Fri, 14 Feb 2025 21:12:09 +0000
Subject: [PATCH 4/5] all: upgrade go directive to at least 1.23.0 [generated]

By now Go 1.24.0 has been released, and Go 1.22 is no longer supported per the Go Release Policy (https://go.dev/doc/devel/release#policy).

For golang/go#69095.

[git-generate]
(cd . && go get go@1.23.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none)

Change-Id: I718ce0afa60729aeb89396db2b559faf03b90a68
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/649795
Auto-Submit: Gopher Robot
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Cherry Mui
LUCI-TryBot-Result: Go LUCI
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index d73aa6996..da302fb45 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module golang.org/x/oauth2
-go 1.18
+go 1.23.0
 require (
 cloud.google.com/go/compute/metadata v0.3.0
From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
From: Neal Patel
Date: Thu, 30 Jan 2025 14:10:09 -0500
Subject: [PATCH 5/5] jws: split token into fixed number of parts

Thanks to 'jub0bs' for reporting this issue.

Fixes #71490
Fixes CVE-2025-22868

Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
Auto-Submit: Gopher Robot
Reviewed-by: Damien Neil
Reviewed-by: Roland Shoemaker
LUCI-TryBot-Result: Go LUCI
---
 jws/jws.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/jws/jws.go b/jws/jws.go
index 95015648b..6f03a49d3 100644
--- a/jws/jws.go
+++ b/jws/jws.go
@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
 // Verify tests whether the provided JWT token's signature was produced by the private key
 // associated with the supplied public key.
 func Verify(token string, key *rsa.PublicKey) error {
- parts := strings.Split(token, ".")
- if len(parts) != 3 {
+ if strings.Count(token, ".") != 2 {
 return errors.New("jws: invalid token received, token must have 3 parts")
 }
+ parts := strings.SplitN(token, ".", 3)
 signedContent := parts[0] + "." + parts[1]
 signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
 if err != nil {
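Review bot: The new `strings.Count` / `strings.SplitN` pair in Verify is correct but carries no comment saying why the former `strings.Split` plus length check was replaced, and that reason is the entire fix: `strings.Split` materialises one element per separator before the length check runs, so the size of the slice was controlled by the untrusted token, whereas `strings.Count` allocates nothing and `SplitN(token, ".", 3)` caps the result. A short comment above the `strings.Count` line would stop a future maintainer from "simplifying" it back, e.g. `// Count before splitting so an untrusted token cannot drive the allocation size (CVE-2025-22868); with exactly two separators SplitN yields exactly three parts, so parts[2] below is always in range.` The hunk adds no regression test; a test that feeds Verify a token with an excessive number of separators and asserts the error return would pin the behaviour. Verify's body continues outside the hunk.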