oauth2: use strings.Builder instead of bytes.Buffer

The former does not make a copy of the accumulated buffer
to produce a string.

WriteByte() is faster than WriteRune() and we are not
appending non-ASCII here.

Change-Id: I562461eec2fdcf6230e46b3011fabe0979d05044
GitHub-Last-Rev: b7845f8
GitHub-Pull-Request: #785
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/694715
Reviewed-by: Michael Knyszek <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Mark Freeman <[email protected]>
Reviewed-by: Sean Liao <[email protected]>
Auto-Submit: Sean Liao <[email protected]>

all: upgrade go directive to at least 1.24.0 [generated]

By now Go 1.25.0 has been released, and Go 1.23 is no longer supported
per the Go Release Policy (see https://go.dev/doc/devel/release#policy).

For golang/go#69095.

[git-generate]
(cd . && go get [email protected] && go mod tidy && go fix ./... && go mod edit -toolchain=none)

Change-Id: I9f54f22bd309b9f22524355294e844c9615a6281
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/695755
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>

oauth2: fix expiration time window check

Before CL 68017, the test verified that tokens expire exactly one day
after they are issued, within the time that Exchange() takes to execute.
A refactoring in the CL extended this time window to a whole day, making
the check much more lenient.

See: https://go-review.googlesource.com/c/oauth2/+/168017
Change-Id: I479db429f64b25a711624817c13f068b4675163e
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/630495
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Junyang Shao <[email protected]>
Reviewed-by: Sean Liao <[email protected]>
Auto-Submit: Sean Liao <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>

oauth2: remove extra period

Change-Id: I369d3bed0e28427b1e1d416952c3766932ba3773
GitHub-Last-Rev: ca611fe
GitHub-Pull-Request: #724
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/587017
Auto-Submit: Ian Lance Taylor <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Shin Fan <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

oauth2: Deep copy context client in NewClient

OAuth2 client creation currently doesn't faithfully reuse the client
passed into the context. This causes config settings such as timeout to
be set to Default and may end up to be a gotcha for anyone who sends in
a context client with timeout set assuming that the timeout will be
copied to the new client.

Fix: #368
Change-Id: I4f5f052361ebe07f50fbd694379892833cd1056c
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/180920
Auto-Submit: Sean Liao <[email protected]>
Reviewed-by: Sean Liao <[email protected]>
Reviewed-by: Junyang Shao <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>

jws: split token into fixed number of parts

Thanks to 'jub0bs' for reporting this issue.

Fixes #71490
Fixes CVE-2025-22868

Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

google: add warning about externally-provided credentials

Change-Id: Ic2ce6e9c3ed735f4fc6d78a22cf0d5e95fca91a1
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/643158
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Sai Sunder Srinivasan <[email protected]>
Run-TryBot: Cody Oss <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Cody Oss <[email protected]>

all: make method and struct comments match the names

Change-Id: I9fd025393acc12da59fdac1c416563324cd26af1
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/639695
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

README: don't recommend go get

These days people will just import the packages and the go tool will
do the right thing. We don't need to explain it.

Add a pointer to the git repo, though.

For golang/go#62645

Change-Id: Ib6a6fb8989df8071b20d50de446d05b270c1f1ae
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/624195
Commit-Queue: Ian Lance Taylor <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Cody Oss <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>

x/oauth2: add Token.ExpiresIn

Fixes golang/go#61417

Change-Id: Ib8599f39b4839bf6eed021217350195ad36d1631
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/605955
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>