Tags: golang/oauth2
all: upgrade go directive to at least 1.25.0 [generated]

    By now Go 1.26.0 has been released, and Go 1.24 is no longer supported
    per the Go Release Policy (see https://go.dev/doc/devel/release#policy).

    See go.dev/doc/godebug#go-125 for GODEBUG changes relevant to Go 1.25.

    For golang/go#69095.

    [git-generate]
    (cd . && go get go@1.25.0 && go mod tidy)

    Change-Id: Ifd87f1cd8d96659db781537c2e424568a8384410
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/744560
    Reviewed-by: Junyang Shao <shaojunyang@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Michael Pratt <mpratt@google.com>
    Auto-Submit: Gopher Robot <gobot@golang.org>

google: add safer credentials JSON loading options.

    Add safer credentials JSON loading options in `google` package.

    Adds `CredentialsFromJSONWithType` and `CredentialsFromJSONWithTypeAndParams`
    to mitigate a security vulnerability where credential configurations from
    untrusted sources could be used without validation. These new functions
    require the credential type to be explicitly specified.

    Deprecates the less safe `CredentialsFromJSON` and
    `CredentialsFromJSONWithParams` functions.

    Change-Id: I27848b5ebd2dff76d0397cdc08908d680c0ccd69
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/732440
    Reviewed-by: Seth Hollyman <shollyman@google.com>
    Reviewed-by: Cody Oss <codyoss@google.com>
    Reviewed-by: Sai Sunder Srinivasan <saisunder@google.com>
    TryBot-Bypass: Cody Oss <codyoss@google.com>

endpoints: fix %q verb use with wrong type

    Caught early by the improved vet check gated behind the 1.26 language
    version combined with a tiplang builder that tests with 1.26 language
    version.

    Change-Id: Ie41542014acbbf24464111bd8dabb040ab0a0dea
    Cq-Include-Trybots: luci.golang.try:x_oauth2-gotip-linux-amd64-tiplang
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/725240
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Mark Freeman <markfreeman@google.com>
    Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    Reviewed-by: Sean Liao <sean@liao.dev>

all: fix some comments

    Change-Id: I3dd3785de7071e34320a148f35d4caa97cfd6db1
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/713361
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: David Chase <drchase@google.com>
    Reviewed-by: Sean Liao <sean@liao.dev>
    Auto-Submit: Sean Liao <sean@liao.dev>
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

oauth2: use strings.Builder instead of bytes.Buffer

    The former does not make a copy of the accumulated buffer to produce a
    string. WriteByte() is faster than WriteRune() and we are not appending
    non-ASCII here.

    Change-Id: I562461eec2fdcf6230e46b3011fabe0979d05044
    GitHub-Last-Rev: b7845f8
    GitHub-Pull-Request: #785
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/694715
    Reviewed-by: Michael Knyszek <mknyszek@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Mark Freeman <markfreeman@google.com>
    Reviewed-by: Sean Liao <sean@liao.dev>
    Auto-Submit: Sean Liao <sean@liao.dev>

all: upgrade go directive to at least 1.24.0 [generated]

    By now Go 1.25.0 has been released, and Go 1.23 is no longer supported
    per the Go Release Policy (see https://go.dev/doc/devel/release#policy).

    For golang/go#69095.

    [git-generate]
    (cd . && go get go@1.24.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none)

    Change-Id: I9f54f22bd309b9f22524355294e844c9615a6281
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/695755
    Reviewed-by: David Chase <drchase@google.com>
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Auto-Submit: Gopher Robot <gobot@golang.org>

oauth2: fix expiration time window check

    Before CL 68017, the test verified that tokens expire exactly one day
    after they are issued, within the time that Exchange() takes to execute.
    A refactoring in the CL extended this time window to a whole day, making
    the check much more lenient.

    See: https://go-review.googlesource.com/c/oauth2/+/168017

    Change-Id: I479db429f64b25a711624817c13f068b4675163e
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/630495
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Junyang Shao <shaojunyang@google.com>
    Reviewed-by: Sean Liao <sean@liao.dev>
    Auto-Submit: Sean Liao <sean@liao.dev>
    Reviewed-by: Carlos Amedee <carlos@golang.org>

oauth2: remove extra period

    Change-Id: I369d3bed0e28427b1e1d416952c3766932ba3773
    GitHub-Last-Rev: ca611fe
    GitHub-Pull-Request: #724
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/587017
    Auto-Submit: Ian Lance Taylor <iant@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Shin Fan <shinfan@google.com>
    Reviewed-by: Ian Lance Taylor <iant@google.com>

oauth2: Deep copy context client in NewClient

    OAuth2 client creation currently doesn't faithfully reuse the client
    passed into the context. This causes config settings such as timeout to
    be set to Default and may end up to be a gotcha for anyone who sends in a
    context client with timeout set assuming that the timeout will be copied
    to the new client.

    Fix: #368

    Change-Id: I4f5f052361ebe07f50fbd694379892833cd1056c
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/180920
    Auto-Submit: Sean Liao <sean@liao.dev>
    Reviewed-by: Sean Liao <sean@liao.dev>
    Reviewed-by: Junyang Shao <shaojunyang@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Michael Pratt <mpratt@google.com>

jws: split token into fixed number of parts

    Thanks to 'jub0bs' for reporting this issue.

    Fixes #71490
    Fixes CVE-2025-22868

    Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
    Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
    Auto-Submit: Gopher Robot <gobot@golang.org>
    Reviewed-by: Damien Neil <dneil@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>