@@ -1,5 +1,6 @@

 package api

+// TODO: Add display name to common meta?

 type UserInfo interface {

 	GetName() string

 	GetUID() string

@@ -1,7 +1,6 @@

 package bearertoken

 import (

-	"fmt"

 	"net/http"

 	"strings"

@@ -30,7 +29,3 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (api.UserInfo, bo

 	token := parts[1]

 	return a.auth.AuthenticateToken(token)

 }

-

-func (a *Authenticator) String() string {

-	return fmt.Sprintf("TokenBearerAuthenticator{tokenValidator:%v}", a.auth)

-}

@@ -2,7 +2,6 @@ package file

 import (

 	"encoding/csv"

-	"fmt"

 	"io"

 	"os"

@@ -57,7 +56,3 @@ func (a *TokenAuthenticator) AuthenticateToken(value string) (api.UserInfo, bool

 	}

 	return user, true, nil

 }

-

-func (a *TokenAuthenticator) String() string {

-	return fmt.Sprintf("CsvTokenValidator{csvLocation:%v}", a.path)

-}

@@ -1,7 +1,6 @@

 package requestheader

 import (

-	"fmt"

 	"net/http"

 	"github.com/openshift/origin/pkg/auth/api"

@@ -35,7 +34,3 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (api.UserInfo, bo

 	}

 	return user, true, nil

 }

-

-func (h *Authenticator) String() string {

-	return fmt.Sprintf("RequestHeaderAuthenticator{userHeaderName:%v}", h.config.UserNameHeader)

-}

@@ -16,11 +16,8 @@ func NewRequestAuthenticator(context RequestContext, auth authenticator.Request,

 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

 		user, ok, err := auth.AuthenticateRequest(req)

 		if err != nil || !ok {

-			// TODO make this actually fail.  For now, just let us know and continue on your merry way

-			glog.V(2).Infof("Token authentication failed when accessing: %v", req.URL)

-

-			// failed.ServeHTTP(w, req)

-			// return

+			failed.ServeHTTP(w, req)

+			return

 		} else {

 			glog.V(1).Infof("Found user, %v, when accessing %v", user, req.URL)

deleted file mode 100644

@@ -1,42 +0,0 @@

-package googlecallback

-

-import (

-	"fmt"

-	"net/http"

-	"net/url"

-

-	"github.com/golang/glog"

-)

-

-type GoogleAuthenticationHandler struct {

-	RedirectUri string

-	ClientId    string

-}

-

-func (g *GoogleAuthenticationHandler) AuthenticationNeeded(w http.ResponseWriter, req *http.Request) {

-	glog.V(1).Infof("Authentication needed for %v", g)

-

-	// TODO: tidy this

-	// build our url:

-	oauthUrl, _ := url.Parse("https://accounts.google.com/o/oauth2/auth")

-	query := url.Values{}

-	query.Set("response_type", "code")

-	query.Set("client_id", g.ClientId)

-	query.Set("redirect_uri", g.RedirectUri)

-	query.Set("scope", "profile email")

-	query.Set("state", "go-to-somewhere")

-	query.Set("include_granted_scopes", "true")

-	query.Set("access_type", "offline")

-	oauthUrl.RawQuery = query.Encode()

-

-	glog.V(1).Infof("redirect to  %v", oauthUrl)

-

-	http.Redirect(w, req, oauthUrl.String(), http.StatusFound)

-}

-func (g *GoogleAuthenticationHandler) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) {

-	fmt.Fprintf(w, "<body>AuthenticationError - %s</body>", err)

-}

-

-func (g *GoogleAuthenticationHandler) String() string {

-	return fmt.Sprintf("GoogleAuthenticationHandler{ClientId: %v}", g.ClientId)

-}

deleted file mode 100644

@@ -1,86 +0,0 @@

-package googlecallback

-

-import (

-	// "bytes"

-	"encoding/base64"

-	"encoding/json"

-	"io/ioutil"

-	"net/http"

-	"net/url"

-	"strings"

-

-	"github.com/golang/glog"

-	"github.com/openshift/origin/pkg/oauth/registry/accesstoken"

-)

-

-type OauthCallbackHandler struct {

-	TokenRegistry accesstoken.Registry

-	ClientId      string

-	ClientSecret  string

-}

-

-func (o *OauthCallbackHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {

-	code := req.URL.Query().Get("code")

-	if len(code) == 0 {

-		w.WriteHeader(http.StatusBadRequest)

-		return

-	}

-

-	// the code we get back seems to have multiple parts, we need everything before the period

-	code = code[0:strings.Index(code, ".")]

-	glog.Infof("Got a callback from google for: %v", code)

-

-	//

-	// with this code, I thee post.  We need the token

-	resp, err := http.PostForm("https://accounts.google.com/o/oauth2/token", url.Values{

-		"grant_type":    {"authorization_code"},

-		"code":          {code},

-		"client_id":     {o.ClientId},

-		"client_secret": {o.ClientSecret},

-		"redirect_uri":  {"http://localhost:8080/oauth2callback/google"},

-	})

-	if err != nil {

-		glog.Errorf("Error making post: %v", err)

-	}

-	body, err := ioutil.ReadAll(resp.Body)

-	if err != nil {

-		glog.Errorf("Error making post: %v", err)

-	}

-	var jsonResponse interface{}

-	err = json.Unmarshal(body, &jsonResponse)

-	if err != nil {

-		glog.Errorf("Error making post: %v", err)

-	}

-	tokenResponseMap := jsonResponse.(map[string]interface{})

-	glog.V(1).Infof("Got a response: %v", tokenResponseMap)

-

-	googleAccessToken := tokenResponseMap["access_token"].(string)

-	glog.Infof("Got a google access token of: %v", googleAccessToken)

-	googleIdToken := tokenResponseMap["id_token"].(string)

-	glog.Infof("Got a google id token of: %v", googleIdToken)

-

-	// pull the ID from the id token.  We don't need to validate since we got the info directly from

-	// our https request to google

-	encodedIdTokenParts := strings.Split(googleIdToken, ".")

-	if len(encodedIdTokenParts) >= 2 {

-		encodedId := encodedIdTokenParts[1]

-		decodedIdBytes := make([]byte, base64.StdEncoding.DecodedLen(len(encodedId)))

-		base64.StdEncoding.Decode(decodedIdBytes, []byte(encodedId))

-

-		// TODO complete hack. figure out why the decode fails

-		decodedIdBytes = append(decodedIdBytes, byte('}'))

-

-		glog.V(1).Infof("decodedIdBytes %v", string(decodedIdBytes))

-

-		var decodedIdJson interface{}

-		err = json.Unmarshal(decodedIdBytes, &decodedIdJson)

-		if err != nil {

-			glog.Errorf("Error interpretting token: %v", err)

-		}

-

-		idMap := decodedIdJson.(map[string]interface{})

-		emailAddress := idMap["email"]

-		glog.Infof("User email: %v", emailAddress)

-

-	}

-}

new file mode 100644

@@ -0,0 +1,86 @@

+package github

+

+import (

+	"encoding/json"

+	"fmt"

+	"io/ioutil"

+	"net/http"

+

+	"github.com/RangelReale/osincli"

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/oauth/external"

+)

+

+const (

+	githubAuthorizeUrl = "https://github.com/login/oauth/authorize"

+	githubTokenUrl     = "https://github.com/login/oauth/access_token"

+	githubUserApiUrl   = "https://api.github.com/user"

+	githubOauthScope   = "user:email"

+)

+

+type provider struct {

+	client_id, client_secret string

+}

+

+type githubUser struct {

+	ID    uint64

+	Login string

+	Email string

+	Name  string

+}

+

+func NewProvider(client_id, client_secret string) external.Provider {

+	return provider{client_id, client_secret}

+}

+

+func (p provider) NewConfig() (*osincli.ClientConfig, error) {

+	config := &osincli.ClientConfig{

+		ClientId:                 p.client_id,

+		ClientSecret:             p.client_secret,

+		ErrorsInStatusCode:       true,

+		SendClientSecretInParams: true,

+		AuthorizeUrl:             githubAuthorizeUrl,

+		TokenUrl:                 githubTokenUrl,

+		Scope:                    githubOauthScope,

+	}

+	return config, nil

+}

+

+func (p provider) AddCustomParameters(req *osincli.AuthorizeRequest) {

+}

+

+func (p provider) GetUserInfo(data *osincli.AccessData) (api.UserInfo, bool, error) {

+

+	req, _ := http.NewRequest("GET", githubUserApiUrl, nil)

+	req.Header.Set("Authorization", fmt.Sprintf("bearer %s", data.AccessToken))

+

+	res, err := http.DefaultClient.Do(req)

+	if err != nil {

+		return nil, false, err

+	}

+

+	body, err := ioutil.ReadAll(res.Body)

+	if err != nil {

+		return nil, false, err

+	}

+

+	userdata := githubUser{}

+	err = json.Unmarshal(body, &userdata)

+	if err != nil {

+		return nil, false, err

+	}

+

+	if userdata.ID == 0 {

+		return nil, false, fmt.Errorf("Could not retrieve GitHub id")

+	}

+

+	user := &api.DefaultUserInfo{

+		Name: fmt.Sprintf("%d", userdata.ID),

+		Extra: map[string]string{

+			"name":  userdata.Name,

+			"login": userdata.Login,

+			"email": userdata.Email,

+		},

+	}

+	return user, true, nil

+}

new file mode 100644

@@ -0,0 +1,99 @@

+package google

+

+import (

+	"encoding/base64"

+	"encoding/json"

+	"fmt"

+	"strings"

+

+	"github.com/RangelReale/osincli"

+	"github.com/golang/glog"

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/oauth/external"

+)

+

+const (

+	googleAuthorizeUrl = "https://accounts.google.com/o/oauth2/auth"

+	googleTokenUrl     = "https://accounts.google.com/o/oauth2/token"

+	googleOauthScope   = "profile email"

+)

+

+type provider struct {

+	client_id, client_secret string

+}

+

+func NewProvider(client_id, client_secret string) external.Provider {

+	return provider{client_id, client_secret}

+}

+

+func (p provider) NewConfig() (*osincli.ClientConfig, error) {

+	config := &osincli.ClientConfig{

+		ClientId:                 p.client_id,

+		ClientSecret:             p.client_secret,

+		ErrorsInStatusCode:       true,

+		SendClientSecretInParams: true,

+		AuthorizeUrl:             googleAuthorizeUrl,

+		TokenUrl:                 googleTokenUrl,

+		Scope:                    googleOauthScope,

+	}

+	return config, nil

+}

+

+func (p provider) AddCustomParameters(req *osincli.AuthorizeRequest) {

+	req.CustomParameters["include_granted_scopes"] = "true"

+	req.CustomParameters["access_type"] = "offline"

+}

+

+func (p provider) GetUserInfo(data *osincli.AccessData) (api.UserInfo, bool, error) {

+	idToken, ok := data.ResponseData["id_token"].(string)

+	if !ok {

+		return nil, false, fmt.Errorf("No id_token returned in %v", data.ResponseData)

+	}

+

+	userdata, err := decodeJWT(idToken)

+	if err != nil {

+		return nil, false, err

+	}

+

+	id, _ := userdata["id"].(string)

+	email, _ := userdata["email"].(string)

+	if id == "" || email == "" {

+		return nil, false, fmt.Errorf("Could not retrieve Google id")

+	}

+

+	user := &api.DefaultUserInfo{

+		Name: id,

+		Extra: map[string]string{

+			"name":  email,

+			"email": email,

+		},

+	}

+	return user, true, nil

+}

+

+// Decode JWT

+// http://openid.net/specs/draft-jones-json-web-token-07.html

+func decodeJWT(jwt string) (map[string]interface{}, error) {

+	jwtParts := strings.Split(jwt, ".")

+	if len(jwtParts) != 3 {

+		return nil, fmt.Errorf("Invalid JSON Web Token: expected 3 parts, got %d", len(jwtParts))

+	}

+

+	encodedPayload := jwtParts[1]

+	glog.Infof("encodedPayload: %s\n", encodedPayload)

+

+	decodedPayload, err := base64.StdEncoding.DecodeString(encodedPayload)

+	if err != nil {

+		return nil, fmt.Errorf("Error decoding payload: %v\n", err)

+	}

+	glog.Infof("decodedPayload: %s\n", decodedPayload)

+

+	var data map[string]interface{}

+	err = json.Unmarshal([]byte(decodedPayload), &data)

+	if err != nil {

+		return nil, fmt.Errorf("Error parsing token: %v\n", err)

+	}

+	glog.Infof("data: %#v\n", data)

+

+	return data, nil

+}

new file mode 100644

@@ -0,0 +1,173 @@

+package external

+

+import (

+	"fmt"

+	"net/http"

+	"net/url"

+

+	"github.com/RangelReale/osincli"

+	"github.com/golang/glog"

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/oauth/handlers"

+)

+

+type Handler struct {

+	provider     Provider

+	state        State

+	clientConfig *osincli.ClientConfig

+	client       *osincli.Client

+	success      handlers.AuthenticationSuccessHandler

+	error        handlers.AuthenticationErrorHandler

+}

+

+func NewHandler(provider Provider, state State, redirectUrl string, success handlers.AuthenticationSuccessHandler, error handlers.AuthenticationErrorHandler) (*Handler, error) {

+	clientConfig, err := provider.NewConfig()

+	if err != nil {

+		return nil, err

+	}

+

+	clientConfig.RedirectUrl = redirectUrl

+

+	client, err := osincli.NewClient(clientConfig)

+	if err != nil {

+		return nil, err

+	}

+

+	return &Handler{

+		provider:     provider,

+		state:        state,

+		clientConfig: clientConfig,

+		client:       client,

+		success:      success,

+		error:        error,

+	}, nil

+}

+

+// Implements oauth.handlers.AuthenticationHandler

+func (h *Handler) AuthenticationNeeded(w http.ResponseWriter, req *http.Request) {

+	glog.V(4).Infof("Authentication needed for %v", h)

+

+	authReq := h.client.NewAuthorizeRequest(osincli.CODE)

+	h.provider.AddCustomParameters(authReq)

+

+	state, err := h.state.Generate(w, req)

+	if err != nil {

+		glog.V(4).Infof("Error generating state: %v", err)

+		h.AuthenticationError(err, w, req)

+		return

+	}

+

+	oauthUrl := authReq.GetAuthorizeUrlWithParams(state)

+	glog.V(4).Infof("redirect to %v", oauthUrl)

+

+	http.Redirect(w, req, oauthUrl.String(), http.StatusFound)

+}

+

+// Implements oauth.handlers.AuthenticationHandler

+func (h *Handler) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) {

+	h.error.AuthenticationError(err, w, req)

+}

+

+// Handles the callback request in response to an external oauth flow

+func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {

+

+	// Extract auth code

+	authReq := h.client.NewAuthorizeRequest(osincli.CODE)

+	authData, err := authReq.HandleRequest(req)

+	if err != nil {

+		glog.V(4).Infof("Error handling request: %v", err)

+		h.AuthenticationError(err, w, req)

+		return

+	}

+

+	glog.V(4).Infof("Got auth data")

+

+	// Exchange code for a token

+	accessReq := h.client.NewAccessRequest(osincli.AUTHORIZATION_CODE, authData)

+	accessData, err := accessReq.GetToken()

+	if err != nil {

+		glog.V(4).Infof("Error getting access token:", err)

+		h.AuthenticationError(err, w, req)

+		return

+	}

+

+	glog.V(4).Infof("Got access data")

+

+	user, ok, err := h.provider.GetUserInfo(accessData)

+	if err != nil {

+		glog.V(4).Infof("Error getting user info: %v", err)

+		h.AuthenticationError(err, w, req)

+		return

+	}

+	if !ok || user == nil {

+		glog.V(4).Infof("Could not get user info from access token")

+		h.AuthenticationError(fmt.Errorf("Could not get user info from access token"), w, req)

+		return

+	}

+

+	glog.V(4).Infof("Got user data: %#v", user)

+

+	ok, err = h.state.Check(authData.State, w, req)

+	if !ok {

+		glog.V(4).Infof("State is invalid")

+		h.AuthenticationError(fmt.Errorf("State is invalid"), w, req)

+		return

+	}

+	if err != nil {

+		glog.V(4).Infof("Error verifying state: %v", err)

+		h.AuthenticationError(err, w, req)

+		return

+	}

+

+	err = h.success.AuthenticationSucceeded(user, authData.State, w, req)

+	if err != nil {

+		glog.V(4).Infof("Error calling success handler: %v", err)

+		h.AuthenticationError(err, w, req)

+		return

+	}

+}

+

+// Provides default state-building, validation, and parsing to contain CSRF and "then" redirection

+type defaultState struct{}

+

+func DefaultState() State {

+	return defaultState{}

+}

+func (defaultState) Generate(w http.ResponseWriter, req *http.Request) (string, error) {

+	state := url.Values{

+		"csrf": {"..."}, // TODO: get csrf

+		"then": {req.URL.String()},

+	}

+	return state.Encode(), nil

+}

+func (defaultState) Check(state string, w http.ResponseWriter, req *http.Request) (bool, error) {

+	values, err := url.ParseQuery(state)

+	if err != nil {

+		return false, err

+	}

+	csrf := values.Get("csrf")

+	if csrf != "..." {

+		return false, fmt.Errorf("State did not contain valid CSRF token (expected %s, got %s)", "...", csrf)

+	}

+

+	then := values.Get("then")

+	if then == "" {

+		return false, fmt.Errorf("State did not contain a redirect")

+	}

+

+	return true, nil

+}

+func (defaultState) AuthenticationSucceeded(user api.UserInfo, state string, w http.ResponseWriter, req *http.Request) error {

+	values, err := url.ParseQuery(state)

+	if err != nil {

+		return err

+	}

+

+	then := values.Get("then")

+	if len(then) == 0 {

+		return fmt.Errorf("No redirect given")

+	}

+

+	http.Redirect(w, req, then, http.StatusFound)

+	return nil

+}

new file mode 100644

@@ -0,0 +1,27 @@

+/*

+Package external implements an OAuth flow with an external identity provider

+*/

+

+package external

+

+import (

+	"net/http"

+

+	"github.com/RangelReale/osincli"

+	"github.com/openshift/origin/pkg/auth/api"

+)

+

+// Provider encapsulates the URLs, configuration, any custom authorize request parameters, and

+// the method for transforming an access token into an identity, for an external OAuth provider.

+type Provider interface {

+	NewConfig() (*osincli.ClientConfig, error)

+	AddCustomParameters(*osincli.AuthorizeRequest)

+	GetUserInfo(*osincli.AccessData) (api.UserInfo, bool, error)

+}

+

+// State handles generating and verifying the state parameter round-tripped to an external OAuth flow.

+// Examples: CSRF protection, post authentication redirection

+type State interface {

+	Generate(w http.ResponseWriter, req *http.Request) (string, error)

+	Check(state string, w http.ResponseWriter, req *http.Request) (bool, error)

+}

@@ -1,7 +1,6 @@

 package handlers

 import (

-	"fmt"

 	"net/http"

 	"github.com/RangelReale/osin"

@@ -107,7 +106,3 @@ func (denyAuthenticator) AuthenticateAssertion(assertionType, data string) (api.

 func (denyAuthenticator) AuthenticateClient(client api.Client) (api.UserInfo, bool, error) {

 	return nil, false, nil

 }

-

-func (h *AuthorizeAuthenticator) String() string {

-	return fmt.Sprintf("AuthorizationAuthenticator{AuthenticationHandler:%v, RequestAuthenticator:%v}", h.handler, h.request)

-}

@@ -42,7 +42,7 @@ func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseW

 		return true

 	}

 	if !ok {

-		h.handler.GrantNeeded(grant, w, req)

+		h.handler.GrantNeeded(ar.Client, user, grant, w, req)

 		return true

 	}

@@ -11,16 +11,12 @@ type AuthenticationHandler interface {

 	AuthenticationError(err error, w http.ResponseWriter, req *http.Request)

 }

-// AuthenticationSucceeded is called when a user was successfully authenticated

-// The user object may not be nil

-type AuthenticationSucceeded interface {

-	AuthenticationSucceeded(user api.UserInfo, w http.ResponseWriter, req *http.Request) error

+type AuthenticationSuccessHandler interface {

+	AuthenticationSucceeded(user api.UserInfo, state string, w http.ResponseWriter, req *http.Request) error

 }

-// InvalidateAuthentication is called when an authentication is being invalidated (e.g. session timeout or log out)

-// The user parameter may be nil if unknown

-type AuthenticationInvalidator interface {

-	InvalidateAuthentication(user api.UserInfo, w http.ResponseWriter, req *http.Request) error

+type AuthenticationErrorHandler interface {

+	AuthenticationError(err error, w http.ResponseWriter, req *http.Request)

 }

 type GrantChecker interface {

@@ -28,6 +24,19 @@ type GrantChecker interface {

 }

 type GrantHandler interface {

-	GrantNeeded(grant *api.Grant, w http.ResponseWriter, req *http.Request)

+	GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request)

 	GrantError(err error, w http.ResponseWriter, req *http.Request)

 }

+

+// AuthenticationSuccessHandlers combines multiple AuthenticationSuccessHandler objects into a chain.

+// On success, each handler is called. If any handler returns an error, the chain is aborted.

+type AuthenticationSuccessHandlers []AuthenticationSuccessHandler

+

+func (all AuthenticationSuccessHandlers) AuthenticationSucceeded(user api.UserInfo, state string, w http.ResponseWriter, req *http.Request) error {

+	for _, h := range all {

+		if err := h.AuthenticationSucceeded(user, state, w, req); err != nil {

+			return err

+		}

+	}

+	return nil

+}

@@ -38,7 +38,7 @@ func (h *testHandlers) AuthenticateRequest(req *http.Request) (api.UserInfo, boo

 	return h.User, h.Authenticate, h.Err

 }

-func (h *testHandlers) GrantNeeded(grant *api.Grant, w http.ResponseWriter, req *http.Request) {

+func (h *testHandlers) GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request) {

 	h.GrantNeed = true

 }

@@ -37,7 +37,3 @@ func (a *TokenAuthenticator) AuthenticateToken(value string) (api.UserInfo, bool

 		Scope: scope.Join(token.AuthorizeToken.Scopes),

 	}, true, nil

 }

-

-func (a *TokenAuthenticator) String() string {

-	return "EtcdTokenValidator"

-}

@@ -8,11 +8,12 @@ import (

 	"github.com/openshift/origin/pkg/auth/api"

 	"github.com/openshift/origin/pkg/auth/authenticator"

+	"github.com/openshift/origin/pkg/auth/oauth/handlers"

 )

 type RequestAuthenticator interface {

 	authenticator.Request

-	AuthenticationSucceeded(user api.UserInfo, then string, w http.ResponseWriter, req *http.Request)

+	handlers.AuthenticationSuccessHandler

 }

 type ConfirmFormRenderer interface {

@@ -26,10 +26,11 @@ func (t *testImplicit) AuthenticateRequest(req *http.Request) (api.UserInfo, boo

 	return t.User, t.Success, t.Err

 }

-func (t *testImplicit) AuthenticationSucceeded(user api.UserInfo, then string, w http.ResponseWriter, req *http.Request) {

+func (t *testImplicit) AuthenticationSucceeded(user api.UserInfo, then string, w http.ResponseWriter, req *http.Request) error {

 	t.Called = true

 	t.User = user

 	t.Then = then

+	return nil

 }

 func TestImplicit(t *testing.T) {

@@ -7,13 +7,13 @@ import (

 	"github.com/golang/glog"

-	"github.com/openshift/origin/pkg/auth/api"

 	"github.com/openshift/origin/pkg/auth/authenticator"

+	"github.com/openshift/origin/pkg/auth/oauth/handlers"

 )

 type PasswordAuthenticator interface {

 	authenticator.Password

-	AuthenticationSucceeded(context api.UserInfo, then string, w http.ResponseWriter, req *http.Request)

+	handlers.AuthenticationSuccessHandler

 }

 type LoginFormRenderer interface {

@@ -41,10 +41,11 @@ func (t *testAuth) AuthenticatePassword(user, password string) (api.UserInfo, bo

 	return t.User, t.Success, t.Err

 }

-func (t *testAuth) AuthenticationSucceeded(user api.UserInfo, then string, w http.ResponseWriter, req *http.Request) {

+func (t *testAuth) AuthenticationSucceeded(user api.UserInfo, then string, w http.ResponseWriter, req *http.Request) error {

 	t.Called = true

 	t.User = user

 	t.Then = then

+	return nil

 }

 func TestLogin(t *testing.T) {

@@ -2,7 +2,6 @@ package session

 import (

 	"errors"

-	"fmt"

 	"net/http"

 	"github.com/openshift/origin/pkg/auth/api"

@@ -44,7 +43,7 @@ func (a *SessionAuthenticator) AuthenticateRequest(req *http.Request) (api.UserI

 	}, true, nil

 }

-func (a *SessionAuthenticator) AuthenticationSucceeded(user api.UserInfo, w http.ResponseWriter, req *http.Request) error {

+func (a *SessionAuthenticator) AuthenticationSucceeded(user api.UserInfo, state string, w http.ResponseWriter, req *http.Request) error {

 	session, err := a.store.Get(req, a.name)

 	if err != nil {

 		return err

@@ -62,7 +61,3 @@ func (a *SessionAuthenticator) InvalidateAuthentication(context api.UserInfo, w

 	session.Values()[UserNameKey] = ""

 	return a.store.Save(w, req)

 }

-

-func (a *SessionAuthenticator) String() string {

-	return fmt.Sprintf("SessionAuthenticator{name=%v}", a.name)

-}

@@ -14,13 +14,15 @@ import (

 	"github.com/openshift/origin/pkg/auth/authenticator/bearertoken"

 	authfile "github.com/openshift/origin/pkg/auth/authenticator/file"

 	"github.com/openshift/origin/pkg/auth/authenticator/requestheader"

+	"github.com/openshift/origin/pkg/auth/oauth/external"

+	"github.com/openshift/origin/pkg/auth/oauth/external/github"

+	"github.com/openshift/origin/pkg/auth/oauth/external/google"

 	"github.com/openshift/origin/pkg/auth/oauth/handlers"

 	"github.com/openshift/origin/pkg/auth/oauth/registry"

 	authnregistry "github.com/openshift/origin/pkg/auth/oauth/registry"

 	"github.com/openshift/origin/pkg/auth/server/login"

 	"github.com/openshift/origin/pkg/auth/server/session"

-	"github.com/openshift/origin/pkg/auth/oauth/callbackhandlers/googlecallback"

 	cmdutil "github.com/openshift/origin/pkg/cmd/util"

 	oauthetcd "github.com/openshift/origin/pkg/oauth/registry/etcd"

 	"github.com/openshift/origin/pkg/oauth/server/osinserver"

@@ -34,18 +36,11 @@ const (

 )

 type AuthConfig struct {

+	MasterAddr     string

 	SessionSecrets []string

 	EtcdHelper     tools.EtcdHelper

 }

-func getGoogleClientId() string {

-	return env("ORIGIN_GOOGLE_CLIENT_ID", "")

-}

-

-func getGoogleClientSecret() string {

-	return env("ORIGIN_GOOGLE_CLIENT_SECRET", "")

-}

-

 // InstallAPI starts an OAuth2 server and registers the supported REST APIs

 // into the provided mux, then returns an array of strings indicating what

 // endpoints were started (these are format strings that will expect to be sent

@@ -54,11 +49,20 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {

 	oauthEtcd := oauthetcd.New(c.EtcdHelper)

 	authRequestHandler := c.getAuthenticationRequestHandler()

-	authHandler := c.getAuthenticationHandler()

+

+	// Check if the authentication handler wants to be told when we authenticated

+	success, ok := authRequestHandler.(handlers.AuthenticationSuccessHandler)

+	if !ok {

+		success = emptySuccess{}

+	}

+	authHandler := c.getAuthenticationHandler(mux, success, emptyError{})

 	storage := registrystorage.New(oauthEtcd, oauthEtcd, oauthEtcd, registry.NewUserConversion())

 	config := osinserver.NewDefaultServerConfig()

+	grantChecker := registry.NewClientAuthorizationGrantChecker(oauthEtcd)

+	grantHandler := emptyGrant{}

+

 	server := osinserver.New(

 		config,

 		storage,

@@ -68,8 +72,8 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {

 				authRequestHandler,

 			),

 			handlers.NewGrantCheck(

-				registry.NewClientAuthorizationGrantChecker(oauthEtcd),

-				emptyGrant{},

+				grantChecker,

+				grantHandler,

 			),

 		},

 		osinserver.AccessHandlers{

@@ -77,14 +81,11 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {

 		},

 	)

 	server.Install(mux, OpenShiftOAuthAPIPrefix)

-	glog.Infof("oauth server configured as: %v", server)

-

-	mux.Handle(OpenShiftOAuthCallbackPrefix+"/google", &googlecallback.OauthCallbackHandler{oauthetcd.New(c.EtcdHelper), getGoogleClientId(), getGoogleClientSecret()})

-

-	// Check if the authentication handler wants to be told when we authenticated

-	successHandler, _ := authRequestHandler.(handlers.AuthenticationSucceeded)

-	login := login.NewLogin(emptyCsrf{}, &callbackPasswordAuthenticator{emptyPasswordAuth{}, successHandler}, login.DefaultLoginFormRenderer)

-	login.Install(mux, OpenShiftLoginPrefix)

+	// glog.Infof("oauth server configured as: %#v", server)

+	// glog.Infof("auth handler: %#v", authHandler)

+	// glog.Infof("auth request handler: %#v", authRequestHandler)

+	// glog.Infof("grant checker: %#v", grantChecker)

+	// glog.Infof("grant handler: %#v", grantHandler)

 	return []string{

 		fmt.Sprintf("Started OAuth2 API at %%s%s", OpenShiftOAuthAPIPrefix),

@@ -92,16 +93,38 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {

 	}

 }

-func (c *AuthConfig) getAuthenticationHandler() handlers.AuthenticationHandler {