Google.Apis.Auth Google JSON Web Signature as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount. Validates a Google-issued Json Web Token (JWT). Will throw a if the passed value is not valid JWT signed by Google. Follows the procedure to validate a JWT ID token. Google certificates are cached, and refreshed once per hour. This can be overridden by setting to true. The JWT to validate. Optional. The to use for JWT expiration verification. Defaults to the system clock. Optional. If true forces new certificates to be downloaded from Google. Defaults to false. The JWT payload, if the JWT is valid. Throws an otherwise. Thrown when passed a JWT that is not a valid JWT signed by Google. Settings used when validating a JSON Web Signature. Create a new instance. The trusted audience client IDs; or null to suppress audience validation. The required GSuite domain of the user; or null to suppress hosted domain validation. Optional. The to use for JWT expiration verification. Defaults to the system clock. Optional. If true forces new certificates to be downloaded from Google. Defaults to false. Clock tolerance for the issued-at check. Causes a JWT to pass validation up to this duration before it is really valid; this is to allow for possible local-client clock skew. Defaults to 30 seconds. Clock tolerance for the expiration check. Causes a JWT to pass validation up to this duration after it really expired; this is to allow for possible local-client clock skew. Defaults to zero seconds. CertificateCache for testing purposes. If null, the default CertificateCache will be used. Validates a Google-issued Json Web Token (JWT). Will throw a if the specified JWT fails any validation check. Follows the procedure to validate a JWT ID token. Issued-at validation and expiry validation is performed using the clock on this local client, so local clock inaccuracies can lead to incorrect validation results. 
Use and to allow for local clock inaccuracy. IssuedAtClockTolerance defaults to 30 seconds; it is very unlikely a JWT will be issued that isn't already valid. ExpirationTimeClockTolerance defaults to zero seconds; in some use-cases it may be useful to set this to a negative value to help ensure that passing local validation means it will pass server validation. Regardless of whether local validation passed, code must always correctly handle an invalid JWT error from the server. Google certificates are cached, and refreshed once per hour. This can be overridden by setting to true. The JWT to validate. Specifies how to carry out the validation. The payload of the verified token. If the token does not pass verification. The header as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingheader. The payload as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset, https://developers.google.com/identity/protocols/OpenIDConnect, and https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims. A space-delimited list of the permissions the application requests or null. The email address of the user for which the application is requesting delegated access. The hosted GSuite domain of the user. Provided only if the user belongs to a hosted domain. The user's email address. This may not be unique and is not suitable for use as a primary key. Provided only if your scope included the string "email". True if the user's e-mail address has been verified; otherwise false. The user's full name, in a displayable form. Might be provided when: (1) The request scope included the string "profile"; or (2) The ID token is returned from a token refresh. When name claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present. Given name(s) or first name(s) of the End-User. 
Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. The URL of the user's profile picture. Might be provided when: (1) The request scope included the string "profile"; or (2) The ID token is returned from a token refresh. When picture claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present. End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. An exception that is thrown when a Json Web Token (JWT) is invalid. Initializes a new InvalidJwtException instance with the specified error message. The error message that explains why the JWT was invalid. JSON Web Signature (JWS) implementation as specified in http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11. Verifies that the given token is a valid, not expired, signed token. The token to verify. The options to use for verification. May be null in which case default options will be used. The cancellation token for the operation. The payload contained by the token. If the token is invalid or expired. Verifies that the given token is a valid, not expired, signed token. The token to verify. The options to use for verification. May be null in which case default options will be used. The cancellation token for the operation. The payload contained by the token. If the token is invalid or expired. The type of the payload to return, so user code can validate additional claims. Should extend . Payload information will be deserialized using . 
Header as specified in http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11#section-4.1. Gets or sets the algorithm header parameter that identifies the cryptographic algorithm used to secure the JWS or null. Gets or sets the JSON Web Key URL header parameter that is an absolute URL that refers to a resource for a set of JSON-encoded public keys, one of which corresponds to the key that was used to digitally sign the JWS or null. Gets or sets JSON Web Key header parameter that is a public key that corresponds to the key used to digitally sign the JWS or null. Gets or sets key ID header parameter that is a hint indicating which specific key owned by the signer should be used to validate the digital signature or null. Gets or sets X.509 URL header parameter that is an absolute URL that refers to a resource for the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS or null. Gets or sets X.509 certificate thumbprint header parameter that provides a base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match the certificate or null. Gets or sets X.509 certificate chain header parameter that contains the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS or null. Gets or sets array listing the header parameter names that define extensions that are used in the JWS header that MUST be understood and processed or null. JWS Payload. JSON Web Token (JWT) implementation as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08. JWT Header as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-5. Gets or sets type header parameter used to declare the type of this object or null. Gets or sets content type header parameter used to declare structural information about the JWT or null. 
JWT Payload as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-4.1. Gets or sets issuer claim that identifies the principal that issued the JWT or null. Gets or sets subject claim identifying the principal that is the subject of the JWT or null. Gets or sets audience claim that identifies the audience that the JWT is intended for (should either be a string or list) or null. Gets or sets the target audience claim that identifies the audience that an OIDC token generated from this JWT is intended for. May be null. Multiple target audiences are not supported. Gets or sets expiration time claim that identifies the expiration time (in seconds) on or after which the token MUST NOT be accepted for processing or null. Gets or sets not before claim that identifies the time (in seconds) before which the token MUST NOT be accepted for processing or null. Gets or sets issued at claim that identifies the time (in seconds) at which the JWT was issued or null. Gets or sets JWT ID claim that provides a unique identifier for the JWT or null. The nonce value specified by the client during the authorization request. Must be present if a nonce was specified in the authorization request, otherwise this will not be present. Gets or sets type claim that is used to declare a type for the contents of this JWT Claims Set or null. Gets the audience property as a list. Represents a credential that simply wraps an access token. The origin of said access token is not relevant, but that means that the credential cannot refresh the access token when it has expired. Represents an access token that can be used to authorize a request. The token might be accompanied by extra information that should be sent in the form of headers. Constructs an based on a given token and headers. The token to build this instance for. May be null. The collection of headers that may accompany the token. May be null. An access token that can be used to authorize a request. 
Extra headers, if any, that should be included in the request. Adds the headers in this object to the given header collection. The header collection to add the headers to. Adds the headers in this object to the given request. The request to add the headers to. Builder class for to simplify common scenarios. The GCP project ID used for quota and billing purposes. May be null. Builds an instance of with the given token and the value set on this builder. The token to build the for. An . Thread-safe OAuth 2.0 authorization code flow for an installed application that persists end-user credentials. Incremental authorization (https://developers.google.com/+/web/api/rest/oauth) is currently not supported for Installed Apps. Constructs a new authorization code installed application with the given flow and code receiver. Gets the authorization code flow. Gets the code receiver which is responsible for receiving the authorization code. Determines the need for retrieval of a new authorization code, based on the given token and the authorization code flow. Helper class to wrap non PKCE flows so that does not need to know whether its flow supports PKCE or not. AWS credentials as described in https://google.aip.dev/auth/4117#determining-the-subject-token-in-aws. Helper class for querying the AWS Metadata Server. It will fetch and use the session token if required. Helper class to obtain the AWS region. The region obtained from stripping the last character of the zone value returned by the metadata server. For instance, if the metadata server returned zone us-east-1d, then this value will be us-east-1. Will never be null, but may be empty if the metadata server returned a single character value. Fetches the AWS instance region as per https://google.aip.dev/auth/4117#determining-the-subject-token-in-aws. Attempts to fetch the region from environment variables. Returns null if the environment variables are not set. Attempts to fetch the region from the metadata server. 
Returns null if the region URL is null or empty. Represents AWS security credentials which are used to sign the subject token. The access key ID. Won't be null or empty. The secret access key. Won't be null or empty. The credential token. May be null but won't be empty. Fetches the AWS security credentials as per https://google.aip.dev/auth/4117#determining-the-subject-token-in-aws. Attempts to fetch the security credentials from environment variables. Returns null if the environment variables are not set. Attempts to fetch the security credentials from the metadata server. Returns null if the credential URL is null or empty. Partial representation of a metadata server security credentials response as defined by https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials. Partial implementation of AWS signed request, enough to support signing of a, usually, AWS GetCallerIdentity request. The signed request is sent to Google's subject token service as the subject token to be exchanged for access tokens. Google STS triggers the request as specified by the signed request to verify the caller's identity. Metadata server URL used to obtain the region that should be included as part of the subject token. STS server will use this URL to validate the subject token included on the STS request. This URL will be included as part of the subject token. Metadata server URL from which to obtain the security credentials that will be used to sign the subject token. If present, a session token fetched from this URL should be used when making requests to the metadata server. Metadata server URL used to obtain the region that should be included as part of the subject token. STS server will use this URL to validate the subject token included on the STS request. This URL will be included as part of the subject token. 
Metadata server URL from which to obtain the security credentials that will be used to sign the subject token. If present, a session token fetched from this URL should be used when making requests to the metadata server. Returns the value of the given environment variable. Returns null if the variable is unset or if it's set to the empty string. Helper class to use with some of the formatting required for AWS canonical requests: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html. OAuth 2.0 helper for accessing protected resources using the Bearer token as specified in http://tools.ietf.org/html/rfc6750. Thread-safe OAuth 2.0 method for accessing protected resources using the Authorization header as specified in http://tools.ietf.org/html/rfc6750#section-2.1. Obsolete. Thread-safe OAuth 2.0 method for accessing protected resources using an access_token query parameter as specified in http://tools.ietf.org/html/rfc6750#section-2.3. This access method is being made obsolete. Please read here for more up to date information: `https://developers.google.com/identity/protocols/oauth2/index.html#4.-send-the-access-token-to-an-api.`. Please use instead. Client credential details for installed and web applications. Gets or sets the client identifier. Gets or sets the client secret. Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved. More details about Compute Engine authentication are available at: https://cloud.google.com/compute/docs/authentication. The metadata server URL. This can be overridden (for the purposes of Compute environment detection and auth token retrieval) using the GCE_METADATA_HOST environment variable. 
Caches result from first call to IsRunningOnComputeEngine. Originally 1000ms was used without a retry. This proved inadequate; even 2000ms without a retry occasionally failed. We have observed that after a timeout, the next attempt succeeds very quickly (sub-50ms) which suggests that this should be fine. The Metadata flavor header name. The Metadata header response indicating Google. Caches the task that fetches the default service account email from the metadata server. The default service account email can be cached because changing the service account associated to a Compute instance requires a machine shutdown. HttpClient used to call APIs internally authenticated as this ComputeCredential. For instance, to perform IAM API calls for signing blobs of data. Lazy to build one HttpClient only if it is needed. Gets the OIDC Token URL. The explicitly set universe domain. May be null, in which case the universe domain will be fetched from the metadata server. An initializer class for the Compute credential. It uses as the token server URL (optionally overriding the host using the GCE_METADATA_HOST environment variable). Gets the OIDC Token URL. The universe domain this credential belongs to. May be null, in which case the GCE universe domain will be used. Constructs a new initializer using the default compute token URL and the default OIDC token URL. Constructs a new initializer using the given token URL and the default OIDC token URL. Constructs a new initializer using the given token URL and OIDC token URL (optionally overriding the host using the GCE_METADATA_HOST environment variable). Constructs a new Compute credential instance. Constructs a new Compute credential instance. Returns a task whose result, when completed, is the default service account email associated to this Compute credential. This value is cached, because for changing the default service account associated to a Compute VM, the machine needs to be turned off. 
This means that the operation is only asynchronous when calling for the first time. Note that if, when fetching this value, an exception is thrown, the exception is cached and will be rethrown by the task returned by any future call to this method. You can create a new instance if that happens so fetching the service account default email is re-attempted. Signs the provided blob using the private key associated with the service account this ComputeCredential represents. The blob to sign. Cancellation token to cancel the operation. The base64 encoded signature. When the signing request fails. When the signing response is not valid JSON. The private key associated with the Compute service account is not known locally by a ComputeCredential. Signing happens by executing a request to the IAM Credentials API which increases latency and counts towards IAM Credentials API quotas. Additionally, the first time a ComputeCredential is used to sign data, a request to the metadata server is made to obtain the email of the default Compute service account. Detects if application is running on Google Compute Engine. This is achieved by attempting to contact GCE metadata server, which is only available on GCE. The check is only performed the first time you call this method; subsequent invocations use the cached result of the first call. Provides the Application Default Credential from the environment. An instance of this class represents the per-process state used to get and cache the credential and allows overriding the state and environment for testing purposes. Environment variable override which stores the default application credentials file path. Well known file which stores the default application credentials. Environment variable which contains the Application Data settings. Environment variable which contains the location of home directory on UNIX systems. GCloud configuration directory in Windows, relative to %APPDATA%. 
Help link to the application default credentials feature. GCloud configuration directory on Linux/Mac, relative to $HOME. Caches result from first call to GetApplicationDefaultCredentialAsync. Constructs a new default credential provider. Returns the Application Default Credentials. Subsequent invocations return cached value from first invocation. See for details. Creates a new default credential. Creates a default credential from a stream that contains JSON credential data. Creates a default credential from a stream that contains JSON credential data. Creates a default credential from a string that contains JSON credential data. Creates a default credential from JSON data. Creates a user credential from JSON data. Creates a from JSON data. Creates an external account credential from JSON data. Returns platform-specific well known credential file path. This file is created by gcloud auth login. Gets the environment variable. This method is protected so it could be overridden for testing purposes only. Opens file as a stream. This method is protected so it could be overridden for testing purposes only. Exception thrown when the subject token cannot be obtained for a given external account credential. Base class for external account credentials. Initializer for . The STS audience which contains the resource name for the workload identity pool or the workforce pool and the provider identifier in that pool. The STS subject token type based on the OAuth 2.0 token exchange spec. This is the URL for the service account impersonation request. If this is not set, the STS-returned access token should be directly used without impersonation. The GCP project number to be used for Workforce Identity Pools external credentials. If this external account credential represents a Workforce Identity Pool enabled identity and this value is not specified, then an API key needs to be used alongside this credential to call Google APIs. The Client ID. 
Client ID and client secret are currently only required if the token info endpoint needs to be called with the generated GCP access token. When provided, STS will be called with additional basic authentication using ClientId as username and ClientSecret as password. The client secret. Client ID and client secret are currently only required if the token info endpoint needs to be called with the generated GCP access token. When provided, STS will be called with additional basic authentication using ClientId as username and ClientSecret as password. The universe domain this credential belongs to. May be null, in which case the default universe domain will be used. The STS audience which contains the resource name for the workload identity pool or the workforce pool and the provider identifier in that pool. The STS subject token type based on the OAuth 2.0 token exchange spec. This is the URL for the service account impersonation request. If this is not set, the STS-returned access token should be directly used without impersonation. The GCP project number to be used for Workforce Pools external credentials. If this external account credential represents a Workforce Pool enabled identity and this value is not specified, then an API key needs to be used alongside this credential to call Google APIs. The Client ID. Client ID and Client secret are currently only required if the token info endpoint needs to be called with the generated GCP access token. When provided, STS will be called with additional basic authentication using ClientId as username and ClientSecret as password. The client secret. Client ID and Client secret are currently only required if the token info endpoint needs to be called with the generated GCP access token. When provided, STS will be called with additional basic authentication using ClientId as username and ClientSecret as password. The universe domain this credential belongs to. Won't be null. 
Returns true if this credential allows explicit scopes to be set via this library. Returns false otherwise. If is set, returns a based on this one, but with set to null. Otherwise returns a based on this one. If is set, returns an whose source credential is . Otherwise returns null. If is set, returns a based on this one, but with set to null. Otherwise returns a based on this one. If is set, returns an whose source credential is . Otherwise returns null. Gets the subject token to be exchanged for the access token. Throws as does not support domain wide delegation. File-sourced credentials as described in https://google.aip.dev/auth/4117#determining-the-subject-token-in-file-sourced-credentials. The file from which to obtain the subject token. If set, the subject token file content will be parsed as JSON and the value in the field with name will be returned as the subject token. The file path from which to obtain the subject token. If set, the subject token file content will be parsed as JSON and the value in the field with name will be returned as the subject token. Thread-safe OAuth 2.0 authorization code flow that manages and persists end-user credentials. This is designed to simplify the flow in which an end-user authorizes the application to access their protected data, and then the application has access to their data based on an access token and a refresh token to refresh that access token when it expires. An initializer class for the authorization code flow. Gets or sets the method for presenting the access token to the resource server. The default value is . Gets the token server URL. Gets or sets the authorization server URL. Gets or sets the client secrets which includes the client identifier and its secret. Gets or sets the client secrets stream which contains the client identifier and its secret. The AuthorizationCodeFlow constructor is responsible for disposing the stream. Gets or sets the data store used to store the token response. 
Gets or sets the scopes which indicate the API access your application is requesting. Gets or sets the factory for creating instance. Gets or sets the exponential back-off policy. Default value is UnsuccessfulResponse503, which means that exponential back-off is used on 503 abnormal HTTP responses. If the value is set to None, no exponential back-off policy is used, and it's up to the user to configure the in an to set a specific back-off implementation (using ). Gets or sets the clock. The clock is used to determine if the token has expired, if so we will try to refresh it. The default value is . Constructs a new initializer. Authorization server URL. Token server URL. Constructs a new initializer from the given. Gets the token server URL. Gets the authorization code server URL. Gets the client secrets which includes the client identifier and its secret. Gets the data store used to store the credentials. Gets the scopes which indicate the API access your application is requesting. Gets the HTTP client used to make authentication requests to the server. Constructs a new flow using the initializer's properties. Creates a for the given parameters. Executes and stores and returns the received token. Stores the token in the . User identifier. Token to store. Cancellation token to cancel operation. Retrieve a new token from the server using the specified request. User identifier. Token request. Cancellation token to cancel operation. Token response with the new access token. Google specific authorization code flow which inherits from . The project ID associated with the credential using this flow. Gets the token revocation URL. Gets the include granted scopes indicator. Do not use, use instead. Gets the include granted scopes indicator. Gets the login_hint. Gets the prompt for consent behaviour. Value can be null, "none", "consent", or "select_account". See OpenIDConnect documentation for details. Gets the nonce. Gets the user defined query parameters. 
Constructs a new Google authorization code flow. An initializer class for Google authorization code flow. The project ID associated with the credential using this flow. Gets or sets the token revocation URL. Gets or sets the optional indicator for including granted scopes for incremental authorization. Gets or sets the login_hint. Gets or sets the prompt for consent behaviour. Value can be null, "none", "consent", or "select_account". See OpenIDConnect documentation for details. Gets or sets the nonce. Gets or sets the optional user defined query parameters. Constructs a new initializer. Sets Authorization server URL to , and Token server URL to . Constructs a new initializer from the given . Constructs a new initializer. Authorization server URL. Token server URL. Revocation server URL. This is mainly for internal testing at Google, where we occasionally need to use alternative OAuth endpoints. This is not for general use. OAuth 2.0 authorization code flow that manages and persists end-user credentials. Gets the method for presenting the access token to the resource server. Gets the clock. Gets the data store used to store the credentials. Asynchronously loads the user's token using the flow's . User identifier. Cancellation token to cancel operation. Token response. Asynchronously deletes the user's token using the flow's . User identifier. Cancellation token to cancel operation. Creates an authorization code request with the specified redirect URI. Asynchronously exchanges an authorization code for an access token. User identifier. Authorization code received from the authorization server. Redirect URI which is used in the token request. Cancellation token to cancel operation. Token response which contains the access token. Asynchronously refreshes an access token using a refresh token. User identifier. Refresh token which is used to get a new access token. Cancellation token to cancel operation. 
Token response which contains the access token and the input refresh token. Asynchronously revokes the specified token. This method disconnects the user's account from the OAuth 2.0 application. It should be called upon removing the user account from the site. If revoking the token succeeds, the user's credential is removed from the data store and the user MUST authorize the application again before the application can access the user's private resources. User identifier. Access token to be revoked. Cancellation token to cancel operation. true if the token was revoked successfully. Indicates if a new token needs to be retrieved and stored regardless of normal circumstances. Authorization flow that performs HTTP operations, for instance, for obtaining or refreshing tokens. Return a new instance of the same type as this but that uses the given HTTP client factory. The http client factory to be used by the new instance. May be null, in which case the default will be used. A new instance with the same type as this but that will use to obtain an to be used for token related operations. Authorization flow that supports Proof Key for Code Exchange (PKCE) as described in https://www.rfc-editor.org/rfc/rfc7636. If you are writing your own authorization flow to be used with make sure you implement this interface if you need to support PKCE. See https://developers.google.com/identity/protocols/oauth2/native-app for how Google supports PKCE. Creates an authorization code request with the specified redirect URI. The redirect URI for the authorization code request. The code verifier associated to the code challenge that should be included in the returned . Note this is an out parameter. An subclass instance that includes the code challenge and code challenge method associated with . Asynchronously exchanges an authorization code for an access token. User identifier. Authorization code received from the authorization server. 
The PKCE code verifier to include in the exchange request. When called by the authentication library, this will be the same value specified by the codeVerifier out parameter in an earlier call to CreateAuthorizationCodeRequest. Redirect URI which is used in the token request. Cancellation token to cancel operation. Token response which contains the access token. Google authorization flow implementation that supports PKCE as described in https://www.rfc-editor.org/rfc/rfc7636 and https://developers.google.com/identity/protocols/oauth2/native-app. Creates a new instance from the given initializer. Google OAuth2 constants. Canonical source for these URLs is: https://accounts.google.com/.well-known/openid-configuration. The authorization code server URL. The OpenID Connect authorization code server URL. Use of this is not 100% compatible with using , so they are two distinct URLs. Internally within this library only this more up-to-date is used. The approval URL (used in the Windows solution as a callback). The authorization token server URL. The OpenID Connect authorization token server URL. Use of this is not 100% compatible with using , so they are two distinct URLs. Internally within this library only this more up-to-date is used. The Compute Engine authorization token server URL. IP address instead of name to avoid DNS resolution. The path to the Google revocation endpoint. The OpenID Connect Json Web Key Set (jwks) URL. The IAP Json Web Key Set (jwks) URL. Installed application localhost redirect URI. IAM access token endpoint for service account. IAM access token verb. IAM access token endpoint format string. To use it insert the service account email. IAM signBlob endpoint format string. To use it insert the service account email. IAM ID token endpoint format string. To use it insert the service account email. Scope needed for source credential in impersonated credential. Name of the environment variable that will be checked for an ambient quota project ID. 
If set, this value will be applied to Application Default Credentials. The default universe domain. Key for a universe domain in a options. The non empty value set on , if any; null otherwise. The effective Compute Engine authorization token server URL. This takes account of the GCE_METADATA_HOST environment variable. The effective Compute Engine authorization token server URL for OIDC. This requires an audience parameter to be added. This takes account of the GCE_METADATA_HOST environment variable. The effective Compute Engine default service account email URL. This takes account of the GCE_METADATA_HOST environment variable. The effective Compute Engine universe domain URL. This takes account of the GCE_METADATA_HOST environment variable. The effective Compute Engine metadata token server URL (with no path). This takes account of the GCE_METADATA_HOST environment variable. Throws with if is not the default universe domain. Throws with if is not the default universe domain and is true. OAuth 2.0 client secrets model as specified in https://cloud.google.com/console/. Gets or sets the details for installed applications. Gets or sets the details for web applications. Gets the client secrets which contains the client identifier and client secret. Loads the Google client secret from the input stream. This method has been made obsolete in favour of which only differs in name. Loads the Google client secret from the input stream. Asynchronously loads the Google client secret from the input stream. Loads the Google client secret from a JSON file. Asynchronously loads the Google client secret from a JSON file. Credential for authorizing calls using OAuth 2.0. It is a convenience wrapper that allows handling of different types of credentials (like , or ) in a unified way. See for the credential retrieval logic. Provider implements the logic for creating the application default credential. The underlying credential being wrapped by this object. 
Creates a new GoogleCredential. Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See for more details. A task which completes with the application default credentials. Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. The ambient credentials are determined in the following order: The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified, it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded. If you have installed the Google Cloud SDK on your machine and have run the command GCloud Auth Login, your identity can be used as a proxy to test code calling APIs from that machine. If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used. If all previous steps have failed, InvalidOperationException is thrown. If the cancellation token is cancelled while the underlying operation is loading Application Default Credentials, the underlying operation will still be used for any further requests. No actual work is cancelled via this cancellation token; it just allows the returned task to transition to a cancelled state. Cancellation token for the operation. A task which completes with the application default credentials. Synchronously returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See for details on application default credentials. 
This method will block until the credentials are available (or an exception is thrown). It is highly preferable to call where possible. The application default credentials. Loads credential from stream containing JSON credential data. The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK. Loads credential from stream containing JSON credential data. The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK. Loads credential from the specified file containing JSON credential data. The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK. The path to the credential file. The loaded credentials. Loads credential from the specified file containing JSON credential data. The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK. The path to the credential file. Cancellation token for the operation. The loaded credentials. Loads credential from a string containing JSON credential data. The string can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK. Loads a credential from JSON credential parameters. Fields are a union of credential fields for all supported types. for more detailed information about supported types and corresponding fields. Create a directly from the provided access token. The access token will not be automatically refreshed. The access token to use within this credential. Optional. The to use within this credential. If null, will default to . A credential based on the provided access token. 
Create a from a . In general, do not use this method. Call or , which will provide the most suitable credentials for the current platform. Optional. The compute credential to use in the returned . If null, then a new will be instantiated, using the default . A with an underlying . Returns true only if this credential supports explicit scopes to be set via this library but no explicit scopes have been set. A credential with explicit scopes set may be created by calling . For accessing Google services, credentials need to be scoped. Credentials have some default scoping, but this library supports explicit scopes to be set for certain credentials. is scoped by default but in some environments it may be scoped explicitly, for instance when running on GKE with Workload Identity or on AppEngine Flex. It's possible to create a with explicit scopes set by calling . If running on an environment that does not accept explicit scoping, for instance GCE where scopes are set on the VM, explicit scopes will be ignored. is scoped by default, as scopes were obtained during the consent screen. It's not possible to change the default scopes of a . is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. It's possible to create a with explicit scopes set by calling is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. Note that the scopes of an have no bearings on the scopes. It's possible to create an with explicit scopes set by calling The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null. Gets the underlying credential instance being wrapped. Returns the universe domain this credential belongs to. For most credential types, this operation is synchronous and will always return a completed task. 
For , the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of . Once the universe has been fetched this method will always return a completed task. The task's result will never be null. Note that each will only apply to the call that provided it and not to subsequent calls. For instance, even if the first call to is cancelled, subsequent calls may still succeed. Returns the universe domain this credential belongs to. Because is truly async only once, at most, in the lifetime of an application, this method exists for convenience. It can always be safely used for all credential types except for . For , the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of . That first time, this method may block while waiting for the HTTP call to complete. After that, this method will always be safe to use. Will never return null. If this library supports setting explicit scopes on this credential, this method creates a copy of the credential with the specified scopes. Otherwise, it returns the same instance. See for more information. If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance. If the credential supports Domain Wide Delegation, this method creates a copy of the credential with the specified user. Otherwise, it throws . At the moment only supports Domain Wide Delegation. The user that the returned credential will be a delegate for. A copy of this credential with the user set to . When the credential type doesn't support Domain Wide Delegation. Creates a copy of this credential with the specified quota project. The quota project to use for the copy. May be null. A copy of this credential with set to . Creates a copy of this credential with the ambient quota project as set in . 
If is not set, or if it is set to the empty value, this method returns this instance. The ADC quota project value will be overwritten only if the environment variable is present and set to a non-empty value. If the environment variable is not present or if it is present but unset, the credential returned will maintain whatever quota project value it already had, i.e. the credential's quota project value will not be unset. Creates a copy of this credential with the specified HTTP client factory. The HTTP client factory to be used by the new credential. May be null, in which case the default will be used. If the credential supports custom universe domains this method will create a copy of the credential with the specified universe domain set. Otherwise, it throws . The universe domain to use for the credential. May be null, in which case the default universe domain will be used. Allows this credential to impersonate the . Only and support impersonation, so this method will throw if this credential's is not of one of those supported types. Initializer containing the configuration for the impersonated credential. For impersonation, a credential needs to be scoped to https://www.googleapis.com/auth/iam. When using a as the source credential, this is not a problem, since the credential can be scoped on demand. When using a the credential needs to have been obtained with the required scope, else, when attempting an impersonated request, you'll receive an authorization error. Creates a GoogleCredential wrapping a . A helper utility to manage the authorization code flow. This class is only suitable for client-side use, as it starts a local browser that requires user interaction. Do not use this class when executing on a web server, or any cases where the authenticating end-user is not able to directly interact with a launched browser. The folder which is used by the . 
The reason that this is not 'private const' is that a user can change it and store the credentials in a different location. Asynchronously authorizes the specified user. Requires user interaction; see remarks for more details. In case no data store is specified, will be used by default. The client secrets. The scopes which indicate the Google API access your application is requesting. The user to authorize. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. User credential. Asynchronously authorizes the specified user. Requires user interaction; see remarks for more details. In case no data store is specified, will be used by default. The client secrets stream. The authorization code flow constructor is responsible for disposing the stream. The scopes which indicate the Google API access your application is requesting. The user to authorize. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. User credential. Asynchronously reauthorizes the user. This method should be called if the users want to authorize after they revoked the token. Requires user interaction; see remarks for more details. The current user credential. Its will be updated. Cancellation token to cancel an operation. The code receiver, if not specified a local server code receiver will be used. The core logic for asynchronously authorizing the specified user. Requires user interaction; see remarks for more details. The authorization code initializer. The scopes which indicate the Google API access your application is requesting. The user to authorize. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. 
User credential. The core logic for asynchronously authorizing the specified user. Requires user interaction; see remarks for more details. The authorization code initializer. The scopes which indicate the Google API access your application is requesting. The user to authorize. If true, PKCE will be used by the authorization flow. Note that using PKCE is recommended for security reasons. See https://developers.google.com/identity/protocols/oauth2/native-app for more information. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. User credential. Extension methods for . Sets the given key/value pair as a request option. This method exists mostly to handle the fact that HttpRequestMessage.Options are only available from .NET 5 and up. Gets the value associated with the given key on the request options. This method exists mostly to handle the fact that HttpRequestMessage.Options are only available from .NET 5 and up. Method of presenting the access token to the resource server as specified in http://tools.ietf.org/html/rfc6749#section-7. Intercepts a HTTP request right before the HTTP request executes by providing the access token. Retrieves the original access token in the HTTP request, as provided in the method. Authorization code flow for an installed application that persists end-user credentials. Gets the authorization code flow. Gets the code receiver. Asynchronously authorizes the installed application to access user's protected data. User identifier. Cancellation token to cancel an operation. The user's credential. Represents a data blob signer. Returns the base64 encoded signature of the given blob. The blob to sign. The cancellation token. The base64 encoded signature. OAuth 2.0 verification code receiver. Gets the redirected URI. Receives the authorization code. 
The authorization code request URL. Cancellation token. The authorization code response. The main interface to represent credential in the client library. Service account, User account and Compute credential inherit from this interface to provide access token functionality. In addition this interface inherits from to be able to hook to http requests. More details are available in the specific implementations. Represents a Google credential. Defines functionality that credential types that can be used as an underlying credential in should implement in contrast to that defines public functionality. The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null. Returns a new instance of the same type as this but with the given quota project value. The quota project value for the new instance. A new instance with the same type as this but with set to . Returns true if this credential scopes have been explicitly set via this library. Returns false otherwise. Returns true if this credential allows explicit scopes to be set via this library. Returns false otherwise. Returns the universe domain this credential belongs to. For most credential types, this operation is synchronous and will always return a completed task. For , the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of . Once the universe has been fetched this method will always return a completed task. The task's result will never be null. Note that each will only apply to the call that provided it and not to subsequent calls. For instance, even if the first call to is cancelled, subsequent calls may still succeed. Returns the universe domain this credential belongs to. Because is truly async only once, at most, in the lifetime of an application, this method exists for convenience. It can always be safely used for all credential types except for . 
For , the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of . That first time, this method may block while waiting for the HTTP call to complete. After that, this method will always be safe to use. Will never return null. If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance. If the credential supports domain wide delegation this method will create a copy of the credential with the specified user set. Otherwise, it throws . Return a new instance of the same type as this but that uses the given HTTP client factory. The http client factory to be used by the new instance. May be null in which case the default will be used. A new instance with the same type as this but that will use to obtain an to be used for token and other operations. If the credential supports custom universe domains this method will create a copy of the credential with the specified universe domain set. Otherwise, it throws . The universe domain to use for the credential. May be null, in which case the default universe domain will be used. Allows a service account or user credential to impersonate a service account. See https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials and https://cloud.google.com/iam/docs/impersonating-service-accounts for more information. An initializer class for the impersonated credential. Gets the service account to impersonate. Gets the chained list of delegate service accounts. May be null or empty. Gets or sets for how long the delegated credential should be valid. Defaults to 1 hour or 3600 seconds. Constructs a new initializer. The principal that will be impersonated. Must not be null, as it will be used to build the URL to obtain the impersonated access token from. Constructs a new initializer. The URL to obtain the impersonated access token from. 
The target principal, if known, that will be impersonated. May be null. Because the is all that is needed for obtaining the impersonated access token, is just informational when the constructor overload is used. The id token URL. If this credential does not have a custom access token URL, the id token is supported through the IAM API. The id token URL is built using the universe domain and the target principal. The blob signing URL. If this credential does not have a custom access token URL, blob signing is supported through the IAM API. The blob signing URL is built using the universe domain and the target principal. Gets the source credential used to acquire the impersonated credentials. Gets the service account to impersonate. Gets the chained list of delegate service accounts. May be empty. Gets the lifetime of the delegated credential. This is how long the delegated credential should be valid from the time of the first request made with this credential. Whether the effective access token URL is custom or not. If the impersonated credential has a custom access token URL we don't know how the OIDC URL and blob signing URL may look like, so we cannot support those operations. The effective token URL to be used by this credential, which may be a custom token URL or the IAM API access token endpoint URL which is built using the universe domain and the target principal of this credential. Constructs a new impersonated credential using the given initializer. Signs the provided blob using the private key associated with the impersonated service account. The blob to sign. Cancellation token to cancel operation. The base64 encoded signature. When signing request fails. When signing response is not a valid JSON. Returns the token URL to be used by this credential, which may be a custom token URL or the IAM API access token endpoint URL which is built using the universe domain and the target principal of this credential. 
A custom access token URL could be present in external credentials configuration. Determines whether the effective access token URL is custom or not. If the impersonated credential has a custom access token URL we don't know what the OIDC URL and blob signing URL may look like, so we cannot support those operations. Gets the id token URL if this credential supports id token emission. Throws otherwise. Gets the blob signing URL if this credential supports blob signing. Throws otherwise. If the impersonated credential has a custom access token URL we don't know what the OIDC URL and blob signing URL may look like, so we cannot support those operations. A custom access token URL could be present in external credentials configuration. Attempts to extract the target principal ID from the impersonation URL which is possible if the URL looks like https://host/segment-1/.../segment-n/target-principal-ID:generateAccessToken. It's OK if we can't though as for fetching the impersonated access token we have the impersonation URL as a whole. It's just a nice to have, as the user may be able to execute extra operations with the impersonated credential, like signing a blob or fetching its OIDC token. Represents an OIDC token provider. Returns an OIDC token for the given options. The options to create the token from. The cancellation token that may be used to cancel the request. The OIDC token. Allows direct retrieval of access tokens to authenticate requests. This is necessary for workflows where you don't want to use to access the API. (e.g. gRPC that implements the entire HTTP2 stack internally). Gets an access token to authorize a request. Implementations should handle automatic refreshes of the token if they are supported. The might be required by some credential types (e.g. the JWT access token) while other credential types might just ignore it. The URI the returned token will grant access to. The cancellation token. The access token. 
Allows direct retrieval of access tokens to authenticate requests. The access tokens obtained can be accompanied by extra information that either describes the access token or is associated with it. This information should accompany the token as headers when the token is used to access a resource. Gets an access token to authorize a request. The token might be accompanied by extra information that should be sent in the form of headers. Implementations should handle automatic refreshes of the token if they are supported. The might be required by some credential types (e.g. the JWT access token) while other credential types might just ignore it. The URI the returned token will grant access to. The cancellation token. The access token with headers if any. Holder for credential parameters read from JSON credential file. Fields are union of parameters for all supported credential types. UserCredential is created by the GCloud SDK tool when the user runs GCloud Auth Login. ServiceAccountCredential is downloaded by the user from Google Developers Console. ImpersonatedCredential is created by the GCloud SDK tool when the user runs GCloud Auth ADC Login using the --impersonate-service-account flag. See https://cloud.google.com/iam/docs/workload-identity-federation on how to create external account credentials. Type of the credential. Project ID associated with this credential. Project ID associated with this credential for the purposes of quota calculations and billing. Universe domain that this credential may be used in. Client Id associated with UserCredential created by GCloud Auth Login or with an external account credential. Client Secret associated with UserCredential created by GCloud Auth Login or with an external account credential. Client Email associated with ServiceAccountCredential obtained from Google Developers Console Private Key associated with ServiceAccountCredential obtained from Google Developers Console. 
Private Key ID associated with ServiceAccountCredential obtained from Google Developers Console. The token endpoint for a service account credential. Note that this is different from which is the STS token exchange endpoint associated with an external account credential. Refresh Token associated with UserCredential created by GCloud Auth Login. This is the URL for the service account impersonation request associated with a source credential or with an external account credential. If this credential is an external account credential and this is not set, the STS returned access token should be directly used without impersonation. If this credential is not an external account credential and this is set, then a credential source needs to be specified. Delegates chain associated to the impersonated credential. The source credential associated to the impersonated credential. The STS audience associated with an external account credential. The STS subject token type associated with an external account credential. The STS token exchange endpoint associated with an external account credential. Note that this is different from which is the token endpoint for a service account credential. The GCP project number to be used for Workforce Pools external credentials. If this external account credential represents a Workforce Pool enabled identity and this value is not specified, then an API key needs to be used alongside this credential to call Google APIs. The credential source associated with an external account credential. Holder for the credential source parameters associated with an external account credential. The environment identifier for AWS external accounts. For AWS credentials this is the metadata server URL used to determine the AWS region that should be included as part of the subject token. For URL-sourced credentials this is the URL from which to obtain the subject token. 
For AWS credentials this is the URL for the metadata server from which to obtain the security credentials that will be used to sign the subject token. For AWS credentials, the STS server will use this URL to validate the subject token included on the STS request. This URL will be included as part of the subject token. For AWS credentials, if present, a session token fetched from this URL should be used when making requests to the metadata server. For URL-sourced credentials these are headers to be included on the request to obtain the subject token. For file-sourced credentials this is the path to the file containing the subject token. For URL and file sourced credentials, indicates the format in which the subject token will be returned. Holder for the subject token format. For URL and file sourced credentials, indicates the format in which the subject token is returned. Supported values are text and json. Defaults to text. For URL and file sourced credentials, if the subject token is returned within a JSON, this indicates the field in which it can be found. OAuth 2.0 verification code receiver that runs a local server on a free port and waits for a call with the authorization verification code. Describes the different strategies for the selection of the callback URI. 127.0.0.1 is recommended, but can't be done in non-admin Windows 7 and 8 at least. Use heuristics to attempt to connect to the recommended URI 127.0.0.1 but use localhost if that fails. Force 127.0.0.1 as the callback URI. No checks are performed. Force localhost as the callback URI. No checks are performed. The call back request path. Close HTML tag to return the browser so it will close itself. Create an instance of . Create an instance of . Custom close page response for this instance Create an instance of . Custom close page response for this instance The strategy to use to determine the callback URI An extremely limited HTTP server that can only do exactly what is required for this use-case. 
It can only serve localhost; receive a single GET request; read only the query parameters; send back a fixed response. Nothing else. Returns a random, unused port. Open a browser and navigate to a URL. URL to navigate to. true if browser was launched successfully, false otherwise. Localhost callback URI, expects a port parameter. 127.0.0.1 callback URI, expects a port parameter. Represents an OIDC Token. The this OIDC token is built from. Gets the access token that should be included in headers when performing requests with this . This method will refresh the access token if the current one has expired. The cancellation token to use for cancelling the operation. The valid access token associated to this . Represents the OIDC token formats supported when the token is obtained using the GCE metadata server. Specifies that the project and instance details should not be included in the payload of the JWT token returned by the GCE metadata server. Specifies that the project and instance details should be included in the payload of the JWT token returned by the GCE metadata server. Same as . License codes for images associated with the GCE instance the token is being obtained from will also be included in the payload of the JWT token returned by the GCE metadata server. Options used to create an . The target audience the generated token should be valid for. Must not be null. The token format of the expected OIDC token when obtained from the GCE metadata server. This value will be ignored when the token provider is other than the GCE metadata server. for the meaning of each value. Defaults to . Builds new from the given target audience. The target audience to build these options from. Must not be null. A new set of options that can be used with a to obtain an . Builds a new set of options with the same options as this one, except for the target audience. The new target audience. Must not be null. A new set of options with the given target audience. 
Builds a new set of options with the same options as this one, except for the token format. The new token format. A new set of options with the given token format. An incomplete ASN.1 decoder, only implements what's required to decode a Service Credential. Extension methods for requests. Add a credential that is used for this request only. This will override a service-level credential (if there is one). Do not call more than once per request instance, as each call incrementally adds the provided credential. To perform identical requests but with distinct credentials, create a separate request instance for each credential. The request type. The request which requires a credential. Must not be null. The credential to use for this request only. Must not be null. OAuth 2.0 request URL for an authorization web page to allow the end user to authorize the application to access their protected resources and that returns an authorization code, as specified in http://tools.ietf.org/html/rfc6749#section-4.1. Constructs a new authorization code request with the specified URI and sets response_type to code. Creates a which is used to request the authorization code. OAuth 2.0 request for an access token using an authorization code as specified in http://tools.ietf.org/html/rfc6749#section-4.1.3. Gets or sets the authorization code received from the authorization server. Gets or sets the redirect URI parameter matching the redirect URI parameter in the authorization request. Gets or sets the code verifier matching the code challenge in the authorization request. See https://developers.google.com/identity/protocols/oauth2/native-app#exchange-authorization-code for more information. Constructs a new authorization code token request and sets grant_type to authorization_code. OAuth 2.0 request URL for an authorization web page to allow the end user to authorize the application to access their protected resources, as specified in http://tools.ietf.org/html/rfc6749#section-3.1. 
Gets or sets the response type which must be code for requesting an authorization code or token for requesting an access token (implicit grant), or space separated registered extension values. See http://tools.ietf.org/html/rfc6749#section-3.1.1 for more details. Gets or sets the client identifier. Gets or sets the URI that the authorization server directs the resource owner's user-agent back to the client after a successful authorization grant, as specified in http://tools.ietf.org/html/rfc6749#section-3.1.2 or null for none. Gets or sets space-separated list of scopes, as specified in http://tools.ietf.org/html/rfc6749#section-3.3 or null for none. Gets or sets the state (an opaque value used by the client to maintain state between the request and callback, as mentioned in http://tools.ietf.org/html/rfc6749#section-3.1.2.2) or null for none. Gets the authorization server URI. Constructs a new authorization request with the specified URI. Authorization server URI. Service account assertion token request as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest. Gets or sets the JWT (including signature). Constructs a new refresh code token request and sets grant_type to urn:ietf:params:oauth:grant-type:jwt-bearer. Google-specific implementation of the OAuth 2.0 URL for an authorization web page to allow the end user to authorize the application to access their protected resources and that returns an authorization code, as specified in https://developers.google.com/accounts/docs/OAuth2WebServer. Gets or sets the access type. Set online to request on-line access or offline to request off-line access or null for the default behavior. The default value is offline. Gets or sets prompt for consent behaviour. Value can be null, "none", "consent", or "select_account". See OpenIDConnect documentation for details. 
Gets or sets prompt for consent behavior: auto to request auto-approval or force to force the approval UI to show, or null for the default behavior. Gets or sets the login hint. Sets email address or sub identifier. When your application knows which user it is trying to authenticate, it may provide this parameter as a hint to the Authentication Server. Passing this hint will either pre-fill the email box on the sign-in form or select the proper multi-login session, thereby simplifying the login flow. Gets or sets the include granted scopes to determine if this authorization request should use incremental authorization (https://developers.google.com/+/web/api/rest/oauth#incremental-auth). If true and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes. Currently unsupported for installed apps. Gets or sets the nonce; a random value generated by your app that enables replay protection. See https://developers.google.com/identity/protocols/OpenIDConnect for more details. Gets or sets the code challenge. See https://developers.google.com/identity/protocols/oauth2/native-app#create-the-code-challenge for more information. Gets or sets the code challenge method. See https://developers.google.com/identity/protocols/oauth2/native-app#create-the-code-challenge for more information. Gets or sets a collection of user defined query parameters to facilitate any not explicitly supported by the library which will be included in the resultant authentication URL. The name of this parameter is used only for the constructor and will not end up in the resultant query string. Constructs a new authorization code request with the given authorization server URL. This constructor sets the to offline. Google OAuth 2.0 request to revoke an access token as specified in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke. Gets the URI for token revocation. 
Gets or sets the token to revoke. Creates a which is used to request the authorization code. Gets or sets the chained list of delegate service accounts. Gets or sets the payload to be signed. Access token request for impersonated credential as specified in https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth. Gets or sets the scopes to request during the authorization grant. Gets or sets how long the delegated credential should be valid. Its format is the number of seconds followed by a letter "s", for example "300s". OIDC token request for impersonated credential as specified in https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth. Gets or sets the audience of the requested OIDC token. Gets or sets whether email address should be included in the requested OIDC token. Gets or sets the chained list of delegate service accounts. OAuth 2.0 request to refresh an access token using a refresh token as specified in http://tools.ietf.org/html/rfc6749#section-6. Gets or sets the Refresh token issued to the client. Constructs a new refresh code token request and sets grant_type to refresh_token. Serializes to JSON and posts it to . Serializes to JSON and posts it to . Deserializes the JSON response into . Serializes to JSON and posts it to . Builds a instance from the HTTP response. for more information. Creates an HTTP form from and posts it to . If is not null, its value is included as the Authorization header of the request. Builds a instance from the HTTP response. for more information. Builder for . Gets the grant type for this request. Only urn:ietf:params:oauth:grant-type:token-exchange is currently supported. The audience for which the requested token is intended. For instance: "//iam.googleapis.com/projects/my-project-id/locations/global/workloadIdentityPools/my-pool-id/providers/my-provider-id" The list of desired scopes for the requested token. 
The type of the requested security token. Only urn:ietf:params:oauth:token-type:access_token is currently supported. In terms of Google 3PI support, this is the 3PI credential. The subject token type. Client ID and client secret are not part of STS token exchange spec. But in the context of Google 3PI they are used to perform basic authorization for token exchange. Client ID and client secret are not part of STS token exchange spec. But in the context of Google 3PI they are used to perform basic authorization for token exchange. The GCP project number to be used for Workforce Pools external credentials. To be included in the request as part of options. OAuth 2.0 subject token exchange request as defined in https://datatracker.ietf.org/doc/html/rfc8693#section-2.1. This is only a partial definition of the spec as required to support Google WIF. Gets the grant type for this request. Only urn:ietf:params:oauth:grant-type:token-exchange is currently supported. The audience for which the requested token is intended. For instance: "//iam.googleapis.com/projects/my-project-id/locations/global/workloadIdentityPools/my-pool-id/providers/my-provider-id" The space-delimited list of desired scopes for the requested token as defined in http://tools.ietf.org/html/rfc6749#section-3.3. The type of the requested security token. Only urn:ietf:params:oauth:token-type:access_token is currently supported. In terms of Google 3PI support, this is the 3PI credential. The subject token type. Google specific STS token request options. May be null. Authentication header to be included in the request. May be null. OAuth 2.0 request for an access token as specified in http://tools.ietf.org/html/rfc6749#section-4. Gets or sets space-separated list of scopes as specified in http://tools.ietf.org/html/rfc6749#section-3.3. Gets or sets the Grant type. Sets authorization_code or password or client_credentials or refresh_token or absolute URI of the extension grant type. 
Gets or sets the client Identifier. Gets or sets the client Secret. Extension methods to . Executes the token request in order to receive a . In case the token server returns an error, a is thrown. The token request. The HTTP client used to create an HTTP request. The token server URL. Cancellation token to cancel operation. The clock which is used to set the property. Token response with the new access token. Authorization Code response for the redirect URL after end user grants or denies authorization as specified in http://tools.ietf.org/html/rfc6749#section-4.1.2. Check that is not null or empty to verify the end-user granted authorization. Gets or sets the authorization code generated by the authorization server. Gets or sets the state parameter matching the state parameter in the authorization request. Gets or sets the error code (e.g. "invalid_request", "unauthorized_client", "access_denied", "unsupported_response_type", "invalid_scope", "server_error", "temporarily_unavailable") as specified in http://tools.ietf.org/html/rfc6749#section-4.1.2.1. Gets or sets the human-readable text which provides additional information used to assist the client developer in understanding the error that occurred. Gets or sets the URI identifying a human-readable web page that provides information about the error. Contains any extra parameters in the authorization code response URL query string. Constructs a new authorization code response URL from the specified dictionary. Constructs a new authorization code response URL from the specified query string. Initializes this instance from the input dictionary. Constructs a new empty authorization code response URL. Gets or sets the signed blob. OAuth 2.0 model for an unsuccessful access token response as specified in http://tools.ietf.org/html/rfc6749#section-5.2. Gets or sets error code (e.g. 
"invalid_request", "invalid_client", "invalid_grant", "unauthorized_client", "unsupported_grant_type", "invalid_scope") as specified in http://tools.ietf.org/html/rfc6749#section-5.2. Gets or sets a human-readable text which provides additional information used to assist the client developer in understanding the error that occurred. Gets or sets the URI identifying a human-readable web page that provides information about the error. Constructs a new empty token error response. Constructs a new token error response from the given authorization code response. OAuth 2.0 model for a successful access token response as specified in http://tools.ietf.org/html/rfc6749#section-5.1. Gets or sets the access token issued by the authorization server. Gets or sets the token type as specified in http://tools.ietf.org/html/rfc6749#section-7.1. Gets or sets the lifetime in seconds of the access token. Gets or sets the refresh token which can be used to obtain a new access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. Gets or sets the scope of the access token as specified in http://tools.ietf.org/html/rfc6749#section-3.3. Gets or sets the id_token, which is a JSON Web Token (JWT) as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token. The date and time that this token was issued, expressed in the system time zone. This property only exists for backward compatibility; it can cause inappropriate behavior around time zone transitions (e.g. daylight saving transitions). The date and time that this token was issued, expressed in UTC. This should be set by the CLIENT after the token was received from the server. Access token for impersonated credentials. ID token for impersonated credentials. Access token expiration time for impersonated credentials. It has the RFC3339 format: "yyyy-MM-dd'T'HH:mm:sssssssss'Z'". For example: 2020-05-13T16:00:00.045123456Z. 
Returns true if the token represented by this token response should be refreshed. Note that this may be true for valid tokens, in which case a pre-emptive refresh is advised even if the current token may be used while it continues to be valid. See for information on when a token is considered valid. A valid token is considered stale if it's close to expiring, but not so much as to be unusable. The start of the refresh window for this token, if known. Otherwise, null. At the start of token refresh window, the token is still usable, but efforts should be made to obtain a fresher one. The start of the expiry window for this token, if known. Otherwise, null. A token that's within its expiry window may still be usable, but doing so may run into clock skew related issues. Returns true if the token is expired or it's going to expire soon. If a token response doesn't have at least one of or set then it's considered expired. If is null, the token is also considered expired. Returns true if the token represented by this token response should be refreshed. Note that this may be true for valid tokens, in which case a pre-emptive refresh is advised even if the current token may be used while it continues to be valid. See for information on when a token is considered valid. A valid token is considered stale if it's close to expiring, but not so much as to be unusable. Returns true if the token represented by this token response is valid, that is, it may be used for authentication and authorization purposes. A token is considered valid if all of the following are true: At least one of and is not null. is not null. The token has not expired and will not expire in the very near future. That is if plus is in the not so near future. Asynchronously parses a instance from the specified . The http response from which to parse the token. The clock used to set the value of the token. The logger used to output messages in case of error. 
The response was not successful or there is an error parsing the response into valid instance. A task containing the parsed from the response message. Token response exception which is thrown in case of receiving a token error when an authorization code or an access token is expected. The error information. HTTP status code of error, or null if unknown. Constructs a new token response exception from the given error. Constructs a new token response exception from the given error and optional HTTP status code. Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved. Take a look in https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details. Since version 1.9.3, service account credential also supports JSON Web Token access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used as an access token directly. See for explanation when JWT access token is used and when regular OAuth2 token is used. An initializer class for the service account credential. Gets the service account ID (typically an e-mail address). The project ID associated with this credential. Gets or sets the email address of the user the application is trying to impersonate in the service account flow or null. Gets or sets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature. Gets or sets the service account key ID. Gets or sets the flag preferring use of self-signed JWTs over OAuth tokens when OAuth scopes are explicitly set. 
The universe domain this credential belongs to. Won't be null. Constructs a new initializer using the given id. Constructs a new initializer using the given id and the token server URL. Extracts the from the given PKCS8 private key. Extracts a from the given certificate. Unix epoch as a DateTime Gets the service account ID (typically an e-mail address). The project ID associated with this credential. Gets the email address of the user the application is trying to impersonate in the service account flow or null. Gets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature. Gets the key id of the key which is used to sign the request. Gets the flag indicating whether Self-Signed JWT should be used when OAuth scopes are set. This flag will be ignored if this credential has set, meaning it is used with domain-wide delegation. Self-Signed JWTs won't be used in that case. The universe domain this credential belongs to. Won't be null. Constructs a new service account credential using the given initializer. Creates a new instance from JSON credential data. The stream from which to read the JSON key data for a service account. Must not be null. The does not contain valid JSON service account key data. The credentials parsed from the service account key data. Constructs a new instance of the but with the given value. A flag preferring use of self-signed JWTs over OAuth tokens when OAuth scopes are explicitly set. A new instance of the but with the given value. Requests a new token as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest. Cancellation token to cancel operation. true if a new token was received successfully. Gets an access token to authorize a request. An OAuth2 access token obtained from will be returned in the following two cases: 1. If this credential has associated, but is false; 2. 
If this credential is used with domain-wide delegation, that is, the is set; Otherwise, a locally signed JWT will be returned. The signed JWT will contain a "scope" claim with the scopes in if there are any, otherwise it will contain an "aud" claim with . A cached token is used if possible and the token is only refreshed once it's close to its expiry. The URI the returned token will grant access to. Should be specified if no have been specified for the credential. The cancellation token. The access token. Creates a JWT access token that can be used in request headers instead of an OAuth2 token. This is achieved by signing a special JWT using this service account's private key. The URI for which the access token will be valid. The issue time of the JWT. The expiry time of the JWT. Signs JWT token using the private key and returns the serialized assertion. The JWT payload to sign. Creates a base64 encoded signature for the SHA-256 hash of the specified data. The data to hash and sign. Must not be null. The base-64 encoded signature. Creates a serialized header as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingheader. Creates a claim set as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset. This type of Google OAuth 2.0 credential enables access to protected resources using an access token when interacting server to server. For example, a service account credential could be used to access Google Cloud Storage from a web application without a user's involvement. inherits from this class in order to support Service Accounts. More details available at: https://developers.google.com/accounts/docs/OAuth2ServiceAccount. is another example of a class that inherits from this class in order to support Compute credentials. For more information about Compute authentication, see: https://cloud.google.com/compute/docs/authentication. 
inherits from this class to support both Workload Identity Federation and Workforce Identity Federation. You can read more about these topics in https://cloud.google.com/iam/docs/workload-identity-federation and https://cloud.google.com/iam/docs/workforce-identity-federation respectively. Note that in the case of Workforce Identity Federation, the external account does not represent a service account but a user account, so, the fact that inherits from might be construed as misleading. In reality is not tied to a service account in terms of implementation, only in terms of name. For instance, a better name for this class might have been NoUserFlowCredential, and in that sense, it's correct that inherits from even when representing a Workforce Identity Federation account. Logger for this class An initializer class for the service credential. Gets the token server URL. Gets or sets the clock used to refresh the token when it expires. The default value is . Gets or sets the method for presenting the access token to the resource server. The default value is . Gets or sets the factory for creating a instance. Get or sets the exponential back-off policy. Default value is UnsuccessfulResponse503, which means that exponential back-off is used on 503 abnormal HTTP responses. If the value is set to None, no exponential back-off policy is used, and it's up to the user to configure the in an to set a specific back-off implementation (using ). The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null. Scopes to request during the authorization grant. May be null or empty. If the scopes are pre-granted through the environment, like in GCE where scopes are granted to the VM, scopes set here will be ignored. Initializers to be sent to the to be set on the that will be used by the credential to perform token operations. Constructs a new initializer using the given token server URL. Gets the token server URL. 
May be null for credential types that resolve token endpoints just before obtaining an access token. This is the case for where the is a . Gets the clock used to refresh the token if it expires. Gets the method for presenting the access token to the resource server. Gets the HTTP client used to make authentication requests to the server. Scopes to request during the authorization grant. May be null or empty. If the scopes are pre-granted through the environment, like in GCE where scopes are granted to the VM, scopes set here will be ignored. Returns true if this credential scopes have been explicitly set via this library. Returns false otherwise. Initializers to be sent to the to be set on the that will be used by the credential to perform token operations. Gets the token response which contains the access token. The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null. Constructs a new service account credential using the given initializer. Builds HTTP client creation args from this credential settings. Decorates unsuccessful responses, returns true if the response gets modified. See IHttpUnsuccessfulResponseHandler for more information. Gets an access token to authorize a request. If the existing token expires soon, try to refresh it first. Requests a new token. Cancellation token to cancel operation. true if a new token was received successfully. Encapsulation of token refresh behaviour. This isn't entirely how we'd design the code now (in terms of the callback in particular) but it fits in with the exposed API surface of ServiceCredential and UserCredential. Creates a manager which executes the given refresh action when required. The refresh action which will populate the Token property when successful. The clock to consult for timeouts. The logger to use to record refreshes. 
URL-sourced credentials as described in https://google.aip.dev/auth/4117#determining-the-subject-token-in-microsoft-azure-and-url-sourced-credentials. The URL from which to obtain the subject token. Headers to include in the request for the subject token. May be null or empty. If set, the subject token response will be parsed as JSON and the value in the field with name will be returned as the subject token. The URL from which to obtain the subject token. Headers to include in the request for the subject token. May be empty. Will not be null. If set, the subject token response will be parsed as JSON and the value in the field with name will be returned as the subject token. OAuth 2.0 credential for accessing protected resources using an access token, as well as optionally refreshing the access token when it expires using a refresh token. Logger for this class. Gets or sets the token response which contains the access token. Gets the authorization code flow. Gets the user identity. Constructs a new credential instance. Authorization code flow. User identifier. An initial token for the user. Constructs a new credential instance. Authorization code flow. User identifier. An initial token for the user. The ID of the project associated to this credential for the purposes of quota calculation and billing. Can be null. Default implementation is to try to refresh the access token if there is no access token or if we are 1 minute away from expiration. If token server is unavailable, it will try to use the access token even if has expired. If successful, it will call . Refreshes the token by calling to . Then it updates the with the new token instance. Cancellation token to cancel an operation. true if the token was refreshed. Asynchronously revokes the token by calling . Cancellation token to cancel an operation. true if the token was revoked successfully. Thread safe OAuth 2.0 authorization code flow for a web application that persists end-user credentials. The state key. 
As part of making the request for authorization code we save the original request to verify that this server created the original request. The length of the random number which will be added to the end of the state parameter. AuthResult which contains the user's credentials if it was loaded successfully from the store. Otherwise it contains the redirect URI for the authorization server. Gets or sets the user's credentials or null in case the end user needs to authorize. Gets or sets the redirect URI for the user to authorize against the authorization server or null in case the was loaded from the data store. Gets the authorization code flow. Gets the OAuth2 callback redirect URI. Gets the state which is used to navigate back to the page that started the OAuth flow. Constructs a new authorization code installed application with the given flow and code receiver. Asynchronously authorizes the web application to access user's protected data. User identifier. Cancellation token to cancel an operation. Auth result object which contains the user's credential or redirect URI for the authorization server. Determines the need for retrieval of a new authorization code, based on the given token and the authorization code flow. Auth Utility methods for web development. Extracts the redirect URI from the state OAuth2 parameter. If the data store is not null, this method verifies that the state parameter which was returned from the authorization server is the same as the one we set before redirecting to the authorization server. The data store which contains the original state parameter. User identifier. The authorization state parameter which we got back from the authorization server. Redirect URI to the address which initializes the authorization code flow. Represents a signed token, could be a or a but this not only holds the payload and headers, but also the signature itself. It's meant to help with signed token verification and with obtaining token information. 
Options to use when verifying signed JWTs. Creates a new instance of with default values for all options (or null for those whose default is unset). Creates a new instance of by copying over all the values from . The option set to build this instance from. Trusted audiences for the token. All the audiences the token is intended for should be in the trusted audiences list. If the list is empty, the token audience won't be verified. The URL from which to obtain certificates. May be null, in which case, default certificate locations will be used: For RS256 signed certificates, https://www.googleapis.com/oauth2/v3/certs will be used. For ES256 signed certificates, https://www.gstatic.com/iap/verify/public_key-jwk will be used. List of trusted issuers to verify the token issuer against. The token issuer must be contained in this list. May be null, in which case the token issuer won't be verified. Forces certificate refresh. Internal to be used only for backward compatibility. Clock tolerance for the issued-at check. Causes a JWT to pass validation up to this duration before it is really valid; this is to allow for possible local-client clock skew. Defaults to zero. Internal to be used only for backward compatibility. Clock tolerance for the expiration check. Causes a JWT to pass validation up to this duration after it really expired; this is to allow for possible local-client clock skew. Defaults to zero. Internal to be used only for backward compatibility. Clock for testing purposes. Defaults to . Must not be null. CertificateCache for testing purposes. If null, the true CertificateCache will be used. Returns a task which can be cancelled by the given cancellation token, but otherwise observes the original task's state. This does *not* cancel any work that the original task was doing, and should be used carefully. Decodes the provided URL safe base 64 string. The URL safe base 64 string to decode. The UTF8 decoded string. 
Decodes the provided URL safe base 64 string. The URL safe base 64 string to decode. The UTF8 byte representation of the decoded string. Encodes the provided UTF8 string into an URL safe base64 string. Value to encode. The URL safe base64 string. Encodes the byte array into an URL safe base64 string. Byte array to encode. The URL safe base64 string. Encodes the base64 string into an URL safe string. The base64 string to make URL safe. The URL safe base64 string.