Class ServiceAccountCredential
Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.
See https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details.
Since version 1.9.3, the service account credential also supports the JSON Web Token (JWT) access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used directly as the access token. See GetAccessTokenForRequestAsync(String, CancellationToken) for an explanation of when a JWT access token is used and when a regular OAuth2 token is used.
Implements
Inherited Members
Namespace: Google.Apis.Auth.OAuth2
Assembly: Google.Apis.Auth.dll
Syntax
public class ServiceAccountCredential : ServiceCredential, ICredential, IConfigurableHttpClientInitializer, ITokenAccess, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler
Constructors
ServiceAccountCredential(ServiceAccountCredential.Initializer)
Constructs a new service account credential using the given initializer.
Declaration
public ServiceAccountCredential(ServiceAccountCredential.Initializer initializer)
Parameters
Type | Name | Description |
---|---|---|
ServiceAccountCredential.Initializer | initializer |
Fields
UnixEpoch
Unix epoch as a DateTime
Declaration
protected static readonly DateTime UnixEpoch
Field Value
Type | Description |
---|---|
System.DateTime |
Properties
Id
Gets the service account ID (typically an e-mail address).
Declaration
public string Id { get; }
Property Value
Type | Description |
---|---|
System.String |
Key
Gets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature.
Declaration
public RSA Key { get; }
Property Value
Type | Description |
---|---|
System.Security.Cryptography.RSA |
ProjectId
The project ID associated with this credential.
Declaration
public string ProjectId { get; }
Property Value
Type | Description |
---|---|
System.String |
Scopes
Gets the service account scopes.
Declaration
public IEnumerable<string> Scopes { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.IEnumerable<System.String> |
User
Gets the email address of the user the application is trying to impersonate in the service account flow or null.
Declaration
public string User { get; }
Property Value
Type | Description |
---|---|
System.String |
Methods
CreateSignature(Byte[])
Creates a base64 encoded signature for the SHA-256 hash of the specified data.
Declaration
public string CreateSignature(byte[] data)
Parameters
Type | Name | Description |
---|---|---|
System.Byte[] | data | The data to hash and sign. Must not be null. |
Returns
Type | Description |
---|---|
System.String | The base-64 encoded signature. |
FromServiceAccountData(Stream)
Creates a new ServiceAccountCredential instance from JSON credential data.
Declaration
public static ServiceAccountCredential FromServiceAccountData(Stream credentialData)
Parameters
Type | Name | Description |
---|---|---|
System.IO.Stream | credentialData | The stream from which to read the JSON key data for a service account. Must not be null. |
Returns
Type | Description |
---|---|
ServiceAccountCredential | The credentials parsed from the service account key data. |
Exceptions
Type | Condition |
---|---|
System.InvalidOperationException | The |
GetAccessTokenForRequestAsync(String, CancellationToken)
Gets an access token to authorize a request.
If authUri is set and this credential has no scopes associated with it, a locally signed JWT access token for the given authUri is returned. Otherwise, an OAuth2 access token obtained from the token server is returned.
A cached token is used if possible and the token is only refreshed once it's close to its expiry.
Declaration
public override Task<string> GetAccessTokenForRequestAsync(string authUri = null, CancellationToken cancellationToken = default(CancellationToken))
Parameters
Type | Name | Description |
---|---|---|
System.String | authUri | The URI the returned token will grant access to. |
System.Threading.CancellationToken | cancellationToken | The cancellation token. |
Returns
Type | Description |
---|---|
System.Threading.Tasks.Task<System.String> | The access token. |
Overrides
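The JWT access token path described above, as an added example (not code from the Google.Apis.Auth project): a credential with no scopes is asked for a token for an authUri, and the returned JWT is decoded and its signature checked against the credential's own key. The service account ID, the authUri value and the throwaway RSA key are constructed for the demo; the Initializer(string) constructor, its Key property and the RS256 (PKCS#1 v1.5) signature scheme are assumptions not documented on this page.

```csharp
// Added example; not taken from the Google.Apis.Auth documentation or source.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Google.Apis.Auth.OAuth2;

public static class JwtAccessTokenDemo
{
    // JWT segments are unpadded base64url; convert to standard base64 to decode.
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    public static async Task Main()
    {
        // Throwaway key generated for the demo (constructed, not a real service
        // account key). Real code loads the key with FromServiceAccountData(Stream).
        using (RSA rsa = RSA.Create(2048))
        {
            // Assumption: Initializer(string id) and its Key property, which this
            // page does not document. Scopes is left unset on purpose.
            var init = new ServiceAccountCredential.Initializer(
                "demo-sa@example-project.iam.gserviceaccount.com") { Key = rsa };
            var credential = new ServiceAccountCredential(init);

            // authUri set + no scopes: signed locally, no token server call.
            const string authUri = "https://storage.googleapis.com/";
            string token = await credential.GetAccessTokenForRequestAsync(authUri);

            string[] parts = token.Split('.');
            if (parts.Length != 3)
                throw new InvalidOperationException("Expected a compact JWT (header.payload.signature).");

            // The claims show what the bearer token is bound to (audience, issuer, expiry).
            Console.WriteLine(Encoding.UTF8.GetString(FromBase64Url(parts[1])));

            // Assumption: RS256, i.e. RSA PKCS#1 v1.5 over SHA-256 of "header.payload".
            bool valid = rsa.VerifyData(
                Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]),
                FromBase64Url(parts[2]),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine("Signature verifies with the credential's key: " + valid);
        }
    }
}
```

Because the token is signed locally, anyone holding the private key can mint tokens without a token server request appearing anywhere, so key storage and rotation are the controls that matter for this path.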
RequestAccessTokenAsync(CancellationToken)
Requests a new token as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.
Declaration
public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
Parameters
Type | Name | Description |
---|---|---|
System.Threading.CancellationToken | taskCancellationToken | Cancellation token to cancel operation. |
Returns
Type | Description |
---|---|
System.Threading.Tasks.Task<System.Boolean> |