Class GoogleCredential

Credential for authorizing calls using OAuth 2.0. It is a convenience wrapper that allows handling of different types of credentials (like ServiceAccountCredential, ComputeCredential or UserCredential) in a unified way.

See GetApplicationDefaultAsync(CancellationToken) for the credential retrieval logic.

Inheritance
System.Object
GoogleCredential
Implements
Google.Apis.Http.IConfigurableHttpClientInitializer
Inherited Members
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Google.Apis.Auth.OAuth2
Assembly: Google.Apis.Auth.dll
Syntax
public class GoogleCredential : ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IOidcTokenProvider, IBlobSigner

Properties

IsCreateScopedRequired

Returns true only if this credential supports explicit scopes to be set via this library but no explicit scopes have been set. A credential with explicit scopes set may be created by calling CreateScoped(IEnumerable<String>).

For accessing Google services, credentials need to be scoped. Credentials have some default scoping, but this library supports explicit scopes to be set for certain credentials.

  1. ComputeCredential is scoped by default. This library doesn't currently support explicit scopes to be set on a ComputeCredential.
  2. UserCredential is scoped by default, as scopes were obtained during the consent screen. It's not possible to change the default scopes of a UserCredential.
  3. ServiceAccountCredential is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. It's possible to create a ServiceAccountCredential with explicit scopes set by calling CreateScoped(IEnumerable<String>)
  4. ImpersonatedCredential is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. Note that the scopes of an SourceCredential have no bearings on the ImpersonatedCredential scopes. It's possible to create an ImpersonatedCredential with explicit scopes set by calling CreateScoped(IEnumerable<String>)

Declaration
public virtual bool IsCreateScopedRequired { get; }
Property Value
Type Description
System.Boolean

QuotaProject

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

Declaration
public string QuotaProject { get; }
Property Value
Type Description
System.String

UnderlyingCredential

Gets the underlying credential instance being wrapped.

Declaration
public ICredential UnderlyingCredential { get; }
Property Value
Type Description
ICredential

Methods

CreateScoped(IEnumerable<String>)

If this library supports setting explicit scopes on this credential, this method will creates a copy of the credential with the specified scopes. Otherwise, it returns the same instance. See IsCreateScopedRequired for more information.

Declaration
public virtual GoogleCredential CreateScoped(IEnumerable<string> scopes)
Parameters
Type Name Description
System.Collections.Generic.IEnumerable<System.String> scopes
Returns
Type Description
GoogleCredential

CreateScoped(String[])

If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance.

Declaration
public GoogleCredential CreateScoped(params string[] scopes)
Parameters
Type Name Description
System.String[] scopes
Returns
Type Description
GoogleCredential

CreateWithHttpClientFactory(IHttpClientFactory)

Creates a copy of this credential with the specified HTTP client factory.

Declaration
public virtual GoogleCredential CreateWithHttpClientFactory(IHttpClientFactory factory)
Parameters
Type Name Description
Google.Apis.Http.IHttpClientFactory factory

The HTTP client factory to be used by the new credential. May be null, in which case the default HttpClientFactory will be used.
Returns
Type Description
GoogleCredential

CreateWithQuotaProject(String)

Creates a copy of this credential with the specified quota project.

Declaration
public virtual GoogleCredential CreateWithQuotaProject(string quotaProject)
Parameters
Type Name Description
System.String quotaProject

The quota project to use for the copy. May be null.
Returns
Type Description
GoogleCredential

A copy of this credential with QuotaProject set to quotaProject.

CreateWithUser(String)

If the credential supports Domain Wide Delegation, this method creates a copy of the credential with the specified user. Otherwise, it throws System.InvalidOperationException. At the moment only ServiceAccountCredential supports Domain Wide Delegation.

Declaration
public virtual GoogleCredential CreateWithUser(string user)
Parameters
Type Name Description
System.String user

The user that the returned credential will be a delegate for.
Returns
Type Description
GoogleCredential

A copy of this credential with the user set to user.
Exceptions
Type Condition
System.InvalidOperationException

When the credential type doesn't support Domain Wide Delegation.

FromAccessToken(String, IAccessMethod)

Create a GoogleCredential directly from the provided access token. The access token will not be automatically refreshed.

Declaration
public static GoogleCredential FromAccessToken(string accessToken, IAccessMethod accessMethod = null)
Parameters
Type Name Description
System.String accessToken

The access token to use within this credential.
IAccessMethod accessMethod

Optional. The IAccessMethod to use within this credential. If null, will default to BearerToken.AuthorizationHeaderAccessMethod.
Returns
Type Description
GoogleCredential

A credential based on the provided access token.

FromComputeCredential(ComputeCredential)

Create a GoogleCredential from a ComputeCredential. In general, do not use this method. Call GetApplicationDefault() or GetApplicationDefaultAsync(CancellationToken), which will provide the most suitable credentials for the current platform.

Declaration
public static GoogleCredential FromComputeCredential(ComputeCredential computeCredential = null)
Parameters
Type Name Description
ComputeCredential computeCredential

Optional. The compute credential to use in the returned GoogleCredential. If null, then a new ComputeCredential will be instantiated, using the default ComputeCredential.Initializer.
Returns
Type Description
GoogleCredential

A GoogleCredential with an underlying ComputeCredential.

FromFile(String)

Loads credential from the specified file containing JSON credential data.

The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static GoogleCredential FromFile(string path)
Parameters
Type Name Description
System.String path

The path to the credential file.
Returns
Type Description
GoogleCredential

The loaded credentials.

FromFileAsync(String, CancellationToken)

Loads credential from the specified file containing JSON credential data.

The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static Task<GoogleCredential> FromFileAsync(string path, CancellationToken cancellationToken)
Parameters
Type Name Description
System.String path

The path to the credential file.
System.Threading.CancellationToken cancellationToken

Cancellation token for the operation.
Returns
Type Description
System.Threading.Tasks.Task<GoogleCredential>

The loaded credentials.

FromJson(String)

Loads credential from a string containing JSON credential data.

The string can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static GoogleCredential FromJson(string json)
Parameters
Type Name Description
System.String json
Returns
Type Description
GoogleCredential

FromServiceAccountCredential(ServiceAccountCredential)

Creates a GoogleCredential wrapping a ServiceAccountCredential.

Declaration
public static GoogleCredential FromServiceAccountCredential(ServiceAccountCredential credential)
Parameters
Type Name Description
ServiceAccountCredential credential
Returns
Type Description
GoogleCredential

FromStream(Stream)

Loads credential from stream containing JSON credential data.

The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static GoogleCredential FromStream(Stream stream)
Parameters
Type Name Description
System.IO.Stream stream
Returns
Type Description
GoogleCredential

FromStreamAsync(Stream, CancellationToken)

Loads credential from stream containing JSON credential data.

The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static Task<GoogleCredential> FromStreamAsync(Stream stream, CancellationToken cancellationToken)
Parameters
Type Name Description
System.IO.Stream stream
System.Threading.CancellationToken cancellationToken
Returns
Type Description
System.Threading.Tasks.Task<GoogleCredential>

GetApplicationDefault()

Synchronously returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See GetApplicationDefaultAsync(CancellationToken) for details on application default credentials.

This method will block until the credentials are available (or an exception is thrown). It is highly preferable to call GetApplicationDefaultAsync(CancellationToken) where possible.

Declaration
public static GoogleCredential GetApplicationDefault()
Returns
Type Description
GoogleCredential

The application default credentials.

GetApplicationDefaultAsync()

Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See GetApplicationDefaultAsync(CancellationToken) for more details.

Declaration
public static Task<GoogleCredential> GetApplicationDefaultAsync()
Returns
Type Description
System.Threading.Tasks.Task<GoogleCredential>

A task which completes with the application default credentials.

GetApplicationDefaultAsync(CancellationToken)

Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application.

The ambient credentials are determined as following order:

  1. The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified, it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded.
  2. If you have installed the Google Cloud SDK on your machine and have run the command GCloud Auth Login, your identity can be used as a proxy to test code calling APIs from that machine.
  3. If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used.
  4. If all previous steps have failed, InvalidOperationException is thrown.

Declaration
public static Task<GoogleCredential> GetApplicationDefaultAsync(CancellationToken cancellationToken)
Parameters
Type Name Description
System.Threading.CancellationToken cancellationToken

Cancellation token for the operation.
Returns
Type Description
System.Threading.Tasks.Task<GoogleCredential>

A task which completes with the application default credentials.
Remarks

If the cancellation token is cancelled while the underlying operation is loading Application Default Credentials, the underlying operation will still be used for any further requests. No actual work is cancelled via this cancellation token; it just allows the returned task to transition to a cancelled state.

GetOidcTokenAsync(OidcTokenOptions, CancellationToken)

Returns an OIDC token for the given options.

Declaration
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default(CancellationToken))
Parameters
Type Name Description
OidcTokenOptions options

The options to create the token from.
System.Threading.CancellationToken cancellationToken

The cancellation token that may be used to cancel the request.
Returns
Type Description
System.Threading.Tasks.Task<OidcToken>

The OIDC token.

Impersonate(ImpersonatedCredential.Initializer)

Allows this credential to impersonate the TargetPrincipal. Only ServiceAccountCredential and UserCredential support impersonation, so this method will throw System.InvalidOperationException if this credential's UnderlyingCredential is not of one of those supported types.

Declaration
public GoogleCredential Impersonate(ImpersonatedCredential.Initializer initializer)
Parameters
Type Name Description
ImpersonatedCredential.Initializer initializer

Initializer containing the configuration for the impersonated credential.
Returns
Type Description
GoogleCredential
Remarks

For impersonation, a credential needs to be scoped to https://www.googleapis.com/auth/iam. When using a ServiceAccountCredential as the source credential, this is not a problem, since the credential can be scoped on demand. When using a UserCredential the credential needs to have been obtained with the required scope, else, when attempting and impersonated request, you'll receive an authorization error.

SignBlobAsync(Byte[], CancellationToken)

Returns the base64 encoded signature of the given blob.

Declaration
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default(CancellationToken))
Parameters
Type Name Description
System.Byte[] blob

The blob to sign.
System.Threading.CancellationToken cancellationToken

The cancellation token.
Returns
Type Description
System.Threading.Tasks.Task<System.String>

The base64 encoded signature.

Explicit Interface Implementations

ITokenAccess.GetAccessTokenForRequestAsync(String, CancellationToken)

Declaration
Task<string> ITokenAccess.GetAccessTokenForRequestAsync(string authUri, CancellationToken cancellationToken)
Parameters
Type Name Description
System.String authUri
System.Threading.CancellationToken cancellationToken
Returns
Type Description
System.Threading.Tasks.Task<System.String>

ITokenAccessWithHeaders.GetAccessTokenWithHeadersForRequestAsync(String, CancellationToken)

Declaration
Task<AccessTokenWithHeaders> ITokenAccessWithHeaders.GetAccessTokenWithHeadersForRequestAsync(string authUri, CancellationToken cancellationToken)
Parameters
Type Name Description
System.String authUri
System.Threading.CancellationToken cancellationToken
Returns
Type Description
System.Threading.Tasks.Task<AccessTokenWithHeaders>

IConfigurableHttpClientInitializer.Initialize(ConfigurableHttpClient)

Declaration
void IConfigurableHttpClientInitializer.Initialize(ConfigurableHttpClient httpClient)
Parameters
Type Name Description
Google.Apis.Http.ConfigurableHttpClient httpClient

Implements

Google.Apis.Http.IConfigurableHttpClientInitializer