Class GoogleCredential
Credential for authorizing calls using OAuth 2.0. It is a convenience wrapper that allows handling of different types of credentials (like ServiceAccountCredential, ComputeCredential or UserCredential) in a unified way.
See GetApplicationDefaultAsync(CancellationToken) for the credential retrieval logic.
Implements
Inherited Members
Namespace: Google.Apis.Auth.OAuth2
Assembly: Google.Apis.Auth.dll
Syntax
public class GoogleCredential : ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IOidcTokenProvider, IBlobSigner, IHttpExecuteInterceptorProperties
IsCreateScopedRequired
Returns true only if this credential supports explicit scopes to be set
via this library but no explicit scopes have been set.
A credential with explicit scopes set
may be created by calling CreateScoped(IEnumerable<string>).
For accessing Google services, credentials need to be scoped. Credentials have some default scoping, but this library supports explicit scopes to be set for certain credentials.
- ComputeCredential is scoped by default but in some environments it may be scoped explicitly, for instance when running on GKE with Workload Identity or on AppEngine Flex. It's possible to create a ComputeCredential with explicit scopes set by calling CreateScoped(IEnumerable<string>). If running on an environment that does not accept explicit scoping, for instance GCE where scopes are set on the VM, explicit scopes will be ignored.
- UserCredential is scoped by default, as scopes were obtained during the consent screen. It's not possible to change the default scopes of a UserCredential.
- ServiceAccountCredential is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. It's possible to create a ServiceAccountCredential with explicit scopes set by calling CreateScoped(IEnumerable<string>)
- ImpersonatedCredential is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. Note that the scopes of an SourceCredential have no bearings on the ImpersonatedCredential scopes. It's possible to create an ImpersonatedCredential with explicit scopes set by calling CreateScoped(IEnumerable<string>)
Declaration
public virtual bool IsCreateScopedRequired { get; }Property Value
| Type | Description |
|---|---|
| bool |
QuotaProject
The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.
Declaration
public string QuotaProject { get; }Property Value
| Type | Description |
|---|---|
| string |
UnderlyingCredential
Gets the underlying credential instance being wrapped.
Declaration
public ICredential UnderlyingCredential { get; }Property Value
| Type | Description |
|---|---|
| ICredential |
Methods
CreateScoped(IEnumerable<string>)
If this library supports setting explicit scopes on this credential, this method will creates a copy of the credential with the specified scopes. Otherwise, it returns the same instance. See IsCreateScopedRequired for more information.
Declaration
public virtual GoogleCredential CreateScoped(IEnumerable<string> scopes)Parameters
| Type | Name | Description |
|---|---|---|
| IEnumerable<string> | scopes |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
CreateScoped(params string[])
If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance.
Declaration
public GoogleCredential CreateScoped(params string[] scopes)Parameters
| Type | Name | Description |
|---|---|---|
| string[] | scopes |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
CreateWithEnvironmentQuotaProject()
Creates a copy of this credential with the ambient quota project as set in QuotaProjectEnvironmentVariable. If QuotaProjectEnvironmentVariable is not set, or if it is set to the empty value, this method returns this instance.
Declaration
public GoogleCredential CreateWithEnvironmentQuotaProject()Returns
| Type | Description |
|---|---|
| GoogleCredential |
Remarks
The ADC quota project value will be overwritten only if the environment variable is present and set to a non-empty value. If the environment variable is not present or if it is present but unset, the credential returned will maintain whatever quota project value it already had, i.e. the credential's quota project value will not be unset.
CreateWithHttpClientFactory(IHttpClientFactory)
Creates a copy of this credential with the specified HTTP client factory.
Declaration
public virtual GoogleCredential CreateWithHttpClientFactory(IHttpClientFactory factory)Parameters
| Type | Name | Description |
|---|---|---|
| IHttpClientFactory | factory | The HTTP client factory to be used by the new credential. May be null, in which case the default Google.Apis.Http.HttpClientFactory will be used. |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
CreateWithQuotaProject(string)
Creates a copy of this credential with the specified quota project.
Declaration
public virtual GoogleCredential CreateWithQuotaProject(string quotaProject)Parameters
| Type | Name | Description |
|---|---|---|
| string | quotaProject | The quota project to use for the copy. May be null. |
Returns
| Type | Description |
|---|---|
| GoogleCredential | A copy of this credential with QuotaProject set to |
CreateWithUniverseDomain(string)
If the credential supports custom universe domains this method will create a copy of the credential with the specified universe domain set. Otherwise, it throws InvalidOperationException.
Declaration
public GoogleCredential CreateWithUniverseDomain(string universeDomain)Parameters
| Type | Name | Description |
|---|---|---|
| string | universeDomain | The universe domain to use for the credential. May be null, in which case the default universe domain will be used. |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
CreateWithUser(string)
If the credential supports Domain Wide Delegation, this method creates a copy of the credential with the specified user. Otherwise, it throws InvalidOperationException. At the moment only ServiceAccountCredential supports Domain Wide Delegation.
Declaration
public virtual GoogleCredential CreateWithUser(string user)Parameters
| Type | Name | Description |
|---|---|---|
| string | user | The user that the returned credential will be a delegate for. |
Returns
| Type | Description |
|---|---|
| GoogleCredential | A copy of this credential with the user set to |
Exceptions
| Type | Condition |
|---|---|
| InvalidOperationException | When the credential type doesn't support Domain Wide Delegation. |
FromAccessToken(string, IAccessMethod)
Create a GoogleCredential directly from the provided access token. The access token will not be automatically refreshed.
Declaration
public static GoogleCredential FromAccessToken(string accessToken, IAccessMethod accessMethod = null)Parameters
| Type | Name | Description |
|---|---|---|
| string | accessToken | The access token to use within this credential. |
| IAccessMethod | accessMethod | Optional. The IAccessMethod to use within this credential.
If |
Returns
| Type | Description |
|---|---|
| GoogleCredential | A credential based on the provided access token. |
FromComputeCredential(ComputeCredential)
Create a GoogleCredential from a ComputeCredential. In general, do not use this method. Call GetApplicationDefault() or GetApplicationDefaultAsync(CancellationToken), which will provide the most suitable credentials for the current platform.
Declaration
public static GoogleCredential FromComputeCredential(ComputeCredential computeCredential = null)Parameters
| Type | Name | Description |
|---|---|---|
| ComputeCredential | computeCredential | Optional. The compute credential to use in the returned GoogleCredential.
If |
Returns
| Type | Description |
|---|---|
| GoogleCredential | A GoogleCredential with an underlying ComputeCredential. |
FromFile(string)
Loads credential from the specified file containing JSON credential data.
The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.
Declaration
public static GoogleCredential FromFile(string path)Parameters
| Type | Name | Description |
|---|---|---|
| string | path | The path to the credential file. |
Returns
| Type | Description |
|---|---|
| GoogleCredential | The loaded credentials. |
Remarks
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
FromFileAsync(string, CancellationToken)
Loads credential from the specified file containing JSON credential data.
The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.
Declaration
public static Task<GoogleCredential> FromFileAsync(string path, CancellationToken cancellationToken)Parameters
| Type | Name | Description |
|---|---|---|
| string | path | The path to the credential file. |
| CancellationToken | cancellationToken | Cancellation token for the operation. |
Returns
| Type | Description |
|---|---|
| Task<GoogleCredential> | The loaded credentials. |
Remarks
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
FromJson(string)
Loads credential from a string containing JSON credential data.
The string can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.
Declaration
public static GoogleCredential FromJson(string json)Parameters
| Type | Name | Description |
|---|---|---|
| string | json |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
Remarks
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
FromJsonParameters(JsonCredentialParameters)
Loads a credential from JSON credential parameters. Fields are a union of credential fields for all supported types. JsonCredentialParameters for more detailed information about supported types and corresponding fields.
Declaration
public static GoogleCredential FromJsonParameters(JsonCredentialParameters credentialParameters)Parameters
| Type | Name | Description |
|---|---|---|
| JsonCredentialParameters | credentialParameters |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
Remarks
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
FromServiceAccountCredential(ServiceAccountCredential)
Creates a GoogleCredential wrapping a ServiceAccountCredential.
Declaration
public static GoogleCredential FromServiceAccountCredential(ServiceAccountCredential credential)Parameters
| Type | Name | Description |
|---|---|---|
| ServiceAccountCredential | credential |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
FromStream(Stream)
Loads credential from stream containing JSON credential data.
The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.
Declaration
public static GoogleCredential FromStream(Stream stream)Parameters
| Type | Name | Description |
|---|---|---|
| Stream | stream |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
Remarks
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
FromStreamAsync(Stream, CancellationToken)
Loads credential from stream containing JSON credential data.
The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.
Declaration
public static Task<GoogleCredential> FromStreamAsync(Stream stream, CancellationToken cancellationToken)Parameters
| Type | Name | Description |
|---|---|---|
| Stream | stream | |
| CancellationToken | cancellationToken |
Returns
| Type | Description |
|---|---|
| Task<GoogleCredential> |
Remarks
Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
GetApplicationDefault()
Synchronously returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See GetApplicationDefaultAsync(CancellationToken) for details on application default credentials.
This method will block until the credentials are available (or an exception is thrown). It is highly preferable to call GetApplicationDefaultAsync(CancellationToken) where possible.
Declaration
public static GoogleCredential GetApplicationDefault()Returns
| Type | Description |
|---|---|
| GoogleCredential | The application default credentials. |
GetApplicationDefaultAsync()
Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See GetApplicationDefaultAsync(CancellationToken) for more details.
Declaration
public static Task<GoogleCredential> GetApplicationDefaultAsync()Returns
| Type | Description |
|---|---|
| Task<GoogleCredential> | A task which completes with the application default credentials. |
GetApplicationDefaultAsync(CancellationToken)
Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application.
The ambient credentials are determined as following order:
- The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified, it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded.
- If you have installed the Google Cloud SDK on your machine and have run the command GCloud Auth Login, your identity can be used as a proxy to test code calling APIs from that machine.
- If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used.
-
If all previous steps have failed,
InvalidOperationExceptionis thrown.
Declaration
public static Task<GoogleCredential> GetApplicationDefaultAsync(CancellationToken cancellationToken)Parameters
| Type | Name | Description |
|---|---|---|
| CancellationToken | cancellationToken | Cancellation token for the operation. |
Returns
| Type | Description |
|---|---|
| Task<GoogleCredential> | A task which completes with the application default credentials. |
Remarks
If the cancellation token is cancelled while the underlying operation is loading Application Default Credentials, the underlying operation will still be used for any further requests. No actual work is cancelled via this cancellation token; it just allows the returned task to transition to a cancelled state.
GetOidcTokenAsync(OidcTokenOptions, CancellationToken)
Returns an OIDC token for the given options.
Declaration
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)Parameters
| Type | Name | Description |
|---|---|---|
| OidcTokenOptions | options | The options to create the token from. |
| CancellationToken | cancellationToken | The cancellation token that may be used to cancel the request. |
Returns
| Type | Description |
|---|---|
| Task<OidcToken> | The OIDC token. |
GetUniverseDomain()
Returns the universe domain this credential belongs to.
Declaration
public string GetUniverseDomain()Returns
| Type | Description |
|---|---|
| string |
Remarks
Because GetUniverseDomainAsync(CancellationToken) is truly async only once, at most, in the lifetime of an application, this method exists for convenience. It can always be safely used for all credential types except for ComputeCredential. For ComputeCredential, the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of ComputeCredential. That first time, this method may block while waiting for the HTTP call to complete. After that, this method will always be safe to use. Will never return null.
GetUniverseDomainAsync(CancellationToken)
Returns the universe domain this credential belongs to.
Declaration
public Task<string> GetUniverseDomainAsync(CancellationToken cancellationToken)Parameters
| Type | Name | Description |
|---|---|---|
| CancellationToken | cancellationToken |
Returns
| Type | Description |
|---|---|
| Task<string> |
Remarks
For most credential types, this operation is synchronous and will always
return a completed task.
For ComputeCredential, the universe domain is obtained from the
metadata server, which requires an HTTP call. This value is obtained only once,
the first time it is requested for any instance of ComputeCredential.
Once the universe has been fetched this method will always return a completed task.
The task's result will never be null.
Note that each cancellationToken will only apply to the call
that provided it and not to subsequent calls. For instance, even if the first call
to GetUniverseDomainAsync(CancellationToken) is cancelled, subsequent
calls may still succeed.
Impersonate(Initializer)
Allows this credential to impersonate the TargetPrincipal. Only ServiceAccountCredential and UserCredential support impersonation, so this method will throw InvalidOperationException if this credential's UnderlyingCredential is not of one of those supported types.
Declaration
public GoogleCredential Impersonate(ImpersonatedCredential.Initializer initializer)Parameters
| Type | Name | Description |
|---|---|---|
| ImpersonatedCredential.Initializer | initializer | Initializer containing the configuration for the impersonated credential. |
Returns
| Type | Description |
|---|---|
| GoogleCredential |
Remarks
For impersonation, a credential needs to be scoped to https://www.googleapis.com/auth/iam. When using a ServiceAccountCredential as the source credential, this is not a problem, since the credential can be scoped on demand. When using a UserCredential the credential needs to have been obtained with the required scope, else, when attempting and impersonated request, you'll receive an authorization error.
SignBlobAsync(byte[], CancellationToken)
Returns the base64 encoded signature of the given blob.
Declaration
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)Parameters
| Type | Name | Description |
|---|---|---|
| byte[] | blob | The blob to sign. |
| CancellationToken | cancellationToken | The cancellation token. |
Returns
| Type | Description |
|---|---|
| Task<string> | The base64 encoded signature. |