Class GoogleCredential

Credential for authorizing calls using OAuth 2.0. It is a convenience wrapper that allows handling of different types of credentials (like ServiceAccountCredential, ComputeCredential or UserCredential) in a unified way.

See GetApplicationDefaultAsync(CancellationToken) for the credential retrieval logic.

Inheritance
object
GoogleCredential
Implements
IConfigurableHttpClientInitializer
IHttpExecuteInterceptor
Inherited Members
Namespace: Google.Apis.Auth.OAuth2
Assembly: Google.Apis.Auth.dll
Syntax
public class GoogleCredential : ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IOidcTokenProvider, IBlobSigner, IHttpExecuteInterceptor

Properties

IsCreateScopedRequired

Returns true only if this credential supports explicit scopes to be set via this library but no explicit scopes have been set. A credential with explicit scopes set may be created by calling CreateScoped(IEnumerable<string>).

For accessing Google services, credentials need to be scoped. Credentials have some default scoping, but this library supports explicit scopes to be set for certain credentials.

  1. ComputeCredential is scoped by default but in some environments it may be scoped explicitly, for instance when running on GKE with Workload Identity or on AppEngine Flex. It's possible to create a ComputeCredential with explicit scopes set by calling CreateScoped(IEnumerable<string>). If running on an environment that does not accept explicit scoping, for instance GCE where scopes are set on the VM, explicit scopes will be ignored.
  2. UserCredential is scoped by default, as scopes were obtained during the consent screen. It's not possible to change the default scopes of a UserCredential.
  3. ServiceAccountCredential is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. It's possible to create a ServiceAccountCredential with explicit scopes set by calling CreateScoped(IEnumerable<string>)
  4. ImpersonatedCredential is not scoped by default but when used without explicit scopes to access a Google service, the service's default scopes will be assumed. Note that the scopes of an SourceCredential have no bearings on the ImpersonatedCredential scopes. It's possible to create an ImpersonatedCredential with explicit scopes set by calling CreateScoped(IEnumerable<string>)
Declaration
public virtual bool IsCreateScopedRequired { get; }
Property Value
Type Description
bool

QuotaProject

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

Declaration
public string QuotaProject { get; }
Property Value
Type Description
string

UnderlyingCredential

Gets the underlying credential instance being wrapped.

Declaration
public ICredential UnderlyingCredential { get; }
Property Value
Type Description
ICredential

Methods

CreateScoped(IEnumerable<string>)

If this library supports setting explicit scopes on this credential, this method will creates a copy of the credential with the specified scopes. Otherwise, it returns the same instance. See IsCreateScopedRequired for more information.

Declaration
public virtual GoogleCredential CreateScoped(IEnumerable<string> scopes)
Parameters
Type Name Description
IEnumerable<string> scopes
Returns
Type Description
GoogleCredential

CreateScoped(params string[])

If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance.

Declaration
public GoogleCredential CreateScoped(params string[] scopes)
Parameters
Type Name Description
string[] scopes
Returns
Type Description
GoogleCredential

CreateWithEnvironmentQuotaProject()

Creates a copy of this credential with the ambient quota project as set in QuotaProjectEnvironmentVariable. If QuotaProjectEnvironmentVariable is not set, or if it is set to the empty value, this method returns this instance.

Declaration
public GoogleCredential CreateWithEnvironmentQuotaProject()
Returns
Type Description
GoogleCredential
Remarks

The ADC quota project value will be overwritten only if the environment variable is present and set to a non-empty value. If the environment variable is not present or if it is present but unset, the credential returned will maintain whatever quota project value it already had, i.e. the credential's quota project value will not be unset.

CreateWithHttpClientFactory(IHttpClientFactory)

Creates a copy of this credential with the specified HTTP client factory.

Declaration
public virtual GoogleCredential CreateWithHttpClientFactory(IHttpClientFactory factory)
Parameters
Type Name Description
IHttpClientFactory factory

The HTTP client factory to be used by the new credential. May be null, in which case the default Google.Apis.Http.HttpClientFactory will be used.
Returns
Type Description
GoogleCredential

CreateWithQuotaProject(string)

Creates a copy of this credential with the specified quota project.

Declaration
public virtual GoogleCredential CreateWithQuotaProject(string quotaProject)
Parameters
Type Name Description
string quotaProject

The quota project to use for the copy. May be null.
Returns
Type Description
GoogleCredential

A copy of this credential with QuotaProject set to quotaProject.

CreateWithUniverseDomain(string)

If the credential supports custom universe domains this method will create a copy of the credential with the specified universe domain set. Otherwise, it throws InvalidOperationException.

Declaration
public GoogleCredential CreateWithUniverseDomain(string universeDomain)
Parameters
Type Name Description
string universeDomain

The universe domain to use for the credential. May be null, in which case the default universe domain will be used.
Returns
Type Description
GoogleCredential

CreateWithUser(string)

If the credential supports Domain Wide Delegation, this method creates a copy of the credential with the specified user. Otherwise, it throws InvalidOperationException. At the moment only ServiceAccountCredential supports Domain Wide Delegation.

Declaration
public virtual GoogleCredential CreateWithUser(string user)
Parameters
Type Name Description
string user

The user that the returned credential will be a delegate for.
Returns
Type Description
GoogleCredential

A copy of this credential with the user set to user.
Exceptions
Type Condition
InvalidOperationException

When the credential type doesn't support Domain Wide Delegation.

FromAccessToken(string, IAccessMethod)

Create a GoogleCredential directly from the provided access token. The access token will not be automatically refreshed.

Declaration
public static GoogleCredential FromAccessToken(string accessToken, IAccessMethod accessMethod = null)
Parameters
Type Name Description
string accessToken

The access token to use within this credential.
IAccessMethod accessMethod

Optional. The IAccessMethod to use within this credential. If null, will default to BearerToken.AuthorizationHeaderAccessMethod.
Returns
Type Description
GoogleCredential

A credential based on the provided access token.

FromComputeCredential(ComputeCredential)

Create a GoogleCredential from a ComputeCredential. In general, do not use this method. Call GetApplicationDefault() or GetApplicationDefaultAsync(CancellationToken), which will provide the most suitable credentials for the current platform.

Declaration
public static GoogleCredential FromComputeCredential(ComputeCredential computeCredential = null)
Parameters
Type Name Description
ComputeCredential computeCredential

Optional. The compute credential to use in the returned GoogleCredential. If null, then a new ComputeCredential will be instantiated, using the default ComputeCredential.Initializer.
Returns
Type Description
GoogleCredential

A GoogleCredential with an underlying ComputeCredential.

FromFile(string)

Loads credential from the specified file containing JSON credential data.

The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static GoogleCredential FromFile(string path)
Parameters
Type Name Description
string path

The path to the credential file.
Returns
Type Description
GoogleCredential

The loaded credentials.
Remarks

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

FromFileAsync(string, CancellationToken)

Loads credential from the specified file containing JSON credential data.

The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static Task<GoogleCredential> FromFileAsync(string path, CancellationToken cancellationToken)
Parameters
Type Name Description
string path

The path to the credential file.
CancellationToken cancellationToken

Cancellation token for the operation.
Returns
Type Description
Task<GoogleCredential>

The loaded credentials.
Remarks

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

FromJson(string)

Loads credential from a string containing JSON credential data.

The string can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static GoogleCredential FromJson(string json)
Parameters
Type Name Description
string json
Returns
Type Description
GoogleCredential
Remarks

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

FromJsonParameters(JsonCredentialParameters)

Loads a credential from JSON credential parameters. Fields are a union of credential fields for all supported types. JsonCredentialParameters for more detailed information about supported types and corresponding fields.

Declaration
public static GoogleCredential FromJsonParameters(JsonCredentialParameters credentialParameters)
Parameters
Type Name Description
JsonCredentialParameters credentialParameters
Returns
Type Description
GoogleCredential
Remarks

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

FromServiceAccountCredential(ServiceAccountCredential)

Creates a GoogleCredential wrapping a ServiceAccountCredential.

Declaration
public static GoogleCredential FromServiceAccountCredential(ServiceAccountCredential credential)
Parameters
Type Name Description
ServiceAccountCredential credential
Returns
Type Description
GoogleCredential

FromStream(Stream)

Loads credential from stream containing JSON credential data.

The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static GoogleCredential FromStream(Stream stream)
Parameters
Type Name Description
Stream stream
Returns
Type Description
GoogleCredential
Remarks

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

FromStreamAsync(Stream, CancellationToken)

Loads credential from stream containing JSON credential data.

The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Declaration
public static Task<GoogleCredential> FromStreamAsync(Stream stream, CancellationToken cancellationToken)
Parameters
Type Name Description
Stream stream
CancellationToken cancellationToken
Returns
Type Description
Task<GoogleCredential>
Remarks

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

GetApplicationDefault()

Synchronously returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See GetApplicationDefaultAsync(CancellationToken) for details on application default credentials.

This method will block until the credentials are available (or an exception is thrown). It is highly preferable to call GetApplicationDefaultAsync(CancellationToken) where possible.

Declaration
public static GoogleCredential GetApplicationDefault()
Returns
Type Description
GoogleCredential

The application default credentials.

GetApplicationDefaultAsync()

Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See GetApplicationDefaultAsync(CancellationToken) for more details.

Declaration
public static Task<GoogleCredential> GetApplicationDefaultAsync()
Returns
Type Description
Task<GoogleCredential>

A task which completes with the application default credentials.

GetApplicationDefaultAsync(CancellationToken)

Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application.

The ambient credentials are determined as following order:

  1. The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified, it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded.
  2. If you have installed the Google Cloud SDK on your machine and have run the command GCloud Auth Login, your identity can be used as a proxy to test code calling APIs from that machine.
  3. If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used.
  4. If all previous steps have failed, InvalidOperationException is thrown.
Declaration
public static Task<GoogleCredential> GetApplicationDefaultAsync(CancellationToken cancellationToken)
Parameters
Type Name Description
CancellationToken cancellationToken

Cancellation token for the operation.
Returns
Type Description
Task<GoogleCredential>

A task which completes with the application default credentials.
Remarks

If the cancellation token is cancelled while the underlying operation is loading Application Default Credentials, the underlying operation will still be used for any further requests. No actual work is cancelled via this cancellation token; it just allows the returned task to transition to a cancelled state.

GetOidcTokenAsync(OidcTokenOptions, CancellationToken)

Returns an OIDC token for the given options.

Declaration
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)
Parameters
Type Name Description
OidcTokenOptions options

The options to create the token from.
CancellationToken cancellationToken

The cancellation token that may be used to cancel the request.
Returns
Type Description
Task<OidcToken>

The OIDC token.

GetUniverseDomain()

Returns the universe domain this credential belongs to.

Declaration
public string GetUniverseDomain()
Returns
Type Description
string
Remarks

Because GetUniverseDomainAsync(CancellationToken) is truly async only once, at most, in the lifetime of an application, this method exists for convenience. It can always be safely used for all credential types except for ComputeCredential. For ComputeCredential, the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of ComputeCredential. That first time, this method may block while waiting for the HTTP call to complete. After that, this method will always be safe to use. Will never return null.

GetUniverseDomainAsync(CancellationToken)

Returns the universe domain this credential belongs to.

Declaration
public Task<string> GetUniverseDomainAsync(CancellationToken cancellationToken)
Parameters
Type Name Description
CancellationToken cancellationToken
Returns
Type Description
Task<string>
Remarks

For most credential types, this operation is synchronous and will always return a completed task. For ComputeCredential, the universe domain is obtained from the metadata server, which requires an HTTP call. This value is obtained only once, the first time it is requested for any instance of ComputeCredential. Once the universe has been fetched this method will always return a completed task. The task's result will never be null. Note that each cancellationToken will only apply to the call that provided it and not to subsequent calls. For instance, even if the first call to GetUniverseDomainAsync(CancellationToken) is cancelled, subsequent calls may still succeed.

Impersonate(Initializer)

Allows this credential to impersonate the TargetPrincipal. Only ServiceAccountCredential and UserCredential support impersonation, so this method will throw InvalidOperationException if this credential's UnderlyingCredential is not of one of those supported types.

Declaration
public GoogleCredential Impersonate(ImpersonatedCredential.Initializer initializer)
Parameters
Type Name Description
ImpersonatedCredential.Initializer initializer

Initializer containing the configuration for the impersonated credential.
Returns
Type Description
GoogleCredential
Remarks

For impersonation, a credential needs to be scoped to https://www.googleapis.com/auth/iam. When using a ServiceAccountCredential as the source credential, this is not a problem, since the credential can be scoped on demand. When using a UserCredential the credential needs to have been obtained with the required scope, else, when attempting and impersonated request, you'll receive an authorization error.

SignBlobAsync(byte[], CancellationToken)

Returns the base64 encoded signature of the given blob.

Declaration
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)
Parameters
Type Name Description
byte[] blob

The blob to sign.
CancellationToken cancellationToken

The cancellation token.
Returns
Type Description
Task<string>

The base64 encoded signature.

Implements

Google.Apis.Http.IConfigurableHttpClientInitializer
Google.Apis.Http.IHttpExecuteInterceptor