Class ServiceAccountCredential

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.

Take a look in https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details.

Since version 1.9.3, service account credential also supports JSON Web Token access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used as an access token directly. See GetAccessTokenForRequestAsync(string, CancellationToken) for explanation when JWT access token is used and when regular OAuth2 token is used.

Inheritance
object
ServiceCredential
ServiceAccountCredential
Implements
Google.Apis.Http.IHttpExecuteInterceptor
Google.Apis.Http.IHttpUnsuccessfulResponseHandler
Google.Apis.Http.IConfigurableHttpClientInitializer
Inherited Members
object.Equals(object)
object.Equals(object, object)
object.GetHashCode()
object.GetType()
object.MemberwiseClone()
object.ReferenceEquals(object, object)
object.ToString()
Namespace: Google.Apis.Auth.OAuth2
Assembly: Google.Apis.Auth.dll
Syntax
public class ServiceAccountCredential : ServiceCredential, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IBlobSigner

Constructors

ServiceAccountCredential(Initializer)

Constructs a new service account credential using the given initializer.

Declaration
public ServiceAccountCredential(ServiceAccountCredential.Initializer initializer)
Parameters
Type Name Description
ServiceAccountCredential.Initializer initializer

Fields

UnixEpoch

Unix epoch as a DateTime

Declaration
protected static readonly DateTime UnixEpoch
Field Value
Type Description
System.DateTime

Properties

Id

Gets the service account ID (typically an e-mail address).

Declaration
public string Id { get; }
Property Value
Type Description
string

Key

Gets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature.

Declaration
public RSA Key { get; }
Property Value
Type Description
System.Security.Cryptography.RSA

KeyId

Gets the key id of the key which is used to sign the request.

Declaration
public string KeyId { get; }
Property Value
Type Description
string

ProjectId

The project ID associated with this credential.

Declaration
public string ProjectId { get; }
Property Value
Type Description
string

UseJwtAccessWithScopes

Gets the flag indicating whether Self-Signed JWT should be used when OAuth scopes are set. This flag will be ignored if this credential has User set, meaning it is used with domain-wide delegation. Self-Signed JWTs won't be used in that case.

Declaration
public bool UseJwtAccessWithScopes { get; }
Property Value
Type Description
bool

User

Gets the email address of the user the application is trying to impersonate in the service account flow or null.

Declaration
public string User { get; }
Property Value
Type Description
string

Methods

CreateSignature(byte[])

Creates a base64 encoded signature for the SHA-256 hash of the specified data.

Declaration
public string CreateSignature(byte[] data)
Parameters
Type Name Description
byte[] data

The data to hash and sign. Must not be null.
Returns
Type Description
string

The base-64 encoded signature.

FromServiceAccountData(Stream)

Creates a new ServiceAccountCredential instance from JSON credential data.

Declaration
public static ServiceAccountCredential FromServiceAccountData(Stream credentialData)
Parameters
Type Name Description
System.IO.Stream credentialData

The stream from which to read the JSON key data for a service account. Must not be null.
Returns
Type Description
ServiceAccountCredential

The credentials parsed from the service account key data.
Exceptions
Type Condition
System.InvalidOperationException

The credentialData does not contain valid JSON service account key data.

GetAccessTokenForRequestAsync(string, CancellationToken)

Gets an access token to authorize a request. An OAuth2 access token obtained from TokenServerUrl will be returned in the following two cases:

  1. If this credential has Scopes associated, but UseJwtAccessWithScopes is false;
  2. If this credential is used with domain-wide delegation, that is, the User is set; Otherwise, a locally signed JWT will be returned. The signed JWT will contain a "scope" claim with the scopes in Scopes if there are any, otherwise it will contain an "aud" claim with authUri. A cached token is used if possible and the token is only refreshed once it's close to its expiry.
Declaration
public override Task<string> GetAccessTokenForRequestAsync(string authUri = null, CancellationToken cancellationToken = default)
Parameters
Type Name Description
string authUri

The URI the returned token will grant access to. Should be specified if no Scopes have been specified for the credential.
System.Threading.CancellationToken cancellationToken

The cancellation token.
Returns
Type Description
System.Threading.Tasks.Task<TResult><string>

The access token.
Overrides

GetOidcTokenAsync(OidcTokenOptions, CancellationToken)

Returns an OIDC token for the given options.

Declaration
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)
Parameters
Type Name Description
OidcTokenOptions options

The options to create the token from.
System.Threading.CancellationToken cancellationToken

The cancellation token that may be used to cancel the request.
Returns
Type Description
System.Threading.Tasks.Task<TResult><OidcToken>

The OIDC token.

RequestAccessTokenAsync(CancellationToken)

Requests a new token as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.

Declaration
public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)
Parameters
Type Name Description
System.Threading.CancellationToken taskCancellationToken

Cancellation token to cancel operation.
Returns
Type Description
System.Threading.Tasks.Task<TResult><bool>

true if a new token was received successfully.
Overrides

SignBlobAsync(byte[], CancellationToken)

Returns the base64 encoded signature of the given blob.

Declaration
public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)
Parameters
Type Name Description
byte[] blob

The blob to sign.
System.Threading.CancellationToken cancellationToken

The cancellation token.
Returns
Type Description
System.Threading.Tasks.Task<TResult><string>

The base64 encoded signature.

WithUseJwtAccessWithScopes(bool)

Constructs a new instance of the ServiceAccountCredential but with the given UseJwtAccessWithScopes value.

Declaration
public ServiceAccountCredential WithUseJwtAccessWithScopes(bool useJwtAccessWithScopes)
Parameters
Type Name Description
bool useJwtAccessWithScopes

A flag preferring use of self-signed JWTs over OAuth tokens when OAuth scopes are explicitly set.
Returns
Type Description
ServiceAccountCredential

A new instance of the ServiceAccountCredential but with the given UseJwtAccessWithScopes value.

Implements

Google.Apis.Http.IHttpExecuteInterceptor
Google.Apis.Http.IHttpUnsuccessfulResponseHandler
Google.Apis.Http.IConfigurableHttpClientInitializer