Class ServiceCredential

This type of Google OAuth 2.0 credential enables access to protected resources using an access token when interacting server to server. For example, a service account credential could be used to access Google Cloud Storage from a web application without a user's involvement.

ServiceAccountCredential inherits from this class in order to support Service Accounts. More details available at: https://developers.google.com/accounts/docs/OAuth2ServiceAccount. ComputeCredential is another example of a class that inherits from this class in order to support Compute credentials. For more information about Compute authentication, see: https://cloud.google.com/compute/docs/authentication.

ExternalAccountCredential inherits from this class to support both Workload Identity Federation and Workforce Identity Federation. You can read more about these topics in https://cloud.google.com/iam/docs/workload-identity-federation and https://cloud.google.com/iam/docs/workforce-identity-federation respectively. Note that in the case of Workforce Identity Federation, the external account does not represent a service account but a user account, so, the fact that ExternalAccountCredential inherits from ServiceCredential might be construed as misleading. In reality ServiceCredential is not tied to a service account in terms of implementation, only in terms of name. For instance, a better name for this class might have been NoUserFlowCredential, and in that sense, it's correct that ExternalAccountCredential inherits from ServiceCredential even when representing a Workforce Identity Federation account.

Inheritance

object

ServiceCredential

ComputeCredential

ExternalAccountCredential

ImpersonatedCredential

ServiceAccountCredential

Implements

ICredential

IConfigurableHttpClientInitializer

ITokenAccessWithHeaders

ITokenAccess

IHttpExecuteInterceptor

IHttpUnsuccessfulResponseHandler

Inherited Members

object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.MemberwiseClone()

object.ReferenceEquals(object, object)

object.ToString()

Namespace: Google.Apis.Auth.OAuth2

Assembly: Google.Apis.Auth.dll

Syntax

public abstract class ServiceCredential : ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler

Constructors

ServiceCredential(Initializer)

Constructs a new service account credential using the given initializer.

Declaration

public ServiceCredential(ServiceCredential.Initializer initializer)

Parameters

Type	Name	Description
ServiceCredential.Initializer	initializer

Fields

Logger

Logger for this class

Declaration

protected static readonly ILogger Logger

Field Value

Type	Description
ILogger

Properties

AccessMethod

Gets the method for presenting the access token to the resource server.

Declaration

public IAccessMethod AccessMethod { get; }

Property Value

Type	Description
IAccessMethod

Clock

Gets the clock used to refresh the token if it expires.

Declaration

public IClock Clock { get; }

Property Value

Type	Description
IClock

HttpClient

Gets the HTTP client used to make authentication requests to the server.

Declaration

public ConfigurableHttpClient HttpClient { get; }

Property Value

Type	Description
ConfigurableHttpClient

QuotaProject

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

Declaration

public string QuotaProject { get; }

Property Value

Type	Description
string

Scopes

Scopes to request during the authorization grant. May be null or empty.

Declaration

public IEnumerable<string> Scopes { get; set; }

Property Value

Type	Description
IEnumerable<string>

Remarks

If the scopes are pre-granted through the environment, like in GCE where scopes are granted to the VM, scopes set here will be ignored.

Token

Gets the token response which contains the access token.

Declaration

public TokenResponse Token { get; set; }

Property Value

Type	Description
TokenResponse

TokenServerUrl

Gets the token server URL.

Declaration

public string TokenServerUrl { get; }

Property Value

Type	Description
string

Remarks

May be null for credential types that resolve token endpoints just before obtaining an access token. This is the case for ImpersonatedCredential where the SourceCredential is a ComputeCredential.

Methods

BuildCreateHttpClientArgs()

Builds HTTP client creation args from all this credential settings. These are used for initializing HttpClient.

Declaration

protected CreateHttpClientArgs BuildCreateHttpClientArgs()

Returns

Type	Description
CreateHttpClientArgs

GetAccessTokenForRequestAsync(string, CancellationToken)

Gets an access token to authorize a request. If the existing token expires soon, try to refresh it first. GetAccessTokenForRequestAsync(string, CancellationToken)

Declaration

public virtual Task<string> GetAccessTokenForRequestAsync(string authUri = null, CancellationToken cancellationToken = default)

Parameters

Type	Name	Description
string	authUri
CancellationToken	cancellationToken

Returns

Type	Description
Task<string>

GetAccessTokenWithHeadersForRequestAsync(string, CancellationToken)

Gets an access token to authorize a request. The token might be accompanied by extra information that should be sent in the form of headers. Implementations should handle automatic refreshes of the token if they are supported. The authUri might be required by some credential types (e.g. the JWT access token) while other credential types migth just ignore it.

Declaration

public Task<AccessTokenWithHeaders> GetAccessTokenWithHeadersForRequestAsync(string authUri = null, CancellationToken cancellationToken = default)

Parameters

Type	Name	Description
string	authUri	The URI the returned token will grant access to.
CancellationToken	cancellationToken	The cancellation token.

Returns

Type	Description
Task<AccessTokenWithHeaders>	The access token with headers if any.

HandleResponseAsync(HandleUnsuccessfulResponseArgs)

Decorates unsuccessful responses, returns true if the response gets modified. See IHttpUnsuccessfulResponseHandler for more information.

Declaration

public Task<bool> HandleResponseAsync(HandleUnsuccessfulResponseArgs args)

Parameters

Type	Name	Description
HandleUnsuccessfulResponseArgs	args

Returns

Type	Description
Task<bool>

Initialize(ConfigurableHttpClient)

Initializes a HTTP client after it was created.

Declaration

public void Initialize(ConfigurableHttpClient httpClient)

Parameters

Type	Name	Description
ConfigurableHttpClient	httpClient

InterceptAsync(HttpRequestMessage, CancellationToken)

Invoked before the request is being sent.

Declaration

public Task InterceptAsync(HttpRequestMessage request, CancellationToken cancellationToken)

Parameters

Type	Name	Description
HttpRequestMessage	request	The HTTP request message.
CancellationToken	cancellationToken	Cancellation token to cancel the operation.

Returns

Type	Description
Task

RequestAccessTokenAsync(CancellationToken)

Requests a new token.

Declaration

public abstract Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)

Parameters

Type	Name	Description
CancellationToken	taskCancellationToken	Cancellation token to cancel operation.

Returns

Type	Description
Task<bool>	`true` if a new token was received successfully.

Implements

ICredential

Google.Apis.Http.IConfigurableHttpClientInitializer

ITokenAccessWithHeaders

ITokenAccess

Google.Apis.Http.IHttpExecuteInterceptor

Google.Apis.Http.IHttpUnsuccessfulResponseHandler