public class GoogleCredential
extends com.google.api.client.auth.oauth2.Credential
There are three modes supported: access token only, refresh token flow, and service account flow (with or without impersonating a user).
If all you have is an access token, you simply pass the TokenResponse
to the credential
using Credential.setFromTokenResponse(TokenResponse)
. Google credential uses
BearerToken.authorizationHeaderAccessMethod()
as the access method. Sample usage:
public static GoogleCredential createCredentialWithAccessTokenOnly(TokenResponse tokenResponse) { return new GoogleCredential().setFromTokenResponse(tokenResponse); }
If you have a refresh token, it is similar to the case of access token only, but you additionally
need to pass the credential the client secrets using
GoogleCredential.Builder.setClientSecrets(GoogleClientSecrets)
or
GoogleCredential.Builder.setClientSecrets(String, String)
. Google credential uses
GoogleOAuthConstants.TOKEN_SERVER_URL
as the token server URL, and
ClientParametersAuthentication
with the client ID and secret as the client
authentication. Sample usage:
public static GoogleCredential createCredentialWithRefreshToken(HttpTransport transport, JsonFactory jsonFactory, GoogleClientSecrets clientSecrets, TokenResponse tokenResponse) { return new GoogleCredential.Builder().setTransport(transport) .setJsonFactory(jsonFactory) .setClientSecrets(clientSecrets) .build() .setFromTokenResponse(tokenResponse); }
The service account
flow is used when you want to access data owned by your client application. You download the
private key in a .p12
file from the Google APIs Console. Use
GoogleCredential.Builder.setServiceAccountId(String)
,
GoogleCredential.Builder.setServiceAccountPrivateKeyFromP12File(File)
, and
GoogleCredential.Builder.setServiceAccountScopes(Collection)
. Sample usage:
public static GoogleCredential createCredentialForServiceAccount( HttpTransport transport, JsonFactory jsonFactory, String serviceAccountId, Collection<String> serviceAccountScopes, File p12File) throws GeneralSecurityException, IOException { return new GoogleCredential.Builder().setTransport(transport) .setJsonFactory(jsonFactory) .setServiceAccountId(serviceAccountId) .setServiceAccountScopes(serviceAccountScopes) .setServiceAccountPrivateKeyFromP12File(p12File) .build(); }
You can also use the service account flow to impersonate a user in a domain that you own. This is
very similar to the service account flow above, but you additionally call
GoogleCredential.Builder.setServiceAccountUser(String)
. Sample usage:
public static GoogleCredential createCredentialForServiceAccountImpersonateUser( HttpTransport transport, JsonFactory jsonFactory, String serviceAccountId, Collection<String> serviceAccountScopes, File p12File, String serviceAccountUser) throws GeneralSecurityException, IOException { return new GoogleCredential.Builder().setTransport(transport) .setJsonFactory(jsonFactory) .setServiceAccountId(serviceAccountId) .setServiceAccountScopes(serviceAccountScopes) .setServiceAccountPrivateKeyFromP12File(p12File) .setServiceAccountUser(serviceAccountUser) .build(); }
If you need to persist the access token in a data store, use DataStoreFactory
and
GoogleCredential.Builder.addRefreshListener(CredentialRefreshListener)
with
DataStoreCredentialRefreshListener
.
If you have a custom request initializer, request execute interceptor, or unsuccessful response
handler, take a look at the sample usage for HttpExecuteInterceptor
and
HttpUnsuccessfulResponseHandler
, which are interfaces that this class also implements.
Modifier and Type | Class and Description |
---|---|
static class |
GoogleCredential.Builder
Google credential builder.
|
Modifier | Constructor and Description |
---|---|
|
GoogleCredential()
Constructor with the ability to access protected resources, but not refresh tokens.
|
protected |
GoogleCredential(GoogleCredential.Builder builder) |
Modifier and Type | Method and Description |
---|---|
GoogleCredential |
createDelegated(String user)
Beta For service accounts that need to delegate to a specific user, create a copy of the credential with the specified user. |
GoogleCredential |
createScoped(Collection<String> scopes)
Beta For credentials that require scopes, creates a copy of the credential with the specified scopes. |
boolean |
createScopedRequired()
Beta Indicates whether the credential requires scopes to be specified by calling createScoped before use. |
protected com.google.api.client.auth.oauth2.TokenResponse |
executeRefreshToken() |
static GoogleCredential |
fromStream(InputStream credentialStream)
Beta Return a credential defined by a Json file. |
static GoogleCredential |
fromStream(InputStream credentialStream,
com.google.api.client.http.HttpTransport transport,
com.google.api.client.json.JsonFactory jsonFactory)
Beta Return a credential defined by a Json file. |
static GoogleCredential |
getApplicationDefault()
Beta Returns the Application Default Credentials. |
static GoogleCredential |
getApplicationDefault(com.google.api.client.http.HttpTransport transport,
com.google.api.client.json.JsonFactory jsonFactory)
Beta Returns the Application Default Credentials. |
String |
getServiceAccountId()
Returns the service account ID (typically an e-mail address) or
null if not using the
service account flow. |
PrivateKey |
getServiceAccountPrivateKey()
Returns the private key to use with the service account flow or
null if not using
the service account flow. |
String |
getServiceAccountPrivateKeyId()
Beta Returns the ID of the private key to use with the service account flow or null if
not using the service account flow. |
String |
getServiceAccountProjectId()
Returns the service account Project ID or
null if not present, either because this is
not using the service account flow, or is using an older version of the service account
configuration. |
Collection<String> |
getServiceAccountScopes()
Returns a collection of OAuth scopes to use with the service account flow or
null
if not using the service account flow. |
String |
getServiceAccountScopesAsString()
Returns the space-separated OAuth scopes to use with the service account flow or
null if not using the service account flow. |
String |
getServiceAccountUser()
Returns the email address of the user the application is trying to impersonate in the service
account flow or
null for none or if not using the service account flow. |
GoogleCredential |
setAccessToken(String accessToken) |
GoogleCredential |
setExpirationTimeMilliseconds(Long expirationTimeMilliseconds) |
GoogleCredential |
setExpiresInSeconds(Long expiresIn) |
GoogleCredential |
setFromTokenResponse(com.google.api.client.auth.oauth2.TokenResponse tokenResponse) |
GoogleCredential |
setRefreshToken(String refreshToken) |
GoogleCredential.Builder |
toBuilder()
Beta Create a builder from this credential. |
getAccessToken, getClientAuthentication, getClock, getExpirationTimeMilliseconds, getExpiresInSeconds, getJsonFactory, getMethod, getRefreshListeners, getRefreshToken, getRequestInitializer, getTokenServerEncodedUrl, getTransport, handleResponse, initialize, intercept, refreshToken
public GoogleCredential()
To use with the ability to refresh tokens, use GoogleCredential.Builder
.
protected GoogleCredential(GoogleCredential.Builder builder)
builder
- Google credential builder@Beta public static GoogleCredential getApplicationDefault() throws IOException
Beta
Returns the Application Default Credentials which are credentials that identify and authorize the whole application. This is the built-in service account if running on Google Compute Engine or the credentials file from the path in the environment variable GOOGLE_APPLICATION_CREDENTIALS.
IOException
- if the credential cannot be created in the current environment.@Beta public static GoogleCredential getApplicationDefault(com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) throws IOException
Beta
Returns the Application Default Credentials which are credentials that identify and authorize the whole application. This is the built-in service account if running on Google Compute Engine or the credentials file from the path in the environment variable GOOGLE_APPLICATION_CREDENTIALS.
transport
- the transport for Http calls.jsonFactory
- the factory for Json parsing and formatting.IOException
- if the credential cannot be created in the current environment.@Beta public static GoogleCredential fromStream(InputStream credentialStream) throws IOException
Beta
credentialStream
- the stream with the credential definition.IOException
- if the credential cannot be created from the stream.@Beta public static GoogleCredential fromStream(InputStream credentialStream, com.google.api.client.http.HttpTransport transport, com.google.api.client.json.JsonFactory jsonFactory) throws IOException
Beta
credentialStream
- the stream with the credential definition.transport
- the transport for Http calls.jsonFactory
- the factory for Json parsing and formatting.IOException
- if the credential cannot be created from the stream.public GoogleCredential setAccessToken(String accessToken)
setAccessToken
in class com.google.api.client.auth.oauth2.Credential
public GoogleCredential setRefreshToken(String refreshToken)
setRefreshToken
in class com.google.api.client.auth.oauth2.Credential
public GoogleCredential setExpirationTimeMilliseconds(Long expirationTimeMilliseconds)
setExpirationTimeMilliseconds
in class com.google.api.client.auth.oauth2.Credential
public GoogleCredential setExpiresInSeconds(Long expiresIn)
setExpiresInSeconds
in class com.google.api.client.auth.oauth2.Credential
public GoogleCredential setFromTokenResponse(com.google.api.client.auth.oauth2.TokenResponse tokenResponse)
setFromTokenResponse
in class com.google.api.client.auth.oauth2.Credential
@Beta protected com.google.api.client.auth.oauth2.TokenResponse executeRefreshToken() throws IOException
executeRefreshToken
in class com.google.api.client.auth.oauth2.Credential
IOException
public final String getServiceAccountId()
null
if not using the
service account flow.public final String getServiceAccountProjectId()
null
if not present, either because this is
not using the service account flow, or is using an older version of the service account
configuration.public final Collection<String> getServiceAccountScopes()
null
if not using the service account flow.public final String getServiceAccountScopesAsString()
null
if not using the service account flow.public final PrivateKey getServiceAccountPrivateKey()
null
if not using
the service account flow.@Beta public final String getServiceAccountPrivateKeyId()
Beta
null
if
not using the service account flow.public final String getServiceAccountUser()
null
for none or if not using the service account flow.@Beta public boolean createScopedRequired()
Beta
@Beta public GoogleCredential createScoped(Collection<String> scopes)
Beta
@Beta public GoogleCredential createDelegated(String user)
Beta
@Beta public GoogleCredential.Builder toBuilder()
Beta
Copyright © 2010–2019 Google. All rights reserved.