src/auth/computeclient.ts
constructor(options: ComputeOptions)
|
||||||
|
Defined in src/auth/computeclient.ts:40
|
||||||
|
Google Compute Engine service account credentials. Retrieve access token from the metadata server. See: https://developers.google.com/compute/docs/authentication
Parameters :
|
| scopes |
Type : string[]
|
|
Defined in src/auth/computeclient.ts:40
|
| Optional _clientId |
Type : string
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:390
|
| Optional _clientSecret |
Type : string
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:393
|
| Optional apiKey |
Type : string
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:395
|
| eagerRefreshThresholdMillis |
Type : number
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:399
|
| forceRefreshOnFailure |
Type : boolean
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:401
|
| Optional projectId |
Type : string
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:397
|
| createScopedRequired |
createScopedRequired()
|
|
Defined in src/auth/computeclient.ts:63
|
|
Indicates whether the credential requires scopes to be created by calling createScoped before use.
Returns :
boolean
Boolean indicating if scope is required. |
| generateAuthUrl | ||||||||||
generateAuthUrl(opts: GenerateAuthUrlOpts)
|
||||||||||
|
Inherited from
OAuth2Client
|
||||||||||
|
Defined in
OAuth2Client:489
|
||||||||||
|
Generates URL for consent page landing.
Parameters :
Returns :
string
URL to consent page. |
| generateCodeVerifier |
generateCodeVerifier()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:506
|
|
Returns :
void
|
| Async generateCodeVerifierAsync |
generateCodeVerifierAsync()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:522
|
|
Convenience method to automatically generate a code_verifier and its resulting SHA256. If used, this must be paired with an S256 code_challenge_method. For a full example see: https://github.com/googleapis/google-auth-library-nodejs/blob/master/samples/oauth2-codeVerifier.js
Returns :
Promise<CodeVerifierResults>
|
| getAccessToken | ||||||
getAccessToken(callback?: GetAccessTokenCallback)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:697
|
||||||
|
Parameters :
Returns :
Promise | void
|
| getAccessToken | ||||||
getAccessToken(callback: GetAccessTokenCallback)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:696
|
||||||
|
Parameters :
Returns :
void
|
| getAccessToken |
getAccessToken()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:695
|
|
Get a non-expired access token, after refreshing if necessary
Returns :
Promise<GetAccessTokenResponse>
|
| getFederatedSignonCerts | ||||||
getFederatedSignonCerts(callback?: GetFederatedSignonCertsCallback)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:1046
|
||||||
|
Parameters :
Returns :
Promise | void
|
| getFederatedSignonCerts |
getFederatedSignonCerts()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:1044
|
|
Gets federated sign-on certificates to use for verifying identity tokens. Returns certs as array structure, where keys are key ids, and values are certificates in either PEM or JWK format.
Returns :
Promise<FederatedSignonCertsResponse>
|
| getFederatedSignonCerts | ||||||
getFederatedSignonCerts(callback: GetFederatedSignonCertsCallback)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:1045
|
||||||
|
Parameters :
Returns :
void
|
| Async getFederatedSignonCertsAsync |
getFederatedSignonCertsAsync()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:1059
|
|
Returns :
Promise<FederatedSignonCertsResponse>
|
| Async getRequestHeaders | ||||||||
getRequestHeaders(url?: string)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:764
|
||||||||
|
The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields. In OAuth2Client, the result has the form:
{ Authorization: 'Bearer <access_token_value>' }
Parameters :
Returns :
Promise<Headers>
|
| getRequestMetadata | ||||||||
getRequestMetadata(url?: string | null)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:735
|
||||||||
|
Obtain the set of headers required to authenticate a request.
Parameters :
Returns :
Promise<RequestMetadataResponse>
|
| getRequestMetadata | |||||||||
getRequestMetadata(url: string | null, callback: RequestMetadataCallback)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:736
|
|||||||||
|
Parameters :
Returns :
void
|
| getRequestMetadata | |||||||||
getRequestMetadata(url: string | null, callback?: RequestMetadataCallback)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:740
|
|||||||||
|
Parameters :
Returns :
Promise | void
|
| Static getRevokeTokenUrl | ||||||||
getRevokeTokenUrl(token: string)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:829
|
||||||||
|
Generates a URL to revoke the given token.
Parameters :
Returns :
string
|
| getToken | |||||||||
getToken(options: GetTokenOptions, callback: GetTokenCallback)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:554
|
|||||||||
|
Parameters :
Returns :
void
|
| getToken | |||||||||
getToken(codeOrOptions: string | GetTokenOptions, callback?: GetTokenCallback)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:555
|
|||||||||
|
Parameters :
Returns :
Promise | void
|
| getToken | |||||||||
getToken(code: string, callback: GetTokenCallback)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:553
|
|||||||||
|
Parameters :
Returns :
void
|
| getToken | ||||||||
getToken(code: string)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:551
|
||||||||
|
Gets the access token for the given code.
Parameters :
Returns :
Promise<GetTokenResponse>
|
| getToken | ||||||
getToken(options: GetTokenOptions)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:552
|
||||||
|
Parameters :
Returns :
Promise<GetTokenResponse>
|
| Async getTokenInfo | ||||||||
getTokenInfo(accessToken: string)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:1020
|
||||||||
|
Obtains information about the provisioned access token. Especially useful if you want to check the scopes that were provisioned to a given token.
Parameters :
Returns :
Promise<TokenInfo>
|
| refreshAccessToken | ||||||
refreshAccessToken(callback?: RefreshAccessTokenCallback)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:669
|
||||||
|
Parameters :
Returns :
Promise | void
|
| refreshAccessToken | ||||||
refreshAccessToken(callback: RefreshAccessTokenCallback)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:668
|
||||||
|
Parameters :
Returns :
void
|
| refreshAccessToken |
refreshAccessToken()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:667
|
|
Retrieves the access token using refresh token
Returns :
Promise<RefreshAccessTokenResponse>
|
| request | |||||||||
request(opts: GaxiosOptions, callback?: BodyResponseCallback<T>)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:899
|
|||||||||
Type parameters :
|
|||||||||
|
Parameters :
Returns :
GaxiosPromise | void
|
| request | |||||||||
request(opts: GaxiosOptions, callback: BodyResponseCallback<T>)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:898
|
|||||||||
Type parameters :
|
|||||||||
|
Parameters :
Returns :
void
|
| request | ||||||||
request(opts: GaxiosOptions)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:897
|
||||||||
Type parameters :
|
||||||||
|
Provides a request implementation with OAuth 2.0 flow. If credentials have a refresh_token, in cases of HTTP 401 and 403 responses, it automatically asks for a new access token and replays the unsuccessful request.
Parameters :
Returns :
GaxiosPromise<T>
Request object |
| revokeCredentials | ||||||
revokeCredentials(callback?: BodyResponseCallback<RevokeCredentialsResult>)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:869
|
||||||
|
Parameters :
Returns :
GaxiosPromise | void
|
| revokeCredentials | ||||||
revokeCredentials(callback: BodyResponseCallback<RevokeCredentialsResult>)
|
||||||
|
Inherited from
OAuth2Client
|
||||||
|
Defined in
OAuth2Client:866
|
||||||
|
Parameters :
Returns :
void
|
| revokeCredentials |
revokeCredentials()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:865
|
|
Revokes access token and clears the credentials object
Returns :
GaxiosPromise<RevokeCredentialsResult>
|
| revokeToken | |||||||||
revokeToken(token: string, callback?: BodyResponseCallback<RevokeCredentialsResult>)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:844
|
|||||||||
|
Parameters :
Returns :
GaxiosPromise | void
|
| revokeToken | ||||||||
revokeToken(token: string)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:839
|
||||||||
|
Revokes the access given to token.
Parameters :
Returns :
GaxiosPromise<RevokeCredentialsResult>
|
| revokeToken | |||||||||
revokeToken(token: string, callback: BodyResponseCallback<RevokeCredentialsResult>)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:840
|
|||||||||
|
Parameters :
Returns :
void
|
| verifyIdToken | |||||||||
verifyIdToken(options: VerifyIdTokenOptions, callback?: (err?: Error | null,login?: LoginTicket) => void)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:975
|
|||||||||
|
Parameters :
Returns :
void | Promise
|
| verifyIdToken | |||||||||
verifyIdToken(options: VerifyIdTokenOptions, callback: (err: Error | null,login: LoginTicket) => void)
|
|||||||||
|
Inherited from
OAuth2Client
|
|||||||||
|
Defined in
OAuth2Client:971
|
|||||||||
|
Parameters :
Returns :
void
|
| verifyIdToken | ||||||||
verifyIdToken(options: VerifyIdTokenOptions)
|
||||||||
|
Inherited from
OAuth2Client
|
||||||||
|
Defined in
OAuth2Client:970
|
||||||||
|
Verify that the ID token is valid by checking the certs and audience.
Parameters :
Returns :
Promise<LoginTicket>
|
| verifySignedJwtWithCerts |
verifySignedJwtWithCerts()
|
|
Inherited from
OAuth2Client
|
|
Defined in
OAuth2Client:1123
|
|
Returns :
void
|
| Async verifySignedJwtWithCertsAsync | ||||||||||||||||||||||||
verifySignedJwtWithCertsAsync(jwt: string, certs: Certificates, requiredAudience: string | string[], issuers?: string[], maxExpiry?: number)
|
||||||||||||||||||||||||
|
Inherited from
OAuth2Client
|
||||||||||||||||||||||||
|
Defined in
OAuth2Client:1141
|
||||||||||||||||||||||||
|
Verify the id token is signed with the correct certificate and is from the correct audience.
Parameters :
Returns :
{}
Returns a promise resolving to LoginTicket on verification. |
import arrify = require('arrify');
import {GaxiosError} from 'gaxios';
import * as gcpMetadata from 'gcp-metadata';
import * as messages from '../messages';
import {CredentialRequest, Credentials} from './credentials';
import {GetTokenResponse, OAuth2Client, RefreshOptions} from './oauth2client';
/**
 * Construction options for the Compute client, in addition to everything
 * RefreshOptions already provides.
 */
export interface ComputeOptions extends RefreshOptions {
  /**
   * Selects which of the instance's service accounts to use: either that
   * account's email address or the literal 'default'. A Compute Engine
   * instance may have multiple service accounts.
   */
  serviceAccountEmail?: string;

  /**
   * Scopes to request when acquiring service account credentials, given as
   * a single string or a list of strings. Only applicable to modern App
   * Engine and Cloud Function runtimes as of March 2019.
   */
  scopes?: string | string[];
}
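/**
 * OAuth2 client whose access tokens come from the instance metadata server
 * rather than from a client secret or a stored refresh token.
 */
export class Compute extends OAuth2Client {
  // Service account whose token is requested; 'default' when none is given.
  private serviceAccountEmail: string;
  // Scopes sent with each token request; empty when none were configured.
  scopes: string[];

  /**
   * Google Compute Engine service account credentials.
   *
   * Retrieve access token from the metadata server.
   * See: https://developers.google.com/compute/docs/authentication
   *
   * @param options Service account selection and scopes; also forwarded
   *     unchanged to the OAuth2Client constructor.
   */
  constructor(options: ComputeOptions = {}) {
    super(options);
    // Start with an expired refresh token, which will automatically be
    // refreshed before the first API call is made. The refresh_token value
    // is a fixed placeholder string, not a secret; refreshTokenNoCache
    // ignores the refresh token it is handed.
    this.credentials = {expiry_date: 1, refresh_token: 'compute-placeholder'};
    // `||` is deliberate: an empty string also falls back to 'default'
    // instead of producing an empty path segment in the token request.
    this.serviceAccountEmail = options.serviceAccountEmail || 'default';
    this.scopes = arrify(options.scopes);
  }

  /**
   * Indicates whether the credential requires scopes to be created by calling
   * createScoped before use.
   * @deprecated
   * @return Boolean indicating if scope is required.
   */
  createScopedRequired(): boolean {
    // On compute engine, scopes are specified at the compute instance's
    // creation time, and cannot be changed. For this reason, always return
    // false.
    messages.warn(messages.COMPUTE_CREATE_SCOPED_DEPRECATED);
    return false;
  }

  /**
   * Refreshes the access token by requesting a new one from the metadata
   * server for the configured service account.
   *
   * @param refreshToken Unused parameter
   * @return The tokens from the metadata response, with `res` set to null.
   * @throws The error raised by the metadata request, after its message has
   *     been prefixed and passed through wrapError.
   */
  protected async refreshTokenNoCache(
    refreshToken?: string | null
  ): Promise<GetTokenResponse> {
    // NOTE(review): serviceAccountEmail is placed into the metadata path
    // as-is, with no escaping or validation in this class. It should come
    // from trusted configuration only, never from request-derived data.
    const tokenPath = `service-accounts/${this.serviceAccountEmail}/token`;
    let data: CredentialRequest;
    try {
      const instanceOptions: gcpMetadata.Options = {
        property: tokenPath,
      };
      // Only send a scopes parameter when scopes were configured.
      if (this.scopes.length > 0) {
        instanceOptions.params = {
          scopes: this.scopes.join(','),
        };
      }
      data = await gcpMetadata.instance(instanceOptions);
    } catch (e) {
      // The error object is modified in place and rethrown, so callers see
      // the same object with the added context.
      e.message = `Could not refresh access token: ${e.message}`;
      this.wrapError(e);
      throw e;
    }
    const tokens = data as Credentials;
    if (data && data.expires_in) {
      // Turn the relative lifetime (multiplied by 1000) into an absolute
      // millisecond timestamp, then drop the relative field.
      tokens.expiry_date = new Date().getTime() + data.expires_in * 1000;
      delete (tokens as CredentialRequest).expires_in;
    }
    // Listeners on 'tokens' receive the live token object; handlers should
    // treat it as a secret and keep it out of logs.
    this.emit('tokens', tokens);
    return {tokens, res: null};
  }

  /**
   * Adds context to an error from the metadata request. When the error
   * carries a response status, `e.code` is set to that status as a string,
   * and for 403 and 404 an explanation is prepended to `e.message`. The
   * error is modified in place; nothing is returned or thrown here.
   *
   * @param e Error raised by the metadata request.
   */
  protected wrapError(e: GaxiosError): void {
    const res = e.response;
    if (res && res.status) {
      e.code = res.status.toString();
      if (res.status === 403) {
        e.message =
          'A Forbidden error was returned while attempting to retrieve an access ' +
          'token for the Compute Engine built-in service account. This may be because the Compute ' +
          'Engine instance does not have the correct permission scopes specified: ' +
          e.message;
      } else if (res.status === 404) {
        // Fix: the first fragment lacked its trailing space, so the message
        // read "an accesstoken".
        e.message =
          'A Not Found error was returned while attempting to retrieve an access ' +
          'token for the Compute Engine built-in service account. This may be because the Compute ' +
          'Engine instance does not have any permission scopes specified: ' +
          e.message;
      }
    }
  }
}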