google.auth.credentials module¶
Interfaces for credentials.
- class Credentials[source]¶
Bases:
object
Base class for all credentials.
All credentials have a
token
that is used for authentication and may also optionally set anexpiry
to indicate when the token will no longer be valid.Most credentials will be
invalid
untilrefresh()
is called. Credentials can do this automatically before the first HTTP request inbefore_request()
.Although the token and expiration will change as the credentials are
refreshed
and used, credentials should be considered immutable. Various credentials will accept configuration such as private keys, scopes, and other options. These options are not changeable after construction. Some classes will provide mechanisms to copy the credentials with modifications such asScopedCredentials.with_scopes()
.- expiry¶
When the token expires and is no longer valid. If this is None, the token is assumed to never expire.
- property expired¶
Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.
- property valid¶
Checks the validity of the credentials.
This is True if the credentials have a
token
and the token is notexpired
.
- property quota_project_id¶
Project to use for quota and billing purposes.
- abstract refresh(request)[source]¶
Refreshes the access token.
- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises:
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
- before_request(request, method, url, headers)[source]¶
Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
- class CredentialsWithQuotaProject[source]¶
Bases:
Credentials
Abstract base for credentials supporting
with_quota_project
factory- with_quota_project(quota_project_id)[source]¶
Returns a copy of these credentials with a modified quota project.
- Parameters:
quota_project_id (str) – The project to use for quota and billing purposes
- Returns:
A new credentials instance.
- Return type:
- apply(headers, token=None)¶
Apply the token to the authentication header.
- before_request(request, method, url, headers)¶
Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
- property expired¶
Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.
- property quota_project_id¶
Project to use for quota and billing purposes.
- abstract refresh(request)¶
Refreshes the access token.
- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises:
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
- class CredentialsWithTokenUri[source]¶
Bases:
Credentials
Abstract base for credentials supporting
with_token_uri
factory- with_token_uri(token_uri)[source]¶
Returns a copy of these credentials with a modified token uri.
- Parameters:
token_uri (str) – The uri to use for fetching/exchanging tokens
- Returns:
A new credentials instance.
- Return type:
- apply(headers, token=None)¶
Apply the token to the authentication header.
- before_request(request, method, url, headers)¶
Performs credential-specific before request logic.
Refreshes the credentials if necessary, then calls
apply()
to apply the token to the authentication header.- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
method (str) – The request’s HTTP method or the RPC method being invoked.
url (str) – The request’s URI or the RPC service’s URI.
headers (Mapping) – The request’s headers.
- property expired¶
Checks if the credentials are expired.
Note that credentials can be invalid but not expired because Credentials with
expiry
set to None is considered to never expire.
- property quota_project_id¶
Project to use for quota and billing purposes.
- abstract refresh(request)¶
Refreshes the access token.
- Parameters:
request (google.auth.transport.Request) – The object used to make HTTP requests.
- Raises:
google.auth.exceptions.RefreshError – If the credentials could not be refreshed.
- class AnonymousCredentials[source]¶
Bases:
Credentials
Credentials that do not provide any authentication information.
These are useful in the case of services that support anonymous access or local service emulators that do not use credentials.
- property expired¶
Returns False, anonymous credentials never expire.
- property valid¶
Returns True, anonymous credentials are always valid.
- apply(headers, token=None)[source]¶
Anonymous credentials do nothing to the request.
The optional
token
argument is not supported.- Raises:
ValueError – If a token was specified.
- before_request(request, method, url, headers)[source]¶
Anonymous credentials do nothing to the request.
- property quota_project_id¶
Project to use for quota and billing purposes.
- class ReadOnlyScoped[source]¶
Bases:
object
Interface for credentials whose scopes can be queried.
OAuth 2.0-based credentials allow limiting access using scopes as described in RFC6749 Section 3.3. If a credential class implements this interface then the credentials either use scopes in their implementation.
Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with
requires_scopes
:if credentials.requires_scopes: # Scoping is required. credentials = credentials.with_scopes(scopes=['one', 'two'])
Credentials that require scopes must either be constructed with scopes:
credentials = SomeScopedCredentials(scopes=['one', 'two'])
Or must copy an existing instance using
with_scopes()
:scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])
Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is.
- abstract property requires_scopes¶
True if these credentials require scopes to obtain an access token.
- class Scoped[source]¶
Bases:
ReadOnlyScoped
Interface for credentials whose scopes can be replaced while copying.
OAuth 2.0-based credentials allow limiting access using scopes as described in RFC6749 Section 3.3. If a credential class implements this interface then the credentials either use scopes in their implementation.
Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with
requires_scopes
:if credentials.requires_scopes: # Scoping is required. credentials = credentials.create_scoped(['one', 'two'])
Credentials that require scopes must either be constructed with scopes:
credentials = SomeScopedCredentials(scopes=['one', 'two'])
Or must copy an existing instance using
with_scopes()
:scoped_credentials = credentials.with_scopes(scopes=['one', 'two'])
Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is.
- abstract with_scopes(scopes, default_scopes=None)[source]¶
Create a copy of these credentials with the specified scopes.
- Parameters:
scopes (
Sequence
[str
]) – The list of scopes to attach to the current credentials.- Raises:
NotImplementedError – If the credentials’ scopes can not be changed. This can be avoided by checking
requires_scopes
before calling this method.
- has_scopes(scopes)¶
Checks if the credentials have the given scopes.
- abstract property requires_scopes¶
True if these credentials require scopes to obtain an access token.
- with_scopes_if_required(credentials, scopes, default_scopes=None)[source]¶
Creates a copy of the credentials with scopes if scoping is required.
This helper function is useful when you do not know (or care to know) the specific type of credentials you are using (such as when you use
google.auth.default()
). This function will callScoped.with_scopes()
if the credentials are scoped credentials and if the credentials require scoping. Otherwise, it will return the credentials as-is.- Parameters:
credentials (google.auth.credentials.Credentials) – The credentials to scope if necessary.
default_scopes (
Sequence
[str
]) – Default scopes passed by a Google client library. Use ‘scopes’ for user-defined scopes.
- Returns:
- Either a new set of scoped
credentials, or the passed in credentials instance if no scoping was required.
- Return type: