Google.Apis.Auth

Google JSON Web Signature as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount.

Validates a Google-issued Json Web Token (JWT). Will throw a if the passed value is not valid JWT signed by Google.

Follows the procedure to validate a JWT ID token. Google certificates are cached, and refreshed once per hour. This can be overridden by setting to true. The JWT to validate. Optional. The to use for JWT expiration verification. Defaults to the system clock. Optional. If true forces new certificates to be downloaded from Google. Defaults to false. The JWT payload, if the JWT is valid. Throws an otherwise. Thrown when passed a JWT that is not a valid JWT signed by Google.

Settings used when validating a JSON Web Signature.

Create a new instance.

The trusted audience client IDs; or null to suppress audience validation.

The required GSuite domain of the user; or null to suppress hosted domain validation.

Optional. The to use for JWT expiration verification. Defaults to the system clock.

Optional. If true forces new certificates to be downloaded from Google. Defaults to false.

Clock tolerance for the issued-at check. Causes a JWT to pass validation up to this duration before it is really valid; this is to allow for possible local-client clock skew. Defaults to 30 seconds.

Clock tolerance for the expiration check. Causes a JWT to pass validation up to this duration after it really expired; this is to allow for possible local-client clock skew. Defaults to zero seconds.

CertificateCache for testing purposes. If null, the default CertificateCache will be used.

Validates a Google-issued Json Web Token (JWT). Will throw a if the specified JWT fails any validation check.

Follows the procedure to validate a JWT ID token. Issued-at validation and expiry validation is performed using the clock on this local client, so local clock inaccuracies can lead to incorrect validation results. Use and to allow for local clock inaccuracy IssuedAtClockTolerance defaults to 30 seconds; it is very unlikely a JWT will be issued that isn't already valid. ExpirationTimeClockTolerance defaults to zero seconds; in some use-cases it may be useful to set this to a negative value to help ensure that passing local validation means it will pass server validation. Regardless of whether local validation passed, code must always correctly handle an invalid JWT error from the server. Google certificates are cached, and refreshed once per hour. This can be overridden by setting to true. The JWT to validate. Specifies how to carry out the validation. The payload of the verified token. If the token does not pass verification.

The header as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingheader.

The payload as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset, https://developers.google.com/identity/protocols/OpenIDConnect, and https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

A space-delimited list of the permissions the application requests or null.

The email address of the user for which the application is requesting delegated access.

The hosted GSuite domain of the user. Provided only if the user belongs to a hosted domain.

The user's email address. This may not be unique and is not suitable for use as a primary key. Provided only if your scope included the string "email".

True if the user's e-mail address has been verified; otherwise false.

The user's full name, in a displayable form. Might be provided when: (1) The request scope included the string "profile"; or (2) The ID token is returned from a token refresh. When name claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.

Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.

Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.

The URL of the user's profile picture. Might be provided when: (1) The request scope included the string "profile"; or (2) The ID token is returned from a token refresh. When picture claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present.

End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA.

An exception that is thrown when a Json Web Token (JWT) is invalid.

Initializes a new InvalidJwtException instanc e with the specified error message.

The error message that explains why the JWT was invalid.

JSON Web Signature (JWS) implementation as specified in http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11.

Verifies that the given token is a valid, not expired, signed token.

The token to verify. The options to use for verification. May be null in which case default options will be used. The cancellation token for the operation. The payload contained by the token. If the token is invalid or expired.

Header as specified in http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11#section-4.1.

Gets or set the algorithm header parameter that identifies the cryptographic algorithm used to secure the JWS or null.

Gets or sets the JSON Web Key URL header parameter that is an absolute URL that refers to a resource for a set of JSON-encoded public keys, one of which corresponds to the key that was used to digitally sign the JWS or null.

Gets or sets JSON Web Key header parameter that is a public key that corresponds to the key used to digitally sign the JWS or null.

Gets or sets key ID header parameter that is a hint indicating which specific key owned by the signer should be used to validate the digital signature or null.

Gets or sets X.509 URL header parameter that is an absolute URL that refers to a resource for the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS or null.

Gets or sets X.509 certificate thumb print header parameter that provides a base64url encoded SHA-1 thumb-print (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match the certificate or null.

Gets or sets X.509 certificate chain header parameter contains the X.509 public key certificate or certificate chain corresponding to the key used to digitally sign the JWS or null.

Gets or sets array listing the header parameter names that define extensions that are used in the JWS header that MUST be understood and processed or null.

JWS Payload.

JSON Web Token (JWT) implementation as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08.

JWT Header as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-5.

Gets or sets type header parameter used to declare the type of this object or null.

Gets or sets content type header parameter used to declare structural information about the JWT or null.

JWT Payload as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-4.1.

Gets or sets issuer claim that identifies the principal that issued the JWT or null.

Gets or sets subject claim identifying the principal that is the subject of the JWT or null.

Gets or sets audience claim that identifies the audience that the JWT is intended for (should either be a string or list) or null.

Gets or sets the target audience claim that identifies the audience that an OIDC token generated from this JWT is intended for. Maybe be null. Multiple target audiences are not supported. null.

Gets or sets expiration time claim that identifies the expiration time (in seconds) on or after which the token MUST NOT be accepted for processing or null.

Gets or sets not before claim that identifies the time (in seconds) before which the token MUST NOT be accepted for processing or null.

Gets or sets issued at claim that identifies the time (in seconds) at which the JWT was issued or null.

Gets or sets JWT ID claim that provides a unique identifier for the JWT or null.

The nonce value specified by the client during the authorization request. Must be present if a nonce was specified in the authorization request, otherwise this will not be present.

Gets or sets type claim that is used to declare a type for the contents of this JWT Claims Set or null.

Gets the audience property as a list.

Represents an access token that can be used to authorize a request. The token might be accompanied by extra information that should be sent in the form of headers.

Constructs an based on a given token and headers.

The token to build this instance for. May be null. The collection of headers that may accompany the token. May be null.

An access token that can be used to authorize a request.

Extra headers, if any, that should be included in the request.

Adds the headers in this object to the given header collection.

The header collection to add the headers to.

Adds the headers in this object to the given request.

The request to add the headers to.

Builder class for to simplify common scenarios.

The GCP project ID used for quota and billing purposes. May be null.

Builds and instance of with the given token and the value set on this builder.

The token to build the for. An .

Thread-safe OAuth 2.0 authorization code flow for an installed application that persists end-user credentials.

Incremental authorization (https://developers.google.com/+/web/api/rest/oauth) is currently not supported for Installed Apps.

Constructs a new authorization code installed application with the given flow and code receiver.

Gets the authorization code flow.

Gets the code receiver which is responsible for receiving the authorization code.

Determines the need for retrieval of a new authorization code, based on the given token and the authorization code flow.

OAuth 2.0 helper for accessing protected resources using the Bearer token as specified in http://tools.ietf.org/html/rfc6750.

Thread-safe OAuth 2.0 method for accessing protected resources using the Authorization header as specified in http://tools.ietf.org/html/rfc6750#section-2.1.

Obsolete. Thread-safe OAuth 2.0 method for accessing protected resources using an access_token query parameter as specified in http://tools.ietf.org/html/rfc6750#section-2.3. This access method is being made obsolete. Please read here for more up to date information: `https://developers.google.com/identity/protocols/oauth2/index.html#4.-send-the-access-token-to-an-api.`. Please use instead.

Client credential details for installed and web applications.

Gets or sets the client identifier.

Gets or sets the client Secret.

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved. More details about Compute Engine authentication is available at: https://cloud.google.com/compute/docs/authentication.

The metadata server url. This can be overridden (for the purposes of Compute environment detection and auth token retrieval) using the GCE_METADATA_HOST environment variable.

Caches result from first call to IsRunningOnComputeEngine

Originally 1000ms was used without a retry. This proved inadequate; even 2000ms without a retry occasionally failed. We have observed that after a timeout, the next attempt succeeds very quickly (sub-50ms) which suggests that this should be fine.

The Metadata flavor header name.

The Metadata header response indicating Google.

Gets the OIDC Token URL.

An initializer class for the Compute credential. It uses as the token server URL (optionally overriding the host using the GCE_METADATA_HOST environment variable).

Gets the OIDC Token URL.

Constructs a new initializer using the default compute token URL and the default OIDC token URL.

Constructs a new initializer using the given token URL and the default OIDC token URL.

Constructs a new initializer using the given token URL and OIDC token URL (optionally overriding the host using the GCE_METADATA_HOST environment variable).

Constructs a new Compute credential instance.

Constructs a new Compute credential instance.

Detects if application is running on Google Compute Engine. This is achieved by attempting to contact GCE metadata server, that is only available on GCE. The check is only performed the first time you call this method, subsequent invocations used cached result of the first call.

Provides the Application Default Credential from the environment. An instance of this class represents the per-process state used to get and cache the credential and allows overriding the state and environment for testing purposes.

Environment variable override which stores the default application credentials file path.

Well known file which stores the default application credentials.

Environment variable which contains the Application Data settings.

Environment variable which contains the location of home directory on UNIX systems.

GCloud configuration directory in Windows, relative to %APPDATA%.

Help link to the application default credentials feature.

GCloud configuration directory on Linux/Mac, relative to $HOME.

Caches result from first call to GetApplicationDefaultCredentialAsync

Constructs a new default credential provider.

Returns the Application Default Credentials. Subsequent invocations return cached value from first invocation. See for details.

Creates a new default credential.

Creates a default credential from a stream that contains JSON credential data.

Creates a default credential from a stream that contains JSON credential data.

Creates a default credential from a string that contains JSON credential data.

Creates a default credential from JSON data.

Creates a user credential from JSON data.

Creates a from JSON data.

Returns platform-specific well known credential file path. This file is created by gcloud auth login

Gets the environment variable. This method is protected so it could be overriden for testing purposes only.

Opens file as a stream. This method is protected so it could be overriden for testing purposes only.

Thread-safe OAuth 2.0 authorization code flow that manages and persists end-user credentials. This is designed to simplify the flow in which an end-user authorizes the application to access their protected data, and then the application has access to their data based on an access token and a refresh token to refresh that access token when it expires.

An initializer class for the authorization code flow.

Gets or sets the method for presenting the access token to the resource server. The default value is .

Gets the token server URL.

Gets or sets the authorization server URL.

Gets or sets the client secrets which includes the client identifier and its secret.

Gets or sets the client secrets stream which contains the client identifier and its secret.

The AuthorizationCodeFlow constructor is responsible for disposing the stream.

Gets or sets the data store used to store the token response.

Gets or sets the scopes which indicate the API access your application is requesting.

Gets or sets the factory for creating instance.

Get or sets the exponential back-off policy. Default value is UnsuccessfulResponse503, which means that exponential back-off is used on 503 abnormal HTTP responses. If the value is set to None, no exponential back-off policy is used, and it's up to user to configure the in an to set a specific back-off implementation (using ).

Gets or sets the clock. The clock is used to determine if the token has expired, if so we will try to refresh it. The default value is .

Constructs a new initializer.

Authorization server URL Token server URL

Gets the token server URL.

Gets the authorization code server URL.

Gets the client secrets which includes the client identifier and its secret.

Gets the data store used to store the credentials.

Gets the scopes which indicate the API access your application is requesting.

Gets the HTTP client used to make authentication requests to the server.

Constructs a new flow using the initializer's properties.

Stores the token in the .

User identifier. Token to store. Cancellation token to cancel operation.

Retrieve a new token from the server using the specified request.

User identifier. Token request. Cancellation token to cancel operation. Token response with the new access token.

Google specific authorization code flow which inherits from .

The project ID associated with the credential using this flow.

Gets the token revocation URL.

Gets the include granted scopes indicator. Do not use, use instead.

Gets the include granted scopes indicator.

Gets the login_hint.

Gets the prompt for consent behaviour. Value can be null, "none", "consent", or "select_account". See OpenIDConnect documentation for details.

Gets the nonce.

Gets the user defined query parameters.

Constructs a new Google authorization code flow.

An initializer class for Google authorization code flow.

The project ID associated with the credential using this flow.

Gets or sets the token revocation URL.

Gets or sets the optional indicator for including granted scopes for incremental authorization.

Gets or sets the login_hint.

Gets or sets the prompt for consent behaviour. Value can be null, "none", "consent", or "select_account". See OpenIDConnect documentation for details.

Gets or sets the nonce.

Gets or sets the optional user defined query parameters.

Constructs a new initializer. Sets Authorization server URL to , and Token server URL to .

Constructs a new initializer.

Authorization server URL Token server URL Revocation server URL This is mainly for internal testing at Google, where we occasionally need to use alternative oauth endpoints. This is not for general use.

OAuth 2.0 authorization code flow that manages and persists end-user credentials.

Gets the method for presenting the access token to the resource server.

Gets the clock.

Gets the data store used to store the credentials.

Asynchronously loads the user's token using the flow's .

User identifier Cancellation token to cancel operation Token response

Asynchronously deletes the user's token using the flow's .

User identifier. Cancellation token to cancel operation.

Creates an authorization code request with the specified redirect URI.

Asynchronously exchanges code with a token.

User identifier. Authorization code received from the authorization server. Redirect URI which is used in the token request. Cancellation token to cancel operation. Token response which contains the access token.

Asynchronously refreshes an access token using a refresh token.

User identifier. Refresh token which is used to get a new access token. Cancellation token to cancel operation. Token response which contains the access token and the input refresh token.

Asynchronously revokes the specified token. This method disconnects the user's account from the OAuth 2.0 application. It should be called upon removing the user account from the site.

If revoking the token succeeds, the user's credential is removed from the data store and the user MUST authorize the application again before the application can access the user's private resources. User identifier. Access token to be revoked. Cancellation token to cancel operation. true if the token was revoked successfully.

Indicates if a new token needs to be retrieved and stored regardless of normal circumstances.

Google OAuth2 constants. Canonical source for these URLs is: https://accounts.google.com/.well-known/openid-configuration

The authorization code server URL.

The OpenID Connect authorization code server URL.

Use of this is not 100% compatible with using , so they are two distinct URLs. Internally within this library only this more up-to-date is used.

The approval URL (used in the Windows solution as a callback).

The authorization token server URL.

The OpenID Connect authorization token server URL.

Use of this is not 100% compatible with using , so they are two distinct URLs. Internally within this library only this more up-to-date is used.

The Compute Engine authorization token server URL

IP address instead of name to avoid DNS resolution

The path to the Google revocation endpoint.

The OpenID Connect Json Web Key Set (jwks) URL.

The IAP Json Web Key Set (jwks) URL.

Installed application redirect URI.

Installed application localhost redirect URI.

The effective Compute Engine authorization token server URL. This takes account of the GCE_METADATA_HOST environment variable.

The effective Compute Engine authorization token server URL for OIDC. This requires an audience parameter to be added. This takes account of the GCE_METADATA_HOST environment variable.

The effective Compute Engine metadata token server URL (with no path). This takes account of the GCE_METADATA_HOST environment variable.

OAuth 2.0 client secrets model as specified in https://cloud.google.com/console/.

Gets or sets the details for installed applications.

Gets or sets the details for web applications.

Gets the client secrets which contains the client identifier and client secret.

Loads the Google client secret from the input stream.

Credential for authorizing calls using OAuth 2.0. It is a convenience wrapper that allows handling of different types of credentials (like , or ) in a unified way. See for the credential retrieval logic.

Provider implements the logic for creating the application default credential.

The underlying credential being wrapped by this object.

Creates a new GoogleCredential.

Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See for more details.

A task which completes with the application default credentials.

Returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. The ambient credentials are determined as following order: The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified, it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded. If you have installed the Google Cloud SDK on your machine and have run the command GCloud Auth Login, your identity can be used as a proxy to test code calling APIs from that machine. If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used. If all previous steps have failed, InvalidOperationException is thrown.

If the cancellation token is cancelled while the underlying operation is loading Application Default Credentials, the underlying operation will still be used for any further requests. No actual work is cancelled via this cancellation token; it just allows the returned task to transition to a cancelled state. Cancellation token for the operation. A task which completes with the application default credentials.

Synchronously returns the Application Default Credentials which are ambient credentials that identify and authorize the whole application. See for details on application default credentials. This method will block until the credentials are available (or an exception is thrown). It is highly preferable to call where possible.

The application default credentials.

Loads credential from stream containing JSON credential data. The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Loads credential from stream containing JSON credential data. The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Loads credential from the specified file containing JSON credential data. The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

The path to the credential file. The loaded credentials.

Loads credential from the specified file containing JSON credential data. The file can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

The path to the credential file. Cancellation token for the operation. The loaded credentials.

Loads credential from a string containing JSON credential data. The string can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

Create a directly from the provided access token. The access token will not be automatically refreshed.

The access token to use within this credential. Optional. The to use within this credential. If null, will default to . A credential based on the provided access token.

Create a from a . In general, do not use this method. Call or , which will provide the most suitable credentials for the current platform.

Optional. The compute credential to use in the returned . If null, then a new will be instantiated, using the default . A with an underlying .

Returns true only if this credential type has no scopes by default and requires a call to before use. Credentials need to have scopes in them before they can be used to access Google services. Some Credential types have scopes built-in, and some don't. This property indicates whether the Credential type has scopes built-in. has scopes built-in. Nothing additional is required. has scopes built-in, as they were obtained during the consent screen. Nothing additional is required. does not have scopes built-in by default. Caller should invoke to add scopes to the credential.

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance.

If the credential supports scopes, creates a copy with the specified scopes. Otherwise, it returns the same instance.

If the credential supports setting the user, creates a copy with the specified user. Otherwise, it throws . Only Service Credentials support this operation.

The user to set in the returned credential. This credential with the user set to . When the credential type doesn't support setting the user.

Creates a copy of this credential with the specified quota project.

The quota project to use for the copy. May be null. A copy of this credential with set to .

Gets the underlying credential instance being wrapped.

Creates a GoogleCredential wrapping a .

Wraps ServiceAccountCredential as GoogleCredential. We need this subclass because wrapping ServiceAccountCredential (unlike other wrapped credential types) requires special handling for IsCreateScopedRequired and CreateScoped members.

A helper utility to manage the authorization code flow.

This class is only suitable for client-side use, as it starts a local browser that requires user interaction. Do not use this class when executing on a web server, or any cases where the authenticating end-user is not able to do directly interact with a launched browser.

The folder which is used by the .

The reason that this is not 'private const' is that a user can change it and store the credentials in a different location.

Asynchronously authorizes the specified user. Requires user interaction; see remarks for more details.

In case no data store is specified, will be used by default. The client secrets. The scopes which indicate the Google API access your application is requesting. The user to authorize. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. User credential.

Asynchronously authorizes the specified user. Requires user interaction; see remarks for more details.

In case no data store is specified, will be used by default. The client secrets stream. The authorization code flow constructor is responsible for disposing the stream. The scopes which indicate the Google API access your application is requesting. The user to authorize. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. User credential.

Asynchronously reauthorizes the user. This method should be called if the users want to authorize after they revoked the token. Requires user interaction; see remarks for more details.

The current user credential. Its will be updated. Cancellation token to cancel an operation. The code receiver, if not specified a local server code receiver will be used.

The core logic for asynchronously authorizing the specified user. Requires user interaction; see remarks for more details.

The authorization code initializer. The scopes which indicate the Google API access your application is requesting. The user to authorize. Cancellation token to cancel an operation. The data store, if not specified a file data store will be used. The code receiver, if not specified a local server code receiver will be used. User credential.

Method of presenting the access token to the resource server as specified in http://tools.ietf.org/html/rfc6749#section-7

Intercepts a HTTP request right before the HTTP request executes by providing the access token.

Retrieves the original access token in the HTTP request, as provided in the method.

Authorization code flow for an installed application that persists end-user credentials.

Gets the authorization code flow.

Gets the code receiver.

Asynchronously authorizes the installed application to access user's protected data.

User identifier Cancellation token to cancel an operation The user's credential

OAuth 2.0 verification code receiver.

Gets the redirected URI.

Receives the authorization code.

The authorization code request URL Cancellation token The authorization code response

The main interface to represent credential in the client library. Service account, User account and Compute credential inherit from this interface to provide access token functionality. In addition this interface inherits from to be able to hook to http requests. More details are available in the specific implementations.

Represents a Google credential. Defines functionality that credential types that can be used as an underlying credential in should implement in contrast to that defines public functionality.

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

Returns a new instance of the same type as this but with the given quota project value.

The quota project value for the new instance. A new instance with the same type as this but with set to .

Represents an OIDC token provider.

Returns an OIDC token for the given options.

The options to create the token from. The cancellation token that may be used to cancel the request. The OIDC token.

Allows direct retrieval of access tokens to authenticate requests. This is necessary for workflows where you don't want to use to access the API. (e.g. gRPC that implemenents the entire HTTP2 stack internally).

Gets an access token to authorize a request. Implementations should handle automatic refreshes of the token if they are supported. The might be required by some credential types (e.g. the JWT access token) while other credential types migth just ignore it.

The URI the returned token will grant access to. The cancellation token. The access token.

Allows direct retrieval of access tokens to authenticate requests. The access tokens obtained can be accompanied by extra information that either describes the access token or is associated with it. This information should acompany the token as headers when the token is used to access a resource.

Gets an access token to authorize a request. The token might be accompanied by extra information that should be sent in the form of headers. Implementations should handle automatic refreshes of the token if they are supported. The might be required by some credential types (e.g. the JWT access token) while other credential types migth just ignore it.

The URI the returned token will grant access to. The cancellation token. The access token with headers if any.

Holder for credential parameters read from JSON credential file. Fields are union of parameters for all supported credential types.

UserCredential is created by the GCloud SDK tool when the user runs GCloud Auth Login.

ServiceAccountCredential is downloaded by the user from Google Developers Console.

Type of the credential.

Project ID associated with this credential.

Project ID associated with this credential for the purposes of quota calculations and billing.

Client Id associated with UserCredential created by GCloud Auth Login.

Client Secret associated with UserCredential created by GCloud Auth Login.

Client Email associated with ServiceAccountCredential obtained from Google Developers Console

Private Key associated with ServiceAccountCredential obtained from Google Developers Console.

Private Key ID associated with ServiceAccountCredential obtained from Google Developers Console.

Refresh Token associated with UserCredential created by GCloud Auth Login.

OAuth 2.0 verification code receiver that runs a local server on a free port and waits for a call with the authorization verification code.

Describes the different strategies for the selection of the callback URI. 127.0.0.1 is recommended, but can't be done in non-admin Windows 7 and 8 at least.

Use heuristics to attempt to connect to the recommended URI 127.0.0.1 but use localhost if that fails.

Force 127.0.0.1 as the callback URI. No checks are performed.

Force localhost as the callback URI. No checks are performed.

The call back request path.

Close HTML tag to return the browser so it will close itself.

Create an instance of .

Create an instance of .

Custom close page response for this instance

Create an instance of .

Custom close page response for this instance The strategy to use to determine the callback URI

An extremely limited HTTP server that can only do exactly what is required for this use-case. It can only serve localhost; receive a single GET request; read only the query paremters; send back a fixed response. Nothing else.

Returns a random, unused port.

Localhost callback URI, expects a port parameter.

127.0.0.1 callback URI, expects a port parameter.

Represents an OIDC Token.

The this OIDC token is built from.

Gets the access token that should be included in headers when performing requests with this . This method will refresh the access token if the current one has expired.

The cancellation token to use for cancelling the operation. The valid access token associated to this .

Represents the OIDC token formats supported when the token is obtained using the GCE metadata server.

Specifies that the project and instance details should not be included in the payload of the JWT token returned by the GCE metadata server.

Specifies that the project and instance details should be included in the payload of the JWT token returned by the GCE metadata server.

Same as . License codes for images associated with the GCE instance the token is being obtained from will also be included in the payload of the JWT token returned by the GCE metadata server.

Options used to create an .

The target audience the generated token should be valid for. Must not be null.

The token format of the expected OIDC token when obtained from the GCE metadata server. This value will be ignored when the token provider is other then the GCE metadata server. for the meaning of each value. Defaults to .

Builds new from the given target audience.

The target audience to build these options from. Must no be null. A new set of options that can be used with a to obtain an .

Builds a new set of options with the same options as this one, except for the target audience.

The new target audience. Must not be null. A new set of options with the given target audience.

Builds a new set of options with the same options as this one, except for the token format.

The new token format. A new set of options with the given token format.

An incomplete ASN.1 decoder, only implements what's required to decode a Service Credential.

OAuth 2.0 verification code receiver that reads the authorization code from the user input.

Extension methods for requests.

Add a credential that is used for this request only. This will override a service-level credential (if there is one). Do not call more than once per request instance, as each call incrementally adds the provided credential. To perform identical requests but with distinct credentials, create a separate request instance for each credential.

The request type. The request which requires a credential. Must not be null. The credential to use for this request only. Must not be null.

OAuth 2.0 request URL for an authorization web page to allow the end user to authorize the application to access their protected resources and that returns an authorization code, as specified in http://tools.ietf.org/html/rfc6749#section-4.1.

Constructs a new authorization code request with the specified URI and sets response_type to code.

Creates a which is used to request the authorization code.

OAuth 2.0 request for an access token using an authorization code as specified in http://tools.ietf.org/html/rfc6749#section-4.1.3.

Gets or sets the authorization code received from the authorization server.

Gets or sets the redirect URI parameter matching the redirect URI parameter in the authorization request.

Constructs a new authorization code token request and sets grant_type to authorization_code.

OAuth 2.0 request URL for an authorization web page to allow the end user to authorize the application to access their protected resources, as specified in http://tools.ietf.org/html/rfc6749#section-3.1.

Gets or sets the response type which must be code for requesting an authorization code or token for requesting an access token (implicit grant), or space separated registered extension values. See http://tools.ietf.org/html/rfc6749#section-3.1.1 for more details

Gets or sets the client identifier.

Gets or sets the URI that the authorization server directs the resource owner's user-agent back to the client after a successful authorization grant, as specified in http://tools.ietf.org/html/rfc6749#section-3.1.2 or null for none.

Gets or sets space-separated list of scopes, as specified in http://tools.ietf.org/html/rfc6749#section-3.3 or null for none.

Gets or sets the state (an opaque value used by the client to maintain state between the request and callback, as mentioned in http://tools.ietf.org/html/rfc6749#section-3.1.2.2 or null for none.

Gets the authorization server URI.

Constructs a new authorization request with the specified URI.

Authorization server URI

Service account assertion token request as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.

Gets or sets the JWT (including signature).

Constructs a new refresh code token request and sets grant_type to urn:ietf:params:oauth:grant-type:jwt-bearer.

Google-specific implementation of the OAuth 2.0 URL for an authorization web page to allow the end user to authorize the application to access their protected resources and that returns an authorization code, as specified in https://developers.google.com/accounts/docs/OAuth2WebServer.

Gets or sets the access type. Set online to request on-line access or offline to request off-line access or null for the default behavior. The default value is offline.

Gets of sets prompt for consent behaviour. Value can be null, "none", "consent", or "select_account". See OpenIDConnect documentation for details.

Gets or sets prompt for consent behavior auto to request auto-approval orforce to force the approval UI to show, or null for the default behavior.

Gets or sets the login hint. Sets email address or sub identifier. When your application knows which user it is trying to authenticate, it may provide this parameter as a hint to the Authentication Server. Passing this hint will either pre-fill the email box on the sign-in form or select the proper multi-login session, thereby simplifying the login flow.

Gets or sets the include granted scopes to determine if this authorization request should use incremental authorization (https://developers.google.com/+/web/api/rest/oauth#incremental-auth). If true and the authorization request is granted, the authorization will include any previous authorizations granted to this user/application combination for other scopes.

Currently unsupported for installed apps.

Gets or sets the nonce; a random value generated by your app that enables replay protection. See https://developers.google.com/identity/protocols/OpenIDConnect for more details.

Gets or sets a collection of user defined query parameters to facilitate any not explicitly supported by the library which will be included in the resultant authentication URL.

The name of this parameter is used only for the constructor and will not end up in the resultant query string.

Constructs a new authorization code request with the given authorization server URL. This constructor sets the to offline.

Google OAuth 2.0 request to revoke an access token as specified in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke.

Gets the URI for token revocation.

Gets or sets the token to revoke.

Creates a which is used to request the authorization code.

OAuth 2.0 request to refresh an access token using a refresh token as specified in http://tools.ietf.org/html/rfc6749#section-6.

Gets or sets the Refresh token issued to the client.

Constructs a new refresh code token request and sets grant_type to refresh_token.

OAuth 2.0 request for an access token as specified in http://tools.ietf.org/html/rfc6749#section-4.

Gets or sets space-separated list of scopes as specified in http://tools.ietf.org/html/rfc6749#section-3.3.

Gets or sets the Grant type. Sets authorization_code or password or client_credentials or refresh_token or absolute URI of the extension grant type.

Gets or sets the client Identifier.

Gets or sets the client Secret.

Extension methods to .

Executes the token request in order to receive a . In case the token server returns an error, a is thrown.

The token request. The HTTP client used to create an HTTP request. The token server URL. Cancellation token to cancel operation. The clock which is used to set the property. Token response with the new access token.

Authorization Code response for the redirect URL after end user grants or denies authorization as specified in http://tools.ietf.org/html/rfc6749#section-4.1.2. Check that is not null or empty to verify the end-user granted authorization.

Gets or sets the authorization code generated by the authorization server.

Gets or sets the state parameter matching the state parameter in the authorization request.

Gets or sets the error code (e.g. "invalid_request", "unauthorized_client", "access_denied", "unsupported_response_type", "invalid_scope", "server_error", "temporarily_unavailable") as specified in http://tools.ietf.org/html/rfc6749#section-4.1.2.1.

Gets or sets the human-readable text which provides additional information used to assist the client developer in understanding the error occurred.

Gets or sets the URI identifying a human-readable web page with provides information about the error.

Constructs a new authorization code response URL from the specified dictionary.

Constructs a new authorization code response URL from the specified query string.

Initializes this instance from the input dictionary.

Constructs a new empty authorization code response URL.

OAuth 2.0 model for a unsuccessful access token response as specified in http://tools.ietf.org/html/rfc6749#section-5.2.

Gets or sets error code (e.g. "invalid_request", "invalid_client", "invalid_grant", "unauthorized_client", "unsupported_grant_type", "invalid_scope") as specified in http://tools.ietf.org/html/rfc6749#section-5.2.

Gets or sets a human-readable text which provides additional information used to assist the client developer in understanding the error occurred.

Gets or sets the URI identifying a human-readable web page with provides information about the error.

Constructs a new empty token error response.

Constructs a new token error response from the given authorization code response.

OAuth 2.0 model for a successful access token response as specified in http://tools.ietf.org/html/rfc6749#section-5.1.

Gets or sets the access token issued by the authorization server.

Gets or sets the token type as specified in http://tools.ietf.org/html/rfc6749#section-7.1.

Gets or sets the lifetime in seconds of the access token.

Gets or sets the refresh token which can be used to obtain a new access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

Gets or sets the scope of the access token as specified in http://tools.ietf.org/html/rfc6749#section-3.3.

Gets or sets the id_token, which is a JSON Web Token (JWT) as specified in http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

The date and time that this token was issued, expressed in the system time zone. This property only exists for backward compatibility; it can cause inappropriate behavior around time zone transitions (e.g. daylight saving transitions).

The date and time that this token was issued, expressed in UTC.

This should be set by the CLIENT after the token was received from the server.

Returns true if the token is expired or it's going to expire soon.

If a token response doens't have at least one of or set then it's considered expired. If is null, the token is also considered expired.

Returns true if the token is expired or it's so close to expiring that it shouldn't be used.

If a token response doens't have at least one of or set then it's considered expired. If is null, the token is also considered expired.

Asynchronously parses a instance from the specified .

The http response from which to parse the token. The clock used to set the value of the token. The logger used to output messages incase of error. The response was not successful or there is an error parsing the response into valid instance. A task containing the parsed form the response message.

Token response exception which is thrown in case of receiving a token error when an authorization code or an access token is expected.

The error information.

HTTP status code of error, or null if unknown.

Constructs a new token response exception from the given error.

Constructs a new token response exception from the given error nad optional HTTP status code.

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved. Take a look in https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details. Since version 1.9.3, service account credential also supports JSON Web Token access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used as an access token directly. See for explanation when JWT access token is used and when regular OAuth2 token is used.

An initializer class for the service account credential.

Gets the service account ID (typically an e-mail address).

The project ID associated with this credential.

Gets or sets the email address of the user the application is trying to impersonate in the service account flow or null.

Gets the scopes which indicate API access your application is requesting.

Gets or sets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature.

Gets or sets the service account key ID.

Constructs a new initializer using the given id.

Constructs a new initializer using the given id and the token server URL.

Extracts the from the given PKCS8 private key.

Extracts a from the given certificate.

Unix epoch as a DateTime

Gets the service account ID (typically an e-mail address).

The project ID associated with this credential.

Gets the email address of the user the application is trying to impersonate in the service account flow or null.

Gets the service account scopes.

Gets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature.

Gets the key id of the key which is used to sign the request.

true if this credential has any scopes associated with it.

Constructs a new service account credential using the given initializer.

Creates a new instance from JSON credential data.

The stream from which to read the JSON key data for a service account. Must not be null. The does not contain valid JSON service account key data. The credentials parsed from the service account key data.

Requests a new token as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.

Cancellation token to cancel operation. true if a new token was received successfully.

Gets an access token to authorize a request. If is set and this credential has no scopes associated with it, a locally signed JWT access token for given is returned. Otherwise, an OAuth2 access token obtained from token server will be returned. A cached token is used if possible and the token is only refreshed once it's close to its expiry.

The URI the returned token will grant access to. The cancellation token. The access token.

Creates a JWT access token than can be used in request headers instead of an OAuth2 token. This is achieved by signing a special JWT using this service account's private key. The URI for which the access token will be valid. The issue time of the JWT. The expiry time of the JWT.

Signs JWT token using the private key and returns the serialized assertion.

the JWT payload to sign.

Creates a base64 encoded signature for the SHA-256 hash of the specified data.

The data to hash and sign. Must not be null. The base-64 encoded signature.

Creates a serialized header as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingheader.

Creates a claim set as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset.

This type of Google OAuth 2.0 credential enables access to protected resources using an access token when interacting server to server. For example, a service account credential could be used to access Google Cloud Storage from a web application without a user's involvement. ServiceAccountCredential inherits from this class in order to support Service Account. More details available at: https://developers.google.com/accounts/docs/OAuth2ServiceAccount. is another example for a class that inherits from this class in order to support Compute credentials. For more information about Compute authentication, see: https://cloud.google.com/compute/docs/authentication.

Logger for this class

An initializer class for the service credential.

Gets the token server URL.

Gets or sets the clock used to refresh the token when it expires. The default value is .

Gets or sets the method for presenting the access token to the resource server. The default value is .

Gets or sets the factory for creating a instance.

Get or sets the exponential back-off policy. Default value is UnsuccessfulResponse503, which means that exponential back-off is used on 503 abnormal HTTP responses. If the value is set to None, no exponential back-off policy is used, and it's up to the user to configure the in an to set a specific back-off implementation (using ).

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

Constructs a new initializer using the given token server URL.

Gets the token server URL.

Gets the clock used to refresh the token if it expires.

Gets the method for presenting the access token to the resource server.

Gets the HTTP client used to make authentication requests to the server.

Gets the token response which contains the access token.

The ID of the project associated to this credential for the purposes of quota calculation and billing. May be null.

Constructs a new service account credential using the given initializer.

Decorates unsuccessful responses, returns true if the response gets modified. See IHttpUnsuccessfulResponseHandler for more information.

Gets an access token to authorize a request. If the existing token expires soon, try to refresh it first.

Requests a new token.

Cancellation token to cancel operation. true if a new token was received successfully.

Encapsulation of token refresh behaviour. This isn't entirely how we'd design the code now (in terms of the callback in particular) but it fits in with the exposed API surface of ServiceCredential and UserCredential.

Creates a manager which executes the given refresh action when required.

The refresh action which will populate the Token property when successful. The clock to consult for timeouts. The logger to use to record refreshes.

OAuth 2.0 credential for accessing protected resources using an access token, as well as optionally refreshing the access token when it expires using a refresh token.

Logger for this class.

Gets or sets the token response which contains the access token.

Gets the authorization code flow.

Gets the user identity.

Constructs a new credential instance.

Authorization code flow. User identifier. An initial token for the user.

Constructs a new credential instance.

Authorization code flow. User identifier. An initial token for the user. The ID of the project associated to this credential for the purposes of quota calculation and billing. Can be null.

Default implementation is to try to refresh the access token if there is no access token or if we are 1 minute away from expiration. If token server is unavailable, it will try to use the access token even if has expired. If successful, it will call .

Refreshes the token by calling to . Then it updates the with the new token instance.

Cancellation token to cancel an operation. true if the token was refreshed.

Asynchronously revokes the token by calling .

Cancellation token to cancel an operation. true if the token was revoked successfully.

Thread safe OAuth 2.0 authorization code flow for a web application that persists end-user credentials.

The state key. As part of making the request for authorization code we save the original request to verify that this server create the original request.

The length of the random number which will be added to the end of the state parameter.

AuthResult which contains the user's credentials if it was loaded successfully from the store. Otherwise it contains the redirect URI for the authorization server.

Gets or sets the user's credentials or null in case the end user needs to authorize.

Gets or sets the redirect URI to for the user to authorize against the authorization server or null in case the was loaded from the data store.

Gets the authorization code flow.

Gets the OAuth2 callback redirect URI.

Gets the state which is used to navigate back to the page that started the OAuth flow.

Constructs a new authorization code installed application with the given flow and code receiver.

Asynchronously authorizes the web application to access user's protected data.

User identifier Cancellation token to cancel an operation Auth result object which contains the user's credential or redirect URI for the authorization server

Determines the need for retrieval of a new authorization code, based on the given token and the authorization code flow.

Auth Utility methods for web development.

Extracts the redirect URI from the state OAuth2 parameter.

If the data store is not null, this method verifies that the state parameter which was returned from the authorization server is the same as the one we set before redirecting to the authorization server. The data store which contains the original state parameter. User identifier. The authorization state parameter which we got back from the authorization server. Redirect URI to the address which initializes the authorization code flow.

Represents a signed token, could be a or a but this not only holds the payload and headers, but also the signature itself. It's meant to help with signed token verification and with obtaining token information.

Options to use when verifying signed JWTs.

Creates a new instance of with default values for all options (or null for those whose default is unset).

Creates a new instance of by copying over all the values from .

The option set to build this instance from.

Trusted audiences for the token. All the audiences the token is intended for should be in the trusted audiences list. If the list is empty, the token audience won't be verified.

The URL from where to obtain certificates from. May be null, in which case, default certificate locations will be used: For RS256 signed certificates, https://www.googleapis.com/oauth2/v3/certs will be used. For ES256 signed certificates, https://www.gstatic.com/iap/verify/public_key-jwk will be used.

List of trusted issuers to verify the token issuer against. The token issuer must be contained in this list. May be null, in which case the token issuer won't be verified.

Forces certificate refresh. Internal to be used only for backward compatibility.

Clock tolerance for the issued-at check. Causes a JWT to pass validation up to this duration before it is really valid; this is to allow for possible local-client clock skew. Defaults to zero. Internal to be used only for backward compatibility.

Clock tolerance for the expiration check. Causes a JWT to pass validation up to this duration after it really expired; this is to allow for possible local-client clock skew. Defaults to zero. Internal to be used only for backward compatibility.

Clock for testing purposes. Defaults to . Must not be null.

CertificateCache for testing purposes. If null, the true CertificateCache will be used.

Returns a task which can be cancelled by the given cancellation token, but otherwise observes the original task's state. This does *not* cancel any work that the original task was doing, and should be used carefully.

Decodes the provided URL safe base 64 string.

The URL safe base 64 string to decode. The UTF8 decoded string.

Decodes the provided URL safe base 64 string.

The URL safe base 64 string to decode. The UTF8 byte representation of the decoded string.

Encodes the provided UTF8 string into an URL safe base64 string.

Value to encode. The URL safe base64 string.

Encodes the byte array into an URL safe base64 string.

Byte array to encode. The URL safe base64 string.

Encodes the base64 string into an URL safe string.

The base64 string to make URL safe. The URL safe base64 string.