REST Resource: projects.locations.authConfigs

Resource: AuthConfig

The AuthConfig resource is used to hold channels and connection config data.

JSON representation
{
  "name": string,
  "displayName": string,
  "description": string,
  "certificateId": string,
  "credentialType": enum (CredentialType),
  "creatorEmail": string,
  "createTime": string,
  "lastModifierEmail": string,
  "updateTime": string,
  "visibility": enum (AuthConfigVisibility),
  "state": enum (State),
  "reason": string,
  "expiryNotificationDuration": [
    string
  ],
  "validTime": string,
  "overrideValidTime": string,

  // Union field credential can be only one of the following:
  "encryptedCredential": string,
  "decryptedCredential": {
    object (Credential)
  }
  // End of list of possible types for union field credential.
}
Fields
name

string

Resource name of the auth config: projects/{project}/locations/{location}/authConfigs/{authConfig}. For more information, see Manage authentication profiles.

displayName

string

Required. The name of the auth config.

description

string

A description of the auth config.

certificateId

string

Certificate id for client certificate

credentialType

enum (CredentialType)

Credential type of the encrypted credential.

creatorEmail

string

The creator's email address. Generated based on the End User Credentials/LOAS role of the user making the call.

createTime

string (Timestamp format)

Output only. The timestamp when the auth config is created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

lastModifierEmail

string

The last modifier's email address. Generated based on the End User Credentials/LOAS role of the user making the call.

updateTime

string (Timestamp format)

Output only. The timestamp when the auth config is modified.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

visibility

enum (AuthConfigVisibility)

The visibility of the auth config.

state

enum (State)

The status of the auth config.

reason

string

The reason / details of the current status.

expiryNotificationDuration[]

string (Duration format)

User-defined time to receive a notification, after which the auth config becomes invalid. Supports up to 30 days, with granularity in hours.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

validTime

string (Timestamp format)

The time until which the auth config is valid. An empty or max value means the auth config won't expire.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

overrideValidTime

string (Timestamp format)

User-provided expiry time to override. For example, with Salesforce, username/password credentials can be valid for 6 months depending on the instance settings.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Union field credential.

credential can be only one of the following:

encryptedCredential

string (bytes format)

Auth credential encrypted by Cloud KMS. Can be decrypted into a Credential with the proper KMS key.

A base64-encoded string.

decryptedCredential

object (Credential)

Raw auth credentials.
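
The time fields above (validTime, expiryNotificationDuration) can be checked client-side. This is an added example, not part of the API reference: it parses the Timestamp and Duration formats and reports expired configs and out-of-range notification durations, assuming "max value" means the protobuf Timestamp maximum (year 9999) and that hour granularity means whole hours.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC3339 "Zulu" timestamp with up to nine fractional digits, as the field docs describe.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")
_DUR = re.compile(r"^(\d+)(?:\.(\d{1,9}))?s$")
MAX_YEAR = 9999  # assumption: "max value" is the protobuf Timestamp maximum

def parse_timestamp(value):
    """Return an aware UTC datetime; nanoseconds are truncated to microseconds."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"not an RFC3339 Zulu timestamp: {value!r}")
    frac = (m.group(2) or "").ljust(9, "0")[:6]
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)

def parse_duration(value):
    """Parse a Duration string such as "3.5s" into a timedelta."""
    m = _DUR.match(value)
    if not m:
        raise ValueError(f"not a Duration: {value!r}")
    nanos = int((m.group(2) or "").ljust(9, "0"))
    return timedelta(seconds=int(m.group(1)), microseconds=nanos // 1000)

def audit_expiry(cfg, now):
    """Return a list of findings for the time-related AuthConfig fields."""
    findings = []
    valid = cfg.get("validTime", "")
    if valid:  # empty means the auth config does not expire
        expiry = parse_timestamp(valid)
        if expiry.year < MAX_YEAR and expiry <= now:
            findings.append("expired")
    for raw in cfg.get("expiryNotificationDuration", []):
        d = parse_duration(raw)
        if d > timedelta(days=30):
            findings.append(f"{raw}: exceeds 30 days")
        if d % timedelta(hours=1):
            findings.append(f"{raw}: not a whole number of hours")
    return findings

# Constructed sample, not a real auth config.
SAMPLE = {
    "validTime": "2014-10-02T15:01:23.045123456Z",
    "expiryNotificationDuration": ["86400s", "3.5s", "2678400s"],
}
```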

Credential

Defines parameters for a single, canonical credential.

JSON representation
{
  "credentialType": enum (CredentialType),

  // Union field credential_value can be only one of the following:
  "usernameAndPassword": {
    object (UsernameAndPassword)
  },
  "oauth2AuthorizationCode": {
    object (OAuth2AuthorizationCode)
  },
  "oauth2ClientCredentials": {
    object (OAuth2ClientCredentials)
  },
  "oauth2ResourceOwnerCredentials": {
    object (OAuth2ResourceOwnerCredentials)
  },
  "jwt": {
    object (Jwt)
  },
  "authToken": {
    object (AuthToken)
  },
  "serviceAccountCredentials": {
    object (ServiceAccountCredentials)
  },
  "oidcToken": {
    object (OidcToken)
  }
  // End of list of possible types for union field credential_value.
}
Fields
credentialType

enum (CredentialType)

Credential type associated with auth config.

Union field credential_value. Depending on the credential_type, the credential value is specified in one of the following protos. credential_value can be only one of the following:
usernameAndPassword

object (UsernameAndPassword)

Username and password credential

oauth2AuthorizationCode

object (OAuth2AuthorizationCode)

OAuth2 authorization code credential. The api_key and oauth2_implicit credentials are not covered in v1 and will be picked up once v1 is implemented.

oauth2ClientCredentials

object (OAuth2ClientCredentials)

OAuth2 client credentials

oauth2ResourceOwnerCredentials

object (OAuth2ResourceOwnerCredentials)

OAuth2 resource owner credentials

jwt

object (Jwt)

JWT credential

authToken

object (AuthToken)

Auth token credential

serviceAccountCredentials

object (ServiceAccountCredentials)

Service account credential

oidcToken

object (OidcToken)

Google OIDC ID Token

CredentialType

Each type only applies to a certain number of services. For example, types with the OAuth prefix only work for connecting to REST endpoints.

Enums
CREDENTIAL_TYPE_UNSPECIFIED Unspecified credential type
USERNAME_AND_PASSWORD Regular username/password pair.
API_KEY API key.
OAUTH2_AUTHORIZATION_CODE OAuth 2.0 Authorization Code Grant type.
OAUTH2_IMPLICIT OAuth 2.0 Implicit Grant type.
OAUTH2_CLIENT_CREDENTIALS OAuth 2.0 Client Credentials Grant type.
OAUTH2_RESOURCE_OWNER_CREDENTIALS OAuth 2.0 Resource owner Credentials Grant type.
JWT JWT Token.
AUTH_TOKEN Auth Token, e.g. bearer token.
SERVICE_ACCOUNT Service Account which can be used to generate token for authentication.
CLIENT_CERTIFICATE_ONLY Client Certificate only.
OIDC_TOKEN Google OIDC ID Token
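
An added pre-flight check, not taken from the API reference: it verifies that an AuthConfig sets at most one member of the credential union and that decryptedCredential carries exactly the credential_value member matching its credentialType. The type-to-field mapping is inferred from the names on this page and is an assumption.

```python
# Assumption: each CredentialType pairs with the same-named credential_value member.
# API_KEY, OAUTH2_IMPLICIT and CLIENT_CERTIFICATE_ONLY have no member on this page.
TYPE_TO_FIELD = {
    "USERNAME_AND_PASSWORD": "usernameAndPassword",
    "OAUTH2_AUTHORIZATION_CODE": "oauth2AuthorizationCode",
    "OAUTH2_CLIENT_CREDENTIALS": "oauth2ClientCredentials",
    "OAUTH2_RESOURCE_OWNER_CREDENTIALS": "oauth2ResourceOwnerCredentials",
    "JWT": "jwt",
    "AUTH_TOKEN": "authToken",
    "SERVICE_ACCOUNT": "serviceAccountCredentials",
    "OIDC_TOKEN": "oidcToken",
}

def check_credential(auth_config):
    """Return a list of findings; an empty list means the unions are consistent."""
    findings = []
    raw = auth_config.get("decryptedCredential")
    if raw is not None and "encryptedCredential" in auth_config:
        findings.append("credential: both encryptedCredential and decryptedCredential set")
    if raw is None:
        return findings  # encrypted or absent: nothing further to inspect
    ctype = raw.get("credentialType", "CREDENTIAL_TYPE_UNSPECIFIED")
    outer = auth_config.get("credentialType", ctype)
    if outer != ctype:
        findings.append(f"credentialType mismatch: {outer} vs {ctype}")
    present = sorted(f for f in TYPE_TO_FIELD.values() if f in raw)
    expected = TYPE_TO_FIELD.get(ctype)
    wanted = [expected] if expected else []
    if present != wanted:
        findings.append(f"credential_value: {ctype} expects {wanted}, found {present}")
    return findings

# Constructed sample: declares JWT but carries two other credential_value members.
SAMPLE = {
    "displayName": "constructed-example",
    "credentialType": "JWT",
    "decryptedCredential": {
        "credentialType": "JWT",
        "authToken": {"type": "Bearer", "token": "constructed"},
        "usernameAndPassword": {"username": "u", "password": "constructed"},
    },
}
```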

UsernameAndPassword

Username and password pair.

JSON representation
{
  "username": string,
  "password": string
}
Fields
username

string

Username to be used

password

string

Password to be used

OAuth2AuthorizationCode

The OAuth type where the client sends a request with the client id and requested scopes to the auth endpoint. The user sees a consent screen, and the auth code is then received at the specified redirect URL. The auth code is then combined with the client id and secret and sent to the token endpoint in exchange for the access and refresh tokens. The refresh token can be used to fetch new access tokens.

JSON representation
{
  "clientId": string,
  "clientSecret": string,
  "scope": string,
  "authEndpoint": string,
  "authParams": {
    object (ParameterMap)
  },
  "tokenEndpoint": string,
  "tokenParams": {
    object (ParameterMap)
  },
  "accessToken": {
    object (AccessToken)
  },
  "authCode": string,
  "requestType": enum (RequestType),
  "applyReauthPolicy": boolean
}
Fields
clientId

string

The client's id.

clientSecret

string

The client's secret.

scope

string

A space-delimited list of requested scope permissions.

authEndpoint

string

The auth url endpoint to send the auth code request to.

authParams

object (ParameterMap)

The auth parameters sent along with the auth code request.

tokenEndpoint

string

The token url endpoint to send the token request to.

tokenParams

object (ParameterMap)

The token parameters sent along with the token request.

accessToken

object (AccessToken)

The access token received from the token endpoint.

authCode

string

The Auth Code that is used to initially retrieve the access token.

requestType

enum (RequestType)

Represents how to pass parameters to fetch the access token.

applyReauthPolicy

boolean

Indicates if the user has opted in to the Google Reauth Policy. If opted in, the refresh token will be valid for 20 hours, after which time users must re-authenticate in order to obtain a new one.

ParameterMap

A generic multi-map that holds key-value pairs. The keys and values can be of any type, unless specified.

JSON representation
{
  "entries": [
    {
      object (ParameterMapEntry)
    }
  ],
  "keyType": enum (IntegrationParameterDataType),
  "valueType": enum (IntegrationParameterDataType)
}
Fields
entries[]

object (ParameterMapEntry)

A list of parameter map entries.

keyType

enum (IntegrationParameterDataType)

Option to specify key type for all entries of the map. If provided then field types for all entries must conform to this.

valueType

enum (IntegrationParameterDataType)

Option to specify value type for all entries of the map. If provided then field types for all entries must conform to this.

ParameterMapEntry

Entry is a pair of key and value.

JSON representation
{
  "key": {
    object (ParameterMapField)
  },
  "value": {
    object (ParameterMapField)
  }
}
Fields
key

object (ParameterMapField)

Key of the map entry.

value

object (ParameterMapField)

Value of the map entry.

ParameterMapField

Field represents either the key or value in an entry.

JSON representation
{

  // Union field value can be only one of the following:
  "referenceKey": string,
  "literalValue": {
    object (ValueType)
  }
  // End of list of possible types for union field value.
}
Fields

Union field value.

value can be only one of the following:

referenceKey

string

Referencing one of the Integration variables.

literalValue

object (ValueType)

Passing a literal value.

AccessToken

The access token represents the authorization of a specific application to access specific parts of a user's data.

JSON representation
{
  "accessToken": string,
  "accessTokenExpireTime": string,
  "tokenType": string,
  "refreshToken": string,
  "refreshTokenExpireTime": string
}
Fields
accessToken

string

The access token encapsulating the security identity of a process or thread.

accessTokenExpireTime

string (Timestamp format)

Required. The approximate time until which the retrieved access token is valid.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

tokenType

string

Only the "bearer" token type is supported in v1, as bearer token is the predominant type used with OAuth 2.0.

refreshToken

string

If the access token will expire, use the refresh token to obtain another access token.

refreshTokenExpireTime

string (Timestamp format)

The approximate time until which the retrieved refresh token is valid.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

RequestType

Represents how to pass parameters to fetch the access token.

Enums
REQUEST_TYPE_UNSPECIFIED Unspecified request type
REQUEST_BODY To pass all the parameters in the POST body.
QUERY_PARAMETERS To pass all the parameters as query parameters.
ENCODED_HEADER To pass the client id and client secret as the base64 encoding of clientId:client_password, and the rest of the parameters in the POST body.

OAuth2ClientCredentials

For client credentials grant, the client sends a POST request with grant_type as 'client_credentials' to the authorization server. The authorization server will respond with a JSON object containing the access token.

JSON representation
{
  "clientId": string,
  "clientSecret": string,
  "tokenEndpoint": string,
  "scope": string,
  "tokenParams": {
    object (ParameterMap)
  },
  "accessToken": {
    object (AccessToken)
  },
  "requestType": enum (RequestType)
}
Fields
clientId

string

The client's ID.

clientSecret

string

The client's secret.

tokenEndpoint

string

The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token.

scope

string

A space-delimited list of requested scope permissions.

tokenParams

object (ParameterMap)

Token parameters for the auth request.

accessToken

object (AccessToken)

Access token fetched from the authorization server.

requestType

enum (RequestType)

Represents how to pass parameters to fetch the access token.
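
How the three RequestType values change the client credentials token request, as an added example that is not part of the API reference. It assumes standard OAuth 2.0 parameter names, that ENCODED_HEADER is sent as an HTTP Basic Authorization header (RFC 6749 section 2.3.1), and that every variant uses POST; tokenParams is omitted.

```python
import base64
from urllib.parse import urlencode

def build_token_request(cred):
    """Return (method, url, headers, body) for an OAuth2ClientCredentials object."""
    params = {"grant_type": "client_credentials"}
    if cred.get("scope"):
        params["scope"] = cred["scope"]
    client = {"client_id": cred["clientId"], "client_secret": cred["clientSecret"]}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    url = cred["tokenEndpoint"]
    request_type = cred.get("requestType", "REQUEST_TYPE_UNSPECIFIED")

    if request_type == "REQUEST_BODY":
        body = urlencode({**params, **client})
    elif request_type == "QUERY_PARAMETERS":
        # The secret becomes part of the URL, so it can surface in proxy and access logs.
        url = f"{url}?{urlencode({**params, **client})}"
        body = ""
    elif request_type == "ENCODED_HEADER":
        pair = f"{cred['clientId']}:{cred['clientSecret']}".encode()
        # Assumption: the encoded pair travels as an HTTP Basic Authorization header.
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
        body = urlencode(params)
    else:
        raise ValueError(f"unsupported requestType: {request_type}")
    return "POST", url, headers, body

def secret_locations(cred):
    """Report which parts of the outgoing request carry the client secret."""
    _, url, headers, body = build_token_request(cred)
    secret = cred["clientSecret"]
    checks = (("url", secret in url), ("body", secret in body),
              ("header", "Authorization" in headers))
    return [where for where, hit in checks if hit]

# Constructed sample values; the endpoint and credentials are placeholders.
SAMPLE = {
    "clientId": "example-client",
    "clientSecret": "constructed-secret",
    "tokenEndpoint": "https://auth.example.test/token",
    "scope": "read write",
    "requestType": "ENCODED_HEADER",
}
```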

OAuth2ResourceOwnerCredentials

For resource owner credentials grant, the client will ask the user for their authorization credentials (usually a username and password) and send a POST request to the authorization server. The authorization server will respond with a JSON object containing the access token.

JSON representation
{
  "clientId": string,
  "clientSecret": string,
  "username": string,
  "password": string,
  "tokenEndpoint": string,
  "scope": string,
  "tokenParams": {
    object (ParameterMap)
  },
  "accessToken": {
    object (AccessToken)
  },
  "requestType": enum (RequestType)
}
Fields
clientId

string

The client's ID.

clientSecret

string

The client's secret.

username

string

The user's username.

password

string

The user's password.

tokenEndpoint

string

The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token.

scope

string

A space-delimited list of requested scope permissions.

tokenParams

object (ParameterMap)

Token parameters for the auth request.

accessToken

object (AccessToken)

Access token fetched from the authorization server.

requestType

enum (RequestType)

Represents how to pass parameters to fetch the access token.

Jwt

Represents a JSON Web Token (JWT), which is a compact, URL-safe means of representing claims to be transferred between two parties, enabling the claims to be digitally signed or integrity protected.

JSON representation
{
  "jwtHeader": string,
  "jwtPayload": string,
  "secret": string,
  "jwt": string
}
Fields
jwtHeader

string

Identifies which algorithm is used to generate the signature.

jwtPayload

string

Contains a set of claims. The JWT specification defines seven Registered Claim Names which are the standard fields commonly included in tokens. Custom claims are usually also included, depending on the purpose of the token.

secret

string

User's pre-shared secret to sign the token.

jwt

string

The token calculated from the header, payload and signature.
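
How the jwt field relates to jwtHeader, jwtPayload and secret, as an added example that is not part of the API reference. It assumes jwtHeader and jwtPayload hold JSON text and that the pre-shared secret is used with HS256 (HMAC-SHA256); the verifier pins that algorithm instead of trusting the token's own header.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(jwt_cred):
    """Compute the compact token from jwtHeader, jwtPayload and secret (HS256 only)."""
    if json.loads(jwt_cred["jwtHeader"]).get("alg") != "HS256":
        raise ValueError("this example only signs HS256")
    signing_input = ".".join(
        _b64url(jwt_cred[key].encode()) for key in ("jwtHeader", "jwtPayload"))
    mac = hmac.new(jwt_cred["secret"].encode(), signing_input.encode(), hashlib.sha256)
    return f"{signing_input}.{_b64url(mac.digest())}"

def verify_jwt(token, secret):
    """Return the claims if the HS256 signature is valid, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: a header saying "none" or anything else is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

# Constructed sample Jwt object; the secret is a placeholder.
SAMPLE = {
    "jwtHeader": '{"alg":"HS256","typ":"JWT"}',
    "jwtPayload": '{"sub":"constructed-user"}',
    "secret": "constructed-secret",
}
```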

AuthToken

The credentials used to authenticate a user agent with a server, placed in the HTTP Authorization request header.

JSON representation
{
  "type": string,
  "token": string
}
Fields
type

string

Authentication type, e.g. "Basic", "Bearer", etc.

token

string

The token for the auth type.

ServiceAccountCredentials

Represents the service account which can be used to generate an access token for authenticating the service call.

JSON representation
{
  "serviceAccount": string,
  "scope": string
}
Fields
serviceAccount

string

Name of the service account that has the permission to make the request.

scope

string

A space-delimited list of requested scope permissions.

OidcToken

OIDC Token

JSON representation
{
  "serviceAccountEmail": string,
  "audience": string,
  "token": string,
  "tokenExpireTime": string
}
Fields
serviceAccountEmail

string

The service account email to be used as the identity for the token.

audience

string

Audience to be used when generating OIDC token. The audience claim identifies the recipients that the JWT is intended for.

token

string

ID token obtained for the service account

tokenExpireTime

string (Timestamp format)

The approximate time until which the retrieved token is valid.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

AuthConfigVisibility

Enum for the visibility of the auth config.

Enums
AUTH_CONFIG_VISIBILITY_UNSPECIFIED Visibility not specified.
PRIVATE Profile visible to the creator only.
CLIENT_VISIBLE Profile visible within the client.

State

The status of the auth config.

Enums
STATE_UNSPECIFIED Status not specified.
VALID Valid Auth config.
INVALID General invalidity, if it doesn't fit in the detailed issues below.
SOFT_DELETED Auth config soft deleted.
EXPIRED Auth config expired.
UNAUTHORIZED Auth config unauthorized.
UNSUPPORTED Auth config not supported.

Methods

create

Creates an auth config record.

delete

Deletes an auth config.

get

Gets a complete auth config.

list

Lists all auth configs that match the filter.

patch

Updates an auth config.