public class ServiceAccountCredential : ServiceCredential, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, IGoogleCredential, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccessGoogle OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.
Take a look in https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details.
Since version 1.9.3, service account credential also supports JSON Web Token access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used as an access token directly. See GetAccessTokenForRequestAsync(String, CancellationToken) for explanation when JWT access token is used and when regular OAuth2 token is used.
Implements
IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccessNamespace
Google.Apis.Auth.OAuth2Assembly
Google.Apis.Auth.dll
Constructors
ServiceAccountCredential(ServiceAccountCredential.Initializer)
public ServiceAccountCredential(ServiceAccountCredential.Initializer initializer)Constructs a new service account credential using the given initializer.
| Parameter | |
|---|---|
| Name | Description |
initializer | ServiceAccountCredential.Initializer |
Fields
UnixEpoch
protected static readonly DateTime UnixEpochUnix epoch as a DateTime
| Field Value | |
|---|---|
| Type | Description |
DateTime | |
Properties
Id
public string Id { get; }Gets the service account ID (typically an e-mail address).
| Property Value | |
|---|---|
| Type | Description |
String | |
Key
public System.Security.Cryptography.RSA Key { get; }Gets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature.
| Property Value | |
|---|---|
| Type | Description |
System.Security.Cryptography.RSA | |
KeyId
public string KeyId { get; }Gets the key id of the key which is used to sign the request.
| Property Value | |
|---|---|
| Type | Description |
String | |
ProjectId
public string ProjectId { get; }The project ID associated with this credential.
| Property Value | |
|---|---|
| Type | Description |
String | |
Scopes
public IEnumerable<string> Scopes { get; }Gets the service account scopes.
| Property Value | |
|---|---|
| Type | Description |
IEnumerable<String> | |
User
public string User { get; }Gets the email address of the user the application is trying to impersonate in the service account flow
or null.
| Property Value | |
|---|---|
| Type | Description |
String | |
Methods
CreateSignature(Byte[])
public string CreateSignature(byte[] data)Creates a base64 encoded signature for the SHA-256 hash of the specified data.
| Parameter | |
|---|---|
| Name | Description |
data | Byte[]The data to hash and sign. Must not be null. |
| Returns | |
|---|---|
| Type | Description |
String | The base-64 encoded signature. |
FromServiceAccountData(Stream)
public static ServiceAccountCredential FromServiceAccountData(Stream credentialData)Creates a new ServiceAccountCredential instance from JSON credential data.
| Parameter | |
|---|---|
| Name | Description |
credentialData | StreamThe stream from which to read the JSON key data for a service account. Must not be null. |
| Returns | |
|---|---|
| Type | Description |
ServiceAccountCredential | The credentials parsed from the service account key data. |
GetAccessTokenForRequestAsync(String, CancellationToken)
public override Task<string> GetAccessTokenForRequestAsync(string authUri = null, CancellationToken cancellationToken = null)Gets an access token to authorize a request.
If authUri is set and this credential has no scopes associated
with it, a locally signed JWT access token for given authUri
is returned. Otherwise, an OAuth2 access token obtained from token server will be returned.
A cached token is used if possible and the token is only refreshed once it's close to its expiry.
| Parameters | |
|---|---|
| Name | Description |
authUri | StringThe URI the returned token will grant access to. |
cancellationToken | CancellationTokenThe cancellation token. |
| Returns | |
|---|---|
| Type | Description |
Task<String> | The access token. |
GetOidcTokenAsync(OidcTokenOptions, CancellationToken)
public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = null)Returns an OIDC token for the given options.
| Parameters | |
|---|---|
| Name | Description |
options | OidcTokenOptionsThe options to create the token from. |
cancellationToken | CancellationTokenThe cancellation token that may be used to cancel the request. |
| Returns | |
|---|---|
| Type | Description |
Task<OidcToken> | The OIDC token. |
RequestAccessTokenAsync(CancellationToken)
public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)Requests a new token as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.
| Parameter | |
|---|---|
| Name | Description |
taskCancellationToken | CancellationTokenCancellation token to cancel operation. |
| Returns | |
|---|---|
| Type | Description |
Task<Boolean> |
|