Namespace Google.Apis.Auth.OAuth2 (1.60.0)

Classes

AccessTokenWithHeaders

Represents an access token that can be used to authorize a request. The token might be accompanied by extra information that should be sent in the form of headers.

AccessTokenWithHeaders.Builder

Builder class for AccessTokenWithHeaders to simplify common scenarios.

AuthorizationCodeInstalledApp

Thread-safe OAuth 2.0 authorization code flow for an installed application that persists end-user credentials.

AwsExternalAccountCredential

AWS credentials as described in https://google.aip.dev/auth/4117#determining-the-subject-token-in-aws.

BearerToken

OAuth 2.0 helper for accessing protected resources using the Bearer token as specified in http://tools.ietf.org/html/rfc6750.

BearerToken.AuthorizationHeaderAccessMethod

Thread-safe OAuth 2.0 method for accessing protected resources using the Authorization header as specified in http://tools.ietf.org/html/rfc6750#section-2.1.

BearerToken.QueryParameterAccessMethod

Obsolete. Thread-safe OAuth 2.0 method for accessing protected resources using an access_token query parameter as specified in http://tools.ietf.org/html/rfc6750#section-2.3. This access method is being made obsolete. Please read here for more up to date information: https://developers.google.com/identity/protocols/oauth2/index.html#4.-send-the-access-token-to-an-api.. Please use BearerToken.AuthorizationHeaderAccessMethod instead.

ClientSecrets

Client credential details for installed and web applications.

ComputeCredential

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.

More details about Compute Engine authentication is available at: https://cloud.google.com/compute/docs/authentication.

ComputeCredential.Initializer

An initializer class for the Compute credential. It uses ComputeTokenUrl as the token server URL (optionally overriding the host using the GCE_METADATA_HOST environment variable).

ExternalAccountCredential

Base class for external account credentials.

FileSourcedExternalAccountCredential

File-sourced credentials as described in https://google.aip.dev/auth/4117#determining-the-subject-token-in-file-sourced-credentials.

GoogleAuthConsts

Google OAuth2 constants. Canonical source for these URLs is: https://accounts.google.com/.well-known/openid-configuration

GoogleClientSecrets

OAuth 2.0 client secrets model as specified in https://cloud.google.com/console/.

GoogleCredential

Credential for authorizing calls using OAuth 2.0. It is a convenience wrapper that allows handling of different types of credentials (like ServiceAccountCredential, ComputeCredential or UserCredential) in a unified way.

See GetApplicationDefaultAsync(CancellationToken) for the credential retrieval logic.

GoogleWebAuthorizationBroker

A helper utility to manage the authorization code flow.

ImpersonatedCredential

Allows a service account or user credential to impersonate a service account. See https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials and https://cloud.google.com/iam/docs/impersonating-service-accounts for more information.

ImpersonatedCredential.Initializer

An initializer class for the impersonated credential.

JsonCredentialParameters

Holder for credential parameters read from JSON credential file. Fields are union of parameters for all supported credential types.

JsonCredentialParameters.CredentialSource

Holder for the credential source parameters associated to an external account credentials.

JsonCredentialParameters.CredentialSource.SubjectTokenFormat

Holder for the subject token format.

LocalServerCodeReceiver

OAuth 2.0 verification code receiver that runs a local server on a free port and waits for a call with the authorization verification code.

OidcToken

Represents an OIDC Token.

OidcTokenOptions

Options used to create an OidcToken.

RequestExtensions

Extension methods for requests.

ServiceAccountCredential

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.

Take a look in https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details.

Since version 1.9.3, service account credential also supports JSON Web Token access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used as an access token directly. See GetAccessTokenForRequestAsync(string, CancellationToken) for explanation when JWT access token is used and when regular OAuth2 token is used.

ServiceAccountCredential.Initializer

An initializer class for the service account credential.

ServiceCredential

This type of Google OAuth 2.0 credential enables access to protected resources using an access token when interacting server to server. For example, a service account credential could be used to access Google Cloud Storage from a web application without a user's involvement.

ServiceAccountCredential inherits from this class in order to support Service Accounts. More details available at: https://developers.google.com/accounts/docs/OAuth2ServiceAccount. ComputeCredential is another example of a class that inherits from this class in order to support Compute credentials. For more information about Compute authentication, see: https://cloud.google.com/compute/docs/authentication.

ExternalAccountCredential inherits from this class to support both Workload Identity Federation and Workforce Identity Federation. You can read more about these topics in https://cloud.google.com/iam/docs/workload-identity-federation and https://cloud.google.com/iam/docs/workforce-identity-federation respectively. Note that in the case of Workforce Identity Federation, the external account does not represent a service account but a user account, so, the fact that ExternalAccountCredential inherits from ServiceCredential might be construed as misleading. In reality ServiceCredential is not tied to a service account in terms of implementation, only in terms of name. For instance, a better name for this class might have been NoUserFlowCredential, and in that sense, it's correct that ExternalAccountCredential inherits from ServiceCredential even when representing a Workforce Identity Federation account.

ServiceCredential.Initializer

An initializer class for the service credential.

SubjectTokenException

Exception thrown when the subject token cannot be obtained for a given external account credential.

UrlSourcedExternalAccountCredential

URL-sourced credentials as described in https://google.aip.dev/auth/4117#determining-the-subject-token-in-microsoft-azure-and-url-sourced-credentials.

UserCredential

OAuth 2.0 credential for accessing protected resources using an access token, as well as optionally refreshing the access token when it expires using a refresh token.

Interfaces

IAccessMethod

Method of presenting the access token to the resource server as specified in http://tools.ietf.org/html/rfc6749#section-7

IAuthorizationCodeInstalledApp

Authorization code flow for an installed application that persists end-user credentials.

IBlobSigner

Represents a data blob signer.

ICodeReceiver

OAuth 2.0 verification code receiver.

ICredential

The main interface to represent credential in the client library. Service account, User account and Compute credential inherit from this interface to provide access token functionality. In addition this interface inherits from IConfigurableHttpClientInitializer to be able to hook to http requests. More details are available in the specific implementations.

IOidcTokenProvider

Represents an OIDC token provider.

ITokenAccess

Allows direct retrieval of access tokens to authenticate requests. This is necessary for workflows where you don't want to use BaseClientService to access the API. (e.g. gRPC that implemenents the entire HTTP2 stack internally).

ITokenAccessWithHeaders

Allows direct retrieval of access tokens to authenticate requests. The access tokens obtained can be accompanied by extra information that either describes the access token or is associated with it. This information should acompany the token as headers when the token is used to access a resource.

Enums

LocalServerCodeReceiver.CallbackUriChooserStrategy

Describes the different strategies for the selection of the callback URI. 127.0.0.1 is recommended, but can't be done in non-admin Windows 7 and 8 at least.

OidcTokenFormat

Represents the OIDC token formats supported when the token is obtained using the GCE metadata server.