Class ServiceAccountCredential (1.60.0)

public class ServiceAccountCredential : ServiceCredential, IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IBlobSigner

Google OAuth 2.0 credential for accessing protected resources using an access token. The Google OAuth 2.0 Authorization Server supports server-to-server interactions such as those between a web application and Google Cloud Storage. The requesting application has to prove its own identity to gain access to an API, and an end-user doesn't have to be involved.

Take a look in https://developers.google.com/accounts/docs/OAuth2ServiceAccount for more details.

Since version 1.9.3, service account credential also supports JSON Web Token access token scenario. In this scenario, instead of sending a signed JWT claim to a token server and exchanging it for an access token, a locally signed JWT claim bound to an appropriate URI is used as an access token directly. See GetAccessTokenForRequestAsync(string, CancellationToken) for explanation when JWT access token is used and when regular OAuth2 token is used.

Inheritance

object > ServiceCredential > ServiceAccountCredential

Implements

IHttpExecuteInterceptor, IHttpUnsuccessfulResponseHandler, IOidcTokenProvider, ICredential, IConfigurableHttpClientInitializer, ITokenAccessWithHeaders, ITokenAccess, IBlobSigner

Inherited Members

ServiceCredential.Logger

ServiceCredential.TokenServerUrl

ServiceCredential.Clock

ServiceCredential.AccessMethod

ServiceCredential.HttpClient

ServiceCredential.Scopes

ServiceCredential.Token

ServiceCredential.QuotaProject

ServiceCredential.BuildCreateHttpClientArgs()

ServiceCredential.Initialize(ConfigurableHttpClient)

ServiceCredential.InterceptAsync(HttpRequestMessage, CancellationToken)

ServiceCredential.HandleResponseAsync(HandleUnsuccessfulResponseArgs)

ServiceCredential.GetAccessTokenWithHeadersForRequestAsync(string, CancellationToken)

object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.MemberwiseClone()

object.ReferenceEquals(object, object)

object.ToString()

Namespace

Google Apis Auth OAuth2

Assembly

Google.Apis.Auth.dll

Constructors

ServiceAccountCredential(Initializer)

public ServiceAccountCredential(ServiceAccountCredential.Initializer initializer)

Constructs a new service account credential using the given initializer.

Parameter
Name	Description
`initializer`	`ServiceAccountCredentialInitializer`

Fields

UnixEpoch

protected static readonly DateTime UnixEpoch

Unix epoch as a DateTime

Field Value
Type	Description
`DateTime`

Properties

Id

public string Id { get; }

Gets the service account ID (typically an e-mail address).

Property Value
Type	Description
`string`

Key

public RsaKey Key { get; }

Gets the key which is used to sign the request, as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#computingsignature.

Property Value
Type	Description
`RsaKey`

KeyId

public string KeyId { get; }

Gets the key id of the key which is used to sign the request.

Property Value
Type	Description
`string`

ProjectId

public string ProjectId { get; }

The project ID associated with this credential.

Property Value
Type	Description
`string`

UseJwtAccessWithScopes

public bool UseJwtAccessWithScopes { get; }

Gets the flag indicating whether Self-Signed JWT should be used when OAuth scopes are set. This flag will be ignored if this credential has User set, meaning it is used with domain-wide delegation. Self-Signed JWTs won't be used in that case.

Property Value
Type	Description
`bool`

User

public string User { get; }

Gets the email address of the user the application is trying to impersonate in the service account flow or null.

Property Value
Type	Description
`string`

Methods

CreateSignature(byte[])

public string CreateSignature(byte[] data)

Creates a base64 encoded signature for the SHA-256 hash of the specified data.

Parameter
Name	Description
`data`	`byte` The data to hash and sign. Must not be null.

Returns
Type	Description
`string`	The base-64 encoded signature.

FromServiceAccountData(Stream)

public static ServiceAccountCredential FromServiceAccountData(Stream credentialData)

Creates a new ServiceAccountCredential instance from JSON credential data.

Parameter
Name	Description
`credentialData`	`Stream` The stream from which to read the JSON key data for a service account. Must not be null.

Returns
Type	Description
`ServiceAccountCredential`	The credentials parsed from the service account key data.

Exceptions
Type	Description
`System.InvalidOperationException`	The `credentialData` does not contain valid JSON service account key data.

GetAccessTokenForRequestAsync(string, CancellationToken)

public override Task<string> GetAccessTokenForRequestAsync(string authUri = null, CancellationToken cancellationToken = default)

Gets an access token to authorize a request. An OAuth2 access token obtained from TokenServerUrl will be returned in the following two cases:

If this credential has Scopes associated, but UseJwtAccessWithScopes is false;
If this credential is used with domain-wide delegation, that is, the User is set; Otherwise, a locally signed JWT will be returned. The signed JWT will contain a "scope" claim with the scopes in Scopes if there are any, otherwise it will contain an "aud" claim with authUri. A cached token is used if possible and the token is only refreshed once it's close to its expiry.

Parameters
Name	Description
`authUri`	`string` The URI the returned token will grant access to. Should be specified if no Scopes have been specified for the credential.
`cancellationToken`	`CancellationToken` The cancellation token.

Returns
Type	Description
`Taskstring`	The access token.

Overrides

ServiceCredential.GetAccessTokenForRequestAsync(string, CancellationToken)

GetOidcTokenAsync(OidcTokenOptions, CancellationToken)

public Task<OidcToken> GetOidcTokenAsync(OidcTokenOptions options, CancellationToken cancellationToken = default)

Returns an OIDC token for the given options.

Parameters
Name	Description
`options`	`OidcTokenOptions` The options to create the token from.
`cancellationToken`	`CancellationToken` The cancellation token that may be used to cancel the request.

Returns
Type	Description
`TaskOidcToken`	The OIDC token.

RequestAccessTokenAsync(CancellationToken)

public override Task<bool> RequestAccessTokenAsync(CancellationToken taskCancellationToken)

Requests a new token as specified in https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest.

Parameter
Name	Description
`taskCancellationToken`	`CancellationToken` Cancellation token to cancel operation.

Returns
Type	Description
`Taskbool`	`true` if a new token was received successfully.

Overrides

ServiceCredential.RequestAccessTokenAsync(CancellationToken)

SignBlobAsync(byte[], CancellationToken)

public Task<string> SignBlobAsync(byte[] blob, CancellationToken cancellationToken = default)

Returns the base64 encoded signature of the given blob.

Parameters
Name	Description
`blob`	`byte` The blob to sign.
`cancellationToken`	`CancellationToken` The cancellation token.

Returns
Type	Description
`Taskstring`	The base64 encoded signature.

WithUseJwtAccessWithScopes(bool)

public ServiceAccountCredential WithUseJwtAccessWithScopes(bool useJwtAccessWithScopes)

Constructs a new instance of the ServiceAccountCredential but with the given UseJwtAccessWithScopes value.

Parameter
Name	Description
`useJwtAccessWithScopes`	`bool` A flag preferring use of self-signed JWTs over OAuth tokens when OAuth scopes are explicitly set.

Returns
Type	Description
`ServiceAccountCredential`	A new instance of the ServiceAccountCredential but with the given UseJwtAccessWithScopes value.

Extension Method

Utilities.ThrowIfNull<T>(T, string)