Package com.google.auth.oauth2

Class GoogleCredentials

java.lang.Object
com.google.auth.Credentials
com.google.auth.oauth2.OAuth2Credentials
com.google.auth.oauth2.GoogleCredentials
All Implemented Interfaces:
QuotaProjectIdProvider, Serializable
Direct Known Subclasses:
CloudShellCredentials, ComputeEngineCredentials, ExternalAccountAuthorizedUserCredentials, ExternalAccountCredentials, GdchCredentials, ImpersonatedCredentials, ServiceAccountCredentials, UserCredentials
public class GoogleCredentials extends OAuth2Credentials implements QuotaProjectIdProvider
Base type for credentials for authorizing calls to Google APIs using OAuth2.
See Also:

  • Field Details

    • quotaProjectId

      protected final String quotaProjectId

  • Constructor Details

    • GoogleCredentials

      protected GoogleCredentials()
      Default constructor.

    • GoogleCredentials

      @Deprecated protected GoogleCredentials(AccessToken accessToken, String quotaProjectId)
      Deprecated.
      Constructor with an explicit access token and quotaProjectId.

      Deprecated, please use the GoogleCredentials(Builder) constructor whenever possible.

      Parameters:
      accessToken - initial or temporary access token
      quotaProjectId - a quotaProjectId, a project id to be used for billing purposes

    • GoogleCredentials

      @Deprecated public GoogleCredentials(AccessToken accessToken)
      Deprecated.
      Constructor with explicit access token.
      Parameters:
      accessToken - initial or temporary access token

    • GoogleCredentials

      protected GoogleCredentials(GoogleCredentials.Builder builder)
      Constructor that relies on a GoogleCredentials.Builder to provide all the necessary field values for initialization.
      Parameters:
      builder - an instance of a builder

    • GoogleCredentials

      @Deprecated protected GoogleCredentials(AccessToken accessToken, Duration refreshMargin, Duration expirationMargin)
      Deprecated.
      Constructor with explicit access token and refresh margins.

      Deprecated, please use the GoogleCredentials(Builder) constructor whenever possible.

      Parameters:
      accessToken - initial or temporary access token

  • Method Details

    • create

      public static GoogleCredentials create(AccessToken accessToken)
      Returns the credentials instance from the given access token.
      Parameters:
      accessToken - the access token
      Returns:
      the credentials instance

    • create

      public static GoogleCredentials create(String universeDomain, AccessToken accessToken)
      Returns the credentials instance from the given access token and universe domain.
      Parameters:
      universeDomain - the universe domain
      accessToken - the access token
      Returns:
      the credentials instance

    • getApplicationDefault

      public static GoogleCredentials getApplicationDefault() throws IOException
      Returns the Application Default Credentials.

      Returns the Application Default Credentials which are used to identify and authorize the whole application. The following are searched (in order) to find the Application Default Credentials:

      1. Credentials file pointed to by the GOOGLE_APPLICATION_CREDENTIALS environment variable
      2. Credentials provided by the Google Cloud SDK.
        1. gcloud auth application-default login for user account credentials.
        2. gcloud auth application-default login --impersonate-service-account for impersonated service account credentials.
      3. Google App Engine built-in credentials
      4. Google Cloud Shell built-in credentials
      5. Google Compute Engine built-in credentials
      Returns:
      the credentials instance.
      Throws:
      IOException - if the credentials cannot be created in the current environment.

    • getApplicationDefault

      public static GoogleCredentials getApplicationDefault(HttpTransportFactory transportFactory) throws IOException
      Returns the Application Default Credentials.

      Returns the Application Default Credentials which are used to identify and authorize the whole application. The following are searched (in order) to find the Application Default Credentials:

      1. Credentials file pointed to by the GOOGLE_APPLICATION_CREDENTIALS environment variable
      2. Credentials provided by the Google Cloud SDK gcloud auth application-default login command
      3. Google App Engine built-in credentials
      4. Google Cloud Shell built-in credentials
      5. Google Compute Engine built-in credentials
      Parameters:
      transportFactory - HTTP transport factory, creates the transport used to get access tokens.
      Returns:
      the credentials instance.
      Throws:
      IOException - if the credentials cannot be created in the current environment.

    • fromStream

      @ObsoleteApi("This method is obsolete because of a potential security risk. Use the credential specific load method instead") public static GoogleCredentials fromStream(InputStream credentialsStream) throws IOException
      This method is obsolete because of a potential security risk. Use the credential specific load method instead

      Important: This method does not validate the credential configuration. A security risk holds when a credential configuration is accepted from a source that is not under your control and used without validation on your side.

      If you know that you will be loading credential configurations of a specific type, it is recommended to use a credential-type-specific `fromStream()` method. This will ensure that an unexpected credential type with potential for malicious intent is not loaded unintentionally. You might still have to do validation for certain credential types. Please follow the recommendation for that method. For example, if you want to load only service accounts, you can use: GoogleCredentials credentials = ServiceAccountCredentials.fromStream(json); . See ServiceAccountCredentials.fromStream(InputStream, HttpTransportFactory).

      If you are loading your credential configuration from an untrusted source and have not mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon as possible to prevent security risks to your environment.

      Regardless of the method used, it is always your responsibility to validate configurations received from external sources.

      See the for more details.

      Returns credentials defined by a JSON file stream.

      The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

      Parameters:
      credentialsStream - the stream with the credential definition.
      Returns:
      the credential defined by the credentialsStream.
      Throws:
      IOException - if the credential cannot be created from the stream.

    • fromStream

      @ObsoleteApi("This method is obsolete because of a potential security risk. Use the credential specific load method instead") public static GoogleCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) throws IOException
      This method is obsolete because of a potential security risk. Use the credential specific load method instead

      Important: This method does not validate the credential configuration. A security risk holds when a credential configuration is accepted from a source that is not under your control and used without validation on your side.

      If you know that you will be loading credential configurations of a specific type, it is recommended to use a credential-type-specific `fromStream()` method. This will ensure that an unexpected credential type with potential for malicious intent is not loaded unintentionally. You might still have to do validation for certain credential types. Please follow the recommendation for that method. For example, if you want to load only service accounts, you can use: GoogleCredentials credentials = ServiceAccountCredentials.fromStream(json); . See ServiceAccountCredentials.fromStream(InputStream, HttpTransportFactory).

      If you are loading your credential configuration from an untrusted source and have not mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon as possible to prevent security risks to your environment.

      Regardless of the method used, it is always your responsibility to validate configurations received from external sources.

      See the for more details.

      Returns credentials defined by a JSON file stream.

      The stream can contain a Service Account key file in JSON format from the Google Developers Console or a stored user credential using the format supported by the Cloud SDK.

      Parameters:
      credentialsStream - the stream with the credential definition.
      Returns:
      the credential defined by the credentialsStream.
      Throws:
      IOException - if the credential cannot be created from the stream.

    • createWithQuotaProject

      public GoogleCredentials createWithQuotaProject(String quotaProject)
      Creates a credential with the provided quota project.
      Parameters:
      quotaProject - the quota project to set on the credential
      Returns:
      credential with the provided quota project

    • getUniverseDomain

      public String getUniverseDomain() throws IOException
      Gets the universe domain for the credential.
      Overrides:
      getUniverseDomain in class Credentials
      Returns:
      An explicit universe domain if it was explicitly provided, invokes the super implementation otherwise
      Throws:
      IOException

    • isExplicitUniverseDomain

      protected boolean isExplicitUniverseDomain()
      Gets the flag indicating whether universeDomain was explicitly set by the developer.

      If subclass has a requirement to give priority to developer-set universeDomain, this property must be used to check if the universeDomain value was provided by the user. It could be a default otherwise.

      Returns:
      true if universeDomain value was provided by the developer, false otherwise

    • getAdditionalHeaders

      protected Map<String,List<String>> getAdditionalHeaders()
      Description copied from class: OAuth2Credentials
      Provide additional headers to return as request metadata.
      Overrides:
      getAdditionalHeaders in class OAuth2Credentials
      Returns:
      additional headers

    • toStringHelper

      protected com.google.common.base.MoreObjects.ToStringHelper toStringHelper()
      A helper for overriding the toString() method. This allows inheritance of super class fields. Extending classes can override this implementation and call super implementation and add more fields. Same cannot be done with overriding the toString() directly.
      Returns:
      an instance of the ToStringHelper that has public fields added

    • toString

      public String toString()
      Description copied from class: OAuth2Credentials
      Returns a string representation of this credential, including request metadata and access token.

      Security Warning: The output of this method includes the request metadata which contains the raw Bearer access token, and the raw access token value. Do not log this output in production environments as it may expose sensitive credentials.

      Overrides:
      toString in class OAuth2Credentials

    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class OAuth2Credentials

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class OAuth2Credentials

    • newBuilder

      public static GoogleCredentials.Builder newBuilder()

    • toBuilder

      public GoogleCredentials.Builder toBuilder()
      Overrides:
      toBuilder in class OAuth2Credentials

    • getQuotaProjectId

      public String getQuotaProjectId()
      Specified by:
      getQuotaProjectId in interface QuotaProjectIdProvider
      Returns:
      the quota project ID used for quota and billing purposes

    • getProjectId

      public String getProjectId()
      The projectId value for a Credential type. Since not all GoogleCredentials subclass have a projectId associated, the projectId may be null. A subset of GoogleCredentials subclasses will override to return their projectId.
      Returns:
      the project id for a Credential type

    • createScopedRequired

      public boolean createScopedRequired()
      Indicates whether the credentials require scopes to be specified via a call to createScoped(java.util.Collection<java.lang.String>) before use.
      Returns:
      Whether the credentials require scopes to be specified.

    • createScoped

      public GoogleCredentials createScoped(Collection<String> scopes)
      If the credentials support scopes, creates a copy of the identity with the specified scopes, invalidates the existing scoped access token; otherwise, return the same instance.
      Parameters:
      scopes - Collection of scopes to request.
      Returns:
      GoogleCredentials with requested scopes.

    • createScoped

      public GoogleCredentials createScoped(Collection<String> scopes, Collection<String> defaultScopes)
      If the credentials support scopes, creates a copy of the identity with the specified scopes and default scopes; otherwise, returns the same instance. This is mainly used by client libraries.
      Parameters:
      scopes - Collection of scopes to request.
      defaultScopes - Collection of default scopes to request.
      Returns:
      GoogleCredentials with requested scopes.

    • createScoped

      public GoogleCredentials createScoped(String... scopes)
      If the credentials support scopes, creates a copy of the identity with the specified scopes; otherwise, returns the same instance.
      Parameters:
      scopes - Collection of scopes to request.
      Returns:
      GoogleCredentials with requested scopes.

    • createWithCustomRetryStrategy

      public GoogleCredentials createWithCustomRetryStrategy(boolean defaultRetriesEnabled)
      If the credentials support automatic retries, creates a copy of the identity with the provided retry strategy
      Parameters:
      defaultRetriesEnabled - a flag enabling or disabling default retries
      Returns:
      GoogleCredentials with the new default retries configuration.

    • createDelegated

      public GoogleCredentials createDelegated(String user)
      If the credentials support domain-wide delegation, creates a copy of the identity so that it impersonates the specified user; otherwise, returns the same instance.
      Parameters:
      user - User to impersonate.
      Returns:
      GoogleCredentials with a delegated user.

    • getCredentialInfo

      public Map<String,String> getCredentialInfo()
      Provides additional information regarding credential initialization source
      • credential source - Initialized via the GOOGLE_APPLICATION_CREDENTIALS env var or well known file type
      • credential name - The user-friendly name of the credential created
      • principal - Identity used for the credential
      Unknown field values (i.e. null) are not included in the mapping (e.g. ComputeCredentials may not know the principal value until after a call to MDS is made and the field will be excluded if `getCredentialInfo` is called prior to retrieving that value). A new map of the fields is created on every time this method is called as fields may be updated throughout the Credential lifecycle. This mapping is intended to provide information about the Credential that is created via ADC. Some fields may not be known if a Credential is directly created (e.g. `ServiceAccountCredential.fromStream(InputStream)` may not know the source of the file stream). These fields are populated on a best effort basis.
      Returns:
      ImmutableMap of information regarding how the Credential was initialized