Class OAuth2Credentials

java.lang.Object
com.google.auth.Credentials
com.google.auth.oauth2.OAuth2Credentials
All Implemented Interfaces:
Serializable
Direct Known Subclasses:
DownscopedCredentials, GoogleCredentials, IdTokenCredentials, OAuth2CredentialsWithRefresh

public class OAuth2Credentials extends Credentials
Base type for Credentials using OAuth2.
  • Constructor Details

    • OAuth2Credentials

      protected OAuth2Credentials()
      Default constructor.
    • OAuth2Credentials

      protected OAuth2Credentials(AccessToken accessToken)
      Constructor with explicit access token.
      Parameters:
      accessToken - initial or temporary access token
    • OAuth2Credentials

      protected OAuth2Credentials(AccessToken accessToken, Duration refreshMargin, Duration expirationMargin)
  • Method Details

    • create

      public static OAuth2Credentials create(AccessToken accessToken)
      Returns the credentials instance from the given access token.
      Parameters:
      accessToken - the access token
      Returns:
      the credentials instance
    • getAuthenticationType

      public String getAuthenticationType()
      Specified by:
      getAuthenticationType in class Credentials
    • hasRequestMetadata

      public boolean hasRequestMetadata()
      Specified by:
      hasRequestMetadata in class Credentials
    • hasRequestMetadataOnly

      public boolean hasRequestMetadataOnly()
      Specified by:
      hasRequestMetadataOnly in class Credentials
    • getAccessToken

      public final AccessToken getAccessToken()
      Returns the cached access token.

      If not set, you should call refresh() to fetch and cache an access token.

      Returns:
      The cached access token.
    • getRequestMetadata

      public void getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
      Overrides:
      getRequestMetadata in class Credentials
    • getRequestMetadata

      public Map<String,List<String>> getRequestMetadata(URI uri) throws IOException
      Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
      Specified by:
      getRequestMetadata in class Credentials
      Throws:
      IOException
    • refresh

      public void refresh() throws IOException
      Request a new token regardless of the current token state. If the current token is not expired, it will still be returned during the refresh.
      Specified by:
      refresh in class Credentials
      Throws:
      IOException
    • refreshIfExpired

      public void refreshIfExpired() throws IOException
      Refresh these credentials only if they have expired or are expiring imminently.
      Throws:
      IOException - during token refresh.
    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Method to refresh the access token according to the specific type of credentials.

      Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

      Returns:
      never
      Throws:
      IllegalStateException - always. OAuth2Credentials does not support refreshing the access token. An instance with a new access token or a derived type that supports refreshing should be used instead.
      IOException
    • getAdditionalHeaders

      protected Map<String,List<String>> getAdditionalHeaders()
      Provide additional headers to return as request metadata.
      Returns:
      additional headers
    • addChangeListener

      public final void addChangeListener(OAuth2Credentials.CredentialsChangedListener listener)
      Adds a listener that is notified when the Credentials data changes.

      This is called when token content changes, such as when the access token is refreshed. This is typically used by code caching the access token.

      Parameters:
      listener - the listener to be added
    • removeChangeListener

      public final void removeChangeListener(OAuth2Credentials.CredentialsChangedListener listener)
      Removes a listener that was added previously.
      Parameters:
      listener - The listener to be removed.
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • getRequestMetadataInternal

      @Nullable protected Map<String,List<String>> getRequestMetadataInternal()
    • toString

      public String toString()
      Returns a string representation of this credential, including request metadata and access token.

      Security Warning: The output of this method includes the request metadata which contains the raw Bearer access token, and the raw access token value. Do not log this output in production environments as it may expose sensitive credentials.

      Overrides:
      toString in class Object
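
      The warning above and the token-caching use of addChangeListener both call for a log-safe way to describe a credential. The following is an added example, not code from the library: the class name SafeCredentialLogging, the helpers describe and fingerprint, and the sample token value are assumptions made for illustration.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.OAuth2Credentials;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Date;

public final class SafeCredentialLogging {
  /** Log-safe summary (hypothetical helper): fingerprint and expiry, never the token. */
  static String describe(OAuth2Credentials credentials) {
    String type = credentials.getClass().getSimpleName();
    AccessToken token = credentials.getAccessToken();
    if (token == null) {
      return type + "{token=<none cached>}";
    }
    return type + "{tokenSha256Prefix=" + fingerprint(token.getTokenValue())
        + ", expires=" + token.getExpirationTime() + "}";
  }

  /** First 4 bytes of SHA-256, enough to correlate log lines without exposing the token. */
  static String fingerprint(String secret) {
    try {
      byte[] digest = MessageDigest.getInstance("SHA-256")
          .digest(secret.getBytes(StandardCharsets.UTF_8));
      StringBuilder hex = new StringBuilder();
      for (int i = 0; i < 4; i++) {
        hex.append(String.format("%02x", digest[i]));
      }
      return hex.toString();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 is required on every JVM", e);
    }
  }

  public static void main(String[] args) {
    // Constructed sample token; not a real credential.
    AccessToken sample = new AccessToken("constructed-sample-token",
        new Date(System.currentTimeMillis() + 3_600_000L));
    OAuth2Credentials credentials = OAuth2Credentials.create(sample);
    // Invoked when token content changes; log the summary, not toString().
    credentials.addChangeListener(changed ->
        System.out.println("token changed: " + describe(changed)));
    System.out.println(describe(credentials));
  }
}
```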
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class Object
    • newInstance

      protected static HttpTransportFactory newInstance(String className) throws IOException, ClassNotFoundException
      Best-effort safe mechanism to attempt to instantiate an HttpTransportFactory from a class name.

      This method attempts to avoid Arbitrary Code Execution (ACE) vulnerabilities by:

      1. Checking if the class name matches the default or ServiceLoader-provided factory, and returning that instance if so.
      2. If not, loading the class using reflection without running static initializers.
      3. Verifying that the loaded class is assignable to HttpTransportFactory.
      4. Only after verification, instantiating the class using its default constructor.
      Parameters:
      className - The fully qualified name of the class to instantiate.
      Returns:
      An instance of HttpTransportFactory.
      Throws:
      IOException - If the class cannot be loaded, is the wrong type, or cannot be instantiated.
      ClassNotFoundException - If the class cannot be found.
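
      The four steps listed above, written out as an added example (not the library's own implementation): TransportFactory is a hypothetical stand-in for HttpTransportFactory so the code runs without dependencies, and GoodFactory, NotAFactory and the system property name are constructed for the demonstration.

```java
import java.io.IOException;

public final class SafeFactoryLoading {
  /** Hypothetical stand-in for HttpTransportFactory. */
  public interface TransportFactory {}

  public static final class GoodFactory implements TransportFactory {}

  /** Constructed wrong-type class; its static initializer must never run. */
  public static final class NotAFactory {
    static { System.setProperty("example.static.init.ran", "true"); }
  }

  static TransportFactory load(String className, TransportFactory known)
      throws IOException, ClassNotFoundException {
    // Step 1: a name matching the already-trusted instance needs no reflection.
    if (known != null && known.getClass().getName().equals(className)) {
      return known;
    }
    // Step 2: initialize=false loads the class without running static initializers.
    Class<?> loaded =
        Class.forName(className, false, SafeFactoryLoading.class.getClassLoader());
    // Step 3: reject anything that is not the expected type before running its code.
    if (!TransportFactory.class.isAssignableFrom(loaded)) {
      throw new IOException(className + " is not a TransportFactory");
    }
    // Step 4: only now execute code from the class, via its default constructor.
    try {
      return loaded.asSubclass(TransportFactory.class).getDeclaredConstructor().newInstance();
    } catch (ReflectiveOperationException e) {
      throw new IOException("Cannot instantiate " + className, e);
    }
  }

  public static void main(String[] args) throws Exception {
    String base = SafeFactoryLoading.class.getName();
    System.out.println(load(base + "$GoodFactory", null).getClass().getSimpleName());
    try {
      load(base + "$NotAFactory", null);
      throw new AssertionError("wrong type was accepted");
    } catch (IOException expected) {
      System.out.println("rejected: " + expected.getMessage());
    }
    if (System.getProperty("example.static.init.ran") != null) {
      throw new AssertionError("static initializer ran for a rejected class");
    }
  }
}
```

      The ordering is what matters: with initialize set to true, or with newInstance called before the type check, code from an arbitrary named class would run before it could be rejected.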
    • getFromServiceLoader

      public static <T> T getFromServiceLoader(Class<? extends T> clazz, T defaultInstance)
      Returns the first service provider from the given service loader.
      Type Parameters:
      T - The type of the service provider.
      Parameters:
      clazz - The class of the service provider to load.
      defaultInstance - The default instance to return if no service providers are found.
      Returns:
      The first service provider from the service loader, or the defaultInstance if no service providers are found.
    • newBuilder

      public static OAuth2Credentials.Builder newBuilder()
    • toBuilder

      public OAuth2Credentials.Builder toBuilder()