google-auth-library

constructor

constructor(opts?: AuthClientOptions);

property credentials

credentials: Credentials;

property eagerRefreshThresholdMillis

eagerRefreshThresholdMillis: number;

property forceRefreshOnFailure

forceRefreshOnFailure: boolean;

property gaxios

readonly gaxios: any;

• Return the instance from the AuthClient.transporter.

property projectId

projectId?: string;

property quotaProjectId

quotaProjectId?: string;

• The quota project ID. The quota project can be used by client libraries for the billing purpose. See

property RETRY_CONFIG

static readonly RETRY_CONFIG: GaxiosOptions;

• Retry config for Auth-related requests.

  Remarks

  This is not a part of the default config as some downstream APIs would prefer if customers explicitly enable retries, such as GCS.

property transporter

transporter: Transporter;

property universeDomain

universeDomain: string;

method addSharedMetadataHeaders

protected addSharedMetadataHeaders: (headers: Headers) => Headers;

• Append additional headers, e.g., x-goog-user-project, shared across the classes inheriting AuthClient. This method should be used by any method that overrides getRequestMetadataAsync(), which is a shared helper for setting request information in both gRPC and HTTP API calls.

  Parameter headers

  object to append additional headers to.

method getAccessToken

abstract getAccessToken: () => Promise<{
    token?: string | null;
    res?: GaxiosResponse | null;
}>;

• A promise that resolves with the current GCP access token response. If the current credential is expired, a new one is retrieved.

method getRequestHeaders

abstract getRequestHeaders: (url?: string) => Promise<Headers>;

• The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

  The result has the form: { Authorization: 'Bearer <access_token_value>' }

  Parameter url

  The URI being authorized.

method request

abstract request: <T>(opts: GaxiosOptions) => GaxiosPromise<T>;

• Provides an alternative Gaxios request implementation with auth credentials

method setCredentials

setCredentials: (credentials: Credentials) => void;

• Sets the auth credentials.

constructor

constructor(
    options: AwsClientOptions | SnakeToCamelObject<AwsClientOptions>,
    additionalOptions?: AuthClientOptions
);

• Instantiates an AwsClient instance using the provided JSON object loaded from an external account credentials file. An error is thrown if the credential is not a valid AWS credential.

  Parameter options

  The external account options object typically loaded from the external account JSON credential file.

  Parameter additionalOptions

  **DEPRECATED, all options are available in the options parameter.** Optional additional behavior customization options. These currently customize expiration threshold time and whether to retry on 401/403 API request errors.

property AWS_EC2_METADATA_IPV4_ADDRESS

static AWS_EC2_METADATA_IPV4_ADDRESS: string;

• Deprecated

  AWS client no validates the EC2 metadata address.

property AWS_EC2_METADATA_IPV6_ADDRESS

static AWS_EC2_METADATA_IPV6_ADDRESS: string;

• Deprecated

  AWS client no validates the EC2 metadata address.

method retrieveSubjectToken

retrieveSubjectToken: () => Promise<string>;

• Triggered when an external subject token is needed to be exchanged for a GCP access token via GCP STS endpoint. This will call the AwsSecurityCredentialsSupplier to retrieve an AWS region and AWS Security Credentials, then use them to create a signed AWS STS request that can be exchanged for a GCP access token. A promise that resolves with the external subject token.

constructor

constructor(
    options:
        | BaseExternalAccountClientOptions
        | SnakeToCamelObject<BaseExternalAccountClientOptions>,
    additionalOptions?: AuthClientOptions
);

• Instantiate a BaseExternalAccountClient instance using the provided JSON object loaded from an external account credentials file.

  Parameter options

  The external account options object typically loaded from the external account JSON credential file. The camelCased options are aliases for the snake_cased options.

  Parameter additionalOptions

  **DEPRECATED, all options are available in the options parameter.** Optional additional behavior customization options. These currently customize expiration threshold time and whether to retry on 401/403 API request errors.

property audience

protected readonly audience: string;

property cloudResourceManagerURL

protected cloudResourceManagerURL: string | URL;

• Example 1

  new URL('https://cloudresourcemanager.googleapis.com/v1/projects/');

property credentialSourceType

protected credentialSourceType?: string;

property projectNumber

projectNumber: string;

property scopes

scopes?: string | string[];

• OAuth scopes for the GCP access token to use. When not provided, the default https://www.googleapis.com/auth/cloud-platform is used.

property subjectTokenType

protected readonly subjectTokenType: string;

property supplierContext

protected supplierContext: ExternalAccountSupplierContext;

method getAccessToken

getAccessToken: () => Promise<GetAccessTokenResponse>;

• A promise that resolves with the current GCP access token response. If the current credential is expired, a new one is retrieved.

method getProjectId

getProjectId: () => Promise<string | null>;

• A promise that resolves with the project ID corresponding to the current workload identity pool or current workforce pool if determinable. For workforce pool credential, it returns the project ID corresponding to the workforcePoolUserProject. This is introduced to match the current pattern of using the Auth library: const projectId = await auth.getProjectId(); const url = https://dns.googleapis.com/dns/v1/projects/${projectId}; const res = await client.request({ url }); The resource may not have permission (resourcemanager.projects.get) to call this API or the required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes

method getRequestHeaders

getRequestHeaders: () => Promise<Headers>;

• The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

  The result has the form: { Authorization: 'Bearer <access_token_value>' }

method getServiceAccountEmail

getServiceAccountEmail: () => string | null;

• The service account email to be impersonated, if available.

method refreshAccessTokenAsync

protected refreshAccessTokenAsync: () => Promise<CredentialsWithResponse>;

• Forces token refresh, even if unexpired tokens are currently cached. External credentials are exchanged for GCP access tokens via the token exchange endpoint and other settings provided in the client options object. If the service_account_impersonation_url is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed. A promise that resolves with the fresh GCP access tokens.

method request

request: {
    <T>(opts: GaxiosOptions): GaxiosPromise<T>;
    <T>(opts: GaxiosOptions, callback: BodyResponseCallback<T>): void;
};

• Provides a request implementation with OAuth 2.0 flow. In cases of HTTP 401 and 403 responses, it automatically asks for a new access token and replays the unsuccessful request.

  Parameter opts

  Request options.

  Parameter callback

  callback. A promise that resolves with the HTTP response when no callback is provided.

method requestAsync

protected requestAsync: <T>(
    opts: GaxiosOptions,
    reAuthRetried?: boolean
) => Promise<GaxiosResponse<T>>;

• Authenticates the provided HTTP request, processes it and resolves with the returned response.

  Parameter opts

  The HTTP request options.

  Parameter reAuthRetried

  Whether the current attempt is a retry after a failed attempt due to an auth failure. A promise that resolves with the successful response.

method retrieveSubjectToken

abstract retrieveSubjectToken: () => Promise<string>;

• Triggered when a external subject token is needed to be exchanged for a GCP access token via GCP STS endpoint. This abstract method needs to be implemented by subclasses depending on the type of external credential used. A promise that resolves with the external subject token.

method setCredentials

setCredentials: (credentials: Credentials) => void;

• Provides a mechanism to inject GCP access tokens directly. When the provided credential expires, a new credential, using the external account options, is retrieved.

  Parameter credentials

  The Credentials object to set on the current client.

constructor

constructor(options?: ComputeOptions);

• Google Compute Engine service account credentials.

  Retrieve access token from the metadata server. See: https://cloud.google.com/compute/docs/access/authenticate-workloads#applications

property scopes

scopes: string[];

property serviceAccountEmail

readonly serviceAccountEmail: string;

method fetchIdToken

fetchIdToken: (targetAudience: string) => Promise<string>;

• Fetches an ID token.

  Parameter targetAudience

  the audience for the fetched ID token.

method refreshTokenNoCache

protected refreshTokenNoCache: (
    refreshToken?: string | null
) => Promise<GetTokenResponse>;

• Refreshes the access token.

  Parameter refreshToken

  Unused parameter

method wrapError

protected wrapError: (e: GaxiosError) => void;

property defaults

defaults: GaxiosOptions;

property instance

instance: Gaxios;

• A configurable, replacable Gaxios instance.

property USER_AGENT

static readonly USER_AGENT: string;

• Default user agent.

method configure

configure: (opts?: GaxiosOptions) => GaxiosOptions;

• Configures request options before making a request.

  Parameter opts

  GaxiosOptions options. Configured options.

method request

request: <T>(opts: GaxiosOptions) => GaxiosPromise<T>;

• Makes a request using Gaxios with given options.

  Parameter opts

  GaxiosOptions options.

  Parameter callback

  optional callback that contains GaxiosResponse object. GaxiosPromise, assuming no callback is passed.

constructor

constructor(
    authClient: AuthClient,
    credentialAccessBoundary: CredentialAccessBoundary,
    additionalOptions?: AuthClientOptions,
    quotaProjectId?: string
);

• Instantiates a downscoped client object using the provided source AuthClient and credential access boundary rules. To downscope permissions of a source AuthClient, a Credential Access Boundary that specifies which resources the new credential can access, as well as an upper bound on the permissions that are available on each resource, has to be defined. A downscoped client can then be instantiated using the source AuthClient and the Credential Access Boundary.

  Parameter authClient

  The source AuthClient to be downscoped based on the provided Credential Access Boundary rules.

  Parameter credentialAccessBoundary

  The Credential Access Boundary which contains a list of access boundary rules. Each rule contains information on the resource that the rule applies to, the upper bound of the permissions that are available on that resource and an optional condition to further restrict permissions.

  Parameter additionalOptions

  **DEPRECATED, set this in the provided authClient.** Optional additional behavior customization options.

  Parameter quotaProjectId

  **DEPRECATED, set this in the provided authClient.** Optional quota project id for setting up in the x-goog-user-project header.

method getAccessToken

getAccessToken: () => Promise<DownscopedAccessTokenResponse>;

method getRequestHeaders

getRequestHeaders: () => Promise<Headers>;

• The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

  The result has the form: { Authorization: 'Bearer <access_token_value>' }

method refreshAccessTokenAsync

protected refreshAccessTokenAsync: () => Promise<CredentialsWithResponse>;

• Forces token refresh, even if unexpired tokens are currently cached. GCP access tokens are retrieved from authclient object/source credential. Then GCP access tokens are exchanged for downscoped access tokens via the token exchange endpoint. A promise that resolves with the fresh downscoped access token.

method request

request: {
    <T>(opts: GaxiosOptions): GaxiosPromise<T>;
    <T>(opts: GaxiosOptions, callback: BodyResponseCallback<T>): void;
};

• Provides a request implementation with OAuth 2.0 flow. In cases of HTTP 401 and 403 responses, it automatically asks for a new access token and replays the unsuccessful request.

  Parameter opts

  Request options.

  Parameter callback

  callback. A promise that resolves with the HTTP response when no callback is provided.

method requestAsync

protected requestAsync: <T>(
    opts: GaxiosOptions,
    reAuthRetried?: boolean
) => Promise<GaxiosResponse<T>>;

• Authenticates the provided HTTP request, processes it and resolves with the returned response.

  Parameter opts

  The HTTP request options.

  Parameter reAuthRetried

  Whether the current attempt is a retry after a failed attempt due to an auth failure A promise that resolves with the successful response.

method setCredentials

setCredentials: (credentials: Credentials) => void;

• Provides a mechanism to inject Downscoped access tokens directly. The expiry_date field is required to facilitate determination of the token expiration which would make it easier for the token consumer to handle.

  Parameter credentials

  The Credentials object to set on the current client.

constructor

constructor();

method fromJSON

static fromJSON: (
    options: ExternalAccountClientOptions,
    additionalOptions?: AuthClientOptions
) => BaseExternalAccountClient | null;

• This static method will instantiate the corresponding type of external account credential depending on the underlying credential source.

  Parameter options

  The external account options object typically loaded from the external account JSON credential file.

  Parameter additionalOptions

  **DEPRECATED, all options are available in the options parameter.** Optional additional behavior customization options. These currently customize expiration threshold time and whether to retry on 401/403 API request errors. A BaseExternalAccountClient instance or null if the options provided do not correspond to an external account credential.

constructor

constructor(opts?: GoogleAuthOptions<T>);

• Configuration is resolved in the following order of precedence: - - -

  are passed to the .

  Parameter opts

property cachedCredential

cachedCredential: T | JSONClient | Compute;

property defaultScopes

defaultScopes?: string | string[];

• Scopes populated by the client library by default. We differentiate between these and user defined scopes when deciding whether to use a self-signed JWT.

property defaultServicePath

defaultServicePath?: string;

property DefaultTransporter

static DefaultTransporter: typeof DefaultTransporter;

• Export DefaultTransporter as a static property of the class.

property isGCE

readonly isGCE: boolean;

property jsonContent

jsonContent: JWTInput | ExternalAccountClientOptions;

property transporter

transporter?: Transporter;

property useJWTAccessWithScope

useJWTAccessWithScope?: boolean;

method authorizeRequest

authorizeRequest: (opts: {
    url?: string;
    uri?: string;
    headers?: Headers;
}) => Promise<{
    url?: string | undefined;
    uri?: string | undefined;
    headers?: Headers | undefined;
}>;

• Obtain credentials for a request, then attach the appropriate headers to the request options.

  Parameter opts

  Axios or Request options on which to attach the headers

method fromAPIKey

fromAPIKey: (apiKey: string, options?: AuthClientOptions) => JWT;

• Create a credentials instance using the given API key string.

  Parameter apiKey

  The API key string

  Parameter options

  An optional options object.

  Returns

  A JWT loaded from the key

method fromImpersonatedJSON

fromImpersonatedJSON: (json: ImpersonatedJWTInput) => Impersonated;

• Create a credentials instance using a given impersonated input options.

  Parameter json

  The impersonated input object.

  Returns

  JWT or UserRefresh Client with data

method fromJSON

fromJSON: (
    json: JWTInput | ImpersonatedJWTInput,
    options?: AuthClientOptions
) => JSONClient;

• Create a credentials instance using the given input options.

  Parameter json

  The input object.

  Parameter options

  The JWT or UserRefresh options for the client

  Returns

  JWT or UserRefresh Client with data

method fromStream

fromStream: {
    (inputStream: stream.Readable): Promise<JSONClient>;
    (inputStream: stream.Readable, callback: CredentialCallback): void;
    (
        inputStream: stream.Readable,
        options: AuthClientOptions
    ): Promise<JSONClient>;
    (
        inputStream: stream.Readable,
        options: AuthClientOptions,
        callback: CredentialCallback
    ): void;
};

• Create a credentials instance using the given input stream.

  Parameter inputStream

  The input stream.

  Parameter callback

  Optional callback.

method getAccessToken

getAccessToken: () => Promise<string | null | undefined>;

• Automatically obtain application default credentials, and return an access token for making requests.

method getApplicationDefault

getApplicationDefault: {
    (): Promise<ADCResponse>;
    (callback: ADCCallback): void;
    (options: AuthClientOptions): Promise<ADCResponse>;
    (options: AuthClientOptions, callback: ADCCallback): void;
};

• Obtains the default service-level credentials for the application.

  Parameter callback

  Optional callback.

  Returns

  Promise that resolves with the ADCResponse (if no callback was passed).

method getClient

getClient: () => Promise<Compute | JSONClient | T>;

• Automatically obtain an based on the provided configuration. If no options were passed, use Application Default Credentials.

method getCredentials

getCredentials: {
    (): Promise<CredentialBody>;
    (callback: (err: Error, credentials?: CredentialBody) => void): void;
};

• The callback function handles a credential object that contains the client_email and private_key (if exists). getCredentials first checks if the client is using an external account and uses the service account email in place of client_email. If that doesn't exist, it checks for these values from the user JSON. If the user JSON doesn't exist, and the environment is on GCE, it gets the client_email from the cloud metadata server.

  Parameter callback

  Callback that handles the credential object that contains a client_email and optional private key, or the error. returned

method getEnv

getEnv: () => Promise<GCPEnv>;

• Determine the compute environment in which the code is running.

method getIdTokenClient

getIdTokenClient: (targetAudience: string) => Promise<IdTokenClient>;

• Creates a client which will fetch an ID token for authorization.

  Parameter targetAudience

  the audience for the fetched ID token.

  Returns

  IdTokenClient for making HTTP calls authenticated with ID tokens.

method getProjectId

getProjectId: { (): Promise<string>; (callback: ProjectIdCallback): void };

• Obtains the default project ID for the application.

  Retrieves in the following order of precedence: - The projectId provided in this object's construction - GCLOUD_PROJECT or GOOGLE_CLOUD_PROJECT environment variable - GOOGLE_APPLICATION_CREDENTIALS JSON file - Cloud SDK: gcloud config config-helper --format json - GCE project ID from metadata server

method getRequestHeaders

getRequestHeaders: (url?: string) => Promise<Headers>;

• Obtain the HTTP headers that will provide authorization for a given request.

method getUniverseDomain

getUniverseDomain: () => Promise<string>;

• Retrieves, caches, and returns the universe domain in the following order of precedence: - The universe domain in GoogleAuth.clientOptions - An existing or ADC AuthClient's universe domain - gcpMetadata.universe, if Compute client

  Returns

  The universe domain

method getUniverseDomainFromMetadataServer

getUniverseDomainFromMetadataServer: () => Promise<string>;

• Retrieves a universe domain from the metadata server via gcpMetadata.universe.

  Returns

  a universe domain

method request

request: <T = any>(opts: GaxiosOptions) => Promise<GaxiosResponse<T>>;

• Automatically obtain application default credentials, and make an HTTP request using the given options.

  Parameter opts

  Axios request options for the HTTP request.

method setGapicJWTValues

setGapicJWTValues: (client: JWT) => void;

method sign

sign: (data: string, endpoint?: string) => Promise<string>;

• Sign the given data with the current private key, or go out to the IAM API to sign it.

  Parameter data

  The data to be signed.

  Parameter endpoint

  A custom endpoint to use.

  Example 1

  sign('data', 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/');

constructor

constructor(selector: string, token: string);

• IAM credentials.

  Parameter selector

  the iam authority selector

  Parameter token

  the token

property selector

selector: string;

property token

token: string;

method getRequestHeaders

getRequestHeaders: () => {
    'x-goog-iam-authority-selector': string;
    'x-goog-iam-authorization-token': string;
};

• Acquire the HTTP headers required to make an authenticated request.

constructor

constructor(
    options:
        | IdentityPoolClientOptions
        | SnakeToCamelObject<IdentityPoolClientOptions>,
    additionalOptions?: AuthClientOptions
);

• Instantiate an IdentityPoolClient instance using the provided JSON object loaded from an external account credentials file. An error is thrown if the credential is not a valid file-sourced or url-sourced credential or a workforce pool user project is provided with a non workforce audience.

  Parameter options

  The external account options object typically loaded from the external account JSON credential file. The camelCased options are aliases for the snake_cased options.

  Parameter additionalOptions

  **DEPRECATED, all options are available in the options parameter.** Optional additional behavior customization options. These currently customize expiration threshold time and whether to retry on 401/403 API request errors.

method retrieveSubjectToken

retrieveSubjectToken: () => Promise<string>;

• Triggered when a external subject token is needed to be exchanged for a GCP access token via GCP STS endpoint. Gets a subject token by calling the configured SubjectTokenSupplier A promise that resolves with the external subject token.

constructor

constructor(options: IdTokenOptions);

• Google ID Token client

  Retrieve ID token from the metadata server. See: https://cloud.google.com/docs/authentication/get-id-token#metadata-server

property idTokenProvider

idTokenProvider: IdTokenProvider;

property targetAudience

targetAudience: string;

method getRequestMetadataAsync

protected getRequestMetadataAsync: (
    url?: string | null
) => Promise<RequestMetadataResponse>;

constructor

constructor(options?: ImpersonatedOptions);

• Impersonated service account credentials.

  Create a new access token by impersonating another service account.

  Impersonated Credentials allowing credentials issued to a user or service account to impersonate another. The source project using Impersonated Credentials must enable the "IAMCredentials" API. Also, the target service account must grant the orginating principal the "Service Account Token Creator" IAM role.

  Parameter options

  The configuration object.

  Parameter

  {object} [options.sourceClient] the source credential used as to acquire the impersonated credentials.

  Parameter

  {string} [options.targetPrincipal] the service account to impersonate.

  Parameter

  {string[]} [options.delegates] the chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.

  Parameter

  {string[]} [options.targetScopes] scopes to request during the authorization grant.

  Parameter

  {number} [options.lifetime] number of seconds the delegated credential should be valid for up to 3600 seconds by default, or 43,200 seconds by extending the token's lifetime, see: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth

  Parameter

  {string} [options.endpoint] api endpoint override.

method fetchIdToken

fetchIdToken: (
    targetAudience: string,
    options?: FetchIdTokenOptions
) => Promise<string>;

• Generates an OpenID Connect ID token for a service account.

  Parameter targetAudience

  the audience for the fetched ID token.

  Parameter options

  the for the request an OpenID Connect ID token

method getTargetPrincipal

getTargetPrincipal: () => string;

• The service account email to be impersonated.

method refreshToken

protected refreshToken: () => Promise<GetTokenResponse>;

• Refreshes the access token.

method sign

sign: (blobToSign: string) => Promise<SignBlobResponse>;

• Signs some bytes.

  Parameter blobToSign

  String to sign. denoting the keyyID and signedBlob in base64 string

constructor

constructor(options: JWTOptions);

• JWT service account credentials.

  Retrieve access token using gtoken.

  Parameter email

  service account email address.

  Parameter keyFile

  path to private key file.

  Parameter key

  value of key

  Parameter scopes

  list of requested scopes or a single scope.

  Parameter subject

  impersonated account's email address.

  Parameter key_id

  the ID of the key

constructor

constructor(
    email?: string,
    keyFile?: string,
    key?: string,
    scopes?: string | string[],
    subject?: string,
    keyId?: string
);

property additionalClaims

additionalClaims?: {};

property defaultScopes

defaultScopes?: string | string[];

property defaultServicePath

defaultServicePath?: string;

property email

email?: string;

property gtoken

gtoken?: GoogleToken;

property key

key?: string;

property keyFile

keyFile?: string;

property keyId

keyId?: string;

property scope

scope?: string;

property scopes

scopes?: string | string[];

property subject

subject?: string;

property useJWTAccessWithScope

useJWTAccessWithScope?: boolean;

method authorize

authorize: {
    (): Promise<Credentials>;
    (callback: (err: Error, result?: Credentials) => void): void;
};

• Get the initial access token using gToken.

  Parameter callback

  Optional callback.

  Returns

  Promise that resolves with credentials

method createScoped

createScoped: (scopes?: string | string[]) => JWT;

• Creates a copy of the credential with the specified scopes.

  Parameter scopes

  List of requested scopes or a single scope. The cloned instance.

method fetchIdToken

fetchIdToken: (targetAudience: string) => Promise<string>;

• Fetches an ID token.

  Parameter targetAudience

  the audience for the fetched ID token.

method fromAPIKey

fromAPIKey: (apiKey: string) => void;

• Creates a JWT credentials instance using an API Key for authentication.

  Parameter apiKey

  The API Key in string form.

method fromJSON

fromJSON: (json: JWTInput) => void;

• Create a JWT credentials instance using the given input options.

  Parameter json

  The input object.

method fromStream

fromStream: {
    (inputStream: stream.Readable): Promise<void>;
    (inputStream: stream.Readable, callback: (err?: Error) => void): void;
};

• Create a JWT credentials instance using the given input stream.

  Parameter inputStream

  The input stream.

  Parameter callback

  Optional callback.

method getCredentials

getCredentials: () => Promise<CredentialBody>;

• Using the key or keyFile on the JWT client, obtain an object that contains the key and the client email.

method getRequestMetadataAsync

protected getRequestMetadataAsync: (
    url?: string | null
) => Promise<RequestMetadataResponse>;

• Obtains the metadata to be sent with the request.

  Parameter url

  the URI being authorized.

method refreshTokenNoCache

protected refreshTokenNoCache: (
    refreshToken?: string | null
) => Promise<GetTokenResponse>;

• Refreshes the access token.

  Parameter refreshToken

  ignored

constructor

constructor(
    email?: string,
    key?: string,
    keyId?: string,
    eagerRefreshThresholdMillis?: number
);

• JWTAccess service account credentials.

  Create a new access token by using the credential to create a new JWT token that's recognized as the access token.

  Parameter email

  the service account email address.

  Parameter key

  the private key that will be used to sign the token.

  Parameter keyId

  the ID of the private key used to sign the token.

property eagerRefreshThresholdMillis

eagerRefreshThresholdMillis: number;

property email

email?: string;

property key

key?: string;

property keyId

keyId?: string;

property projectId

projectId?: string;

method fromJSON

fromJSON: (json: JWTInput) => void;

• Create a JWTAccess credentials instance using the given input options.

  Parameter json

  The input object.

method fromStream

fromStream: {
    (inputStream: stream.Readable): Promise<void>;
    (inputStream: stream.Readable, callback: (err?: Error) => void): void;
};

• Create a JWTAccess credentials instance using the given input stream.

  Parameter inputStream

  The input stream.

  Parameter callback

  Optional callback.

method getCachedKey

getCachedKey: (url?: string, scopes?: string | string[]) => string;

• Ensures that we're caching a key appropriately, giving precedence to scopes vs. url

  Parameter url

  The URI being authorized.

  Parameter scopes

  The scope or scopes being authorized

  Returns

  A string that returns the cached key.

method getRequestHeaders

getRequestHeaders: (
    url?: string,
    additionalClaims?: Claims,
    scopes?: string | string[]
) => Headers;

• Get a non-expired access token, after refreshing if necessary.

  Parameter url

  The URI being authorized.

  Parameter additionalClaims

  An object with a set of additional claims to include in the payload.

  Returns

  An object that includes the authorization header.

constructor

constructor(env?: string, pay?: TokenPayload);

• Create a simple class to extract user ID from an ID Token

  Parameter env

  Envelope of the jwt

  Parameter pay

  Payload of the jwt

method getAttributes

getAttributes: () => {
    envelope: string | undefined;
    payload: TokenPayload | undefined;
};

• Returns attributes from the login ticket. This can contain various information about the user session.

  The envelope and payload

method getEnvelope

getEnvelope: () => string | undefined;

method getPayload

getPayload: () => TokenPayload | undefined;

method getUserId

getUserId: () => string | null;

• Create a simple class to extract user ID from an ID Token

  The user ID

constructor

constructor(options?: OAuth2ClientOptions);

• Handles OAuth2 flow for Google APIs.

  Parameter clientId

  The authentication client ID.

  Parameter clientSecret

  The authentication client secret.

  Parameter redirectUri

  The URI to redirect to after completing the auth request.

  Parameter opts

  optional options for overriding the given parameters.

constructor

constructor(clientId?: string, clientSecret?: string, redirectUri?: string);

property apiKey

apiKey?: string;

property endpoints

readonly endpoints: Readonly<OAuth2ClientEndpoints>;

property GOOGLE_TOKEN_INFO_URL

protected static readonly GOOGLE_TOKEN_INFO_URL: string;

• Deprecated

  use instance's OAuth2Client.endpoints

property issuers

readonly issuers: string[];

property refreshHandler

refreshHandler?: GetRefreshHandlerCallback;

property refreshTokenPromises

protected refreshTokenPromises: Map<string, Promise<GetTokenResponse>>;

method generateAuthUrl

generateAuthUrl: (opts?: GenerateAuthUrlOpts) => string;

• Generates URL for consent page landing.

  Parameter opts

  Options. URL to consent page.

method generateCodeVerifier

generateCodeVerifier: () => void;

method generateCodeVerifierAsync

generateCodeVerifierAsync: () => Promise<CodeVerifierResults>;

• Convenience method to automatically generate a code_verifier, and its resulting SHA256. If used, this must be paired with a S256 code_challenge_method.

  For a full example see: https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js

method getAccessToken

getAccessToken: {
    (): Promise<GetAccessTokenResponse>;
    (callback: GetAccessTokenCallback): void;
};

• Get a non-expired access token, after refreshing if necessary

  Parameter callback

  Callback to call with the access token

method getFederatedSignonCerts

getFederatedSignonCerts: {
    (): Promise<FederatedSignonCertsResponse>;
    (callback: GetFederatedSignonCertsCallback): void;
};

• Gets federated sign-on certificates to use for verifying identity tokens. Returns certs as array structure, where keys are key ids, and values are certificates in either PEM or JWK format.

  Parameter callback

  Callback supplying the certificates

method getFederatedSignonCertsAsync

getFederatedSignonCertsAsync: () => Promise<FederatedSignonCertsResponse>;

method getIapPublicKeys

getIapPublicKeys: {
    (): Promise<IapPublicKeysResponse>;
    (callback: GetIapPublicKeysCallback): void;
};

• Gets federated sign-on certificates to use for verifying identity tokens. Returns certs as array structure, where keys are key ids, and values are certificates in either PEM or JWK format.

  Parameter callback

  Callback supplying the certificates

method getIapPublicKeysAsync

getIapPublicKeysAsync: () => Promise<IapPublicKeysResponse>;

method getRequestHeaders

getRequestHeaders: (url?: string) => Promise<Headers>;

• The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

  In OAuth2Client, the result has the form: { Authorization: 'Bearer <access_token_value>' }

  Parameter url

  The optional url being authorized

method getRequestMetadataAsync

protected getRequestMetadataAsync: (
    url?: string | URL | null
) => Promise<RequestMetadataResponse>;

method getRevokeTokenUrl

static getRevokeTokenUrl: (token: string) => string;

• Generates an URL to revoke the given token.

  Parameter token

  The existing token to be revoked.

  Deprecated

  use instance method OAuth2Client.getRevokeTokenURL

method getRevokeTokenURL

getRevokeTokenURL: (token: string) => URL;

• Generates a URL to revoke the given token.

  Parameter token

  The existing token to be revoked.

method getToken

getToken: {
    (code: string): Promise<GetTokenResponse>;
    (options: GetTokenOptions): Promise<GetTokenResponse>;
    (code: string, callback: GetTokenCallback): void;
    (options: GetTokenOptions, callback: GetTokenCallback): void;
};

• Gets the access token for the given code.

  Parameter code

  The authorization code.

  Parameter callback

  Optional callback fn.

method getTokenInfo

getTokenInfo: (accessToken: string) => Promise<TokenInfo>;

• Obtains information about the provisioned access token. Especially useful if you want to check the scopes that were provisioned to a given token.

  Parameter accessToken

  Required. The Access Token for which you want to get user info.

method isTokenExpiring

protected isTokenExpiring: () => boolean;

• Returns true if a token is expired or will expire within eagerRefreshThresholdMillismilliseconds. If there is no expiry time, assumes the token is not expired or expiring.

method refreshAccessToken

refreshAccessToken: {
    (): Promise<RefreshAccessTokenResponse>;
    (callback: RefreshAccessTokenCallback): void;
};

• Retrieves the access token using refresh token

  Parameter callback

  callback

method refreshToken

protected refreshToken: (
    refreshToken?: string | null
) => Promise<GetTokenResponse>;

• Refreshes the access token.

  Parameter refresh_token

  Existing refresh token.

method refreshTokenNoCache

protected refreshTokenNoCache: (
    refreshToken?: string | null
) => Promise<GetTokenResponse>;

method request

request: {
    <T>(opts: GaxiosOptions): GaxiosPromise<T>;
    <T>(opts: GaxiosOptions, callback: BodyResponseCallback<T>): void;
};

• Provides a request implementation with OAuth 2.0 flow. If credentials have a refresh_token, in cases of HTTP 401 and 403 responses, it automatically asks for a new access token and replays the unsuccessful request.

  Parameter opts

  Request options.

  Parameter callback

  callback. Request object

method requestAsync

protected requestAsync: <T>(
    opts: GaxiosOptions,
    reAuthRetried?: boolean
) => Promise<GaxiosResponse<T>>;

method revokeCredentials

revokeCredentials: {
    (): GaxiosPromise<RevokeCredentialsResult>;
    (callback: BodyResponseCallback<RevokeCredentialsResult>): void;
};

• Revokes access token and clears the credentials object

  Parameter callback

  callback

method revokeToken

revokeToken: {
    (token: string): GaxiosPromise<RevokeCredentialsResult>;
    (
        token: string,
        callback: BodyResponseCallback<RevokeCredentialsResult>
    ): void;
};

• Revokes the access given to token.

  Parameter token

  The existing token to be revoked.

  Parameter callback

  Optional callback fn.

method verifyIdToken

verifyIdToken: {
    (options: VerifyIdTokenOptions): Promise<LoginTicket>;
    (
        options: VerifyIdTokenOptions,
        callback: (err: Error, login?: LoginTicket) => void
    ): void;
};

• Verify id token is token by checking the certs and audience

  Parameter options

  that contains all options.

  Parameter callback

  Callback supplying GoogleLogin if successful

method verifySignedJwtWithCerts

verifySignedJwtWithCerts: () => void;

method verifySignedJwtWithCertsAsync

verifySignedJwtWithCertsAsync: (
    jwt: string,
    certs: Certificates | PublicKeys,
    requiredAudience?: string | string[],
    issuers?: string[],
    maxExpiry?: number
) => Promise<LoginTicket>;

• Verify the id token is signed with the correct certificate and is from the correct audience.

  Parameter jwt

  The jwt to verify (The ID Token in this case).

  Parameter certs

  The array of certs to test the jwt against.

  Parameter requiredAudience

  The audience to test the jwt against.

  Parameter issuers

  The allowed issuers of the jwt (Optional).

  Parameter maxExpiry

  The max expiry the certificate can be (Optional). Returns a promise resolving to LoginTicket on verification.

method getAccessToken

getAccessToken: () => Promise<GetAccessTokenResponse>;

• A required method of the base class. Always will return an empty object.

  Returns

  {}

method getRequestHeaders

getRequestHeaders: () => Promise<Headers>;

• A required method of the base class. Always will return an empty object.

  Returns

  {}

method request

request: <T>(opts: GaxiosOptions) => Promise<import('gaxios').GaxiosResponse<T>>;

• Creates a request without any authentication headers or checks.

  Parameter opts

  Returns

  The response of the request.

  Remarks

  In testing environments it may be useful to change the provided AuthClient.transporter for any desired request overrides/handling.

constructor

constructor(
    options: PluggableAuthClientOptions,
    additionalOptions?: AuthClientOptions
);

• Instantiates a PluggableAuthClient instance using the provided JSON object loaded from an external account credentials file. An error is thrown if the credential is not a valid pluggable auth credential.

  Parameter options

  The external account options object typically loaded from the external account JSON credential file.

  Parameter additionalOptions

  **DEPRECATED, all options are available in the options parameter.** Optional additional behavior customization options. These currently customize expiration threshold time and whether to retry on 401/403 API request errors.

method retrieveSubjectToken

retrieveSubjectToken: () => Promise<string>;

• Triggered when an external subject token is needed to be exchanged for a GCP access token via GCP STS endpoint. This uses the options.credential_source object to figure out how to retrieve the token using the current environment. In this case, this calls a user provided executable which returns the subject token. The logic is summarized as: 1. Validated that the executable is allowed to run. The GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment must be set to 1 for security reasons. 2. If an output file is specified by the user, check the file location for a response. If the file exists and contains a valid response, return the subject token from the file. 3. Call the provided executable and return response. A promise that resolves with the external subject token.

constructor

constructor(clientId?: string, clientSecret?: string, refreshToken?: string);

• User Refresh Token credentials.

  Parameter clientId

  The authentication client ID.

  Parameter clientSecret

  The authentication client secret.

  Parameter refreshToken

  The authentication refresh token.