...

Package google

import "golang.org/x/oauth2/google"
Overview
Index
Examples
Subdirectories

Overview ▾

Package google provides support for making OAuth2 authorized and authenticated HTTP requests to Google APIs. It supports the Web server flow, client-side credentials, service accounts, Google Compute Engine service accounts, Google App Engine service accounts and workload identity federation from non-Google cloud platforms.

A brief overview of the package follows. For more information, please read https://developers.google.com/accounts/docs/OAuth2 and https://developers.google.com/accounts/docs/application-default-credentials. For more information on using workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation.

OAuth2 Configs

Two functions in this package return golang.org/x/oauth2.Config values from Google credential data. Google supports two JSON formats for OAuth2 credentials: one is handled by ConfigFromJSON, the other by JWTConfigFromJSON. The returned Config can be used to obtain a TokenSource or create an http.Client.

Workload and Workforce Identity Federation

For information on how to use Workload and Workforce Identity Federation, see golang.org/x/oauth2/google/externalaccount.

Credentials

The Credentials type represents Google credentials, including Application Default Credentials.

Use FindDefaultCredentials to obtain Application Default Credentials. FindDefaultCredentials looks in some well-known places for a credentials file, and will call AppEngineTokenSource or ComputeTokenSource as needed.

Application Default Credentials also support workload identity federation to access Google Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally.

DefaultClient and DefaultTokenSource are convenience methods. They first call FindDefaultCredentials, then use the credentials to construct an http.Client or an oauth2.TokenSource.

Use CredentialsFromJSON to obtain credentials from either of the two JSON formats described in OAuth2 Configs, above. The TokenSource in the returned value is the same as the one obtained from the oauth2.Config returned from ConfigFromJSON or JWTConfigFromJSON, but the Credentials may contain additional information that is useful is some circumstances.

Example (ServiceAccount)

Code:

// Your credentials should be obtained from the Google
// Developer Console (https://console.developers.google.com).
conf := &jwt.Config{
    Email: "xxx@developer.gserviceaccount.com",
    // The contents of your RSA private key or your PEM file
    // that contains a private key.
    // If you have a p12 file instead, you
    // can use `openssl` to export the private key into a pem file.
    //
    //    $ openssl pkcs12 -in key.p12 -passin pass:notasecret -out key.pem -nodes
    //
    // The field only supports PEM containers with no passphrase.
    // The openssl command will convert p12 keys to passphrase-less PEM containers.
    PrivateKey: []byte("-----BEGIN RSA PRIVATE KEY-----..."),
    Scopes: []string{
        "https://www.googleapis.com/auth/bigquery",
        "https://www.googleapis.com/auth/blogger",
    },
    TokenURL: google.JWTTokenURL,
    // If you would like to impersonate a user, you can
    // create a transport with a subject. The following GET
    // request will be made on the behalf of user@example.com.
    // Optional.
    Subject: "user@example.com",
}
// Initiate an http.Client, the following GET request will be
// authorized and authenticated on the behalf of user@example.com.
client := conf.Client(oauth2.NoContext)
client.Get("...")

Example (WebServer)

Code:

// Your credentials should be obtained from the Google
// Developer Console (https://console.developers.google.com).
conf := &oauth2.Config{
    ClientID:     "YOUR_CLIENT_ID",
    ClientSecret: "YOUR_CLIENT_SECRET",
    RedirectURL:  "YOUR_REDIRECT_URL",
    Scopes: []string{
        "https://www.googleapis.com/auth/bigquery",
        "https://www.googleapis.com/auth/blogger",
    },
    Endpoint: google.Endpoint,
}
// Redirect user to Google's consent page to ask for permission
// for the scopes specified above.
url := conf.AuthCodeURL("state")
fmt.Printf("Visit the URL for the auth dialog: %v", url)

// Handle the exchange code to initiate a transport.
tok, err := conf.Exchange(oauth2.NoContext, "authorization-code")
if err != nil {
    log.Fatal(err)
}
client := conf.Client(oauth2.NoContext, tok)
client.Get("...")

Index ▾

Constants
Variables
func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource
func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource
func ConfigFromJSON(jsonKey []byte, scope ...string) (*oauth2.Config, error)
func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error)
func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error)
func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.TokenSource, error)
func JWTAccessTokenSourceWithScope(jsonKey []byte, scope ...string) (oauth2.TokenSource, error)
func JWTConfigFromJSON(jsonKey []byte, scope ...string) (*jwt.Config, error)
type AuthenticationError
    func (e *AuthenticationError) Error() string
    func (e *AuthenticationError) Temporary() bool
    func (e *AuthenticationError) Unwrap() error
type Credentials
    func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error)
    func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params CredentialsParams) (*Credentials, error)
    func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error)
    func FindDefaultCredentialsWithParams(ctx context.Context, params CredentialsParams) (*Credentials, error)
    func (c *Credentials) GetUniverseDomain() (string, error)
    func (c *Credentials) UniverseDomain() string
type CredentialsParams
type DefaultCredentials
type SDKConfig
    func NewSDKConfig(account string) (*SDKConfig, error)
    func (c *SDKConfig) Client(ctx context.Context) *http.Client
    func (c *SDKConfig) Scopes() []string
    func (c *SDKConfig) TokenSource(ctx context.Context) oauth2.TokenSource

Package files

appengine.go default.go doc.go error.go google.go jwt.go sdk.go

Constants

JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow. 

const JWTTokenURL = "https://oauth2.googleapis.com/token"

MTLSTokenURL is Google's OAuth 2.0 default mTLS endpoint. 

const MTLSTokenURL = "https://oauth2.mtls.googleapis.com/token"

Variables

Endpoint is Google's OAuth 2.0 default endpoint. 

var Endpoint = oauth2.Endpoint{
    AuthURL:       "https://accounts.google.com/o/oauth2/auth",
    TokenURL:      "https://oauth2.googleapis.com/token",
    DeviceAuthURL: "https://oauth2.googleapis.com/device/code",
    AuthStyle:     oauth2.AuthStyleInParams,
}

func AppEngineTokenSource 

func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource

AppEngineTokenSource returns a token source that fetches tokens from either the current application's service account or from the metadata server, depending on the App Engine environment. See below for environment-specific details. If you are implementing a 3-legged OAuth 2.0 flow on App Engine that involves user accounts, see oauth2.Config instead.

The current version of this library requires at least Go 1.17 to build, so first generation App Engine runtimes (<= Go 1.9) are unsupported. Previously, on first generation App Engine runtimes, AppEngineTokenSource returned a token source that fetches tokens issued to the current App Engine application's service account. The provided context must have come from appengine.NewContext.

Second generation App Engine runtimes (>= Go 1.11) and App Engine flexible: AppEngineTokenSource is DEPRECATED on second generation runtimes and on the flexible environment. It delegates to ComputeTokenSource, and the provided context and scopes are not used. Please use DefaultTokenSource (or ComputeTokenSource, which DefaultTokenSource will use in this case) instead.

func ComputeTokenSource 

func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource

ComputeTokenSource returns a token source that fetches access tokens from Google Compute Engine (GCE)'s metadata server. It's only valid to use this token source if your program is running on a GCE instance. If no account is specified, "default" is used. If no scopes are specified, a set of default scopes are automatically granted. Further information about retrieving access tokens from the GCE metadata server can be found at https://cloud.google.com/compute/docs/authentication.

Example

Code:

client := &http.Client{
    Transport: &oauth2.Transport{
        // Fetch from Google Compute Engine's metadata server to retrieve
        // an access token for the provided account.
        // If no account is specified, "default" is used.
        // If no scopes are specified, a set of default scopes
        // are automatically granted.
        Source: google.ComputeTokenSource("", "https://www.googleapis.com/auth/bigquery"),
    },
}
client.Get("...")

func ConfigFromJSON 

func ConfigFromJSON(jsonKey []byte, scope ...string) (*oauth2.Config, error)

ConfigFromJSON uses a Google Developers Console client_credentials.json file to construct a config. client_credentials.json can be downloaded from https://console.developers.google.com, under "Credentials". Download the Web application credentials in the JSON format and provide the contents of the file as jsonKey.

func DefaultClient 

func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error)

DefaultClient returns an HTTP Client that uses the DefaultTokenSource to obtain authentication credentials.

Example

Code:

client, err := google.DefaultClient(oauth2.NoContext,
    "https://www.googleapis.com/auth/devstorage.full_control")
if err != nil {
    log.Fatal(err)
}
client.Get("...")

func DefaultTokenSource 

func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error)

DefaultTokenSource returns the token source for "Application Default Credentials". It is a shortcut for FindDefaultCredentials(ctx, scope).TokenSource.

func JWTAccessTokenSourceFromJSON 

func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.TokenSource, error)

JWTAccessTokenSourceFromJSON uses a Google Developers service account JSON key file to read the credentials that authorize and authenticate the requests, and returns a TokenSource that does not use any OAuth2 flow but instead creates a JWT and sends that as the access token. The audience is typically a URL that specifies the scope of the credentials.

Note that this is not a standard OAuth flow, but rather an optimization supported by a few Google services. Unless you know otherwise, you should use JWTConfigFromJSON instead.

func JWTAccessTokenSourceWithScope 

func JWTAccessTokenSourceWithScope(jsonKey []byte, scope ...string) (oauth2.TokenSource, error)

JWTAccessTokenSourceWithScope uses a Google Developers service account JSON key file to read the credentials that authorize and authenticate the requests, and returns a TokenSource that does not use any OAuth2 flow but instead creates a JWT and sends that as the access token. The scope is typically a list of URLs that specifies the scope of the credentials.

Note that this is not a standard OAuth flow, but rather an optimization supported by a few Google services. Unless you know otherwise, you should use JWTConfigFromJSON instead.

func JWTConfigFromJSON 

func JWTConfigFromJSON(jsonKey []byte, scope ...string) (*jwt.Config, error)

JWTConfigFromJSON uses a Google Developers service account JSON key file to read the credentials that authorize and authenticate the requests. Create a service account on "Credentials" for your project at https://console.developers.google.com to download a JSON key file.

Example

Code:

// Your credentials should be obtained from the Google
// Developer Console (https://console.developers.google.com).
// Navigate to your project, then see the "Credentials" page
// under "APIs & Auth".
// To create a service account client, click "Create new Client ID",
// select "Service Account", and click "Create Client ID". A JSON
// key file will then be downloaded to your computer.
data, err := ioutil.ReadFile("/path/to/your-project-key.json")
if err != nil {
    log.Fatal(err)
}
conf, err := google.JWTConfigFromJSON(data, "https://www.googleapis.com/auth/bigquery")
if err != nil {
    log.Fatal(err)
}
// Initiate an http.Client. The following GET request will be
// authorized and authenticated on the behalf of
// your service account.
client := conf.Client(oauth2.NoContext)
client.Get("...")

type AuthenticationError

AuthenticationError indicates there was an error in the authentication flow.

Use (*AuthenticationError).Temporary to check if the error can be retried. 

type AuthenticationError struct {
    // contains filtered or unexported fields
}

func (*AuthenticationError) Error 

func (e *AuthenticationError) Error() string

func (*AuthenticationError) Temporary 

func (e *AuthenticationError) Temporary() bool

Temporary indicates that the network error has one of the following status codes and may be retried: 500, 503, 408, or 429.

func (*AuthenticationError) Unwrap 

func (e *AuthenticationError) Unwrap() error

type Credentials

Credentials holds Google credentials, including "Application Default Credentials". For more details, see: https://developers.google.com/accounts/docs/application-default-credentials Credentials from external accounts (workload identity federation) are used to identify a particular application from an on-prem or non-Google Cloud platform including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). 

type Credentials struct {
    ProjectID   string // may be empty
    TokenSource oauth2.TokenSource

    // JSON contains the raw bytes from a JSON credentials file.
    // This field may be nil if authentication is provided by the
    // environment and not with a credentials file, e.g. when code is
    // running on Google Cloud Platform.
    JSON []byte

    // UniverseDomainProvider returns the default service domain for a given
    // Cloud universe. Optional.
    //
    // On GCE, UniverseDomainProvider should return the universe domain value
    // from Google Compute Engine (GCE)'s metadata server. See also [The attached service
    // account](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa).
    // If the GCE metadata server returns a 404 error, the default universe
    // domain value should be returned. If the GCE metadata server returns an
    // error other than 404, the error should be returned.
    UniverseDomainProvider func() (string, error)
    // contains filtered or unexported fields
}

func CredentialsFromJSON 

func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error)

CredentialsFromJSON invokes CredentialsFromJSONWithParams with the specified scopes.

Example

Code:

ctx := context.Background()
data, err := ioutil.ReadFile("/path/to/key-file.json")
if err != nil {
    log.Fatal(err)
}
creds, err := google.CredentialsFromJSON(ctx, data, "https://www.googleapis.com/auth/bigquery")
if err != nil {
    log.Fatal(err)
}
_ = creds // TODO: Use creds.

func CredentialsFromJSONWithParams 

func CredentialsFromJSONWithParams(ctx context.Context, jsonData []byte, params CredentialsParams) (*Credentials, error)

CredentialsFromJSONWithParams obtains Google credentials from a JSON value. The JSON can represent either a Google Developers Console client_credentials.json file (as in ConfigFromJSON), a Google Developers service account key file, a gcloud user credentials file (a.k.a. refresh token JSON), or the JSON configuration file for workload identity federation in non-Google cloud platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).

func FindDefaultCredentials 

func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error)

FindDefaultCredentials invokes FindDefaultCredentialsWithParams with the specified scopes.

func FindDefaultCredentialsWithParams 

func FindDefaultCredentialsWithParams(ctx context.Context, params CredentialsParams) (*Credentials, error)

FindDefaultCredentialsWithParams searches for "Application Default Credentials".

It looks for credentials in the following places, preferring the first location found:

  1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on how to generate the JSON configuration file for on-prem/non-Google cloud platforms.
  2. A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
  3. On Google Compute Engine, Google App Engine standard second generation runtimes (>= Go 1.11), and Google App Engine flexible environment, it fetches credentials from the metadata server.

func (*Credentials) GetUniverseDomain 

func (c *Credentials) GetUniverseDomain() (string, error)

GetUniverseDomain returns the default service domain for a given Cloud universe. If present, UniverseDomainProvider will be invoked and its return value will be cached.

The default value is "googleapis.com".

func (*Credentials) UniverseDomain 

func (c *Credentials) UniverseDomain() string

UniverseDomain returns the default service domain for a given Cloud universe.

The default value is "googleapis.com".

Deprecated: Use instead (*Credentials).GetUniverseDomain(), which supports obtaining the universe domain when authenticating via the GCE metadata server. Unlike GetUniverseDomain, this method, UniverseDomain, will always return the default value when authenticating via the GCE metadata server. See also [The attached service account](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa).

type CredentialsParams

CredentialsParams holds user supplied parameters that are used together with a credentials file for building a Credentials object. 

type CredentialsParams struct {
    // Scopes is the list OAuth scopes. Required.
    // Example: https://www.googleapis.com/auth/cloud-platform
    Scopes []string

    // Subject is the user email used for domain wide delegation (see
    // https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).
    // Optional.
    Subject string

    // AuthHandler is the AuthorizationHandler used for 3-legged OAuth flow. Required for 3LO flow.
    AuthHandler authhandler.AuthorizationHandler

    // State is a unique string used with AuthHandler. Required for 3LO flow.
    State string

    // PKCE is used to support PKCE flow. Optional for 3LO flow.
    PKCE *authhandler.PKCEParams

    // The OAuth2 TokenURL default override. This value overrides the default TokenURL,
    // unless explicitly specified by the credentials config file. Optional.
    TokenURL string

    // EarlyTokenRefresh is the amount of time before a token expires that a new
    // token will be preemptively fetched. If unset the default value is 10
    // seconds.
    //
    // Note: This option is currently only respected when using credentials
    // fetched from the GCE metadata server.
    EarlyTokenRefresh time.Duration

    // UniverseDomain is the default service domain for a given Cloud universe.
    // Only supported in authentication flows that support universe domains.
    // This value takes precedence over a universe domain explicitly specified
    // in a credentials config file or by the GCE metadata server. Optional.
    UniverseDomain string
}

type DefaultCredentials

DefaultCredentials is the old name of Credentials.

Deprecated: use Credentials instead. 

type DefaultCredentials = Credentials

type SDKConfig

An SDKConfig provides access to tokens from an account already authorized via the Google Cloud SDK. 

type SDKConfig struct {
    // contains filtered or unexported fields
}

Example

Code:

// The credentials will be obtained from the first account that
// has been authorized with `gcloud auth login`.
conf, err := google.NewSDKConfig("")
if err != nil {
    log.Fatal(err)
}
// Initiate an http.Client. The following GET request will be
// authorized and authenticated on the behalf of the SDK user.
client := conf.Client(oauth2.NoContext)
client.Get("...")

func NewSDKConfig 

func NewSDKConfig(account string) (*SDKConfig, error)

NewSDKConfig creates an SDKConfig for the given Google Cloud SDK account. If account is empty, the account currently active in Google Cloud SDK properties is used. Google Cloud SDK credentials must be created by running `gcloud auth` before using this function. The Google Cloud SDK is available at https://cloud.google.com/sdk/.

func (*SDKConfig) Client 

func (c *SDKConfig) Client(ctx context.Context) *http.Client

Client returns an HTTP client using Google Cloud SDK credentials to authorize requests. The token will auto-refresh as necessary. The underlying http.RoundTripper will be obtained using the provided context. The returned client and its Transport should not be modified.

func (*SDKConfig) Scopes 

func (c *SDKConfig) Scopes() []string

Scopes are the OAuth 2.0 scopes the current account is authorized for.

func (*SDKConfig) TokenSource 

func (c *SDKConfig) TokenSource(ctx context.Context) oauth2.TokenSource

TokenSource returns an oauth2.TokenSource that retrieve tokens from Google Cloud SDK credentials using the provided context. It will returns the current access token stored in the credentials, and refresh it when it expires, but it won't update the credentials with the new access token.

Subdirectories

Name Synopsis
..
downscope Package downscope implements the ability to downscope, or restrict, the Identity and Access Management permissions that a short-lived Token can use.
externalaccount Package externalaccount provides support for creating workload identity federation and workforce identity federation token sources that can be used to access Google Cloud resources from external identity providers.