Package google-auth-library (8.2.0)

Classes

AuthClient

AwsClient

AWS external account client. This is used for AWS workloads, where serialized signed AWS STS GetCallerIdentity requests are exchanged for a GCP access token.

BaseExternalAccountClient

Base external account client. This is used to instantiate AuthClients for exchanging external account credentials for a GCP access token and authorizing requests to GCP APIs. The base class implements the common logic for exchanging various types of external credentials for a GCP access token. Determining and retrieving the external credential based on the environment and credential_source is left to the subclasses.

Compute

DefaultTransporter

DownscopedClient

Defines a set of Google credentials that are downscoped from an existing set of Google OAuth2 credentials. This is useful to restrict the Identity and Access Management (IAM) permissions that a short-lived credential can use. The common usage pattern is to have a token broker with elevated access generate these downscoped credentials from higher-access source credentials and pass the downscoped short-lived access tokens to a token consumer over a secure, authenticated channel for limited access to Google Cloud Storage resources.

ExternalAccountClient

Dummy class with no constructor. Developers are expected to use fromJSON.

GoogleAuth

IAMAuth

IdentityPoolClient

Defines the Url-sourced and file-sourced external account clients mainly used for K8s and Azure workloads.

IdTokenClient

Impersonated

JWT

JWTAccess

LoginTicket

OAuth2Client

PluggableAuthClient

PluggableAuthClient enables the exchange of workload identity pool external credentials for Google access tokens by retrieving third-party tokens through a user-supplied executable. These scripts/executables are completely independent of the Google Cloud Auth libraries. These credentials plug into ADC and will call the specified executable to retrieve the third-party token to be exchanged for a Google access token.

To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable must be set to '1'. This is a deliberate opt-in for security reasons: the credential configuration file names a command that the library will run, so the decision to permit that is left to the environment rather than to whoever can supply the configuration file.

Both OIDC and SAML are supported. The executable must adhere to a specific response format defined below.

The executable must print out the 3rd party token to STDOUT in JSON format. When an output_file is specified in the credential configuration, the executable must also handle writing the JSON response to this file.

OIDC response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:id_token",
  "id_token": "HEADER.PAYLOAD.SIGNATURE",
  "expiration_time": 1620433341
}

SAML2 response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:saml2",
  "saml_response": "...",
  "expiration_time": 1620433341
}

Error response sample:
{
  "version": 1,
  "success": false,
  "code": "401",
  "message": "Error message."
}

The "expiration_time" field in the JSON response is only required for successful responses when an output file was specified in the credential configuration.

The auth libraries will populate certain environment variables that will be accessible by the executable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE, GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, and GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.

Please see this repository's README for the complete executable request/response specification.

UserRefreshClient

Interfaces

AuthClient

AwsClientOptions

AWS credentials JSON interface. This is used for AWS workloads.

BaseExternalAccountClientOptions

Base external account credentials JSON interface.

Certificates

Claims

CodeVerifierResults

The results from the generateCodeVerifierAsync method. To learn more, See the sample: https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js

ComputeOptions

CredentialAccessBoundary

Defines an upper bound of permissions available for a GCP credential.
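As an added example (not the library's own code), the boundary a token broker as described under DownscopedClient would construct to confine a downscoped token to one object prefix in one bucket, plus the structural checks applied before it is used. Field names follow the library's CredentialAccessBoundary and AccessBoundaryRule interfaces as I understand them; the CEL expression form, the inRole: permission format, the rule-count limit of 10 and the helper names are assumptions of mine rather than statements on this page.

```javascript
// Added example, not part of google-auth-library: the access boundary a token
// broker builds before calling DownscopedClient, plus structural checks.
const MAX_ACCESS_BOUNDARY_RULES = 10; // limit I understand the library to enforce (assumption)

// Confine a token to one bucket and, optionally, one object-name prefix.
// The default permission is a read-only role; the condition is a CEL
// expression over the resource name (form assumed, not taken from this page).
function bucketPrefixBoundary(bucket, prefix, permissions = ['inRole:roles/storage.objectViewer']) {
  const rule = {
    availableResource: `//storage.googleapis.com/projects/_/buckets/${bucket}`,
    availablePermissions: permissions,
  };
  if (prefix) {
    rule.availabilityCondition = {
      title: `objects under ${prefix}`,
      expression: `resource.name.startsWith('projects/_/buckets/${bucket}/objects/${prefix}')`,
    };
  }
  return {accessBoundary: {accessBoundaryRules: [rule]}};
}

// Reject malformed boundaries before they reach the token exchange: an empty
// or over-long rule list, a rule without a resource, or permissions that are
// not inRole: entries.
function validateBoundary(cab) {
  const rules = cab && cab.accessBoundary && cab.accessBoundary.accessBoundaryRules;
  if (!Array.isArray(rules) || rules.length === 0) throw new Error('at least one access boundary rule is required');
  if (rules.length > MAX_ACCESS_BOUNDARY_RULES) throw new Error(`at most ${MAX_ACCESS_BOUNDARY_RULES} rules are allowed`);
  for (const r of rules) {
    if (typeof r.availableResource !== 'string' || !r.availableResource) throw new Error('availableResource is required');
    if (!Array.isArray(r.availablePermissions) || r.availablePermissions.length === 0) {
      throw new Error('availablePermissions must be non-empty');
    }
    for (const p of r.availablePermissions) {
      if (typeof p !== 'string' || !p.startsWith('inRole:')) throw new Error(`permission ${p} must be an inRole: entry`);
    }
    if (r.availabilityCondition && typeof r.availabilityCondition.expression !== 'string') {
      throw new Error('availabilityCondition needs an expression');
    }
  }
  return true;
}
```

The returned object is what the broker passes as the second argument to new DownscopedClient(sourceClient, cab). It can only narrow what the source credential already has; it never adds permissions, which is why the page calls it an upper bound.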

CredentialBody

CredentialRequest

Credentials

GenerateAuthUrlOpts

GetTokenOptions

GoogleAuthOptions

IdentityPoolClientOptions

Url-sourced/file-sourced credentials JSON interface. This is used for K8s and Azure workloads.

IdTokenProvider

ImpersonatedOptions

JWTInput

JWTOptions

OAuth2ClientOptions

PluggableAuthClientOptions

Defines the credential source portion of the configuration for PluggableAuthClient.

Command is the only required field. If timeout_millis is not specified, the library will default to a 30-second timeout.

Sample credential source for Pluggable Auth Client:
{
  ...
  "credential_source": {
    "executable": {
      "command": "/path/to/get/credentials.sh --arg1=value1 --arg2=value2",
      "timeout_millis": 5000,
      "output_file": "/path/to/generated/cached/credentials"
    }
  }
}

ProjectIdCallback

RefreshOptions

RequestMetadata

TokenInfo

TokenPayload

UserRefreshClientOptions

VerifyIdTokenOptions

Enums

CodeChallengeMethod

GCPEnv

Variables

auth

auth: GoogleAuth

Type Aliases

ExternalAccountClientOptions

export declare type ExternalAccountClientOptions = IdentityPoolClientOptions | AwsClientOptions | PluggableAuthClientOptions;