PHPFUI/InstaDoc

deprecated AppIdentityCredentials supports authorization on Google App Engine. It can be used to authorize requests using the AuthTokenMiddleware or AuthTokenSubscriber, but will only succeed if being run on App Engine: Example:

use Google\Auth\Credentials\AppIdentityCredentials; use Google\Auth\Middleware\AuthTokenMiddleware; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack; $gae = new AppIdentityCredentials('https://www.googleapis.com/auth/books'); $middleware = new AuthTokenMiddleware($gae); $stack = HandlerStack::create(); $stack->push($middleware); $client = new Client([ 'handler' => $stack, 'base_uri' => 'https://www.googleapis.com/books/v1', 'auth' => 'google_auth' ]); $res = $client->get('volumes?q=Henry+David+Thoreau&country=US');

CloneableInstantiable

Constants

public Google\Auth\UpdateMetadataInterface::AUTH_METADATA_KEY = 'authorization'

public Google\Auth\GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN = 'googleapis.com'

public Google\Auth\CredentialsLoader::ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'

public Google\Auth\CredentialsLoader::MTLS_CERT_ENV_VAR = 'GOOGLE_API_USE_CLIENT_CERTIFICATE'

public Google\Auth\CredentialsLoader::MTLS_WELL_KNOWN_PATH = '.secureConnect/context_aware_metadata.json'

public Google\Auth\CredentialsLoader::NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'

public Google\Auth\CredentialsLoader::QUOTA_PROJECT_ENV_VAR = 'GOOGLE_CLOUD_QUOTA_PROJECT'

public Google\Auth\CredentialsLoader::TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'

public Google\Auth\CredentialsLoader::WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'

Methods

public __construct( $scope = [])

param string|string[] $scope One or more scopes.

public fetchAuthToken(?callable $httpHandler = NULL)

Implements FetchAuthTokenInterface#fetchAuthToken.

Fetches the auth tokens using the AppIdentityService if available. As the AppIdentityService uses protobufs to fetch the access token, the GuzzleHttp\ClientInterface instance passed in will not be used.

param callable|null $httpHandler callback which delivers psr7 request
return
array { A set of auth related metadata, containing the following
```
@type string $access_token @type string $expiration_time 
```
}

public static Google\Auth\CredentialsLoader::fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

return array|null JSON key | null

public static Google\Auth\CredentialsLoader::fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

windows: %APPDATA%/gcloud/application_default_credentials.json
others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

return array|null JSON key | null

public getCacheKey()

Caching is handled by the underlying AppIdentityService, return empty string to prevent caching.

return string

public getClientName(?callable $httpHandler = NULL)

Get the client name from AppIdentityService.

Subsequent calls to this method will return a cached value.

param callable|null $httpHandler Not used in this implementation.
return string
throws \Exception If AppEngine SDK or mock is not available.

public static Google\Auth\CredentialsLoader::getDefaultClientCertSource()

Gets a callable which returns the default device certification.

throws \UnexpectedValueException
return callable|null

public getLastReceivedToken()

return array{access_token: string, expires_at: int}|null

public getProjectId(?callable $httpHandler = NULL)

Get the project ID from AppIdentityService.

Returns null if AppIdentityService is unavailable.

param callable|null $httpHandler Not used by this type.
return string|null

public Google\Auth\CredentialsLoader::getUniverseDomain() : string

Get the universe domain from the credential. Defaults to "googleapis.com" for all credential types which do not support universe domain.

return string

public Google\Auth\CredentialsLoader::getUpdateMetadataFunc()

export a callback function which updates runtime metadata.

return callable updateMetadata function
deprecated

public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey, $defaultScope = NULL)

Create a new Credentials instance.

deprecated
This method is being deprecated because of a potential security risk. This method does not validate the credential configuration. The security risk occurs when a credential configuration is accepted from a source that is not under your control and used without validation on your side. If you know that you will be loading credential configurations of a specific type, it is recommended to use a credential-type-specific method. This will ensure that an unexpected credential type with potential for malicious intent is not loaded unintentionally. You might still have to do validation for certain credential types. Please follow the recommendation for that method. For example, if you want to load only service accounts, you can create the {@see \ServiceAccountCredentials} explicitly:
```
use Google\Auth\Credentials\ServiceAccountCredentials; $creds = new ServiceAccountCredentials($scopes, $json); 
```
If you are loading your credential configuration from an untrusted source and have not mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon as possible to prevent security risks to your environment. Regardless of the method used, it is always your responsibility to validate configurations received from external sources.
see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
param string|string[] $scope
param array $jsonKey
param string|string[] $defaultScope
return \ServiceAccountCredentials|\UserRefreshCredentials|\ImpersonatedServiceAccountCredentials|\ExternalAccountCredentials

public static Google\Auth\CredentialsLoader::makeHttpClient(Google\Auth\FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], ?callable $httpHandler = NULL, ?callable $tokenCallback = NULL)

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

param \FetchAuthTokenInterface $fetcher is used to fetch the auth token
param array $httpClientOptions (optional) Array of request options to apply.
param callable|null $httpHandler (optional) http client to fetch the token.
param callable|null $tokenCallback (optional) function to be called when a new token is fetched.
return \GuzzleHttp\Client

public static Google\Auth\CredentialsLoader::makeInsecureCredentials()

Create a new instance of InsecureCredentials.

return \InsecureCredentials

public static onAppEngine()

Determines if this an App Engine instance, by accessing the SERVER_SOFTWARE environment variable (prod) or the APPENGINE_RUNTIME environment variable (dev).

return bool true if this an App Engine Instance, false otherwise

public static Google\Auth\CredentialsLoader::quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

return string|null

public static Google\Auth\CredentialsLoader::shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

return bool

public signBlob( $stringToSign, $forceOpenSsl = false)

Sign a string using AppIdentityService.

param string $stringToSign The string to sign.
param bool $forceOpenSsl [optional] Does not apply to this credentials type.
return string The signature, base64-encoded.
throws \Exception If AppEngine SDK or mock is not available.

public Google\Auth\CredentialsLoader::updateMetadata( $metadata, $authUri = NULL, ?callable $httpHandler = NULL)

Updates metadata with the authorization token.

param array $metadata metadata hashmap
param string $authUri optional auth uri
param callable|null $httpHandler callback which delivers psr7 request
return array updated metadata hashmap

Properties

protected $lastReceivedToken = NULL

Result of fetchAuthToken.

var array

protected static Google\Auth\CredentialsLoader::$metricMetadataKey = 'x-goog-api-client'

var string The header key for the observability metrics.

Methods

protected Google\Auth\CredentialsLoader::applyServiceApiUsageMetrics( $metadata)

param array $metadata The metadata to update and return.
return array The updated metadata.

protected Google\Auth\CredentialsLoader::applyTokenEndpointMetrics( $metadata, $authRequestType)

param array $metadata The metadata to update and return.
param string $authRequestType The auth request type. Possible values are 'at', 'it', 'mds'.
return array The updated metadata.

protected Google\Auth\CredentialsLoader::getCredType() : string

protected static Google\Auth\CredentialsLoader::getMetricsHeader( $credType = '', $authRequestType = '') : string

param string $credType [Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.
param string $authRequestType [Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.
return string The header value for the observability metrics.

protected static Google\Auth\CredentialsLoader::getVersion() : string

Properties

private $clientName = NULL

var string

private $scope = NULL

Array of OAuth2 scopes to be requested.

var string[]

Methods

private checkAppEngineContext()

return void

Properties

protected static Google\Auth\CredentialsLoader::$metricMetadataKey = 'x-goog-api-client'

var string The header key for the observability metrics.

Methods

public static Google\Auth\CredentialsLoader::fromEnv()

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

return array|null JSON key | null

public static Google\Auth\CredentialsLoader::fromWellKnownFile()

Load a JSON key from a well known path.

The well known path is OS dependent:

windows: %APPDATA%/gcloud/application_default_credentials.json
others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

return array|null JSON key | null

public static Google\Auth\CredentialsLoader::getDefaultClientCertSource()

Gets a callable which returns the default device certification.

throws \UnexpectedValueException
return callable|null

protected static Google\Auth\CredentialsLoader::getMetricsHeader( $credType = '', $authRequestType = '') : string

param string $credType [Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.
param string $authRequestType [Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.
return string The header value for the observability metrics.

protected static Google\Auth\CredentialsLoader::getVersion() : string

public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey, $defaultScope = NULL)

Create a new Credentials instance.

deprecated
This method is being deprecated because of a potential security risk. This method does not validate the credential configuration. The security risk occurs when a credential configuration is accepted from a source that is not under your control and used without validation on your side. If you know that you will be loading credential configurations of a specific type, it is recommended to use a credential-type-specific method. This will ensure that an unexpected credential type with potential for malicious intent is not loaded unintentionally. You might still have to do validation for certain credential types. Please follow the recommendation for that method. For example, if you want to load only service accounts, you can create the {@see \ServiceAccountCredentials} explicitly:
```
use Google\Auth\Credentials\ServiceAccountCredentials; $creds = new ServiceAccountCredentials($scopes, $json); 
```
If you are loading your credential configuration from an untrusted source and have not mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon as possible to prevent security risks to your environment. Regardless of the method used, it is always your responsibility to validate configurations received from external sources.
see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
param string|string[] $scope
param array $jsonKey
param string|string[] $defaultScope
return \ServiceAccountCredentials|\UserRefreshCredentials|\ImpersonatedServiceAccountCredentials|\ExternalAccountCredentials

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

param \FetchAuthTokenInterface $fetcher is used to fetch the auth token
param array $httpClientOptions (optional) Array of request options to apply.
param callable|null $httpHandler (optional) http client to fetch the token.
param callable|null $tokenCallback (optional) function to be called when a new token is fetched.
return \GuzzleHttp\Client

public static Google\Auth\CredentialsLoader::makeInsecureCredentials()

Create a new instance of InsecureCredentials.

return \InsecureCredentials

public static onAppEngine()

Determines if this an App Engine instance, by accessing the SERVER_SOFTWARE environment variable (prod) or the APPENGINE_RUNTIME environment variable (dev).

return bool true if this an App Engine Instance, false otherwise

public static Google\Auth\CredentialsLoader::quotaProjectFromEnv()

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

return string|null

public static Google\Auth\CredentialsLoader::shouldLoadClientCertSource()

Determines whether or not the default device certificate should be loaded.

return bool