Class DelegatedCredentials

java.lang.Object
com.google.auth.Credentials
com.google.auth.oauth2.OAuth2Credentials
com.google.auth.oauth2.GoogleCredentials
google.registry.config.DelegatedCredentials
All Implemented Interfaces:
com.google.auth.oauth2.QuotaProjectIdProvider, Serializable

public class DelegatedCredentials extends com.google.auth.oauth2.GoogleCredentials
OAuth2 credentials for accessing Google Workspace APIs with domain-wide delegation. It fetches access tokens using JSON Web Tokens (JWT) signed by a user-provided ServiceAccountSigner.

This class accepts the application-default-credential as ServiceAccountSigner, avoiding the need for exported private keys. In this case, the default credential user itself (project-id@appspot.gserviceaccount.com on AppEngine) must have domain-wide delegation to the Workspace APIs. The default credential user also must have the Token Creator role to itself.

If the user provides a credential S that carries its own private key, such as ServiceAccountCredentials, this class can use S to impersonate another service account D and gain delegated access as D, as long as S has the Token Creator role to D. This usage is documented here for future reference.

As of October 2022, the functionalities described above are not implemented in the GCP Java Auth library, although they are available in the Python library. We have filed a feature request. This class is a stop-gap implementation.

The main body of this class is adapted from ServiceAccountCredentials with cosmetic changes. The important changes include the removal of all uses of the private key and the signing of the JWT (in signAssertion(com.google.api.client.json.JsonFactory, com.google.api.client.json.webtoken.JsonWebSignature.Header, com.google.api.client.json.webtoken.JsonWebToken.Payload)). We choose not to extend ServiceAccountCredentials because it would add dependency to the non-public details of that class.

See Also:
  • Nested Class Summary

    Nested classes/interfaces inherited from class com.google.auth.oauth2.GoogleCredentials

    com.google.auth.oauth2.GoogleCredentials.Builder

    Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

    com.google.auth.oauth2.OAuth2Credentials.CredentialsChangedListener
  • Field Summary

    Fields inherited from class com.google.auth.oauth2.GoogleCredentials

    quotaProjectId

    Fields inherited from class com.google.auth.Credentials

    GOOGLE_DEFAULT_UNIVERSE
  • Method Summary

    Modifier and Type
    Method
    Description
    protected static <T> T
    getFromServiceLoader(Class<? extends T> clazz, T defaultInstance)
     
    com.google.auth.oauth2.AccessToken
    Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

    Methods inherited from class com.google.auth.oauth2.GoogleCredentials

    create, create, createDelegated, createScoped, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, equals, fromStream, fromStream, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, getUniverseDomain, hashCode, isExplicitUniverseDomain, newBuilder, toBuilder, toString, toStringHelper

    Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

    addChangeListener, getAccessToken, getAuthenticationType, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

    Methods inherited from class com.google.auth.Credentials

    blockingGetToCallback, getRequestMetadata

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait
  • Method Details

    • refreshAccessToken

      public com.google.auth.oauth2.AccessToken refreshAccessToken() throws IOException
      Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
      Overrides:
      refreshAccessToken in class com.google.auth.oauth2.OAuth2Credentials
      Throws:
      IOException
    • getFromServiceLoader

      protected static <T> T getFromServiceLoader(Class<? extends T> clazz, T defaultInstance)