Class DelegatedCredentials

All Implemented Interfaces:, Serializable

public class DelegatedCredentials extends
OAuth2 credentials for accessing Google Workspace APIs with domain-wide delegation. It fetches access tokens using JSON Web Tokens (JWT) signed by a user-provided ServiceAccountSigner.

This class accepts the application-default-credential as the ServiceAccountSigner, avoiding the need for exported private keys. In this case, the default credential user itself ( on AppEngine) must have domain-wide delegation to the Workspace APIs. The default credential user must also have the Token Creator role on itself.

If the user provides a credential S that carries its own private key, such as ServiceAccountCredentials, this class can use S to impersonate another service account D and gain delegated access as D, as long as S has the Token Creator role on D. This usage is documented here for future reference.

As of October 2022, the functionalities described above are not implemented in the GCP Java Auth library, although they are available in the Python library. We have filed a feature request. This class is a stop-gap implementation.

The main body of this class is adapted from ServiceAccountCredentials with cosmetic changes. The important changes include the removal of all uses of the private key and the signing of the JWT (in signAssertion(,, We choose not to extend ServiceAccountCredentials because doing so would add a dependency on the non-public details of that class.
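The JWT-bearer flow described above, sketched as an added example (not the source of DelegatedCredentials and not code from the auth library): the assertion is built locally and signed through `ServiceAccountSigner.sign`, so no private key is exported. The class name `DelegatedJwtSketch`, the user `admin@example.com` and the chosen scope are assumptions made for illustration.

```java
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.List;

/** Added illustration of the signing step; hypothetical class, not DelegatedCredentials itself. */
public final class DelegatedJwtSketch {
  private static final String TOKEN_URI = "https://oauth2.googleapis.com/token";
  private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

  static String b64(String s) {
    return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
  }

  /** Builds the signed assertion; only the signing request leaves this method, never a key. */
  static String signedAssertion(
      ServiceAccountSigner signer, String workspaceUser, List<String> scopes, Instant now) {
    String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
    // Assumption: inputs are plain emails and scope URLs, so no JSON escaping is done here.
    String claims = String.format(
        "{\"iss\":\"%s\",\"sub\":\"%s\",\"scope\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d}",
        signer.getAccount(), workspaceUser, String.join(" ", scopes), TOKEN_URI,
        now.getEpochSecond(), now.plusSeconds(3600).getEpochSecond());
    // Assumption: the signer returns an RSA SHA-256 signature, matching the RS256 header.
    String signingInput = b64(header) + "." + b64(claims);
    byte[] signature = signer.sign(signingInput.getBytes(StandardCharsets.UTF_8));
    return signingInput + "." + B64URL.encodeToString(signature);
  }

  public static void main(String[] args) throws IOException {
    GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
    // Not every default credential can sign (user credentials cannot): fail closed.
    if (!(adc instanceof ServiceAccountSigner)) {
      throw new IllegalStateException("Default credential cannot sign: " + adc.getClass());
    }
    String jwt = signedAssertion((ServiceAccountSigner) adc, "admin@example.com",
        List.of("https://www.googleapis.com/auth/admin.directory.group.readonly"), Instant.now());
    // The assertion is POSTed to TOKEN_URI with
    // grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; it is not printed, being a secret.
    System.out.println("Built assertion of " + jwt.length() + " characters");
  }
}
```

The `sub` claim is what turns a plain service-account token into a delegated one, so the scopes granted to the signer's account in the Workspace admin console should be limited to those the caller requests here.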

  • Method Summary

    protected static <T> T getFromServiceLoader(Class<? extends T> clazz, T defaultInstance)

    refreshAccessToken()
    Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

    Methods inherited from class

    create, create, createDelegated, createScoped, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, equals, fromStream, fromStream, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, getUniverseDomain, hashCode, isExplicitUniverseDomain, newBuilder, toBuilder, toString, toStringHelper

    Methods inherited from class

    addChangeListener, getAccessToken, getAuthenticationType, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

    Methods inherited from class

    blockingGetToCallback, getRequestMetadata

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait
  • Method Details

    • refreshAccessToken

      public refreshAccessToken() throws IOException
      Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).
      refreshAccessToken in class
    • getFromServiceLoader

      protected static <T> T getFromServiceLoader(Class<? extends T> clazz, T defaultInstance)