Class: Google::Auth::BearerTokenCredentials

Inherits:

Object

• Object
• Google::Auth::BearerTokenCredentials

Includes:

BaseClient

Defined in:

lib/googleauth/bearer_token.rb

Overview

Implementation of Bearer Token authentication scenario.

Bearer tokens are strings representing an authorization grant. They can be OAuth2 ("ya.29") tokens, JWTs, IDTokens -- anything that is sent as a Bearer in an Authorization header.

Not all 'authentication' strings can be used with this class, e.g. an API key cannot since API keys are sent in a x-goog-api-key header or as a query parameter.

This class should be used when the end-user is managing the authentication token separately, e.g. with a separate service. This means that tasks like tracking the lifetime of and refreshing the token are outside the scope of this class.

There is no JSON representation for this type of credentials. If the end-user has credentials in JSON format they should typically use the corresponding credentials type, e.g. ServiceAccountCredentials with the service account JSON.

Instance Attribute Summary

• #expires_at ⇒ Time^? readonly

  The token expiration time provided by the end-user.

• #token ⇒ String (also: #bearer_token) readonly

  The token to be sent as a part of Bearer claim.

• #universe_domain ⇒ String

  The universe domain of the universe this token is for.

Attributes included from BaseClient

#logger

Class Method Summary

• .make_creds(options = {}) ⇒ Google::Auth::BearerTokenCredentials

  Create the BearerTokenCredentials.

Instance Method Summary

• #duplicate(options = {}) ⇒ Google::Auth::BearerTokenCredentials

  Creates a duplicate of these credentials.

• #expires_within?(seconds) ⇒ Boolean

  Determines if the credentials object has expired.

• #initialize(options = {}) ⇒ BearerTokenCredentials constructor

  Initialize the BearerTokenCredentials.

Methods included from BaseClient

#apply, #apply!, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ BearerTokenCredentials

Initialize the BearerTokenCredentials.

Parameters:

• options (Hash) (defaults to: {}) —

  The credentials options

Options Hash (options):

• :token (String) —

  The bearer token to use.

• :expires_at (Time, Numeric, nil) —

  The token expiration time provided by the end-user. Optional, for the end-user's convenience. Can be a Time object, a number of seconds since epoch. If expires_at is nil, it is treated as "token never expires".

• :universe_domain (String) —

  The universe domain of the universe this token is for (defaults to googleapis.com)

Raises:

• (ArgumentError)

# File 'lib/googleauth/bearer_token.rb', line 83

def initialize options = {}
  raise ArgumentError, "Bearer token must be provided" if options[:token].nil? || options[:token].empty?
  @token = options[:token]
  @expires_at = case options[:expires_at]
                when Time
                  options[:expires_at]
                when Numeric
                  Time.at options[:expires_at]
                end

  @universe_domain = options[:universe_domain] || "googleapis.com"
end

Instance Attribute Details

#expires_at ⇒ Time^? (readonly)

Returns The token expiration time provided by the end-user.

Returns:

• (Time, nil) —

  The token expiration time provided by the end-user.

# File 'lib/googleauth/bearer_token.rb', line 52

def expires_at
  @expires_at
end

#token ⇒ String (readonly) Also known as: bearer_token

Returns The token to be sent as a part of Bearer claim.

Returns:

• (String) —

  The token to be sent as a part of Bearer claim

# File 'lib/googleauth/bearer_token.rb', line 47

def token
  @token
end

#universe_domain ⇒ String

Returns The universe domain of the universe this token is for.

Returns:

• (String) —

  The universe domain of the universe this token is for

# File 'lib/googleauth/bearer_token.rb', line 56

def universe_domain
  @universe_domain
end

Class Method Details

.make_creds(options = {}) ⇒ Google::Auth::BearerTokenCredentials

Create the BearerTokenCredentials.

Parameters:

• options (Hash) (defaults to: {}) —

  The credentials options

Options Hash (options):

• :token (String) —

  The bearer token to use.

• :expires_at (Time, Numeric, nil) —

  The token expiration time provided by the end-user. Optional, for the end-user's convenience. Can be a Time object, a number of seconds since epoch. If expires_at is nil, it is treated as "token never expires".

• :universe_domain (String) —

  The universe domain of the universe this token is for (defaults to googleapis.com)

Returns:

• (Google::Auth::BearerTokenCredentials)

# File 'lib/googleauth/bearer_token.rb', line 69

def make_creds options = {}
  new options
end

Instance Method Details

#duplicate(options = {}) ⇒ Google::Auth::BearerTokenCredentials

Creates a duplicate of these credentials.

Parameters:

• options (Hash) (defaults to: {}) —

  Additional options for configuring the credentials

Options Hash (options):

• :token (String) —

  The bearer token to use.

• :expires_at (Time, Numeric) —

  The token expiration time. Can be a Time object or a number of seconds since epoch.

• :universe_domain (String) —

  The universe domain (defaults to googleapis.com)

Returns:

• (Google::Auth::BearerTokenCredentials)

# File 'lib/googleauth/bearer_token.rb', line 114

def duplicate options = {}
  self.class.new(
    token: options[:token] || @token,
    expires_at: options[:expires_at] || @expires_at,
    universe_domain: options[:universe_domain] || @universe_domain
  )
end

#expires_within?(seconds) ⇒ Boolean

Determines if the credentials object has expired.

Parameters:

• seconds (Numeric) —

  The optional timeout in seconds.

Returns:

• (Boolean) —

  True if the token has expired, false otherwise, or if the expires_at was not provided.

# File 'lib/googleauth/bearer_token.rb', line 101

def expires_within? seconds
  return false if @expires_at.nil? # Treat nil expiration as "never expires"
  Time.now + seconds >= @expires_at
end