class Google::Auth::BearerTokenCredentials
Implementation of Bearer Token authentication scenario.
Bearer tokens are strings representing an authorization grant. They can be OAuth2 (“ya.29”) tokens, JWTs, IDTokens: anything that is sent as a `Bearer` in an `Authorization` header.
Not all ‘authentication’ strings can be used with this class. For example, an API key cannot, since API keys are sent in an `x-goog-api-key` header or as a query parameter.
This class should be used when the end-user is managing the authentication token separately, e.g. with a separate service. This means that tasks like tracking the lifetime of and refreshing the token are outside the scope of this class.
There is no JSON representation for this type of credentials. If the end-user has credentials in JSON format they should typically use the corresponding credentials type, e.g. ServiceAccountCredentials with the service account JSON.
Constants
- AUTH_METADATA_KEY: @private Authorization header name
Attributes
@return [String] The token to be sent as a part of Bearer claim
@return [Time, nil] The token expiration time provided by the end-user.
@return [String] The token to be sent as a part of Bearer claim
@return [String] The universe domain of the universe this token is for
Public Class Methods
Source
# File lib/googleauth/bearer_token.rb, line 69
def make_creds options = {}
  new options
end
Create the BearerTokenCredentials.
@param [Hash] options The credentials options
@option options [String] :token The bearer token to use.
@option options [Time, Numeric, nil] :expires_at The token expiration time provided by the end-user. Optional, for the end-user's convenience. Can be a Time object or a number of seconds since epoch. If `expires_at` is `nil`, it is treated as "token never expires".
@option options [String] :universe_domain The universe domain of the universe this token is for (defaults to googleapis.com)
@return [Google::Auth::BearerTokenCredentials]
Source
# File lib/googleauth/bearer_token.rb, line 83
def initialize options = {}
  raise ArgumentError, "Bearer token must be provided" if options[:token].nil? || options[:token].empty?
  @token = options[:token]
  @expires_at = case options[:expires_at]
                when Time
                  options[:expires_at]
                when Numeric
                  Time.at options[:expires_at]
                end
  @universe_domain = options[:universe_domain] || "googleapis.com"
end
Initialize the BearerTokenCredentials.
@param [Hash] options The credentials options
@option options [String] :token The bearer token to use.
@option options [Time, Numeric, nil] :expires_at The token expiration time provided by the end-user. Optional, for the end-user's convenience. Can be a Time object or a number of seconds since epoch. If `expires_at` is `nil`, it is treated as "token never expires".
@option options [String] :universe_domain The universe domain of the universe this token is for (defaults to googleapis.com)
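`initialize` keeps `expires_at` only when it is a Time or Numeric and treats `nil` as "never expires", so a caller can lose expiry tracking without any error. The following added example is not part of googleauth; `checked_bearer_options`, `jwt_expiry` and the sample token are hypothetical names constructed here. It validates the options before they reach `BearerTokenCredentials.new` and falls back to the unverified `exp` claim when the token is JWT-shaped.

```ruby
require "json"

# Hypothetical helpers, not part of googleauth.

# Reads the `exp` claim of a JWT-shaped token WITHOUT verifying its signature.
# This is only a local lifetime hint; opaque tokens yield nil.
def jwt_expiry(token)
  parts = token.split(".")
  return nil unless parts.length == 3
  json = parts[1].tr("-_", "+/").unpack1("m").force_encoding("UTF-8")
  claims = JSON.parse(json)
  claims.is_a?(Hash) && claims["exp"].is_a?(Numeric) ? Time.at(claims["exp"]) : nil
rescue JSON::ParserError
  nil
end

# Builds the options hash for BearerTokenCredentials.new, refusing every input
# that the class would end up treating as "token never expires".
def checked_bearer_options(token:, expires_at: nil, now: Time.now)
  raise ArgumentError, "Bearer token must be provided" if token.nil? || token.empty?

  expiry =
    case expires_at
    when Time then expires_at
    when Numeric then Time.at(expires_at)
    when nil then jwt_expiry(token)
    else
      # initialize's `case` has no else branch, so a String such as
      # "2030-01-01T00:00:00Z" would silently become nil there.
      raise ArgumentError, "expires_at must be Time or Numeric, got #{expires_at.class}"
    end
  raise ArgumentError, "no expiry supplied or found in token" if expiry.nil?
  # Same boundary as fetch_access_token!: expired once now >= expires_at.
  raise ArgumentError, "token expired at #{expiry.utc}" unless now < expiry

  { token: token, expires_at: expiry }
end

# Constructed sample: unsigned JWT-shaped string whose payload is {"exp":2000}.
SAMPLE_PAYLOAD = [JSON.generate({ "exp" => 2000 })].pack("m0").tr("+/", "-_").delete("=")
SAMPLE_TOKEN = "e30.#{SAMPLE_PAYLOAD}.constructed-signature"
```

The returned hash can be passed straight to `Google::Auth::BearerTokenCredentials.new`; add `:universe_domain` to it when the default does not apply.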
Public Instance Methods
Source
# File lib/googleauth/bearer_token.rb, line 114
def duplicate options = {}
  self.class.new(
    token: options[:token] || @token,
    expires_at: options[:expires_at] || @expires_at,
    universe_domain: options[:universe_domain] || @universe_domain
  )
end
Creates a duplicate of these credentials.
@param [Hash] options Additional options for configuring the credentials
@option options [String] :token The bearer token to use.
@option options [Time, Numeric] :expires_at The token expiration time. Can be a Time object or a number of seconds since epoch.
@option options [String] :universe_domain The universe domain (defaults to googleapis.com)
@return [Google::Auth::BearerTokenCredentials]
Source
# File lib/googleauth/bearer_token.rb, line 101
def expires_within? seconds
  return false if @expires_at.nil? # Treat nil expiration as "never expires"
  Time.now + seconds >= @expires_at
end
Determines if the credentials object has expired, or will expire within the given number of seconds.
@param [Numeric] seconds The optional timeout in seconds.
@return [Boolean] True if the token has expired, false otherwise, or if the expires_at was not provided.
Protected Instance Methods
Source
# File lib/googleauth/bearer_token.rb, line 133
def fetch_access_token! _options = {}
  if @expires_at && Time.now >= @expires_at
    raise "Bearer token has expired."
  end
  nil
end
BearerTokenCredentials do not support fetching a new token.
If the token has an expiration time and is expired, this method will raise an error.
@param [Hash] _options Options for fetching a new token (not used).
@return [nil] Always returns nil.
@raise [StandardError] If the token is expired.
Private Instance Methods
Source
# File lib/googleauth/bearer_token.rb, line 143
def token_type
  :bearer_token
end