PHPFUI/InstaDoc
 
Copied!

Authenticates requests using Google's Service Account credentials via JWT Access.

This class allows authorizing requests for service accounts directly from credentials from a json key file downloaded from the developer console (via 'Generate new Json Key'). It is not part of any OAuth2 flow, rather it creates a JWT and sends that as a credential.

CloneableInstantiable
Constants
public Google\Auth\UpdateMetadataInterface::AUTH_METADATA_KEY = 'authorization'
public Google\Auth\GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN = 'googleapis.com'
public Google\Auth\CredentialsLoader::ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
public Google\Auth\CredentialsLoader::MTLS_CERT_ENV_VAR = 'GOOGLE_API_USE_CLIENT_CERTIFICATE'
public Google\Auth\CredentialsLoader::MTLS_WELL_KNOWN_PATH = '.secureConnect/context_aware_metadata.json'
public Google\Auth\CredentialsLoader::NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'
public Google\Auth\CredentialsLoader::QUOTA_PROJECT_ENV_VAR = 'GOOGLE_CLOUD_QUOTA_PROJECT'
public Google\Auth\CredentialsLoader::TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'
public Google\Auth\CredentialsLoader::WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
public Google\Auth\GetQuotaProjectInterface::X_GOOG_USER_PROJECT_HEADER = 'X-Goog-User-Project'
Properties
public $projectId = NULL
 
  • var string
Methods
public __construct( $jsonKey, $scope = NULL)
 

Create a new ServiceAccountJwtAccessCredentials.

  • param string|array $jsonKey JSON credential file path or JSON credentials as an associative array
  • param string|string[] $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
public fetchAuthToken(?callable $httpHandler = NULL)
 

Implements FetchAuthTokenInterface#fetchAuthToken.

  • param callable|null $httpHandler
  • return null|array{access_token: string} A set of auth related metadata
public static Google\Auth\CredentialsLoader::fromEnv()
 

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

  • return array|null JSON key | null
public static Google\Auth\CredentialsLoader::fromWellKnownFile()
 

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

  • return array|null JSON key | null
public getCacheKey()
 

Return the cache key for the credentials.

The format for the Cache Key one of the following: ClientEmail.Scope ClientEmail.Audience

  • return string
public getClientName(?callable $httpHandler = NULL)
 

Get the client name from the keyfile.

In this case, it returns the keyfile's client_email key.

  • param callable|null $httpHandler Not used by this credentials type.
  • return string
public static Google\Auth\CredentialsLoader::getDefaultClientCertSource()
 

Gets a callable which returns the default device certification.

  • throws \UnexpectedValueException
  • return callable|null
public getLastReceivedToken()
 
  • return array
public getPrivateKey()
 

Get the private key from the keyfile.

In this case, it returns the keyfile's private_key key, needed for JWT signing.

  • return string
public getProjectId(?callable $httpHandler = NULL)
 

Get the project ID from the service account keyfile.

Returns null if the project ID does not exist in the keyfile.

  • param callable|null $httpHandler Not used by this credentials type.
  • return string|null
public getQuotaProject()
 

Get the quota project used for this API request

  • return string|null
public Google\Auth\CredentialsLoader::getUniverseDomain() : string
 

Get the universe domain from the credential. Defaults to "googleapis.com" for all credential types which do not support universe domain.

  • return string
public Google\Auth\CredentialsLoader::getUpdateMetadataFunc()
 

export a callback function which updates runtime metadata.

  • return callable updateMetadata function
  • deprecated
public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey, $defaultScope = NULL)
 

Create a new Credentials instance.

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information {@see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}

  • param string|string[] $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
  • param array $jsonKey the JSON credentials.
  • param string|string[] $defaultScope The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.
  • return \ServiceAccountCredentials|\UserRefreshCredentials|\ImpersonatedServiceAccountCredentials|\ExternalAccountCredentials
public static Google\Auth\CredentialsLoader::makeHttpClient(Google\Auth\FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], ?callable $httpHandler = NULL, ?callable $tokenCallback = NULL)
 

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

  • param \FetchAuthTokenInterface $fetcher is used to fetch the auth token
  • param array $httpClientOptions (optional) Array of request options to apply.
  • param callable|null $httpHandler (optional) http client to fetch the token.
  • param callable|null $tokenCallback (optional) function to be called when a new token is fetched.
  • return \GuzzleHttp\Client
public static Google\Auth\CredentialsLoader::makeInsecureCredentials()
 

Create a new instance of InsecureCredentials.

  • return \InsecureCredentials
public static Google\Auth\CredentialsLoader::quotaProjectFromEnv()
 

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

  • return string|null
public static Google\Auth\CredentialsLoader::shouldLoadClientCertSource()
 

Determines whether or not the default device certificate should be loaded.

  • return bool
public signBlob( $stringToSign, $forceOpenssl = false)
 

Sign a string using the service account private key.

  • param string $stringToSign
  • param bool $forceOpenssl Whether to use OpenSSL regardless of whether phpseclib is installed. Defaults to false.
  • return string
public updateMetadata( $metadata, $authUri = NULL, ?callable $httpHandler = NULL)
 

Updates metadata with the authorization token.

  • param array $metadata metadata hashmap
  • param string $authUri optional auth uri
  • param callable|null $httpHandler callback which delivers psr7 request
  • return array updated metadata hashmap
Properties
protected $auth = NULL
 

The OAuth2 instance used to conduct authorization.

  • var \OAuth2
protected static Google\Auth\CredentialsLoader::$metricMetadataKey = 'x-goog-api-client'
 
  • var string The header key for the observability metrics.
protected $quotaProject = NULL
 

The quota project associated with the JSON credentials

  • var string
Methods
protected Google\Auth\CredentialsLoader::applyServiceApiUsageMetrics( $metadata)
 
  • param array $metadata The metadata to update and return.
  • return array The updated metadata.
protected Google\Auth\CredentialsLoader::applyTokenEndpointMetrics( $metadata, $authRequestType)
 
  • param array $metadata The metadata to update and return.
  • param string $authRequestType The auth request type. Possible values are 'at', 'it', 'mds'.
  • return array The updated metadata.
protected getCredType() : string
protected static Google\Auth\CredentialsLoader::getMetricsHeader( $credType = '', $authRequestType = '') : string
 
  • param string $credType [Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.
  • param string $authRequestType [Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.
  • return string The header value for the observability metrics.
protected static Google\Auth\CredentialsLoader::getVersion() : string
Constants
private Google\Auth\Credentials\ServiceAccountJwtAccessCredentials::CRED_TYPE = 'jwt'
 

Used in observability metric headers

  • var string
Properties
protected static Google\Auth\CredentialsLoader::$metricMetadataKey = 'x-goog-api-client'
 
  • var string The header key for the observability metrics.
Methods
public static Google\Auth\CredentialsLoader::fromEnv()
 

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

  • return array|null JSON key | null
public static Google\Auth\CredentialsLoader::fromWellKnownFile()
 

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

  • return array|null JSON key | null
public static Google\Auth\CredentialsLoader::getDefaultClientCertSource()
 

Gets a callable which returns the default device certification.

  • throws \UnexpectedValueException
  • return callable|null
protected static Google\Auth\CredentialsLoader::getMetricsHeader( $credType = '', $authRequestType = '') : string
 
  • param string $credType [Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.
  • param string $authRequestType [Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.
  • return string The header value for the observability metrics.
protected static Google\Auth\CredentialsLoader::getVersion() : string
public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey, $defaultScope = NULL)
 

Create a new Credentials instance.

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information {@see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}

  • param string|string[] $scope the scope of the access request, expressed either as an Array or as a space-delimited String.
  • param array $jsonKey the JSON credentials.
  • param string|string[] $defaultScope The default scope to use if no user-defined scopes exist, expressed either as an Array or as a space-delimited string.
  • return \ServiceAccountCredentials|\UserRefreshCredentials|\ImpersonatedServiceAccountCredentials|\ExternalAccountCredentials
public static Google\Auth\CredentialsLoader::makeHttpClient(Google\Auth\FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], ?callable $httpHandler = NULL, ?callable $tokenCallback = NULL)
 

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

  • param \FetchAuthTokenInterface $fetcher is used to fetch the auth token
  • param array $httpClientOptions (optional) Array of request options to apply.
  • param callable|null $httpHandler (optional) http client to fetch the token.
  • param callable|null $tokenCallback (optional) function to be called when a new token is fetched.
  • return \GuzzleHttp\Client
public static Google\Auth\CredentialsLoader::makeInsecureCredentials()
 

Create a new instance of InsecureCredentials.

  • return \InsecureCredentials
public static Google\Auth\CredentialsLoader::quotaProjectFromEnv()
 

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

  • return string|null
public static Google\Auth\CredentialsLoader::shouldLoadClientCertSource()
 

Determines whether or not the default device certificate should be loaded.

  • return bool
© 2025 Bruce Wells
Search Namespaces \ Classes
Configuration