
IMPORTANT: This class does not validate the credential configuration. A security risk occurs when a credential configuration containing malicious URLs (for example in service_account_impersonation_url) is used.

When the credential configuration is accepted from an untrusted source, you should validate it before creating this class.

  • see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
Cloneable, Instantiable
Constants
public Google\Auth\UpdateMetadataInterface::AUTH_METADATA_KEY = 'authorization'
public Google\Auth\GetUniverseDomainInterface::DEFAULT_UNIVERSE_DOMAIN = 'googleapis.com'
public Google\Auth\CredentialsLoader::ENV_VAR = 'GOOGLE_APPLICATION_CREDENTIALS'
public Google\Auth\CredentialsLoader::MTLS_CERT_ENV_VAR = 'GOOGLE_API_USE_CLIENT_CERTIFICATE'
public Google\Auth\CredentialsLoader::MTLS_WELL_KNOWN_PATH = '.secureConnect/context_aware_metadata.json'
public Google\Auth\CredentialsLoader::NON_WINDOWS_WELL_KNOWN_PATH_BASE = '.config'
public Google\Auth\CredentialsLoader::QUOTA_PROJECT_ENV_VAR = 'GOOGLE_CLOUD_QUOTA_PROJECT'
public Google\Auth\CredentialsLoader::TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token'
public Google\Auth\CredentialsLoader::WELL_KNOWN_PATH = 'gcloud/application_default_credentials.json'
Methods
public __construct(array|string|?null $scope, array|string $jsonKey, ?string $targetAudience = NULL, array|string|?null $defaultScope = NULL)
 

Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that has been created with the --impersonate-service-account flag.

  • param string|string[]|null $scope The scope of the access request, expressed either as an array or as a space-delimited string.
  • param string|array $jsonKey JSON credential file path, or the JSON credentials as an associative array containing:
    @type string                         $service_account_impersonation_url The URL to the service account
    @type string|FetchAuthTokenInterface $source_credentials The source credentials to impersonate
    @type int                            $lifetime The lifetime of the impersonated credentials
    @type string[]                       $delegates The delegates to impersonate
  • param string|null $targetAudience The audience to request an ID token.
  • param string|string[]|null $defaultScope The scopes to be used if no "scopes" field exists in the $jsonKey.
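The validation the IMPORTANT note above asks for, as an added example that is not part of this page or of the google/auth library: it accepts the decoded JSON array for an impersonated credential only if `service_account_impersonation_url` points at the IAM Credentials endpoint of the expected universe domain and names a service account you intend to impersonate. The accepted URL shape is assumed from the `ID_TOKEN_IMPERSONATION_URL` constant with `generateAccessToken` in place of `generateIdToken`; `$untrustedPath`, `$allowedAccounts` and the 3600-second lifetime cap are assumptions of the example.

```php
<?php
// Added example (not google/auth code): validate an impersonated credential configuration
// from an untrusted source before handing it to ImpersonatedServiceAccountCredentials.
// URL shape assumed from ID_TOKEN_IMPERSONATION_URL, with generateAccessToken in the path.
declare(strict_types=1);

use Google\Auth\Credentials\ImpersonatedServiceAccountCredentials;

/**
 * @param array<string,mixed> $json            decoded credential file
 * @param string              $universeDomain  expected universe, e.g. DEFAULT_UNIVERSE_DOMAIN
 * @param string[]            $allowedAccounts service account emails you intend to impersonate
 * @return array<string,mixed> the same configuration, returned only if every field is acceptable
 */
function validateImpersonatedConfig(array $json, string $universeDomain, array $allowedAccounts): array
{
    if (($json['type'] ?? null) !== 'impersonated_service_account') {
        throw new UnexpectedValueException('unexpected credential type');
    }
    // Require https, the IAM Credentials host of the expected universe, and a path only (no user, port, query, fragment).
    $parts = parse_url((string) ($json['service_account_impersonation_url'] ?? ''));
    $allowedParts = ['scheme' => true, 'host' => true, 'path' => true];
    if (!is_array($parts) || count($parts) !== 3 || array_diff_key($parts, $allowedParts) !== []
        || $parts['scheme'] !== 'https' || strtolower($parts['host']) !== 'iamcredentials.' . $universeDomain) {
        throw new UnexpectedValueException('impersonation URL is not the expected IAM Credentials endpoint');
    }
    if (!preg_match('#^/v1/projects/-/serviceAccounts/([^/:]+):generateAccessToken$#', $parts['path'], $m)
        || !in_array($m[1], $allowedAccounts, true)) {
        throw new UnexpectedValueException('impersonation target is not an allowed service account');
    }
    // Refuse nested impersonation and external-account sources: they carry further URLs that would need validation.
    $source = $json['source_credentials'] ?? null;
    if (!is_array($source) || !in_array($source['type'] ?? null, ['authorized_user', 'service_account'], true)) {
        throw new UnexpectedValueException('source_credentials must be an authorized_user or service_account');
    }
    $delegates = $json['delegates'] ?? [];
    if (!is_array($delegates) || $delegates !== array_filter($delegates, fn ($d) => is_string($d) && in_array($d, $allowedAccounts, true))) {
        throw new UnexpectedValueException('delegates must be allowed service account emails');
    }
    // Lifetime cap of 3600 seconds is an assumption chosen for this example.
    if (isset($json['lifetime']) && (!is_int($json['lifetime']) || $json['lifetime'] < 1 || $json['lifetime'] > 3600)) {
        throw new UnexpectedValueException('lifetime must be an integer between 1 and 3600 seconds');
    }
    return $json;
}

// Usage; $untrustedPath and $allowedAccounts are assumed to be set by the caller.
$json = json_decode((string) file_get_contents($untrustedPath), true, 512, JSON_THROW_ON_ERROR);
$config = validateImpersonatedConfig($json, 'googleapis.com', $allowedAccounts);
$creds = new ImpersonatedServiceAccountCredentials(['https://www.googleapis.com/auth/cloud-platform'], $config);
```

Every check fails closed by throwing, so a configuration whose impersonation URL points anywhere other than the expected IAM Credentials host never reaches the constructor.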
public fetchAuthToken(?callable $httpHandler = NULL)
 
  • param callable|null $httpHandler
  • return array { A set of auth related metadata, containing the following
    @type string $access_token
    @type int $expires_in
    @type string $scope
    @type string $token_type
    @type string $id_token
    
    }
public static Google\Auth\CredentialsLoader::fromEnv()
 

Load a JSON key from the path specified in the environment.

Load a JSON key from the path specified in the environment variable GOOGLE_APPLICATION_CREDENTIALS. Return null if GOOGLE_APPLICATION_CREDENTIALS is not specified.

  • return array|null JSON key | null
public static Google\Auth\CredentialsLoader::fromWellKnownFile()
 

Load a JSON key from a well known path.

The well known path is OS dependent:

  • windows: %APPDATA%/gcloud/application_default_credentials.json
  • others: $HOME/.config/gcloud/application_default_credentials.json

If the file does not exist, this returns null.

  • return array|null JSON key | null
public getCacheKey()
 

Returns the cache key for the credentials. The cache key is the same as the one used by the UserRefreshCredentials class.

  • return string
public getClientName(?callable $unusedHttpHandler = NULL)
 

Get the client name from the keyfile.

In this implementation, it will return the issuer's email from the OAuth token.

  • param callable|null $unusedHttpHandler not used by this credentials type.
  • return string Token issuer email
public static Google\Auth\CredentialsLoader::getDefaultClientCertSource()
 

Gets a callable which returns the default device certificate.

  • throws \UnexpectedValueException
  • return callable|null
public getLastReceivedToken()
 
  • return array
public getUniverseDomain() : string
public Google\Auth\CredentialsLoader::getUpdateMetadataFunc()
 

Export a callback function which updates runtime metadata.

  • return callable updateMetadata function
  • deprecated
public static Google\Auth\CredentialsLoader::makeCredentials( $scope, array $jsonKey, $defaultScope = NULL)
 

Create a new Credentials instance.

  • deprecated This method is being deprecated because of a potential security risk. This method does not validate the credential configuration. The security risk occurs when a credential configuration is accepted from a source that is not under your control and used without validation on your side. If you know that you will be loading credential configurations of a specific type, it is recommended to use a credential-type-specific method. This will ensure that an unexpected credential type with potential for malicious intent is not loaded unintentionally. You might still have to do validation for certain credential types. Please follow the recommendation for that method. For example, if you want to load only service accounts, you can create the {@see \ServiceAccountCredentials} explicitly:
    use Google\Auth\Credentials\ServiceAccountCredentials;
    $creds = new ServiceAccountCredentials($scopes, $json);
    
    If you are loading your credential configuration from an untrusted source and have not mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon as possible to prevent security risks to your environment. Regardless of the method used, it is always your responsibility to validate configurations received from external sources.
  • see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
  • param string|string[] $scope
  • param array $jsonKey
  • param string|string[] $defaultScope
  • return \ServiceAccountCredentials|\UserRefreshCredentials|\ImpersonatedServiceAccountCredentials|\ExternalAccountCredentials
public static Google\Auth\CredentialsLoader::makeHttpClient(Google\Auth\FetchAuthTokenInterface $fetcher, array $httpClientOptions = [], ?callable $httpHandler = NULL, ?callable $tokenCallback = NULL)
 

Create an authorized HTTP Client from an instance of FetchAuthTokenInterface.

  • param \FetchAuthTokenInterface $fetcher is used to fetch the auth token
  • param array $httpClientOptions (optional) Array of request options to apply.
  • param callable|null $httpHandler (optional) http client to fetch the token.
  • param callable|null $tokenCallback (optional) function to be called when a new token is fetched.
  • return \GuzzleHttp\Client
public static Google\Auth\CredentialsLoader::makeInsecureCredentials()
 

Create a new instance of InsecureCredentials.

  • return \InsecureCredentials
public static Google\Auth\CredentialsLoader::quotaProjectFromEnv()
 

Fetch a quota project from the environment variable GOOGLE_CLOUD_QUOTA_PROJECT. Return null if GOOGLE_CLOUD_QUOTA_PROJECT is not specified.

  • return string|null
public static Google\Auth\CredentialsLoader::shouldLoadClientCertSource()
 

Determines whether or not the default device certificate should be loaded.

  • return bool
public signBlob( $stringToSign, $forceOpenSsl = false, $accessToken = NULL)
 

Sign a string using the default service account private key.

This implementation uses IAM's signBlob API.

  • see https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/signBlobSignBlob
  • param string $stringToSign The string to sign.
  • param bool $forceOpenSsl [optional] Does not apply to this credentials type.
  • param string $accessToken The access token to use to sign the blob. If provided, saves a call to the metadata server for a new access token. Defaults to null.
  • return string
  • throws \Exception
public Google\Auth\CredentialsLoader::updateMetadata( $metadata, $authUri = NULL, ?callable $httpHandler = NULL)
 

Updates metadata with the authorization token.

  • param array $metadata metadata hashmap
  • param string $authUri optional auth uri
  • param callable|null $httpHandler callback which delivers psr7 request
  • return array updated metadata hashmap
Properties
protected $impersonatedServiceAccountName = NULL
 
  • var string
protected static Google\Auth\CredentialsLoader::$metricMetadataKey = 'x-goog-api-client'
 
  • var string The header key for the observability metrics.
protected Google\Auth\FetchAuthTokenInterface $sourceCredentials
Methods
protected Google\Auth\CredentialsLoader::applyServiceApiUsageMetrics( $metadata)
 
  • param array $metadata The metadata to update and return.
  • return array The updated metadata.
protected Google\Auth\CredentialsLoader::applyTokenEndpointMetrics( $metadata, $authRequestType)
 
  • param array $metadata The metadata to update and return.
  • param string $authRequestType The auth request type. Possible values are 'at', 'it', 'mds'.
  • return array The updated metadata.
protected getCredType() : string
protected static Google\Auth\CredentialsLoader::getMetricsHeader( $credType = '', $authRequestType = '') : string
 
  • param string $credType [Optional] The credential type. Empty value will not add any credential type to the header. Should be one of 'sa', 'jwt', 'imp', 'mds', 'u'.
  • param string $authRequestType [Optional] The auth request type. Empty value will not add any auth request type to the header. Should be one of 'at', 'it', 'mds'.
  • return string The header value for the observability metrics.
protected static Google\Auth\CredentialsLoader::getVersion() : string
Constants
private Google\Auth\Credentials\ImpersonatedServiceAccountCredentials::CRED_TYPE = 'imp'
private Google\Auth\Credentials\ImpersonatedServiceAccountCredentials::IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
private Google\Auth\Credentials\ImpersonatedServiceAccountCredentials::ID_TOKEN_IMPERSONATION_URL = 'https://iamcredentials.UNIVERSE_DOMAIN/v1/projects/-/serviceAccounts/%s:generateIdToken'
Properties
private $cache = NULL
 
  • var ?\CacheItemPoolInterface
private $cacheConfig = NULL
 
  • var array
private array $delegates
 
  • var string[]
private $iam = NULL
 
  • var \Iam|null
private int $lifetime
private $maxKeyLength = 64
 
  • var int
private string $serviceAccountImpersonationUrl
private ?string $targetAudience
private array|string $targetScope
 
  • var string|string[]
Methods
private getCachedValue( $k)
 

Gets the cached value if it is present in the cache when that is available.

  • param mixed $k
  • return mixed
private getFullCacheKey( $key)
 
  • param null|string $key
  • return null|string
private getImpersonatedServiceAccountNameFromUrl(string $serviceAccountImpersonationUrl) : string
 

Helper function for extracting the service account name from the URL saved in the account credentials file.

  • param string $serviceAccountImpersonationUrl URL from "service_account_impersonation_url"
  • return string Service account email or ID.
private isIdTokenRequest() : bool
private setCachedValue( $k, $v)
 

Saves the value in the cache when that is available.

  • param mixed $k
  • param mixed $v
  • return mixed
© 2026 Bruce Wells