source: vendor/google/auth/src/Credentials/UserRefreshCredentials.php@ e3d4e0a

Last change on this file since e3d4e0a was e3d4e0a, checked in by Vlado 222039 <vlado.popovski@…>, 7 days ago

Upload project files
  • Property mode set to 100644
File size: 6.1 KB
Line 
1<?php
2/*
3 * Copyright 2015 Google Inc.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18namespace Google\Auth\Credentials;
19
20use Google\Auth\CredentialsLoader;
21use Google\Auth\GetQuotaProjectInterface;
22use Google\Auth\OAuth2;
23use InvalidArgumentException;
24use LogicException;
25
26/**
27 * Authenticates requests using User Refresh credentials.
28 *
29 * This class allows authorizing requests from user refresh tokens.
30 *
31 * This the end of the result of a 3LO flow. E.g, the end result of
32 * 'gcloud auth login' saves a file with these contents in well known
33 * location
34 *
35 * @see [Application Default Credentials](http://goo.gl/mkAHpZ)
36 */
37class UserRefreshCredentials extends CredentialsLoader implements GetQuotaProjectInterface
38{
39 /**
40 * Used in observability metric headers
41 *
42 * @var string
43 */
44 private const CRED_TYPE = 'u';
45
46 /**
47 * The OAuth2 instance used to conduct authorization.
48 *
49 * @var OAuth2
50 */
51 protected $auth;
52
53 /**
54 * The quota project associated with the JSON credentials
55 *
56 * @var string
57 */
58 protected $quotaProject;
59
60 /**
61 * Whether this is an ID token request or an access token request. Used when
62 * building the metric header.
63 */
64 private bool $isIdTokenRequest = false;
65
66 /**
67 * Create a new UserRefreshCredentials.
68 *
69 * @param string|string[]|null $scope the scope of the access request, expressed
70 * either as an Array or as a space-delimited String.
71 * @param string|array<mixed> $jsonKey JSON credential file path or JSON credentials
72 * as an associative array
73 * @param string|null $targetAudience The audience for the ID token.
74 */
75 public function __construct(
76 $scope,
77 $jsonKey,
78 string $targetAudience = null
79 ) {
80 if (is_string($jsonKey)) {
81 if (!file_exists($jsonKey)) {
82 throw new InvalidArgumentException('file does not exist or is unreadable');
83 }
84 $json = file_get_contents($jsonKey);
85 if (!$jsonKey = json_decode((string) $json, true)) {
86 throw new LogicException('invalid json for auth config');
87 }
88 }
89 if (!array_key_exists('client_id', $jsonKey)) {
90 throw new InvalidArgumentException(
91 'json key is missing the client_id field'
92 );
93 }
94 if (!array_key_exists('client_secret', $jsonKey)) {
95 throw new InvalidArgumentException(
96 'json key is missing the client_secret field'
97 );
98 }
99 if (!array_key_exists('refresh_token', $jsonKey)) {
100 throw new InvalidArgumentException(
101 'json key is missing the refresh_token field'
102 );
103 }
104 if ($scope && $targetAudience) {
105 throw new InvalidArgumentException(
106 'Scope and targetAudience cannot both be supplied'
107 );
108 }
109 $additionalClaims = [];
110 if ($targetAudience) {
111 $additionalClaims = ['target_audience' => $targetAudience];
112 $this->isIdTokenRequest = true;
113 }
114 $this->auth = new OAuth2([
115 'clientId' => $jsonKey['client_id'],
116 'clientSecret' => $jsonKey['client_secret'],
117 'refresh_token' => $jsonKey['refresh_token'],
118 'scope' => $scope,
119 'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI,
120 'additionalClaims' => $additionalClaims,
121 ]);
122 if (array_key_exists('quota_project_id', $jsonKey)) {
123 $this->quotaProject = (string) $jsonKey['quota_project_id'];
124 }
125 }
126
127 /**
128 * @param callable|null $httpHandler
129 * @param array<mixed> $metricsHeader [optional] Metrics headers to be inserted
130 * into the token endpoint request present.
131 * This could be passed from ImersonatedServiceAccountCredentials as it uses
132 * UserRefreshCredentials as source credentials.
133 *
134 * @return array<mixed> {
135 * A set of auth related metadata, containing the following
136 *
137 * @type string $access_token
138 * @type int $expires_in
139 * @type string $scope
140 * @type string $token_type
141 * @type string $id_token
142 * }
143 */
144 public function fetchAuthToken(?callable $httpHandler = null, array $metricsHeader = [])
145 {
146 return $this->auth->fetchAuthToken(
147 $httpHandler,
148 $this->applyTokenEndpointMetrics($metricsHeader, $this->isIdTokenRequest ? 'it' : 'at')
149 );
150 }
151
152 /**
153 * Return the Cache Key for the credentials.
154 * The format for the Cache key is one of the following:
155 * ClientId.Scope
156 * ClientId.Audience
157 *
158 * @return string
159 */
160 public function getCacheKey()
161 {
162 $scopeOrAudience = $this->auth->getScope();
163 if (!$scopeOrAudience) {
164 $scopeOrAudience = $this->auth->getAudience();
165 }
166
167 return $this->auth->getClientId() . '.' . $scopeOrAudience;
168 }
169
170 /**
171 * @return array<mixed>
172 */
173 public function getLastReceivedToken()
174 {
175 return $this->auth->getLastReceivedToken();
176 }
177
178 /**
179 * Get the quota project used for this API request
180 *
181 * @return string|null
182 */
183 public function getQuotaProject()
184 {
185 return $this->quotaProject;
186 }
187
188 /**
189 * Get the granted scopes (if they exist) for the last fetched token.
190 *
191 * @return string|null
192 */
193 public function getGrantedScope()
194 {
195 return $this->auth->getGrantedScope();
196 }
197
198 protected function getCredType(): string
199 {
200 return self::CRED_TYPE;
201 }
202}
Note: See TracBrowser for help on using the repository browser.