The supported credential mechanisms.

Performs credentials discovery in the following order:

1. Read the default credentials from a file specified by the environment variable GOOGLE_APPLICATION_CREDENTIALS if it exists.
2. Read the platform equivalent of ~/.config/gcloud/application_default_credentials.json if it exists. The ~/.config component of the path can be overriden by the environment variable CLOUDSDK_CONFIG if it exists.
3. Retrieve the default service account application credentials if running on GCE. The environment variable NO_GCE_CHECK can be used to skip this check if set to a truthy value such as 1 or true.

The specified Scopes are used to authorize any service_account that is found with the appropriate OAuth2 scopes, otherwise they are not used. See the top-level module of each individual gogol-* library for a list of available scopes, such as Network.Google.Compute.computeScope.

See: Application Default Credentials

Attempt to load either a service_account or authorized_user formatted file to obtain the credentials neccessary to perform a token refresh.

The specified Scopes are used to authorize any service_account that is found with the appropriate scopes, otherwise they are not used. See the top-level module of each individual gogol-* library for a list of available scopes, such as Network.Google.Compute.computeScope.

See: cloudSDKConfigPath, defaultCredentialsPath.

Attempt to load either a service_account or authorized_user formatted file to obtain the credentials neccessary to perform a token refresh from the specified file.

The specified Scopes are used to authorize any service_account that is found with the appropriate scopes, otherwise they are not used. See the top-level module of each individual gogol-* library for a list of available scopes, such as Network.Google.Compute.computeScope.

Save AuthorizedUser See: cloudSDKConfigPath, defaultCredentialsPath.

Save AuthorizedUser

Set the user to be impersonated for a service account with domain wide delegation. See https://developers.google.com/identity/protocols/OAuth2ServiceAccount

Create new Installed Application credentials.

Since it is intended that the user opens the URL generated by formURL in a browser and the resulting OAuthCode is then received out-of-band, you must ensure that the scopes passed to formURL and the type of OAuthCode correctly match, otherwise an authorization error will occur.

For example, doing this via getLine and copy-paste:

{-# LANGUAGE ScopedTypeVariables #-}

import Data.Proxy     (Proxy (..))
import Data.Text      as T
import Data.Text.IO   as T
import System.Exit    (exitFailure)
import System.Info    (os)
import System.Process (rawSystem)

redirectPrompt :: AllowScopes (s :: [Symbol]) => OAuthClient -> proxy s -> IO (OAuthCode s)
redirectPrompt c p = do
  let url = formURL c p
  T.putStrLn $ "Opening URL " `T.append` url
  _ <- case os of
    "darwin" -> rawSystem "open"     [unpack url]
    "linux"  -> rawSystem "xdg-open" [unpack url]
    _        -> T.putStrLn "Unsupported OS" >> exitFailure
  T.putStrLn "Please input the authorisation code: "
  OAuthCode <$> T.getLine

This ensures the scopes passed to formURL and the type of OAuthCode s are correct.

Given an OAuthClient and a list of scopes to authorize, construct a URL that can be used to obtain the OAuthCode.

See: Forming the URL.

Apply the (by way of possible token refresh) a bearer token to the authentication header of a request.

Data store which ensures thread-safe access of credentials.

Construct storage containing the credentials which have not yet been exchanged or refreshed.

Retrieve auth from storage

An OAuthToken that can potentially be expired, with the original credentials that can be used to perform a refresh.

authToAuthorizedUser converts Auth into an AuthorizedUser by returning Right if there is a FromClient-constructed Credentials and a refreshed token; otherwise, returning Left with error message.

Perform the initial credentials exchange to obtain a valid OAuthToken suitable for authorizing requests.

Refresh an existing OAuthToken.

The NO_GCE_CHECK environment variable.

The environment variable name which is used to specify the directory containing the application_default_credentials.json generated by gcloud init.

The environment variable pointing the file with local Application Default Credentials.

An error thrown when attempting to readwrite AuthNAuthZ information.

A client identifier and accompanying secret used to obtain/refresh a token.

An OAuth bearer type token of the following form:

{
  \"token_type\": \"Bearer\",
  \"access_token\": \"eyJhbGci...\",
  \"refresh_token\": \"1/B3gq9K...\",
  \"expires_in\": 3600,
  ...
}

The _tokenAccess field will be inserted verbatim into the Authorization: Bearer ... header for all HTTP requests.

An OAuth client authorization code.

An OAuth2 scope.

An OAuth2 access token.

An OAuth2 refresh token.

An opaque client secret.

A service identifier.

A client identifier.