The supported credential mechanisms.

Performs credentials discovery in the following order:

1. Read the default credentials from a file specified by the environment variable GOOGLE_APPLICATION_CREDENTIALS if it exists.
2. Read the platform equivalent of ~/.config/gcloud/application_default_credentials.json if it exists. The ~/.config component of the path can be overriden by the environment variable CLOUDSDK_CONFIG if it exists.
3. Retrieve the default service account application credentials if running on GCE. The environment variable NO_GCE_CHECK can be used to skip this check if set to a truthy value such as 1 or true.

The specified Scopes are used to authorize any service_account that is found with the appropriate OAuth2 scopes, otherwise they are not used. See the top-level module of each individual gogol-* library for a list of available scopes, such as Network.Google.Compute.computeScope.

See: Application Default Credentials

Attempt to load either a service_account or authorized_user formatted file to obtain the credentials neccessary to perform a token refresh.

The specified Scopes are used to authorize any service_account that is found with the appropriate scopes, otherwise they are not used. See the top-level module of each individual gogol-* library for a list of available scopes, such as Network.Google.Compute.computeScope.

See: cloudSDKConfigPath, defaultCredentialsPath.

Attempt to load either a service_account or authorized_user formatted file to obtain the credentials neccessary to perform a token refresh from the specified file.

The specified Scopes are used to authorize any service_account that is found with the appropriate scopes, otherwise they are not used. See the top-level module of each individual gogol-* library for a list of available scopes, such as Network.Google.Compute.computeScope.

Create new Installed Application credentials.

Since it is intended that the user opens the URL generated by formURL in a browser and the resulting OAuthCode is then received out-of-band, you must ensure that the scopes passed to formURL and the type of OAuthCode correctly match, otherwise an authorization error will occur.

For example, doing this via getLine and copy-paste:

{-# LANGUAGE ScopedTypeVariables #-}

import Data.Proxy     (Proxy (..))
import System.Exit    (exitFailure)
import System.Info    (os)
import System.Process (rawSystem)

import qualified Data.ByteString            as BS
import qualified Data.ByteString.Lazy.Char8 as LBS8

redirectPrompt :: forall s. OAuthClient -> proxy s -> IO (OAuthCode s)
redirectPrompt c p = do
    let url = LBS8.unpack (formURL c (Proxy :: Proxy s))
    putStrLn $ "Opening URL " ++ url
    case os of
        "darwin" -> rawSystem "open"     [url]
        "linux"  -> rawSystem "xdg-open" [url]
        _        -> putStrLn "Unsupported OS" >> exitFailure
    putStrLn "Please input the authorisation code: "
    OAuthCode . LBS.fromStrict <$> BS.getLine

This ensures the scopes passed to formURL and the type of OAuthCode s are correct.

Given an OAuthClient and a list of scopes to authorize, construct a URL that can be used to obtain the OAuthCode.

See: Forming the URL.

Apply the (by way of possible token refresh) a bearer token to the authentication header of a request.

Data store which ensures thread-safe access of credentials.

Construct storage containing the credentials which have not yet been exchanged or refreshed.

An OAuthToken that can potentially be expired, with the original credentials that can be used to perform a refresh.

Perform the initial credentials exchange to obtain a valid OAuthToken suitable for authorizing requests.

Refresh an existing OAuthToken using

The NO_GCE_CHECK environment variable.

The environment variable name which is used to specify the directory containing the application_default_credentials.json generated by gcloud init.

The environment variable pointing the file with local Application Default Credentials.

An error thrown when attempting to read AuthN/AuthZ information.

A client identifier and accompanying secret used to obtain/refresh a token.

An OAuth bearer type token of the following form:

{
  \"token_type\": \"Bearer\",
  \"access_token\": \"eyJhbGci...\",
  \"refresh_token\": \"1/B3gq9K...\",
  \"expires_in\": 3600,
  ...
}

The _tokenAccess field will be inserted verbatim into the Authorization: Bearer ... header for all HTTP requests.

An OAuth client authorization code.