tessl/pypi-google-auth
Google Authentication Library providing comprehensive authentication mechanisms for Google APIs and services including OAuth 2.0, JWT, and service account credentials
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-google-auth@2.40.0index.mddocs/
Google Auth Library
A comprehensive Python library for authenticating to Google APIs and services. Provides server-to-server authentication mechanisms including OAuth 2.0, JWT, and service account credentials with built-in token management, automatic refresh capabilities, and secure credential storage. Designed for high reusability across Google Cloud applications, client libraries, and any Python application requiring authentication with Google services.
Package Information
- Package Name: google-auth
- Language: Python
- Installation:
pip install google-auth
Core Imports
import google.auth
from google.auth import credentials
from google.oauth2 import service_accountFor specific credential types:
from google.auth import default
from google.oauth2 import credentials as oauth2_credentials
from google.auth import jwt
from google.auth.transport import requestsBasic Usage
import google.auth
from google.auth.transport import requests
# Use Application Default Credentials
credentials, project = google.auth.default(
scopes=['https://www.googleapis.com/auth/cloud-platform']
)
# Create an authenticated HTTP session
authed_session = requests.AuthorizedSession(credentials)
# Make authenticated requests
response = authed_session.get('https://www.googleapis.com/compute/v1/projects')Architecture
The library follows a modular design with clear separation of concerns:
- Core Credentials: Base credential interfaces and implementations (
google.auth.credentials) - OAuth2 Components: OAuth2-specific flows and service accounts (
google.oauth2.*) - Transport Layer: HTTP transport adapters for requests, urllib3, gRPC (
google.auth.transport.*) - Cryptographic Utilities: Token signing and verification (
google.auth.crypt,google.auth.jwt) - Platform Integration: Compute Engine, App Engine, external account support
- Async Support: Full async implementations using aiohttp (
google.auth.aio.*)
This design enables flexible authentication across different environments while maintaining consistent interfaces for credential management and token handling.
Capabilities
Application Default Credentials
Automatically detects and loads the most appropriate credentials for the current environment, following Google Cloud's standard credential discovery flow.
def default(
scopes=None,
request=None,
quota_project_id=None,
default_scopes=None
):
"""
Construct credentials from Application Default Credentials.
Args:
scopes (Sequence[str]): The list of scopes for the credentials
request (google.auth.transport.Request): HTTP transport for credential refresh
quota_project_id (str): Project for quota and billing
default_scopes (Sequence[str]): Default scopes from client library
Returns:
Tuple[google.auth.credentials.Credentials, Optional[str]]:
The constructed credentials and project ID
"""
def load_credentials_from_file(
filename,
scopes=None,
default_scopes=None,
quota_project_id=None,
request=None
):
"""
Load Google credentials from a file.
Args:
filename (str): Path to credentials file
scopes (Sequence[str]): Scopes for the credentials
default_scopes (Sequence[str]): Default scopes from client library
quota_project_id (str): Project for quota and billing
request (google.auth.transport.Request): HTTP transport
Returns:
Tuple[google.auth.credentials.Credentials, Optional[str]]:
Loaded credentials and project ID
"""
def load_credentials_from_dict(
info,
scopes=None,
default_scopes=None,
quota_project_id=None,
request=None
):
"""
Load Google credentials from a dictionary.
Args:
info (Mapping[str, str]): Credential information dictionary
scopes (Sequence[str]): Scopes for the credentials
default_scopes (Sequence[str]): Default scopes from client library
quota_project_id (str): Project for quota and billing
request (google.auth.transport.Request): HTTP transport
Returns:
Tuple[google.auth.credentials.Credentials, Optional[str]]:
Loaded credentials and project ID
"""Application Default Credentials
Service Account Credentials
Server-to-server authentication using service account keys and JWT tokens, supporting both OAuth2 flows and self-signed JWTs.
class Credentials(google.auth.credentials.Scoped):
"""Service account credentials for server-to-server authentication."""
def __init__(
self,
signer,
service_account_email,
token_uri,
scopes=None,
default_scopes=None,
subject=None,
project_id=None,
quota_project_id=None,
additional_claims=None,
always_use_jwt_access=False,
universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN,
trust_boundary=None,
**kwargs
): ...
@classmethod
def from_service_account_file(
cls,
filename,
**kwargs
): ...
@classmethod
def from_service_account_info(
cls,
info,
**kwargs
): ...OAuth2 User Credentials
OAuth2 flows for user authentication including authorization code flow, refresh tokens, and user consent management.
class Credentials(google.auth.credentials.ReadOnlyScoped):
"""OAuth2 credentials for user authentication."""
def __init__(
self,
token,
refresh_token=None,
id_token=None,
token_uri=None,
client_id=None,
client_secret=None,
scopes=None,
default_scopes=None,
quota_project_id=None,
expiry=None,
rapt_token=None,
refresh_handler=None,
enable_reauth_refresh=False,
granted_scopes=None,
trust_boundary=None,
universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN,
account=None,
**kwargs
): ...JWT Credentials
JSON Web Token-based authentication for service-to-service communication without OAuth2 flows.
class Credentials(
google.auth.credentials.Signing,
google.auth.credentials.CredentialsWithQuotaProject
):
"""JWT-based credentials for service authentication."""
def __init__(
self,
signer,
issuer,
subject,
audience,
additional_claims=None,
**kwargs
): ...
def encode(signer, payload, header=None, key_id=None):
"""
Encode a JWT token.
Args:
signer (google.auth.crypt.Signer): The signer used to sign the JWT
payload (Mapping[str, str]): JWT payload claims
header (Mapping[str, str]): Additional JWT header fields
key_id (str): Key ID to add to JWT header (overrides signer key_id)
Returns:
bytes: Encoded JWT token
"""
def decode(token, certs=None, verify=True, audience=None, clock_skew_in_seconds=0):
"""
Decode and verify a JWT token.
Args:
token (str): The encoded JWT
certs (Union[str, bytes, Mapping[str, Union[str, bytes]]]): Certificate used to validate JWT signature
verify (bool): Whether to perform signature and claim validation
audience (Union[str, list]): The audience claim that this JWT should contain
clock_skew_in_seconds (int): The number of seconds of clock skew to tolerate
Returns:
Mapping[str, str]: Decoded JWT payload
"""Transport Adapters
HTTP transport implementations for making authenticated requests across different HTTP libraries.
class Request(google.auth.transport.Request):
"""Requests-based HTTP transport."""
def __init__(self, session=None): ...
class AuthorizedSession(requests.Session):
"""Requests session with automatic credential refresh."""
def __init__(self, credentials, **kwargs): ...External Account Credentials
Workload identity and external identity provider integration for multi-cloud and hybrid scenarios.
class Credentials(google.auth.credentials.Scoped):
"""External account credentials for workload identity."""
def __init__(
self,
audience,
subject_token_type,
token_url,
**kwargs
): ...Cryptographic Utilities
Token signing and verification utilities supporting RSA and ECDSA algorithms.
class RSASigner(google.auth.crypt.Signer):
"""RSA-based token signer."""
def __init__(self, key): ...
def sign(self, message): ...
class ES256Signer(google.auth.crypt.Signer):
"""ECDSA P-256 token signer."""
def __init__(self, key): ...
def sign(self, message): ...Async Support
Full async implementations using aiohttp for non-blocking authentication flows.
class Request(google.auth.transport.Request):
"""Async HTTP transport using aiohttp."""
def __init__(self, session=None): ...
async def __call__(self, *args, **kwargs): ...
class AuthorizedSession(aiohttp.ClientSession):
"""Async session with automatic credential refresh."""
def __init__(self, credentials, **kwargs): ...Types
class TokenState(enum.Enum):
"""Token freshness states."""
FRESH = 1
STALE = 2
INVALID = 3
class Credentials:
"""Base credentials interface."""
token: Optional[str]
expiry: Optional[datetime.datetime]
@property
def token_state(self) -> TokenState: ...
@property
def valid(self) -> bool: ...
@property
def expired(self) -> bool: ...
def refresh(self, request: Request) -> None: ...
class Scoped:
"""Interface for credentials supporting OAuth2 scopes."""
def with_scopes(self, scopes: Sequence[str]) -> 'Credentials': ...
class CredentialsWithQuotaProject:
"""Interface for credentials with quota project support."""
def with_quota_project(self, quota_project_id: str) -> 'Credentials': ...
Request = Callable[[str, str, Optional[bytes], Optional[Mapping[str, str]]], Any]