Google Auth Library for Ruby
- Homepage
- http://www.github.com/googleapis/google-auth-library-ruby
- Authors
- Tim Emiola
- Copyright
- Copyright © 2015 Google, Inc.
- License
- Apache 2.0
This is Google's officially supported Ruby client library for using OAuth 2.0 authorization and authentication with Google APIs.
Be sure https://rubygems.org/ is in your gem sources.
For normal client usage, this is sufficient:
```shell
$ gem install googleauth
```
```ruby
require 'googleauth'

# Get the environment configured authorization
scopes = ['https://www.googleapis.com/auth/cloud-platform',
          'https://www.googleapis.com/auth/compute']
authorization = Google::Auth.get_application_default(scopes)

# Add the access token obtained using the authorization to a hash, e.g.
# headers.
some_headers = {}
authorization.apply(some_headers)
```
This library provides an implementation of application default credentials for Ruby.
The Application Default Credentials provide a simple way to get authorization credentials for use in calling Google APIs.
They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Compute Engine.
The library also provides support for requesting and storing user credentials (3-Legged OAuth2). Two implementations are currently available: a generic authorizer useful for command line apps or custom integrations, and a web variant tailored toward Rack-based applications.
The authorizers are intended for authorization use cases. For sign-on, see Google Identity Platform.
If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.
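One way to run such a validation before the JSON reaches `googleauth`, as an added example that is not part of this library. The field names follow Google's credential JSON formats; the accepted types, the host allowlist and the helper names are a policy assumed here, and the sample input is constructed.

```ruby
require 'json'
require 'uri'

# Policy assumed for this example, not taken from the library.
ALLOWED_TYPES = %w[service_account external_account].freeze
ALLOWED_HOSTS = %w[oauth2.googleapis.com sts.googleapis.com
                   iamcredentials.googleapis.com].freeze
URL_FIELDS = %w[token_uri token_url token_info_url
                service_account_impersonation_url].freeze

def allowed_https_url?(value)
  uri = URI.parse(value.to_s)
  uri.is_a?(URI::HTTPS) && ALLOWED_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

# Returns a list of problems; an empty list means the config passed the policy.
def credential_config_problems(raw_json)
  config = JSON.parse(raw_json)
  return ['top level is not a JSON object'] unless config.is_a?(Hash)

  problems = []
  unless ALLOWED_TYPES.include?(config['type'])
    problems << "type #{config['type'].inspect} is not accepted"
  end
  URL_FIELDS.each do |field|
    next unless config.key?(field)
    problems << "#{field} is outside the host allowlist" unless allowed_https_url?(config[field])
  end
  # In the external_account format, credential_source may name a URL or a
  # command to obtain a subject token from; this policy refuses both.
  source = config['credential_source']
  if source.is_a?(Hash)
    %w[url executable].each do |key|
      problems << "credential_source.#{key} is not accepted" if source.key?(key)
    end
  end
  problems
rescue JSON::ParserError
  ['not valid JSON']
end

# Constructed sample: an external_account config with two rewritten fields.
SAMPLE_UNTRUSTED = JSON.generate(
  'type' => 'external_account',
  'token_url' => 'https://sts.googleapis.com/v1/token',
  'service_account_impersonation_url' => 'https://example.net/v1/sa:generateAccessToken',
  'credential_source' => { 'executable' => { 'command' => '/tmp/helper' } }
)
```

Only pass the configuration on to the library when the returned list is empty.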
```ruby
require 'googleauth'
require 'googleauth/web_user_authorizer'
require 'googleauth/stores/redis_token_store'
require 'redis'

client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
scope = ['https://www.googleapis.com/auth/drive']
token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
authorizer = Google::Auth::WebUserAuthorizer.new(
  client_id, scope, token_store, '/oauth2callback')

get('/authorize') do
  # NOTE: Assumes the user is already authenticated to the app
  user_id = request.session['user_id']
  credentials = authorizer.get_credentials(user_id, request)
  if credentials.nil?
    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
  end
  # Credentials are valid, can call APIs
  # ...
end

get('/oauth2callback') do
  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
    request)
  redirect target_url
end
```
Proof Key for Code Exchange (PKCE) is an RFC that aims to prevent malicious operating system processes from hijacking an OAuth 2.0 exchange. PKCE mitigates this vulnerability by including `code_challenge` and `code_challenge_method` parameters in the Authorization Request and a `code_verifier` parameter in the Access Token Request.
```ruby
require 'googleauth'
require 'googleauth/web_user_authorizer'
require 'googleauth/stores/redis_token_store'
require 'redis'

client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
scope = ['https://www.googleapis.com/auth/drive']
token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
authorizer = Google::Auth::WebUserAuthorizer.new(
  client_id, scope, token_store, '/oauth2callback')

get('/authorize') do
  # NOTE: Assumes the user is already authenticated to the app
  user_id = request.session['user_id']
  # User needs to take care of generating the code_verifier and storing it in
  # the session.
  request.session['code_verifier'] ||= Google::Auth::WebUserAuthorizer.generate_code_verifier
  authorizer.code_verifier = request.session['code_verifier']
  credentials = authorizer.get_credentials(user_id, request)
  if credentials.nil?
    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
  end
  # Credentials are valid, can call APIs
  # ...
end

get('/oauth2callback') do
  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
    request)
  redirect target_url
end
```
The Google Auth OOB flow was discontinued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this OOB Migration guide.
```ruby
require 'googleauth'
require 'googleauth/stores/file_token_store'

OOB_URI = 'urn:ietf:wg:oauth:2.0:oob'

scope = 'https://www.googleapis.com/auth/drive'
client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
token_store = Google::Auth::Stores::FileTokenStore.new(
  :file => '/path/to/tokens.yaml')
authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)

user_id = ENV['USER']
credentials = authorizer.get_credentials(user_id)
if credentials.nil?
  url = authorizer.get_authorization_url(base_url: OOB_URI)
  puts "Open #{url} in your browser and enter the resulting code:"
  code = gets
  credentials = authorizer.get_and_store_credentials_from_code(
    user_id: user_id, code: code, base_url: OOB_URI)
end

# OK to use credentials
```

```ruby
scope = 'https://www.googleapis.com/auth/androidpublisher'

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open('/path/to/service_account_json_key.json'),
  scope: scope)

authorizer.fetch_access_token!
```
You can also use a JSON keyfile by setting the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.

```shell
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_json_key.json
```

```ruby
require 'googleauth'
require 'google/apis/drive_v3'

Drive = ::Google::Apis::DriveV3
drive = Drive::DriveService.new

scope = 'https://www.googleapis.com/auth/drive'

authorizer = Google::Auth::ServiceAccountCredentials.from_env(scope: scope)
drive.authorization = authorizer

list_files = drive.list_files()
```

This is similar to regular service account authorization (see this answer for more details on the differences), but you'll need to indicate which user your service account is impersonating by manually updating the `sub` field.

```ruby
scope = 'https://www.googleapis.com/auth/androidpublisher'

authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
  json_key_io: File.open('/path/to/service_account_json_key.json'),
  scope: scope)
authorizer.update!(sub: "email-to-impersonate@your-domain.com")

authorizer.fetch_access_token!
```

```shell
export GOOGLE_ACCOUNT_TYPE=service_account
export GOOGLE_CLIENT_ID=000000000000000000000
export GOOGLE_CLIENT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com
export GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
```

```ruby
require 'googleauth'
require 'google/apis/drive_v3'

Drive = ::Google::Apis::DriveV3
drive = Drive::DriveService.new

# Auths with ENV vars:
# "GOOGLE_CLIENT_ID",
# "GOOGLE_CLIENT_EMAIL",
# "GOOGLE_ACCOUNT_TYPE",
# "GOOGLE_PRIVATE_KEY"
auth = ::Google::Auth::ServiceAccountCredentials
  .make_creds(scope: 'https://www.googleapis.com/auth/drive')
drive.authorization = auth

list_files = drive.list_files()
```
Authorizers require a storage instance to manage long term persistence of access and refresh tokens. Two storage implementations are included:
- Google::Auth::Stores::FileTokenStore
- Google::Auth::Stores::RedisTokenStore
Custom storage implementations can also be used. See token_store.rb for additional details.
This library is supported on Ruby 3.0+.
Google provides official support for Ruby versions that are actively supported by Ruby Core—that is, Ruby versions that are either in normal maintenance or in security maintenance, and not end of life. Older versions of Ruby may still work, but are unsupported and not recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby support schedule.
This library is licensed under Apache 2.0. Full license text is available in LICENSE.
See CONTRIBUTING.
Please report bugs at the project on GitHub. Don't hesitate to ask questions about the client or APIs on StackOverflow.