Allow directly specifying access_token to use in credentials

[salrashid123]

Allow specifying an access_token directly into a Credential
for reference, see:
googleapis/google-cloud-node#1346

I didn't see a credential type here that would allow for this:
https://developers.google.com/api-client-library/dotnet/reference/1.10.0/classGoogle_1_1Apis_1_1Auth_1_1OAuth2_1_1GoogleCredential#details

[jskeet]

Does the UserCredential class not do what you want?

https://developers.google.com/api-client-library/dotnet/reference/1.10.0/classGoogle_1_1Apis_1_1Auth_1_1OAuth2_1_1UserCredential

[salrashid123]

I doubt that'll do it. Usercredentials doesn't have a way to directly plugin an access token (its designed for webflows and processing full tokenresponses w/ refresh).
What asked here is for a credential to initialize with just a raw token
the analog in python is AccessTokenCredentials

[jskeet]

I don't see what you mean about UserCredentials not having a way to plug in an access token - it has a constructor that takes a TokenResponse... can't you just pass in a TokenResponse which is set to never expire (but has the token prepopulated), and an IAuthorizationCodeFlow that just throws if it's ever asked to refresh anything?

Assuming that works, we could certainly add a shortcut to create it, but I'd like to know whether it does work first. Are you able to try that out?

[salrashid123]

(sorry, didn't intend to close).
i tried to inject in raw token into the token response and then try to work it into UserCredentials but still no luck

[jskeet]

Okay - I'll give it a go myself when I get a chance. Unlikely to be in the next couple of days though.

[salrashid123]

got it working (i needed to fully specify the token w/ issue time and duration)

            // gcloud auth print-access-token
            var valid_token = "redacted";
            var invalid_token = "redacted";            
            var token = new Google.Apis.Auth.OAuth2.Responses.TokenResponse()
            {
                AccessToken = valid_token,
                ExpiresInSeconds = 3600,
                Issued = DateTime.Now
            };
            var fakeflow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
            {
                ClientSecrets = new ClientSecrets
                {
                    ClientId = "abc",
                    ClientSecret = "abc"
                }
            });
            UserCredential credential = new UserCredential(fakeflow, "blahblah", token);
            Console.WriteLine(credential.Token.AccessToken);
            var serviceInitializer = new BaseClientService.Initializer()
            {
                ApplicationName = "Storage Sample",
                HttpClientInitializer = credential
            };
            service = new StorageService(serviceInitializer);

[jskeet]

Great - although I'd have expected an ExpiresInSeconds value of something huge, so that it never tried to refresh at all. Or is the idea that you'd only use this token for a short time anyway?

[salrashid123]

These tokens will expire and are issued with 3600s shelf life by default. Its opaque so we would not know how long its currently valid for unless we query during initialization like the following:

curl https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=$(gcloud auth print-access-token)

(which we probably shoudn't do; its a round-trip)

I tried a couple of things:

1. If the token is invalid (old, totally expired): we'll see 401 error (invalid credentials)
2. if the token is within 60s of expiration (given issued, ExpiresInSeconds, IsExpired)...the code will attempt to refresh the token but will result in: "The access token has expired but we can't refresh it"

We can check the other language implementations but I think its fine with the logic and set it to (3600,Now); if it expires before that, you'll still see error#1.

Here's a reference implementation for python (its set to null):
oauth2client.client.AccessTokenCredentials
in .net, i had to specify the both Issued and Expired (if i didn't i'd end up seeing the error #2 even for valid creds)

[chrisdunelm]

Closing, as seems to be resolved.

[salrashid123]

@chrisdunelm I don't think this FR is implemented yet
(all did in #761 (comment) is hack a workaround/POC). it'd really need to get baked into the library directly.

for ref again, its there in java and heres's the one for node
googleapis/google-cloud-node#1346

[chrisdunelm]

@salrashid123 Thanks for the clarification. I'll take a look at this next week.

[chrisdunelm]

@salrashid123 Please can you confirm #1062 implements this feature as required?

[salrashid123]

look good; thanks
used the following to verify:

using Google.Cloud.Storage.V1;

//GoogleCredential credential = GoogleCredential.GetApplicationDefault();
GoogleCredential credential = GoogleCredential.FromAccessToken("__redacted___");

var client = StorageClient.Create(credential);
foreach (var obj in client.ListObjects("uspto-pair", ""))
        Console.WriteLine( "  " + obj.Name + "  ");

with a .csproj referencing your current git clone https://github.com/chrisdunelm/google-api-dotnet-client.git) directly

$ dotnet --info
.NET Command Line Tools (1.0.1)

Product Information:
 Version:            1.0.1
 Commit SHA-1 hash:  005db40cd1

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp1.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <ProjectReference Include="../Google.Apis.Core/Google.Apis.Core.csproj" />
    <ProjectReference Include="../Google.Apis/Google.Apis.csproj" />
    <ProjectReference Include="../Google.Apis.Auth/Google.Apis.Auth.csproj" />
    <ProjectReference Include="../Google.Apis.Auth.PlatformServices/Google.Apis.Auth.PlatformServices.csproj" />
    <PackageReference Include="Google.Cloud.Storage.V1" Version="1.0.0" />
  </ItemGroup>

</Project>

---

invalid and expired token gives

ERROR: Google.Apis.Requests.RequestError
Invalid Credentials [401]
Errors [
	Message[Invalid Credentials] Location[Authorization - header] Reason[authError] Domain[global]
]

---

[chrisdunelm]

@salrashid123 thanks for the testing and confirmation. I've just added an integration test in #1065.

[EmilAlipiev]

why does the GoogleAuthorizationCodeFlow requires ClientSecret ? If I have a token using Android application which doesnt have client secret, how can I provide it and why I cant use my existing Token?

var fakeflow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
ClientSecrets = new ClientSecrets
{
ClientId = "abc",
ClientSecret = "abc"
}
});

[chrisdunelm]

@EmilAlipiev GoogleAuthorizationCodeFlow is for when using oauth2 authentication. It requires a ClientSecret to identify the credentials to use.
If you already have an access-token, you can use GoogleCredential.FromAccessToken(...).

If this isn't what you're looking for, please can you explain in more detail what you're trying to do. Thanks.

[EmilAlipiev]

I created a SO question. please see the entire question there

[chrisdunelm]

As already answered in the SO question, we don't support Xamarin.