Chilkat.AuthGoogle Class Overview

Chilkat.AuthGoogle obtains OAuth 2.0 access tokens for Google Cloud Platform APIs and Google Apps APIs using a Google service account. It supports JSON private keys and P12 private keys, service account scopes, optional delegated user access, custom JWT claims, and access-token validity tracking.

What the Class Is Used For

Use Chilkat.AuthGoogle when an application needs to authenticate HTTP requests to Google Cloud Platform APIs or Google Apps APIs using a service account. The class builds and signs the service-account JWT, sends the token request, and stores the resulting access token in AccessToken.

Service Account Authentication Obtain access tokens using a Google service account rather than an interactive browser login.
JSON or P12 Key Use JsonKey or SetP12 to provide the private key material.
Scoped Access Set Scope to the space-delimited list of requested Google API permissions.
Use with Rest Use the resulting token or credential object with Chilkat.Rest when making authenticated Google API requests.

Use with Chilkat.Rest

AuthGoogle is used as a way to specify credentials for HTTP requests to Google Cloud Platform APIs and Google Apps APIs using a service account in the Chilkat.Rest class. The AuthGoogle object obtains the access token, and Chilkat.Rest performs the actual HTTP requests to the Google API endpoints.

Responsibility Handled By Description
Configure service-account identity AuthGoogle Uses the service account email and private key information from either a JSON key or P12 key configuration.
Request Google API permissions AuthGoogle Uses Scope to specify the Google API permissions requested by the application.
Obtain the access token AuthGoogle Calls ObtainAccessToken to fetch an access token and store it in AccessToken.
Send Google API requests Chilkat.Rest Sends HTTP requests to Google Cloud Platform or Google Apps APIs using the service-account access token.
Practical role: Think of AuthGoogle as the service-account credential object used to obtain and supply Google API access tokens for Chilkat.Rest requests.

Service Account vs 3-Legged OAuth2

Scenario Use This Class Why
Server-to-server Google API access using a service account Chilkat.AuthGoogle This class is designed for Google service account authentication.
Interactive user consent in a browser Chilkat.OAuth2 For 3-legged OAuth2, where the Google account owner must interactively grant permission in a browser, use the Chilkat OAuth2 class instead.
Important distinction: AuthGoogle is for service accounts. It is not the browser-based user-consent OAuth2 flow.

Typical Workflow

  1. Create a Chilkat.AuthGoogle object.
  2. Provide the service-account private key by setting JsonKey or by calling SetP12.
  3. If using a P12 key, set EmailAddress to the service account client email address.
  4. Set Scope to the space-delimited list of Google API permissions requested by the application.
  5. Optionally set SubEmailAddress for delegated access to a user.
  6. Optionally adjust ExpireNumSeconds, or leave it at the default maximum of 3600 seconds.
  7. Open or provide an existing socket connection to www.googleapis.com.
  8. Call ObtainAccessToken. On success, AccessToken contains the token.
  9. Use the token with Chilkat.Rest or other Chilkat HTTP request classes when calling Google APIs.
  10. Check Valid, NumSecondsRemaining, and LastErrorText as needed.

Core Concepts

Concept Meaning Important Members
Service Account A Google identity used by server-side applications to access Google APIs without interactive user login. JsonKey, EmailAddress, SetP12
Private Key The service-account key used to sign the JWT for the access token request. JsonKey, SetP12, GetP12
Scope A space-delimited list of requested Google API permissions. Scope
Delegated Access A service account may request delegated access for a specific user. SubEmailAddress
Access Token The bearer token used in authenticated Google API requests. ObtainAccessToken, AccessToken, Valid
JWT Claims Claims used when forming the signed JWT for the token request. AddClaims, Iat, ExpireNumSeconds

Properties

Property Purpose Guidance
AccessToken The access token used in Google API requests. Set automatically after a successful ObtainAccessToken call.
JsonKey JSON private key for obtaining an access token. Use when authenticating with a Google service-account JSON key. Set either JsonKey or a P12 key, but not both.
EmailAddress Client email address of the service account. Required when using a P12 key. If using a JSON key, the client_email is already included in the JSON key and this property is unused.
Scope Space-delimited list of requested permissions. Set this to the scopes required by the Google APIs being called.
SubEmailAddress User email address for delegated access. Set when the service account is requesting delegated access for a specific user.
ExpireNumSeconds Requested access token expiration time in seconds. Default is 3600. Maximum is 3600 seconds, or one hour.
Iat Overrides the JWT iat claim. Default is 0, which uses the current system date/time. Leave at the default unless an override is explicitly needed.
NumSecondsRemaining Seconds remaining before the access token expires. Returns 0 if the token is invalid or expired.
Valid Indicates whether AccessToken contains a valid, non-expired token obtained by ObtainAccessToken. Check before reusing a token.
LastErrorText Diagnostic information for the last method or property access. Check after failures or unexpected behavior. Diagnostic information may be available regardless of success or failure.

Private Key Options

Key Type How to Configure Important Details
JSON key Set JsonKey. The JSON key includes the service account client_email, so EmailAddress is unused.
P12 key Call SetP12 with a Pfx object. EmailAddress must be set to the service account client email address.
Choose one key type: An application must set either the P12 private key or the JSON private key, but not both.

Token Lifetime and Validity

Member Meaning Guidance
ExpireNumSeconds Requested token lifetime in seconds. Maximum is 3600. The default is 3600.
Valid True if the current access token is valid and non-expired. Use before reusing AccessToken.
NumSecondsRemaining Number of seconds remaining until the access token expires. A value of 0 means the token is invalid or expired.

Methods

Method Purpose Important Details
ObtainAccessToken Sends the HTTP request to fetch the access token. Requires an existing connection to www.googleapis.com. On success, the token is stored in AccessToken.
AddClaims Adds additional custom claims to the JWT claims set. Use when the token request requires extra JWT claims.
SetP12 Sets the P12 private key used for obtaining an access token. Use when authenticating with a P12 service-account key. Do not also set JsonKey.
GetP12 Returns the private key in a Pfx object. Available only if the private key was previously set by SetP12.
LoadTaskCaller Loads the caller of the task's async method. Used in asynchronous workflows after a task completes.

Clock Accuracy Requirement

Service-account authentication uses JWT time claims. The computer's system date and time must be accurate when requesting a token. If the local clock is too far off, Google can reject the request.

Invalid JWT error: If the computer date/time is not accurately set, the token request may fail with a 400 response indicating that the JWT must be short-lived and within a reasonable timeframe. Check the iat and exp values and use an accurate system clock.

Method and Property Summary by Category

Category Members Purpose
Credentials JsonKey, SetP12, GetP12, EmailAddress Provide service-account identity and private key material.
Permissions and delegation Scope, SubEmailAddress Request Google API permissions and optional delegated user access.
JWT options Iat, ExpireNumSeconds, AddClaims Control JWT timing and add optional custom claims.
Token request ObtainAccessToken Fetch a Google API access token using the configured service-account credentials.
Token state AccessToken, Valid, NumSecondsRemaining Store and inspect the current access token.
Async workflow LoadTaskCaller Load the caller object from a completed asynchronous task.
Diagnostics LastErrorText Read diagnostic information after failed or unexpected operations.

Security Notes

Item Security Guidance
JSON key or P12 key Treat service-account private keys as secrets. Do not expose them in client-side code, public repositories, logs, or error messages.
AccessToken Treat access tokens as bearer credentials. Anyone with the token may be able to call the allowed Google APIs until it expires.
Scope Request only the permissions required by the application.
SubEmailAddress Use delegated access only when the service account is authorized for that scenario and the application intentionally acts on behalf of a user.

Diagnostics and Troubleshooting

Problem Area Member What to Check
Token request fails ObtainAccessToken, LastErrorText Confirm the connection is to www.googleapis.com, credentials are correct, the scope is valid, and diagnostics are checked.
Invalid JWT time error Iat, ExpireNumSeconds Make sure the computer's system clock is accurate. Leave Iat at the default unless an override is explicitly required.
Using JSON key but setting email manually JsonKey, EmailAddress When using a JSON key, the client email is already included in the JSON key, and EmailAddress is unused.
Using P12 key without an email address SetP12, EmailAddress When using a P12 key, set EmailAddress to the service account client email address.
Access token expired Valid, NumSecondsRemaining Check whether the current token is still valid. If not, obtain a new access token.
Google API request is unauthorized Scope, AccessToken Confirm the requested scope allows the API operation and that the token is being sent with the REST request.
Need operation details after failure LastErrorText Check diagnostic text after failed or unexpected token-generation, credential, connection, or async behavior.

Common Pitfalls

Pitfall Better Approach
Using AuthGoogle for browser-based OAuth2 consent. Use Chilkat.OAuth2 for 3-legged OAuth2 flows that require interactive user permission in a browser.
Setting both JSON and P12 private keys. Set either JsonKey or a P12 key with SetP12, but not both.
Using a P12 key without setting EmailAddress. Set EmailAddress when authenticating with a P12 key.
Overriding Iat unnecessarily. Leave Iat at 0 so Chilkat uses the current system date/time.
Requesting a token lifetime greater than one hour. Keep ExpireNumSeconds at or below 3600.
Assuming an access token remains valid indefinitely. Use Valid and NumSecondsRemaining to check token state.
Ignoring diagnostics after token request failure. Check LastErrorText and the Google token response details.

Best Practices

Recommendation Reason
Use AuthGoogle for service-account authentication. It is designed for Google Cloud Platform API and Google Apps API calls using a service account.
Use Chilkat.OAuth2 for 3-legged OAuth2. Interactive browser-based permission grants require the OAuth2 class instead.
Prefer JSON keys when the service account key is supplied in JSON format. The JSON key already contains the client email and key metadata needed by the service account.
Protect service-account private keys and access tokens. Both can authorize access to Google APIs.
Set Scope to the minimum permissions needed. Narrow scopes reduce the impact of credential exposure or misuse.
Keep the system clock accurate. JWT token requests depend on valid iat and expiration timing.
Check Valid before reusing an access token. Expired tokens should be replaced by calling ObtainAccessToken again.
Check LastErrorText after failures. It provides useful diagnostic detail for failed or unexpected authentication behavior.

Summary

Chilkat.AuthGoogle is the Chilkat credential class for obtaining Google API access tokens using a service account. It supports JSON and P12 private keys, scoped permissions, optional delegated access, token lifetime control, custom JWT claims, and token validity checks.

The most important practical guidance is to use this class for service-account authentication with Google Cloud Platform APIs and Google Apps APIs, use Chilkat.OAuth2 for browser-based 3-legged OAuth2, set either JsonKey or a P12 key but not both, keep the system clock accurate, protect private keys and access tokens, and use the obtained token with Chilkat.Rest for authenticated Google API requests.