• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..28-Jun-2022-

src/H28-Jun-2022-6,8643,328

COPYINGH A D21-Jun-202211.1 KiB203169

LICENSEH A D21-Jun-202210 KiB204169

README.mdH A D21-Jun-202210.3 KiB313234

SECURITY.mdH A D21-Jun-2022329 84

autoload.phpH A D21-Jun-20221.1 KiB3516

composer.jsonH A D21-Jun-20221.1 KiB4241

phpstan.neon.distH A D21-Jun-2022236 1110

README.md

1# Google Auth Library for PHP
2
3<dl>
4  <dt>Homepage</dt><dd><a href="http://www.github.com/google/google-auth-library-php">http://www.github.com/google/google-auth-library-php</a></dd>
5  <dt>Reference Docs</dt><dd><a href="https://googleapis.github.io/google-auth-library-php/main/">https://googleapis.github.io/google-auth-library-php/main/</a></dd>
6  <dt>Authors</dt>
7    <dd><a href="mailto:temiola@google.com">Tim Emiola</a></dd>
8    <dd><a href="mailto:stanleycheung@google.com">Stanley Cheung</a></dd>
9    <dd><a href="mailto:betterbrent@google.com">Brent Shaffer</a></dd>
10  <dt>Copyright</dt><dd>Copyright © 2015 Google, Inc.</dd>
11  <dt>License</dt><dd>Apache 2.0</dd>
12</dl>
13
14## Description
15
16This is Google's officially supported PHP client library for using OAuth 2.0
17authorization and authentication with Google APIs.
18
19### Installing via Composer
20
21The recommended way to install the google auth library is through
22[Composer](http://getcomposer.org).
23
24```bash
25# Install Composer
26curl -sS https://getcomposer.org/installer | php
27```
28
29Next, run the Composer command to install the latest stable version:
30
31```bash
32composer.phar require google/auth
33```
34
35## Application Default Credentials
36
37This library provides an implementation of
38[application default credentials][application default credentials] for PHP.
39
40The Application Default Credentials provide a simple way to get authorization
41credentials for use in calling Google APIs.
42
43They are best suited for cases when the call needs to have the same identity
44and authorization level for the application independent of the user. This is
45the recommended approach to authorize calls to Cloud APIs, particularly when
46you're building an application that uses Google Compute Engine.
47
48#### Download your Service Account Credentials JSON file
49
50To use `Application Default Credentials`, You first need to download a set of
51JSON credentials for your project. Go to **APIs & Services** > **Credentials** in
52the [Google Developers Console][developer console] and select
53**Service account** from the **Add credentials** dropdown.
54
55> This file is your *only copy* of these credentials. It should never be
56> committed with your source code, and should be stored securely.
57
58Once downloaded, store the path to this file in the
59`GOOGLE_APPLICATION_CREDENTIALS` environment variable.
60
61```php
62putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
63```
64
65> PHP's `putenv` function is just one way to set an environment variable.
66> Consider using `.htaccess` or apache configuration files as well.
67
68#### Enable the API you want to use
69
70Before making your API call, you must be sure the API you're calling has been
71enabled. Go to **APIs & Auth** > **APIs** in the
72[Google Developers Console][developer console] and enable the APIs you'd like to
73call. For the example below, you must enable the `Drive API`.
74
75#### Call the APIs
76
77As long as you update the environment variable below to point to *your* JSON
78credentials file, the following code should output a list of your Drive files.
79
80```php
81use Google\Auth\ApplicationDefaultCredentials;
82use GuzzleHttp\Client;
83use GuzzleHttp\HandlerStack;
84
85// specify the path to your application credentials
86putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
87
88// define the scopes for your API call
89$scopes = ['https://www.googleapis.com/auth/drive.readonly'];
90
91// create middleware
92$middleware = ApplicationDefaultCredentials::getMiddleware($scopes);
93$stack = HandlerStack::create();
94$stack->push($middleware);
95
96// create the HTTP client
97$client = new Client([
98  'handler' => $stack,
99  'base_uri' => 'https://www.googleapis.com',
100  'auth' => 'google_auth'  // authorize all requests
101]);
102
103// make the request
104$response = $client->get('drive/v2/files');
105
106// show the result!
107print_r((string) $response->getBody());
108```
109
110##### Guzzle 5 Compatibility
111
112If you are using [Guzzle 5][Guzzle 5], replace the `create middleware` and
113`create the HTTP Client` steps with the following:
114
115```php
116// create the HTTP client
117$client = new Client([
118  'base_url' => 'https://www.googleapis.com',
119  'auth' => 'google_auth'  // authorize all requests
120]);
121
122// create subscriber
123$subscriber = ApplicationDefaultCredentials::getSubscriber($scopes);
124$client->getEmitter()->attach($subscriber);
125```
126
127#### Call using an ID Token
128If your application is running behind Cloud Run, or using Cloud Identity-Aware
129Proxy (IAP), you will need to fetch an ID token to access your application. For
130this, use the static method `getIdTokenMiddleware` on
131`ApplicationDefaultCredentials`.
132
133```php
134use Google\Auth\ApplicationDefaultCredentials;
135use GuzzleHttp\Client;
136use GuzzleHttp\HandlerStack;
137
138// specify the path to your application credentials
139putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
140
141// Provide the ID token audience. This can be a Client ID associated with an IAP application,
142// Or the URL associated with a CloudRun App
143//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
144//    $targetAudience = 'https://service-1234-uc.a.run.app';
145$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';
146
147// create middleware
148$middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience);
149$stack = HandlerStack::create();
150$stack->push($middleware);
151
152// create the HTTP client
153$client = new Client([
154  'handler' => $stack,
155  'auth' => 'google_auth',
156  // Cloud Run, IAP, or custom resource URL
157  'base_uri' => 'https://YOUR_PROTECTED_RESOURCE',
158]);
159
160// make the request
161$response = $client->get('/');
162
163// show the result!
164print_r((string) $response->getBody());
165```
166
167For invoking Cloud Run services, your service account will need the
168[`Cloud Run Invoker`](https://cloud.google.com/run/docs/authenticating/service-to-service)
169IAM permission.
170
171For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID
172used when you set up your protected resource as the target audience. See how to
173[secure your IAP app with signed headers](https://cloud.google.com/iap/docs/signed-headers-howto).
174
175#### Call using a specific JSON key
176If you want to use a specific JSON key instead of using `GOOGLE_APPLICATION_CREDENTIALS` environment variable, you can
177 do this:
178
179```php
180use Google\Auth\CredentialsLoader;
181use Google\Auth\Middleware\AuthTokenMiddleware;
182use GuzzleHttp\Client;
183use GuzzleHttp\HandlerStack;
184
185// Define the Google Application Credentials array
186$jsonKey = ['key' => 'value'];
187
188// define the scopes for your API call
189$scopes = ['https://www.googleapis.com/auth/drive.readonly'];
190
191// Load credentials
192$creds = CredentialsLoader::makeCredentials($scopes, $jsonKey);
193
194// optional caching
195// $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache);
196
197// create middleware
198$middleware = new AuthTokenMiddleware($creds);
199$stack = HandlerStack::create();
200$stack->push($middleware);
201
202// create the HTTP client
203$client = new Client([
204  'handler' => $stack,
205  'base_uri' => 'https://www.googleapis.com',
206  'auth' => 'google_auth'  // authorize all requests
207]);
208
209// make the request
210$response = $client->get('drive/v2/files');
211
212// show the result!
213print_r((string) $response->getBody());
214
215```
216
217#### Call using Proxy-Authorization Header
218If your application is behind a proxy such as [Google Cloud IAP][iap-proxy-header],
219and your application occupies the `Authorization` request header,
220you can include the ID token in a `Proxy-Authorization: Bearer`
221header instead. If a valid ID token is found in a `Proxy-Authorization` header,
222IAP authorizes the request with it. After authorizing the request, IAP passes
223the Authorization header to your application without processing the content.
224For this, use the static method `getProxyIdTokenMiddleware` on
225`ApplicationDefaultCredentials`.
226
227```php
228use Google\Auth\ApplicationDefaultCredentials;
229use GuzzleHttp\Client;
230use GuzzleHttp\HandlerStack;
231
232// specify the path to your application credentials
233putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
234
235// Provide the ID token audience. This can be a Client ID associated with an IAP application
236//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
237$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';
238
239// create middleware
240$middleware = ApplicationDefaultCredentials::getProxyIdTokenMiddleware($targetAudience);
241$stack = HandlerStack::create();
242$stack->push($middleware);
243
244// create the HTTP client
245$client = new Client([
246  'handler' => $stack,
247  'auth' => ['username', 'pass'], // auth option handled by your application
248  'proxy_auth' => 'google_auth',
249]);
250
251// make the request
252$response = $client->get('/');
253
254// show the result!
255print_r((string) $response->getBody());
256```
257
258[iap-proxy-header]: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
259
260#### Verifying JWTs
261
262If you are [using Google ID tokens to authenticate users][google-id-tokens], use
263the `Google\Auth\AccessToken` class to verify the ID token:
264
265```php
266use Google\Auth\AccessToken;
267
268$auth = new AccessToken();
269$auth->verify($idToken);
270```
271
272If your app is running behind [Google Identity-Aware Proxy][iap-id-tokens]
273(IAP), you can verify the ID token coming from the IAP server by pointing to the
274appropriate certificate URL for IAP. This is because IAP signs the ID
275tokens with a different key than the Google Identity service:
276
277```php
278use Google\Auth\AccessToken;
279
280$auth = new AccessToken();
281$auth->verify($idToken, [
282  'certsLocation' => AccessToken::IAP_CERT_URL
283]);
284```
285
286[google-id-tokens]: https://developers.google.com/identity/sign-in/web/backend-auth
287[iap-id-tokens]: https://cloud.google.com/iap/docs/signed-headers-howto
288
289## License
290
291This library is licensed under Apache 2.0. Full license text is
292available in [COPYING][copying].
293
294## Contributing
295
296See [CONTRIBUTING][contributing].
297
298## Support
299
300Please
301[report bugs at the project on Github](https://github.com/google/google-auth-library-php/issues). Don't
302hesitate to
303[ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-php)
304about the client or APIs on [StackOverflow](http://stackoverflow.com).
305
306[google-apis-php-client]: https://github.com/google/google-api-php-client
307[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
308[contributing]: https://github.com/google/google-auth-library-php/tree/main/.github/CONTRIBUTING.md
309[copying]: https://github.com/google/google-auth-library-php/tree/main/COPYING
310[Guzzle]: https://github.com/guzzle/guzzle
311[Guzzle 5]: http://docs.guzzlephp.org/en/5.3
312[developer console]: https://console.developers.google.com
313