The list of JWT
audiences.
that are allowed to access. A JWT containing any of these audiences will
be accepted. When this setting is absent, JWTs with audiences:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003e\u003ccode\u003eAuthProvider\u003c/code\u003e is a class for configuring authentication providers, supporting JSON Web Tokens (JWT).\u003c/p\u003e\n"],["\u003cp\u003eIt inherits from \u003ccode\u003eobject\u003c/code\u003e and implements interfaces like \u003ccode\u003eIMessage\u003c/code\u003e, \u003ccode\u003eIEquatable\u003c/code\u003e, \u003ccode\u003eIDeepCloneable\u003c/code\u003e, and \u003ccode\u003eIBufferMessage\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe class includes fields for defining JWT properties such as \u003ccode\u003eId\u003c/code\u003e, \u003ccode\u003eIssuer\u003c/code\u003e, \u003ccode\u003eJwksUri\u003c/code\u003e, \u003ccode\u003eAudiences\u003c/code\u003e, \u003ccode\u003eAuthorizationUrl\u003c/code\u003e, and \u003ccode\u003eJwtLocations\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eAuthProvider\u003c/code\u003e allows setting JWT locations in headers, query parameters, or cookies for extraction, defaulting to \u003ccode\u003eAuthorization: Bearer\u003c/code\u003e, \u003ccode\u003ex-goog-iap-jwt-assertion\u003c/code\u003e, and \u003ccode\u003eaccess_token\u003c/code\u003e query parameter if unspecified.\u003c/p\u003e\n"],["\u003cp\u003eIt provides methods for message operations, including \u003ccode\u003eCalculateSize\u003c/code\u003e, \u003ccode\u003eClone\u003c/code\u003e, \u003ccode\u003eEquals\u003c/code\u003e, \u003ccode\u003eGetHashCode\u003c/code\u003e, \u003ccode\u003eMergeFrom\u003c/code\u003e, \u003ccode\u003eToString\u003c/code\u003e, and \u003ccode\u003eWriteTo\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Class AuthProvider (2.17.0)\n\nVersion latestkeyboard_arrow_down\n\n- [2.17.0 (latest)](/dotnet/docs/reference/Google.Api.CommonProtos/latest/Google.Api.AuthProvider)\n- [2.15.0](/dotnet/docs/reference/Google.Api.CommonProtos/2.15.0/Google.Api.AuthProvider)\n- [2.10.0](/dotnet/docs/reference/Google.Api.CommonProtos/2.10.0/Google.Api.AuthProvider)\n- [2.2.0](/dotnet/docs/reference/Google.Api.CommonProtos/2.2.0/Google.Api.AuthProvider) \n\n public sealed class AuthProvider : IMessage\u003cAuthProvider\u003e, IEquatable\u003cAuthProvider\u003e, IDeepCloneable\u003cAuthProvider\u003e, IBufferMessage, IMessage\n\nConfiguration for an authentication provider, including support for\n[JSON Web Token\n(JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32). \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e AuthProvider \n\nImplements\n----------\n\n[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)[AuthProvider](/dotnet/docs/reference/Google.Api.CommonProtos/latest/Google.Api.AuthProvider), [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)[AuthProvider](/dotnet/docs/reference/Google.Api.CommonProtos/latest/Google.Api.AuthProvider), [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)[AuthProvider](/dotnet/docs/reference/Google.Api.CommonProtos/latest/Google.Api.AuthProvider), [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html) \n\nInherited Members\n-----------------\n\n[object.Equals(object, object)](https://learn.microsoft.com/dotnet/api/system.object.equals#system-object-equals(system-object-system-object)) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.ReferenceEquals(object, object)](https://learn.microsoft.com/dotnet/api/system.object.referenceequals)\n\nNamespace\n---------\n\n[Google.Api](/dotnet/docs/reference/Google.Api.CommonProtos/latest/Google.Api)\n\nAssembly\n--------\n\nGoogle.Api.CommonProtos.dll\n\nConstructors\n------------\n\n### AuthProvider()\n\n public AuthProvider()\n\n### AuthProvider(AuthProvider)\n\n public AuthProvider(AuthProvider other)\n\nFields\n------\n\n### AudiencesFieldNumber\n\n public const int AudiencesFieldNumber = 4\n\nField number for the \"audiences\" field.\n\n### AuthorizationUrlFieldNumber\n\n public const int AuthorizationUrlFieldNumber = 5\n\nField number for the \"authorization_url\" field.\n\n### IdFieldNumber\n\n public const int IdFieldNumber = 1\n\nField number for the \"id\" field.\n\n### IssuerFieldNumber\n\n public const int IssuerFieldNumber = 2\n\nField number for the \"issuer\" field.\n\n### JwksUriFieldNumber\n\n public const int JwksUriFieldNumber = 3\n\nField number for the \"jwks_uri\" field.\n\n### JwtLocationsFieldNumber\n\n public const int JwtLocationsFieldNumber = 6\n\nField number for the \"jwt_locations\" field.\n\nProperties\n----------\n\n### Audiences\n\n public string Audiences { get; set; }\n\nThe list of JWT\n[audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).\nthat are allowed to access. A JWT containing any of these audiences will\nbe accepted. When this setting is absent, JWTs with audiences:\n\n- \"https://\\[service.name\\]/\\[google.protobuf.Api.name\\]\"\n- \"https://\\[service.name\\]/\" will be accepted. For example, if no audiences are in the setting, LibraryService API will accept JWTs with the following audiences: - \u003chttps://library-example.googleapis.com/google.example.library.v1.LibraryService\u003e\n- \u003chttps://library-example.googleapis.com/\u003e\n\nExample: \n\n audiences: bookstore_android.apps.googleusercontent.com,\n bookstore_web.apps.googleusercontent.com\n\n### AuthorizationUrl\n\n public string AuthorizationUrl { get; set; }\n\nRedirect URL if JWT token is required but not present or is expired.\nImplement authorizationUrl of securityDefinitions in OpenAPI spec.\n\n### Descriptor\n\n public static MessageDescriptor Descriptor { get; }\n\n### Id\n\n public string Id { get; set; }\n\nThe unique identifier of the auth provider. It will be referred to by\n`AuthRequirement.provider_id`.\n\nExample: \"bookstore_auth\".\n\n### Issuer\n\n public string Issuer { get; set; }\n\nIdentifies the principal that issued the JWT. See\n\u003chttps://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1\u003e\nUsually a URL or an email address.\n\nExample: \u003chttps://securetoken.google.com\u003e\nExample: 1234567-compute@developer.gserviceaccount.com\n\n### JwksUri\n\n public string JwksUri { get; set; }\n\nURL of the provider's public key set to validate signature of the JWT. See\n[OpenID\nDiscovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).\nOptional if the key set document:\n\n- can be retrieved from [OpenID\n Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of the issuer.\n- can be inferred from the email domain of the issuer (e.g. a Google service account).\n\nExample: \u003chttps://www.googleapis.com/oauth2/v1/certs\u003e\n\n### JwtLocations\n\n public RepeatedField\u003cJwtLocation\u003e JwtLocations { get; }\n\nDefines the locations to extract the JWT. For now it is only used by the\nCloud Endpoints to store the OpenAPI extension [x-google-jwt-locations](https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations)\n\nJWT locations can be one of HTTP headers, URL query parameters or\ncookies. The rule is that the first match wins.\n\nIf not specified, default to use following 3 locations:\n1) Authorization: Bearer\n2) x-goog-iap-jwt-assertion\n3) access_token query parameter\n\nDefault locations can be specified as followings:\njwt_locations:\n\n- header: Authorization value_prefix: \"Bearer \"\n- header: x-goog-iap-jwt-assertion\n- query: access_token\n\n### Parser\n\n public static MessageParser\u003cAuthProvider\u003e Parser { get; }\n\nMethods\n-------\n\n### CalculateSize()\n\n public int CalculateSize()\n\n### Clone()\n\n public AuthProvider Clone()\n\n### Equals(AuthProvider)\n\n public bool Equals(AuthProvider other)\n\n### Equals(object)\n\n public override bool Equals(object other)\n\n**Overrides** \n[object.Equals(object)](https://learn.microsoft.com/dotnet/api/system.object.equals#system-object-equals(system-object))\n\n### GetHashCode()\n\n public override int GetHashCode()\n\n**Overrides** \n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode)\n\n### MergeFrom(AuthProvider)\n\n public void MergeFrom(AuthProvider other)\n\n### MergeFrom(CodedInputStream)\n\n public void MergeFrom(CodedInputStream input)\n\n### ToString()\n\n public override string ToString()\n\n**Overrides** \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\n### WriteTo(CodedOutputStream)\n\n public void WriteTo(CodedOutputStream output)"]]
