Class GoogleIdentityStsV1ExchangeTokenRequest
Request message for ExchangeToken.
Implements
Inherited Members
Namespace: Google.Apis.CloudSecurityToken.v1.Data
Assembly: Google.Apis.CloudSecurityToken.v1.dll
Syntax
public class GoogleIdentityStsV1ExchangeTokenRequest : IDirectResponseSchema
Properties
Audience
The full resource name of the identity provider; for example:
//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
for workload identity
pool providers, or //iam.googleapis.com/locations/global/workforcePools//providers/
for workforce pool
providers. Required when exchanging an external credential for a Google access token.
Declaration
[JsonProperty("audience")]
public virtual string Audience { get; set; }
Property Value
Type | Description |
---|---|
string |
ETag
The ETag of the item.
Declaration
public virtual string ETag { get; set; }
Property Value
Type | Description |
---|---|
string |
GrantType
Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token-exchange
, which indicates a token
exchange.
Declaration
[JsonProperty("grantType")]
public virtual string GrantType { get; set; }
Property Value
Type | Description |
---|---|
string |
Options
A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. The size of the parameter value must not exceed 4096 characters.
Declaration
[JsonProperty("options")]
public virtual string Options { get; set; }
Property Value
Type | Description |
---|---|
string |
RequestedTokenType
Required. An identifier for the type of requested security token. Can be
urn:ietf:params:oauth:token-type:access_token
or
urn:ietf:params:oauth:token-type:access_boundary_intermediary_token
.
Declaration
[JsonProperty("requestedTokenType")]
public virtual string RequestedTokenType { get; set; }
Property Value
Type | Description |
---|---|
string |
Scope
The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token.
Declaration
[JsonProperty("scope")]
public virtual string Scope { get; set; }
Property Value
Type | Description |
---|---|
string |
SubjectToken
Required. The input token. This token is either an external credential issued by a workload identity pool
provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT
format defined in RFC 7523, and the subject_token_type
must be
either urn:ietf:params:oauth:token-type:jwt
or urn:ietf:params:oauth:token-type:id_token
. The following
headers are required: - kid
: The identifier of the signing key securing the JWT. - alg
: The
cryptographic algorithm securing the JWT. Must be RS256
or ES256
. The following payload fields are
required. For more information, see RFC 7523, Section 3: -
iss
: The issuer of the token. The issuer must provide a discovery document at the URL
/.well-known/openid-configuration
, where `` is the value of this field. The document must be formatted
according to section 4.2 of the OIDC 1.0 Discovery
specification. -
iat
: The issue time, in seconds, since the Unix epoch. Must be in the past. - exp
: The expiration time,
in seconds, since the Unix epoch. Must be less than 48 hours after iat
. Shorter expiration times are more
secure. If possible, we recommend setting an expiration time less than 6 hours. - sub
: The identity
asserted in the JWT. - aud
: For workload identity pools, this must be a value specified in the allowed
audiences for the workload identity pool provider, or one of the audiences allowed by default if no
audiences were specified. See
https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc.
For workforce pools, this must match the client ID specified in the provider configuration. See
https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers#oidc. Example header:
{ "alg": "RS256", "kid": "us-east-11" }
Example payload:
{ "iss": "https://accounts.google.com",
"iat": 1517963104, "exp": 1517966704, "aud":
"//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
"sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }
If subject_token
is for
AWS, it must be a serialized GetCallerIdentity
token. This token contains the same information as a
request to the AWS
GetCallerIdentity()
method,
as well as the AWS signature
for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the
subject_token_type
parameter to urn:ietf:params:aws:token-type:aws4_request
. The following parameters
are required: - url
: The URL of the AWS STS endpoint for GetCallerIdentity()
, such as
https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
. Regional endpoints are also
supported. - method
: The HTTP request method: POST
. - headers
: The HTTP request headers, which must
include: - Authorization
: The request signature. - x-amz-date
: The time you will send the request,
formatted as an ISO8601
Basic string. This
value is typically set to the current time and is used to help prevent replay attacks. - host
: The
hostname of the url
field; for example, sts.amazonaws.com
. - x-goog-cloud-target-resource
: The full,
canonical resource name of the workload identity pool provider, with or without an https:
prefix. To help
ensure data integrity, we recommend including this header in the SignedHeaders
field of the signed
request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ If you are using
temporary security credentials provided by AWS, you must also include the header x-amz-security-token
,
with the value set to the session token. The following example shows a GetCallerIdentity
token:
{
"headers": [ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value":
"AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"},
{"key": "x-goog-cloud-target-resource", "value":
"//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/"}, {"key": "host",
"value": "sts.amazonaws.com"} . ], "method": "POST", "url":
"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" }
If the token is a SAML
2.0 assertion, it must use the format defined in the SAML 2.0
spec, and the
subject_token_type
must be urn:ietf:params:oauth:token-type:saml2
. See Verification of external
credentials
for details on how SAML 2.0 assertions are validated during token exchanges. You can also use a
Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes
applied, such as a Credential Access Boundary. In this case, set subject_token_type
to
urn:ietf:params:oauth:token-type:access_token
. If an access token already contains security attributes,
you cannot apply additional security attributes.
Declaration
[JsonProperty("subjectToken")]
public virtual string SubjectToken { get; set; }
Property Value
Type | Description |
---|---|
string |
SubjectTokenType
Required. An identifier that indicates the type of the security token in the subject_token
parameter.
Supported values are urn:ietf:params:oauth:token-type:jwt
, urn:ietf:params:oauth:token-type:id_token
,
urn:ietf:params:aws:token-type:aws4_request
, urn:ietf:params:oauth:token-type:access_token
, and
urn:ietf:params:oauth:token-type:saml2
.
Declaration
[JsonProperty("subjectTokenType")]
public virtual string SubjectTokenType { get; set; }
Property Value
Type | Description |
---|---|
string |