Class GoogleIdentityStsV1ExchangeTokenRequest
Request message for ExchangeToken.
Implements
Inherited Members
Namespace: Google.Apis.CloudSecurityToken.v1.Data
Assembly: Google.Apis.CloudSecurityToken.v1.dll
Syntax
public class GoogleIdentityStsV1ExchangeTokenRequest : IDirectResponseSchemaProperties
Audience
The full resource name of the identity provider; for example:
//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ for workload identity
pool providers, or //iam.googleapis.com/locations/global/workforcePools//providers/ for workforce pool
providers. Required when exchanging an external credential for a Google access token.
Declaration
[JsonProperty("audience")]
public virtual string Audience { get; set; }Property Value
| Type | Description |
|---|---|
| string |
ETag
The ETag of the item.
Declaration
public virtual string ETag { get; set; }Property Value
| Type | Description |
|---|---|
| string |
GrantType
Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token-exchange, which indicates a token
exchange.
Declaration
[JsonProperty("grantType")]
public virtual string GrantType { get; set; }Property Value
| Type | Description |
|---|---|
| string |
Options
A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. The size of the parameter value must not exceed 4096 characters.
Declaration
[JsonProperty("options")]
public virtual string Options { get; set; }Property Value
| Type | Description |
|---|---|
| string |
RequestedTokenType
Required. An identifier for the type of requested security token. Can be
urn:ietf:params:oauth:token-type:access_token or
urn:ietf:params:oauth:token-type:access_boundary_intermediary_token.
Declaration
[JsonProperty("requestedTokenType")]
public virtual string RequestedTokenType { get; set; }Property Value
| Type | Description |
|---|---|
| string |
Scope
The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token.
Declaration
[JsonProperty("scope")]
public virtual string Scope { get; set; }Property Value
| Type | Description |
|---|---|
| string |
SubjectToken
Required. The input token. This token is either an external credential issued by a workload identity pool
provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT
format defined in RFC 7523, and the subject_token_type must be
either urn:ietf:params:oauth:token-type:jwt or urn:ietf:params:oauth:token-type:id_token. The following
headers are required: - kid: The identifier of the signing key securing the JWT. - alg: The
cryptographic algorithm securing the JWT. Must be RS256 or ES256. The following payload fields are
required. For more information, see RFC 7523, Section 3: -
iss: The issuer of the token. The issuer must provide a discovery document at the URL
/.well-known/openid-configuration, where `` is the value of this field. The document must be formatted
according to section 4.2 of the OIDC 1.0 Discovery
specification. -
iat: The issue time, in seconds, since the Unix epoch. Must be in the past. - exp: The expiration time,
in seconds, since the Unix epoch. Must be less than 48 hours after iat. Shorter expiration times are more
secure. If possible, we recommend setting an expiration time less than 6 hours. - sub: The identity
asserted in the JWT. - aud: For workload identity pools, this must be a value specified in the allowed
audiences for the workload identity pool provider, or one of the audiences allowed by default if no
audiences were specified. See
https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc.
For workforce pools, this must match the client ID specified in the provider configuration. See
https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers#oidc. Example header:
{ "alg": "RS256", "kid": "us-east-11" }
Example payload:
{ "iss": "https://accounts.google.com",
"iat": 1517963104, "exp": 1517966704, "aud":
"//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
"sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }
If subject_token is for
AWS, it must be a serialized GetCallerIdentity token. This token contains the same information as a
request to the AWS
GetCallerIdentity() method,
as well as the AWS signature
for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the
subject_token_type parameter to urn:ietf:params:aws:token-type:aws4_request. The following parameters
are required: - url: The URL of the AWS STS endpoint for GetCallerIdentity(), such as
https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15. Regional endpoints are also
supported. - method: The HTTP request method: POST. - headers: The HTTP request headers, which must
include: - Authorization: The request signature. - x-amz-date: The time you will send the request,
formatted as an ISO8601
Basic string. This
value is typically set to the current time and is used to help prevent replay attacks. - host: The
hostname of the url field; for example, sts.amazonaws.com. - x-goog-cloud-target-resource: The full,
canonical resource name of the workload identity pool provider, with or without an https: prefix. To help
ensure data integrity, we recommend including this header in the SignedHeaders field of the signed
request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ If you are using
temporary security credentials provided by AWS, you must also include the header x-amz-security-token,
with the value set to the session token. The following example shows a GetCallerIdentity token:
{
"headers": [ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value":
"AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"},
{"key": "x-goog-cloud-target-resource", "value":
"//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/"}, {"key": "host",
"value": "sts.amazonaws.com"} . ], "method": "POST", "url":
"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" }
If the token is a SAML
2.0 assertion, it must use the format defined in the SAML 2.0
spec, and the
subject_token_type must be urn:ietf:params:oauth:token-type:saml2. See Verification of external
credentials
for details on how SAML 2.0 assertions are validated during token exchanges. You can also use a
Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes
applied, such as a Credential Access Boundary. In this case, set subject_token_type to
urn:ietf:params:oauth:token-type:access_token. If an access token already contains security attributes,
you cannot apply additional security attributes.
Declaration
[JsonProperty("subjectToken")]
public virtual string SubjectToken { get; set; }Property Value
| Type | Description |
|---|---|
| string |
SubjectTokenType
Required. An identifier that indicates the type of the security token in the subject_token parameter.
Supported values are urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:aws:token-type:aws4_request, urn:ietf:params:oauth:token-type:access_token, and
urn:ietf:params:oauth:token-type:saml2.
Declaration
[JsonProperty("subjectTokenType")]
public virtual string SubjectTokenType { get; set; }Property Value
| Type | Description |
|---|---|
| string |