com.google.auth.oauth2

Class ExternalAccountCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ExternalAccountCredentials

All Implemented Interfaces:

QuotaProjectIdProvider, Serializable

Direct Known Subclasses:

AwsCredentials, IdentityPoolCredentials, PluggableAuthCredentials

public abstract class ExternalAccountCredentials
extends GoogleCredentials

Base external account credentials class.

Handles initializing external credentials, calls to the Security Token Service, and service account impersonation.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ExternalAccountCredentials.Builder Base builder for external account credentials.

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Field Summary

Fields

Modifier and Type	Field and Description
protected ImpersonatedCredentials	impersonatedCredentials
protected HttpTransportFactory	transportFactory

Fields inherited from class com.google.auth.oauth2.GoogleCredentials

quotaProjectId

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	ExternalAccountCredentials(ExternalAccountCredentials.Builder builder) Internal constructor with minimum identifying information and custom HTTP transport.
protected	ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes) Constructor with minimum identifying information and custom HTTP transport.
protected	ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, com.google.auth.oauth2.EnvironmentProvider environmentProvider) Constructor with minimum identifying information and custom HTTP transport.

Method Summary

Modifier and Type	Method and Description
protected AccessToken	exchangeExternalCredentialForAccessToken(com.google.auth.oauth2.StsTokenExchangeRequest stsTokenExchangeRequest) Exchanges the external credential for a Google Cloud access token.
static ExternalAccountCredentials	fromStream(InputStream credentialsStream) Returns credentials defined by a JSON file stream.
static ExternalAccountCredentials	fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) Returns credentials defined by a JSON file stream.
String	getAudience()
String	getClientId()
String	getClientSecret()
com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource	getCredentialSource()
Map<String,List<String>>	getRequestMetadata(URI uri) Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
void	getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback) Get the current request metadata without blocking.
Collection<String>	getScopes()
String	getServiceAccountEmail()
com.google.auth.oauth2.ExternalAccountCredentials.ServiceAccountImpersonationOptions	getServiceAccountImpersonationOptions()
String	getServiceAccountImpersonationUrl()
String	getSubjectTokenType()
String	getTokenInfoUrl()
String	getTokenUrl()
String	getWorkforcePoolUserProject()
boolean	isWorkforcePoolConfiguration()
abstract String	retrieveSubjectToken() Retrieves the external subject token to be exchanged for a Google Cloud access token.

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, createDelegated, createScoped, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, newBuilder, toBuilder

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, equals, getAccessToken, getAuthenticationType, getFromServiceLoader, getRequestMetadataInternal, hashCode, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshAccessToken, refreshIfExpired, removeChangeListener, toString

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

transportFactory

protected transient HttpTransportFactory transportFactory

impersonatedCredentials

@Nullable
protected final ImpersonatedCredentials impersonatedCredentials

Constructor Detail

ExternalAccountCredentials

protected ExternalAccountCredentials(HttpTransportFactory transportFactory,
                                     String audience,
                                     String subjectTokenType,
                                     String tokenUrl,
                                     com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource,
                                     @Nullable
                                     String tokenInfoUrl,
                                     @Nullable
                                     String serviceAccountImpersonationUrl,
                                     @Nullable
                                     String quotaProjectId,
                                     @Nullable
                                     String clientId,
                                     @Nullable
                                     String clientSecret,
                                     @Nullable
                                     Collection<String> scopes)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.

Parameters:

transportFactory - HTTP transport factory, creates the transport used to get access tokens

audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider

subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file

tokenUrl - the Security Token Service token exchange endpoint

tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.

credentialSource - the external credential source

serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.

quotaProjectId - the project used for quota and billing purposes. May be null.

clientId - client ID of the service account from the console. May be null.

clientSecret - client secret of the service account from the console. May be null.

scopes - the scopes to request during the authorization grant. May be null.

ExternalAccountCredentials

protected ExternalAccountCredentials(HttpTransportFactory transportFactory,
                                     String audience,
                                     String subjectTokenType,
                                     String tokenUrl,
                                     com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource,
                                     @Nullable
                                     String tokenInfoUrl,
                                     @Nullable
                                     String serviceAccountImpersonationUrl,
                                     @Nullable
                                     String quotaProjectId,
                                     @Nullable
                                     String clientId,
                                     @Nullable
                                     String clientSecret,
                                     @Nullable
                                     Collection<String> scopes,
                                     @Nullable
                                     com.google.auth.oauth2.EnvironmentProvider environmentProvider)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.

Parameters:

transportFactory - HTTP transport factory, creates the transport used to get access tokens

audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider

subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file

tokenUrl - the Security Token Service token exchange endpoint

tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.

credentialSource - the external credential source

serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.

quotaProjectId - the project used for quota and billing purposes. May be null.

clientId - client ID of the service account from the console. May be null.

clientSecret - client secret of the service account from the console. May be null.

scopes - the scopes to request during the authorization grant. May be null.

environmentProvider - the environment provider. May be null. Defaults to SystemEnvironmentProvider.

ExternalAccountCredentials

protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)

Internal constructor with minimum identifying information and custom HTTP transport. See ExternalAccountCredentials.Builder.

Parameters:

builder - the Builder object used to construct the credentials.

Method Detail

getRequestMetadata

public void getRequestMetadata(URI uri,
                               Executor executor,
                               RequestMetadataCallback callback)

Description copied from class: Credentials

Get the current request metadata without blocking.

This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor.

The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.

Overrides:

getRequestMetadata in class OAuth2Credentials

Parameters:

uri - URI of the entry point for the request.

executor - Executor to perform the request.

callback - Callback to execute when the request is finished.

getRequestMetadata

public Map<String,List<String>> getRequestMetadata(URI uri)
                                            throws IOException

Description copied from class: OAuth2Credentials

Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.

Overrides:

getRequestMetadata in class OAuth2Credentials

Parameters:

uri - URI of the entry point for the request.

Returns:

The request metadata used for populating headers or other context.

Throws:

IOException - if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.

fromStream

public static ExternalAccountCredentials fromStream(InputStream credentialsStream)
                                             throws IOException

Returns credentials defined by a JSON file stream.

Returns IdentityPoolCredentials or AwsCredentials.

Parameters:

credentialsStream - the stream with the credential definition

Returns:

the credential defined by the credentialsStream

Throws:

IOException - if the credential cannot be created from the stream

fromStream

public static ExternalAccountCredentials fromStream(InputStream credentialsStream,
                                                    HttpTransportFactory transportFactory)
                                             throws IOException

Returns credentials defined by a JSON file stream.

Returns a IdentityPoolCredentials or AwsCredentials.

Parameters:

credentialsStream - the stream with the credential definition

transportFactory - the HTTP transport factory used to create the transport to get access tokens

Returns:

the credential defined by the credentialsStream

Throws:

IOException - if the credential cannot be created from the stream

exchangeExternalCredentialForAccessToken

protected AccessToken exchangeExternalCredentialForAccessToken(com.google.auth.oauth2.StsTokenExchangeRequest stsTokenExchangeRequest)
                                                        throws IOException

Exchanges the external credential for a Google Cloud access token.

Parameters:

stsTokenExchangeRequest - the Security Token Service token exchange request

Returns:

the access token returned by the Security Token Service

Throws:

OAuthException - if the call to the Security Token Service fails

IOException

retrieveSubjectToken

public abstract String retrieveSubjectToken()
                                     throws IOException

Retrieves the external subject token to be exchanged for a Google Cloud access token.

Must be implemented by subclasses as the retrieval method is dependent on the credential source.

Returns:

the external subject token

Throws:

IOException - if the subject token cannot be retrieved

getAudience

public String getAudience()

getSubjectTokenType

public String getSubjectTokenType()

getTokenUrl

public String getTokenUrl()

getTokenInfoUrl

public String getTokenInfoUrl()

getCredentialSource

public com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource getCredentialSource()

getServiceAccountImpersonationUrl

@Nullable
public String getServiceAccountImpersonationUrl()

getServiceAccountEmail

@Nullable
public String getServiceAccountEmail()

Returns:

The service account email to be impersonated, if available

getClientId

@Nullable
public String getClientId()

getClientSecret

@Nullable
public String getClientSecret()

getScopes

@Nullable
public Collection<String> getScopes()

getWorkforcePoolUserProject

@Nullable
public String getWorkforcePoolUserProject()

getServiceAccountImpersonationOptions

@Nullable
public com.google.auth.oauth2.ExternalAccountCredentials.ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions()

isWorkforcePoolConfiguration

public boolean isWorkforcePoolConfiguration()

Returns:

whether the current configuration is for Workforce Pools (which enable 3p user identities, rather than workloads)