Class: Google::Apis::StsV1beta::GoogleIdentityStsV1betaExchangeTokenRequest
- Inherits:
-
Object
- Object
- Google::Apis::StsV1beta::GoogleIdentityStsV1betaExchangeTokenRequest
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- generated/google/apis/sts_v1beta/classes.rb,
generated/google/apis/sts_v1beta/representations.rb,
generated/google/apis/sts_v1beta/representations.rb
Overview
Request message for ExchangeToken.
Instance Attribute Summary collapse
-
#audience ⇒ String
The full resource name of the identity provider.
-
#grant_type ⇒ String
Required.
-
#options ⇒ String
A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.
-
#requested_token_type ⇒ String
Required.
-
#scope ⇒ String
The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings.
-
#subject_token ⇒ String
Required.
-
#subject_token_type ⇒ String
Required.
Instance Method Summary collapse
-
#initialize(**args) ⇒ GoogleIdentityStsV1betaExchangeTokenRequest
constructor
A new instance of GoogleIdentityStsV1betaExchangeTokenRequest.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ GoogleIdentityStsV1betaExchangeTokenRequest
Returns a new instance of GoogleIdentityStsV1betaExchangeTokenRequest.
129 130 131 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 129 def initialize(**args) update!(**args) end |
Instance Attribute Details
#audience ⇒ String
The full resource name of the identity provider. For example, //iam.
googleapis.com/projects//workloadIdentityPools//providers/
. Required when
exchanging an external credential for a Google access token.
Corresponds to the JSON property audience
34 35 36 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 34 def audience @audience end |
#grant_type ⇒ String
Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token-
exchange
, which indicates a token exchange.
Corresponds to the JSON property grantType
40 41 42 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 40 def grant_type @grant_type end |
#options ⇒ String
A set of features that Security Token Service supports, in addition to the
standard OAuth 2.0 token exchange, formatted as a serialized JSON object of
Options.
Corresponds to the JSON property options
47 48 49 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 47 def @options end |
#requested_token_type ⇒ String
Required. The type of security token. Must be urn:ietf:params:oauth:token-
type:access_token
, which indicates an OAuth 2.0 access token.
Corresponds to the JSON property requestedTokenType
53 54 55 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 53 def requested_token_type @requested_token_type end |
#scope ⇒ String
The OAuth 2.0 scopes to include on the resulting access token, formatted as a
list of space-delimited, case-sensitive strings. Required when exchanging an
external credential for a Google access token.
Corresponds to the JSON property scope
60 61 62 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 60 def scope @scope end |
#subject_token ⇒ String
Required. The input token. This token is a either an external credential
issued by a workload identity pool provider, or a short-lived access token
issued by Google. If the token is an OIDC JWT, it must use the JWT format
defined in RFC 7523, and the
subject_token_type
must be urn:ietf:params:oauth:token-type:jwt
. The
following headers are required: - kid
: The identifier of the signing key
securing the JWT. - alg
: The cryptographic algorithm securing the JWT. Must
be RS256
. The following payload fields are required. For more information,
see RFC 7523, Section 3: -
iss
: The issuer of the token. The issuer must provide a discovery document at
the URL /.well-known/openid-configuration
, where is the value of this
field. The document must be formatted according to section 4.2 of the [OIDC 1.
0 Discovery specification](https://openid.net/specs/openid-connect-discovery-
1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds,
since the Unix epoch. Must be in the past. - `exp`: The expiration time, in
seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter
expiration times are more secure. If possible, we recommend setting an
expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. -
`aud`: Configured by the mapper policy. The default value is the service
account's unique ID. Example header:
"alg": "RS256", "kid": "us-east-11"
Example payload:
"iss": "https://accounts.google.com", "iat":
1517963104, "exp": 1517966704, "aud": "113475438248934895348", "sub": "
113475438248934895348", "my_claims":
"additional_claim": "value"
`
If
subject_tokenis an AWS token, it must be a serialized, [signed](https://docs.
aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) request to the
AWS [
GetCallerIdentity()](https://docs.aws.amazon.com/STS/latest/
APIReference/API_GetCallerIdentity) method. Format the request as URL-encoded
JSON, and set the
subject_token_typeparameter to
urn:ietf:params:aws:token-
type:aws4_request. The following parameters are required: -
url: The URL of
the AWS STS endpoint for
GetCallerIdentity(), such as
https://sts.amazonaws.
com?Action=GetCallerIdentity&Version=2011-06-15. Regional endpoints are also
supported. -
method: The HTTP request method:
POST. -
headers: The HTTP
request headers, which must include: -
Authorization`: The request signature.
x-amz-date
: The time you will send the request, formatted as an ISO8601 Basic string. This is typically set to the current time and used to prevent replay attacks. -host
: The hostname of theurl
field; for example,sts.amazonaws.com
. -x-goog-cloud-target-resource
: The full, canonical resource name of the workload identity pool provider, with or without anhttps:
prefix. To help ensure data integrity, we recommend including this header in theSignedHeaders
field of the signed request. For example: //iam.googleapis.com/projects//locations//workloadIdentityPools// providers/ https://iam.googleapis.com/projects//locations// workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the headerx-amz-security- token
, with the value. The following example shows a signed, serialized request:
"headers":[
"key": "x-amz-date", "value": "20200815T015049Z"
,"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+ SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$ signature"
,"key": "x-goog-cloud-target-resource", "value": "//iam. googleapis.com/projects//locations//workloadIdentityPools//providers/"
,"key" : "host", "value": "sts.amazonaws.com"
. ], "method":"POST", "url":"https:// sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"`
You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set
subject_token_typeto
urn:ietf:params:oauth: token-type:access_token. If an access token already contains security attributes, you cannot apply additional security attributes. Corresponds to the JSON property
subjectToken`
122 123 124 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 122 def subject_token @subject_token end |
#subject_token_type ⇒ String
Required. urn:ietf:params:oauth:token-type:access_token
.
Corresponds to the JSON property subjectTokenType
127 128 129 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 127 def subject_token_type @subject_token_type end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
134 135 136 137 138 139 140 141 142 |
# File 'generated/google/apis/sts_v1beta/classes.rb', line 134 def update!(**args) @audience = args[:audience] if args.key?(:audience) @grant_type = args[:grant_type] if args.key?(:grant_type) @options = args[:options] if args.key?(:options) @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type) @scope = args[:scope] if args.key?(:scope) @subject_token = args[:subject_token] if args.key?(:subject_token) @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type) end |