com.google.auth.oauth2

Class ExternalAccountCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ExternalAccountCredentials

All Implemented Interfaces:

QuotaProjectIdProvider, Serializable

Direct Known Subclasses:

AwsCredentials, IdentityPoolCredentials

public abstract class ExternalAccountCredentials
extends GoogleCredentials
implements QuotaProjectIdProvider

Base external account credentials class.

Handles initializing external credentials, calls to STS, and service account impersonation.

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ExternalAccountCredentials.Builder Base builder for external account credentials.

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials

OAuth2Credentials.CredentialsChangedListener

Field Summary

Fields

Modifier and Type	Field and Description
protected ImpersonatedCredentials	impersonatedCredentials
protected HttpTransportFactory	transportFactory

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes) Constructor with minimum identifying information and custom HTTP transport.
protected	ExternalAccountCredentials(HttpTransportFactory transportFactory, String audience, String subjectTokenType, String tokenUrl, com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource, String tokenInfoUrl, String serviceAccountImpersonationUrl, String quotaProjectId, String clientId, String clientSecret, Collection<String> scopes, com.google.auth.oauth2.EnvironmentProvider environmentProvider) See ExternalAccountCredentials(HttpTransportFactory, String, String, String, CredentialSource, String, String, String, String, String, Collection)

Method Summary

Modifier and Type	Method and Description
protected AccessToken	exchangeExternalCredentialForAccessToken(com.google.auth.oauth2.StsTokenExchangeRequest stsTokenExchangeRequest) Exchanges the external credential for a GCP access token.
static ExternalAccountCredentials	fromStream(InputStream credentialsStream) Returns credentials defined by a JSON file stream.
static ExternalAccountCredentials	fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) Returns credentials defined by a JSON file stream.
String	getAudience()
String	getClientId()
String	getClientSecret()
com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource	getCredentialSource()
String	getQuotaProjectId()
Map<String,List<String>>	getRequestMetadata(URI uri) Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
void	getRequestMetadata(URI uri, Executor executor, RequestMetadataCallback callback)
Collection<String>	getScopes()
String	getServiceAccountImpersonationUrl()
String	getSubjectTokenType()
String	getTokenInfoUrl()
String	getTokenUrl()
abstract String	retrieveSubjectToken() Retrieves the external subject token to be exchanged for a GCP access token.

Methods inherited from class com.google.auth.oauth2.GoogleCredentials

create, createDelegated, createScoped, createScoped, createScoped, createScopedRequired, getApplicationDefault, getApplicationDefault, newBuilder, toBuilder

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials

addChangeListener, equals, getAccessToken, getAdditionalHeaders, getAuthenticationType, getFromServiceLoader, getRequestMetadataInternal, hashCode, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshAccessToken, refreshIfExpired, removeChangeListener, toString

Methods inherited from class com.google.auth.Credentials

blockingGetToCallback, getRequestMetadata

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

transportFactory

protected transient HttpTransportFactory transportFactory

impersonatedCredentials

@Nullable
protected final ImpersonatedCredentials impersonatedCredentials

Constructor Detail

ExternalAccountCredentials

protected ExternalAccountCredentials(HttpTransportFactory transportFactory,
                                     String audience,
                                     String subjectTokenType,
                                     String tokenUrl,
                                     com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource,
                                     @Nullable
                                     String tokenInfoUrl,
                                     @Nullable
                                     String serviceAccountImpersonationUrl,
                                     @Nullable
                                     String quotaProjectId,
                                     @Nullable
                                     String clientId,
                                     @Nullable
                                     String clientSecret,
                                     @Nullable
                                     Collection<String> scopes)

Constructor with minimum identifying information and custom HTTP transport.

Parameters:

transportFactory - HTTP transport factory, creates the transport used to get access tokens

audience - the STS audience which is usually the fully specified resource name of the workload/workforce pool provider

subjectTokenType - the STS subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file

tokenUrl - the STS token exchange endpoint

tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.

credentialSource - the external credential source

serviceAccountImpersonationUrl - the URL for the service account impersonation request. This is only required for workload identity pools when APIs to be accessed have not integrated with UberMint. If this is not available, the STS returned GCP access token is directly used. May be null.

quotaProjectId - the project used for quota and billing purposes. May be null.

clientId - client ID of the service account from the console. May be null.

clientSecret - client secret of the service account from the console. May be null.

scopes - the scopes to request during the authorization grant. May be null.

ExternalAccountCredentials

protected ExternalAccountCredentials(HttpTransportFactory transportFactory,
                                     String audience,
                                     String subjectTokenType,
                                     String tokenUrl,
                                     com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource credentialSource,
                                     @Nullable
                                     String tokenInfoUrl,
                                     @Nullable
                                     String serviceAccountImpersonationUrl,
                                     @Nullable
                                     String quotaProjectId,
                                     @Nullable
                                     String clientId,
                                     @Nullable
                                     String clientSecret,
                                     @Nullable
                                     Collection<String> scopes,
                                     @Nullable
                                     com.google.auth.oauth2.EnvironmentProvider environmentProvider)

See ExternalAccountCredentials(HttpTransportFactory, String, String, String, CredentialSource, String, String, String, String, String, Collection)

Parameters:

environmentProvider - the environment provider. May be null. Defaults to SystemEnvironmentProvider.

Method Detail

getRequestMetadata

public void getRequestMetadata(URI uri,
                               Executor executor,
                               RequestMetadataCallback callback)

Overrides:

getRequestMetadata in class OAuth2Credentials

getRequestMetadata

public Map<String,List<String>> getRequestMetadata(URI uri)
                                            throws IOException

Description copied from class: OAuth2Credentials

Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.

Overrides:

getRequestMetadata in class OAuth2Credentials

Throws:

IOException

fromStream

public static ExternalAccountCredentials fromStream(InputStream credentialsStream)
                                             throws IOException

Returns credentials defined by a JSON file stream.

Returns IdentityPoolCredentials or AwsCredentials.

Parameters:

credentialsStream - the stream with the credential definition

Returns:

the credential defined by the credentialsStream

Throws:

IOException - if the credential cannot be created from the stream

fromStream

public static ExternalAccountCredentials fromStream(InputStream credentialsStream,
                                                    HttpTransportFactory transportFactory)
                                             throws IOException

Returns credentials defined by a JSON file stream.

Returns a IdentityPoolCredentials or AwsCredentials.

Parameters:

credentialsStream - the stream with the credential definition

transportFactory - the HTTP transport factory used to create the transport to get access tokens

Returns:

the credential defined by the credentialsStream

Throws:

IOException - if the credential cannot be created from the stream

exchangeExternalCredentialForAccessToken

protected AccessToken exchangeExternalCredentialForAccessToken(com.google.auth.oauth2.StsTokenExchangeRequest stsTokenExchangeRequest)
                                                        throws IOException

Exchanges the external credential for a GCP access token.

Parameters:

stsTokenExchangeRequest - the STS token exchange request

Returns:

the access token returned by STS

Throws:

OAuthException - if the call to STS fails

IOException

retrieveSubjectToken

public abstract String retrieveSubjectToken()
                                     throws IOException

Retrieves the external subject token to be exchanged for a GCP access token.

Must be implemented by subclasses as the retrieval method is dependent on the credential source.

Returns:

the external subject token

Throws:

IOException

getAudience

public String getAudience()

getSubjectTokenType

public String getSubjectTokenType()

getTokenUrl

public String getTokenUrl()

getTokenInfoUrl

public String getTokenInfoUrl()

getCredentialSource

public com.google.auth.oauth2.ExternalAccountCredentials.CredentialSource getCredentialSource()

getServiceAccountImpersonationUrl

@Nullable
public String getServiceAccountImpersonationUrl()

getQuotaProjectId

@Nullable
public String getQuotaProjectId()

Specified by:

getQuotaProjectId in interface QuotaProjectIdProvider

Returns:

the quota project ID used for quota and billing purposes

getClientId

@Nullable
public String getClientId()

getClientSecret

@Nullable
public String getClientSecret()

getScopes

@Nullable
public Collection<String> getScopes()