Class IdTokenCredentials

  • All Implemented Interfaces:
    java.io.Serializable

    public class IdTokenCredentials
    extends OAuth2Credentials
    IdTokenCredentials provides a Google-issued OpenID Connect (OIDC) ID token.
    Use an ID token to access services that require an ID token for authentication, such as Cloud Functions or Cloud Run.
    The following credential subclasses support ID tokens: ServiceAccountCredentials, ComputeEngineCredentials, ImpersonatedCredentials.

    For more information see
    Usage:

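     // Sample values: substitute your own key file path and the URL of the service you call.
     // A service-account key file is a long-lived secret; keep it out of source control
     // and readable only by the account that runs this code.
     String credPath = "/path/to/svc_account.json";
     // The target audience ends up in the token's audience claim (printed at the end of
     // this example). Set it to the exact URL of the receiving service so that a token
     // minted for one service is not accepted by another.
     String targetAudience = "https://example.com";

     // The four sections below are alternatives: use the one that matches your source
     // credential and build a single tokenCredential from it.

     // For Application Default Credentials (as ServiceAccountCredentials)
     // export GOOGLE_APPLICATION_CREDENTIALS=/path/to/svc.json
     GoogleCredentials adcCreds = GoogleCredentials.getApplicationDefault();
     // The instanceof test must be parenthesized: "!adcCreds instanceof X" applies
     // '!' to adcCreds itself and does not compile.
     if (!(adcCreds instanceof IdTokenProvider)) {
       // handle error message: these credentials cannot mint ID tokens, so stop here
     }

     // The builder takes an IdTokenProvider, so the checked credential is cast explicitly.
     IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
         .setIdTokenProvider((IdTokenProvider) adcCreds)
         .setTargetAudience(targetAudience).build();

     // for ServiceAccountCredentials
     ServiceAccountCredentials saCreds;
     // Close the key file as soon as the credential has been parsed.
     try (FileInputStream keyStream = new FileInputStream(credPath)) {
       saCreds = ServiceAccountCredentials.fromStream(keyStream);
     }
     saCreds = (ServiceAccountCredentials) saCreds.createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));
     IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
         .setIdTokenProvider(saCreds)
         .setTargetAudience(targetAudience).build();

     // for ComputeEngineCredentials
     ComputeEngineCredentials caCreds = ComputeEngineCredentials.create();
     IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
         .setIdTokenProvider(caCreds)
         .setTargetAudience(targetAudience)
         .setOptions(Arrays.asList(ComputeEngineCredentials.ID_TOKEN_FORMAT_FULL))
         .build();

     // for ImpersonatedCredentials
     // Arguments: source credential, target service account, delegates (none),
     // scopes, lifetime in seconds. Grant the source credential only the permission it
     // needs to impersonate this one target account, and keep the lifetime short.
     ImpersonatedCredentials imCreds = ImpersonatedCredentials.create(saCreds,
         "impersonated-account@project.iam.gserviceaccount.com", null,
         Arrays.asList("https://www.googleapis.com/auth/cloud-platform"), 300);
     IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
         .setIdTokenProvider(imCreds)
         .setTargetAudience(targetAudience)
         .setOptions(Arrays.asList(ImpersonatedCredentials.INCLUDE_EMAIL))
         .build();

     // Use the IdTokenCredential in an authorized transport
     // The adapter attaches the token to every request built by this factory, so only
     // send requests to the service named in targetAudience.
     GenericUrl genericUrl = new GenericUrl("https://example.com");
     HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
     HttpTransport transport = new NetHttpTransport();
     HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
     HttpResponse response = request.execute();

     // Print the token, expiration and the audience
     // The token value is a bearer credential: print it only while debugging locally and
     // keep it out of application logs. The audience and expiration are safe to log.
     System.out.println(tokenCredential.getIdToken().getTokenValue());
     System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudienceAsList());
     System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getExpirationTimeSeconds());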
     
    See Also:
    Serialized Form