Package com.google.auth.oauth2
Class DownscopedCredentials
Class hierarchy:
- java.lang.Object
  - com.google.auth.Credentials
    - com.google.auth.oauth2.OAuth2Credentials
      - com.google.auth.oauth2.DownscopedCredentials

All Implemented Interfaces:
- java.io.Serializable
public final class DownscopedCredentials extends OAuth2Credentials
DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage. To downscope permissions you must define a CredentialAccessBoundary, which specifies the upper bound of permissions that the credential can access. You must also provide a source credential, which will be used to acquire the downscoped credential.

Usage:

    // Source credential with broad scope; only the downscoped token derived from it is handed out.
    GoogleCredentials sourceCredentials =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    // Upper bound for the derived token: objectViewer on a single bucket.
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/bucket")
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .build();

    DownscopedCredentials downscopedCredentials =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(sourceCredentials)
            .setCredentialAccessBoundary(
                CredentialAccessBoundary.newBuilder().addRule(rule).build())
            .build();

    // Exchange the source token for the restricted one and use it as a plain OAuth2 credential.
    AccessToken accessToken = downscopedCredentials.refreshAccessToken();
    OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

    Storage storage =
        StorageOptions.newBuilder().setCredentials(credentials).build().getService();
    Blob blob = storage.get(BlobId.of("bucket", "object"));
    System.out.printf("Blob %s retrieved.", blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
- See Also:
- Serialized Form
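The automatic-refresh variant the description mentions, as an added example that is not part of the library's Javadoc: an OAuth2CredentialsWithRefresh wraps the downscoped token and re-runs the exchange through an OAuth2RefreshHandler whenever the short-lived token expires, so the broad source credential never has to be shared with the code that talks to Cloud Storage. The bucket name and object prefix are constructed sample values, and the AvailabilityCondition builder used to narrow the rule to a key prefix is assumed from the CredentialAccessBoundary API rather than shown on this page.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;

public final class DownscopedStorageClient {
  // Constructed sample values; replace with the real bucket and object prefix.
  private static final String BUCKET = "example-bucket";
  private static final String PREFIX = "customer-a/";

  // Returns a Storage client whose token can only read objects under PREFIX in BUCKET
  // and which re-runs the downscoping exchange whenever that token expires.
  public static Storage buildRestrictedClient() throws IOException {
    // Broad source credential; it stays in this process and is never handed out.
    GoogleCredentials sourceCredentials =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    // Upper bound: objectViewer on one bucket, narrowed to one key prefix by a CEL
    // availability condition (assumed API; AvailabilityCondition is not shown on this page).
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + BUCKET)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(
                CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
                    .setExpression("resource.name.startsWith('projects/_/buckets/"
                        + BUCKET + "/objects/" + PREFIX + "')")
                    .build())
            .build();

    DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(sourceCredentials)
            .setCredentialAccessBoundary(
                CredentialAccessBoundary.newBuilder().addRule(rule).build())
            .build();
    // OAuth2RefreshHandler has a single method, so the exchange itself is the handler.
    OAuth2CredentialsWithRefresh credentials =
        OAuth2CredentialsWithRefresh.newBuilder()
            .setAccessToken(downscoped.refreshAccessToken())
            .setRefreshHandler(downscoped::refreshAccessToken)
            .build();
    return StorageOptions.newBuilder().setCredentials(credentials).build().getService();
  }
}
```

The first refreshAccessToken() call performs the token exchange eagerly, so a misconfigured boundary or missing source credential fails at construction time rather than on the first storage request.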
Nested Class Summary
Nested Classes:
- static class DownscopedCredentials.Builder
Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials
OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener
Field Summary
Fields:
- private CredentialAccessBoundary credentialAccessBoundary
- private GoogleCredentials sourceCredential
- private java.lang.String TOKEN_EXCHANGE_URL_FORMAT
- private java.lang.String tokenExchangeEndpoint
- private HttpTransportFactory transportFactory
- private java.lang.String universeDomain
Fields inherited from class com.google.auth.oauth2.OAuth2Credentials
clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask
-
Fields inherited from class com.google.auth.Credentials
GOOGLE_DEFAULT_UNIVERSE
Constructor Summary
Constructors:
- private DownscopedCredentials(DownscopedCredentials.Builder builder)
  Internal constructor.
Method Summary
All Methods (static, instance, concrete):
- CredentialAccessBoundary getCredentialAccessBoundary()
- GoogleCredentials getSourceCredentials()
- (package private) HttpTransportFactory getTransportFactory()
- java.lang.String getUniverseDomain()
  Returns the universe domain for the credential.
- static DownscopedCredentials.Builder newBuilder()
- AccessToken refreshAccessToken()
  Method to refresh the access token according to the specific type of credentials.
Methods inherited from class com.google.auth.oauth2.OAuth2Credentials
addChangeListener, create, equals, getAccessToken, getAdditionalHeaders, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hashCode, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener, toBuilder, toString
-
Methods inherited from class com.google.auth.Credentials
blockingGetToCallback, getMetricsCredentialType, getRequestMetadata
Field Detail
-
TOKEN_EXCHANGE_URL_FORMAT
private final java.lang.String TOKEN_EXCHANGE_URL_FORMAT
- See Also:
- Constant Field Values
-
sourceCredential
private final GoogleCredentials sourceCredential
-
credentialAccessBoundary
private final CredentialAccessBoundary credentialAccessBoundary
-
universeDomain
private final java.lang.String universeDomain
-
transportFactory
private final transient HttpTransportFactory transportFactory
-
tokenExchangeEndpoint
private final java.lang.String tokenExchangeEndpoint
Constructor Detail
-
DownscopedCredentials
private DownscopedCredentials(DownscopedCredentials.Builder builder)
Internal constructor. See DownscopedCredentials.Builder.
Method Detail
-
refreshAccessToken
public AccessToken refreshAccessToken() throws java.io.IOException
Description copied from class: OAuth2Credentials
Method to refresh the access token according to the specific type of credentials. Throws IllegalStateException if not overridden, since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.
- Overrides:
refreshAccessToken in class OAuth2Credentials
- Returns:
- never
- Throws:
java.io.IOException
-
getSourceCredentials
public GoogleCredentials getSourceCredentials()
-
getCredentialAccessBoundary
public CredentialAccessBoundary getCredentialAccessBoundary()
-
getUniverseDomain
public java.lang.String getUniverseDomain()
Returns the universe domain for the credential.
- Overrides:
getUniverseDomain in class Credentials
- Returns:
- An explicit universe domain if it was explicitly provided, otherwise the default Google universe will be returned.
-
getTransportFactory
HttpTransportFactory getTransportFactory()
-
newBuilder
public static DownscopedCredentials.Builder newBuilder()