Class ExternalAccountCredentials

- java.lang.Object
  - com.google.auth.Credentials
    - com.google.auth.oauth2.OAuth2Credentials
      - com.google.auth.oauth2.GoogleCredentials
        - com.google.auth.oauth2.ExternalAccountCredentials

- All Implemented Interfaces: QuotaProjectIdProvider, java.io.Serializable
- Direct Known Subclasses: AwsCredentials, IdentityPoolCredentials, PluggableAuthCredentials

public abstract class ExternalAccountCredentials extends GoogleCredentials

Base external account credentials class. Handles initializing external credentials, calls to the Security Token Service, and service account impersonation.

- See Also: Serialized Form
Nested Class Summary

Nested Classes (Modifier and Type, Class, Description):
- static class ExternalAccountCredentials.Builder: Base builder for external account credentials.
- (package private) static class ExternalAccountCredentials.CredentialSource: Base credential source class.
- (package private) static class ExternalAccountCredentials.ServiceAccountImpersonationOptions: Encapsulates the service account impersonation options portion of the configuration for ExternalAccountCredentials.
- static class ExternalAccountCredentials.SubjectTokenTypes: Enum specifying values for the subjectTokenType field in ExternalAccountCredentials.

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials:
- OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener
Field Summary

Fields (Modifier and Type, Field):
- private java.lang.String audience
- private java.lang.String clientId
- private java.lang.String clientSecret
- private static java.lang.String CLOUD_PLATFORM_SCOPE
- private ExternalAccountCredentials.CredentialSource credentialSource
- (package private) static java.lang.String DEFAULT_TOKEN_URL
- private EnvironmentProvider environmentProvider
- (package private) static java.lang.String EXECUTABLE_SOURCE_KEY
- (package private) static java.lang.String EXTERNAL_ACCOUNT_FILE_TYPE
- protected ImpersonatedCredentials impersonatedCredentials
- private ExternalAccountMetricsHandler metricsHandler
- (package private) static java.lang.String PROGRAMMATIC_METRICS_HEADER_VALUE
- private java.util.Collection<java.lang.String> scopes
- private static long serialVersionUID
- private ExternalAccountCredentials.ServiceAccountImpersonationOptions serviceAccountImpersonationOptions
- private java.lang.String serviceAccountImpersonationUrl
- private java.lang.String subjectTokenType
- private java.lang.String tokenInfoUrl
- private java.lang.String tokenUrl
- protected HttpTransportFactory transportFactory
- private java.lang.String transportFactoryClassName
- private java.lang.String workforcePoolUserProject

Fields inherited from class com.google.auth.oauth2.GoogleCredentials:
- GDCH_SERVICE_ACCOUNT_FILE_TYPE, QUOTA_PROJECT_ID_HEADER_KEY, quotaProjectId, SERVICE_ACCOUNT_FILE_TYPE, USER_FILE_TYPE

Fields inherited from class com.google.auth.oauth2.OAuth2Credentials:
- clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask

Fields inherited from class com.google.auth.Credentials:
- GOOGLE_DEFAULT_UNIVERSE
Constructor Summary

Constructors (Modifier, Constructor, Description):
- protected ExternalAccountCredentials(HttpTransportFactory transportFactory, java.lang.String audience, java.lang.String subjectTokenType, java.lang.String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, java.lang.String tokenInfoUrl, java.lang.String serviceAccountImpersonationUrl, java.lang.String quotaProjectId, java.lang.String clientId, java.lang.String clientSecret, java.util.Collection<java.lang.String> scopes): Constructor with minimum identifying information and custom HTTP transport.
- protected ExternalAccountCredentials(HttpTransportFactory transportFactory, java.lang.String audience, java.lang.String subjectTokenType, java.lang.String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, java.lang.String tokenInfoUrl, java.lang.String serviceAccountImpersonationUrl, java.lang.String quotaProjectId, java.lang.String clientId, java.lang.String clientSecret, java.util.Collection<java.lang.String> scopes, EnvironmentProvider environmentProvider): Constructor with minimum identifying information and custom HTTP transport.
- protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder): Internal constructor with minimum identifying information and custom HTTP transport.
Method Summary

All Methods (Modifier and Type, Method, Description):
- (package private) ImpersonatedCredentials buildImpersonatedCredentials()
- protected AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest): Exchanges the external credential for a Google Cloud access token.
- (package private) static ExternalAccountCredentials fromJson(java.util.Map<java.lang.String,java.lang.Object> json, HttpTransportFactory transportFactory): Returns external account credentials defined by JSON using the format generated by gCloud.
- static ExternalAccountCredentials fromStream(java.io.InputStream credentialsStream): Returns credentials defined by a JSON file stream.
- static ExternalAccountCredentials fromStream(java.io.InputStream credentialsStream, HttpTransportFactory transportFactory): Returns credentials defined by a JSON file stream.
- java.lang.String getAudience()
- java.lang.String getClientId()
- java.lang.String getClientSecret()
- ExternalAccountCredentials.CredentialSource getCredentialSource()
- (package private) java.lang.String getCredentialSourceType()
- (package private) EnvironmentProvider getEnvironmentProvider()
- java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadata(java.net.URI uri): Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
- void getRequestMetadata(java.net.URI uri, java.util.concurrent.Executor executor, RequestMetadataCallback callback): Get the current request metadata without blocking.
- java.util.Collection<java.lang.String> getScopes()
- java.lang.String getServiceAccountEmail()
- ExternalAccountCredentials.ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions()
- java.lang.String getServiceAccountImpersonationUrl()
- java.lang.String getSubjectTokenType()
- java.lang.String getTokenInfoUrl()
- java.lang.String getTokenUrl()
- java.lang.String getUniverseDomain(): Gets the universe domain for the credential.
- java.lang.String getWorkforcePoolUserProject()
- private static boolean isAwsCredential(java.util.Map<java.lang.String,java.lang.Object> credentialSource)
- private static boolean isPluggableAuthCredential(java.util.Map<java.lang.String,java.lang.Object> credentialSource)
- private static boolean isValidUrl(java.lang.String url): Returns true if the provided URL's scheme is valid and is HTTPS.
- boolean isWorkforcePoolConfiguration()
- private void readObject(java.io.ObjectInputStream input)
- abstract java.lang.String retrieveSubjectToken(): Retrieves the external subject token to be exchanged for a Google Cloud access token.
- private boolean shouldBuildImpersonatedCredential()
- (package private) static void validateServiceAccountImpersonationInfoUrl(java.lang.String serviceAccountImpersonationUrl)
- (package private) static void validateTokenUrl(java.lang.String tokenUrl)

Methods inherited from class com.google.auth.oauth2.GoogleCredentials:
- addQuotaProjectIdToRequestMetadata, create, create, createDelegated, createScoped, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, equals, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, hashCode, isDefaultUniverseDomain, isExplicitUniverseDomain, newBuilder, toBuilder, toString, toStringHelper

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials:
- addChangeListener, getAccessToken, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshAccessToken, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials:
- blockingGetToCallback, getMetricsCredentialType, getRequestMetadata
Field Detail

serialVersionUID
private static final long serialVersionUID
- See Also: Constant Field Values

CLOUD_PLATFORM_SCOPE
private static final java.lang.String CLOUD_PLATFORM_SCOPE
- See Also: Constant Field Values

EXTERNAL_ACCOUNT_FILE_TYPE
static final java.lang.String EXTERNAL_ACCOUNT_FILE_TYPE
- See Also: Constant Field Values

EXECUTABLE_SOURCE_KEY
static final java.lang.String EXECUTABLE_SOURCE_KEY
- See Also: Constant Field Values

DEFAULT_TOKEN_URL
static final java.lang.String DEFAULT_TOKEN_URL
- See Also: Constant Field Values

PROGRAMMATIC_METRICS_HEADER_VALUE
static final java.lang.String PROGRAMMATIC_METRICS_HEADER_VALUE
- See Also: Constant Field Values

transportFactoryClassName
private final java.lang.String transportFactoryClassName

audience
private final java.lang.String audience

subjectTokenType
private final java.lang.String subjectTokenType

tokenUrl
private final java.lang.String tokenUrl

credentialSource
private final ExternalAccountCredentials.CredentialSource credentialSource

scopes
private final java.util.Collection<java.lang.String> scopes

serviceAccountImpersonationOptions
private final ExternalAccountCredentials.ServiceAccountImpersonationOptions serviceAccountImpersonationOptions

metricsHandler
private ExternalAccountMetricsHandler metricsHandler

tokenInfoUrl
@Nullable private final java.lang.String tokenInfoUrl

serviceAccountImpersonationUrl
@Nullable private final java.lang.String serviceAccountImpersonationUrl

clientId
@Nullable private final java.lang.String clientId

clientSecret
@Nullable private final java.lang.String clientSecret

workforcePoolUserProject
@Nullable private final java.lang.String workforcePoolUserProject

transportFactory
protected transient HttpTransportFactory transportFactory

impersonatedCredentials
@Nullable protected ImpersonatedCredentials impersonatedCredentials

environmentProvider
private EnvironmentProvider environmentProvider
Constructor Detail

ExternalAccountCredentials
protected ExternalAccountCredentials(HttpTransportFactory transportFactory, java.lang.String audience, java.lang.String subjectTokenType, java.lang.String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, @Nullable java.lang.String tokenInfoUrl, @Nullable java.lang.String serviceAccountImpersonationUrl, @Nullable java.lang.String quotaProjectId, @Nullable java.lang.String clientId, @Nullable java.lang.String clientSecret, @Nullable java.util.Collection<java.lang.String> scopes)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.
- Parameters:
  - transportFactory - HTTP transport factory, creates the transport used to get access tokens
  - audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
  - subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
  - tokenUrl - the Security Token Service token exchange endpoint
  - tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.
  - credentialSource - the external credential source
  - serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
  - quotaProjectId - the project used for quota and billing purposes. May be null.
  - clientId - client ID of the service account from the console. May be null.
  - clientSecret - client secret of the service account from the console. May be null.
  - scopes - the scopes to request during the authorization grant. May be null.

ExternalAccountCredentials
protected ExternalAccountCredentials(HttpTransportFactory transportFactory, java.lang.String audience, java.lang.String subjectTokenType, java.lang.String tokenUrl, ExternalAccountCredentials.CredentialSource credentialSource, @Nullable java.lang.String tokenInfoUrl, @Nullable java.lang.String serviceAccountImpersonationUrl, @Nullable java.lang.String quotaProjectId, @Nullable java.lang.String clientId, @Nullable java.lang.String clientSecret, @Nullable java.util.Collection<java.lang.String> scopes, @Nullable EnvironmentProvider environmentProvider)

Constructor with minimum identifying information and custom HTTP transport. Does not support workforce credentials.
- Parameters:
  - transportFactory - HTTP transport factory, creates the transport used to get access tokens
  - audience - the Security Token Service audience, which is usually the fully specified resource name of the workload/workforce pool provider
  - subjectTokenType - the Security Token Service subject token type based on the OAuth 2.0 token exchange spec. Indicates the type of the security token in the credential file
  - tokenUrl - the Security Token Service token exchange endpoint
  - tokenInfoUrl - the endpoint used to retrieve account related information. Required for gCloud session account identification.
  - credentialSource - the external credential source
  - serviceAccountImpersonationUrl - the URL for the service account impersonation request. This URL is required for some APIs. If this URL is not available, the access token from the Security Token Service is used directly. May be null.
  - quotaProjectId - the project used for quota and billing purposes. May be null.
  - clientId - client ID of the service account from the console. May be null.
  - clientSecret - client secret of the service account from the console. May be null.
  - scopes - the scopes to request during the authorization grant. May be null.
  - environmentProvider - the environment provider. May be null. Defaults to SystemEnvironmentProvider.

ExternalAccountCredentials
protected ExternalAccountCredentials(ExternalAccountCredentials.Builder builder)

Internal constructor with minimum identifying information and custom HTTP transport. See ExternalAccountCredentials.Builder.
- Parameters:
  - builder - the Builder object used to construct the credentials.
Method Detail

buildImpersonatedCredentials
ImpersonatedCredentials buildImpersonatedCredentials()

getRequestMetadata
public void getRequestMetadata(java.net.URI uri, java.util.concurrent.Executor executor, RequestMetadataCallback callback)

Description copied from class: Credentials

Get the current request metadata without blocking. This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.

The default implementation will just call Credentials.getRequestMetadata(URI) then the callback from the given executor. The convention for handling binary data is for the key in the returned map to end with "-bin" and for the corresponding values to be base64 encoded.
- Overrides: getRequestMetadata in class OAuth2Credentials
- Parameters:
  - uri - URI of the entry point for the request.
  - executor - Executor to perform the request.
  - callback - Callback to execute when the request is finished.

getUniverseDomain
public java.lang.String getUniverseDomain()

Description copied from class: GoogleCredentials

Gets the universe domain for the credential.
- Overrides: getUniverseDomain in class GoogleCredentials
- Returns: An explicit universe domain if it was explicitly provided, invokes the super implementation otherwise

getRequestMetadata
public java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadata(java.net.URI uri) throws java.io.IOException

Description copied from class: OAuth2Credentials

Provide the request metadata by ensuring there is a current access token and providing it as an authorization bearer token.
- Overrides: getRequestMetadata in class OAuth2Credentials
- Parameters:
  - uri - URI of the entry point for the request.
- Returns: The request metadata used for populating headers or other context.
- Throws:
  - java.io.IOException - if there was an error getting up-to-date access. The exception should implement Retryable and isRetryable() will return true if the operation may be retried.

fromStream
public static ExternalAccountCredentials fromStream(java.io.InputStream credentialsStream) throws java.io.IOException

Returns credentials defined by a JSON file stream. Returns IdentityPoolCredentials or AwsCredentials.
- Parameters:
  - credentialsStream - the stream with the credential definition
- Returns: the credential defined by the credentialsStream
- Throws:
  - java.io.IOException - if the credential cannot be created from the stream

fromStream
public static ExternalAccountCredentials fromStream(java.io.InputStream credentialsStream, HttpTransportFactory transportFactory) throws java.io.IOException

Returns credentials defined by a JSON file stream. Returns an IdentityPoolCredentials or AwsCredentials.
- Parameters:
  - credentialsStream - the stream with the credential definition
  - transportFactory - the HTTP transport factory used to create the transport to get access tokens
- Returns: the credential defined by the credentialsStream
- Throws:
  - java.io.IOException - if the credential cannot be created from the stream
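As an added example (not code from this page or from the google-auth-library-java project), the following loads an external_account configuration through fromStream as documented above, inspects the parsed credential through its public getters, and applies the same HTTPS requirement to token_url and service_account_impersonation_url that this page documents for the private isValidUrl helper, so that a subject token or the exchanged access token is never sent to a plaintext endpoint. The sample JSON and its audience project number, pool and provider names and token file path are constructed placeholders; the class ExternalAccountCheck and the methods isHttps and loadAndCheck are names introduced here.

```java
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.GoogleCredentials;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class ExternalAccountCheck {

  // Constructed sample in the gCloud-generated external_account format.
  // The project number, pool, provider and token file path are placeholders.
  // With a file-based credential_source, fromStream yields IdentityPoolCredentials.
  private static final String SAMPLE_CONFIG = String.join("\n",
      "{",
      "  \"type\": \"external_account\",",
      "  \"audience\": \"//iam.googleapis.com/projects/000000000000/locations/global/"
          + "workloadIdentityPools/example-pool/providers/example-provider\",",
      "  \"subject_token_type\": \"urn:ietf:params:oauth:token-type:jwt\",",
      "  \"token_url\": \"https://sts.googleapis.com/v1/token\",",
      "  \"credential_source\": { \"file\": \"/var/run/secrets/example/subject-token\" }",
      "}");

  // Same rule the page states for isValidUrl: the scheme must parse and be HTTPS.
  static boolean isHttps(String url) {
    if (url == null) {
      return false;
    }
    try {
      String scheme = URI.create(url).getScheme();
      return scheme != null && scheme.equalsIgnoreCase("https");
    } catch (IllegalArgumentException e) {
      return false;
    }
  }

  // Parses the configuration and rejects any endpoint that is not HTTPS before
  // the credential is ever used. The library validates this too; checking at the
  // call site gives a clear error at startup instead of at first token refresh.
  static ExternalAccountCredentials loadAndCheck(InputStream config) throws IOException {
    ExternalAccountCredentials creds = ExternalAccountCredentials.fromStream(config);
    if (!isHttps(creds.getTokenUrl())) {
      throw new IOException("token_url must be HTTPS: " + creds.getTokenUrl());
    }
    String impersonationUrl = creds.getServiceAccountImpersonationUrl();
    if (impersonationUrl != null && !isHttps(impersonationUrl)) {
      throw new IOException(
          "service_account_impersonation_url must be HTTPS: " + impersonationUrl);
    }
    return creds;
  }

  public static void main(String[] args) throws IOException {
    InputStream in = new ByteArrayInputStream(SAMPLE_CONFIG.getBytes(StandardCharsets.UTF_8));
    ExternalAccountCredentials creds = loadAndCheck(in);

    System.out.println("credential class:   " + creds.getClass().getSimpleName());
    System.out.println("audience:           " + creds.getAudience());
    System.out.println("subject token type: " + creds.getSubjectTokenType());
    System.out.println("STS endpoint:       " + creds.getTokenUrl());
    System.out.println("workforce pool:     " + creds.isWorkforcePoolConfiguration());
    // No impersonation URL in the sample, so the STS token is used directly and
    // getServiceAccountEmail() returns null.
    System.out.println("impersonated SA:    " + creds.getServiceAccountEmail());

    // createScoped returns a new, scoped GoogleCredentials instance.
    GoogleCredentials scoped = creds.createScoped(
        Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"));

    // getRequestMetadata triggers retrieveSubjectToken() and the STS exchange.
    // It needs the subject token file and network access, so an offline run
    // ends in the IOException branch rather than in a bearer header.
    try {
      Map<String, List<String>> headers =
          scoped.getRequestMetadata(URI.create("https://storage.googleapis.com/"));
      System.out.println("Authorization header present: " + headers.containsKey("Authorization"));
    } catch (IOException e) {
      System.out.println("token exchange not possible here: " + e.getMessage());
    }
  }
}
```

Compile against the google-auth-library-oauth2-http artifact. With a real configuration file, replace SAMPLE_CONFIG by a FileInputStream on that file; the parse and HTTPS checks stay offline, and only the getRequestMetadata call contacts the Security Token Service.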
fromJson
static ExternalAccountCredentials fromJson(java.util.Map<java.lang.String,java.lang.Object> json, HttpTransportFactory transportFactory)

Returns external account credentials defined by JSON using the format generated by gCloud.
- Parameters:
  - json - a map from the JSON representing the credentials
  - transportFactory - HTTP transport factory, creates the transport used to get access tokens
- Returns: the credentials defined by the JSON

isPluggableAuthCredential
private static boolean isPluggableAuthCredential(java.util.Map<java.lang.String,java.lang.Object> credentialSource)

isAwsCredential
private static boolean isAwsCredential(java.util.Map<java.lang.String,java.lang.Object> credentialSource)

shouldBuildImpersonatedCredential
private boolean shouldBuildImpersonatedCredential()

exchangeExternalCredentialForAccessToken
protected AccessToken exchangeExternalCredentialForAccessToken(StsTokenExchangeRequest stsTokenExchangeRequest) throws java.io.IOException

Exchanges the external credential for a Google Cloud access token.
- Parameters:
  - stsTokenExchangeRequest - the Security Token Service token exchange request
- Returns: the access token returned by the Security Token Service
- Throws:
  - OAuthException - if the call to the Security Token Service fails
  - java.io.IOException

retrieveSubjectToken
public abstract java.lang.String retrieveSubjectToken() throws java.io.IOException

Retrieves the external subject token to be exchanged for a Google Cloud access token. Must be implemented by subclasses as the retrieval method is dependent on the credential source.
- Returns: the external subject token
- Throws:
  - java.io.IOException - if the subject token cannot be retrieved

getAudience
public java.lang.String getAudience()

getSubjectTokenType
public java.lang.String getSubjectTokenType()

getTokenUrl
public java.lang.String getTokenUrl()

getTokenInfoUrl
public java.lang.String getTokenInfoUrl()

getCredentialSource
public ExternalAccountCredentials.CredentialSource getCredentialSource()

readObject
private void readObject(java.io.ObjectInputStream input) throws java.io.IOException, java.lang.ClassNotFoundException
- Throws:
  - java.io.IOException
  - java.lang.ClassNotFoundException

getServiceAccountImpersonationUrl
@Nullable public java.lang.String getServiceAccountImpersonationUrl()

getServiceAccountEmail
@Nullable public java.lang.String getServiceAccountEmail()
- Returns: The service account email to be impersonated, if available

getClientId
@Nullable public java.lang.String getClientId()

getClientSecret
@Nullable public java.lang.String getClientSecret()

getScopes
@Nullable public java.util.Collection<java.lang.String> getScopes()

getWorkforcePoolUserProject
@Nullable public java.lang.String getWorkforcePoolUserProject()

getServiceAccountImpersonationOptions
@Nullable public ExternalAccountCredentials.ServiceAccountImpersonationOptions getServiceAccountImpersonationOptions()

getCredentialSourceType
java.lang.String getCredentialSourceType()

getEnvironmentProvider
EnvironmentProvider getEnvironmentProvider()

isWorkforcePoolConfiguration
public boolean isWorkforcePoolConfiguration()
- Returns: whether the current configuration is for Workforce Pools (which enable 3p user identities, rather than workloads)

validateTokenUrl
static void validateTokenUrl(java.lang.String tokenUrl)

validateServiceAccountImpersonationInfoUrl
static void validateServiceAccountImpersonationInfoUrl(java.lang.String serviceAccountImpersonationUrl)

isValidUrl
private static boolean isValidUrl(java.lang.String url)

Returns true if the provided URL's scheme is valid and is HTTPS.