Class PluggableAuthCredentials
- java.lang.Object
  - com.google.auth.Credentials
    - com.google.auth.oauth2.OAuth2Credentials
      - com.google.auth.oauth2.GoogleCredentials
        - com.google.auth.oauth2.ExternalAccountCredentials
          - com.google.auth.oauth2.PluggableAuthCredentials
- All Implemented Interfaces:
  QuotaProjectIdProvider, java.io.Serializable
public class PluggableAuthCredentials extends ExternalAccountCredentials
PluggableAuthCredentials enables the exchange of workload identity pool external credentials for Google access tokens by retrieving third-party tokens through a user-supplied executable. These scripts/executables are completely independent of the Google Cloud Auth libraries. These credentials plug into Application Default Credentials (ADC) and call the specified executable to retrieve the third-party token, which is then exchanged for a Google access token.

To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable must be set to '1'. This opt-in exists for security reasons: the command to run is taken from the credential source configuration, so without the explicit opt-in a credential configuration file placed or modified on the host could by itself make the auth library execute an arbitrary command.
Both OIDC and SAML are supported. The executable must adhere to a specific response format defined below.
The executable must print out the 3rd party token to STDOUT in JSON format. When an output_file is specified in the credential configuration, the executable must also handle writing the JSON response to this file.
OIDC response sample:
    {
      "version": 1,
      "success": true,
      "token_type": "urn:ietf:params:oauth:token-type:id_token",
      "id_token": "HEADER.PAYLOAD.SIGNATURE",
      "expiration_time": 1620433341
    }

SAML2 response sample:
    {
      "version": 1,
      "success": true,
      "token_type": "urn:ietf:params:oauth:token-type:saml2",
      "saml_response": "...",
      "expiration_time": 1620433341
    }

Error response sample:
    {
      "version": 1,
      "success": false,
      "code": "401",
      "message": "Error message."
    }
The `expiration_time` field in the JSON response is only required for successful responses when an output file was specified in the credential configuration.
The auth libraries will populate certain environment variables that will be accessible by the executable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE, GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, and GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.
Please see this repository's README for the complete executable request/response specification.
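The following is an added example of an executable that satisfies the contract described above; it is not code from google-auth-library-java or from the README. It reads the request from the GOOGLE_EXTERNAL_ACCOUNT_* variables the library sets, emits the OIDC or SAML2 success response (or the error response) as JSON on STDOUT, and also writes the JSON to GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE when that variable is set. The identity-provider call (`fetch_third_party_token`) is a constructed placeholder, the `0600` file mode is the author's own hardening choice, and exit-status handling is assumed (failure is signalled through the JSON body and the process always exits 0); none of these are specified on this page.

```python
"""Pluggable-auth executable skeleton (added example; not code from
google-auth-library-java).

It reads the request from the GOOGLE_EXTERNAL_ACCOUNT_* variables the library
sets, produces a response in the documented JSON shape, prints it to STDOUT
and, when GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE is set, writes the same JSON to
that file. The identity-provider call is a constructed placeholder.
"""
import json
import os
import sys
import time

ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
SAML2_TYPE = "urn:ietf:params:oauth:token-type:saml2"


def fetch_third_party_token(token_type, audience, impersonated_email=None):
    """Constructed placeholder for the call to the third-party identity provider.

    A real executable would request a fresh OIDC ID token or SAML assertion for
    `audience` here. Returns (token, expiration_time as Unix seconds).
    """
    expiration_time = int(time.time()) + 3600
    if token_type == ID_TOKEN_TYPE:
        return "HEADER.PAYLOAD.SIGNATURE", expiration_time
    if token_type == SAML2_TYPE:
        return "<saml2p:Response>...</saml2p:Response>", expiration_time
    raise ValueError("unsupported token type: %s" % token_type)


def build_success(token_type, token, expiration_time):
    """Success response: version, success, token_type, the token field that
    matches token_type, and expiration_time (required by the contract only when
    an output file is configured, but always emitting it is harmless)."""
    response = {
        "version": 1,
        "success": True,
        "token_type": token_type,
        "expiration_time": expiration_time,
    }
    if token_type == ID_TOKEN_TYPE:
        response["id_token"] = token
    elif token_type == SAML2_TYPE:
        response["saml_response"] = token
    else:
        raise ValueError("unsupported token type: %s" % token_type)
    return response


def build_error(code, message):
    """Error response: success=false with a code and a message."""
    return {"version": 1, "success": False, "code": str(code), "message": message}


def write_output_file(path, response):
    """Persist the response for the library to read back later. The file holds
    a bearer credential, so create it readable by the owner only (mode 0600;
    this restriction is the example's choice, not a requirement of the page)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(response, fh)


def handle_request(env):
    """Serve one request described by `env` (normally os.environ; any mapping
    works, which keeps the logic testable). Returns the response dict."""
    audience = env.get("GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE")
    token_type = env.get("GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE")
    impersonated = env.get("GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL")
    output_file = env.get("GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE")
    if not audience or not token_type:
        return build_error("400", "GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE and "
                           "GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE are required")
    try:
        token, expiration_time = fetch_third_party_token(token_type, audience, impersonated)
        response = build_success(token_type, token, expiration_time)
    except ValueError as exc:
        return build_error("400", str(exc))
    if output_file:
        write_output_file(output_file, response)
    return response


if __name__ == "__main__":
    # Only the JSON document may go to STDOUT; diagnostics belong on STDERR.
    result = handle_request(os.environ)
    if not result["success"]:
        sys.stderr.write("pluggable auth executable failed: %s\n" % result["message"])
    sys.stdout.write(json.dumps(result) + "\n")
```

To try it, point the executable command in the credential source at this script, export GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1, and let the library invoke it; the library reads the JSON from STDOUT, so anything else printed there (debug output, banners) breaks parsing, which is why diagnostics go to STDERR. Missing or unknown request variables produce the documented error shape rather than a stack trace, so the library sees a well-formed failure.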
- See Also:
  Serialized Form
Nested Class Summary
Nested Classes:
  static class PluggableAuthCredentials.Builder
Nested classes/interfaces inherited from class com.google.auth.oauth2.ExternalAccountCredentials:
  ExternalAccountCredentials.CredentialSource, ExternalAccountCredentials.ServiceAccountImpersonationOptions, ExternalAccountCredentials.SubjectTokenTypes
Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials:
  OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener
Field Summary
Fields:
  private PluggableAuthCredentialSource config
  private ExecutableHandler handler
  (package private) static java.lang.String PLUGGABLE_AUTH_METRICS_HEADER_VALUE
Fields inherited from class com.google.auth.oauth2.ExternalAccountCredentials:
  DEFAULT_TOKEN_URL, EXECUTABLE_SOURCE_KEY, EXTERNAL_ACCOUNT_FILE_TYPE, impersonatedCredentials, PROGRAMMATIC_METRICS_HEADER_VALUE, transportFactory
Fields inherited from class com.google.auth.oauth2.GoogleCredentials:
  GDCH_SERVICE_ACCOUNT_FILE_TYPE, QUOTA_PROJECT_ID_HEADER_KEY, quotaProjectId, SERVICE_ACCOUNT_FILE_TYPE, USER_FILE_TYPE
Fields inherited from class com.google.auth.oauth2.OAuth2Credentials:
  clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask
Fields inherited from class com.google.auth.Credentials:
  GOOGLE_DEFAULT_UNIVERSE
Constructor Summary
Constructors:
  PluggableAuthCredentials(PluggableAuthCredentials.Builder builder)
    Internal constructor.
Method Summary
Methods:
  PluggableAuthCredentials createScoped(java.util.Collection<java.lang.String> newScopes)
    Clones the PluggableAuthCredentials with the specified scopes.
  (package private) java.lang.String getCredentialSourceType()
  (package private) ExecutableHandler getExecutableHandler()
  static PluggableAuthCredentials.Builder newBuilder()
  static PluggableAuthCredentials.Builder newBuilder(PluggableAuthCredentials pluggableAuthCredentials)
  AccessToken refreshAccessToken()
    Method to refresh the access token according to the specific type of credentials.
  java.lang.String retrieveSubjectToken()
    Returns the third-party subject token by calling the executable specified in the credential source.
Methods inherited from class com.google.auth.oauth2.ExternalAccountCredentials:
  buildImpersonatedCredentials, exchangeExternalCredentialForAccessToken, fromJson, fromStream, fromStream, getAudience, getClientId, getClientSecret, getCredentialSource, getEnvironmentProvider, getRequestMetadata, getRequestMetadata, getScopes, getServiceAccountEmail, getServiceAccountImpersonationOptions, getServiceAccountImpersonationUrl, getSubjectTokenType, getTokenInfoUrl, getTokenUrl, getUniverseDomain, getWorkforcePoolUserProject, isWorkforcePoolConfiguration, validateServiceAccountImpersonationInfoUrl, validateTokenUrl
Methods inherited from class com.google.auth.oauth2.GoogleCredentials:
  addQuotaProjectIdToRequestMetadata, create, create, createDelegated, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, equals, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, hashCode, isDefaultUniverseDomain, isExplicitUniverseDomain, toBuilder, toString, toStringHelper
Methods inherited from class com.google.auth.oauth2.OAuth2Credentials:
  addChangeListener, getAccessToken, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener
Methods inherited from class com.google.auth.Credentials:
  blockingGetToCallback, getMetricsCredentialType, getRequestMetadata
Field Detail
PLUGGABLE_AUTH_METRICS_HEADER_VALUE
  static final java.lang.String PLUGGABLE_AUTH_METRICS_HEADER_VALUE
  - See Also: Constant Field Values
config
  private final PluggableAuthCredentialSource config
handler
  private final ExecutableHandler handler
Constructor Detail
PluggableAuthCredentials
  PluggableAuthCredentials(PluggableAuthCredentials.Builder builder)
  Internal constructor. See PluggableAuthCredentials.Builder.
Method Detail
refreshAccessToken
  public AccessToken refreshAccessToken() throws java.io.IOException
  Description copied from class: OAuth2Credentials
  Method to refresh the access token according to the specific type of credentials. Throws IllegalStateException if not overridden, since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.
  - Overrides: refreshAccessToken in class OAuth2Credentials
  - Returns: never (this return description is copied from the OAuth2Credentials base method, which always throws; the override here returns an AccessToken, as its signature shows)
  - Throws: java.io.IOException
retrieveSubjectToken
  public java.lang.String retrieveSubjectToken() throws java.io.IOException
  Returns the third-party subject token by calling the executable specified in the credential source.
  - Specified by: retrieveSubjectToken in class ExternalAccountCredentials
  - Returns: the external subject token
  - Throws: java.io.IOException if an error occurs with the executable execution.
createScoped
  public PluggableAuthCredentials createScoped(java.util.Collection<java.lang.String> newScopes)
  Clones the PluggableAuthCredentials with the specified scopes.
  - Overrides: createScoped in class GoogleCredentials
  - Parameters: newScopes - Collection of scopes to request.
  - Returns: GoogleCredentials with requested scopes.
getCredentialSourceType
  java.lang.String getCredentialSourceType()
  - Overrides: getCredentialSourceType in class ExternalAccountCredentials
newBuilder
  public static PluggableAuthCredentials.Builder newBuilder()
newBuilder
  public static PluggableAuthCredentials.Builder newBuilder(PluggableAuthCredentials pluggableAuthCredentials)
getExecutableHandler
  @Nullable ExecutableHandler getExecutableHandler()