Class ServiceAccountJwtAccessCredentials
- java.lang.Object
-
- com.google.auth.Credentials
-
- com.google.auth.oauth2.ServiceAccountJwtAccessCredentials
-
- All Implemented Interfaces:
JwtProvider
,QuotaProjectIdProvider
,ServiceAccountSigner
,java.io.Serializable
public class ServiceAccountJwtAccessCredentials extends Credentials implements JwtProvider, ServiceAccountSigner, QuotaProjectIdProvider
Service Account credentials for calling Google APIs using a JWT directly for access.Uses a JSON Web Token (JWT) directly in the request metadata to provide authorization.
- See Also:
- Serialized Form
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
ServiceAccountJwtAccessCredentials.Builder
-
Nested classes/interfaces inherited from interface com.google.auth.ServiceAccountSigner
ServiceAccountSigner.SigningException
-
-
Field Summary
Fields Modifier and Type Field Description private java.lang.String
clientEmail
private java.lang.String
clientId
(package private) com.google.api.client.util.Clock
clock
private static long
CLOCK_SKEW
private com.google.common.cache.LoadingCache<JwtClaims,JwtCredentials>
credentialsCache
private java.net.URI
defaultAudience
(package private) static java.lang.String
JWT_ACCESS_PREFIX
(package private) static long
LIFE_SPAN_SECS
private java.security.PrivateKey
privateKey
private java.lang.String
privateKeyId
private java.lang.String
quotaProjectId
private static long
serialVersionUID
-
Fields inherited from class com.google.auth.Credentials
GOOGLE_DEFAULT_UNIVERSE
-
-
Constructor Summary
Constructors Modifier Constructor Description private
ServiceAccountJwtAccessCredentials(java.lang.String clientId, java.lang.String clientEmail, java.security.PrivateKey privateKey, java.lang.String privateKeyId)
Constructor with minimum identifying information.private
ServiceAccountJwtAccessCredentials(java.lang.String clientId, java.lang.String clientEmail, java.security.PrivateKey privateKey, java.lang.String privateKeyId, java.net.URI defaultAudience, java.lang.String quotaProjectId)
Constructor with full information.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description private com.google.common.cache.LoadingCache<JwtClaims,JwtCredentials>
createCache()
boolean
equals(java.lang.Object obj)
(package private) static ServiceAccountJwtAccessCredentials
fromJson(java.util.Map<java.lang.String,java.lang.Object> json)
Returns service account credentials defined by JSON using the format supported by the Google Developers Console.(package private) static ServiceAccountJwtAccessCredentials
fromJson(java.util.Map<java.lang.String,java.lang.Object> json, java.net.URI defaultAudience)
Returns service account credentials defined by JSON using the format supported by the Google Developers Console.static ServiceAccountJwtAccessCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId)
Factory using PKCS#8 for the private key.static ServiceAccountJwtAccessCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.net.URI defaultAudience)
Factory using PKCS#8 for the private key.(package private) static ServiceAccountJwtAccessCredentials
fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.net.URI defaultAudience, java.lang.String quotaProjectId)
static ServiceAccountJwtAccessCredentials
fromStream(java.io.InputStream credentialsStream)
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.static ServiceAccountJwtAccessCredentials
fromStream(java.io.InputStream credentialsStream, java.net.URI defaultAudience)
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.java.lang.String
getAccount()
Returns the service account associated with the signer.java.lang.String
getAuthenticationType()
A constant string name describing the authentication technology.java.lang.String
getClientEmail()
java.lang.String
getClientId()
java.security.PrivateKey
getPrivateKey()
java.lang.String
getPrivateKeyId()
java.lang.String
getQuotaProjectId()
java.util.Map<java.lang.String,java.util.List<java.lang.String>>
getRequestMetadata(java.net.URI uri)
Provide the request metadata by putting an access JWT directly in the metadata.void
getRequestMetadata(java.net.URI uri, java.util.concurrent.Executor executor, RequestMetadataCallback callback)
Get the current request metadata without blocking.int
hashCode()
boolean
hasRequestMetadata()
Whether the credentials have metadata entries that should be added to each request.boolean
hasRequestMetadataOnly()
Indicates whether or not the Auth mechanism works purely by including request metadata.JwtCredentials
jwtWithClaims(JwtClaims newClaims)
Returns a new JwtCredentials instance with modified claims.static ServiceAccountJwtAccessCredentials.Builder
newBuilder()
private void
readObject(java.io.ObjectInputStream input)
void
refresh()
Discard any cached databyte[]
sign(byte[] toSign)
Signs the provided bytes using the private key associated with the service account.ServiceAccountJwtAccessCredentials.Builder
toBuilder()
java.lang.String
toString()
-
Methods inherited from class com.google.auth.Credentials
blockingGetToCallback, getMetricsCredentialType, getRequestMetadata, getUniverseDomain
-
-
-
-
Field Detail
-
serialVersionUID
private static final long serialVersionUID
- See Also:
- Constant Field Values
-
JWT_ACCESS_PREFIX
static final java.lang.String JWT_ACCESS_PREFIX
- See Also:
- Constant Field Values
-
LIFE_SPAN_SECS
static final long LIFE_SPAN_SECS
-
CLOCK_SKEW
private static final long CLOCK_SKEW
-
clientId
private final java.lang.String clientId
-
clientEmail
private final java.lang.String clientEmail
-
privateKey
private final java.security.PrivateKey privateKey
-
privateKeyId
private final java.lang.String privateKeyId
-
defaultAudience
private final java.net.URI defaultAudience
-
quotaProjectId
private final java.lang.String quotaProjectId
-
credentialsCache
private transient com.google.common.cache.LoadingCache<JwtClaims,JwtCredentials> credentialsCache
-
clock
transient com.google.api.client.util.Clock clock
-
-
Constructor Detail
-
ServiceAccountJwtAccessCredentials
private ServiceAccountJwtAccessCredentials(java.lang.String clientId, java.lang.String clientEmail, java.security.PrivateKey privateKey, java.lang.String privateKeyId)
Constructor with minimum identifying information.- Parameters:
clientId
- Client ID of the service account from the console. May be null.clientEmail
- Client email address of the service account from the console.privateKey
- RSA private key object for the service account.privateKeyId
- Private key identifier for the service account. May be null.
-
ServiceAccountJwtAccessCredentials
private ServiceAccountJwtAccessCredentials(java.lang.String clientId, java.lang.String clientEmail, java.security.PrivateKey privateKey, java.lang.String privateKeyId, java.net.URI defaultAudience, java.lang.String quotaProjectId)
Constructor with full information.- Parameters:
clientId
- Client ID of the service account from the console. May be null.clientEmail
- Client email address of the service account from the console.privateKey
- RSA private key object for the service account.privateKeyId
- Private key identifier for the service account. May be null.defaultAudience
- Audience to use if not provided by transport. May be null.
-
-
Method Detail
-
fromJson
static ServiceAccountJwtAccessCredentials fromJson(java.util.Map<java.lang.String,java.lang.Object> json) throws java.io.IOException
Returns service account credentials defined by JSON using the format supported by the Google Developers Console.- Parameters:
json
- a map from the JSON representing the credentials.- Returns:
- the credentials defined by the JSON.
- Throws:
java.io.IOException
- if the credential cannot be created from the JSON.
-
fromJson
static ServiceAccountJwtAccessCredentials fromJson(java.util.Map<java.lang.String,java.lang.Object> json, java.net.URI defaultAudience) throws java.io.IOException
Returns service account credentials defined by JSON using the format supported by the Google Developers Console.- Parameters:
json
- a map from the JSON representing the credentials.defaultAudience
- Audience to use if not provided by transport. May be null.- Returns:
- the credentials defined by the JSON.
- Throws:
java.io.IOException
- if the credential cannot be created from the JSON.
-
fromPkcs8
public static ServiceAccountJwtAccessCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId) throws java.io.IOException
Factory using PKCS#8 for the private key.- Parameters:
clientId
- Client ID of the service account from the console. May be null.clientEmail
- Client email address of the service account from the console.privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.privateKeyId
- Private key identifier for the service account. May be null.- Returns:
- New ServiceAccountJwtAcceessCredentials created from a private key.
- Throws:
java.io.IOException
- if the credential cannot be created from the private key.
-
fromPkcs8
public static ServiceAccountJwtAccessCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.net.URI defaultAudience) throws java.io.IOException
Factory using PKCS#8 for the private key.- Parameters:
clientId
- Client ID of the service account from the console. May be null.clientEmail
- Client email address of the service account from the console.privateKeyPkcs8
- RSA private key object for the service account in PKCS#8 format.privateKeyId
- Private key identifier for the service account. May be null.defaultAudience
- Audience to use if not provided by transport. May be null.- Returns:
- New ServiceAccountJwtAcceessCredentials created from a private key.
- Throws:
java.io.IOException
- if the credential cannot be created from the private key.
-
fromPkcs8
static ServiceAccountJwtAccessCredentials fromPkcs8(java.lang.String clientId, java.lang.String clientEmail, java.lang.String privateKeyPkcs8, java.lang.String privateKeyId, java.net.URI defaultAudience, java.lang.String quotaProjectId) throws java.io.IOException
- Throws:
java.io.IOException
-
fromStream
public static ServiceAccountJwtAccessCredentials fromStream(java.io.InputStream credentialsStream) throws java.io.IOException
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.- Parameters:
credentialsStream
- the stream with the credential definition.- Returns:
- the credential defined by the credentialsStream.
- Throws:
java.io.IOException
- if the credential cannot be created from the stream.
-
fromStream
public static ServiceAccountJwtAccessCredentials fromStream(java.io.InputStream credentialsStream, java.net.URI defaultAudience) throws java.io.IOException
Returns credentials defined by a Service Account key file in JSON format from the Google Developers Console.- Parameters:
credentialsStream
- the stream with the credential definition.defaultAudience
- Audience to use if not provided by transport. May be null.- Returns:
- the credential defined by the credentialsStream.
- Throws:
java.io.IOException
- if the credential cannot be created from the stream.
-
createCache
private com.google.common.cache.LoadingCache<JwtClaims,JwtCredentials> createCache()
-
jwtWithClaims
public JwtCredentials jwtWithClaims(JwtClaims newClaims)
Returns a new JwtCredentials instance with modified claims.- Specified by:
jwtWithClaims
in interfaceJwtProvider
- Parameters:
newClaims
- new claims. Any unspecified claim fields will default to the the current values.- Returns:
- new credentials
-
getAuthenticationType
public java.lang.String getAuthenticationType()
Description copied from class:Credentials
A constant string name describing the authentication technology.E.g. “OAuth2”, “SSL”. For use by the transport layer to determine whether it supports the type of authentication in the case where
Credentials.hasRequestMetadataOnly()
is false. Also serves as a debugging helper.- Specified by:
getAuthenticationType
in classCredentials
- Returns:
- The type of authentication used.
-
hasRequestMetadata
public boolean hasRequestMetadata()
Description copied from class:Credentials
Whether the credentials have metadata entries that should be added to each request.This should be called by the transport layer to see if
Credentials.getRequestMetadata()
should be used for each request.- Specified by:
hasRequestMetadata
in classCredentials
- Returns:
- Whether or not the transport layer should call
Credentials.getRequestMetadata()
-
hasRequestMetadataOnly
public boolean hasRequestMetadataOnly()
Description copied from class:Credentials
Indicates whether or not the Auth mechanism works purely by including request metadata.This is meant for the transport layer. If this is true a transport does not need to take actions other than including the request metadata. If this is false, a transport must specifically know about the authentication technology to support it, and should fail to accept the credentials otherwise.
- Specified by:
hasRequestMetadataOnly
in classCredentials
- Returns:
- Whether or not the Auth mechanism works purely by including request metadata.
-
getRequestMetadata
public void getRequestMetadata(java.net.URI uri, java.util.concurrent.Executor executor, RequestMetadataCallback callback)
Description copied from class:Credentials
Get the current request metadata without blocking.This should be called by the transport layer on each request, and the data should be populated in headers or other context. The implementation can either call the callback inline or asynchronously. Either way it should never block in this method. The executor is provided for tasks that may block.
The default implementation will just call
Credentials.getRequestMetadata(URI)
then the callback from the given executor.The convention for handling binary data is for the key in the returned map to end with
"-bin"
and for the corresponding values to be base64 encoded.- Overrides:
getRequestMetadata
in classCredentials
- Parameters:
uri
- URI of the entry point for the request.executor
- Executor to perform the request.callback
- Callback to execute when the request is finished.
-
getRequestMetadata
public java.util.Map<java.lang.String,java.util.List<java.lang.String>> getRequestMetadata(java.net.URI uri) throws java.io.IOException
Provide the request metadata by putting an access JWT directly in the metadata.- Specified by:
getRequestMetadata
in classCredentials
- Parameters:
uri
- URI of the entry point for the request.- Returns:
- The request metadata used for populating headers or other context.
- Throws:
java.io.IOException
- if there was an error getting up-to-date access. The exception should implementRetryable
andisRetryable()
will return true if the operation may be retried.
-
refresh
public void refresh()
Discard any cached data- Specified by:
refresh
in classCredentials
-
getClientId
public final java.lang.String getClientId()
-
getClientEmail
public final java.lang.String getClientEmail()
-
getPrivateKey
public final java.security.PrivateKey getPrivateKey()
-
getPrivateKeyId
public final java.lang.String getPrivateKeyId()
-
getAccount
public java.lang.String getAccount()
Description copied from interface:ServiceAccountSigner
Returns the service account associated with the signer.- Specified by:
getAccount
in interfaceServiceAccountSigner
- Returns:
- The service account associated with the signer.
-
sign
public byte[] sign(byte[] toSign)
Description copied from interface:ServiceAccountSigner
Signs the provided bytes using the private key associated with the service account.- Specified by:
sign
in interfaceServiceAccountSigner
- Parameters:
toSign
- bytes to sign- Returns:
- signed bytes
-
hashCode
public int hashCode()
- Overrides:
hashCode
in classjava.lang.Object
-
toString
public java.lang.String toString()
- Overrides:
toString
in classjava.lang.Object
-
equals
public boolean equals(java.lang.Object obj)
- Overrides:
equals
in classjava.lang.Object
-
readObject
private void readObject(java.io.ObjectInputStream input) throws java.io.IOException, java.lang.ClassNotFoundException
- Throws:
java.io.IOException
java.lang.ClassNotFoundException
-
newBuilder
public static ServiceAccountJwtAccessCredentials.Builder newBuilder()
-
toBuilder
public ServiceAccountJwtAccessCredentials.Builder toBuilder()
-
getQuotaProjectId
public java.lang.String getQuotaProjectId()
- Specified by:
getQuotaProjectId
in interfaceQuotaProjectIdProvider
- Returns:
- the quota project ID used for quota and billing purposes
-
-