Package com.google.auth.oauth2
Class DownscopedCredentials

java.lang.Object
  com.google.auth.Credentials
    com.google.auth.oauth2.OAuth2Credentials
      com.google.auth.oauth2.DownscopedCredentials

All Implemented Interfaces:
  Serializable
DownscopedCredentials enables downscoping, that is, restricting the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

To downscope permissions you must define a CredentialAccessBoundary, which specifies the upper bound of permissions that the credential can access. You must also provide a source credential, which is used to acquire the downscoped credential.
Usage:

  import com.google.auth.oauth2.AccessToken;
  import com.google.auth.oauth2.CredentialAccessBoundary;
  import com.google.auth.oauth2.DownscopedCredentials;
  import com.google.auth.oauth2.GoogleCredentials;
  import com.google.auth.oauth2.OAuth2Credentials;
  import com.google.cloud.storage.Blob;
  import com.google.cloud.storage.BlobId;
  import com.google.cloud.storage.Storage;
  import com.google.cloud.storage.StorageOptions;
  import java.io.IOException;

  // The statements below belong in a method that declares "throws IOException",
  // because the token exchange in refreshAccessToken() can fail.

  // Source credential: Application Default Credentials with the cloud-platform scope.
  GoogleCredentials sourceCredentials =
      GoogleCredentials.getApplicationDefault()
          .createScoped("https://www.googleapis.com/auth/cloud-platform");

  // Upper bound for the downscoped token: objectViewer on a single bucket.
  CredentialAccessBoundary.AccessBoundaryRule rule =
      CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
          .setAvailableResource("//storage.googleapis.com/projects/_/buckets/bucket")
          .addAvailablePermission("inRole:roles/storage.objectViewer")
          .build();

  DownscopedCredentials downscopedCredentials =
      DownscopedCredentials.newBuilder()
          .setSourceCredential(sourceCredentials)
          .setCredentialAccessBoundary(
              CredentialAccessBoundary.newBuilder().addRule(rule).build())
          .build();

  // Exchange the source token for a downscoped one, then hand the consumer
  // only the restricted token, never the source credential itself.
  AccessToken accessToken = downscopedCredentials.refreshAccessToken();
  OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

  Storage storage =
      StorageOptions.newBuilder().setCredentials(credentials).build().getService();
  Blob blob = storage.get(BlobId.of("bucket", "object"));
  System.out.printf("Blob %s retrieved.", blob.getBlobId());
Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.
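The following is an added example, not part of the library's documentation or the snippet above, that puts the two points of the description together: the access boundary as the upper bound of what the token may do (the exchanged token gets the intersection of the boundary and the source credential's own permissions, so the boundary can only remove permissions, never add them), and OAuth2CredentialsWithRefresh with an OAuth2RefreshHandler so that every refreshed token is downscoped again instead of silently falling back to the source credential. The class name PrefixScopedReader, the methods tenantBoundary and buildRefreshingCredentials, and the BUCKET and PREFIX values are assumptions made for the example; the AvailabilityCondition class and the resource.name.startsWith(...) condition expression are part of the library and of IAM Credential Access Boundaries but are not shown on this page.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import java.io.IOException;

/**
 * Added example (not library code): a credential limited to read-only access under one
 * object prefix, wrapped so the consumer refreshes the downscoped token automatically.
 */
public final class PrefixScopedReader {

  // Constructed placeholder values; substitute the real bucket and object prefix.
  private static final String BUCKET = "example-bucket";
  private static final String PREFIX = "tenant-a/";

  /**
   * Upper bound for the token: objectViewer on BUCKET, and only for objects whose
   * name starts with PREFIX. Anything the source credential cannot do stays unavailable.
   */
  static CredentialAccessBoundary tenantBoundary() {
    AvailabilityCondition onlyTenantPrefix =
        AvailabilityCondition.newBuilder()
            .setTitle("tenant-a objects only")
            .setExpression(
                "resource.name.startsWith(\"projects/_/buckets/"
                    + BUCKET + "/objects/" + PREFIX + "\")")
            .build();

    AccessBoundaryRule rule =
        AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + BUCKET)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(onlyTenantPrefix)
            .build();

    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  /**
   * Returns credentials whose every token, initial and refreshed, is downscoped. The
   * source credential never leaves this method; callers only ever see restricted tokens.
   */
  static OAuth2CredentialsWithRefresh buildRefreshingCredentials() throws IOException {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    final DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(source)
            .setCredentialAccessBoundary(tenantBoundary())
            .build();

    // Each refresh goes back through the token exchange, so the new token carries the
    // same boundary. Returning source.refreshAccessToken() here instead would hand the
    // consumer an unrestricted token on the first refresh.
    OAuth2CredentialsWithRefresh.OAuth2RefreshHandler handler =
        () -> downscoped.refreshAccessToken();

    // The builder requires an initial token that has an expiration time; the exchanged
    // token carries one, and the handler supplies every subsequent token.
    return OAuth2CredentialsWithRefresh.newBuilder()
        .setAccessToken(downscoped.refreshAccessToken())
        .setRefreshHandler(handler)
        .build();
  }
}
```

The object returned by buildRefreshingCredentials() can be passed to StorageOptions.newBuilder().setCredentials(...) exactly like the OAuth2Credentials in the usage snippet above; the difference is that it does not go stale after the first token expires. Keeping the refresh path inside the handler is what makes the downscoping hold over time: the consumer has no handle on the source credential, so a bug or a compromise in the consuming code cannot escalate past the boundary.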
Nested Class Summary

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials:
  OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener
Field Summary

Fields:
  Modifier and Type                       Field
  private final CredentialAccessBoundary  credentialAccessBoundary
  private final GoogleCredentials         sourceCredential
  private final String                    TOKEN_EXCHANGE_URL_FORMAT
  private final String                    tokenExchangeEndpoint
  private final HttpTransportFactory      transportFactory
  private final String                    universeDomain

Fields inherited from class com.google.auth.oauth2.OAuth2Credentials:
  clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask

Fields inherited from class com.google.auth.Credentials:
  GOOGLE_DEFAULT_UNIVERSE
Constructor Summary

Constructors:
  Modifier  Constructor            Description
  private   DownscopedCredentials  Internal constructor.
Method Summary

Methods:
  Modifier and Type                       Method                         Description
  CredentialAccessBoundary                getCredentialAccessBoundary()
  GoogleCredentials                       getSourceCredentials()
  (package private) HttpTransportFactory  getTransportFactory()
  String                                  getUniverseDomain()            Returns the universe domain for the credential.
  static DownscopedCredentials.Builder    newBuilder()
  AccessToken                             refreshAccessToken()           Method to refresh the access token according to the specific type of credentials.

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials:
  addChangeListener, create, equals, getAccessToken, getAdditionalHeaders, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hashCode, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener, toBuilder, toString

Methods inherited from class com.google.auth.Credentials:
  blockingGetToCallback, getMetricsCredentialType, getRequestMetadata
Field Details

TOKEN_EXCHANGE_URL_FORMAT
  private final String TOKEN_EXCHANGE_URL_FORMAT

sourceCredential
  private final GoogleCredentials sourceCredential

credentialAccessBoundary
  private final CredentialAccessBoundary credentialAccessBoundary

universeDomain
  private final String universeDomain

transportFactory
  private final HttpTransportFactory transportFactory

tokenExchangeEndpoint
  private final String tokenExchangeEndpoint
Constructor Details

DownscopedCredentials
  Internal constructor. See DownscopedCredentials.Builder.
Method Details

refreshAccessToken
  Description copied from class: OAuth2Credentials
  Method to refresh the access token according to the specific type of credentials. Throws IllegalStateException if not overridden, since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.
  Overrides:
    refreshAccessToken in class OAuth2Credentials
  Returns:
    never
  Throws:
    IOException

getSourceCredentials

getCredentialAccessBoundary

getUniverseDomain
  Returns the universe domain for the credential.
  Overrides:
    getUniverseDomain in class Credentials
  Returns:
    An explicit universe domain if it was explicitly provided, otherwise the default Google universe will be returned.

getTransportFactory
  HttpTransportFactory getTransportFactory()

newBuilder