Package com.google.auth.oauth2
Class DownscopedCredentials
- java.lang.Object
  - com.google.auth.Credentials
    - com.google.auth.oauth2.OAuth2Credentials
      - com.google.auth.oauth2.DownscopedCredentials

All Implemented Interfaces: java.io.Serializable

public final class DownscopedCredentials extends OAuth2Credentials
DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

Usage:

    // Source credential that the downscoped token is derived from.
    GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
        .createScoped("https://www.googleapis.com/auth/cloud-platform");

    // Upper bound: object viewer permissions on a single bucket.
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource(
                "//storage.googleapis.com/projects/_/buckets/bucket")
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .build();

    DownscopedCredentials downscopedCredentials =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(sourceCredentials)
            .setCredentialAccessBoundary(
                CredentialAccessBoundary.newBuilder().addRule(rule).build())
            .build();

    // Exchange the source credential for a downscoped access token.
    AccessToken accessToken = downscopedCredentials.refreshAccessToken();

    OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

    Storage storage =
        StorageOptions.newBuilder().setCredentials(credentials).build().getService();

    Blob blob = storage.get(BlobId.of("bucket", "object"));
    System.out.printf("Blob %s retrieved.", blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing an OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.

- See Also: Serialized Form

Nested Class Summary
Nested Classes

| Modifier and Type | Class | Description |
|---|---|---|
| static class | DownscopedCredentials.Builder | |

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials
OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener

Field Summary
Fields

| Modifier and Type | Field | Description |
|---|---|---|
| private CredentialAccessBoundary | credentialAccessBoundary | |
| private GoogleCredentials | sourceCredential | |
| private java.lang.String | TOKEN_EXCHANGE_URL_FORMAT | |
| private java.lang.String | tokenExchangeEndpoint | |
| private HttpTransportFactory | transportFactory | |
| private java.lang.String | universeDomain | |

Fields inherited from class com.google.auth.oauth2.OAuth2Credentials
clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask

Fields inherited from class com.google.auth.Credentials
GOOGLE_DEFAULT_UNIVERSE

Constructor Summary
Constructors

| Modifier | Constructor | Description |
|---|---|---|
| private | DownscopedCredentials(DownscopedCredentials.Builder builder) | Internal constructor. |

Method Summary
| Modifier and Type | Method | Description |
|---|---|---|
| CredentialAccessBoundary | getCredentialAccessBoundary() | |
| GoogleCredentials | getSourceCredentials() | |
| (package private) HttpTransportFactory | getTransportFactory() | |
| java.lang.String | getUniverseDomain() | Returns the universe domain for the credential. |
| static DownscopedCredentials.Builder | newBuilder() | |
| AccessToken | refreshAccessToken() | Method to refresh the access token according to the specific type of credentials. |

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials
addChangeListener, create, equals, getAccessToken, getAdditionalHeaders, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hashCode, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener, toBuilder, toString

Methods inherited from class com.google.auth.Credentials
blockingGetToCallback, getMetricsCredentialType, getRequestMetadata

Field Detail

TOKEN_EXCHANGE_URL_FORMAT
private final java.lang.String TOKEN_EXCHANGE_URL_FORMAT
- See Also: Constant Field Values

sourceCredential
private final GoogleCredentials sourceCredential

credentialAccessBoundary
private final CredentialAccessBoundary credentialAccessBoundary

universeDomain
private final java.lang.String universeDomain

transportFactory
private final transient HttpTransportFactory transportFactory

tokenExchangeEndpoint
private final java.lang.String tokenExchangeEndpoint

Constructor Detail

DownscopedCredentials
private DownscopedCredentials(DownscopedCredentials.Builder builder)
Internal constructor. See DownscopedCredentials.Builder.

Method Detail

refreshAccessToken
public AccessToken refreshAccessToken() throws java.io.IOException
Description copied from class: OAuth2Credentials
Method to refresh the access token according to the specific type of credentials. Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.
- Overrides: refreshAccessToken in class OAuth2Credentials
- Returns: never
- Throws: java.io.IOException

getSourceCredentials
public GoogleCredentials getSourceCredentials()

getCredentialAccessBoundary
public CredentialAccessBoundary getCredentialAccessBoundary()

getUniverseDomain
public java.lang.String getUniverseDomain()
Returns the universe domain for the credential.
- Overrides: getUniverseDomain in class Credentials
- Returns: An explicit universe domain if it was explicitly provided, otherwise the default Google universe will be returned.

getTransportFactory
HttpTransportFactory getTransportFactory()

newBuilder
public static DownscopedCredentials.Builder newBuilder()