Class DownscopedCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.DownscopedCredentials

All Implemented Interfaces:

Serializable

public final class DownscopedCredentials
extends OAuth2Credentials

DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

To downscope permissions you must define a CredentialAccessBoundary which specifies the upper bound of permissions that the credential can access. You must also provide a source credential which will be used to acquire the downscoped credential.

See for more information.

Usage:

GoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()
   .createScoped("https://www.googleapis.com/auth/cloud-platform");

CredentialAccessBoundary.AccessBoundaryRule rule =
    CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
        .setAvailableResource(
            "//storage.googleapis.com/projects/_/buckets/bucket")
        .addAvailablePermission("inRole:roles/storage.objectViewer")
        .build();

DownscopedCredentials downscopedCredentials =
    DownscopedCredentials.newBuilder()
        .setSourceCredential(sourceCredentials)
        .setCredentialAccessBoundary(
            CredentialAccessBoundary.newBuilder().addRule(rule).build())
        .build();

AccessToken accessToken = downscopedCredentials.refreshAccessToken();

OAuth2Credentials credentials = OAuth2Credentials.create(accessToken);

Storage storage =
StorageOptions.newBuilder().setCredentials(credentials).build().getService();

Blob blob = storage.get(BlobId.of("bucket", "object"));
System.out.printf("Blob %s retrieved.", blob.getBlobId());

Note that OAuth2CredentialsWithRefresh can instead be used to consume the downscoped token, allowing for automatic token refreshes by providing a OAuth2CredentialsWithRefresh.OAuth2RefreshHandler.

See Also:

• Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	DownscopedCredentials.Builder

Nested classes/interfaces inherited from class OAuth2Credentials

OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener

Field Summary

Fields

Modifier and Type	Field	Description
private final CredentialAccessBoundary	credentialAccessBoundary
private final GoogleCredentials	sourceCredential
private final String	TOKEN_EXCHANGE_URL_FORMAT
private final String	tokenExchangeEndpoint
private final HttpTransportFactory	transportFactory
private final String	universeDomain

Fields inherited from class OAuth2Credentials

clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask

Fields inherited from class Credentials

GOOGLE_DEFAULT_UNIVERSE

Constructor Summary

Constructors

Modifier	Constructor	Description
private	DownscopedCredentials(DownscopedCredentials.Builder builder)	Internal constructor.

Method Summary

Modifier and Type	Method	Description
CredentialAccessBoundary	getCredentialAccessBoundary()
GoogleCredentials	getSourceCredentials()
(package private) HttpTransportFactory	getTransportFactory()
String	getUniverseDomain()	Returns the universe domain for the credential.
static DownscopedCredentials.Builder	newBuilder()
AccessToken	refreshAccessToken()	Method to refresh the access token according to the specific type of credentials.

Methods inherited from class OAuth2Credentials

addChangeListener, create, equals, getAccessToken, getAdditionalHeaders, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hashCode, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener, toBuilder, toString

Methods inherited from class Credentials

blockingGetToCallback, getMetricsCredentialType, getRequestMetadata

Methods inherited from class Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Details

TOKEN_EXCHANGE_URL_FORMAT

private final String TOKEN_EXCHANGE_URL_FORMAT

See Also:

• Constant Field Values

sourceCredential

private final GoogleCredentials sourceCredential

credentialAccessBoundary

private final CredentialAccessBoundary credentialAccessBoundary

universeDomain

private final String universeDomain

transportFactory

private final transient HttpTransportFactory transportFactory

tokenExchangeEndpoint

private final String tokenExchangeEndpoint

Constructor Details

DownscopedCredentials

private DownscopedCredentials(DownscopedCredentials.Builder builder)

Internal constructor. See DownscopedCredentials.Builder.

Method Details

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Description copied from class: OAuth2Credentials

Method to refresh the access token according to the specific type of credentials.

Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

never

Throws:

IOException

getSourceCredentials

public GoogleCredentials getSourceCredentials()

getCredentialAccessBoundary

public CredentialAccessBoundary getCredentialAccessBoundary()

getUniverseDomain

public String getUniverseDomain()

Returns the universe domain for the credential.

Overrides:

getUniverseDomain in class Credentials

Returns:

An explicit universe domain if it was explicitly provided, otherwise the default Google universe will be returned.

getTransportFactory

HttpTransportFactory getTransportFactory()

newBuilder

public static DownscopedCredentials.Builder newBuilder()