Class PluggableAuthCredentials

java.lang.Object

com.google.auth.Credentials

com.google.auth.oauth2.OAuth2Credentials

com.google.auth.oauth2.GoogleCredentials

com.google.auth.oauth2.ExternalAccountCredentials

com.google.auth.oauth2.PluggableAuthCredentials

All Implemented Interfaces:

QuotaProjectIdProvider, Serializable

public class PluggableAuthCredentials
extends ExternalAccountCredentials

PluggableAuthCredentials enables the exchange of workload identity pool external credentials for Google access tokens by retrieving 3rd party tokens through a user supplied executable. These scripts/executables are completely independent of the Google Cloud Auth libraries. These credentials plug into ADC and will call the specified executable to retrieve the 3rd party token to be exchanged for a Google access token.

To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable must be set to '1'. This is for security reasons.

Both OIDC and SAML are supported. The executable must adhere to a specific response format defined below.

The executable must print out the 3rd party token to STDOUT in JSON format. When an output_file is specified in the credential configuration, the executable must also handle writing the JSON response to this file.

OIDC response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:id_token",
  "id_token": "HEADER.PAYLOAD.SIGNATURE",
  "expiration_time": 1620433341
}

SAML2 response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:saml2",
  "saml_response": "...",
  "expiration_time": 1620433341
}

Error response sample:
{
  "version": 1,
  "success": false,
  "code": "401",
  "message": "Error message."
}

The `expiration_time` field in the JSON response is only required for successful responses when an output file was specified in the credential configuration.

The auth libraries will populate certain environment variables that will be accessible by the executable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE, GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, and GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.

Please see this repositories README for a complete executable request/response specification.

See Also:

• Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	PluggableAuthCredentials.Builder

Nested classes/interfaces inherited from class ExternalAccountCredentials

ExternalAccountCredentials.CredentialSource, ExternalAccountCredentials.ServiceAccountImpersonationOptions, ExternalAccountCredentials.SubjectTokenTypes

Nested classes/interfaces inherited from class OAuth2Credentials

OAuth2Credentials.AsyncRefreshResult, OAuth2Credentials.CacheState, OAuth2Credentials.CredentialsChangedListener, OAuth2Credentials.FutureCallbackToMetadataCallbackAdapter, OAuth2Credentials.OAuthValue, OAuth2Credentials.RefreshTask, OAuth2Credentials.RefreshTaskListener

Field Summary

Fields

Modifier and Type	Field	Description
private final PluggableAuthCredentialSource	config
private final ExecutableHandler	handler
(package private) static final String	PLUGGABLE_AUTH_METRICS_HEADER_VALUE

Fields inherited from class ExternalAccountCredentials

DEFAULT_TOKEN_URL, EXECUTABLE_SOURCE_KEY, EXTERNAL_ACCOUNT_FILE_TYPE, impersonatedCredentials, PROGRAMMATIC_METRICS_HEADER_VALUE, transportFactory

Fields inherited from class GoogleCredentials

GDCH_SERVICE_ACCOUNT_FILE_TYPE, QUOTA_PROJECT_ID_HEADER_KEY, quotaProjectId, SERVICE_ACCOUNT_FILE_TYPE, USER_FILE_TYPE

Fields inherited from class OAuth2Credentials

clock, DEFAULT_EXPIRATION_MARGIN, DEFAULT_REFRESH_MARGIN, lock, refreshTask

Fields inherited from class Credentials

GOOGLE_DEFAULT_UNIVERSE

Constructor Summary

Constructors

Constructor	Description
PluggableAuthCredentials(PluggableAuthCredentials.Builder builder)	Internal constructor.

Method Summary

Modifier and Type	Method	Description
PluggableAuthCredentials	createScoped(Collection<String> newScopes)	Clones the PluggableAuthCredentials with the specified scopes.
(package private) String	getCredentialSourceType()
(package private) ExecutableHandler	getExecutableHandler()
static PluggableAuthCredentials.Builder	newBuilder()
static PluggableAuthCredentials.Builder	newBuilder(PluggableAuthCredentials pluggableAuthCredentials)
AccessToken	refreshAccessToken()	Method to refresh the access token according to the specific type of credentials.
String	retrieveSubjectToken()	Returns the 3rd party subject token by calling the executable specified in the credential source.

Methods inherited from class ExternalAccountCredentials

buildImpersonatedCredentials, exchangeExternalCredentialForAccessToken, fromJson, fromStream, fromStream, getAudience, getClientId, getClientSecret, getCredentialSource, getEnvironmentProvider, getRequestMetadata, getRequestMetadata, getScopes, getServiceAccountEmail, getServiceAccountImpersonationOptions, getServiceAccountImpersonationUrl, getSubjectTokenType, getTokenInfoUrl, getTokenUrl, getUniverseDomain, getWorkforcePoolUserProject, isWorkforcePoolConfiguration, validateServiceAccountImpersonationInfoUrl, validateTokenUrl

Methods inherited from class GoogleCredentials

addQuotaProjectIdToRequestMetadata, create, create, createDelegated, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, equals, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, hashCode, isDefaultUniverseDomain, isExplicitUniverseDomain, toBuilder, toString, toStringHelper

Methods inherited from class OAuth2Credentials

addChangeListener, getAccessToken, getAuthenticationType, getExpirationMargin, getFromServiceLoader, getRefreshMargin, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class Credentials

blockingGetToCallback, getMetricsCredentialType, getRequestMetadata

Methods inherited from class Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Details

PLUGGABLE_AUTH_METRICS_HEADER_VALUE

static final String PLUGGABLE_AUTH_METRICS_HEADER_VALUE

See Also:

• Constant Field Values

config

private final PluggableAuthCredentialSource config

handler

private final ExecutableHandler handler

Constructor Details

PluggableAuthCredentials

PluggableAuthCredentials(PluggableAuthCredentials.Builder builder)

Internal constructor. See PluggableAuthCredentials.Builder.

Method Details

refreshAccessToken

public AccessToken refreshAccessToken()
                               throws IOException

Description copied from class: OAuth2Credentials

Method to refresh the access token according to the specific type of credentials.

Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Overrides:

refreshAccessToken in class OAuth2Credentials

Returns:

never

Throws:

IOException

retrieveSubjectToken

public String retrieveSubjectToken()
                            throws IOException

Returns the 3rd party subject token by calling the executable specified in the credential source.

Specified by:

retrieveSubjectToken in class ExternalAccountCredentials

Returns:

the external subject token

Throws:

IOException - if an error occurs with the executable execution.

createScoped

public PluggableAuthCredentials createScoped(Collection<String> newScopes)

Clones the PluggableAuthCredentials with the specified scopes.

Overrides:

createScoped in class GoogleCredentials

Parameters:

newScopes - Collection of scopes to request.

Returns:

GoogleCredentials with requested scopes.

getCredentialSourceType

String getCredentialSourceType()

Overrides:

getCredentialSourceType in class ExternalAccountCredentials

newBuilder

public static PluggableAuthCredentials.Builder newBuilder()

newBuilder

public static PluggableAuthCredentials.Builder newBuilder(PluggableAuthCredentials pluggableAuthCredentials)

getExecutableHandler

@Nullable
ExecutableHandler getExecutableHandler()