Class PluggableAuthCredentials (1.19.0)

public class PluggableAuthCredentials extends ExternalAccountCredentials

PluggableAuthCredentials enables the exchange of workload identity pool external credentials for Google access tokens by retrieving 3rd party tokens through a user supplied executable. These scripts/executables are completely independent of the Google Cloud Auth libraries. These credentials plug into ADC and will call the specified executable to retrieve the 3rd party token to be exchanged for a Google access token.

To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable must be set to '1'. This is for security reasons.

Both OIDC and SAML are supported. The executable must adhere to a specific response format defined below.

The executable must print out the 3rd party token to STDOUT in JSON format. When an output_file is specified in the credential configuration, the executable must also handle writing the JSON response to this file.

OIDC response sample: { "version": 1, "success": true, "token_type": "urn:ietf:params:oauth:token-type:id_token", "id_token": "HEADER.PAYLOAD.SIGNATURE", "expiration_time": 1620433341 }

SAML2 response sample: { "version": 1, "success": true, "token_type": "urn:ietf:params:oauth:token-type:saml2", "saml_response": "...", "expiration_time": 1620433341 }

Error response sample: { "version": 1, "success": false, "code": "401", "message": "Error message." }

The expiration_time field in the JSON response is only required for successful responses when an output file was specified in the credential configuration.

The auth libraries will populate certain environment variables that will be accessible by the executable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE, GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, and GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.

Please see this repositories README for a complete executable request/response specification.

Static Methods

newBuilder()

public static PluggableAuthCredentials.Builder newBuilder()
Returns
TypeDescription
PluggableAuthCredentials.Builder

newBuilder(PluggableAuthCredentials pluggableAuthCredentials)

public static PluggableAuthCredentials.Builder newBuilder(PluggableAuthCredentials pluggableAuthCredentials)
Parameter
NameDescription
pluggableAuthCredentialsPluggableAuthCredentials
Returns
TypeDescription
PluggableAuthCredentials.Builder

Methods

createScoped(Collection<String> newScopes)

public PluggableAuthCredentials createScoped(Collection<String> newScopes)

Clones the PluggableAuthCredentials with the specified scopes.

Parameter
NameDescription
newScopesCollection<String>
Returns
TypeDescription
PluggableAuthCredentials
Overrides

refreshAccessToken()

public AccessToken refreshAccessToken()

Method to refresh the access token according to the specific type of credentials.

Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

Returns
TypeDescription
AccessToken
Overrides
Exceptions
TypeDescription
IOException

retrieveSubjectToken()

public String retrieveSubjectToken()

Returns the 3rd party subject token by calling the executable specified in the credential source.

Returns
TypeDescription
String
Overrides
Exceptions
TypeDescription
IOException

if an error occurs with the executable execution.