Class DelegatedCredentials

All Implemented Interfaces:
com.google.auth.oauth2.QuotaProjectIdProvider, Serializable, ServiceAccountSigner
This class accepts the application-default credential as a ServiceAccountSigner, avoiding the need for exported private keys. In this case, the default credential user itself (project-id@appspot.gserviceaccount.com on App Engine) must have domain-wide delegation to the Workspace APIs. The default credential user must also have the Token Creator role on itself.

If the user provides a credential S that carries its own private key, such as ServiceAccountCredentials, this class can use S to impersonate another service account D and gain delegated access as D, as long as S has the Token Creator role on D. This usage is documented here for future reference.

As of October 2022, the functionality described above is not implemented in the GCP Java Auth library, although it is available in the Python library. We have filed a feature request. This class is a stop-gap implementation.

The main body of this class is adapted from ServiceAccountCredentials with cosmetic changes. The important changes include the removal of all uses of the private key and the signing of the JWT (in signAssertion(com.google.api.client.json.JsonFactory, com.google.api.client.json.webtoken.JsonWebSignature.Header, com.google.api.client.json.webtoken.JsonWebToken.Payload)). We choose not to extend ServiceAccountCredentials because that would add a dependency on the non-public details of that class.
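The mechanism described above, as an added illustration that is not the code of DelegatedCredentials or of the google-auth-library project: the domain-wide-delegation JWT assertion is assembled locally, but its RS256 signature is produced by a ServiceAccountSigner (the application-default credential, or an ImpersonatedCredentials for the S-impersonates-D case) rather than by a private key held in the process. The class name DelegatedAssertionExample, the Workspace user user@example.com, the target account target-sa@PROJECT_ID.iam.gserviceaccount.com and the Directory API scope are placeholders chosen for the example; the token endpoint, grant type and claim names are the standard Google OAuth 2.0 JWT-bearer values.

```java
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

/**
 * Illustrative helper (not part of DelegatedCredentials): builds the RS256
 * JWT-bearer assertion used for domain-wide delegation and signs it through a
 * ServiceAccountSigner instead of a locally held private key.
 */
public final class DelegatedAssertionExample {

    // Google's OAuth 2.0 token endpoint: both the JWT audience and the POST target.
    static final String TOKEN_URI = "https://oauth2.googleapis.com/token";
    static final String JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Builds header.payload.signature, with the signature produced by the signer. */
    static String buildAssertion(ServiceAccountSigner signer, String delegatedUser,
                                 String scopes, long nowSeconds) {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        // iss = the service account that signs; sub = the Workspace user it acts for.
        String payload = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"scope\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d}",
            signer.getAccount(), delegatedUser, scopes, TOKEN_URI, nowSeconds, nowSeconds + 3600);
        String signingInput = b64(header) + "." + b64(payload);
        // The signer (e.g. the default credential on App Engine or GCE) performs the
        // RS256 signature remotely; no private key material exists in this process.
        byte[] signature = signer.sign(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64URL.encodeToString(signature);
    }

    /** Exchanges the assertion for an access token; returns the raw JSON token response. */
    static String exchange(String assertion) throws IOException, InterruptedException {
        String body = "grant_type=" + enc(JWT_BEARER_GRANT) + "&assertion=" + enc(assertion);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_URI))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        HttpResponse<String> response =
            HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // A 400/401 here usually means the signing account lacks domain-wide delegation
            // for the requested scopes, or lacks the Token Creator role it needs.
            throw new IOException("token exchange failed: " + response.statusCode()
                + " " + response.body());
        }
        return response.body();
    }

    public static void main(String[] args) throws Exception {
        // Case 1: the application-default credential acts as the signer (no exported key).
        GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
        if (!(adc instanceof ServiceAccountSigner)) {
            throw new IllegalStateException("default credential cannot sign: " + adc.getClass());
        }
        ServiceAccountSigner signer = (ServiceAccountSigner) adc;

        // Case 2 (S impersonates D): sign as a target service account D through the
        // IAM Credentials API; S needs the Token Creator role on D. Placeholder target.
        // ServiceAccountSigner signer = ImpersonatedCredentials.create(
        //     adc, "target-sa@PROJECT_ID.iam.gserviceaccount.com", null,
        //     List.of("https://www.googleapis.com/auth/cloud-platform"), 3600);

        String assertion = buildAssertion(signer,
            "user@example.com",                                   // placeholder Workspace user
            "https://www.googleapis.com/auth/admin.directory.user.readonly",
            System.currentTimeMillis() / 1000);
        System.out.println(exchange(assertion));
    }

    private static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

The instanceof check matters in practice: getApplicationDefault() returns UserCredentials on a developer workstation with a gcloud login, which is not a ServiceAccountSigner, so the code fails closed rather than silently falling back to a key file. The assertion's exp is one hour after iat, the maximum the token endpoint accepts.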
Nested Class Summary

Nested classes/interfaces inherited from class com.google.auth.oauth2.GoogleCredentials:
com.google.auth.oauth2.GoogleCredentials.Builder

Nested classes/interfaces inherited from class com.google.auth.oauth2.OAuth2Credentials:
com.google.auth.oauth2.OAuth2Credentials.CredentialsChangedListener

Field Summary

Fields inherited from class com.google.auth.oauth2.GoogleCredentials:
quotaProjectId

Fields inherited from class com.google.auth.Credentials:
GOOGLE_DEFAULT_UNIVERSE
Method Summary

Modifier and Type | Method | Description
protected static <T> T | getFromServiceLoader(Class<? extends T> clazz, T defaultInstance) |
com.google.auth.oauth2.AccessToken | refreshAccessToken() | Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

Methods inherited from class com.google.auth.oauth2.GoogleCredentials:
create, create, createDelegated, createScoped, createScoped, createScoped, createScopedRequired, createWithCustomRetryStrategy, createWithQuotaProject, equals, fromStream, fromStream, getAdditionalHeaders, getApplicationDefault, getApplicationDefault, getQuotaProjectId, getUniverseDomain, hashCode, isExplicitUniverseDomain, newBuilder, toBuilder, toString, toStringHelper

Methods inherited from class com.google.auth.oauth2.OAuth2Credentials:
addChangeListener, getAccessToken, getAuthenticationType, getRequestMetadata, getRequestMetadata, getRequestMetadataInternal, hasRequestMetadata, hasRequestMetadataOnly, newInstance, refresh, refreshIfExpired, removeChangeListener

Methods inherited from class com.google.auth.Credentials:
blockingGetToCallback, getMetricsCredentialType, getRequestMetadata
Method Details

refreshAccessToken

Refreshes the OAuth2 access token by getting a new access token using a JSON Web Token (JWT).

Overrides:
refreshAccessToken in class com.google.auth.oauth2.OAuth2Credentials

Throws:
IOException

getFromServiceLoader