Commit

Merge branch 'main' into revert-1359-revert-1358-b317995693
BigTailWolf authored Feb 7, 2024
2 parents b27088f + bd898c6 commit 6284168
Showing 8 changed files with 208 additions and 11 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,22 @@
# Changelog

## [1.23.0](https://github.com/googleapis/google-auth-library-java/compare/v1.22.0...v1.23.0) (2024-02-05)


### Features

* Add context object to pass to supplier functions ([#1363](https://github.com/googleapis/google-auth-library-java/issues/1363)) ([1d9efc7](https://github.com/googleapis/google-auth-library-java/commit/1d9efc78aa6ab24fc2aab5f081240a815c394c95))
* Adds support for user defined subject token suppliers in AWSCredentials and IdentityPoolCredentials ([#1336](https://github.com/googleapis/google-auth-library-java/issues/1336)) ([64ce8a1](https://github.com/googleapis/google-auth-library-java/commit/64ce8a1fbb82cb19e17ca0c6713c7c187078c28b))
* Adds universe domain for DownscopedCredentials and ExternalAccountAuthorizedUserCredentials ([#1355](https://github.com/googleapis/google-auth-library-java/issues/1355)) ([17ef707](https://github.com/googleapis/google-auth-library-java/commit/17ef70748aae4820f10694ae99c82ed7ca89dbce))
* Modify the refresh window to match go/async-token-refresh. Serverless tokens are cached until 4 minutes before expiration, so 4 minutes is the ideal refresh window. ([#1352](https://github.com/googleapis/google-auth-library-java/issues/1352)) ([a7a8d7a](https://github.com/googleapis/google-auth-library-java/commit/a7a8d7a4102b0b7c1b83791947ccb662f060eca7))


### Bug Fixes

* Add missing copyright header ([#1364](https://github.com/googleapis/google-auth-library-java/issues/1364)) ([a24e563](https://github.com/googleapis/google-auth-library-java/commit/a24e5631b8198d988a7b82deab5453e43917b0d2))
* Issue [#1347](https://github.com/googleapis/google-auth-library-java/issues/1347): ExternalAccountCredentials serialization is broken ([#1358](https://github.com/googleapis/google-auth-library-java/issues/1358)) ([e3a2e9c](https://github.com/googleapis/google-auth-library-java/commit/e3a2e9cbdd767c4664d895f98f69d8b742d645f0))
* Refactor compute and cloudshell credentials to pass quota project to base class ([#1284](https://github.com/googleapis/google-auth-library-java/issues/1284)) ([fb75239](https://github.com/googleapis/google-auth-library-java/commit/fb75239ead37b6677a392f38ea2ef2012b3f21e0))

## [1.22.0](https://github.com/googleapis/google-auth-library-java/compare/v1.21.0...v1.22.0) (2024-01-09)


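Review bot: The 1.23.0 feature entry "Modify the refresh window to match go/async-token-refresh ..." cites an internal go/ short link that readers of the public changelog cannot resolve; suggest dropping the link and keeping only the public explanation the entry already carries (serverless tokens are cached until 4 minutes before expiration, so the refresh window is now 4 minutes). A smaller style point: the bug-fix entry "Issue #1347: ExternalAccountCredentials serialization is broken" states the symptom rather than the fix, unlike the surrounding entries; "Fix ExternalAccountCredentials serialization (#1347)" would match their form.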
180 changes: 180 additions & 0 deletions README.md
Expand Up @@ -470,6 +470,128 @@ credentials unless they do not meet your specific requirements.
You can now [use the Auth library](#using-external-identities) to call Google Cloud
resources from an OIDC or SAML provider.

#### Using a custom supplier with OIDC and SAML
A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials
to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid,
unexpired subject token when called by the GCP credential.

IdentityPoolCredentials do not cache the returned token, so caching logic should be
implemented in the token supplier to prevent multiple requests for the same subject token.

```java
import java.io.IOException;

public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier {

@Override
public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
// Any call to the supplier will pass a context object with the requested
// audience and subject token type.
string audience = context.getAudience();
string tokenType = context.getSubjectTokenType();

try {
// Return a valid, unexpired token for the requested audience and token type.
// Note that IdentityPoolCredentials do not cache the subject token so
// any caching logic needs to be implemented in the token supplier.
return retrieveToken(audience, tokenType);
} catch (Exception e) {
// If token is unavailable, throw IOException.
throw new IOException(e);
}
}

private String retrieveToken(string tokenType, string audience) {
// Retrieve a subject token of the requested type for the requested audience.
}
}
```
```java
CustomTokenSupplier tokenSupplier = new CustomTokenSupplier();
IdentityPoolCredentials identityPoolCredentials =
IdentityPoolCredentials.newBuilder()
.setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier.
.setAudience(...) // Sets the GCP audience.
.setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type.
.build();
```
Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is:
```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID```

Where the following variables need to be substituted:
- `$WORKLOAD_POOL_ID`: The workload pool ID.
- `$PROVIDER_ID`: The provider ID.

The values for audience, service account impersonation URL, and any other builder field can also be found by
generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).

#### Using a custom supplier with AWS
A custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token.
The supplier must return valid, unexpired AWS security credentials when called by the GCP credential.

AwsCredentials do not cache the returned AWS security credentials or region, so caching logic should be
implemented in the supplier to prevent multiple requests for the same resources.

```java
class CustomAwsSupplier implements AwsSecurityCredentialsSupplier {
@Override
AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException {
// Any call to the supplier will pass a context object with the requested
// audience.
string audience = context.getAudience();

try {
// Return valid, unexpired AWS security credentials for the requested audience.
// Note that AwsCredentials do not cache the AWS security credentials so
// any caching logic needs to be implemented in the credentials' supplier.
return retrieveAwsSecurityCredentials(audience);
} catch (Exception e) {
// If credentials are unavailable, throw IOException.
throw new IOException(e);
}
}

@Override
String getRegion(ExternalAccountSupplierContext context) throws IOException {
try {
// Return a valid AWS region. i.e. "us-east-2".
// Note that AwsCredentials do not cache the region so
// any caching logic needs to be implemented in the credentials' supplier.
return retrieveAwsRegion();
} catch (Exception e) {
// If region is unavailable, throw IOException.
throw new IOException(e);
}
}

private AwsSecurityCredentials retrieveAwsSecurityCredentials(string audience) {
// Retrieve Aws security credentials for the requested audience.
}

private String retrieveAwsRegion() {
// Retrieve current AWS region.
}
}
```
```java
CustomAwsSupplier awsSupplier = new CustomAwsSupplier();
AwsCredentials credentials = AwsCredentials.newBuilder()
.setSubjectTokenType(SubjectTokenTypes.AWS4) // Sets the subject token type.
.setAudience(...) // Sets the GCP audience.
.setAwsSecurityCredentialsSupplier(supplier) // Sets the supplier.
.build();
```

Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is:
```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID```

Where the following variables need to be substituted:
- `$WORKLOAD_POOL_ID`: The workload pool ID.
- `$PROVIDER_ID`: The provider ID.

The values for audience, service account impersonation URL, and any other builder field can also be found by
generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).

#### Configurable Token Lifetime
When creating a credential configuration with workload identity federation using service account impersonation, you can provide an optional argument to configure the service account access token lifetime.

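Review bot: The Java samples in this hunk do not compile as written, which matters for README code that users copy verbatim. `string` is not a Java type; it is used for `audience` and `tokenType` in `getSubjectToken`, for `audience` in `getAwsSecurityCredentials`, and for the parameters of `retrieveToken` and `retrieveAwsSecurityCredentials`, and should be `String` in each place. In `CustomTokenSupplier`, the helper is declared `private String retrieveToken(string tokenType, string audience)` but called as `retrieveToken(audience, tokenType)`, so the two arguments are swapped; suggest `private String retrieveToken(String audience, String tokenType)` to match the call. In `CustomAwsSupplier`, `getAwsSecurityCredentials` and `getRegion` carry `@Override` for interface methods but omit `public`, which Java rejects as a weaker access level than the interface's implicitly public methods. The builder snippet for AWS creates `awsSupplier` but passes `supplier` to `setAwsSecurityCredentialsSupplier`. Finally, the audience template for this workload identity section reads `//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID`, while the variable list below it describes `$WORKLOAD_POOL_ID` as "The workload pool ID"; the `workforcePools` segment looks copied from the workforce section, and audiences for workload identity pools use a `workloadIdentityPools` segment scoped under the project number rather than `workforcePools`. Since the hunk already points readers at the gcloud create-cred-config page, either correcting the template or telling readers to take the audience from the generated configuration file would resolve this.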
Expand Down Expand Up @@ -704,6 +826,64 @@ specified below. It must output the response to stdout.
Refer to the [using executable-sourced credentials with Workload Identity Federation](#using-executable-sourced-credentials-with-oidc-and-saml)
above for the executable response specification.

#### Using a custom supplier with OIDC and SAML
A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials
to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid,
unexpired subject token when called by the GCP credential.

IdentityPoolCredentials do not cache the returned token, so caching logic should be
implemented in the token supplier to prevent multiple requests for the same subject token.

```java
import java.io.IOException;

public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier {

@Override
public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
// Any call to supplier will pass a context object with the requested
// audience and subject token type.
string audience = context.getAudience();
string tokenType = context.getSubjectTokenType();

try {
// Return a valid, unexpired token for the requested audience and token type.
// Note that the IdentityPoolCredential does not cache the subject token so
// any caching logic needs to be implemented in the token supplier.
return retrieveToken(audience, tokenType);
} catch (Exception e) {
// If token is unavailable, throw IOException.
throw new IOException(e);
}
}

private String retrieveToken(string tokenType, string audience) {
// Retrieve a subject token of the requested type for the requested audience.
}
}
```
```java
CustomTokenSupplier tokenSupplier = new CustomTokenSupplier();
IdentityPoolCredentials identityPoolCredentials =
IdentityPoolCredentials.newBuilder()
.setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier.
.setAudience(...) // Sets the GCP audience.
.setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type.
.setWorkforcePoolUserProject(...) // Sets the workforce pool user project.
.build();
```
Where the audience is:
```//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID```

Where the following variables need to be substituted:
- `$WORKFORCE_POOL_ID`: The workforce pool ID.
- `$PROVIDER_ID`: The provider ID.

and the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).

The values for audience, service account impersonation URL, and any other builder field can also be found by
generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in).

##### Security considerations
The following security practices are highly recommended:
* Access to the script should be restricted as it will be displaying credentials to stdout. This ensures that rogue processes do not gain access to the script.
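Review bot: Placement problem: the new workforce "Using a custom supplier with OIDC and SAML" section splits the executable-sourced credentials text ("Refer to the using executable-sourced credentials ... above for the executable response specification.") from its "##### Security considerations" subsection, whose first bullet ("Access to the script should be restricted as it will be displaying credentials to stdout") is about the executable, not the supplier. Readers will now find the executable's security notes under the custom-supplier heading; suggest moving the new section to after the security considerations so each subsection stays with its parent. The sample code also carries the same compile problems as the workload section earlier in this diff: `string` where `String` is meant, and `retrieveToken` declared with `(string tokenType, string audience)` but called with `(audience, tokenType)`. The `.setWorkforcePoolUserProject(...)` builder call, the `$WORKFORCE_POOL_ID` audience template, and the workforce-pools user project sentence are consistent with each other and with the surrounding workforce text.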
2 changes: 1 addition & 1 deletion appengine/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-parent</artifactId>
<version>1.22.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<version>1.23.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<relativePath>../pom.xml</relativePath>
</parent>

2 changes: 1 addition & 1 deletion bom/pom.xml
Expand Up @@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-bom</artifactId>
<version>1.22.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-bom:current} -->
<version>1.23.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-bom:current} -->
<packaging>pom</packaging>
<name>Google Auth Library for Java BOM</name>
<description>
2 changes: 1 addition & 1 deletion credentials/pom.xml
Expand Up @@ -4,7 +4,7 @@
<parent>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-parent</artifactId>
<version>1.22.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<version>1.23.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<relativePath>../pom.xml</relativePath>
</parent>

2 changes: 1 addition & 1 deletion oauth2_http/pom.xml
Expand Up @@ -7,7 +7,7 @@
<parent>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-parent</artifactId>
<version>1.22.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<version>1.23.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<relativePath>../pom.xml</relativePath>
</parent>

2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -5,7 +5,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-parent</artifactId>
<version>1.22.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<version>1.23.1-SNAPSHOT</version><!-- {x-version-update:google-auth-library-parent:current} -->
<packaging>pom</packaging>
<name>Google Auth Library for Java</name>
<description>Client libraries providing authentication and
12 changes: 6 additions & 6 deletions versions.txt
@@ -1,9 +1,9 @@
# Format:
# module:released-version:current-version

google-auth-library:1.22.0:1.22.1-SNAPSHOT
google-auth-library-bom:1.22.0:1.22.1-SNAPSHOT
google-auth-library-parent:1.22.0:1.22.1-SNAPSHOT
google-auth-library-appengine:1.22.0:1.22.1-SNAPSHOT
google-auth-library-credentials:1.22.0:1.22.1-SNAPSHOT
google-auth-library-oauth2-http:1.22.0:1.22.1-SNAPSHOT
google-auth-library:1.23.0:1.23.1-SNAPSHOT
google-auth-library-bom:1.23.0:1.23.1-SNAPSHOT
google-auth-library-parent:1.23.0:1.23.1-SNAPSHOT
google-auth-library-appengine:1.23.0:1.23.1-SNAPSHOT
google-auth-library-credentials:1.23.0:1.23.1-SNAPSHOT
google-auth-library-oauth2-http:1.23.0:1.23.1-SNAPSHOT

0 comments on commit 6284168
