From 527ad4b52cfda9361de922dcf9014d591f3ad8ff Mon Sep 17 00:00:00 2001
From: "release-please[bot]"
<55107282+release-please[bot]@users.noreply.github.com>
Date: Wed, 7 Feb 2024 09:54:02 -0800
Subject: [PATCH 1/3] chore(main): release 1.23.0 (#1353)
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
---
CHANGELOG.md | 17 +++++++++++++++++
appengine/pom.xml | 2 +-
bom/pom.xml | 2 +-
credentials/pom.xml | 2 +-
oauth2_http/pom.xml | 2 +-
pom.xml | 2 +-
versions.txt | 12 ++++++------
7 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9f67a516..6a69d4aa4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,22 @@
# Changelog
+## [1.23.0](https://github.com/googleapis/google-auth-library-java/compare/v1.22.0...v1.23.0) (2024-02-05)
+
+
+### Features
+
+* Add context object to pass to supplier functions ([#1363](https://github.com/googleapis/google-auth-library-java/issues/1363)) ([1d9efc7](https://github.com/googleapis/google-auth-library-java/commit/1d9efc78aa6ab24fc2aab5f081240a815c394c95))
+* Adds support for user defined subject token suppliers in AWSCredentials and IdentityPoolCredentials ([#1336](https://github.com/googleapis/google-auth-library-java/issues/1336)) ([64ce8a1](https://github.com/googleapis/google-auth-library-java/commit/64ce8a1fbb82cb19e17ca0c6713c7c187078c28b))
+* Adds universe domain for DownscopedCredentials and ExternalAccountAuthorizedUserCredentials ([#1355](https://github.com/googleapis/google-auth-library-java/issues/1355)) ([17ef707](https://github.com/googleapis/google-auth-library-java/commit/17ef70748aae4820f10694ae99c82ed7ca89dbce))
+* Modify the refresh window to match go/async-token-refresh. Serverless tokens are cached until 4 minutes before expiration, so 4 minutes is the ideal refresh window. ([#1352](https://github.com/googleapis/google-auth-library-java/issues/1352)) ([a7a8d7a](https://github.com/googleapis/google-auth-library-java/commit/a7a8d7a4102b0b7c1b83791947ccb662f060eca7))
+
+
+### Bug Fixes
+
+* Add missing copyright header ([#1364](https://github.com/googleapis/google-auth-library-java/issues/1364)) ([a24e563](https://github.com/googleapis/google-auth-library-java/commit/a24e5631b8198d988a7b82deab5453e43917b0d2))
+* Issue [#1347](https://github.com/googleapis/google-auth-library-java/issues/1347): ExternalAccountCredentials serialization is broken ([#1358](https://github.com/googleapis/google-auth-library-java/issues/1358)) ([e3a2e9c](https://github.com/googleapis/google-auth-library-java/commit/e3a2e9cbdd767c4664d895f98f69d8b742d645f0))
+* Refactor compute and cloudshell credentials to pass quota project to base class ([#1284](https://github.com/googleapis/google-auth-library-java/issues/1284)) ([fb75239](https://github.com/googleapis/google-auth-library-java/commit/fb75239ead37b6677a392f38ea2ef2012b3f21e0))
+
## [1.22.0](https://github.com/googleapis/google-auth-library-java/compare/v1.21.0...v1.22.0) (2024-01-09)
diff --git a/appengine/pom.xml b/appengine/pom.xml
index d65ade433..a98af5241 100644
--- a/appengine/pom.xml
+++ b/appengine/pom.xml
@@ -5,7 +5,7 @@
com.google.auth
google-auth-library-parent
- 1.22.1-SNAPSHOT
+ 1.23.0
../pom.xml
diff --git a/bom/pom.xml b/bom/pom.xml
index 2c7e5198c..01a093b62 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -3,7 +3,7 @@
4.0.0
com.google.auth
google-auth-library-bom
- 1.22.1-SNAPSHOT
+ 1.23.0
pom
Google Auth Library for Java BOM
diff --git a/credentials/pom.xml b/credentials/pom.xml
index bd5934deb..224af9b72 100644
--- a/credentials/pom.xml
+++ b/credentials/pom.xml
@@ -4,7 +4,7 @@
com.google.auth
google-auth-library-parent
- 1.22.1-SNAPSHOT
+ 1.23.0
../pom.xml
diff --git a/oauth2_http/pom.xml b/oauth2_http/pom.xml
index 36da3d3b8..7c3068d1e 100644
--- a/oauth2_http/pom.xml
+++ b/oauth2_http/pom.xml
@@ -7,7 +7,7 @@
com.google.auth
google-auth-library-parent
- 1.22.1-SNAPSHOT
+ 1.23.0
../pom.xml
diff --git a/pom.xml b/pom.xml
index 0b44d72fd..a055fb74d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
4.0.0
com.google.auth
google-auth-library-parent
- 1.22.1-SNAPSHOT
+ 1.23.0
pom
Google Auth Library for Java
Client libraries providing authentication and
diff --git a/versions.txt b/versions.txt
index ee3f1a94a..b51d5f59b 100644
--- a/versions.txt
+++ b/versions.txt
@@ -1,9 +1,9 @@
# Format:
# module:released-version:current-version
-google-auth-library:1.22.0:1.22.1-SNAPSHOT
-google-auth-library-bom:1.22.0:1.22.1-SNAPSHOT
-google-auth-library-parent:1.22.0:1.22.1-SNAPSHOT
-google-auth-library-appengine:1.22.0:1.22.1-SNAPSHOT
-google-auth-library-credentials:1.22.0:1.22.1-SNAPSHOT
-google-auth-library-oauth2-http:1.22.0:1.22.1-SNAPSHOT
+google-auth-library:1.23.0:1.23.0
+google-auth-library-bom:1.23.0:1.23.0
+google-auth-library-parent:1.23.0:1.23.0
+google-auth-library-appengine:1.23.0:1.23.0
+google-auth-library-credentials:1.23.0:1.23.0
+google-auth-library-oauth2-http:1.23.0:1.23.0
From b97fa2006adb313ebe4e3385c733b6d408c85656 Mon Sep 17 00:00:00 2001
From: "release-please[bot]"
<55107282+release-please[bot]@users.noreply.github.com>
Date: Wed, 7 Feb 2024 17:56:17 +0000
Subject: [PATCH 2/3] chore(main): release 1.23.1-SNAPSHOT (#1366)
:robot: I have created a release *beep* *boop*
---
### Updating meta-information for bleeding-edge SNAPSHOT release.
---
This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please).
---
appengine/pom.xml | 2 +-
bom/pom.xml | 2 +-
credentials/pom.xml | 2 +-
oauth2_http/pom.xml | 2 +-
pom.xml | 2 +-
versions.txt | 12 ++++++------
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/appengine/pom.xml b/appengine/pom.xml
index a98af5241..85bef4522 100644
--- a/appengine/pom.xml
+++ b/appengine/pom.xml
@@ -5,7 +5,7 @@
com.google.auth
google-auth-library-parent
- 1.23.0
+ 1.23.1-SNAPSHOT
../pom.xml
diff --git a/bom/pom.xml b/bom/pom.xml
index 01a093b62..e5a936189 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -3,7 +3,7 @@
4.0.0
com.google.auth
google-auth-library-bom
- 1.23.0
+ 1.23.1-SNAPSHOT
pom
Google Auth Library for Java BOM
diff --git a/credentials/pom.xml b/credentials/pom.xml
index 224af9b72..42bb369b0 100644
--- a/credentials/pom.xml
+++ b/credentials/pom.xml
@@ -4,7 +4,7 @@
com.google.auth
google-auth-library-parent
- 1.23.0
+ 1.23.1-SNAPSHOT
../pom.xml
diff --git a/oauth2_http/pom.xml b/oauth2_http/pom.xml
index 7c3068d1e..5b1362ed7 100644
--- a/oauth2_http/pom.xml
+++ b/oauth2_http/pom.xml
@@ -7,7 +7,7 @@
com.google.auth
google-auth-library-parent
- 1.23.0
+ 1.23.1-SNAPSHOT
../pom.xml
diff --git a/pom.xml b/pom.xml
index a055fb74d..8d207deef 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
4.0.0
com.google.auth
google-auth-library-parent
- 1.23.0
+ 1.23.1-SNAPSHOT
pom
Google Auth Library for Java
Client libraries providing authentication and
diff --git a/versions.txt b/versions.txt
index b51d5f59b..e1a417028 100644
--- a/versions.txt
+++ b/versions.txt
@@ -1,9 +1,9 @@
# Format:
# module:released-version:current-version
-google-auth-library:1.23.0:1.23.0
-google-auth-library-bom:1.23.0:1.23.0
-google-auth-library-parent:1.23.0:1.23.0
-google-auth-library-appengine:1.23.0:1.23.0
-google-auth-library-credentials:1.23.0:1.23.0
-google-auth-library-oauth2-http:1.23.0:1.23.0
+google-auth-library:1.23.0:1.23.1-SNAPSHOT
+google-auth-library-bom:1.23.0:1.23.1-SNAPSHOT
+google-auth-library-parent:1.23.0:1.23.1-SNAPSHOT
+google-auth-library-appengine:1.23.0:1.23.1-SNAPSHOT
+google-auth-library-credentials:1.23.0:1.23.1-SNAPSHOT
+google-auth-library-oauth2-http:1.23.0:1.23.1-SNAPSHOT
From bd898c64875a87414f84ca0787ba6c140e05921b Mon Sep 17 00:00:00 2001
From: aeitzman <12433791+aeitzman@users.noreply.github.com>
Date: Wed, 7 Feb 2024 10:08:05 -0800
Subject: [PATCH 3/3] docs: adds docs for supplier based external account
credentials (#1362)
* docs: adds readme for supplier based external account credentials
* Update README.md
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* Update README.md
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* Update README.md
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* Update README.md
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* Update README.md
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* Update README.md
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* addressing review
* Addressing comments
* Apply suggestions from code review
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* clean up workforce docs
* Addressing comments
* Apply suggestions from code review
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
* Adding audience documentation for workload
---------
Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com>
---
README.md | 180 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 180 insertions(+)
diff --git a/README.md b/README.md
index 4c6a3dff8..149d4aa69 100644
--- a/README.md
+++ b/README.md
@@ -470,6 +470,128 @@ credentials unless they do not meet your specific requirements.
You can now [use the Auth library](#using-external-identities) to call Google Cloud
resources from an OIDC or SAML provider.
+#### Using a custom supplier with OIDC and SAML
+A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials
+to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid,
+unexpired subject token when called by the GCP credential.
+
+IdentityPoolCredentials do not cache the returned token, so caching logic should be
+implemented in the token supplier to prevent multiple requests for the same subject token.
+
+```java
+import java.io.IOException;
+
+public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier {
+
+ @Override
+ public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
+ // Any call to the supplier will pass a context object with the requested
+ // audience and subject token type.
+ string audience = context.getAudience();
+ string tokenType = context.getSubjectTokenType();
+
+ try {
+ // Return a valid, unexpired token for the requested audience and token type.
+ // Note that IdentityPoolCredentials do not cache the subject token so
+ // any caching logic needs to be implemented in the token supplier.
+ return retrieveToken(audience, tokenType);
+ } catch (Exception e) {
+ // If token is unavailable, throw IOException.
+ throw new IOException(e);
+ }
+ }
+
+ private String retrieveToken(string tokenType, string audience) {
+ // Retrieve a subject token of the requested type for the requested audience.
+ }
+}
+```
+```java
+CustomTokenSupplier tokenSupplier = new CustomTokenSupplier();
+IdentityPoolCredentials identityPoolCredentials =
+ IdentityPoolCredentials.newBuilder()
+ .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier.
+ .setAudience(...) // Sets the GCP audience.
+ .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type.
+ .build();
+```
+Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is:
+```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID```
+
+Where the following variables need to be substituted:
+- `$WORKLOAD_POOL_ID`: The workload pool ID.
+- `$PROVIDER_ID`: The provider ID.
+
+The values for audience, service account impersonation URL, and any other builder field can also be found by
+generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).
+
+#### Using a custom supplier with AWS
+A custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token.
+The supplier must return valid, unexpired AWS security credentials when called by the GCP credential.
+
+AwsCredentials do not cache the returned AWS security credentials or region, so caching logic should be
+implemented in the supplier to prevent multiple requests for the same resources.
+
+```java
+class CustomAwsSupplier implements AwsSecurityCredentialsSupplier {
+ @Override
+ AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException {
+ // Any call to the supplier will pass a context object with the requested
+ // audience.
+ string audience = context.getAudience();
+
+ try {
+ // Return valid, unexpired AWS security credentials for the requested audience.
+ // Note that AwsCredentials do not cache the AWS security credentials so
+ // any caching logic needs to be implemented in the credentials' supplier.
+ return retrieveAwsSecurityCredentials(audience);
+ } catch (Exception e) {
+ // If credentials are unavailable, throw IOException.
+ throw new IOException(e);
+ }
+ }
+
+ @Override
+ String getRegion(ExternalAccountSupplierContext context) throws IOException {
+ try {
+ // Return a valid AWS region. i.e. "us-east-2".
+ // Note that AwsCredentials do not cache the region so
+ // any caching logic needs to be implemented in the credentials' supplier.
+ return retrieveAwsRegion();
+ } catch (Exception e) {
+ // If region is unavailable, throw IOException.
+ throw new IOException(e);
+ }
+ }
+
+ private AwsSecurityCredentials retrieveAwsSecurityCredentials(string audience) {
+ // Retrieve Aws security credentials for the requested audience.
+ }
+
+ private String retrieveAwsRegion() {
+ // Retrieve current AWS region.
+ }
+}
+```
+```java
+CustomAwsSupplier awsSupplier = new CustomAwsSupplier();
+AwsCredentials credentials = AwsCredentials.newBuilder()
+ .setSubjectTokenType(SubjectTokenTypes.AWS4) // Sets the subject token type.
+ .setAudience(...) // Sets the GCP audience.
+ .setAwsSecurityCredentialsSupplier(supplier) // Sets the supplier.
+ .build();
+```
+
+Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is:
+```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID```
+
+Where the following variables need to be substituted:
+- `$WORKLOAD_POOL_ID`: The workload pool ID.
+- `$PROVIDER_ID`: The provider ID.
+
+The values for audience, service account impersonation URL, and any other builder field can also be found by
+generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).
+
#### Configurable Token Lifetime
When creating a credential configuration with workload identity federation using service account impersonation, you can provide an optional argument to configure the service account access token lifetime.
@@ -704,6 +826,64 @@ specified below. It must output the response to stdout.
Refer to the [using executable-sourced credentials with Workload Identity Federation](#using-executable-sourced-credentials-with-oidc-and-saml)
above for the executable response specification.
+#### Using a custom supplier with OIDC and SAML
+A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials
+to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid,
+unexpired subject token when called by the GCP credential.
+
+IdentityPoolCredentials do not cache the returned token, so caching logic should be
+implemented in the token supplier to prevent multiple requests for the same subject token.
+
+```java
+import java.io.IOException;
+
+public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier {
+
+ @Override
+ public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
+ // Any call to supplier will pass a context object with the requested
+ // audience and subject token type.
+ string audience = context.getAudience();
+ string tokenType = context.getSubjectTokenType();
+
+ try {
+ // Return a valid, unexpired token for the requested audience and token type.
+ // Note that the IdentityPoolCredential does not cache the subject token so
+ // any caching logic needs to be implemented in the token supplier.
+ return retrieveToken(audience, tokenType);
+ } catch (Exception e) {
+ // If token is unavailable, throw IOException.
+ throw new IOException(e);
+ }
+ }
+
+ private String retrieveToken(string tokenType, string audience) {
+ // Retrieve a subject token of the requested type for the requested audience.
+ }
+}
+```
+```java
+CustomTokenSupplier tokenSupplier = new CustomTokenSupplier();
+IdentityPoolCredentials identityPoolCredentials =
+ IdentityPoolCredentials.newBuilder()
+ .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier.
+ .setAudience(...) // Sets the GCP audience.
+ .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type.
+ .setWorkforcePoolUserProject(...) // Sets the workforce pool user project.
+ .build();
+```
+Where the audience is:
+```//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID```
+
+Where the following variables need to be substituted:
+- `$WORKFORCE_POOL_ID`: The workforce pool ID.
+- `$PROVIDER_ID`: The provider ID.
+
+and the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).
+
+The values for audience, service account impersonation URL, and any other builder field can also be found by
+generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in).
+
##### Security considerations
The following security practices are highly recommended:
* Access to the script should be restricted as it will be displaying credentials to stdout. This ensures that rogue processes do not gain access to the script.