Package com.google.auth.oauth2
Class CertificateIdentityPoolSubjectTokenSupplier
java.lang.Object
com.google.auth.oauth2.CertificateIdentityPoolSubjectTokenSupplier
All Implemented Interfaces:
IdentityPoolSubjectTokenSupplier, Serializable
public class CertificateIdentityPoolSubjectTokenSupplier
extends Object
implements IdentityPoolSubjectTokenSupplier
Provider for retrieving the subject tokens for IdentityPoolCredentials by reading an X.509 certificate from the filesystem. The certificate file (e.g., PEM or DER encoded) is read, the leaf certificate is base64-encoded (DER format), wrapped in a JSON array, and used as the subject token for STS exchange.
Method Summary
Method: getSubjectToken
Description: Retrieves the X509 subject token.
Method Details
getSubjectToken
Retrieves the X509 subject token. This method loads the leaf certificate specified by the credentialSource.credentialLocation. If a trust chain path is configured in the credentialSource.certificateConfig, it also loads and includes the trust chain certificates. The subject token is constructed as a JSON array containing the base64-encoded (DER format) leaf certificate, followed by the base64-encoded (DER format) certificates in the trust chain. This JSON array serves as the subject token for mTLS authentication.
Specified by:
getSubjectToken in interface IdentityPoolSubjectTokenSupplier
Parameters:
context - The external account supplier context. This parameter is currently not used in this implementation.
Returns:
The JSON string representation of the base64-encoded certificate chain (leaf certificate followed by the trust chain, if present).
Throws:
IOException - If an I/O error occurs while reading the certificate file(s).
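The token layout described above, as an added example that is not the library's own code: it decodes PEM CERTIFICATE blocks to DER and emits the JSON array with the leaf first and the trust chain after it, which is useful when checking what a given pair of files should produce. The class and method names are hypothetical, the PEM blocks are constructed placeholders rather than real certificates, only PEM input is handled, and the library's own JSON serializer may escape characters differently.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SubjectTokenFormatExample {  // hypothetical name, not part of the library
  private static final Pattern PEM_BLOCK = Pattern.compile(
      "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);

  /** Decodes every CERTIFICATE block of a PEM text to DER bytes, in file order. */
  static List<byte[]> derBlocks(String pem) {
    List<byte[]> blocks = new ArrayList<>();
    Matcher m = PEM_BLOCK.matcher(pem);
    while (m.find()) {
      // The MIME decoder skips the line breaks inside a PEM body.
      blocks.add(Base64.getMimeDecoder().decode(m.group(1)));
    }
    return blocks;
  }

  /** JSON array of unwrapped base64 DER strings: the leaf first, then the trust chain. */
  static String subjectToken(String leafPem, String chainPem) {
    List<byte[]> leaf = derBlocks(leafPem);
    if (leaf.isEmpty()) throw new IllegalArgumentException("no CERTIFICATE block in leaf input");
    List<byte[]> certs = new ArrayList<>(leaf.subList(0, 1));
    if (chainPem != null) certs.addAll(derBlocks(chainPem));  // trust chain is optional
    List<String> items = new ArrayList<>();
    for (byte[] der : certs) {
      // Standard base64 uses only A-Z a-z 0-9 + / =, so no JSON escaping is required here.
      items.add('"' + Base64.getEncoder().encodeToString(der) + '"');
    }
    return "[" + String.join(",", items) + "]";
  }

  /** Constructed stand-in: wraps arbitrary bytes as a PEM block (not a real certificate). */
  static String fakePem(String label) {
    byte[] body = label.getBytes(StandardCharsets.US_ASCII);
    return "-----BEGIN CERTIFICATE-----\n"
        + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(body)
        + "\n-----END CERTIFICATE-----\n";
  }

  public static void main(String[] args) {
    String chain = fakePem("constructed intermediate") + fakePem("constructed root");
    System.out.println(subjectToken(fakePem("constructed leaf"), chain));
  }
}
```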