Class ExternalAccountAuthorizedUserCredentials

All Implemented Interfaces:
QuotaProjectIdProvider, Serializable

public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials
OAuth2 credentials sourced using external identities through Workforce Identity Federation.

Obtaining the initial access and refresh token can be done through the Google Cloud CLI.

 Example credentials file:
 {
   "type": "external_account_authorized_user",
   "audience": "//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID",
   "refresh_token": "refreshToken",
   "token_url": "https://sts.googleapis.com/v1/oauthtoken",
   "token_info_url": "https://sts.googleapis.com/v1/introspect",
   "client_id": "clientId",
   "client_secret": "clientSecret"
 }
 
  • Method Details

    • fromStream

      public static ExternalAccountAuthorizedUserCredentials fromStream(InputStream credentialsStream) throws IOException
      Returns external account authorized user credentials defined by a JSON file stream.

      Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to .

      Parameters:
      credentialsStream - the stream with the credential definition
      Returns:
      the credential defined by the credentialsStream
      Throws:
      IOException - if the credential cannot be created from the stream
    • fromStream

      public static ExternalAccountAuthorizedUserCredentials fromStream(InputStream credentialsStream, HttpTransportFactory transportFactory) throws IOException
      Returns external account authorized user credentials defined by a JSON file stream.

      Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to .

      Parameters:
      credentialsStream - the stream with the credential definition
      transportFactory - the HTTP transport factory used to create the transport to get access tokens
      Returns:
      the credential defined by the credentialsStream
      Throws:
      IOException - if the credential cannot be created from the stream
    • refreshAccessToken

      public AccessToken refreshAccessToken() throws IOException
      Description copied from class: OAuth2Credentials
      Method to refresh the access token according to the specific type of credentials.

      Throws IllegalStateException if not overridden since direct use of OAuth2Credentials is only for temporary or non-refreshing access tokens.

      Overrides:
      refreshAccessToken in class OAuth2Credentials
      Returns:
      never
      Throws:
      IOException
    • getAudience

      @Nullable public String getAudience()
    • getClientId

      @Nullable public String getClientId()
    • getClientSecret

      @Nullable public String getClientSecret()
    • getRevokeUrl

      @Nullable public String getRevokeUrl()
    • getTokenUrl

      @Nullable public String getTokenUrl()
    • getTokenInfoUrl

      @Nullable public String getTokenInfoUrl()
    • getRefreshToken

      @Nullable public String getRefreshToken()
    • newBuilder

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class GoogleCredentials
    • toString

      public String toString()
      Returns a string representation of this credential.

      Security Warning: The output of this method includes sensitive fields such as the client secret, refresh token, and request metadata containing the raw Bearer access token. Do not log this output in production environments as it may expose sensitive credentials.

      Overrides:
      toString in class GoogleCredentials
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class GoogleCredentials
    • toBuilder

      Overrides:
      toBuilder in class GoogleCredentials
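
One way to apply the validation requirement in the Important note on fromStream, as an added example that is not part of the library or its documentation. The class name ValidatedCredentialLoader, the host allowlist policy, the use of Gson for parsing, and the "revoke_url" key (the JSON field behind getRevokeUrl) are assumptions of this sketch.

```java
import com.google.auth.oauth2.ExternalAccountAuthorizedUserCredentials;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
/** Added example (hypothetical class): vet an externally supplied config before fromStream. */
public final class ValidatedCredentialLoader {
  private static final String EXPECTED_TYPE = "external_account_authorized_user";
  // Assumption: this deployment trusts only the STS host shown in the example credentials file.
  private static final Set<String> ALLOWED_HOSTS = Set.of("sts.googleapis.com");
  private static final String[] URL_FIELDS = {"token_url", "token_info_url", "revoke_url"};
  public static ExternalAccountAuthorizedUserCredentials load(String json) throws IOException {
    JsonObject cfg;
    try {
      cfg = JsonParser.parseString(json).getAsJsonObject();
    } catch (RuntimeException e) {
      // Do not chain the cause: parser messages can echo parts of the input (secrets).
      throw new IOException("credential configuration is not a JSON object");
    }
    JsonElement type = cfg.get("type");
    if (type == null || !type.isJsonPrimitive() || !EXPECTED_TYPE.equals(type.getAsString())) {
      throw new IOException("unexpected credential type");
    }
    for (String field : URL_FIELDS) {
      JsonElement value = cfg.get(field);
      if (value == null || value.isJsonNull()) continue; // field not supplied
      if (!value.isJsonPrimitive()) throw new IOException(field + " must be a string");
      URI uri;
      try {
        uri = URI.create(value.getAsString());
      } catch (IllegalArgumentException e) {
        throw new IOException(field + " is not a valid URI");
      }
      String host = uri.getHost() == null ? "" : uri.getHost().toLowerCase(Locale.ROOT);
      boolean ok = "https".equalsIgnoreCase(uri.getScheme()) && ALLOWED_HOSTS.contains(host)
          && uri.getUserInfo() == null && (uri.getPort() == -1 || uri.getPort() == 443);
      if (!ok) throw new IOException(field + " is outside the allowed endpoints");
    }
    // Pass the re-serialized, checked object so the library parses exactly what was validated.
    byte[] vetted = cfg.toString().getBytes(StandardCharsets.UTF_8);
    return ExternalAccountAuthorizedUserCredentials.fromStream(new ByteArrayInputStream(vetted));
  }
}
```

When recording which credential was loaded, log getAudience() rather than toString(), since the toString output includes the client secret, refresh token, and Bearer access token.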