Class: Google::Apis::StsV1::GoogleIdentityStsV1ExchangeTokenRequest
- Inherits:
-
Object
- Object
- Google::Apis::StsV1::GoogleIdentityStsV1ExchangeTokenRequest
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/sts_v1/classes.rb,
lib/google/apis/sts_v1/representations.rb,
lib/google/apis/sts_v1/representations.rb
Overview
Request message for ExchangeToken.
Instance Attribute Summary collapse
-
#audience ⇒ String
The full resource name of the identity provider; for example: `//iam.
-
#grant_type ⇒ String
Required.
-
#options ⇒ String
A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.
-
#requested_token_type ⇒ String
Required.
-
#scope ⇒ String
The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings.
-
#subject_token ⇒ String
Required.
-
#subject_token_type ⇒ String
Required.
Instance Method Summary collapse
-
#initialize(**args) ⇒ GoogleIdentityStsV1ExchangeTokenRequest
constructor
A new instance of GoogleIdentityStsV1ExchangeTokenRequest.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ GoogleIdentityStsV1ExchangeTokenRequest
Returns a new instance of GoogleIdentityStsV1ExchangeTokenRequest.
330 331 332 |
# File 'lib/google/apis/sts_v1/classes.rb', line 330 def initialize(**args) update!(**args) end |
Instance Attribute Details
#audience ⇒ String
The full resource name of the identity provider; for example: //iam.
googleapis.com/projects//locations/global/workloadIdentityPools//providers/
for workload identity pool providers, or //iam.googleapis.com/locations/
global/workforcePools//providers/
for workforce pool providers. Required when
exchanging an external credential for a Google access token.
Corresponds to the JSON property audience
213 214 215 |
# File 'lib/google/apis/sts_v1/classes.rb', line 213 def audience @audience end |
#grant_type ⇒ String
Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token-
exchange
, which indicates a token exchange.
Corresponds to the JSON property grantType
219 220 221 |
# File 'lib/google/apis/sts_v1/classes.rb', line 219 def grant_type @grant_type end |
#options ⇒ String
A set of features that Security Token Service supports, in addition to the
standard OAuth 2.0 token exchange, formatted as a serialized JSON object of
Options. The size of the parameter value must not exceed 4096 characters.
Corresponds to the JSON property options
226 227 228 |
# File 'lib/google/apis/sts_v1/classes.rb', line 226 def @options end |
#requested_token_type ⇒ String
Required. An identifier for the type of requested security token. Can be urn:
ietf:params:oauth:token-type:access_token
or urn:ietf:params:oauth:token-
type:access_boundary_intermediate_token
.
Corresponds to the JSON property requestedTokenType
233 234 235 |
# File 'lib/google/apis/sts_v1/classes.rb', line 233 def requested_token_type @requested_token_type end |
#scope ⇒ String
The OAuth 2.0 scopes to include on the resulting access token, formatted as a
list of space-delimited, case-sensitive strings. Required when exchanging an
external credential for a Google access token.
Corresponds to the JSON property scope
240 241 242 |
# File 'lib/google/apis/sts_v1/classes.rb', line 240 def scope @scope end |
#subject_token ⇒ String
Required. The input token. This token is either an external credential issued
by a workload identity pool provider, or a short-lived access token issued by
Google. If the token is an OIDC JWT, it must use the JWT format defined in
RFC 7523, and the subject_token_type
must be either urn:ietf:params:oauth:token-type:jwt
or urn:ietf:params:
oauth:token-type:id_token
. The following headers are required: - kid
: The
identifier of the signing key securing the JWT. - alg
: The cryptographic
algorithm securing the JWT. Must be RS256
or ES256
. The following payload
fields are required. For more information, see RFC 7523, Section 3: - iss
: The issuer of the token. The
issuer must provide a discovery document at the URL /.well-known/openid-
configuration
, where is the value of this field. The document must be
formatted according to section 4.2 of the [OIDC 1.0 Discovery specification](
https://openid.net/specs/openid-connect-discovery-1_0.html#
ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the
Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds,
since the Unix epoch. Must be less than 48 hours after `iat`. Shorter
expiration times are more secure. If possible, we recommend setting an
expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. -
`aud`: For workload identity pools, this must be a value specified in the
allowed audiences for the workload identity pool provider, or one of the
audiences allowed by default if no audiences were specified. See https://cloud.
google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.
providers#oidc. For workforce pools, this must match the client ID specified
in the provider configuration. See https://cloud.google.com/iam/docs/reference/
rest/v1/locations.workforcePools.providers#oidc. Example header:
"alg": "
RS256", "kid": "us-east-11"
Example payload:
"iss": "https://
accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "//iam.
googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/
my-pool/providers/my-provider", "sub": "113475438248934895348", "my_claims":
"additional_claim": "value"
If `subject_token` is for AWS, it must be
a serialized `GetCallerIdentity` token. This token contains the same
information as a request to the AWS [`GetCallerIdentity()`](https://docs.aws.
amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as
the AWS [signature](https://docs.aws.amazon.com/general/latest/gr/
signing_aws_api_requests.html) for the request information. Use Signature
Version 4. Format the request as URL-encoded JSON, and set the `
subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`.
The following parameters are required: - `url`: The URL of the AWS STS
endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action=
GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also supported. -
`method`: The HTTP request method: `POST`. - `headers`: The HTTP request
headers, which must include: - `Authorization`: The request signature. - `x-
amz-date`: The time you will send the request, formatted as an [ISO8601 Basic](
https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#
sigv4_elements_date) string. This value is typically set to the current time
and is used to help prevent replay attacks. - `host`: The hostname of the `url`
field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`:
The full, canonical resource name of the workload identity pool provider, with
or without an `https:` prefix. To help ensure data integrity, we recommend
including this header in the `SignedHeaders` field of the signed request. For
example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools/
/providers/ https://iam.googleapis.com/projects//locations/global/
workloadIdentityPools//providers/ If you are using temporary security
credentials provided by AWS, you must also include the header `x-amz-security-
token`, with the value set to the session token. The following example shows a
`GetCallerIdentity` token:
"headers": [
"key": "x-amz-date", "value": "
20200815T015049Z"
, "key": "Authorization", "value": "AWS4-HMAC-SHA256+
Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-
resource,+Signature=$signature"
, "key": "x-goog-cloud-target-resource", "
value": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools/
/providers/"
, "key": "host", "value": "sts.amazonaws.com"
. ], "method": "
POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-
06-15" `
If the token is a SAML 2.0 assertion, it must use the format
defined in [the SAML 2.0 spec](https://docs.oasis-open.org/security/saml/Post2.
0/sstc-saml-tech-overview-2.0-cd-02.pdf), and the
subject_token_typemust be
urn:ietf:params:oauth:token-type:saml2. See [Verification of external
credentials](https://cloud.google.com/iam/docs/using-workload-identity-
federation#verification_of_external_credentials) for details on how SAML 2.0
assertions are validated during token exchanges. You can also use a Google-
issued OAuth 2.0 access token with this field to obtain an access token with
new security attributes applied, such as a Credential Access Boundary. In this
case, set
subject_token_typeto
urn:ietf:params:oauth:token-type:
access_token. If an access token already contains security attributes, you
cannot apply additional security attributes.
Corresponds to the JSON property
subjectToken`
319 320 321 |
# File 'lib/google/apis/sts_v1/classes.rb', line 319 def subject_token @subject_token end |
#subject_token_type ⇒ String
Required. An identifier that indicates the type of the security token in the
subject_token
parameter. Supported values are urn:ietf:params:oauth:token-
type:jwt
, urn:ietf:params:oauth:token-type:id_token
, urn:ietf:params:aws:
token-type:aws4_request
, urn:ietf:params:oauth:token-type:access_token
, and
urn:ietf:params:oauth:token-type:saml2
.
Corresponds to the JSON property subjectTokenType
328 329 330 |
# File 'lib/google/apis/sts_v1/classes.rb', line 328 def subject_token_type @subject_token_type end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
335 336 337 338 339 340 341 342 343 |
# File 'lib/google/apis/sts_v1/classes.rb', line 335 def update!(**args) @audience = args[:audience] if args.key?(:audience) @grant_type = args[:grant_type] if args.key?(:grant_type) @options = args[:options] if args.key?(:options) @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type) @scope = args[:scope] if args.key?(:scope) @subject_token = args[:subject_token] if args.key?(:subject_token) @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type) end |