Class: Google::Apis::StsV1::GoogleIdentityStsV1ExchangeTokenRequest

Inherits:
Object
  • Object
show all
Includes:
Core::Hashable, Core::JsonObjectSupport
Defined in:
lib/google/apis/sts_v1/classes.rb,
lib/google/apis/sts_v1/representations.rb,
lib/google/apis/sts_v1/representations.rb

Overview

Request message for ExchangeToken.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(**args) ⇒ GoogleIdentityStsV1ExchangeTokenRequest

Returns a new instance of GoogleIdentityStsV1ExchangeTokenRequest.



330
331
332
# File 'lib/google/apis/sts_v1/classes.rb', line 330

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#audienceString

The full resource name of the identity provider; for example: //iam. googleapis.com/projects//locations/global/workloadIdentityPools//providers/ for workload identity pool providers, or //iam.googleapis.com/locations/ global/workforcePools//providers/ for workforce pool providers. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property audience

Returns:

  • (String)


213
214
215
# File 'lib/google/apis/sts_v1/classes.rb', line 213

def audience
  @audience
end

#grant_typeString

Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token- exchange, which indicates a token exchange. Corresponds to the JSON property grantType

Returns:

  • (String)


219
220
221
# File 'lib/google/apis/sts_v1/classes.rb', line 219

def grant_type
  @grant_type
end

#optionsString

A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. The size of the parameter value must not exceed 4096 characters. Corresponds to the JSON property options

Returns:

  • (String)


226
227
228
# File 'lib/google/apis/sts_v1/classes.rb', line 226

def options
  @options
end

#requested_token_typeString

Required. An identifier for the type of requested security token. Can be urn: ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token- type:access_boundary_intermediate_token. Corresponds to the JSON property requestedTokenType

Returns:

  • (String)


233
234
235
# File 'lib/google/apis/sts_v1/classes.rb', line 233

def requested_token_type
  @requested_token_type
end

#scopeString

The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property scope

Returns:

  • (String)


240
241
242
# File 'lib/google/apis/sts_v1/classes.rb', line 240

def scope
  @scope
end

#subject_tokenString

Required. The input token. This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in RFC 7523, and the subject_token_type must be either urn:ietf:params:oauth:token-type:jwt or urn:ietf:params: oauth:token-type:id_token. The following headers are required: - kid: The identifier of the signing key securing the JWT. - alg: The cryptographic algorithm securing the JWT. Must be RS256 or ES256. The following payload fields are required. For more information, see RFC 7523, Section 3: - iss: The issuer of the token. The issuer must provide a discovery document at the URL /.well-known/openid- configuration, where is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1.0 Discovery specification]( https://openid.net/specs/openid-connect-discovery-1_0.html# ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in the allowed audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See https://cloud. google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools. providers#oidc. For workforce pools, this must match the client ID specified in the provider configuration. See https://cloud.google.com/iam/docs/reference/ rest/v1/locations.workforcePools.providers#oidc. Example header: "alg": " RS256", "kid": "us-east-11" Example payload: "iss": "https:// accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "//iam. googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/ my-pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": "additional_claim": "value" If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. This token contains the same information as a request to the AWS [`GetCallerIdentity()`](https://docs.aws. amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws.amazon.com/general/latest/gr/ signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the ` subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are required: - `url`: The URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action= GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP request headers, which must include: - `Authorization`: The request signature. - `x- amz-date`: The time you will send the request, formatted as an [ISO8601 Basic]( https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html# sigv4_elements_date) string. This value is typically set to the current time and is used to help prevent replay attacks. - `host`: The hostname of the `url` field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full, canonical resource name of the workload identity pool provider, with or without an `https:` prefix. To help ensure data integrity, we recommend including this header in the `SignedHeaders` field of the signed request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools/ /providers/ https://iam.googleapis.com/projects//locations/global/ workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security- token`, with the value set to the session token. The following example shows a `GetCallerIdentity` token: "headers": [ "key": "x-amz-date", "value": " 20200815T015049Z", "key": "Authorization", "value": "AWS4-HMAC-SHA256+ Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target- resource,+Signature=$signature", "key": "x-goog-cloud-target-resource", " value": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools/ /providers/", "key": "host", "value": "sts.amazonaws.com" . ], "method": " POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011- 06-15" `If the token is a SAML 2.0 assertion, it must use the format defined in [the SAML 2.0 spec](https://docs.oasis-open.org/security/saml/Post2. 0/sstc-saml-tech-overview-2.0-cd-02.pdf), and thesubject_token_typemust be urn:ietf:params:oauth:token-type:saml2. See [Verification of external credentials](https://cloud.google.com/iam/docs/using-workload-identity- federation#verification_of_external_credentials) for details on how SAML 2.0 assertions are validated during token exchanges. You can also use a Google- issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, setsubject_token_typetourn:ietf:params:oauth:token-type: access_token. If an access token already contains security attributes, you cannot apply additional security attributes. Corresponds to the JSON propertysubjectToken`

Returns:

  • (String)


319
320
321
# File 'lib/google/apis/sts_v1/classes.rb', line 319

def subject_token
  @subject_token
end

#subject_token_typeString

Required. An identifier that indicates the type of the security token in the subject_token parameter. Supported values are urn:ietf:params:oauth:token- type:jwt, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:aws: token-type:aws4_request, urn:ietf:params:oauth:token-type:access_token, and urn:ietf:params:oauth:token-type:saml2. Corresponds to the JSON property subjectTokenType

Returns:

  • (String)


328
329
330
# File 'lib/google/apis/sts_v1/classes.rb', line 328

def subject_token_type
  @subject_token_type
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object



335
336
337
338
339
340
341
342
343
# File 'lib/google/apis/sts_v1/classes.rb', line 335

def update!(**args)
  @audience = args[:audience] if args.key?(:audience)
  @grant_type = args[:grant_type] if args.key?(:grant_type)
  @options = args[:options] if args.key?(:options)
  @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
  @scope = args[:scope] if args.key?(:scope)
  @subject_token = args[:subject_token] if args.key?(:subject_token)
  @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
end