Package com.google.auth.oauth2 (1.46.0)

GitHub Repository

Classes

Class Description
com.google.auth.oauth2.AccessToken Represents a temporary OAuth2 access token and its expiration information.
com.google.auth.oauth2.AccessToken.Builder
com.google.auth.oauth2.AwsCredentialSource The AWS credential source. Stores data required to retrieve the AWS credential.
com.google.auth.oauth2.AwsCredentials Credentials representing an AWS third-party identity for calling Google APIs. AWS security credentials are sourced from the EC2 metadata endpoints, from environment variables, or from a user-provided supplier method.
com.google.auth.oauth2.AwsCredentials.Builder
com.google.auth.oauth2.AwsSecurityCredentials Defines AWS security credentials. These are either retrieved from the AWS security_credentials endpoint or AWS environment variables.
com.google.auth.oauth2.CertificateIdentityPoolSubjectTokenSupplier Provider for retrieving the subject tokens for IdentityPoolCredentials by reading an X.509 certificate from the filesystem. The certificate file (e.g., PEM or DER encoded) is read, the leaf certificate is base64-encoded (DER format), wrapped in a JSON array, and used as the subject token for STS exchange.
com.google.auth.oauth2.ClientId An OAuth2 user authorization Client ID and associated information.

Corresponds to the information in the JSON file downloadable for a Client ID.

com.google.auth.oauth2.ClientId.Builder
com.google.auth.oauth2.CloudShellCredentials OAuth2 credentials representing the built-in service account for Google Cloud Shell.
com.google.auth.oauth2.CloudShellCredentials.Builder
com.google.auth.oauth2.ComputeEngineCredentials OAuth2 credentials representing the built-in service account for a Google Compute Engine VM.

Fetches access tokens from the Google Compute Engine metadata server.

com.google.auth.oauth2.ComputeEngineCredentials.Builder
com.google.auth.oauth2.CredentialAccessBoundary Defines an upper bound of permissions available for a GCP credential via AccessBoundaryRules.

See for more information.

com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule Defines an upper bound of permissions on a particular resource.

The following snippet shows an AccessBoundaryRule that applies to the Cloud Storage bucket bucket-one to set the upper bound of permissions to those defined by the

com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition An optional condition that can be used as part of a AccessBoundaryRule to further restrict permissions.

For example, you can define an AvailabilityCondition that applies to a set of Cloud

com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.Builder
com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.Builder
com.google.auth.oauth2.CredentialAccessBoundary.Builder
com.google.auth.oauth2.DefaultPKCEProvider Implements PKCE using only the Java standard library. See https://www.rfc-editor.org/rfc/rfc7636.

https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier.
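The following is an added example, not code from the google-auth-library-java project, showing the RFC 7636 derivation that DefaultPKCEProvider performs with only the JDK: a 32-byte random code_verifier, base64url-encoded without padding, and the S256 code_challenge as base64url(SHA-256(verifier)). It checks the derivation against the test vector in RFC 7636 Appendix B and then cross-checks that DefaultPKCEProvider's challenge really is S256 of its own verifier. The use of a public no-argument DefaultPKCEProvider constructor and the three PKCEProvider getters is an assumption about the library; everything else is standard-library code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import com.google.auth.oauth2.DefaultPKCEProvider;
import com.google.auth.oauth2.PKCEProvider;

/** Added example: PKCE (RFC 7636) with the JDK only, plus a consistency check of DefaultPKCEProvider. */
public final class PkceExample {
  private static final Base64.Encoder URL_NO_PAD = Base64.getUrlEncoder().withoutPadding();

  /** code_verifier: 43..128 chars from [A-Za-z0-9-._~]; 32 random octets base64url-encoded give 43. */
  static String newCodeVerifier() {
    byte[] random = new byte[32];
    new SecureRandom().nextBytes(random);
    return URL_NO_PAD.encodeToString(random);
  }

  /** S256: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with no '=' padding. */
  static String s256Challenge(String codeVerifier) {
    try {
      byte[] digest =
          MessageDigest.getInstance("SHA-256").digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
      return URL_NO_PAD.encodeToString(digest);
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
    }
  }

  public static void main(String[] args) {
    // Known-answer test from RFC 7636 Appendix B.
    String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
    String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
    if (!s256Challenge(rfcVerifier).equals(rfcChallenge)) {
      throw new AssertionError("S256 derivation does not match RFC 7636 Appendix B");
    }

    String verifier = newCodeVerifier();
    System.out.println("code_verifier  = " + verifier + " (" + verifier.length() + " chars)");
    System.out.println("code_challenge = " + s256Challenge(verifier));

    // Cross-check the library: its challenge must equal S256 of its own verifier and it must
    // advertise the S256 method (the "plain" method gives no protection against code interception).
    PKCEProvider provider = new DefaultPKCEProvider(); // assumed public no-arg constructor
    if (!"S256".equals(provider.getCodeChallengeMethod())
        || !s256Challenge(provider.getCodeVerifier()).equals(provider.getCodeChallenge())) {
      throw new AssertionError("DefaultPKCEProvider challenge is not S256(verifier)");
    }
    System.out.println("DefaultPKCEProvider challenge is consistent with S256");
  }
}
```

The verifier must be generated fresh per authorization request and kept client-side until the token exchange; only the challenge and method travel in the authorization URL.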

com.google.auth.oauth2.DownscopedCredentials DownscopedCredentials enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions that a short-lived credential can use for Cloud Storage.

This class provides a server-side approach for generating downscoped tokens, suitable for

com.google.auth.oauth2.DownscopedCredentials.Builder
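The following is an added example, not code from the google-auth-library-java project, covering CredentialAccessBoundary, AccessBoundaryRule and AvailabilityCondition above and their use with DownscopedCredentials. It builds a boundary that limits a token to roles/storage.objectViewer on one bucket and, via a CEL availability condition, to objects under one prefix, then wires it to DownscopedCredentials. The source credential is a constructed placeholder access token (GoogleCredentials.create) so that the construction runs offline; the STS exchange itself, which needs a real credential and network access, is isolated in exchange() and never called by main. The builder and getter names follow the library's README; the bucket and prefix values are assumptions.

```java
import java.io.IOException;
import java.util.Date;

import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;

/** Added example: a read-only, prefix-scoped Credential Access Boundary for Cloud Storage. */
public final class DownscopeExample {

  /**
   * Upper bound: objectViewer on {@code bucket}, and only for objects whose name starts with
   * {@code prefix}. Bucket and prefix are interpolated into a CEL string literal, so they must not
   * contain single quotes.
   */
  static CredentialAccessBoundary readOnlyPrefixBoundary(String bucket, String prefix) {
    AvailabilityCondition onlyUnderPrefix =
        AvailabilityCondition.newBuilder()
            .setTitle("prefix-only")
            .setExpression(
                "resource.name.startsWith('projects/_/buckets/" + bucket + "/objects/" + prefix + "')")
            .build();

    AccessBoundaryRule rule =
        AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(onlyUnderPrefix)
            .build();

    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  /** Network step: exchanges the broad source token at the STS for a bounded one. */
  static AccessToken exchange(DownscopedCredentials narrowed) throws IOException {
    return narrowed.refreshAccessToken();
  }

  public static void main(String[] args) throws Exception {
    // Constructed stand-in for a broad credential; production code would use ADC here.
    AccessToken placeholder =
        new AccessToken("ya29.placeholder-not-a-real-token", new Date(System.currentTimeMillis() + 3600_000L));
    GoogleCredentials broad = GoogleCredentials.create(placeholder);

    CredentialAccessBoundary boundary = readOnlyPrefixBoundary("bucket-one", "customer-a/");

    DownscopedCredentials narrowed =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(broad)
            .setCredentialAccessBoundary(boundary)
            .build();

    // Review what the boundary permits before the narrowed credential leaves this process.
    for (AccessBoundaryRule r : boundary.getAccessBoundaryRules()) {
      System.out.println("resource:    " + r.getAvailableResource());
      System.out.println("permissions: " + r.getAvailablePermissions());
      System.out.println("condition:   " + r.getAvailabilityCondition().getExpression());
    }
    System.out.println("built " + narrowed.getClass().getSimpleName() + "; call exchange() with real credentials");
  }
}
```

A boundary can only remove permissions the source credential already has; it never adds any, so the source token's own scope and IAM grants remain the real ceiling.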
com.google.auth.oauth2.ExternalAccountAuthorizedUserCredentials OAuth2 credentials sourced using external identities through Workforce Identity Federation.

Obtaining the initial access and refresh token can be done through the Google Cloud CLI.

com.google.auth.oauth2.ExternalAccountAuthorizedUserCredentials.Builder Builder for ExternalAccountAuthorizedUserCredentials.
com.google.auth.oauth2.ExternalAccountCredentials Base external account credentials class.

Handles initializing external credentials, calls to the Security Token Service, and service account impersonation.

com.google.auth.oauth2.ExternalAccountCredentials.Builder Base builder for external account credentials.
com.google.auth.oauth2.ExternalAccountSupplierContext Context object to pass relevant variables from external account credentials to suppliers. This will be passed on any call made to IdentityPoolSubjectTokenSupplier or AwsSecurityCredentialsSupplier.
com.google.auth.oauth2.GdchCredentials
com.google.auth.oauth2.GdchCredentials.Builder
com.google.auth.oauth2.GoogleAuthUtils Public class providing shared utilities for common OAuth2 and Application Default Credentials (ADC) operations. It also exposes convenience methods such as a getter for the well-known Application Default Credentials file path.
com.google.auth.oauth2.GoogleCredentials Base type for credentials for authorizing calls to Google APIs using OAuth2.
com.google.auth.oauth2.GoogleCredentials.Builder
com.google.auth.oauth2.IdToken Represents a temporary IdToken and its JsonWebSignature object.
com.google.auth.oauth2.IdTokenCredentials IdTokenCredentials provides a Google Issued OpenIdConnect token.
Use an ID token to access services that require presenting an ID token for authentication such as Cloud Functions or Cloud Run.
The following Credential subclasses support IDTokens: ServiceAccountCredentials,
com.google.auth.oauth2.IdTokenCredentials.Builder
com.google.auth.oauth2.IdentityPoolCredentialSource The IdentityPool credential source. Dictates the retrieval method of the external credential, which can either be through a metadata server or a local file.
com.google.auth.oauth2.IdentityPoolCredentialSource.CertificateConfig Represents the configuration options for X.509-based workload credentials (mTLS). It specifies how to locate and use the client certificate, private key, and optional trust chain for mutual TLS authentication.
com.google.auth.oauth2.IdentityPoolCredentials URL-sourced, file-sourced, or supplier-sourced (user-provided supplier method) external account credentials.

By default, attempts to exchange the external credential for a GCP access token.

com.google.auth.oauth2.IdentityPoolCredentials.Builder
com.google.auth.oauth2.ImpersonatedCredentials ImpersonatedCredentials allows credentials issued to a user or service account to impersonate another. The source project using ImpersonatedCredentials must enable the "IAMCredentials" API. Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role.
com.google.auth.oauth2.ImpersonatedCredentials.Builder
com.google.auth.oauth2.JwtClaims Value class representing the set of fields used as the payload of a JWT token.

To create and customize claims, use the builder:

com.google.auth.oauth2.JwtClaims.Builder
com.google.auth.oauth2.JwtCredentials Credentials class for calling Google APIs using a JWT with custom claims.

Uses a JSON Web Token (JWT) directly in the request metadata to provide authorization.

com.google.auth.oauth2.JwtCredentials.Builder
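The following is an added example, not code from the google-auth-library-java project, for JwtClaims and JwtCredentials above. It generates a throwaway RSA key pair (a constructed stand-in for a service-account key), builds claims with issuer, subject, a single audience and one additional claim, asks JwtCredentials for request metadata, and then decodes the resulting self-signed JWT with the JDK's Base64 decoder to show what is actually being sent as the bearer token. The issuer, audience and key id values are assumptions; the builder methods used (setIssuer, setSubject, setAudience, setAdditionalClaims, setPrivateKey, setPrivateKeyId, setJwtClaims, setLifeSpanSeconds) and the "Authorization: Bearer" metadata shape are as documented for the library.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import com.google.auth.oauth2.JwtClaims;
import com.google.auth.oauth2.JwtCredentials;

/** Added example: a short-lived, audience-bound self-signed JWT via JwtCredentials. */
public final class JwtCredentialsExample {

  static JwtCredentials buildCredentials(KeyPair key, String keyId, String issuer, String audience) {
    JwtClaims claims =
        JwtClaims.newBuilder()
            .setIssuer(issuer)
            .setSubject(issuer)
            .setAudience(audience) // binds the token to one API; a stolen token is useless elsewhere
            .setAdditionalClaims(
                Collections.singletonMap("scope", "https://www.googleapis.com/auth/cloud-platform"))
            .build();
    return JwtCredentials.newBuilder()
        .setPrivateKey(key.getPrivate())
        .setPrivateKeyId(keyId)
        .setJwtClaims(claims)
        .setLifeSpanSeconds(300L) // five minutes instead of the default hour: exp = iat + 300
        .build();
  }

  /** Pulls the bearer token out of the metadata the library would attach to a request. */
  static String bearerToken(JwtCredentials creds, URI uri) throws Exception {
    Map<String, List<String>> metadata = creds.getRequestMetadata(uri);
    String auth = metadata.get("Authorization").get(0);
    if (!auth.startsWith("Bearer ")) {
      throw new IllegalStateException("unexpected Authorization header: " + auth);
    }
    return auth.substring("Bearer ".length());
  }

  /** Decodes one dot-separated JWT segment (0 = header, 1 = payload); the signature is segment 2. */
  static String decodeSegment(String jwt, int index) {
    String[] parts = jwt.split("\\.");
    return new String(Base64.getUrlDecoder().decode(parts[index]), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws Exception {
    // Constructed key for the example only; real code loads the service-account key or uses a KMS.
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    KeyPair key = kpg.generateKeyPair();

    JwtCredentials creds =
        buildCredentials(
            key,
            "key-id-1",
            "example-sa@example-project.iam.gserviceaccount.com",
            "https://pubsub.googleapis.com/google.pubsub.v1.Publisher");

    String jwt = bearerToken(creds, URI.create("https://pubsub.googleapis.com/"));
    System.out.println("header:  " + decodeSegment(jwt, 0)); // alg RS256, typ JWT, kid key-id-1
    System.out.println("payload: " + decodeSegment(jwt, 1)); // iss, sub, aud, scope, iat, exp
  }
}
```

Because no token endpoint is involved, nothing revokes such a JWT before exp; keep the lifespan short and the audience specific.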
com.google.auth.oauth2.MemoryTokensStorage Represents an in-memory storage of tokens.
com.google.auth.oauth2.OAuth2Credentials Base type for Credentials using OAuth2.
com.google.auth.oauth2.OAuth2Credentials.Builder
com.google.auth.oauth2.OAuth2CredentialsWithRefresh A refreshable alternative to OAuth2Credentials.

To enable automatic token refreshes, you must provide an OAuth2RefreshHandler.

com.google.auth.oauth2.OAuth2CredentialsWithRefresh.Builder
com.google.auth.oauth2.OAuth2Utils Internal utilities for the com.google.auth.oauth2 namespace.

These classes are marked public but should be treated effectively as internal classes only. They are not subject to any backwards compatibility guarantees and might change or be removed at

com.google.auth.oauth2.PluggableAuthCredentialSource Encapsulates the credential source portion of the configuration for PluggableAuthCredentials.

Command is the only required field. If timeout_millis is not specified, the library will default to a 30 second timeout.

com.google.auth.oauth2.PluggableAuthCredentials PluggableAuthCredentials enables the exchange of workload identity pool external credentials for Google access tokens by retrieving third-party tokens through a user-supplied executable. These scripts/executables are completely independent of the Google Cloud Auth libraries. These credentials plug into ADC and will call the specified executable to retrieve the third-party token.
com.google.auth.oauth2.PluggableAuthCredentials.Builder
com.google.auth.oauth2.SecureSessionAgent Utilities to fetch the S2A (Secure Session Agent) address from the mTLS configuration.

mTLS configuration is queried from the MDS MTLS Autoconfiguration endpoint. See https://google.aip.dev/auth/4115 for details.

com.google.auth.oauth2.SecureSessionAgent.Builder
com.google.auth.oauth2.SecureSessionAgentConfig Holds an mTLS configuration (consists of address of S2A) retrieved from the Metadata Server.
com.google.auth.oauth2.SecureSessionAgentConfig.Builder
com.google.auth.oauth2.ServiceAccountCredentials OAuth2 credentials representing a Service Account for calling Google APIs.

By default uses a JSON Web Token (JWT) to fetch access tokens.

com.google.auth.oauth2.ServiceAccountCredentials.Builder
com.google.auth.oauth2.ServiceAccountJwtAccessCredentials Service Account credentials for calling Google APIs using a JWT directly for access.

Uses a JSON Web Token (JWT) directly in the request metadata to provide authorization.

com.google.auth.oauth2.ServiceAccountJwtAccessCredentials.Builder
com.google.auth.oauth2.StsRequestHandler Implements the OAuth 2.0 token exchange based on RFC 8693.

This class handles the process of exchanging one type of token for another using the Security Token Service (STS). It constructs and sends the token exchange request to the STS endpoint and

com.google.auth.oauth2.StsRequestHandler.Builder
com.google.auth.oauth2.StsTokenExchangeRequest Represents an OAuth 2.0 token exchange request, as defined in RFC 8693, Section 2.1.

This class encapsulates the parameters necessary for making a token exchange request to Google Security Token Service (STS). It includes the subject token, subject token type, optional

com.google.auth.oauth2.StsTokenExchangeRequest.Builder
com.google.auth.oauth2.StsTokenExchangeResponse Represents a successful OAuth 2.0 token exchange response from the Google Security Token Service (STS), as defined in RFC 8693, Section 2.2.1.
com.google.auth.oauth2.StsTokenExchangeResponse.Builder
com.google.auth.oauth2.SystemEnvironmentProvider Represents the default system environment provider.

For internal use only.

com.google.auth.oauth2.SystemPropertyProvider Represents the default system property provider.

For internal use only.

com.google.auth.oauth2.TokenVerifier Handles verification of Google-signed JWTs.
com.google.auth.oauth2.TokenVerifier.Builder
com.google.auth.oauth2.UserAuthorizer Handles an interactive 3-Legged-OAuth2 (3LO) user consent authorization.
com.google.auth.oauth2.UserAuthorizer.Builder
com.google.auth.oauth2.UserAuthorizer.TokenResponseWithConfig Represents the response from an OAuth token exchange, including configuration details used to initiate the flow.

This response can be used to initialize the following credentials types:

com.google.auth.oauth2.UserCredentials OAuth2 Credentials representing a user's identity and consent.
com.google.auth.oauth2.UserCredentials.Builder

Interfaces

Interface Description
com.google.auth.oauth2.AwsSecurityCredentialsSupplier Supplier for retrieving AWS Security credentials for AwsCredentials to exchange for GCP access tokens.
com.google.auth.oauth2.EnvironmentProvider Interface for an environment provider.

For internal use only.

com.google.auth.oauth2.IdTokenProvider Interface for a Google OIDC token provider. This type represents a Google-issued OIDC token.
com.google.auth.oauth2.IdentityPoolSubjectTokenSupplier
com.google.auth.oauth2.JwtProvider Interface for creating custom JWTs.
com.google.auth.oauth2.OAuth2Credentials.CredentialsChangedListener Listener for changes to credentials.

This is called when token content changes, such as when the access token is refreshed. This is typically used by code caching the access token.

com.google.auth.oauth2.OAuth2CredentialsWithRefresh.OAuth2RefreshHandler Interface for the refresh handler.
com.google.auth.oauth2.PKCEProvider
com.google.auth.oauth2.PropertyProvider Interface for a system property provider.

For internal use only.

com.google.auth.oauth2.QuotaProjectIdProvider Interface for GoogleCredentials that return a quota project ID.
com.google.auth.oauth2.TokenStore Interface for long-term storage of tokens.

Enums

Enum Description
com.google.auth.oauth2.ComputeEngineCredentials.BindingEnforcement Experimental Feature.

BindingEnforcement specifies how binding info in tokens will be enforced.

com.google.auth.oauth2.ComputeEngineCredentials.GoogleAuthTransport Experimental Feature.

GoogleAuthTransport specifies how to authenticate to Google APIs.

com.google.auth.oauth2.ExternalAccountCredentials.SubjectTokenTypes Enum specifying values for the subjectTokenType field in ExternalAccountCredentials.
com.google.auth.oauth2.IdTokenProvider.Option Enum of various credential-specific options to apply to the token.

ComputeEngineCredentials

com.google.auth.oauth2.UserAuthorizer.ClientAuthenticationType Represents the client authentication types as specified in RFC 7591.

For more details, see RFC 7591.

Exceptions

Exception Description
com.google.auth.oauth2.TokenVerifier.VerificationException Custom exception for wrapping all verification errors.