1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
# Copyright 2015 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'date'
require 'google/apis/core/base_service'
require 'google/apis/core/json_representation'
require 'google/apis/core/hashable'
require 'google/apis/errors'
module Google
module Apis
module StsV1beta
# Request message for ExchangeToken.
class GoogleIdentityStsV1betaExchangeTokenRequest
include Google::Apis::Core::Hashable
# The full resource name of the identity provider. For example, `//iam.
# googleapis.com/projects//workloadIdentityPools//providers/`. Required when
# exchanging an external credential for a Google access token.
# Corresponds to the JSON property `audience`
# @return [String]
attr_accessor :audience
# Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-
# exchange`, which indicates a token exchange.
# Corresponds to the JSON property `grantType`
# @return [String]
attr_accessor :grant_type
# A set of features that Security Token Service supports, in addition to the
# standard OAuth 2.0 token exchange, formatted as a serialized JSON object of
# Options.
# Corresponds to the JSON property `options`
# @return [String]
attr_accessor :options
# Required. The type of security token. Must be `urn:ietf:params:oauth:token-
# type:access_token`, which indicates an OAuth 2.0 access token.
# Corresponds to the JSON property `requestedTokenType`
# @return [String]
attr_accessor :requested_token_type
# The OAuth 2.0 scopes to include on the resulting access token, formatted as a
# list of space-delimited, case-sensitive strings. Required when exchanging an
# external credential for a Google access token.
# Corresponds to the JSON property `scope`
# @return [String]
attr_accessor :scope
# Required. The input token. This token is a either an external credential
# issued by a workload identity pool provider, or a short-lived access token
# issued by Google. If the token is an OIDC JWT, it must use the JWT format
# defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `
# subject_token_type` must be `urn:ietf:params:oauth:token-type:jwt`. The
# following headers are required: - `kid`: The identifier of the signing key
# securing the JWT. - `alg`: The cryptographic algorithm securing the JWT. Must
# be `RS256`. The following payload fields are required. For more information,
# see [RFC 7523, Section 3](https://tools.ietf.org/html/rfc7523#section-3): - `
# iss`: The issuer of the token. The issuer must provide a discovery document at
# the URL `/.well-known/openid-configuration`, where `` is the value of this
# field. The document must be formatted according to section 4.2 of the [OIDC 1.
# 0 Discovery specification](https://openid.net/specs/openid-connect-discovery-
# 1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds,
# since the Unix epoch. Must be in the past. - `exp`: The expiration time, in
# seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter
# expiration times are more secure. If possible, we recommend setting an
# expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. -
# `aud`: Configured by the mapper policy. The default value is the service
# account's unique ID. Example header: ``` ` "alg": "RS256", "kid": "us-east-11"
# ` ``` Example payload: ``` ` "iss": "https://accounts.google.com", "iat":
# 1517963104, "exp": 1517966704, "aud": "113475438248934895348", "sub": "
# 113475438248934895348", "my_claims": ` "additional_claim": "value" ` ` ``` If `
# subject_token` is an AWS token, it must be a serialized, [signed](https://docs.
# aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) request to the
# AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/
# APIReference/API_GetCallerIdentity) method. Format the request as URL-encoded
# JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-
# type:aws4_request`. The following parameters are required: - `url`: The URL of
# the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.
# com?Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also
# supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP
# request headers, which must include: - `Authorization`: The request signature.
# - `x-amz-date`: The time you will send the request, formatted as an [ISO8601
# Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#
# sigv4_elements_date) string. This is typically set to the current time and
# used to prevent replay attacks. - `host`: The hostname of the `url` field; for
# example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full,
# canonical resource name of the workload identity pool provider, with or
# without an `https:` prefix. To help ensure data integrity, we recommend
# including this header in the `SignedHeaders` field of the signed request. For
# example: //iam.googleapis.com/projects//locations//workloadIdentityPools//
# providers/ https://iam.googleapis.com/projects//locations//
# workloadIdentityPools//providers/ If you are using temporary security
# credentials provided by AWS, you must also include the header `x-amz-security-
# token`, with the value ``. The following example shows a signed, serialized
# request: ``` ` "headers":[ `"key": "x-amz-date", "value": "20200815T015049Z"`,
# `"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+
# SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$
# signature"`, `"key": "x-goog-cloud-target-resource", "value": "//iam.
# googleapis.com/projects//locations//workloadIdentityPools//providers/"`, `"key"
# : "host", "value": "sts.amazonaws.com"` . ], "method":"POST", "url":"https://
# sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" ` ``` You can
# also use a Google-issued OAuth 2.0 access token with this field to obtain an
# access token with new security attributes applied, such as a Credential Access
# Boundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:
# token-type:access_token`. If an access token already contains security
# attributes, you cannot apply additional security attributes.
# Corresponds to the JSON property `subjectToken`
# @return [String]
attr_accessor :subject_token
# Required. `urn:ietf:params:oauth:token-type:access_token`.
# Corresponds to the JSON property `subjectTokenType`
# @return [String]
attr_accessor :subject_token_type
def initialize(**args)
update!(**args)
end
# Update properties of this object
def update!(**args)
@audience = args[:audience] if args.key?(:audience)
@grant_type = args[:grant_type] if args.key?(:grant_type)
@options = args[:options] if args.key?(:options)
@requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
@scope = args[:scope] if args.key?(:scope)
@subject_token = args[:subject_token] if args.key?(:subject_token)
@subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
end
end
# Response message for ExchangeToken.
class GoogleIdentityStsV1betaExchangeTokenResponse
include Google::Apis::Core::Hashable
# An OAuth 2.0 security token, issued by Google, in response to the token
# exchange request. Tokens can vary in size, depending in part on the size of
# mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the
# right to change the token size and the maximum length at any time.
# Corresponds to the JSON property `access_token`
# @return [String]
attr_accessor :access_token
# The amount of time, in seconds, between the time when the `access_token` was
# issued and the time when the `access_token` will expire. This field is absent
# when the `subject_token` in the request is a Google-issued, short-lived access
# token. In this case, the `access_token` has the same expiration time as the `
# subject_token`.
# Corresponds to the JSON property `expires_in`
# @return [Fixnum]
attr_accessor :expires_in
# The token type. Always matches the value of `requested_token_type` from the
# request.
# Corresponds to the JSON property `issued_token_type`
# @return [String]
attr_accessor :issued_token_type
# The type of `access_token`. Always has the value `Bearer`.
# Corresponds to the JSON property `token_type`
# @return [String]
attr_accessor :token_type
def initialize(**args)
update!(**args)
end
# Update properties of this object
def update!(**args)
@access_token = args[:access_token] if args.key?(:access_token)
@expires_in = args[:expires_in] if args.key?(:expires_in)
@issued_token_type = args[:issued_token_type] if args.key?(:issued_token_type)
@token_type = args[:token_type] if args.key?(:token_type)
end
end
end
end
end
|
