Lines Matching +full:x +full:- +full:access +full:- +full:token
8 - [API Documentation](https://googleapis.dev/java/google-auth-library/latest)
12 - [*google-auth-library-credentials*](#google-auth-library-credentials): contains base classes and
14 - [*google-auth-library-appengine*](#google-auth-library-appengine): contains App Engine
16 - [*google-auth-library-oauth2-http*](#google-auth-library-oauth2-http): contains a wide variety of
24 * [google-auth-library-oauth2-http](#google-auth-library-oauth2-http)
25 * [Application Default Credentials](#application-default-credentials)
27 * [Workload Identity Federation](#workload-identity-federation)
28 * [Accessing resources from AWS](#accessing-resources-from-aws)
29 * [Accessing resources from Azure](#access-resources-from-microsoft-azure)
30 …cessing resources from an OIDC identity provider](#accessing-resources-from-an-oidc-identity-provi…
31 …* [Accessing resources using Executable-sourced credentials](#using-executable-sourced-credentials…
32 * [Configurable Token Lifetime](#configurable-token-lifetime)
33 * [Workforce Identity Federation](#workforce-identity-federation)
34 …sing an OIDC or SAML 2.0 identity provider](#accessing-resources-using-an-oidc-or-saml-20-identity…
35 … account authorized user workforce credentials](#using-external-account-authorized-user-workforce-…
36 …cessing resources using Executable-sourced credentials](#using-executable-sourced-workforce-creden…
37 * [Downscoping with Credential Access Boundaries](#downscoping-with-credential-access-boundaries)
38 * [Configuring a Proxy](#configuring-a-proxy)
39 * [Using Credentials with google-http-client](#using-credentials-with-google-http-client)
40 * [Verifying JWT Tokens](#verifying-a-signature)
41 * [google-auth-library-credentials](#google-auth-library-credentials)
42 * [google-auth-library-appengine](#google-auth-library-appengine)
43 * [CI Status](#ci-status)
51 `google-auth-library-oauth2-http` with any of `google-auth-library-credentials` and
52 `google-auth-library-appengine`, depending on your application needs):
59 <artifactId>google-auth-library-oauth2-http</artifactId>
70 implementation 'com.google.auth:google-auth-library-oauth2-http:1.19.0'
78 libraryDependencies += "com.google.auth" % "google-auth-library-oauth2-http" % "1.19.0"
82 ## google-auth-library-oauth2-http
87 [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-…
96 Application Default Credentials also support workload identity federation to access
97 Google Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS),
99 identity federation is recommended for non-Google Cloud environments as it avoids the
101 [Workload Identity Federation](#workload-identity-federation).
111 2. Credentials provided by the Google Cloud SDK `gcloud auth application-default login` command
112 3. Google App Engine built-in credentials
113 4. Google Cloud Shell built-in credentials
114 5. Google Compute Engine built-in credentials
115 - Skip this check by setting the environment variable `NO_GCE_CHECK=true`
116 …- Customize the GCE metadata server address by setting the environment variable `GCE_METADATA_HOST…
122 be refreshed before the access token is available.
127 AccessToken token = credentials.getAccessToken();
129 AccessToken token = credentials.refreshAccessToken();
137 the "Service Account Token Creator" IAM role.
147 "impersonated-account@project.iam.gserviceaccount.com", null,
150 Storage storage_service = StorageOptions.newBuilder().setProjectId("project-id")
159 Using workload identity federation, your application can access Google Cloud resources from
163 Traditionally, applications running outside Google Cloud have used service account keys to access
165 This lets the external workload access Google Cloud resources directly, eliminating the maintenance
170 In order to access Google Cloud resources from Amazon Web Services (AWS), the following requirements
172 - A workload identity pool needs to be created.
173 - AWS needs to be added as an identity provider in the workload identity pool (the Google [organiza…
174 - Permission to impersonate a service account needs to be granted to the external identity.
176 Follow the detailed [instructions](https://cloud.google.com/iam/docs/access-resources-aws) on how to
181 configuration file contains non-sensitive metadata to instruct the library on how to
182 retrieve external subject tokens and exchange them for service account access tokens.
189 gcloud iam workload-identity-pools create-cred-config \
191 --service-account $SERVICE_ACCOUNT_EMAIL \
192 --aws \
193 --output-file /path/to/generated/config.json
197 - `$PROJECT_NUMBER`: The Google Cloud project number.
198 - `$POOL_ID`: The workload identity pool ID.
199 - `$AWS_PROVIDER_ID`: The AWS provider ID.
200 - `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.
204 …ring-instance-metadata-service.html), an additional flag `--enable-imdsv2` needs to be added to th…
207 gcloud iam workload-identity-pools create-cred-config \
209 --service-account $SERVICE_ACCOUNT_EMAIL \
210 --aws \
211 --output-file /path/to/generated/config.json \
212 --enable-imdsv2
215 You can now [use the Auth library](#using-external-identities) to call Google Cloud
218 #### Access resources from Microsoft Azure
220 In order to access Google Cloud resources from Microsoft Azure, the following requirements are
222 - A workload identity pool needs to be created.
223 - Azure needs to be added as an identity provider in the workload identity pool (the Google [organi…
224 - The Azure tenant needs to be configured for identity federation.
225 - Permission to impersonate a service account needs to be granted to the external identity.
227 Follow the detailed [instructions](https://cloud.google.com/iam/docs/access-resources-azure) on how
232 configuration file contains non-sensitive metadata to instruct the library on how to
233 retrieve external subject tokens and exchange them for service account access tokens.
240 gcloud iam workload-identity-pools create-cred-config \
242 --service-account $SERVICE_ACCOUNT_EMAIL \
243 --azure \
244 --output-file /path/to/generated/config.json
248 - `$PROJECT_NUMBER`: The Google Cloud project number.
249 - `$POOL_ID`: The workload identity pool ID.
250 - `$AZURE_PROVIDER_ID`: The Azure provider ID.
251 - `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.
255 You can now [use the Auth library](#using-external-identities) to call Google Cloud
260 In order to access Google Cloud resources from an identity provider that supports [OpenID Connect (…
261 - A workload identity pool needs to be created.
262 - An OIDC identity provider needs to be added in the workload identity pool (the Google [organizati…
263 - Permission to impersonate a service account needs to be granted to the external identity.
265 Follow the detailed [instructions](https://cloud.google.com/iam/docs/access-resources-oidc) on how
270 configuration file contains non-sensitive metadata to instruct the library on how to
271 retrieve external subject tokens and exchange them for service account access tokens.
275 (file-sourced credentials) or from a local server (URL-sourced credentials).
277 **File-sourced credentials**
278 For file-sourced credentials, a background process needs to be continuously refreshing the file
279 location with a new OIDC token prior to expiration. For tokens with one hour lifetimes, the token
280 needs to be updated in the file every hour. The token can be stored directly as plain text or in
283 To generate a file-sourced OIDC configuration, run the following command:
286 # Generate an OIDC configuration file for file-sourced credentials.
287 gcloud iam workload-identity-pools create-cred-config \
289 --service-account $SERVICE_ACCOUNT_EMAIL \
290 --credential-source-file $PATH_TO_OIDC_ID_TOKEN \
292 # --credential-source-type "json" \
295 # --credential-source-field-name "id_token" \
296 --output-file /path/to/generated/config.json
300 - `$PROJECT_NUMBER`: The Google Cloud project number.
301 - `$POOL_ID`: The workload identity pool ID.
302 - `$OIDC_PROVIDER_ID`: The OIDC provider ID.
303 - `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.
304 - `$PATH_TO_OIDC_ID_TOKEN`: The file path used to retrieve the OIDC token.
308 **URL-sourced credentials**
309 For URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token.
313 To generate a URL-sourced OIDC workload identity configuration, run the following command:
316 # Generate an OIDC configuration file for URL-sourced credentials.
317 gcloud iam workload-identity-pools create-cred-config \
319 --service-account $SERVICE_ACCOUNT_EMAIL \
320 --credential-source-url $URL_TO_GET_OIDC_TOKEN \
321 --credential-source-headers $HEADER_KEY=$HEADER_VALUE \
323 # --credential-source-type "json" \
326 # --credential-source-field-name "id_token" \
327 --output-file /path/to/generated/config.json
331 - `$PROJECT_NUMBER`: The Google Cloud project number.
332 - `$POOL_ID`: The workload identity pool ID.
333 - `$OIDC_PROVIDER_ID`: The OIDC provider ID.
334 - `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.
335 - `$URL_TO_GET_OIDC_TOKEN`: The URL of the local server endpoint to call to retrieve the OIDC token.
336 - `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET
337 request to `$URL_TO_GET_OIDC_TOKEN`, e.g. `Metadata-Flavor=Google`.
339 You can now [use the Auth library](#using-external-identities) to call Google Cloud
342 #### Using Executable-sourced credentials with OIDC and SAML
344 **Executable-sourced credentials**
345 For executable-sourced credentials, a local executable is used to retrieve the 3rd party token.
346 The executable must handle providing a valid, unexpired OIDC ID token or SAML assertion in JSON for…
349 To use executable-sourced credentials, the `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES`
352 To generate an executable-sourced workload identity configuration, run the following command:
355 # Generate a configuration file for executable-sourced credentials.
356 gcloud iam workload-identity-pools create-cred-config \
358 --service-account=$SERVICE_ACCOUNT_EMAIL \
359 --subject-token-type=$SUBJECT_TOKEN_TYPE \
361 # e.g. --executable-command="/path/to/command --foo=bar"
362 --executable-command=$EXECUTABLE_COMMAND \
364 # --executable-timeout-millis=$EXECUTABLE_TIMEOUT \
367 # --executable-output-file=$EXECUTABLE_OUTPUT_FILE \
368 --output-file /path/to/generated/config.json
371 - `$PROJECT_NUMBER`: The Google Cloud project number.
372 - `$POOL_ID`: The workload identity pool ID.
373 - `$PROVIDER_ID`: The OIDC or SAML provider ID.
374 - `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.
375 - `$SUBJECT_TOKEN_TYPE`: The subject token type.
376 - `$EXECUTABLE_COMMAND`: The full command to run, including arguments. Must be an absolute path to …
378 The `--executable-timeout-millis` flag is optional. This is the duration for which
383 The `--executable-output-file` flag is optional. If provided, the file path must
389 handle writing to this file - the auth libraries will only attempt to read from
393 To retrieve the 3rd party token, the library will call the executable
402 "token_type": "urn:ietf:params:oauth:token-type:id_token",
413 "token_type": "urn:ietf:params:oauth:token-type:saml2",
435 …* `success`: When true, the response must contain the 3rd party token and token type. The response…
438 non-zero value.
439 * `token_type`: The 3rd party subject token type. Must be *urn:ietf:params:oauth:token-type:jwt*,
440 *urn:ietf:params:oauth:token-type:id_token*, or *urn:ietf:params:oauth:token-type:saml2*.
441 * `id_token`: The 3rd party OIDC token.
443 * `expiration_time`: The 3rd party subject token expiration time in seconds (unix epoch time).
455 * `GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE`: The expected subject token type. Always present.
459 These environment variables can be used by the executable to avoid hard-coding these values.
463 …* Access to the script should be restricted as it will be displaying credentials to stdout. This e…
464 …* The configuration file should not be modifiable. Write access should be restricted to avoid proc…
466 Given the complexity of using executable-sourced credentials, it is recommended to use
467 the existing supported mechanisms (file-sourced/URL-sourced) for providing 3rd party
470 You can now [use the Auth library](#using-external-identities) to call Google Cloud
473 #### Configurable Token Lifetime
474 …ation, you can provide an optional argument to configure the service account access token lifetime.
476 …iguration with configurable token lifetime, run the following command (this example uses an AWS co…
478 # Generate an AWS configuration file with configurable token lifetime.
479 gcloud iam workload-identity-pools create-cred-config \
481 --service-account $SERVICE_ACCOUNT_EMAIL \
482 --aws \
483 --output-file /path/to/generated/config.json \
484 --service-account-token-lifetime-seconds $TOKEN_LIFETIME
488 - `$PROJECT_NUMBER`: The Google Cloud project number.
489 - `$POOL_ID`: The workload identity pool ID.
490 - `$AWS_PROVIDER_ID`: The AWS provider ID.
491 - `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.
492 - `$TOKEN_LIFETIME`: The desired lifetime duration of the service account access token in seconds.
494 The `service-account-token-lifetime-seconds` flag is optional. If not provided, this defaults to on…
498 …nitiating the entire token exchange flow every 10 minutes, which will call the 3rd party token pro…
502 [Workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation) le…
504 partners, and contractors—using IAM, so that the users can access Google Cloud services. Workforce …
505 extends Google Cloud's identity capabilities to support syncless, attribute-based single sign-on.
507 With workforce identity federation, your workforce can access Google Cloud resources using an exter…
513 In order to access Google Cloud resources from an identity provider that supports [OpenID Connect (…
515 - A workforce identity pool needs to be created.
516 - An OIDC or SAML 2.0 identity provider needs to be added in the workforce pool.
518 …ailed [instructions](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation) …
522 file needs to be generated. The generated credential configuration file contains non-sensitive meta…
523 library on how to retrieve external subject tokens and exchange them for GCP access tokens.
527 (file-sourced credentials), from a local server (URL-sourced credentials) or by calling an executab…
528 (executable-sourced credentials).
530 **File-sourced credentials**
531 For file-sourced credentials, a background process needs to be continuously refreshing the file
532 location with a new subject token prior to expiration. For tokens with one hour lifetimes, the token
533 needs to be updated in the file every hour. The token can be stored directly as plain text or in
536 To generate a file-sourced OIDC configuration, run the following command:
539 # Generate an OIDC configuration file for file-sourced credentials.
540 gcloud iam workforce-pools create-cred-config \
542 --subject-token-type=urn:ietf:params:oauth:token-type:id_token \
543 --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
544 --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
546 # --credential-source-type "json" \
549 # --credential-source-field-name "id_token" \
550 --output-file=/path/to/generated/config.json
553 - `$WORKFORCE_POOL_ID`: The workforce pool ID.
554 - `$PROVIDER_ID`: The provider ID.
555 - `$PATH_TO_OIDC_ID_TOKEN`: The file path used to retrieve the OIDC token.
556 - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user proj…
558 To generate a file-sourced SAML configuration, run the following command:
561 # Generate a SAML configuration file for file-sourced credentials.
562 gcloud iam workforce-pools create-cred-config \
564 --credential-source-file=$PATH_TO_SAML_ASSERTION \
565 --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \
566 --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
567 --output-file=/path/to/generated/config.json
571 - `$WORKFORCE_POOL_ID`: The workforce pool ID.
572 - `$PROVIDER_ID`: The provider ID.
573 - `$PATH_TO_SAML_ASSERTION`: The file path used to retrieve the base64-encoded SAML assertion.
574 - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user proj…
578 **URL-sourced credentials**
579 For URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token.
583 To generate a URL-sourced OIDC workforce identity configuration, run the following command:
586 # Generate an OIDC configuration file for URL-sourced credentials.
587 gcloud iam workforce-pools create-cred-config \
589 --subject-token-type=urn:ietf:params:oauth:token-type:id_token \
590 --credential-source-url=$URL_TO_RETURN_OIDC_ID_TOKEN \
591 --credential-source-headers $HEADER_KEY=$HEADER_VALUE \
592 --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
593 --output-file=/path/to/generated/config.json
597 - `$WORKFORCE_POOL_ID`: The workforce pool ID.
598 - `$PROVIDER_ID`: The provider ID.
599 - `$URL_TO_RETURN_OIDC_ID_TOKEN`: The URL of the local server endpoint.
600 - `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET re…
601 `$URL_TO_RETURN_OIDC_ID_TOKEN`, e.g. `Metadata-Flavor=Google`.
602 - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user proj…
604 To generate a URL-sourced SAML configuration, run the following command:
607 # Generate a SAML configuration file for URL-sourced credentials.
608 gcloud iam workforce-pools create-cred-config \
610 --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \
611 --credential-source-url=$URL_TO_GET_SAML_ASSERTION \
612 --credential-source-headers $HEADER_KEY=$HEADER_VALUE \
613 --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
614 --output-file=/path/to/generated/config.json
620 - `$WORKFORCE_POOL_ID`: The workforce pool ID.
621 - `$PROVIDER_ID`: The provider ID.
622 - `$URL_TO_GET_SAML_ASSERTION`: The URL of the local server endpoint.
623 - `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET re…
624 `$URL_TO_GET_SAML_ASSERTION`, e.g. `Metadata-Flavor=Google`.
625 - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user proj…
629 …ials](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#browser-based-…
635 gcloud auth application-default login --login-config=$LOGIN_CONFIG
639 - `$LOGIN_CONFIG`: The login config file generated with the cloud console or
640 …[gcloud iam workforce-pools create-login-config](https://cloud.google.com/sdk/gcloud/reference/iam…
644 The auth library will then use the provided refresh token from the configuration to generate and re…
645 an access token to call Google Cloud services.
647 Note that the default lifetime of the refresh token is one hour, after which a new configuration wi…
650 #### Using Executable-sourced workforce credentials with OIDC and SAML
652 **Executable-sourced credentials**
653 For executable-sourced credentials, a local executable is used to retrieve the 3rd party token.
654 The executable must handle providing a valid, unexpired OIDC ID token or SAML assertion in JSON for…
657 To use executable-sourced credentials, the `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES`
660 To generate an executable-sourced workforce identity configuration, run the following command:
663 # Generate a configuration file for executable-sourced credentials.
664 gcloud iam workforce-pools create-cred-config \
666 --subject-token-type=$SUBJECT_TOKEN_TYPE \
668 # e.g. --executable-command="/path/to/command --foo=bar"
669 --executable-command=$EXECUTABLE_COMMAND \
671 # --executable-timeout-millis=$EXECUTABLE_TIMEOUT \
674 # --executable-output-file=$EXECUTABLE_OUTPUT_FILE \
675 --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \
676 --output-file /path/to/generated/config.json
679 - `$WORKFORCE_POOL_ID`: The workforce pool ID.
680 - `$PROVIDER_ID`: The provider ID.
681 - `$SUBJECT_TOKEN_TYPE`: The subject token type.
682 - `$EXECUTABLE_COMMAND`: The full command to run, including arguments. Must be an absolute path to …
683 - `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user proj…
685 The `--executable-timeout-millis` flag is optional. This is the duration for which
690 The `--executable-output-file` flag is optional. If provided, the file path must
696 handle writing to this file - the auth libraries will only attempt to read from
700 To retrieve the 3rd party token, the library will call the executable
704 … the [using executable-sourced credentials with Workload Identity Federation](#using-executable-so…
709 * Access to the script should be restricted as it will be displaying credentials to stdout. This en…
710 * The configuration file should not be modifiable. Write access should be restricted to avoid proce…
712 Given the complexity of using executable-sourced credentials, it is recommended to use
713 the existing supported mechanisms (file-sourced/URL-sourced) for providing 3rd party
716 You can now [use the Auth library](#using-external-identities) to call Google Cloud
735 String projectId = "your-project-id";
763 ### Downscoping with Credential Access Boundaries
765 [Downscoping with Credential Access Boundaries](https://cloud.google.com/iam/docs/downscoping-short…
766 enables the ability to downscope, or restrict, the Identity and Access Management (IAM) permissions
767 that a short-lived credential can use for Cloud Storage.
769 The `DownscopedCredentials` class can be used to produce a downscoped access token from a
770 `CredentialAccessBoundary` and a source credential. The Credential Access Boundary specifies which
771 resources the newly created credential can access, as well as an upper bound on the permissions that
776 which specifies that the downscoped token will have readonly access to objects starting with
777 "customer-a" in bucket "bucket-123":
780 String availableResource = "//storage.googleapis.com/projects/_/buckets/bucket-123";
782 String expression = "resource.name.startsWith('projects/_/buckets/bucket-123/objects/customer-a')";
797 The common pattern of usage is to have a token broker with elevated access generate these downscoped
798 credentials from higher access source credentials and pass the downscoped short-lived access tokens
799 to a token consumer via some secure authenticated channel for limited access to Google Cloud Storage
802 Using the CredentialAccessBoundary created above in the Token Broker:
806 .createScoped("https://www.googleapis.com/auth/cloud-platform");
815 // Retrieve the downscoped access token.
816 // This will need to be passed to the Token Consumer.
820 A token broker can be set up on a server in a private network. Various workloads
821 (token consumers) in the same network will send authenticated requests to that broker for downscoped
822 tokens to access or modify specific Google Cloud Storage buckets.
825 lived downscoped access tokens which will be passed to the token consumer.
831 .createScoped("https://www.googleapis.com/auth/cloud-platform");
833 // Create an Access Boundary Rule which will restrict the downscoped token to having readonly
834 // access to objects starting with "customer-a" in bucket "bucket-123".
835 String availableResource = "//storage.googleapis.com/projects/_/buckets/bucket-123";
837 String expression = "resource.name.startsWith('projects/_/buckets/bucket-123/objects/customer-a')";
854 // Retrieve the downscoped access token.
855 // This will need to be passed to the Token Consumer.
859 These downscoped access tokens can be used by the Token Consumer via `OAuth2Credentials` or
861 instance to access Google Cloud Storage resources with restricted access.
865 // library to seamlessly handle downscoped token refreshes on expiration.
870 // Add the logic here that retrieves the token from your Token Broker.
875 // Downscoped token retrieved from token broker.
878 // Build the OAuth2CredentialsWithRefresh from the downscoped token and pass a refresh handler
879 // to handle token expiration. Passing the original downscoped token or the expiry here is optional,
880 // as the refresh_handler will generate the downscoped token on demand.
892 // Since we passed the downscoped credential, we will have limited readonly access to objects
893 // starting with "customer-a" in bucket "bucket-123".
897 Note: Only Cloud Storage supports Credential Access Boundaries. Other Google Cloud services do not
906 [`HttpTransportFactory`][http-transport-factory] to [`GoogleCredentials`][google-credentials]:
928 "some-host", 8080, "some-username", "some-password"
961 The above example requires `com.google.http-client:google-http-client-apache-v2`.
963 ## Using Credentials with `google-http-client`
965 Credentials provided by [com.google.auth:google-auth-library-oauth2-http](
966 https://search.maven.org/artifact/com.google.auth/google-auth-library-oauth2-http)
967 can be used with Google's [HTTP-based clients][apiary-clients].
968 We provide a [`HttpCredentialsAdapter`][http-credentials-adapter] which can be used
969 as an [`HttpRequestInitializer`][http-request-initializer], the last argument for
988 To verify a JWT token, use the [`TokenVerifier`][token-verifier] class.
992 To verify a signature, use the default [`TokenVerifier`][token-verifier]:
1002 if (!"expected-value".equals(jsonWebSignature.getPayload().get("additional-claim"))) {
1006 // invalid token
1012 To customize a [`TokenVerifier`][token-verifier], instantiate it via its builder:
1019 .setAudience("audience-to-verify")
1020 .setIssuer("issuer-to-verify")
1025 if (!"expected-value".equals(jsonWebSignature.getPayload().get("additional-claim"))) {
1029 // invalid token
1033 For more options, see the [`TokenVerifier.Builder`][token-verifier-builder] documentation.
1036 ## google-auth-library-credentials
1039 - `Credentials`: base class for an authorized identity. Implementations of this class can be used to
1041 - `RequestMetadataCallback`: interface for the callback that receives the result of the asynchronous
1043 - `ServiceAccountSigner`: interface for a service account signer. Implementations of this class are
1046 ## google-auth-library-appengine
1048 This artifact depends on the App Engine SDK (`appengine-api-1.0-sdk`) and should be used only by
1051 [AppIdentityService][appengine-app-identity-service].
1104 BSD 3-Clause - See [LICENSE](LICENSE) for more information.
1106 [appengine-sdk-versions]: https://search.maven.org/search?q=g:com.google.appengine%20AND%20a:appeng…
1107 [appengine-sdk-install]: https://github.com/googleapis/google-auth-library-java/blob/main/README.md…
1108 [appengine-app-identity-service]: https://cloud.google.com/appengine/docs/java/javadoc/com/google/a…
1109 [apiary-clients]: https://search.maven.org/search?q=g:com.google.apis
1110 [http-credentials-adapter]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/g…
1111 [http-request-initializer]: https://googleapis.dev/java/google-http-client/latest/index.html?com/go…
1112 [token-verifier]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth…
1113 [token-verifier-builder]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/goo…
1114 [http-transport-factory]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/goo…
1115 [google-credentials]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/…