1 /*
2  * Copyright 2022 Google Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 // [START auth_cloud_idtoken_service_account]
18 
19 import com.google.auth.oauth2.IdToken;
20 import com.google.auth.oauth2.IdTokenProvider.Option;
21 import com.google.auth.oauth2.ServiceAccountCredentials;
22 import java.io.FileInputStream;
23 import java.io.IOException;
24 import java.security.GeneralSecurityException;
25 import java.util.Arrays;
26 import java.util.List;
27 import java.util.concurrent.ExecutionException;
28 
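/**
 * Sample that obtains an ID token for a target audience using a service account JSON key file.
 */
public class IdTokenFromServiceAccount {

  /**
   * Runs the sample with placeholder values.
   *
   * @param args unused
   */
  public static void main(String[] args)
      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
    // TODO(Developer): Replace the below variables before running the code.

    // *NOTE*:
    // Using service account keys introduces risk; they are long-lived, and can be used by anyone
    // that obtains the key. Proper rotation and storage reduce this risk but do not eliminate it.
    // For these reasons, you should consider an alternative approach that
    // does not use a service account key. Several alternatives to service account keys
    // are described here:
    // https://cloud.google.com/docs/authentication/external/set-up-adc

    // Path to the service account json credential file.
    // The file holds the service account's private key: keep it out of source control and
    // restrict read access to the account that runs this code.
    String jsonCredentialPath = "path-to-json-credential-file";

    // The url or target audience to obtain the ID token for.
    String targetAudience = "https://example.com";

    getIdTokenFromServiceAccount(jsonCredentialPath, targetAudience);
  }

  /**
   * Loads service account credentials from a JSON key file and requests an ID token for the
   * given audience.
   *
   * @param jsonCredentialPath path to the service account JSON credential file
   * @param targetAudience the url or target audience the ID token is issued for
   * @throws IOException if the credential file cannot be read or the token cannot be obtained
   */
  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String targetAudience)
      throws IOException {

    IdToken idToken;

    // try-with-resources closes the key file handle even when parsing the credentials or
    // requesting the token throws; the original left the stream open.
    try (FileInputStream credentialStream = new FileInputStream(jsonCredentialPath)) {
      // Initialize the Service Account Credentials class with the contents of the json file.
      ServiceAccountCredentials serviceAccountCredentials =
          ServiceAccountCredentials.fromStream(credentialStream);

      // Obtain the id token by providing the target audience.
      // tokenOption: Enum of various credential-specific options to apply to the token.
      // Applicable only for credentials obtained through Compute Engine or Impersonation.
      List<Option> tokenOption = Arrays.asList();
      idToken = serviceAccountCredentials.idTokenWithAudience(targetAudience, tokenOption);

      // The following method can also be used to generate the ID token.
      // IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
      //     .setIdTokenProvider(serviceAccountCredentials)
      //     .setTargetAudience(targetAudience)
      //     .build();
    }

    // The token value is a bearer credential for the target audience. This sample only reports
    // that a token was generated and never prints the value; keep it out of logs in real code.
    String token = idToken.getTokenValue();
    System.out.println("Generated ID token.");
  }
}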
75 // [END auth_cloud_idtoken_service_account]
76