google-apis-sts_v1 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3a920e124439536ee81b5a68784019e5fc96fc7e2ff24d0cfee8eaddadb3e7be
|
4
|
+
data.tar.gz: 3ede3bb61ad59cefbc89716cf100a6b3a21afb9a540023df6b77a8e6b4a78b97
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: cfc64901e5ce05654fda2135cd6090314793306caace1cd4e5fd6905a8ac8fdb9cf27e345e48eece45a05a500c685d1c87647f50ac491a2a69e80895ac8a4a4e
|
7
|
+
data.tar.gz: 31fe1167205d212999e8c5f16bbb8e7438d62c1431aee8c9f1b4c988e99b4a72e562a06e8dfbcbaeaeb0916dd13cb5e4399d55ffaacbeb53b8bf684758e964b4
|
data/CHANGELOG.md
CHANGED
@@ -26,6 +26,13 @@ module Google
|
|
26
26
|
class GoogleIdentityStsV1ExchangeTokenRequest
|
27
27
|
include Google::Apis::Core::Hashable
|
28
28
|
|
29
|
+
# The full resource name of the identity provider; for example: `//iam.
|
30
|
+
# googleapis.com/projects//workloadIdentityPools//providers/`. Required when
|
31
|
+
# exchanging an external credential for a Google access token.
|
32
|
+
# Corresponds to the JSON property `audience`
|
33
|
+
# @return [String]
|
34
|
+
attr_accessor :audience
|
35
|
+
|
29
36
|
# Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-
|
30
37
|
# exchange`, which indicates a token exchange.
|
31
38
|
# Corresponds to the JSON property `grantType`
|
@@ -45,17 +52,81 @@ module Google
|
|
45
52
|
# @return [String]
|
46
53
|
attr_accessor :requested_token_type
|
47
54
|
|
48
|
-
#
|
49
|
-
#
|
50
|
-
#
|
51
|
-
#
|
55
|
+
# The OAuth 2.0 scopes to include on the resulting access token, formatted as a
|
56
|
+
# list of space-delimited, case-sensitive strings. Required when exchanging an
|
57
|
+
# external credential for a Google access token.
|
58
|
+
# Corresponds to the JSON property `scope`
|
59
|
+
# @return [String]
|
60
|
+
attr_accessor :scope
|
61
|
+
|
62
|
+
# Required. The input token. This token is a either an external credential
|
63
|
+
# issued by a workload identity pool provider, or a short-lived access token
|
64
|
+
# issued by Google. If the token is an OIDC JWT, it must use the JWT format
|
65
|
+
# defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `
|
66
|
+
# subject_token_type` must be `urn:ietf:params:oauth:token-type:jwt`. The
|
67
|
+
# following headers are required: - `kid`: The identifier of the signing key
|
68
|
+
# securing the JWT. - `alg`: The cryptographic algorithm securing the JWT. Must
|
69
|
+
# be `RS256`. The following payload fields are required. For more information,
|
70
|
+
# see [RFC 7523, Section 3](https://tools.ietf.org/html/rfc7523#section-3): - `
|
71
|
+
# iss`: The issuer of the token. The issuer must provide a discovery document at
|
72
|
+
# the URL `/.well-known/openid-configuration`, where `` is the value of this
|
73
|
+
# field. The document must be formatted according to section 4.2 of the [OIDC 1.
|
74
|
+
# 0 Discovery specification](https://openid.net/specs/openid-connect-discovery-
|
75
|
+
# 1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds,
|
76
|
+
# since the Unix epoch. Must be in the past. - `exp`: The expiration time, in
|
77
|
+
# seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter
|
78
|
+
# expiration times are more secure. If possible, we recommend setting an
|
79
|
+
# expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. -
|
80
|
+
# `aud`: Configured by the mapper policy. The default value is the service
|
81
|
+
# account's unique ID. Example header: ``` ` "alg": "RS256", "kid": "us-east-11"
|
82
|
+
# ` ``` Example payload: ``` ` "iss": "https://accounts.google.com", "iat":
|
83
|
+
# 1517963104, "exp": 1517966704, "aud": "113475438248934895348", "sub": "
|
84
|
+
# 113475438248934895348", "my_claims": ` "additional_claim": "value" ` ` ``` If `
|
85
|
+
# subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token.
|
86
|
+
# This token contains the same information as a request to the AWS [`
|
87
|
+
# GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIReference/
|
88
|
+
# API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws.
|
89
|
+
# amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request
|
90
|
+
# information. Use Signature Version 4. Format the request as URL-encoded JSON,
|
91
|
+
# and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-type:
|
92
|
+
# aws4_request`. The following parameters are required: - `url`: The URL of the
|
93
|
+
# AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?
|
94
|
+
# Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also
|
95
|
+
# supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP
|
96
|
+
# request headers, which must include: - `Authorization`: The request signature.
|
97
|
+
# - `x-amz-date`: The time you will send the request, formatted as an [ISO8601
|
98
|
+
# Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#
|
99
|
+
# sigv4_elements_date) string. This value is typically set to the current time
|
100
|
+
# and is used to help prevent replay attacks. - `host`: The hostname of the `url`
|
101
|
+
# field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`:
|
102
|
+
# The full, canonical resource name of the workload identity pool provider, with
|
103
|
+
# or without an `https:` prefix. To help ensure data integrity, we recommend
|
104
|
+
# including this header in the `SignedHeaders` field of the signed request. For
|
105
|
+
# example: //iam.googleapis.com/projects//locations//workloadIdentityPools//
|
106
|
+
# providers/ https://iam.googleapis.com/projects//locations//
|
107
|
+
# workloadIdentityPools//providers/ If you are using temporary security
|
108
|
+
# credentials provided by AWS, you must also include the header `x-amz-security-
|
109
|
+
# token`, with the value set to the session token. The following example shows a
|
110
|
+
# `GetCallerIdentity` token: ``` ` "headers": [ `"key": "x-amz-date", "value": "
|
111
|
+
# 20200815T015049Z"`, `"key": "Authorization", "value": "AWS4-HMAC-SHA256+
|
112
|
+
# Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-
|
113
|
+
# resource,+Signature=$signature"`, `"key": "x-goog-cloud-target-resource", "
|
114
|
+
# value": "//iam.googleapis.com/projects//locations//workloadIdentityPools//
|
115
|
+
# providers/"`, `"key": "host", "value": "sts.amazonaws.com"` . ], "method": "
|
116
|
+
# POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-
|
117
|
+
# 06-15" ` ``` You can also use a Google-issued OAuth 2.0 access token with this
|
118
|
+
# field to obtain an access token with new security attributes applied, such as
|
119
|
+
# a Credential Access Boundary. In this case, set `subject_token_type` to `urn:
|
120
|
+
# ietf:params:oauth:token-type:access_token`. If an access token already
|
121
|
+
# contains security attributes, you cannot apply additional security attributes.
|
52
122
|
# Corresponds to the JSON property `subjectToken`
|
53
123
|
# @return [String]
|
54
124
|
attr_accessor :subject_token
|
55
125
|
|
56
126
|
# Required. An identifier that indicates the type of the security token in the `
|
57
|
-
# subject_token` parameter.
|
58
|
-
#
|
127
|
+
# subject_token` parameter. Supported values are `urn:ietf:params:oauth:token-
|
128
|
+
# type:jwt`, `urn:ietf:params:aws:token-type:aws4_request`, and `urn:ietf:params:
|
129
|
+
# oauth:token-type:access_token`.
|
59
130
|
# Corresponds to the JSON property `subjectTokenType`
|
60
131
|
# @return [String]
|
61
132
|
attr_accessor :subject_token_type
|
@@ -66,9 +137,11 @@ module Google
|
|
66
137
|
|
67
138
|
# Update properties of this object
|
68
139
|
def update!(**args)
|
140
|
+
@audience = args[:audience] if args.key?(:audience)
|
69
141
|
@grant_type = args[:grant_type] if args.key?(:grant_type)
|
70
142
|
@options = args[:options] if args.key?(:options)
|
71
143
|
@requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
|
144
|
+
@scope = args[:scope] if args.key?(:scope)
|
72
145
|
@subject_token = args[:subject_token] if args.key?(:subject_token)
|
73
146
|
@subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
|
74
147
|
end
|
@@ -79,15 +152,17 @@ module Google
|
|
79
152
|
include Google::Apis::Core::Hashable
|
80
153
|
|
81
154
|
# An OAuth 2.0 security token, issued by Google, in response to the token
|
82
|
-
# exchange request.
|
155
|
+
# exchange request. Tokens can vary in size, depending in part on the size of
|
156
|
+
# mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the
|
157
|
+
# right to change the token size and the maximum length at any time.
|
83
158
|
# Corresponds to the JSON property `access_token`
|
84
159
|
# @return [String]
|
85
160
|
attr_accessor :access_token
|
86
161
|
|
87
|
-
# The amount of time, in seconds, between the time when the
|
88
|
-
# issued and the time when the
|
162
|
+
# The amount of time, in seconds, between the time when the access token was
|
163
|
+
# issued and the time when the access token will expire. This field is absent
|
89
164
|
# when the `subject_token` in the request is a Google-issued, short-lived access
|
90
|
-
# token. In this case, the
|
165
|
+
# token. In this case, the access token has the same expiration time as the `
|
91
166
|
# subject_token`.
|
92
167
|
# Corresponds to the JSON property `expires_in`
|
93
168
|
# @return [Fixnum]
|
@@ -99,7 +174,7 @@ module Google
|
|
99
174
|
# @return [String]
|
100
175
|
attr_accessor :issued_token_type
|
101
176
|
|
102
|
-
# The type of
|
177
|
+
# The type of access token. Always has the value `Bearer`.
|
103
178
|
# Corresponds to the JSON property `token_type`
|
104
179
|
# @return [String]
|
105
180
|
attr_accessor :token_type
|
@@ -16,13 +16,13 @@ module Google
|
|
16
16
|
module Apis
|
17
17
|
module StsV1
|
18
18
|
# Version of the google-apis-sts_v1 gem
|
19
|
-
GEM_VERSION = "0.
|
19
|
+
GEM_VERSION = "0.2.0"
|
20
20
|
|
21
21
|
# Version of the code generator used to generate this client
|
22
|
-
GENERATOR_VERSION = "0.1.
|
22
|
+
GENERATOR_VERSION = "0.1.2"
|
23
23
|
|
24
24
|
# Revision of the discovery document this client was generated from
|
25
|
-
REVISION = "
|
25
|
+
REVISION = "20210130"
|
26
26
|
end
|
27
27
|
end
|
28
28
|
end
|
@@ -37,9 +37,11 @@ module Google
|
|
37
37
|
class GoogleIdentityStsV1ExchangeTokenRequest
|
38
38
|
# @private
|
39
39
|
class Representation < Google::Apis::Core::JsonRepresentation
|
40
|
+
property :audience, as: 'audience'
|
40
41
|
property :grant_type, as: 'grantType'
|
41
42
|
property :options, as: 'options'
|
42
43
|
property :requested_token_type, as: 'requestedTokenType'
|
44
|
+
property :scope, as: 'scope'
|
43
45
|
property :subject_token, as: 'subjectToken'
|
44
46
|
property :subject_token_type, as: 'subjectTokenType'
|
45
47
|
end
|
@@ -50,7 +50,9 @@ module Google
|
|
50
50
|
@batch_path = 'batch'
|
51
51
|
end
|
52
52
|
|
53
|
-
# Exchanges a credential for a Google OAuth 2.0 access token.
|
53
|
+
# Exchanges a credential for a Google OAuth 2.0 access token. The token asserts
|
54
|
+
# an external identity within a workload identity pool, or it applies a
|
55
|
+
# Credential Access Boundary to a Google access token.
|
54
56
|
# @param [Google::Apis::StsV1::GoogleIdentityStsV1ExchangeTokenRequest] google_identity_sts_v1_exchange_token_request_object
|
55
57
|
# @param [String] fields
|
56
58
|
# Selector specifying which fields to include in a partial response.
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: google-apis-sts_v1
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Google LLC
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-02-08 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: google-apis-core
|
@@ -52,7 +52,7 @@ licenses:
|
|
52
52
|
metadata:
|
53
53
|
bug_tracker_uri: https://github.com/googleapis/google-api-ruby-client/issues
|
54
54
|
changelog_uri: https://github.com/googleapis/google-api-ruby-client/tree/master/generated/google-apis-sts_v1/CHANGELOG.md
|
55
|
-
documentation_uri: https://googleapis.dev/ruby/google-apis-sts_v1/v0.
|
55
|
+
documentation_uri: https://googleapis.dev/ruby/google-apis-sts_v1/v0.2.0
|
56
56
|
source_code_uri: https://github.com/googleapis/google-api-ruby-client/tree/master/generated/google-apis-sts_v1
|
57
57
|
post_install_message:
|
58
58
|
rdoc_options: []
|
@@ -69,7 +69,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
69
69
|
- !ruby/object:Gem::Version
|
70
70
|
version: '0'
|
71
71
|
requirements: []
|
72
|
-
rubygems_version: 3.
|
72
|
+
rubygems_version: 3.2.6
|
73
73
|
signing_key:
|
74
74
|
specification_version: 4
|
75
75
|
summary: Simple REST client for Security Token Service API V1
|