{"id":18533318,"url":"https://github.com/googleapis/google-auth-library-java","last_synced_at":"2025-05-14T07:08:22.496Z","repository":{"id":27205911,"uuid":"30676648","full_name":"googleapis/google-auth-library-java","owner":"googleapis","description":"Open source Auth client library for Java","archived":false,"fork":false,"pushed_at":"2025-05-06T19:15:56.000Z","size":4686,"stargazers_count":422,"open_issues_count":60,"forks_count":235,"subscribers_count":77,"default_branch":"main","last_synced_at":"2025-05-06T20:26:03.805Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://developers.google.com/identity","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/googleapis.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-02-12T00:06:15.000Z","updated_at":"2025-05-06T19:15:37.000Z","dependencies_parsed_at":"2023-01-17T00:01:25.481Z","dependency_job_id":"b02936c0-f143-41ac-b34c-c618143bcb8d","html_url":"https://github.com/googleapis/google-auth-library-java","commit_stats":null,"previous_names":[],"tags_count":91,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleapis%2Fgoogle-auth-library-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleapis%2Fgoogle-auth-library-java/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleapis%2Fgoogle-auth-library-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleapis%2Fgoogle-auth-library-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/googleapis","download_url":"https://codeload.github.com/googleapis/google-auth-library-java/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254092659,"owners_count":22013290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T19:10:59.302Z","updated_at":"2025-05-14T07:08:22.479Z","avatar_url":"https://github.com/googleapis.png","language":"Java","funding_links":[],"categories":["安全"],"sub_categories":[],"readme":"# Google Auth Library\n\nOpen source authentication client library for Java.\n\n[![stable](http://badges.github.io/stability-badges/dist/stable.svg)](http://github.com/badges/stability-badges)\n[![Maven](https://img.shields.io/maven-central/v/com.google.auth/google-auth-library-credentials.svg)](https://img.shields.io/maven-central/v/com.google.auth/google-auth-library-credentials.svg)\n\n-  [API Documentation](https://googleapis.dev/java/google-auth-library/latest)\n\nThis project consists of 4 artifacts:\n\n- [*google-auth-library-credentials*](#google-auth-library-credentials): contains base classes and\ninterfaces for Google credentials\n- [*google-auth-library-appengine*](#google-auth-library-appengine): contains App Engine\ncredentials. This artifact depends on the App Engine SDK.\n- [*google-auth-library-oauth2-http*](#google-auth-library-oauth2-http): contains \na wide variety of credentials and utility methods, including functionality to get \nApplication Default Credentials. Also provides the server-side approach for generating\ndownscoped tokens.\n- [*google-auth-library-cab-token-generator*](#google-auth-library-cab-token-generator):\nprovides the client-side approach for generating downscoped tokens.\n\n\u003e ⚠️ Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for\nauthentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing\nan unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more\ninformation, refer to [documentation](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).\n\n**Table of contents:**\n\n\n* [Quickstart](#quickstart)\n  * [Importing the Auth Library](#importing-the-auth-library)\n    * [Preferred: Libraries-Bom](#java-sdk-libraries-bom)\n    * [Auth-Bom](#google-auth-library-bill-of-materials)\n      * [Maven](#maven)\n      * [Gradle](#gradle)\n      * [Scala](#scala)\n  * [Migrating from GoogleCredential to GoogleCredentials](#migrating-from-googlecredential-to-googlecredentials)\n* [Troubleshooting](#troubleshooting)\n* [google-auth-library-oauth2-http](#google-auth-library-oauth2-http)\n  * [Application Default Credentials](#application-default-credentials)\n  * [ImpersonatedCredentials](#impersonatedcredentials)\n  * [Workload Identity Federation](#workload-identity-federation)\n      * [Accessing resources from AWS](#accessing-resources-from-aws)\n      * [Accessing resources from Azure](#access-resources-from-microsoft-azure)\n      * [Accessing resources from an OIDC identity provider](#accessing-resources-from-an-oidc-identity-provider)\n      * [Accessing resources using Executable-sourced credentials](#using-executable-sourced-credentials-with-oidc-and-saml)\n      * [Accessing resources using a custom supplier for OIDC or SAML](#using-a-custom-supplier-with-oidc-and-saml)\n      * [Accessing resources using a custom supplier with AWS](#using-a-custom-supplier-with-aws)\n      * [Configurable Token Lifetime](#configurable-token-lifetime)\n  * [Workforce Identity Federation](#workforce-identity-federation)\n      * [Accessing resources using an OIDC or SAML 2.0 identity provider](#accessing-resources-using-an-oidc-or-saml-20-identity-provider)\n      * [Accessing resources using external account authorized user workforce credentials](#using-external-account-authorized-user-workforce-credentials)\n      * [Accessing resources using Executable-sourced credentials](#using-executable-sourced-workforce-credentials-with-oidc-and-saml)\n      * [Accessing resources using a custom supplier for OIDC or SAML](#using-a-custom-supplier-for-workforce-credentials-with-oidc-and-saml)\n  * [Downscoping with Credential Access Boundaries](#downscoping-with-credential-access-boundaries)\n  * [Configuring a Proxy](#configuring-a-proxy)\n  * [Using Credentials with google-http-client](#using-credentials-with-google-http-client)\n  * [Verifying JWT Tokens](#verifying-a-signature)\n* [google-auth-library-credentials](#google-auth-library-credentials)\n* [google-auth-library-appengine](#google-auth-library-appengine)\n* [CI Status](#ci-status)\n* [Contributing](#contributing)\n* [License](#license)\n\n\n## Quickstart\n\n### Importing the Auth Library\n\n#### Java SDK Libraries-Bom\nIf you are trying to authenticate to a client library in the Java SDK (i.e. `google-cloud-datastore`),\nyou can import add `libraries-bom` to manage the versions of your dependencies. The BOM will pull in the\nversions of Auth Library compatible with the client library.\n\nFor example, importing with Maven from a pom.xml:\n\n[//]: # ({x-version-update-start:google-auth-library-bom:released})\n```xml\n\u003cdependencyManagement\u003e\n  \u003cdependencies\u003e\n    \u003cdependency\u003e\n      \u003cgroupId\u003ecom.google.cloud\u003c/groupId\u003e\n      \u003cartifactId\u003elibraries-bom\u003c/artifactId\u003e\n      \u003cversion\u003e26.53.0\u003c/version\u003e\n      \u003ctype\u003epom\u003c/type\u003e\n      \u003cscope\u003eimport\u003c/scope\u003e\n    \u003c/dependency\u003e\n  \u003c/dependencies\u003e\n\u003c/dependencyManagement\u003e\n```\n\nIf you don't plan using libraries-bom or the client libraries, see the next section on \n[Google Auth Library Bill of Materials](#google-auth-library-bill-of-materials) to just import the relevant\nAuth modules.\n\n#### Google Auth Library Bill of Materials\nAlternatively, you can use the Google Auth Library Bill of Materials to ensure that the Auth modules\nand relevant transitive dependencies are compatible.\n\n##### Maven\nAdd the following your pom.xml file\n\n[//]: # ({x-version-update-start:google-auth-library-bom:released})\n```xml\n\u003cdependencyManagement\u003e\n  \u003cdependencies\u003e\n    \u003cdependency\u003e\n      \u003cgroupId\u003ecom.google.auth\u003c/groupId\u003e\n      \u003cartifactId\u003egoogle-auth-library-bom\u003c/artifactId\u003e\n      \u003cversion\u003e1.30.1\u003c/version\u003e\n      \u003ctype\u003epom\u003c/type\u003e\n      \u003cscope\u003eimport\u003c/scope\u003e\n    \u003c/dependency\u003e\n  \u003c/dependencies\u003e\n\u003c/dependencyManagement\u003e\n```\n[//]: # ({x-version-update-end})\n\nIn the `\u003cdependency\u003e` section, you can specify any of the Auth modules that are needed.\nFor example, replace `google-auth-library-oauth2-http` below with any of `google-auth-library-credentials`\nand `google-auth-library-appengine`, depending on your application needs):\n\n```xml\n\u003cdependency\u003e\n  \u003cgroupId\u003ecom.google.auth\u003c/groupId\u003e\n  \u003c!-- Let the BOM manage the module and dependency versions --\u003e\n  \u003c!-- Replace with the module(s) that are needed --\u003e\n  \u003cartifactId\u003egoogle-auth-library-oauth2-http\u003c/artifactId\u003e\n\u003c/dependency\u003e\n```\n\n##### Gradle\nAdd the following to your build.gradle file and specify any modules needed.\n\n[//]: # ({x-version-update-start:google-auth-library-bom:released})\n```Groovy\ndependencies {\n    // The BOM will manage the module versions and transitive dependencies\n    implementation platform('com.google.auth:google-auth-library-bom:1.30.1')\n    // Replace with the module(s) that are needed\n    implementation 'com.google.auth:google-auth-library-oauth2-http'\n}\n\n```\n[//]: # ({x-version-update-end})\n\n##### Scala\nUnfortunately, SBT [cannot](https://github.com/sbt/sbt/issues/4531) manage dependencies via Maven Bills of Materials. You will have to\nadd the submodule directly. Make sure the module versions are aligned in case you are using more than\none authentication module in order to prevent transitive dependency conflicts.\n\nIf you are using SBT, add this to your dependencies\n\n[//]: # ({x-version-update-start:google-auth-library-oauth2-http:released})\n```Scala\n// Replace this with the implementation module that suits your needs\nlibraryDependencies += \"com.google.auth\" % \"google-auth-library-oauth2-http\" % \"1.30.1\"\n```\n[//]: # ({x-version-update-end})\n\n### Migrating from GoogleCredential to GoogleCredentials\n[GoogleCredential](https://cloud.google.com/java/docs/reference/google-api-client/latest/com.google.api.client.googleapis.auth.oauth2.GoogleCredential)\nfrom google-api-java-client is deprecated and GoogleCredentials is the recommended replacement.\n\nWe recommend users to instantiate GoogleCredentials with [Application Default Credentials (ADC)](#application-default-credentials):\n`GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();`\n\nFor [Google Api Client Library](https://cloud.google.com/apis/docs/client-libraries-explained#google-api-client-libraries) users, please refer to this\n[guide](https://developers.google.com/api-client-library/java/google-api-java-client/requests) for a example to instantiate a library with GoogleCredentials.\n\nFor [Cloud Client Libraries](https://cloud.google.com/apis/docs/client-libraries-explained#cloud-client-libraries), the library will follow ADC to create a \ndefault GoogleCredential. Users do not need to manually create any Credentials or pass it into the library.\n\n### Troubleshooting\nThis library provides logging for debugging purposes. Please refer to [this guide](https://cloud.google.com/java/docs/bom#client_library_debug_logging) to enable debug logging feature.\n\n## google-auth-library-oauth2-http\n\n### Application Default Credentials\n\nThis library provides an implementation of\n[Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials)\nfor Java. Application Default Credentials provide a simple way to get authorization\ncredentials for use in calling Google APIs.\n\nThey are best suited for cases when the call needs to have the same identity and \nauthorization level for the application independent of the user. This is the recommended \napproach to authorize calls to Cloud APIs, particularly when you're building an application \nthat uses Google Cloud Platform.\n\nApplication Default Credentials also support workload identity federation to access \nGoogle Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS), \nMicrosoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload \nidentity federation is recommended for non-Google Cloud environments as it avoids the \nneed to download, manage and store service account private keys locally, see: \n[Workload Identity Federation](#workload-identity-federation).\n\n#### Getting Application Default Credentials\n\nTo get Application Default Credentials use `GoogleCredentials.getApplicationDefault()` or\n`GoogleCredentials.getApplicationDefault(HttpTransportFactory)`. These methods return the\nApplication Default Credentials which are used to identify and authorize the whole application. The\nfollowing are searched (in order) to find the Application Default Credentials:\n\n1. Credentials file pointed to by the `GOOGLE_APPLICATION_CREDENTIALS` environment variable\n2. Credentials provided by the Google Cloud SDK `gcloud auth application-default login` command\n3. Google App Engine built-in credentials\n4. Google Cloud Shell built-in credentials\n5. Google Compute Engine built-in credentials\n   - Skip this check by setting the environment variable `NO_GCE_CHECK=true`\n   - Customize the GCE metadata server address by setting the environment variable `GCE_METADATA_HOST=\u003chostname\u003e`\n\n#### Explicit Credential Loading\n\nTo get Credentials from a Service Account JSON key use `GoogleCredentials.fromStream(InputStream)`\nor `GoogleCredentials.fromStream(InputStream, HttpTransportFactory)`. Note that the credentials must\nbe refreshed before the access token is available.\n\n```java\nGoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream(\"/path/to/credentials.json\"));\ncredentials.refreshIfExpired();\nAccessToken token = credentials.getAccessToken();\n// OR\nAccessToken token = credentials.refreshAccessToken();\n```\n\n### ImpersonatedCredentials\n\nAllows a credentials issued to a user or service account to\nimpersonate another.  The source project using ImpersonatedCredentials must enable the\n\"IAMCredentials\" API.  Also, the target service account must grant the orginating principal\nthe \"Service Account Token Creator\" IAM role.\n\n```java\nString credPath = \"/path/to/svc_account.json\";\nServiceAccountCredentials sourceCredentials = ServiceAccountCredentials\n     .fromStream(new FileInputStream(credPath));\nsourceCredentials = (ServiceAccountCredentials) sourceCredentials\n    .createScoped(Arrays.asList(\"https://www.googleapis.com/auth/iam\"));\n\nImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(sourceCredentials,\n    \"impersonated-account@project.iam.gserviceaccount.com\", null,\n    Arrays.asList(\"https://www.googleapis.com/auth/devstorage.read_only\"), 300);\n\nStorage storage_service = StorageOptions.newBuilder().setProjectId(\"project-id\")\n    .setCredentials(targetCredentials).build().getService();\n\nfor (Bucket b : storage_service.list().iterateAll())\n    System.out.println(b); \n```\n\n### Workload Identity Federation\n\nUsing workload identity federation, your application can access Google Cloud resources from\nAmazon Web Services (AWS), Microsoft Azure, or any identity provider that supports OpenID Connect\n(OIDC).\n\nTraditionally, applications running outside Google Cloud have used service account keys to access\nGoogle Cloud resources. Using identity federation, your workload can impersonate a service account.\nThis lets the external workload access Google Cloud resources directly, eliminating the maintenance\nand security burden associated with service account keys.\n\n#### Accessing resources from AWS\n\nIn order to access Google Cloud resources from Amazon Web Services (AWS), the following requirements\nare needed:\n- A workload identity pool needs to be created.\n- AWS needs to be added as an identity provider in the workload identity pool (the Google [organization policy](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#restrict) needs to allow federation from AWS).\n- Permission to impersonate a service account needs to be granted to the external identity.\n\nFollow the detailed [instructions](https://cloud.google.com/iam/docs/access-resources-aws) on how to\nconfigure workload identity federation from AWS.\n\nAfter configuring the AWS provider to impersonate a service account, a credential configuration file\nneeds to be generated. Unlike service account credential files, the generated credential\nconfiguration file contains non-sensitive metadata to instruct the library on how to\nretrieve external subject tokens and exchange them for service account access tokens.\nThe configuration file can be generated by using the [gcloud CLI](https://cloud.google.com/sdk/).\n\nTo generate the AWS workload identity configuration, run the following command:\n\n```bash\n# Generate an AWS configuration file.\ngcloud iam workload-identity-pools create-cred-config \\\n    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \\\n    --service-account $SERVICE_ACCOUNT_EMAIL \\\n    --aws \\\n    --output-file /path/to/generated/config.json\n```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$POOL_ID`: The workload identity pool ID.\n- `$AWS_PROVIDER_ID`: The AWS provider ID.\n- `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.\n\nThis generates the configuration file in the specified output file.\n\nIf you are using [AWS IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), an additional flag `--enable-imdsv2` needs to be added to the `gcloud iam workload-identity-pools create-cred-config` command:\n\n```bash\ngcloud iam workload-identity-pools create-cred-config \\\n    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \\\n    --service-account $SERVICE_ACCOUNT_EMAIL \\\n    --aws \\\n    --output-file /path/to/generated/config.json \\\n    --enable-imdsv2\n```\n\nYou can now [use the Auth library](#using-external-identities) to call Google Cloud\nresources from AWS.\n\n#### Access resources from Microsoft Azure\n\nIn order to access Google Cloud resources from Microsoft Azure, the following requirements are\nneeded:\n- A workload identity pool needs to be created.\n- Azure needs to be added as an identity provider in the workload identity pool (the Google [organization policy](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#restrict) needs to allow federation from Azure).\n- The Azure tenant needs to be configured for identity federation.\n- Permission to impersonate a service account needs to be granted to the external identity.\n\nFollow the detailed [instructions](https://cloud.google.com/iam/docs/access-resources-azure) on how\nto configure workload identity federation from Microsoft Azure.\n\nAfter configuring the Azure provider to impersonate a service account, a credential configuration\nfile needs to be generated. Unlike service account credential files, the generated credential\nconfiguration file contains non-sensitive metadata to instruct the library on how to\nretrieve external subject tokens and exchange them for service account access tokens.\nThe configuration file can be generated by using the [gcloud CLI](https://cloud.google.com/sdk/).\n\nTo generate the Azure workload identity configuration, run the following command:\n\n```bash\n# Generate an Azure configuration file.\ngcloud iam workload-identity-pools create-cred-config \\\n    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AZURE_PROVIDER_ID \\\n    --service-account $SERVICE_ACCOUNT_EMAIL \\\n    --azure \\\n    --output-file /path/to/generated/config.json\n```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$POOL_ID`: The workload identity pool ID.\n- `$AZURE_PROVIDER_ID`: The Azure provider ID.\n- `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.\n\nThis generates the configuration file in the specified output file.\n\nYou can now [use the Auth library](#using-external-identities) to call Google Cloud\nresources from Azure.\n\n#### Accessing resources from an OIDC identity provider\n\nIn order to access Google Cloud resources from an identity provider that supports [OpenID Connect (OIDC)](https://openid.net/connect/), the following requirements are needed:\n- A workload identity pool needs to be created.\n- An OIDC identity provider needs to be added in the workload identity pool (the Google [organization policy](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#restrict) needs to allow federation from the identity provider).\n- Permission to impersonate a service account needs to be granted to the external identity.\n\nFollow the detailed [instructions](https://cloud.google.com/iam/docs/access-resources-oidc) on how\nto configure workload identity federation from an OIDC identity provider.\n\nAfter configuring the OIDC provider to impersonate a service account, a credential configuration\nfile needs to be generated. Unlike service account credential files, the generated credential\nconfiguration file contains non-sensitive metadata to instruct the library on how to\nretrieve external subject tokens and exchange them for service account access tokens.\nThe configuration file can be generated by using the [gcloud CLI](https://cloud.google.com/sdk/).\n\nFor OIDC providers, the Auth library can retrieve OIDC tokens either from a local file location\n(file-sourced credentials) or from a local server (URL-sourced credentials).\n\n**File-sourced credentials**\nFor file-sourced credentials, a background process needs to be continuously refreshing the file\nlocation with a new OIDC token prior to expiration. For tokens with one hour lifetimes, the token\nneeds to be updated in the file every hour. The token can be stored directly as plain text or in\nJSON format.\n\nTo generate a file-sourced OIDC configuration, run the following command:\n\n```bash\n# Generate an OIDC configuration file for file-sourced credentials.\ngcloud iam workload-identity-pools create-cred-config \\\n    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$OIDC_PROVIDER_ID \\\n    --service-account $SERVICE_ACCOUNT_EMAIL \\\n    --credential-source-file $PATH_TO_OIDC_ID_TOKEN \\\n    # Optional arguments for file types. Default is \"text\":\n    # --credential-source-type \"json\" \\\n    # Optional argument for the field that contains the OIDC credential.\n    # This is required for json.\n    # --credential-source-field-name \"id_token\" \\\n    --output-file /path/to/generated/config.json\n```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$POOL_ID`: The workload identity pool ID.\n- `$OIDC_PROVIDER_ID`: The OIDC provider ID.\n- `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.\n- `$PATH_TO_OIDC_ID_TOKEN`: The file path used to retrieve the OIDC token.\n\nThis generates the configuration file in the specified output file.\n\n**URL-sourced credentials**\nFor URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token.\nThe response can be in plain text or JSON. Additional required request headers can also be\nspecified.\n\nTo generate a URL-sourced OIDC workload identity configuration, run the following command:\n\n```bash\n# Generate an OIDC configuration file for URL-sourced credentials.\ngcloud iam workload-identity-pools create-cred-config \\\n    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$OIDC_PROVIDER_ID \\\n    --service-account $SERVICE_ACCOUNT_EMAIL \\\n    --credential-source-url $URL_TO_GET_OIDC_TOKEN \\\n    --credential-source-headers $HEADER_KEY=$HEADER_VALUE \\\n    # Optional arguments for file types. Default is \"text\":\n    # --credential-source-type \"json\" \\\n    # Optional argument for the field that contains the OIDC credential.\n    # This is required for json.\n    # --credential-source-field-name \"id_token\" \\\n    --output-file /path/to/generated/config.json\n```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$POOL_ID`: The workload identity pool ID.\n- `$OIDC_PROVIDER_ID`: The OIDC provider ID.\n- `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.\n- `$URL_TO_GET_OIDC_TOKEN`: The URL of the local server endpoint to call to retrieve the OIDC token.\n- `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET\nrequest to `$URL_TO_GET_OIDC_TOKEN`, e.g. `Metadata-Flavor=Google`.\n\nYou can now [use the Auth library](#using-external-identities) to call Google Cloud\nresources from an OIDC provider.\n\n#### Using Executable-sourced credentials with OIDC and SAML\n\n**Executable-sourced credentials**\nFor executable-sourced credentials, a local executable is used to retrieve the 3rd party token. \nThe executable must handle providing a valid, unexpired OIDC ID token or SAML assertion in JSON format\nto stdout.\n\nTo use executable-sourced credentials, the `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES`\nenvironment variable must be set to `1`.\n\nTo generate an executable-sourced workload identity configuration, run the following command:\n\n```bash\n# Generate a configuration file for executable-sourced credentials.\ngcloud iam workload-identity-pools create-cred-config \\\n    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID \\\n    --service-account=$SERVICE_ACCOUNT_EMAIL \\\n    --subject-token-type=$SUBJECT_TOKEN_TYPE \\\n    # The absolute path for the program, including arguments.\n    # e.g. --executable-command=\"/path/to/command --foo=bar\"\n    --executable-command=$EXECUTABLE_COMMAND \\\n    # Optional argument for the executable timeout. Defaults to 30s.\n    # --executable-timeout-millis=$EXECUTABLE_TIMEOUT \\\n    # Optional argument for the absolute path to the executable output file.\n    # See below on how this argument impacts the library behaviour.\n    # --executable-output-file=$EXECUTABLE_OUTPUT_FILE \\\n    --output-file /path/to/generated/config.json\n```\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$POOL_ID`: The workload identity pool ID.\n- `$PROVIDER_ID`: The OIDC or SAML provider ID.\n- `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.\n- `$SUBJECT_TOKEN_TYPE`: The subject token type.\n- `$EXECUTABLE_COMMAND`: The full command to run, including arguments. Must be an absolute path to the program. \n\nThe `--executable-timeout-millis` flag is optional. This is the duration for which\nthe auth library will wait for the executable to finish, in milliseconds. \nDefaults to 30 seconds when not provided. The maximum allowed value is 2 minutes.\nThe minimum is 5 seconds.\n\nThe `--executable-output-file` flag is optional. If provided, the file path must\npoint to the 3PI credential response generated by the executable. This is useful\nfor caching the credentials. By specifying this path, the Auth libraries will first\ncheck for its existence before running the executable. By caching the executable JSON\nresponse to this file, it improves performance as it avoids the need to run the executable\nuntil the cached credentials in the output file are expired. The executable must\nhandle writing to this file - the auth libraries will only attempt to read from \nthis location. The format of contents in the file should match the JSON format \nexpected by the executable shown below.\n\nTo retrieve the 3rd party token, the library will call the executable \nusing the command specified. The executable's output must adhere to the response format \nspecified below. It must output the response to stdout.\n\nA sample successful executable OIDC response:\n```json\n{\n  \"version\": 1,\n  \"success\": true,\n  \"token_type\": \"urn:ietf:params:oauth:token-type:id_token\",\n  \"id_token\": \"HEADER.PAYLOAD.SIGNATURE\",\n  \"expiration_time\": 1620499962\n}\n```\n\nA sample successful executable SAML response:\n```json\n{\n  \"version\": 1,\n  \"success\": true,\n  \"token_type\": \"urn:ietf:params:oauth:token-type:saml2\",\n  \"saml_response\": \"...\",\n  \"expiration_time\": 1620499962\n}\n```\nA sample executable error response:\n```json\n{\n  \"version\": 1,\n  \"success\": false,\n  \"code\": \"401\",\n  \"message\": \"Caller not authorized.\"\n}\n```\nThese are all required fields for an error response. The code and message\nfields will be used by the library as part of the thrown exception.\n\nFor successful responses, the `expiration_time` field is only required\nwhen an output file is specified in the credential configuration. \n\nResponse format fields summary:\n  * `version`: The version of the JSON output. Currently only version 1 is supported.\n  * `success`: When true, the response must contain the 3rd party token and token type. The response must also contain\n    the expiration_time field if an output file was specified in the credential configuration. The executable must also \n    exit with exit code 0. When false, the response must contain the error code and message fields and exit with a\n    non-zero value.\n  * `token_type`: The 3rd party subject token type. Must be *urn:ietf:params:oauth:token-type:jwt*, \n     *urn:ietf:params:oauth:token-type:id_token*, or *urn:ietf:params:oauth:token-type:saml2*.\n  * `id_token`: The 3rd party OIDC token.\n  * `saml_response`: The 3rd party SAML response.\n  * `expiration_time`: The 3rd party subject token expiration time in seconds (unix epoch time).\n  * `code`: The error code string.\n  * `message`: The error message.\n\nAll response types must include both the `version` and `success` fields.\n * Successful responses must include the `token_type` and one of\n   `id_token` or `saml_response`. The `expiration_time` field must also be present if an output file was specified in\n    the credential configuration. \n * Error responses must include both the `code` and `message` fields.\n\nThe library will populate the following environment variables when the executable is run:\n  * `GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE`: The audience field from the credential configuration. Always present.\n  * `GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE`: This expected subject token type. Always present.\n  * `GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL`: The service account email. Only present when service account impersonation is used.\n  * `GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE`: The output file location from the credential configuration. Only present when specified in the credential configuration. \n\nThese environment variables can be used by the executable to avoid hard-coding these values.\n\n##### Security considerations\nThe following security practices are highly recommended:  \n  * Access to the script should be restricted as it will be displaying credentials to stdout. This ensures that rogue processes do not gain access to the script.\n  * The configuration file should not be modifiable. Write access should be restricted to avoid processes modifying the executable command portion.\n\nGiven the complexity of using executable-sourced credentials, it is recommended to use\nthe existing supported mechanisms (file-sourced/URL-sourced) for providing 3rd party\ncredentials unless they do not meet your specific requirements.\n\nYou can now [use the Auth library](#using-external-identities) to call Google Cloud\nresources from an OIDC or SAML provider.\n\n#### Using a custom supplier with OIDC and SAML\nA custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials\nto supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid,\nunexpired subject token when called by the GCP credential.\n\nIdentityPoolCredentials do not cache the returned token, so caching logic should be\nimplemented in the token supplier to prevent multiple requests for the same subject token.\n\n```java\nimport java.io.IOException;\n\npublic class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier {\n\n  @Override\n  public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {\n    // Any call to the supplier will pass a context object with the requested\n    // audience and subject token type.\n    string audience = context.getAudience();\n    string tokenType = context.getSubjectTokenType();\n\n    try {\n      // Return a valid, unexpired token for the requested audience and token type.\n      // Note that IdentityPoolCredentials do not cache the subject token so\n      // any caching logic needs to be implemented in the token supplier.\n      return retrieveToken(audience, tokenType);\n    } catch (Exception e) {\n      // If token is unavailable, throw IOException.\n      throw new IOException(e);\n    }\n  }\n\n  private String retrieveToken(string tokenType, string audience) {\n    // Retrieve a subject token of the requested type for the requested audience.\n  }\n}\n```\n```java\nCustomTokenSupplier tokenSupplier = new CustomTokenSupplier();\nIdentityPoolCredentials identityPoolCredentials =\n    IdentityPoolCredentials.newBuilder()\n        .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier.\n        .setAudience(...) // Sets the GCP audience.\n        .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type.\n        .build();\n```\nWhere the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is:\n```//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$WORKLOAD_POOL_ID`: The workload identity pool ID.\n- `$PROVIDER_ID`: The provider ID.\n\n\nThe values for audience, service account impersonation URL, and any other builder field can also be found by\ngenerating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).\n\n#### Using a custom supplier with AWS\nA custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token.\nThe supplier must return valid, unexpired AWS security credentials when called by the GCP credential.\n\nAwsCredentials do not cache the returned AWS security credentials or region, so caching logic should be\nimplemented in the supplier to prevent multiple requests for the same resources.\n\n```java\nclass CustomAwsSupplier implements AwsSecurityCredentialsSupplier {\n  @Override\n  AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException {\n    // Any call to the supplier will pass a context object with the requested\n    // audience.\n    string audience = context.getAudience();\n\n    try {\n      // Return valid, unexpired AWS security credentials for the requested audience.\n      // Note that AwsCredentials do not cache the AWS security credentials so\n      // any caching logic needs to be implemented in the credentials' supplier.\n      return retrieveAwsSecurityCredentials(audience);\n    } catch (Exception e) {\n      // If credentials are unavailable, throw IOException.\n      throw new IOException(e);\n    }\n  }\n\n  @Override\n  String getRegion(ExternalAccountSupplierContext context) throws IOException {\n    try {\n      // Return a valid AWS region. i.e. \"us-east-2\".\n      // Note that AwsCredentials do not cache the region so\n      // any caching logic needs to be implemented in the credentials' supplier.\n      return retrieveAwsRegion();\n    } catch (Exception e) {\n      // If region is unavailable, throw IOException.\n      throw new IOException(e);\n    }\n  }\n\n  private AwsSecurityCredentials retrieveAwsSecurityCredentials(string audience) {\n    // Retrieve Aws security credentials for the requested audience.\n  }\n\n  private String retrieveAwsRegion() {\n    // Retrieve current AWS region.\n  }\n}\n```\n```java\nCustomAwsSupplier awsSupplier = new CustomAwsSupplier();\nAwsCredentials credentials = AwsCredentials.newBuilder()\n    .setSubjectTokenType(SubjectTokenTypes.AWS4) // Sets the subject token type.\n    .setAudience(...) // Sets the GCP audience.\n    .setAwsSecurityCredentialsSupplier(supplier) // Sets the supplier.\n    .build();\n```\n\nWhere the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is:\n```//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$WORKLOAD_POOL_ID`: The workload identity pool ID.\n- `$PROVIDER_ID`: The provider ID.\n\nThe values for audience, service account impersonation URL, and any other builder field can also be found by\ngenerating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).\n\n#### Configurable Token Lifetime\nWhen creating a credential configuration with workload identity federation using service account impersonation, you can provide an optional argument to configure the service account access token lifetime.\n\nTo generate the configuration with configurable token lifetime, run the following command (this example uses an AWS configuration, but the token lifetime can be configured for all workload identity federation providers):\n  ```bash\n  # Generate an AWS configuration file with configurable token lifetime.\n  gcloud iam workload-identity-pools create-cred-config \\\n      projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \\\n      --service-account $SERVICE_ACCOUNT_EMAIL \\\n      --aws \\\n      --output-file /path/to/generated/config.json \\\n      --service-account-token-lifetime-seconds $TOKEN_LIFETIME\n  ```\n\nWhere the following variables need to be substituted:\n- `$PROJECT_NUMBER`: The Google Cloud project number.\n- `$POOL_ID`: The workload identity pool ID.\n- `$AWS_PROVIDER_ID`: The AWS provider ID.\n- `$SERVICE_ACCOUNT_EMAIL`: The email of the service account to impersonate.\n- `$TOKEN_LIFETIME`: The desired lifetime duration of the service account access token in seconds.\n\nThe `service-account-token-lifetime-seconds` flag is optional. If not provided, this defaults to one hour.\nThe minimum allowed value is 600 (10 minutes) and the maximum allowed value is 43200 (12 hours).\nIf a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the `constraints/iam.allowServiceAccountCredentialLifetimeExtension` constraint.\n\nNote that configuring a short lifetime (e.g. 10 minutes) will result in the library initiating the entire token exchange flow every 10 minutes, which will call the 3rd party token provider even if the 3rd party token is not expired.\n\n###  Workforce Identity Federation\n\n[Workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation) lets you use an\nexternal identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, \npartners, and contractors—using IAM, so that the users can access Google Cloud services. Workforce identity federation\nextends Google Cloud's identity capabilities to support syncless, attribute-based single sign on.\n\nWith workforce identity federation, your workforce can access Google Cloud resources using an external\nidentity provider (IdP) that supports OpenID Connect (OIDC) or SAML 2.0 such as Azure Active Directory (Azure AD),\nActive Directory Federation Services (AD FS), Okta, and others. \n\n#### Accessing resources using an OIDC or SAML 2.0 identity provider\n\nIn order to access Google Cloud resources from an identity provider that supports [OpenID Connect (OIDC)](https://openid.net/connect/), \nthe following requirements are needed:\n- A workforce identity pool needs to be created.\n- An OIDC or SAML 2.0 identity provider needs to be added in the workforce pool.\n\nFollow the detailed [instructions](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation) on how\nto configure workforce identity federation.\n\nAfter configuring an OIDC or SAML 2.0 provider, a credential configuration\nfile needs to be generated. The generated credential configuration file contains non-sensitive metadata to instruct the\nlibrary on how to retrieve external subject tokens and exchange them for GCP access tokens.\nThe configuration file can be generated by using the [gcloud CLI](https://cloud.google.com/sdk/).\n\nThe Auth library can retrieve external subject tokens from a local file location\n(file-sourced credentials), from a local server (URL-sourced credentials) or by calling an executable \n(executable-sourced credentials).\n\n**File-sourced credentials**\nFor file-sourced credentials, a background process needs to be continuously refreshing the file\nlocation with a new subject token prior to expiration. For tokens with one hour lifetimes, the token\nneeds to be updated in the file every hour. The token can be stored directly as plain text or in\nJSON format.\n\nTo generate a file-sourced OIDC configuration, run the following command:\n\n```bash\n# Generate an OIDC configuration file for file-sourced credentials.\ngcloud iam workforce-pools create-cred-config \\\n    locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \\\n    --subject-token-type=urn:ietf:params:oauth:token-type:id_token \\\n    --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \\\n    --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \\\n    # Optional arguments for file types. Default is \"text\":\n    # --credential-source-type \"json\" \\\n    # Optional argument for the field that contains the OIDC credential.\n    # This is required for json.\n    # --credential-source-field-name \"id_token\" \\\n    --output-file=/path/to/generated/config.json\n```\nWhere the following variables need to be substituted:\n- `$WORKFORCE_POOL_ID`: The workforce pool ID.\n- `$PROVIDER_ID`: The provider ID.\n- `$PATH_TO_OIDC_ID_TOKEN`: The file path used to retrieve the OIDC token.\n- `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).\n\nTo generate a file-sourced SAML configuration, run the following command:\n\n```bash\n# Generate a SAML configuration file for file-sourced credentials.\ngcloud iam workforce-pools create-cred-config \\\n    locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \\\n    --credential-source-file=$PATH_TO_SAML_ASSERTION \\\n    --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \\\n    --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \\\n    --output-file=/path/to/generated/config.json \n```\n\nWhere the following variables need to be substituted:\n- `$WORKFORCE_POOL_ID`: The workforce pool ID.\n- `$PROVIDER_ID`: The provider ID.\n- `$PATH_TO_SAML_ASSERTION`: The file path used to retrieve the base64-encoded SAML assertion.\n- `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).\n\nThese commands generate the configuration file in the specified output file.\n\n**URL-sourced credentials**\nFor URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token.\nThe response can be in plain text or JSON. Additional required request headers can also be\nspecified.\n\nTo generate a URL-sourced OIDC workforce identity configuration, run the following command:\n\n```bash\n# Generate an OIDC configuration file for URL-sourced credentials.\ngcloud iam workforce-pools create-cred-config \\\n    locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \\\n    --subject-token-type=urn:ietf:params:oauth:token-type:id_token \\\n    --credential-source-url=$URL_TO_RETURN_OIDC_ID_TOKEN \\\n    --credential-source-headers $HEADER_KEY=$HEADER_VALUE \\\n    --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \\\n    --output-file=/path/to/generated/config.json\n```\n\nWhere the following variables need to be substituted:\n- `$WORKFORCE_POOL_ID`: The workforce pool ID.\n- `$PROVIDER_ID`: The provider ID.\n- `$URL_TO_RETURN_OIDC_ID_TOKEN`: The URL of the local server endpoint.\n- `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET request to\n  `$URL_TO_GET_OIDC_TOKEN`, e.g. `Metadata-Flavor=Google`.\n- `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).\n\nTo generate a URL-sourced SAML configuration, run the following command:\n\n```bash\n# Generate a SAML configuration file for file-sourced credentials.\ngcloud iam workforce-pools create-cred-config \\\n    locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \\\n    --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \\\n    --credential-source-url=$URL_TO_GET_SAML_ASSERTION \\\n    --credential-source-headers $HEADER_KEY=$HEADER_VALUE \\\n    --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \\\n    --output-file=/path/to/generated/config.json \n```\n\nThese commands generate the configuration file in the specified output file.\n\nWhere the following variables need to be substituted:\n- `$WORKFORCE_POOL_ID`: The workforce pool ID.\n- `$PROVIDER_ID`: The provider ID.\n- `$URL_TO_GET_SAML_ASSERTION`: The URL of the local server endpoint.\n- `$HEADER_KEY` and `$HEADER_VALUE`: The additional header key/value pairs to pass along the GET request to\n  `$URL_TO_GET_SAML_ASSERTION`, e.g. `Metadata-Flavor=Google`.\n- `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).\n\n#### Using external account authorized user workforce credentials\n\n[External account authorized user credentials](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#browser-based-sign-in) allow you to sign in with a web browser to an external identity provider account via the\ngcloud CLI and create a configuration for the auth library to use.\n\nTo generate an external account authorized user workforce identity configuration, run the following command:\n\n```bash\ngcloud auth application-default login --login-config=$LOGIN_CONFIG\n```\n\nWhere the following variable needs to be substituted:\n- `$LOGIN_CONFIG`: The login config file generated with the cloud console or\n  [gcloud iam workforce-pools create-login-config](https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/create-login-config)\n\nThis will open a browser flow for you to sign in via the configured third party identity provider\nand then will store the external account authorized user configuration at the well known ADC location.\nThe auth library will then use the provided refresh token from the configuration to generate and refresh\nan access token to call Google Cloud services.\n\nNote that the default lifetime of the refresh token is one hour, after which a new configuration will need to be generated from the gcloud CLI.\nThe lifetime can be modified by changing the [session duration of the workforce pool](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools), and can be set as high as 12 hours.\n\n#### Using Executable-sourced workforce credentials with OIDC and SAML\n\n**Executable-sourced credentials**\nFor executable-sourced credentials, a local executable is used to retrieve the 3rd party token.\nThe executable must handle providing a valid, unexpired OIDC ID token or SAML assertion in JSON format\nto stdout.\n\nTo use executable-sourced credentials, the `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES`\nenvironment variable must be set to `1`.\n\nTo generate an executable-sourced workforce identity configuration, run the following command:\n\n```bash\n# Generate a configuration file for executable-sourced credentials.\ngcloud iam workforce-pools create-cred-config \\\n    locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID \\\n    --subject-token-type=$SUBJECT_TOKEN_TYPE \\\n    # The absolute path for the program, including arguments.\n    # e.g. --executable-command=\"/path/to/command --foo=bar\"\n    --executable-command=$EXECUTABLE_COMMAND \\\n    # Optional argument for the executable timeout. Defaults to 30s.\n    # --executable-timeout-millis=$EXECUTABLE_TIMEOUT \\\n    # Optional argument for the absolute path to the executable output file.\n    # See below on how this argument impacts the library behaviour.\n    # --executable-output-file=$EXECUTABLE_OUTPUT_FILE \\\n    --workforce-pool-user-project=$WORKFORCE_POOL_USER_PROJECT \\\n    --output-file /path/to/generated/config.json\n```\nWhere the following variables need to be substituted:\n- `$WORKFORCE_POOL_ID`: The workforce pool ID.\n- `$PROVIDER_ID`: The provider ID.\n- `$SUBJECT_TOKEN_TYPE`: The subject token type.\n- `$EXECUTABLE_COMMAND`: The full command to run, including arguments. Must be an absolute path to the program.\n- `$WORKFORCE_POOL_USER_PROJECT`: The project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).\n\nThe `--executable-timeout-millis` flag is optional. This is the duration for which\nthe auth library will wait for the executable to finish, in milliseconds.\nDefaults to 30 seconds when not provided. The maximum allowed value is 2 minutes.\nThe minimum is 5 seconds.\n\nThe `--executable-output-file` flag is optional. If provided, the file path must\npoint to the 3rd party credential response generated by the executable. This is useful\nfor caching the credentials. By specifying this path, the Auth libraries will first\ncheck for its existence before running the executable. By caching the executable JSON\nresponse to this file, it improves performance as it avoids the need to run the executable\nuntil the cached credentials in the output file are expired. The executable must\nhandle writing to this file - the auth libraries will only attempt to read from\nthis location. The format of contents in the file should match the JSON format\nexpected by the executable shown below.\n\nTo retrieve the 3rd party token, the library will call the executable\nusing the command specified. The executable's output must adhere to the response format\nspecified below. It must output the response to stdout.\n\nRefer to the [using executable-sourced credentials with Workload Identity Federation](#using-executable-sourced-credentials-with-oidc-and-saml)\nabove for the executable response specification.\n\n#### Using a custom supplier for workforce credentials with OIDC and SAML\nA custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials\nto supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid,\nunexpired subject token when called by the GCP credential.\n\nIdentityPoolCredentials do not cache the returned token, so caching logic should be\nimplemented in the token supplier to prevent multiple requests for the same subject token.\n\n```java\nimport java.io.IOException;\n\npublic class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier {\n\n  @Override\n  public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {\n    // Any call to supplier will pass a context object with the requested\n    // audience and subject token type.\n    string audience = context.getAudience();\n    string tokenType = context.getSubjectTokenType();\n\n    try {\n      // Return a valid, unexpired token for the requested audience and token type.\n      // Note that the IdentityPoolCredential does not cache the subject token so\n      // any caching logic needs to be implemented in the token supplier.\n      return retrieveToken(audience, tokenType);\n    } catch (Exception e) {\n      // If token is unavailable, throw IOException.\n      throw new IOException(e);\n    }\n  }\n\n  private String retrieveToken(string tokenType, string audience) {\n    // Retrieve a subject token of the requested type for the requested audience.\n  }\n}\n```\n```java\nCustomTokenSupplier tokenSupplier = new CustomTokenSupplier();\nIdentityPoolCredentials identityPoolCredentials =\n    IdentityPoolCredentials.newBuilder()\n        .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier.\n        .setAudience(...) // Sets the GCP audience.\n        .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type.\n        .setWorkforcePoolUserProject(...) // Sets the workforce pool user project.\n        .build();\n```\nWhere the audience is:\n```//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID```\n\nWhere the following variables need to be substituted:\n- `$WORKFORCE_POOL_ID`: The workforce pool ID.\n- `$PROVIDER_ID`: The provider ID.\n\nand the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).\n\nThe values for audience, service account impersonation URL, and any other builder field can also be found by\ngenerating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in).\n\n##### Security considerations\nThe following security practices are highly recommended:\n* Access to the script should be restricted as it will be displaying credentials to stdout. This ensures that rogue processes do not gain access to the script.\n* The configuration file should not be modifiable. Write access should be restricted to avoid processes modifying the executable command portion.\n\nGiven the complexity of using executable-sourced credentials, it is recommended to use\nthe existing supported mechanisms (file-sourced/URL-sourced) for providing 3rd party\ncredentials unless they do not meet your specific requirements.\n\nYou can now [use the Auth library](#using-external-identities) to call Google Cloud\nresources from an OIDC or SAML provider.\n\n### Using External Identities\n\nExternal identities can be used with `Application Default Credentials`. In order to use external identities with\nApplication Default Credentials, you need to generate the JSON credentials configuration file for your external identity\nas described above. Once generated, store the path to this file in the`GOOGLE_APPLICATION_CREDENTIALS` environment variable.\n\n```bash\nexport GOOGLE_APPLICATION_CREDENTIALS=/path/to/config.json\n```\n\nThe library can now choose the right type of client and initialize credentials from the context\nprovided in the configuration file.\n\n```java\nGoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();\n\nString projectId = \"your-project-id\";\nString url = \"https://storage.googleapis.com/storage/v1/b?project=\" + projectId;\n\nHttpCredentialsAdapter credentialsAdapter = new HttpCredentialsAdapter(googleCredentials);\nHttpRequestFactory requestFactory = new NetHttpTransport().createRequestFactory(credentialsAdapter);\nHttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));\n\nJsonObjectParser parser = new JsonObjectParser(GsonFactory.getDefaultInstance());\nrequest.setParser(parser);\n\nHttpResponse response = request.execute();\nSystem.out.println(response.parseAsString());\n```\n\nYou can also explicitly initialize external account clients using the generated configuration file.\n\n```java\nExternalAccountCredentials credentials = \n    ExternalAccountCredentials.fromStream(new FileInputStream(\"/path/to/credentials.json\"));\n```\n\n##### Security Considerations\nNote that this library does not perform any validation on the token_url, token_info_url,\nor service_account_impersonation_url fields of the credential configuration.\nIt is not recommended to use a credential configuration that you did not\ngenerate with the gcloud CLI unless you verify that the URL fields point to a\ngoogleapis.com domain.\n\n### Downscoping with Credential Access Boundaries\n\n[Downscoping with Credential Access Boundaries](https://cloud.google.com/iam/docs/downscoping-short-lived-credentials)\nenables restricting the Identity and Access Management (IAM) permissions that a\nshort-lived credential can use for Cloud Storage. This involves creating a\n`CredentialAccessBoundary` that defines the restrictions applied to the\ndownscoped token. Using downscoped credentials ensures tokens in flight always\nhave the least privileges ([Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)).\n\n#### Creating a CredentialAccessBoundary\n\nThe Credential Access Boundary specifies which resources the newly created credential can access,\nas well as an upper bound on the permissions that are available on each resource. \nIt consists of one or more `AccessBoundaryRule` objects.\n\nThe snippet below shows how to initialize a `CredentialAccessBoundary` with one `AccessBoundaryRule` \nwhich specifies that the downscoped token will have readonly access to objects starting with\n\"customer-a\" in bucket \"bucket-123\":\n```java\n// Create the AccessBoundaryRule.\nString availableResource = \"//storage.googleapis.com/projects/_/buckets/bucket-123\";\nString availablePermission = \"inRole:roles/storage.objectViewer\";\nString expression =  \"resource.name.startsWith('projects/_/buckets/bucket-123/objects/customer-a')\";\n\nCredentialAccessBoundary.AccessBoundaryRule rule =\n    CredentialAccessBoundary.AccessBoundaryRule.newBuilder()\n        .setAvailableResource(availableResource)\n        .addAvailablePermission(availablePermission)\n        .setAvailabilityCondition(\n        CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression(expression).build())\n        .build();\n\n// Create the CredentialAccessBoundary with the rule.\nCredentialAccessBoundary credentialAccessBoundary = \n        CredentialAccessBoundary.newBuilder().addRule(rule).build();\n```\n\n#### Common Usage Pattern\n\nThe common pattern of usage is to have a token broker with elevated access generate these downscoped\ncredentials from higher access source credentials and pass the downscoped short-lived access tokens\nto a token consumer via some secure authenticated channel for limited access to Google Cloud Storage\nresources.\n\n#### Generating Downscoped Tokens\nThere are two ways to generate downscoped tokens using a CredentialAccessBoundary:\n\n* **Server-side (using `DownscopedCredentials`):** The client calls the Security \nToken Service (STS) each time a downscoped token is needed. This is suitable for\napplications where the Credential Access Boundary rules change infrequently or \nwhen a single downscoped credential is reused many times.  A key consideration\nis that every rule change requires a new call to the STS. This approach is available \nwithin the `google-auth-library-oauth2-http` library and does not require any additional \ndependencies, making it simpler to integrate.  It's a good choice if your use case \ndoesn't demand the specific benefits of the client-side approach.\n\n\n* **Client-side (using `ClientSideCredentialAccessBoundaryFactory`):** The client \nretrieves cryptographic material once and then generates multiple downscoped tokens \nlocally. This minimizes calls to the STS and is more efficient when Credential Access \nBoundary rules change frequently, as the client doesn't need to contact the STS \nfor each rule change. This is also more efficient for applications that need to \ngenerate many *unique* downscoped tokens.  This approach is available in the \n`google-auth-library-cab-token-generator` module.  However, this module comes with \nits own set of dependencies, which can add complexity to your project.  Consider\nthis approach if minimizing STS calls and generating numerous unique tokens are \nprimary concerns and you are willing to manage the additional dependencies.\n\n#### Server-side CAB\n\nThe `DownscopedCredentials` class can be used to produce a downscoped access\ntoken from a source credential and the `CredentialAccessBoundary`.\n\n```java\n// Retrieve the source credentials from ADC.\nGoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()\n        .createScoped(\"https://www.googleapis.com/auth/cloud-platform\");\n\n// Create an Access Boundary Rule which will restrict the downscoped token to having readonly\n// access to objects starting with \"customer-a\" in bucket \"bucket-123\".\nString availableResource = \"//storage.googleapis.com/projects/_/buckets/bucket-123\";\nString availablePermission = \"inRole:roles/storage.objectViewer\";\nString expression =  \"resource.name.startsWith('projects/_/buckets/bucket-123/objects/customer-a')\";\n        \nCredentialAccessBoundary.AccessBoundaryRule rule =\n    CredentialAccessBoundary.AccessBoundaryRule.newBuilder()\n        .setAvailableResource(availableResource)\n        .addAvailablePermission(availablePermission)\n        .setAvailabilityCondition(\n            new AvailabilityCondition(expression, /* title= */ null, /* description= */ null))\n        .build();\n\n// Initialize the DownscopedCredentials class.\nDownscopedCredentials downscopedCredentials =\n    DownscopedCredentials.newBuilder()\n        .setSourceCredential(sourceCredentials)\n        .setCredentialAccessBoundary(CredentialAccessBoundary.newBuilder().addRule(rule).build())\n        .build();\n\n// Retrieve the downscoped access token.\n// This will need to be passed to the Token Consumer.\nAccessToken downscopedAccessToken = downscopedCredentials.refreshAccessToken();\n```\n\n#### Client-side CAB\n\nFor client-side CAB, the `ClientSideCredentialAccessBoundaryFactory` is used\nwith a source credential. After initializing the factory, the `generateToken()`\nmethod can be called repeatedly with different `CredentialAccessBoundary`\nobjects to create multiple downscoped tokens.\n\n```java\n// Retrieve the source credentials from ADC.\nGoogleCredentials sourceCredentials = GoogleCredentials.getApplicationDefault()\n        .createScoped(\"https://www.googleapis.com/auth/cloud-platform\");\n\n// Create an Access Boundary Rule which will restrict the downscoped token to having readonly\n// access to objects starting with \"customer-a\" in bucket \"bucket-123\".\nString availableResource = \"//storage.googleapis.com/projects/_/buckets/bucket-123\";\nString availablePermission = \"inRole:roles/storage.objectViewer\";\nString expression =  \"resource.name.startsWith('projects/_/buckets/bucket-123/objects/customer-a')\";\n        \nCredentialAccessBoundary.AccessBoundaryRule rule =\n    CredentialAccessBoundary.AccessBoundaryRule.newBuilder()\n        .setAvailableResource(availableResource)\n        .addAvailablePermission(availablePermission)\n        .setAvailabilityCondition(\n            new AvailabilityCondition(expression, /* title= */ null, /* description= */ null))\n        .build();\n\n// Initialize the ClientSideCredentialAccessBoundaryFactory.\nClientSideCredentialAccessBoundaryFactory factory =\n    ClientSideCredentialAccessBoundaryFactory.newBuilder()\n        .setSourceCredential(sourceCredentials)\n        .build();\n\n// Create the CredentialAccessBoundary with the rule.\nCredentialAccessBoundary credentialAccessBoundary = \n        CredentialAccessBoundary.newBuilder().addRule(rule).build();\n\n// Generate the downscoped access token.\n// This will need to be passed to the Token Consumer.\nAccessToken downscopedAccessToken = factory.generateToken(credentialAccessBoundary);\n```\n\n#### Using Downscoped Access Tokens\n\nA token broker can be set up on a server in a private network. Various workloads\n(token consumers) in the same network will send authenticated requests to that\nbroker for downscoped tokens to access or modify specific google cloud storage\nbuckets.\n\nThe broker will instantiate downscoped credentials instances that can be used to\ngenerate short-lived downscoped access tokens which will be passed to the token\nconsumer.\n\nThese downscoped access tokens can be used by the Token Consumer via `OAuth2Credentials` or\n`OAuth2CredentialsWithRefresh`. This credential can then be used to initialize a storage client \ninstance to access Google Cloud Storage resources with restricted access.\n\n```java\n// You can pass an `OAuth2RefreshHandler` to `OAuth2CredentialsWithRefresh` which will allow the\n// library to seamlessly handle downscoped token refreshes on expiration.\nOAuth2CredentialsWithRefresh.OAuth2RefreshHandler handler = \n        new OAuth2CredentialsWithRefresh.OAuth2RefreshHandler() {\n    @Override\n    public AccessToken refreshAccessToken() {\n      // Add the logic here that retrieves the token from your Token Broker.\n      return accessToken;\n    }\n};\n\n// Downscoped token retrieved from token broker.\nAccessToken downscopedToken = handler.refreshAccessToken();\n\n// Build the OAuth2CredentialsWithRefresh from the downscoped token and pass a refresh handler \n// to handle token expiration. Passing the original downscoped token or the expiry here is optional,\n// as the refresh_handler will generate the downscoped token on demand.\nOAuth2CredentialsWithRefresh credentials =\n    OAuth2CredentialsWithRefresh.newBuilder()\n        .setAccessToken(downscopedToken)\n        .setRefreshHandler(handler)\n        .build();\n\n// Use the credentials with the Cloud Storage SDK.\nStorageOptions options = StorageOptions.newBuilder().setCredentials(credentials).build();\nStorage storage = options.getService();\n\n// Call GCS APIs.\n// Since we passed the downscoped credential, we will have have limited readonly access to objects\n// starting with \"customer-a\" in bucket \"bucket-123\".\nstorage.get(...)\n```\n\nNote: Only Cloud Storage supports Credential Access Boundaries. Other Google Cloud services do not\nsupport this feature.\n\n## Configuring a Proxy\n\nFor HTTP clients, a basic proxy can be configured by using `http.proxyHost` and related system properties as documented\nby [Java Networking and Proxies](https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html).\n\nFor a more custom proxy (e.g. for an authenticated proxy), provide a custom \n[`HttpTransportFactory`][http-transport-factory] to [`GoogleCredentials`][google-credentials]:\n\n```java\nimport com.google.api.client.http.HttpTransport;\nimport com.google.api.client.http.apache.v2.ApacheHttpTransport;\nimport com.google.auth.http.HttpTransportFactory;\nimport com.google.auth.oauth2.GoogleCredentials;\nimport org.apache.http.HttpHost;\nimport org.apache.http.auth.AuthScope;\nimport org.apache.http.auth.UsernamePasswordCredentials;\nimport org.apache.http.client.CredentialsProvider;\nimport org.apache.http.client.HttpClient;\nimport org.apache.http.conn.routing.HttpRoutePlanner;\nimport org.apache.http.impl.client.BasicCredentialsProvider;\nimport org.apache.http.impl.client.ProxyAuthenticationStrategy;\nimport org.apache.http.impl.conn.DefaultProxyRoutePlanner;\n\nimport java.io.IOException;\n\npublic class ProxyExample {\n  public GoogleCredentials getCredentials() throws IOException {\n    HttpTransportFactory httpTransportFactory = getHttpTransportFactory(\n        \"some-host\", 8080, \"some-username\", \"some-password\"\n    );\n\n    return GoogleCredentials.getApplicationDefault(httpTransportFactory);\n  }\n\n  public HttpTransportFactory getHttpTransportFactory(String proxyHost, int proxyPort, String proxyUsername, String proxyPassword) {\n    HttpHost proxyHostDetails = new HttpHost(proxyHost, proxyPort);\n    HttpRoutePlanner httpRoutePlanner = new DefaultProxyRoutePlanner(proxyHostDetails);\n\n    CredentialsProvider credentialsProvider = new BasicCredentialsProvider();\n    credentialsProvider.setCredentials(\n        new AuthScope(proxyHostDetails.getHostName(), proxyHostDetails.getPort()),\n        new UsernamePasswordCredentials(proxyUsername, proxyPassword)\n    );\n\n    HttpClient httpClient = ApacheHttpTransport.newDefaultHttpClientBuilder()\n        .setRoutePlanner(httpRoutePlanner)\n        .setProxyAuthenticationStrategy(ProxyAuthenticationStrategy.INSTANCE)\n        .setDefaultCredentialsProvider(credentialsProvider)\n        .build();\n\n    final HttpTransport httpTransport = new ApacheHttpTransport(httpClient);\n    return new HttpTransportFactory() {\n      @Override\n      public HttpTransport create() {\n        return httpTransport;\n      }\n    };\n  }\n}\n```\n\nThe above example requires `com.google.http-client:google-http-client-apache-v2`.\n\n## Using Credentials with `google-http-client`\n\nCredentials provided by [com.google.auth:google-auth-library-oauth2-http](\nhttps://search.maven.org/artifact/com.google.auth/google-auth-library-oauth2-http)\ncan be used with Google's [HTTP-based clients][apiary-clients].\nWe provide a [`HttpCredentialsAdapter`][http-credentials-adapter] which can be used\nas an [`HttpRequestInitializer`][http-request-initializer], the last argument for\ntheir builders.\n\n```java\nimport com.google.api.client.http.HttpRequestInitializer;\nimport com.google.api.services.bigquery.Bigquery;\nimport com.google.auth.http.HttpCredentialsAdapter;\nimport com.google.auth.oauth2.GoogleCredentials;\n\nGoogleCredentials credentials = GoogleCredentials.getApplicationDefault();\nHttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(credentials);\n\nBigquery bq = new Bigquery.Builder(HTTP_TRANSPORT, JSON_FACTORY, requestInitializer)\n    .setApplicationName(APPLICATION_NAME)\n    .build();\n```\n\n## Verifying JWT Tokens (Beta)\n\nTo verify a JWT token, use the [`TokenVerifier`][token-verifier] class.\n\n### Verifying a Signature\n\nTo verify a signature, use the default [`TokenVerifier`][token-verifier]:\n\n```java\nimport com.google.api.client.json.webtoken.JsonWebSignature;\nimport com.google.auth.oauth2.TokenVerifier;\n\nTokenVerifier tokenVerifier = TokenVerifier.newBuilder().build();\ntry {\n  JsonWebSignature jsonWebSignature = tokenVerifier.verify(tokenString);\n  // optionally verify additional claims\n  if (!\"expected-value\".equals(jsonWebSignature.getPayload().get(\"additional-claim\"))) {\n    // handle custom verification error\n  }\n} catch (TokenVerifier.VerificationException e) {\n  // invalid token\n}\n```\n\n### Customizing the TokenVerifier\n\nTo customize a [`TokenVerifier`][token-verifier], instantiate it via its builder:\n\n```java\nimport com.google.api.client.json.webtoken.JsonWebSignature;\nimport com.google.auth.oauth2.TokenVerifier;\n\nTokenVerifier tokenVerifier = TokenVerifier.newBuilder()\n  .setAudience(\"audience-to-verify\")\n  .setIssuer(\"issuer-to-verify\")\n  .build();\ntry {\n  JsonWebSignature jsonWebSignature = tokenVerifier.verify(tokenString);\n  // optionally verify additional claims\n  if (!\"expected-value\".equals(jsonWebSignature.getPayload().get(\"additional-claim\"))) {\n    // handle custom verification error\n  }\n} catch (TokenVerifier.VerificationException e) {\n  // invalid token\n}\n```\n\nFor more options, see the [`TokenVerifier.Builder`][token-verifier-builder] documentation.\n\n\n## google-auth-library-credentials\n\nThis artifact contains base classes and interfaces for Google credentials:\n- `Credentials`: base class for an authorized identity. Implementations of this class can be used to\n  authorize your application\n- `RequestMetadataCallback`: interface for the callback that receives the result of the asynchronous\n  `Credentials.getRequestMetadata(URI, Executor, RequestMetadataCallback)`\n- `ServiceAccountSigner`: interface for a service account signer. Implementations of this class are\n  capable of signing byte arrays using the credentials associated to a Google Service Account\n\n## google-auth-library-appengine\n\nThis artifact depends on the App Engine SDK (`appengine-api-1.0-sdk`) and should be used only by\napplications running on App Engine environments that use urlfetch. The `AppEngineCredentials` class\nallows you to authorize your App Engine application given an instance of\n[AppIdentityService][appengine-app-identity-service].\n\nUsage:\n\n```java\nimport com.google.appengine.api.appidentity.AppIdentityService;\nimport com.google.appengine.api.appidentity.AppIdentityServiceFactory;\nimport com.google.auth.Credentials;\nimport com.google.auth.appengine.AppEngineCredentials;\n\nAppIdentityService appIdentityService = AppIdentityServiceFactory.getAppIdentityService();\n\nCredentials credentials =\n    AppEngineCredentials.newBuilder()\n        .setScopes(...)\n        .setAppIdentityService(appIdentityService)\n        .build();\n```\n\n**Important: `com.google.auth.appengine.AppEngineCredentials` is a separate class from\n`com.google.auth.oauth2.AppEngineCredentials`.**\n\n## google-auth-library-cab-token-generator\n\nThis module provides the `ClientSideCredentialAccessBoundaryFactory` class, \nenabling client-side generation of downscoped tokens for Cloud Storage using \nCredential Access Boundaries. This approach is particularly useful for applications \nrequiring frequent changes to Credential Access Boundary rules or the generation \nof many unique downscoped tokens, as it minimizes calls to the Security Token \nService (STS). For more details on when to consider this approach and how it \ncompares to the server-side method, see [Downscoping with Credential Access Boundaries](#downscoping-with-credential-access-boundaries). \nFor usage examples, see the [Client-side CAB](#client-side-cab) section. \nThis module comes with its own set of dependencies, so evaluate whether the \nbenefits of client-side downscoping outweigh the added complexity for your specific use case.\n\n## CI Status\n\nJava Version | Status\n------------ | ------\nJava 8 | [![Kokoro CI](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java8.svg)](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java8.html)\nJava 8 OSX | [![Kokoro CI](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java8-osx.svg)](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java8-osx.html)\nJava 8 Windows | [![Kokoro CI](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java8-win.svg)](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java8-win.html)\nJava 11 | [![Kokoro CI](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java11.svg)](http://storage.googleapis.com/cloud-devrel-public/java/badges/google-auth-library-java/java11.html)\n\n## Contributing\n\nContributions to this library are always welcome and highly encouraged.\n\nSee [CONTRIBUTING](CONTRIBUTING.md) documentation for more information on how to get started.\n\nPlease note that this project is released with a Contributor Code of Conduct. By participating in\nthis project you agree to abide by its terms. See [Code of Conduct](CODE_OF_CONDUCT.md) for more\ninformation.\n\n## Running the Tests\n\nTo run the tests you will need:\n\n* Maven 3+\n\n```bash\n$ mvn test\n```\n\n## License\n\nBSD 3-Clause - See [LICENSE](LICENSE) for more information.\n\n[appengine-sdk-versions]: https://search.maven.org/search?q=g:com.google.appengine%20AND%20a:appengine-api-1.0-sdk\u0026core=gav\n[appengine-sdk-install]: https://github.com/googleapis/google-auth-library-java/blob/main/README.md#google-auth-library-appengine\n[appengine-app-identity-service]: https://cloud.google.com/appengine/docs/java/javadoc/com/google/appengine/api/appidentity/AppIdentityService\n[apiary-clients]: https://search.maven.org/search?q=g:com.google.apis\n[http-credentials-adapter]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/http/HttpCredentialsAdapter.html\n[http-request-initializer]: https://googleapis.dev/java/google-http-client/latest/index.html?com/google/api/client/http/HttpRequestInitializer.html\n[token-verifier]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/oauth2/TokenVerifier.html\n[token-verifier-builder]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/oauth2/TokenVerifier.Builder.html\n[http-transport-factory]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/http/HttpTransportFactory.html\n[google-credentials]: https://googleapis.dev/java/google-auth-library/latest/index.html?com/google/auth/oauth2/GoogleCredentials.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleapis%2Fgoogle-auth-library-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogleapis%2Fgoogle-auth-library-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleapis%2Fgoogle-auth-library-java/lists"}