[oauth2] google/google: update documentation for workload identity federation

Gerrit Bot (Gerrit)

unread,

Sep 29, 2022, 4:13:02 PM9/29/22

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Gerrit Bot has uploaded this change for review.

google/google: update documentation for workload identity federation

Including information on executable-sourced credentials

Change-Id: I39bcf20ffd1f5a9026d3d18e127411c03021977d
GitHub-Last-Rev: 1232a05c7a8374e5b7d9011d14dc80e2cb1010b3
GitHub-Pull-Request: golang/oauth2#592
---
M google/doc.go
1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/google/doc.go b/google/doc.go
index dddf651..88a6fc8 100644
--- a/google/doc.go
+++ b/google/doc.go
@@ -40,9 +40,10 @@
 //	Microsoft Azure: https://cloud.google.com/iam/docs/access-resources-azure
 //	OIDC identity provider: https://cloud.google.com/iam/docs/access-resources-oidc
 //
-// For OIDC providers, the library can retrieve OIDC tokens either from a
-// local file location (file-sourced credentials) or from a local server
-// (URL-sourced credentials).
+// For OIDC providers, the library can retrieve OIDC tokens in three ways: from
+// a local file location (file-sourced credentials), from a server
+// (URL-sourced credentials), or from a local executable (executable-sourced
+// credentials).
 // For file-sourced credentials, a background process needs to be continuously
 // refreshing the file location with a new OIDC token prior to expiration.
 // For tokens with one hour lifetimes, the token needs to be updated in the file
@@ -50,6 +51,11 @@
 // For URL-sourced credentials, a local server needs to host a GET endpoint to
 // return the OIDC token. The response can be in plain text or JSON.
 // Additional required request headers can also be specified.
+// For executable-sourced credentials, an application needs to be available to
+// output the OIDC token and other information in a JSON format.
+// For more information on how these work (and how to implement
+// executable-sourced credentials), please check out:
+// https://cloud.google.com/iam/docs/using-workload-identity-federation#oidc
 //
 // # Credentials
 //

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Leo Siracusa (Gerrit)

unread,

Sep 29, 2022, 4:57:57 PM9/29/22

to Gerrit Bot, goph...@pubsubhelper.golang.org, Cody Oss, Ryan Kohler, Brad Fitzpatrick, Chris Broadfoot, Shin Fan, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Cody Oss.

View Change

1 comment:

File google/doc.go:
- Patch Set #1, Line 43: // For OIDC providers, the library can retrieve OIDC tokens in three ways: from
  Mention SAML as well

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit Bot (Gerrit)

unread,

Oct 3, 2022, 10:20:46 PM10/3/22

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Cody Oss.

Gerrit Bot uploaded patch set #2 to this change.

View Change

google/google: update documentation for workload identity federation

Including information on executable-sourced credentials

Change-Id: I39bcf20ffd1f5a9026d3d18e127411c03021977d

GitHub-Last-Rev: 07d8f91cfcbefd389e9498988a66594102e92265


GitHub-Pull-Request: golang/oauth2#592
---
M google/doc.go
1 file changed, 22 insertions(+), 3 deletions(-)

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit Bot (Gerrit)

unread,

Oct 3, 2022, 10:30:06 PM10/3/22

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Cody Oss.

Gerrit Bot uploaded patch set #3 to this change.

View Change

google/google: update documentation for workload identity federation

Including information on executable-sourced credentials

Change-Id: I39bcf20ffd1f5a9026d3d18e127411c03021977d

GitHub-Last-Rev: d61f2e71d26d9111f0fecd481ee1615ac60ad49b


GitHub-Pull-Request: golang/oauth2#592
---
M google/doc.go
1 file changed, 22 insertions(+), 3 deletions(-)

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Ryan Kohler (Gerrit)

unread,

Oct 3, 2022, 10:30:18 PM10/3/22

to Gerrit Bot, goph...@pubsubhelper.golang.org, Leo Siracusa, Cody Oss, Brad Fitzpatrick, Chris Broadfoot, Shin Fan, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Cody Oss, Leo Siracusa.

View Change

1 comment:

File google/doc.go:

- Patch Set #1, Line 43: // For OIDC providers, the library can retrieve OIDC tokens in three ways: from
  Mention SAML as well

- Done

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Leo Siracusa (Gerrit)

unread,

Oct 5, 2022, 6:02:37 PM10/5/22

to Gerrit Bot, goph...@pubsubhelper.golang.org, Cody Oss, Ryan Kohler, Brad Fitzpatrick, Chris Broadfoot, Shin Fan, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Cody Oss.

Patch set 3:Code-Review +1

View Change

1 comment:

Patchset:
- Patch Set #3:
  Is workforce not documented? If not please add it in another PR

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Ryan Kohler (Gerrit)

unread,

Oct 5, 2022, 7:18:18 PM10/5/22

to Gerrit Bot, goph...@pubsubhelper.golang.org, Leo Siracusa, Cody Oss, Brad Fitzpatrick, Chris Broadfoot, Shin Fan, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Cody Oss, Leo Siracusa.

View Change

1 comment:

Patchset:

- Patch Set #3:
  Is workforce not documented? If not please add it in another PR

- Ack

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Cody Oss (Gerrit)

unread,

Oct 6, 2022, 11:08:07 AM10/6/22

to Gerrit Bot, goph...@pubsubhelper.golang.org, Leo Siracusa, Ryan Kohler, Brad Fitzpatrick, Chris Broadfoot, Shin Fan, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Brad Fitzpatrick, Leo Siracusa.

Patch set 3:Run-TryBot +1Auto-Submit +1Code-Review +2

View Change

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Gopher Robot (Gerrit)

unread,

Oct 6, 2022, 11:09:54 AM10/6/22

to Gerrit Bot, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Cody Oss, Leo Siracusa, Ryan Kohler, Brad Fitzpatrick, Chris Broadfoot, Shin Fan, golang-co...@googlegroups.com

Gopher Robot submitted this change.

View Change

Approvals:
  Gopher Robot: TryBots succeeded
  Cody Oss: Looks good to me, approved; Run TryBots; Automatically submit change
  Leo Siracusa: Looks good to me, but someone else must approve

google/google: update documentation for workload identity federation

Including information on executable-sourced credentials

Change-Id: I39bcf20ffd1f5a9026d3d18e127411c03021977d
GitHub-Last-Rev: d61f2e71d26d9111f0fecd481ee1615ac60ad49b
GitHub-Pull-Request: golang/oauth2#592

Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/436836
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Leo Siracusa <leosi...@google.com>
Run-TryBot: Cody Oss <cod...@google.com>
Reviewed-by: Cody Oss <cod...@google.com>
Auto-Submit: Cody Oss <cod...@google.com>
---
M google/doc.go
1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/google/doc.go b/google/doc.go
index dddf651..b3e7bc8 100644


--- a/google/doc.go
+++ b/google/doc.go
@@ -40,9 +40,10 @@
 //	Microsoft Azure: https://cloud.google.com/iam/docs/access-resources-azure
 //	OIDC identity provider: https://cloud.google.com/iam/docs/access-resources-oidc
 //
-// For OIDC providers, the library can retrieve OIDC tokens either from a
-// local file location (file-sourced credentials) or from a local server
-// (URL-sourced credentials).

+// For OIDC and SAML providers, the library can retrieve tokens in three ways:
+// from a local file location (file-sourced credentials), from a server


+// (URL-sourced credentials), or from a local executable (executable-sourced
+// credentials).
 // For file-sourced credentials, a background process needs to be continuously
 // refreshing the file location with a new OIDC token prior to expiration.
 // For tokens with one hour lifetimes, the token needs to be updated in the file
@@ -50,6 +51,11 @@
 // For URL-sourced credentials, a local server needs to host a GET endpoint to
 // return the OIDC token. The response can be in plain text or JSON.
 // Additional required request headers can also be specified.
+// For executable-sourced credentials, an application needs to be available to
+// output the OIDC token and other information in a JSON format.
+// For more information on how these work (and how to implement
+// executable-sourced credentials), please check out:
+// https://cloud.google.com/iam/docs/using-workload-identity-federation#oidc
 //
 // # Credentials
 //

To view, visit change 436836. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward