Commit
[AIP-4117] expiration_time is optional unless an output_file is specified (aip-dev#924)
lsirac authored Aug 12, 2022
1 parent dbe3798 commit 7ce2985
Showing 1 changed file with 8 additions and 7 deletions.
15 changes: 8 additions & 7 deletions aip/auth/4117.md
@@ -431,13 +431,13 @@ Additionally, the executable **must** adhere to the following response format:

Successful responses:

| Field Name | Type | Description |
|---------------------------|---------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| version | number | The version of the JSON output. Currently only version 1 is supported. |
| success | boolean | The status of the response. True in this case. |
| token_type | string | The 3rd party subject token type. Must be *urn:ietf:params:oauth:token-type:jwt*, *urn:ietf:params:oauth:token-type:id_token*, or *urn:ietf:params:oauth:token-type:saml2*. |
| id_token OR saml_response | string | The 3rd party OIDC token or SAML response. |
| expiration_time | number | The 3rd party subject token expiration time in seconds (unix epoch time). |
| Field Name | Type | Description |
|---------------------------|---------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| version | number | The version of the JSON output. Currently only version 1 is supported. |
| success | boolean | The status of the response. True in this case. |
| token_type | string | The 3rd party subject token type. Must be *urn:ietf:params:oauth:token-type:jwt*, *urn:ietf:params:oauth:token-type:id_token*, or *urn:ietf:params:oauth:token-type:saml2*. |
| id_token OR saml_response | string | The 3rd party OIDC token or SAML response. |
| expiration_time | number | The optional 3rd party subject token expiration time in seconds (unix epoch time). Only required in the response when an output file is specified in the credential configuration. |

A sample successful executable OIDC response:
```json
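Review bot: the rewritten `expiration_time` row (`Only required in the response when an output file is specified in the credential configuration.`) says when the field is required but not what a library must do when it is missing, so the step `If the response is malformed or invalid, error out.` later in this file has nothing concrete to key on; suggest adding one sentence stating that a response without `expiration_time` is invalid whenever an output file is configured, and that when no output file is configured a library must not infer any lifetime the executable did not state. Two smaller points: mark the optionality in the Type column as well (e.g. `number (optional)`) so it is visible at a glance like the other rows, and since the commit's 8 additions and 7 deletions are all in these two hunks, the sample under `A sample successful executable OIDC response:` is unchanged and still shows the field; a second sample, or a note that the field may be omitted, would show readers the now-permitted shape.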
@@ -493,6 +493,7 @@ The auth libraries and applications **must** follow the steps below:
- If the response is malformed or invalid, error out.
- Ensure the following environment variables will be available to the executable:
- `GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE`: The audience field from the credential configuration. Must always be present.
- `GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE`: The subject token type. Must always be present.
- `GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL`: The service account email. Only present when service account impersonation is used.
- `GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE`: The output file location from the credential configuration. Only present when specified in the credential configuration.
- Run the command specified at **credential_source.executable.command**.
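Review bot: the new `GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE` entry is the only signal the executable gets that it must emit `expiration_time` (per the response table earlier in this file), yet neither place refers to the other; suggest appending to this line something like `When present, the executable must include expiration_time in its response.` so an author reading only the environment-variable list sees the requirement. The lead-in `Ensure the following environment variables will be available to the executable:` also reads as if every variable is always set, while two of the four carry an `Only present when ...` qualifier; rewording it to "the following environment variables, where applicable" would match the per-line notes.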

0 comments on commit 7ce2985