diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
index 547a04261..4dd02861c 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
@@ -58,7 +58,8 @@
/**
* Base external account credentials class.
*
- *
Handles initializing external credentials, calls to STS, and service account impersonation.
+ *
Handles initializing external credentials, calls to the Security Token Service, and service
+ * account impersonation.
*/
public abstract class ExternalAccountCredentials extends GoogleCredentials
implements QuotaProjectIdProvider {
@@ -89,8 +90,9 @@ abstract static class CredentialSource {
@Nullable private final String clientId;
@Nullable private final String clientSecret;
- // This is used for Workforce Pools. It is passed to STS during token exchange in the
- // `options` param and will be embedded in the token by STS.
+ // This is used for Workforce Pools. It is passed to the Security Token Service during token
+ // exchange in the `options` param and will be embedded in the token by the Security Token
+ // Service.
@Nullable private final String workforcePoolUserProject;
protected transient HttpTransportFactory transportFactory;
@@ -104,18 +106,17 @@ abstract static class CredentialSource {
* workforce credentials.
*
* @param transportFactory HTTP transport factory, creates the transport used to get access tokens
- * @param audience the STS audience which is usually the fully specified resource name of the
- * workload/workforce pool provider
- * @param subjectTokenType the STS subject token type based on the OAuth 2.0 token exchange spec.
- * Indicates the type of the security token in the credential file
- * @param tokenUrl the STS token exchange endpoint
+ * @param audience the Security Token Service audience, which is usually the fully specified
+ * resource name of the workload/workforce pool provider
+ * @param subjectTokenType the Security Token Service subject token type based on the OAuth 2.0
+ * token exchange spec. Indicates the type of the security token in the credential file
+ * @param tokenUrl the Security Token Service token exchange endpoint
* @param tokenInfoUrl the endpoint used to retrieve account related information. Required for
* gCloud session account identification.
* @param credentialSource the external credential source
* @param serviceAccountImpersonationUrl the URL for the service account impersonation request.
- * This is only required for workload identity pools when APIs to be accessed have not
- * integrated with UberMint. If this is not available, the STS returned GCP access token is
- * directly used. May be null.
+ * This URL is required for some APIs. If this URL is not available, the access token from the
+ * Security Token Service is used directly. May be null.
* @param quotaProjectId the project used for quota and billing purposes. May be null.
* @param clientId client ID of the service account from the console. May be null.
* @param clientSecret client secret of the service account from the console. May be null.
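Review bot: The rewritten `@param tokenUrl` and `@param serviceAccountImpersonationUrl` text says what each endpoint is for but not that credentials are sent to it: the subject token goes to the token exchange endpoint and, presumably, the exchanged access token goes to the impersonation URL. When these values come from a credential configuration file supplied by another party, a URL on a host the caller does not control would receive those tokens, and whether the constructor validates the URLs is not visible in this hunk. I would add a sentence to each tag such as `Must be a trusted endpoint; validate credential configurations obtained from external sources before use.` The same applies to the `setTokenUrl` and `setServiceAccountImpersonationUrl` Javadoc in the later Builder hunks. The Javadoc block and the constructor it documents both extend outside this hunk.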
@@ -395,11 +396,11 @@ private static boolean isAwsCredential(Map Must be implemented by subclasses as the retrieval method is dependent on the credential
* source.
@@ -603,8 +605,8 @@ public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
}
/**
- * Sets the STS audience which is usually the fully specified resource name of the
- * workload/workforce pool provider.
+ * Sets the Security Token Service audience, which is usually the fully specified resource name
+ * of the workload/workforce pool provider.
*/
public Builder setAudience(String audience) {
this.audience = audience;
@@ -612,15 +614,15 @@ public Builder setAudience(String audience) {
}
/**
- * Sets the STS subject token type based on the OAuth 2.0 token exchange spec. Indicates the
- * type of the security token in the credential file.
+ * Sets the Security Token Service subject token type based on the OAuth 2.0 token exchange
+ * spec. Indicates the type of the security token in the credential file.
*/
public Builder setSubjectTokenType(String subjectTokenType) {
this.subjectTokenType = subjectTokenType;
return this;
}
- /** Sets the STS token exchange endpoint. */
+ /** Sets the Security Token Service token exchange endpoint. */
public Builder setTokenUrl(String tokenUrl) {
this.tokenUrl = tokenUrl;
return this;
@@ -633,9 +635,9 @@ public Builder setCredentialSource(CredentialSource credentialSource) {
}
/**
- * Sets the optional URL used for service account impersonation. This is only required when APIs
- * to be accessed have not integrated with UberMint. If this is not available, the STS returned
- * GCP access token is directly used.
+ * Sets the optional URL used for service account impersonation, which is required for some
+ * APIs. If this URL is not available, the access token from the Security Token Service is used
+ * directly.
*/
public Builder setServiceAccountImpersonationUrl(String serviceAccountImpersonationUrl) {
this.serviceAccountImpersonationUrl = serviceAccountImpersonationUrl;
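Review bot: "required for some APIs" in the new `setServiceAccountImpersonationUrl` Javadoc no longer tells the reader how to decide whether to set the URL, and it does not say what changes for authorization when the URL is left unset. The only stated consequence is that the Security Token Service token is used directly; it would help to add that requests are then presumably authorized as the federated identity rather than as a service account, for example `Without this URL, calls are made with the federated token and are authorized as the external identity, so IAM grants must target that principal.` The `@param serviceAccountImpersonationUrl` text in the constructor Javadoc hunk uses the same wording. The method body continues past the end of this hunk.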