forked from Mirrors/oauth2
google: Updating 3pi documentation
Fixing dead links in workload docs, adds workforce documentation
Change-Id: Ifad86e1937997f96ef577f5469d1e6fe496197b5
GitHub-Last-Rev: af288081ce
GitHub-Pull-Request: golang/oauth2#638
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/478555
Auto-Submit: Cody Oss <codyoss@google.com>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
aeitzman
Gopher Robot
parent
54b70c833f
commit
a6e37e7441
|
|
@ -26,7 +26,7 @@
|
||||||
//
|
//
|
||||||
// Using workload identity federation, your application can access Google Cloud
|
// Using workload identity federation, your application can access Google Cloud
|
||||||
// resources from Amazon Web Services (AWS), Microsoft Azure or any identity
|
// resources from Amazon Web Services (AWS), Microsoft Azure or any identity
|
||||||
// provider that supports OpenID Connect (OIDC).
|
// provider that supports OpenID Connect (OIDC) or SAML 2.0.
|
||||||
// Traditionally, applications running outside Google Cloud have used service
|
// Traditionally, applications running outside Google Cloud have used service
|
||||||
// account keys to access Google Cloud resources. Using identity federation,
|
// account keys to access Google Cloud resources. Using identity federation,
|
||||||
// you can allow your workload to impersonate a service account.
|
// you can allow your workload to impersonate a service account.
|
||||||
|
|
@ -36,26 +36,70 @@
|
||||||
// Follow the detailed instructions on how to configure Workload Identity Federation
|
// Follow the detailed instructions on how to configure Workload Identity Federation
|
||||||
// in various platforms:
|
// in various platforms:
|
||||||
//
|
//
|
||||||
// Amazon Web Services (AWS): https://cloud.google.com/iam/docs/access-resources-aws
|
// Amazon Web Services (AWS): https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#aws
|
||||||
// Microsoft Azure: https://cloud.google.com/iam/docs/access-resources-azure
|
// Microsoft Azure: https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#azure
|
||||||
// OIDC identity provider: https://cloud.google.com/iam/docs/access-resources-oidc
|
// OIDC identity provider: https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#oidc
|
||||||
|
// SAML 2.0 identity provider: https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#saml
|
||||||
//
|
//
|
||||||
// For OIDC and SAML providers, the library can retrieve tokens in three ways:
|
// For OIDC and SAML providers, the library can retrieve tokens in three ways:
|
||||||
// from a local file location (file-sourced credentials), from a server
|
// from a local file location (file-sourced credentials), from a server
|
||||||
// (URL-sourced credentials), or from a local executable (executable-sourced
|
// (URL-sourced credentials), or from a local executable (executable-sourced
|
||||||
// credentials).
|
// credentials).
|
||||||
// For file-sourced credentials, a background process needs to be continuously
|
// For file-sourced credentials, a background process needs to be continuously
|
||||||
// refreshing the file location with a new OIDC token prior to expiration.
|
// refreshing the file location with a new OIDC/SAML token prior to expiration.
|
||||||
// For tokens with one hour lifetimes, the token needs to be updated in the file
|
// For tokens with one hour lifetimes, the token needs to be updated in the file
|
||||||
// every hour. The token can be stored directly as plain text or in JSON format.
|
// every hour. The token can be stored directly as plain text or in JSON format.
|
||||||
// For URL-sourced credentials, a local server needs to host a GET endpoint to
|
// For URL-sourced credentials, a local server needs to host a GET endpoint to
|
||||||
// return the OIDC token. The response can be in plain text or JSON.
|
// return the OIDC/SAML token. The response can be in plain text or JSON.
|
||||||
// Additional required request headers can also be specified.
|
// Additional required request headers can also be specified.
|
||||||
// For executable-sourced credentials, an application needs to be available to
|
// For executable-sourced credentials, an application needs to be available to
|
||||||
// output the OIDC token and other information in a JSON format.
|
// output the OIDC/SAML token and other information in a JSON format.
|
||||||
// For more information on how these work (and how to implement
|
// For more information on how these work (and how to implement
|
||||||
// executable-sourced credentials), please check out:
|
// executable-sourced credentials), please check out:
|
||||||
// https://cloud.google.com/iam/docs/using-workload-identity-federation#oidc
|
// https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_a_credential_configuration
|
||||||
|
//
|
||||||
|
// Note that this library does not perform any validation on the token_url, token_info_url,
|
||||||
|
// or service_account_impersonation_url fields of the credential configuration.
|
||||||
|
// It is not recommended to use a credential configuration that you did not generate with
|
||||||
|
// the gcloud CLI unless you verify that the URL fields point to a googleapis.com domain.
|
||||||
|
//
|
||||||
|
// # Workforce Identity Federation
|
||||||
|
//
|
||||||
|
// Workforce identity federation lets you use an external identity provider (IdP) to
|
||||||
|
// authenticate and authorize a workforce—a group of users, such as employees, partners,
|
||||||
|
// and contractors—using IAM, so that the users can access Google Cloud services.
|
||||||
|
// Workforce identity federation extends Google Cloud's identity capabilities to support
|
||||||
|
// syncless, attribute-based single sign on.
|
||||||
|
//
|
||||||
|
// With workforce identity federation, your workforce can access Google Cloud resources
|
||||||
|
// using an external identity provider (IdP) that supports OpenID Connect (OIDC) or
|
||||||
|
// SAML 2.0 such as Azure Active Directory (Azure AD), Active Directory Federation
|
||||||
|
// Services (AD FS), Okta, and others.
|
||||||
|
//
|
||||||
|
// Follow the detailed instructions on how to configure Workload Identity Federation
|
||||||
|
// in various platforms:
|
||||||
|
//
|
||||||
|
// Azure AD: https://cloud.google.com/iam/docs/workforce-sign-in-azure-ad
|
||||||
|
// Okta: https://cloud.google.com/iam/docs/workforce-sign-in-okta
|
||||||
|
// OIDC identity provider: https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#oidc
|
||||||
|
// SAML 2.0 identity provider: https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#saml
|
||||||
|
//
|
||||||
|
// For workforce identity federation, the library can retrieve tokens in three ways:
|
||||||
|
// from a local file location (file-sourced credentials), from a server
|
||||||
|
// (URL-sourced credentials), or from a local executable (executable-sourced
|
||||||
|
// credentials).
|
||||||
|
// For file-sourced credentials, a background process needs to be continuously
|
||||||
|
// refreshing the file location with a new OIDC/SAML token prior to expiration.
|
||||||
|
// For tokens with one hour lifetimes, the token needs to be updated in the file
|
||||||
|
// every hour. The token can be stored directly as plain text or in JSON format.
|
||||||
|
// For URL-sourced credentials, a local server needs to host a GET endpoint to
|
||||||
|
// return the OIDC/SAML token. The response can be in plain text or JSON.
|
||||||
|
// Additional required request headers can also be specified.
|
||||||
|
// For executable-sourced credentials, an application needs to be available to
|
||||||
|
// output the OIDC/SAML token and other information in a JSON format.
|
||||||
|
// For more information on how these work (and how to implement
|
||||||
|
// executable-sourced credentials), please check out:
|
||||||
|
// https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#generate_a_configuration_file_for_non-interactive_sign-in
|
||||||
//
|
//
|
||||||
// Note that this library does not perform any validation on the token_url, token_info_url,
|
// Note that this library does not perform any validation on the token_url, token_info_url,
|
||||||
// or service_account_impersonation_url fields of the credential configuration.
|
// or service_account_impersonation_url fields of the credential configuration.
|
||||||
|
|
@ -86,5 +130,4 @@
|
||||||
// same as the one obtained from the oauth2.Config returned from ConfigFromJSON or
|
// same as the one obtained from the oauth2.Config returned from ConfigFromJSON or
|
||||||
// JWTConfigFromJSON, but the Credentials may contain additional information
|
// JWTConfigFromJSON, but the Credentials may contain additional information
|
||||||
// that is useful is some circumstances.
|
// that is useful is some circumstances.
|
||||||
//
|
|
||||||
package google // import "golang.org/x/oauth2/google"
|
package google // import "golang.org/x/oauth2/google"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue