Commit 7ce2985

[AIP-4117] expiration_time is optional unless an output_file is specified (#924)
1 parent dbe3798 commit 7ce2985

1 file changed

Lines changed: 8 additions & 7 deletions

aip/auth/4117.md

@@ -431,13 +431,13 @@ Additionally, the executable **must** adhere to the following response format:
431431

432432
Successful responses:
433433

434-
| Field Name | Type | Description |
435-
|---------------------------|---------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
436-
| version | number | The version of the JSON output. Currently only version 1 is supported. |
437-
| success | boolean | The status of the response. True in this case. |
438-
| token_type | string | The 3rd party subject token type. Must be *urn:ietf:params:oauth:token-type:jwt*, *urn:ietf:params:oauth:token-type:id_token*, or *urn:ietf:params:oauth:token-type:saml2*. |
439-
| id_token OR saml_response | string | The 3rd party OIDC token or SAML response. |
440-
| expiration_time | number | The 3rd party subject token expiration time in seconds (unix epoch time). |
434+
| Field Name | Type | Description |
435+
|---------------------------|---------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
436+
| version | number | The version of the JSON output. Currently only version 1 is supported. |
437+
| success | boolean | The status of the response. True in this case. |
438+
| token_type | string | The 3rd party subject token type. Must be *urn:ietf:params:oauth:token-type:jwt*, *urn:ietf:params:oauth:token-type:id_token*, or *urn:ietf:params:oauth:token-type:saml2*. |
439+
| id_token OR saml_response | string | The 3rd party OIDC token or SAML response. |
440+
| expiration_time | number | The optional 3rd party subject token expiration time in seconds (unix epoch time). Only required in the response when an output file is specified in the credential configuration. |
441441

442442
A sample successful executable OIDC response:
443443
```json
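Review bot: The new `expiration_time` description (row `440+`) makes the field conditional but does not say what the caller must do in either case. The visible text does not state that a response without `expiration_time` is to be rejected when an output file is configured, nor how a token with no stated expiry is to be treated when no output file is configured. The section header uses normative wording ("the executable **must** adhere to the following response format"), so suggest phrasing the condition with **must** and adding the rejection case alongside "If the response is malformed or invalid, error out." The other table rows change only in column padding, which is fine.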
@@ -493,6 +493,7 @@ The auth libraries and applications **must** follow the steps below:
493493
- If the response is malformed or invalid, error out.
494494
- Ensure the following environment variables will be available to the executable:
495495
- `GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE`: The audience field from the credential configuration. Must always be present.
496+
- `GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE`: The subject token type. Must always be present.
496497
- `GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL`: The service account email. Only present when service account impersonation is used.
497498
- `GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE`: The output file location from the credential configuration. Only present when specified in the credential configuration.
498499
- Run the command specified at **credential_source.executable.command**.
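Review bot: The added `GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE` entry (line `496+`) does not say where its value comes from, while its neighbours do ("The audience field from the credential configuration", "The output file location from the credential configuration"). Suggest naming the source field in the same style, and stating whether the `token_type` returned in the executable's response must match this value. The commit title mentions only `expiration_time`, so this new environment variable should also be called out in the commit message.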
