doc: Samples for Documenting Custom Credential Suppliers #1820
Conversation
…Workloads and Okta Workload.
vverman
force-pushed
the
chore/document-custom-credential-suppliers
branch
from
d6f790b to
49d17f5
Compare
samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierOktaWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierOktaWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
Outdated
Show resolved
Hide resolved
samples/snippets/src/main/java/CustomCredentialSupplierAwsWorkload.java
Outdated
Show resolved
Hide resolved
| // 2. GCP_WORKLOAD_AUDIENCE: | ||
| // The audience for the workload identity federation. This is the full resource name of the | ||
| // Workload Identity Pool Provider, in the following format: | ||
| // //iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id> |
There was a problem hiding this comment.
qq, in //iam.googleapis.com, is the // needed or a typo?
There was a problem hiding this comment.
Nope that is how the aucience is structured -> Refer
There was a problem hiding this comment.
Gotcha, thanks! Can you wrap it in `` or quotes so that it doesn't look like a typo?
samples/snippets/src/main/java/CustomCredentialSupplierOktaWorkload.java
Show resolved
Hide resolved
| public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException { | ||
| // Check if the current token is still valid (with a 60-second buffer). | ||
| boolean isTokenValid = | ||
| this.accessToken != null && System.currentTimeMillis() < this.expiryTime - 60 * 1000; |
There was a problem hiding this comment.
expiryTime looks like it's set in fetchOktaAccessToken(), which is called later
There was a problem hiding this comment.
This is used to demonstrate caching and token expiry in case of multiple calls to the storage endpoints which isn't handled by the library in case of custom credential suppliers.
Hence I think we should keep this logic.
There was a problem hiding this comment.
I think the logic is fine. From what I see, expiryTime is only set inside fetchOktaAccessToken(), so it may not be set on this first invocation (and has a default value of 0).
| private final String clientId; | ||
| private final String clientSecret; | ||
| private String accessToken; | ||
| private long expiryTime; |
There was a problem hiding this comment.
Instead of using a long, is it possible to use java.time.Instant instead?
If possible, I would prefer to use Instant.now() instead of System.currentTimeMillis()
| public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException { | ||
| // Check if the current token is still valid (with a 60-second buffer). | ||
| boolean isTokenValid = | ||
| this.accessToken != null && System.currentTimeMillis() < this.expiryTime - 60 * 1000; |
There was a problem hiding this comment.
Can you create a constant for 60 * 1000 (make it less of a magic number)?
| // Okta authorization server. Multiple scopes can be requested by space-separating them | ||
| // (e.g., "scope1 scope2"). |
There was a problem hiding this comment.
Can the example showcase multiple scopes?
Would it be scope=gcp.test.read gcp.test.write or would the spcae need to be encoded?
| */ | ||
| private void fetchOktaAccessToken() throws IOException { | ||
| URL url = new URL(this.oktaTokenUrl); | ||
| HttpURLConnection conn = (HttpURLConnection) url.openConnection(); |
There was a problem hiding this comment.
Can you call disconnect() at the end to close the connection?
| <dependency> | ||
| <groupId>software.amazon.awssdk</groupId> | ||
| <artifactId>auth</artifactId> | ||
| <version>2.20.27</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>software.amazon.awssdk</groupId> | ||
| <artifactId>regions</artifactId> | ||
| <version>2.20.27</version> | ||
| </dependency> |
There was a problem hiding this comment.
nit: Can we import their BOM? and have the bom manage these versions together?
I know above we seem to have a bom but manage some deps separately (I'm not too sure why that's the case).
| // To set up the Okta application for this flow: | ||
| // a. In your Okta developer console, create a new Application of type "Machine-to-Machine | ||
| // (M2M)". | ||
| // b. Under the "General" tab, ensure that "Client Credentials" is an allowed grant type. | ||
| // c. Note the "Client ID" and "Client Secret" for your application. | ||
| // d. Navigate to "Security" > "API" and select your authorization server (e.g., "default"). | ||
| // e. Under the "Scopes" tab, add a custom scope (e.g., "gcp.test.read"). | ||
| // f. Ensure your M2M application is granted this scope. |
There was a problem hiding this comment.
Thanks! I am fine with this for the samples. I'm wondering if Okta has any public docs that also describes this. I'm just a bit worried that this flow or UI may change in the future.
3 participants
Documenting the custom credential supplier for authenticating:
AWS Workloads.
Okta Workloads.