Google Git
Sign in
go / oauth2 / b44042a4b9c12aec471902e0287a912bcb3ac1db^! / .
commitb44042a4b9c12aec471902e0287a912bcb3ac1db[log] [tgz]
authorRyan Kohler <ryan.c.kohler@gmail.com>Tue Oct 04 02:30:00 2022 +0000
committerGopher Robot <gobot@golang.org>Thu Oct 06 15:09:49 2022 +0000
treecfd4cb9c1d00e98342468e68f4c8773c3e0f5c3f
parentf21342109be17cd214ecfcd33065b79cd571673e [diff]
google/google: update documentation for workload identity federation

Including information on executable-sourced credentials

Change-Id: I39bcf20ffd1f5a9026d3d18e127411c03021977d
GitHub-Last-Rev: d61f2e71d26d9111f0fecd481ee1615ac60ad49b
GitHub-Pull-Request: golang/oauth2#592
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/436836
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Leo Siracusa <leosiracusa@google.com>
Run-TryBot: Cody Oss <codyoss@google.com>
Reviewed-by: Cody Oss <codyoss@google.com>
Auto-Submit: Cody Oss <codyoss@google.com>

diff --git a/google/doc.go b/google/doc.go
index dddf651..b3e7bc8 100644
--- a/google/doc.go
+++ b/google/doc.go

@@ -40,9 +40,10 @@
 //	Microsoft Azure: https://cloud.google.com/iam/docs/access-resources-azure
 //	OIDC identity provider: https://cloud.google.com/iam/docs/access-resources-oidc
 //
-// For OIDC providers, the library can retrieve OIDC tokens either from a
-// local file location (file-sourced credentials) or from a local server
-// (URL-sourced credentials).
+// For OIDC and SAML providers, the library can retrieve tokens in three ways:
+// from a local file location (file-sourced credentials), from a server
+// (URL-sourced credentials), or from a local executable (executable-sourced
+// credentials).
 // For file-sourced credentials, a background process needs to be continuously
 // refreshing the file location with a new OIDC token prior to expiration.
 // For tokens with one hour lifetimes, the token needs to be updated in the file
@@ -50,6 +51,11 @@
 // For URL-sourced credentials, a local server needs to host a GET endpoint to
 // return the OIDC token. The response can be in plain text or JSON.
 // Additional required request headers can also be specified.
+// For executable-sourced credentials, an application needs to be available to
+// output the OIDC token and other information in a JSON format.
+// For more information on how these work (and how to implement
+// executable-sourced credentials), please check out:
+// https://cloud.google.com/iam/docs/using-workload-identity-federation#oidc
 //
 // # Credentials
 //