Package com.oracle.bmc.auth

Class WorkloadIdentityFederationAuthenticationDetailProvider

java.lang.Object

com.oracle.bmc.auth.WorkloadIdentityFederationAuthenticationDetailProvider

All Implemented Interfaces:

AbstractAuthenticationDetailsProvider, BasicAuthenticationDetailsProvider, ProvidesConfigurableRefresh, RefreshableOnNotAuthenticatedProvider<String>, RegionProvider, AutoCloseable

public class WorkloadIdentityFederationAuthenticationDetailProvider
extends Object
implements BasicAuthenticationDetailsProvider, RegionProvider, RefreshableOnNotAuthenticatedProvider<String>, ProvidesConfigurableRefresh, AutoCloseable

A BasicAuthenticationDetailsProvider implementation that uses workload identity federation to authenticate with Oracle Cloud Infrastructure.

This provider exchanges a subject token (e.g., a Kubernetes service account token) for an OCI session token, which is then used to sign API requests.

This provider offers two key features for robust authentication in long-running applications:

1. Asynchronous Initialization with buildAsync():
   The builder() provides a buildAsync() method that pre-fetches the first authentication token upon initialization. This "fail-fast" approach ensures that authentication issues are discovered at startup rather than during the first API call, and it eliminates the initial authentication delay.
2. Automatic Proactive Token Refresh with retryConfiguration():
   For applications that make continuous API calls, this provider offers automatic proactive token refresh when retry configuration is provided via WorkloadIdentityFederationAuthenticationDetailProvider.WorkloadIdentityFederationAuthenticationDetailProviderBuilder.retryConfiguration(RetryConfiguration). When retry configuration is set, the provider uses a background thread to automatically refresh the session token before it expires, preventing the calling thread from being blocked by token refresh operations and ensuring consistent API call performance. When no retry configuration is provided, proactive refresh is disabled to conserve resources.

When proactive refresh is enabled (via retry configuration), it is crucial to call close() (or shutdown()) * when the provider is no longer needed to release the background scheduling thread.

See Also:

WorkloadIdentityFederationAuthenticationDetailProvider.WorkloadIdentityFederationAuthenticationDetailProviderBuilder

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	WorkloadIdentityFederationAuthenticationDetailProvider.WorkloadIdentityFederationAuthenticationDetailProviderBuilder	Builder for WorkloadIdentityFederationAuthenticationDetailProvider.

Method Summary

Modifier and Type	Method	Description
static WorkloadIdentityFederationAuthenticationDetailProvider.WorkloadIdentityFederationAuthenticationDetailProviderBuilder	builder()	Creates a new WorkloadIdentityFederationAuthenticationDetailProviderBuilder.
void	close()
String	getKeyId()	Returns the keyId used to sign requests.
String	getPassPhrase()	Returns the optional pass phrase for the (encrypted) private key.
char[]	getPassphraseCharacters()	Returns the optional pass phrase for the (encrypted) private key, as a character array.
InputStream	getPrivateKey()	Returns a new InputStream to the private key.
Region	getRegion()	Returns the region.
String	refresh()	Refreshes the authentication data used by the provider
String	refreshAndGetSecurityTokenIfExpiringWithin(Duration duration)	Gets a security token from the federation endpoint if the security token expires within the provided duration.
String	refreshAndGetSecurityTokenIfExpiringWithin(Duration duration, boolean refreshKeys)	Gets a security token from the federation endpoint if the security token expires within the provided duration and allows to enable/disable refresh of keys.
void	shutdown()	Shuts down the authentication provider and releases resources.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

builder

public static WorkloadIdentityFederationAuthenticationDetailProvider.WorkloadIdentityFederationAuthenticationDetailProviderBuilder builder()

Creates a new WorkloadIdentityFederationAuthenticationDetailProviderBuilder.

Returns:

A new builder instance.

refresh

public String refresh()

Description copied from interface: RefreshableOnNotAuthenticatedProvider

Refreshes the authentication data used by the provider

Specified by:

refresh in interface RefreshableOnNotAuthenticatedProvider<String>

Returns:

the refreshed authentication data

refreshAndGetSecurityTokenIfExpiringWithin

public String refreshAndGetSecurityTokenIfExpiringWithin(Duration duration)

Description copied from interface: ProvidesConfigurableRefresh

Gets a security token from the federation endpoint if the security token expires within the provided duration.

This will always retrieve a new token from the federation endpoint and does not use a cached token.

Specified by:

refreshAndGetSecurityTokenIfExpiringWithin in interface ProvidesConfigurableRefresh

Parameters:

duration - the duration to check

Returns:

A security token that can be used to authenticate requests.

refreshAndGetSecurityTokenIfExpiringWithin

public String refreshAndGetSecurityTokenIfExpiringWithin(Duration duration,
                                                         boolean refreshKeys)

Description copied from interface: ProvidesConfigurableRefresh

Gets a security token from the federation endpoint if the security token expires within the provided duration and allows to enable/disable refresh of keys.

This will always retrieve a new token from the federation endpoint and does not use a cached token.

Specified by:

refreshAndGetSecurityTokenIfExpiringWithin in interface ProvidesConfigurableRefresh

Parameters:

duration - the duration to check

refreshKeys - boolean value to enable/disable refresh of keys

Returns:

A security token that can be used to authenticate requests.

getRegion

public Region getRegion()

Description copied from interface: RegionProvider

Returns the region.

Specified by:

getRegion in interface RegionProvider

Returns:

Region object.

getKeyId

public String getKeyId()

Description copied from interface: BasicAuthenticationDetailsProvider

Returns the keyId used to sign requests.

Specified by:

getKeyId in interface BasicAuthenticationDetailsProvider

Returns:

The keyId.

getPrivateKey

public InputStream getPrivateKey()

Description copied from interface: BasicAuthenticationDetailsProvider

Returns a new InputStream to the private key.

This stream should be closed by the caller, implementations should return new streams each time.

Specified by:

getPrivateKey in interface BasicAuthenticationDetailsProvider

Returns:

A new InputStream.

getPassPhrase

public String getPassPhrase()

Description copied from interface: BasicAuthenticationDetailsProvider

Returns the optional pass phrase for the (encrypted) private key.

Specified by:

getPassPhrase in interface BasicAuthenticationDetailsProvider

Returns:

The pass phrase, or null if not applicable

getPassphraseCharacters

public char[] getPassphraseCharacters()

Description copied from interface: BasicAuthenticationDetailsProvider

Returns the optional pass phrase for the (encrypted) private key, as a character array.

Specified by:

getPassphraseCharacters in interface BasicAuthenticationDetailsProvider

Returns:

The pass phrase as character array, or null if not applicable

close

public void close()

Specified by:

close in interface AutoCloseable

shutdown

public void shutdown()

Shuts down the authentication provider and releases resources.

This method delegates to the federation client’s shutdown method to ensure proper cleanup of the proactive refresh scheduler.