Class WorkloadIdentityFederationClient

    • Constructor Detail

      • WorkloadIdentityFederationClient

        public WorkloadIdentityFederationClient(String tokenExchangeEndpoint,
                                                Supplier<String> subjectTokenSupplier,
                                                SessionKeySupplier sessionKeySupplier,
                                                String clientCredentials,
                                                Map<String,String> requestPayload,
                                                Boolean isInstanceCertificatesRequired,
                                                ClientConfigurator clientConfigurator,
                                                CircuitBreakerConfiguration circuitBreakerConfiguration,
                                                List<ClientConfigurator> additionalClientConfigurators,
                                                Long earlySessionTokenExpirationInSeconds,
                                                boolean enableProactiveRefresh,
                                                RetryConfiguration tokenExchangeRetryConfiguration)
        Constructor of WorkloadIdentityFederationClient.
        Parameters:
        tokenExchangeEndpoint - the identity cloud service token endpoint
        subjectTokenSupplier - the subject token supplier
        sessionKeySupplier - the session key supplier
        clientCredentials - the client credentials of the OAuth application
        requestPayload - the map of parameters to send to the server
        clientConfigurator - the REST client configurator
        circuitBreakerConfiguration - the REST client circuit breaker configuration
        additionalClientConfigurators - additional client configurators to be run after the primary configurator
        earlySessionTokenExpirationInSeconds - the number of seconds before expiration at which the token is refreshed
        enableProactiveRefresh - whether proactive refresh is enabled
        tokenExchangeRetryConfiguration - the SDK retry configuration to use
    • Method Detail

      • getSecurityToken

        public CompletableFuture<String> getSecurityToken()
        Overrides the base implementation to provide proactive token refresh behavior.

        Unlike the base class, which refreshes tokens only when they are already invalid, this implementation refreshes tokens early (before expiration) to prevent authentication failures in workload identity scenarios where timing is critical.

        The early refresh is controlled by earlySessionTokenExpirationInSeconds (default 5 minutes), ensuring tokens are renewed well before they expire to avoid any risk of using an expired token during authentication.

        Specified by:
        getSecurityToken in interface AsyncFederationClient
        Overrides:
        getSecurityToken in class AbstractAsyncFederationClient
        Returns:
        CompletableFuture containing the security token
      • getStringClaim

        public String getStringClaim(String key)
        Description copied from interface: AsyncFederationClient
        Get a claim embedded in the security token.

        May use the cached token if it is judged to still be valid.

      • shutdown

        public void shutdown()
        Shuts down the proactive refresh scheduler.

        This method should be called when the client is no longer needed to clean up resources.
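
The early-refresh check described under getSecurityToken, sketched as an added example; it is not the SDK's implementation or code from this page. EarlyRefreshTokenCache, Token, the fake exchange supplier and the 20-minute token lifetime are assumptions made for the demo; only the 5-minute window comes from the documented default.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

/** Sketch of early-refresh caching; all names here are hypothetical, not SDK types. */
public class EarlyRefreshTokenCache {
    /** A token value plus the instant it stops being valid. */
    public record Token(String value, Instant expiresAt) {}

    private final Supplier<Token> exchange;  // stands in for the token exchange request
    private final Duration earlyWindow;      // role of earlySessionTokenExpirationInSeconds
    private final Supplier<Instant> now;     // injectable clock so the window can be exercised
    private Token cached;

    public EarlyRefreshTokenCache(Supplier<Token> exchange, long earlySeconds, Supplier<Instant> now) {
        if (earlySeconds < 0) throw new IllegalArgumentException("earlySeconds must be >= 0");
        this.exchange = exchange;
        this.earlyWindow = Duration.ofSeconds(earlySeconds);
        this.now = now;
    }

    /** True when no token is cached or the cached one is inside the early-refresh window. */
    synchronized boolean needsRefresh() {
        return cached == null || !now.get().isBefore(cached.expiresAt().minus(earlyWindow));
    }

    /** Returns the cached token, exchanging for a new one first when it is close to expiry. */
    public synchronized CompletableFuture<String> getSecurityToken() {
        if (needsRefresh()) {
            Token fresh = exchange.get();
            // Reject a token that is already expired rather than caching and serving it.
            if (!now.get().isBefore(fresh.expiresAt())) {
                return CompletableFuture.failedFuture(new IllegalStateException("exchange returned an expired token"));
            }
            cached = fresh;
        }
        return CompletableFuture.completedFuture(cached.value());
    }

    public static void main(String[] args) {
        // Constructed demo: a fake exchange that mints 20-minute tokens, and a 5-minute window.
        AtomicReference<Instant> clock = new AtomicReference<>(Instant.parse("2024-01-01T00:00:00Z"));
        AtomicInteger calls = new AtomicInteger();
        var cache = new EarlyRefreshTokenCache(
                () -> new Token("token-" + calls.incrementAndGet(), clock.get().plusSeconds(1200)), 300, clock::get);
        System.out.println(cache.getSecurityToken().join());   // first call performs the exchange
        clock.set(clock.get().plusSeconds(890));               // 14m50s in: still outside the window
        System.out.println(cache.getSecurityToken().join());   // served from the cache
        clock.set(clock.get().plusSeconds(10));                // 15m in: the window is reached
        System.out.println(cache.getSecurityToken().join());   // exchanged again before expiry
    }
}
```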