@@ -89,15 +89,16 @@ public final class GoogleIdentityStsV1betaExchangeTokenRequest extends com.googl
8989 * formatted according to section 4.2 of the [OIDC 1.0 Discovery
9090 * specification](https://openid.net/specs/openid-connect-
9191 * discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since
92- * the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix
93- * epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If
94- * possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity
95- * asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in
96- * the allowed audiences for the workload identity pool provider, or one of the audiences allowed
97- * by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest
98- * /v1/projects.locations.workloadIdentityPools.providers#oidc Example header: ``` { "alg":
99- * "RS256", "kid": "us-east-11" } ``` Example payload: ``` { "iss": "https://accounts.google.com",
100- * "iat": 1517963104, "exp": 1517966704, "aud":
92+ * the Unix epoch. This timestamp must be in the past and no more than 24 hours in the past, or
93+ * the token will be rejected. Note that this implies the token is only acceptable within a time
94+ * window of at most 24 hours. - `exp`: The expiration time, in seconds, since the Unix epoch.
95+ * Shorter expiration times are more secure. If possible, we recommend setting an expiration time
96+ * less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity
97+ * pools, this must be a value specified in the allowed audiences for the workload identity pool
98+ * provider, or one of the audiences allowed by default if no audiences were specified. See https:
99+ * //cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.provider
100+ * s#oidc Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example payload: ``` {
101+ * "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud":
101102 * "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-
102103 * pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": { "additional_claim":
103104 * "value" } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity`
@@ -268,15 +269,16 @@ public GoogleIdentityStsV1betaExchangeTokenRequest setScope(java.lang.String sco
268269 * formatted according to section 4.2 of the [OIDC 1.0 Discovery
269270 * specification](https://openid.net/specs/openid-connect-
270271 * discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since
271- * the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix
272- * epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If
273- * possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity
274- * asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in
275- * the allowed audiences for the workload identity pool provider, or one of the audiences allowed
276- * by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest
277- * /v1/projects.locations.workloadIdentityPools.providers#oidc Example header: ``` { "alg":
278- * "RS256", "kid": "us-east-11" } ``` Example payload: ``` { "iss": "https://accounts.google.com",
279- * "iat": 1517963104, "exp": 1517966704, "aud":
272+ * the Unix epoch. This timestamp must be in the past and no more than 24 hours in the past, or
273+ * the token will be rejected. Note that this implies the token is only acceptable within a time
274+ * window of at most 24 hours. - `exp`: The expiration time, in seconds, since the Unix epoch.
275+ * Shorter expiration times are more secure. If possible, we recommend setting an expiration time
276+ * less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity
277+ * pools, this must be a value specified in the allowed audiences for the workload identity pool
278+ * provider, or one of the audiences allowed by default if no audiences were specified. See https:
279+ * //cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.provider
280+ * s#oidc Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example payload: ``` {
281+ * "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud":
280282 * "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-
281283 * pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": { "additional_claim":
282284 * "value" } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity`
@@ -333,15 +335,16 @@ public java.lang.String getSubjectToken() {
333335 * formatted according to section 4.2 of the [OIDC 1.0 Discovery
334336 * specification](https://openid.net/specs/openid-connect-
335337 * discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since
336- * the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix
337- * epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If
338- * possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity
339- * asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in
340- * the allowed audiences for the workload identity pool provider, or one of the audiences allowed
341- * by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest
342- * /v1/projects.locations.workloadIdentityPools.providers#oidc Example header: ``` { "alg":
343- * "RS256", "kid": "us-east-11" } ``` Example payload: ``` { "iss": "https://accounts.google.com",
344- * "iat": 1517963104, "exp": 1517966704, "aud":
338+ * the Unix epoch. This timestamp must be in the past and no more than 24 hours in the past, or
339+ * the token will be rejected. Note that this implies the token is only acceptable within a time
340+ * window of at most 24 hours. - `exp`: The expiration time, in seconds, since the Unix epoch.
341+ * Shorter expiration times are more secure. If possible, we recommend setting an expiration time
342+ * less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity
343+ * pools, this must be a value specified in the allowed audiences for the workload identity pool
344+ * provider, or one of the audiences allowed by default if no audiences were specified. See https:
345+ * //cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.provider
346+ * s#oidc Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example payload: ``` {
347+ * "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud":
345348 * "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-
346349 * pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": { "additional_claim":
347350 * "value" } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity`
0 commit comments