OCI authentication-provider constructors.
Each public fn returns an AbstractAuthenticationDetailsProvider — the
marker interface that every OCI client's Builder.build(...) accepts.
Pass the result to clj-oci.clients/build-*-client for a one-shot
client, or to the 2-arity clj-oci.clients/*-client-for-region /
:auth-details-keyed clj-oci.clients/*-client-for for the per-region
cache.
No auto-detection. No implicit env-var consultation. No silent fallback.
The caller picks the provider by name. The existing ~/.oci/config
path is what clj-oci.clients/authentication-details provides
(singleton); everything in this namespace is the explicit alternative
for OCI-native runtimes (Instance Principal, Resource Principal, OKE
workload identity, workload-identity federation, session token) and for
tests.
Why the unusual return type: InstancePrincipalsAuthenticationDetailsProvider
and ResourcePrincipalAuthenticationDetailsProvider do NOT implement
AuthenticationDetailsProvider (only AbstractAuthenticationDetailsProvider,
the marker interface). So we declare the marker — which is also what
every client builder's .build actually accepts.
Javadocs: https://docs.oracle.com/en-us/iaas/tools/java/3.86.0/
(config-file)
(config-file {:keys [path profile]})
ConfigFileAuthenticationDetailsProvider — reads ~/.oci/config.
Zero-arg: parses the default config file with the DEFAULT profile.
With opts map:
  :path    — config file path (default: ~/.oci/config)
  :profile — profile name (default: DEFAULT)
(instance-principal)
InstancePrincipalsAuthenticationDetailsProvider — for code running on an OCI Compute instance with instance principal authentication enabled. Authenticates via the instance metadata service (IMDS).
Takes no opts. The SDK builder for this provider does NOT expose a region
setter — region is always derived from IMDS at call time. Cross-region
operations from an instance-principal-authenticated process go through the
per-region client dispatchers (*-client-for-region), which set region on
the client builder, not on the provider.
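The explicit-selection rule from the namespace docstring and the "region goes on the client builder" point above, as an added example that is not code from clj-oci. It assumes the constructors live in a namespace named clj-oci.auth and take the opts maps documented on this page; because the page does not list the exact clj-oci.clients function names, the client is built directly on the OCI Java SDK's IdentityClient builder, which accepts the same marker type.

```clojure
(ns example.oci-auth-dispatch
  "Added example, not code from clj-oci: explicit provider selection plus a
   client built directly on the OCI Java SDK builder. Assumptions: the
   constructors live in a namespace named clj-oci.auth and take the opts maps
   documented on this page."
  (:require [clj-oci.auth :as auth])
  (:import [com.oracle.bmc Region]
           [com.oracle.bmc.auth AbstractAuthenticationDetailsProvider]
           [com.oracle.bmc.identity IdentityClient]
           [com.oracle.bmc.identity.requests ListRegionsRequest]))

(defn provider-for
  "Dispatch on an explicit :kind taken from the application's own configuration.
   There is deliberately no default branch that falls back to ~/.oci/config:
   an unrecognised kind is a configuration error and fails loudly."
  ^AbstractAuthenticationDetailsProvider
  [{:keys [kind path profile]}]
  (let [file-opts (cond-> {}
                    path    (assoc :path path)
                    profile (assoc :profile profile))]
    (case kind
      :config-file           (auth/config-file file-opts)
      :session-token         (auth/session-token file-opts)
      :instance-principal    (auth/instance-principal)
      :resource-principal    (auth/resource-principal)
      :oke-workload-identity (auth/oke-workload-identity)
      (throw (ex-info "unknown OCI auth provider kind"
                      {:kind  kind
                       :known #{:config-file :session-token :instance-principal
                                :resource-principal :oke-workload-identity}})))))

(defn identity-client
  "Region goes on the *client* builder. For instance-principal this is the
   only place it can go: the provider builder has no region setter and the
   provider itself reports whatever region IMDS returns."
  ^IdentityClient [^AbstractAuthenticationDetailsProvider provider ^Region region]
  (-> (IdentityClient/builder)
      (.region region)
      (.build provider)))

(defn region-names
  "Sanity call that needs no OCIDs: the regions the tenancy is subscribed to."
  [^IdentityClient client]
  (->> (.listRegions client (.build (ListRegionsRequest/builder)))
       (.getItems)
       (mapv #(.getName ^com.oracle.bmc.identity.model.Region %))))

(comment
  ;; On a Compute instance with instance principals enabled, calling Frankfurt
  ;; from a process whose IMDS region may well be somewhere else:
  (with-open [c (identity-client (provider-for {:kind :instance-principal})
                                 Region/EU_FRANKFURT_1)]
    (region-names c)))
```

The `case` has no default that silently picks `~/.oci/config`; a typo in the configured kind surfaces as an `ex-info` listing the accepted kinds, which is what "the caller picks the provider by name" buys you operationally.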
(oke-workload-identity)
OkeWorkloadIdentityAuthenticationDetailsProvider — for code running in an OKE pod, authenticating as the workload (cluster + namespace + service-account) rather than the worker node. Zero-config: auto-detects the pod's projected service-account token and the in-cluster proxymux endpoint.
Distinct from instance-principal (the node's coarse identity, shared by
every pod on the node) and from workload-identity-federation (Identity-Domains
OAuth token-exchange — a different mechanism).
Requirements: an ENHANCED OKE cluster, and the pod bound to a service
account. Authorization is granted by an IAM policy with request.principal.*
conditions — NOT a dynamic group:
  Allow any-user to <verb> <resource> in <location> where all {
    request.principal.type = 'workload',
    request.principal.namespace = '<k8s-namespace>',
    request.principal.service_account = '<k8s-service-account>',
    request.principal.cluster_id = '<cluster-ocid>' }
Usable only via an OCI SDK (not the Console/API).
(resource-principal)
ResourcePrincipalAuthenticationDetailsProvider — for code running in OCI Functions / Container Instances / Data Science. Reads the OCI_RESOURCE_PRINCIPAL_* environment variables that the OCI runtime injects. Auto-selects v1.1 / v2 / v2.1 / v2.2 based on OCI_RESOURCE_PRINCIPAL_VERSION.
The caller chooses to use this; we do not auto-detect from the env.
(resource-principal-v3)
ResourcePrincipalsV3AuthenticationDetailsProvider — pins the v3 token
shape explicitly. Use when v3 semantics are required; most callers
want resource-principal instead.
(session-token)
(session-token {:keys [path profile]})
SessionTokenAuthenticationDetailsProvider — for delegated user sessions
(the output of oci session authenticate). Reads the session token from
the config file.
The SDK builder for this provider does NOT expose configuration-file-path
or profile-name setters — only file-path and session-token setters at the
constituent level. To load from ~/.oci/config, we use the constructor.
Zero-arg: reads the default config file with the DEFAULT profile.
With opts map:
  :path    — config file path
  :profile — profile name
(simple {:keys [tenancy-id user-id fingerprint region private-key-supplier pass-phrase]})
SimpleAuthenticationDetailsProvider — manual credential supply. Useful
for tests and for callers that hold credentials in a non-standard form.
Required keys:
  :tenancy-id            tenancy OCID (passed to .tenantId)
  :user-id               user OCID
  :fingerprint           key fingerprint
  :region                com.oracle.bmc.Region
  :private-key-supplier  java.util.function.Supplier<InputStream>
                         returning a PEM-encoded private key
Optional:
  :pass-phrase           PEM passphrase string
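A test-oriented use of `simple`, as an added example that is not code from clj-oci. It generates a throwaway RSA key in memory, wraps it in the `Supplier<InputStream>` the provider wants, and computes the fingerprint OCI derives from an uploaded API key so that the three parts of the signing key id line up. Assumptions: the namespace is clj-oci.auth, the OCIDs are constructed placeholders rather than real identifiers, and the returned object is type-hinted to the concrete SDK class (the fn's declared return type is the marker interface).

```clojure
(ns example.oci-simple-auth
  "Added example, not code from clj-oci: a SimpleAuthenticationDetailsProvider
   built from an in-memory, freshly generated RSA key for tests. Assumptions:
   the namespace is clj-oci.auth, and the OCIDs below are constructed
   placeholders, not real identifiers."
  (:require [clj-oci.auth :as auth]
            [clojure.string :as str])
  (:import [java.io ByteArrayInputStream]
           [java.security KeyPairGenerator MessageDigest PublicKey]
           [java.util Base64]
           [java.util.function Supplier]
           [com.oracle.bmc Region]
           [com.oracle.bmc.auth SimpleAuthenticationDetailsProvider]))

(defn- pem
  "Wraps DER bytes in a PEM block. Java's RSA PrivateKey encodes as PKCS#8,
   hence the PRIVATE KEY label."
  ^String [^String label ^bytes der]
  (str "-----BEGIN " label "-----\n"
       (.encodeToString (Base64/getMimeEncoder 64 (.getBytes "\n")) der)
       "\n-----END " label "-----\n"))

(defn oci-fingerprint
  "The fingerprint OCI expects for an API key: colon-separated lowercase hex of
   the MD5 of the DER-encoded (SubjectPublicKeyInfo) public key, i.e. what
   `openssl rsa -pubout -outform DER | openssl md5 -c` prints."
  ^String [^PublicKey pub]
  (->> (.digest (MessageDigest/getInstance "MD5") (.getEncoded pub))
       (map #(format "%02x" (bit-and % 0xff)))
       (str/join ":")))

(defn generate-test-credentials
  "Throwaway RSA-2048 key pair. The supplier hands out a *new* InputStream per
   call; a single shared stream would be exhausted if the SDK read it twice."
  []
  (let [kp        (.generateKeyPair (doto (KeyPairGenerator/getInstance "RSA")
                                      (.initialize 2048)))
        pem-bytes (.getBytes (pem "PRIVATE KEY" (.getEncoded (.getPrivate kp)))
                             "US-ASCII")]
    {:fingerprint          (oci-fingerprint (.getPublic kp))
     :private-key-supplier (reify Supplier
                             (get [_] (ByteArrayInputStream. pem-bytes)))}))

(defn test-provider
  "Constructed placeholder OCIDs; only the key material is real."
  ^SimpleAuthenticationDetailsProvider []
  (let [{:keys [fingerprint private-key-supplier]} (generate-test-credentials)]
    (auth/simple {:tenancy-id           "ocid1.tenancy.oc1..example"
                  :user-id              "ocid1.user.oc1..example"
                  :fingerprint          fingerprint
                  :region               Region/US_PHOENIX_1
                  :private-key-supplier private-key-supplier})))

(defn key-id
  "The keyId the SDK puts in the request Signature header:
   tenancy/user/fingerprint. Checking it in a test is a cheap way to catch a
   swapped tenancy/user OCID before a request ever leaves the process."
  ^String [^SimpleAuthenticationDetailsProvider p]
  (.getKeyId p))

(comment
  (str/split (key-id (test-provider)) #"/"))   ; => [tenancy-ocid user-ocid fingerprint]
```

The supplier returns a fresh `ByteArrayInputStream` each time it is asked, which is the property a `Supplier<InputStream>` needs here; handing the SDK a stream it has already drained is the usual cause of a confusing "no private key" failure in tests.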
(workload-identity-federation {:keys [token-exchange-url subject-token-supplier region client-credential app-id resource-type rpst-expiry requested-token-type]})
WorkloadIdentityFederationAuthenticationDetailProvider — OCI Identity-Domains
OAuth2 token-exchange federation. Exchanges an external workload's subject
token for an OCI session token against an Identity Domain. This is NOT OKE
pod workload identity — for that, use oke-workload-identity. (The SDK class
name omits the 's' — DetailProvider, not DetailsProvider — an SDK quirk.)
Required keys (the token-exchange flow):
  :token-exchange-url      Identity-Domain token-exchange endpoint (String)
  :subject-token-supplier  java.util.function.Supplier<String> yielding the
                           external subject token
  :region                  com.oracle.bmc.Region
  :client-credential       OAuth client credential (String)
  :app-id                  confidential-application id (String)
Optional keys:
  :resource-type           (String)
  :rpst-expiry             (String)
  :requested-token-type    "RPST" | "UPST" (String)
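The token-exchange flow above, as an added example that is not code from clj-oci. The part worth showing is the `Supplier<String>`: external issuers rotate short-lived subject tokens in place, so the supplier re-reads the token file on every call instead of capturing its contents once. Assumptions: the namespace is clj-oci.auth; the token-exchange URL, client credential, app id and token path come from the application's own configuration (the literal paths in the usage comment are placeholders).

```clojure
(ns example.oci-wif-auth
  "Added example, not code from clj-oci: workload-identity federation with a
   subject-token supplier that re-reads a projected token file on every call.
   Assumptions: the namespace is clj-oci.auth; the token-exchange URL, client
   credential and app id come from the application's own configuration."
  (:require [clj-oci.auth :as auth]
            [clojure.string :as str])
  (:import [java.nio.file Files Paths]
           [java.util.function Supplier]
           [com.oracle.bmc Region]))

(defn file-token-supplier
  "Kubernetes (and most external issuers) rotate short-lived tokens in place.
   Reading the file on every get, instead of capturing its contents once,
   means each exchange presents the current token rather than one that
   expired while the process was running. An empty file is an error, not an
   empty subject token sent to the Identity Domain."
  ^Supplier [^String path]
  (let [p (Paths/get path (into-array String []))]
    (reify Supplier
      (get [_]
        (let [tok (str/trim (String. (Files/readAllBytes p) "UTF-8"))]
          (when (str/blank? tok)
            (throw (ex-info "subject token file is empty" {:path path})))
          tok)))))

(defn federated-provider
  "Wires the supplier into workload-identity-federation. The client credential
   is a secret: pass it in from a mounted secret or a secret store, never as
   a literal in code."
  [{:keys [token-exchange-url subject-token-path client-credential app-id
           region requested-token-type]
    :or   {requested-token-type "RPST"}}]
  (when-not (contains? #{"RPST" "UPST"} requested-token-type)
    (throw (ex-info "requested-token-type must be RPST or UPST"
                    {:requested-token-type requested-token-type})))
  (auth/workload-identity-federation
   {:token-exchange-url     token-exchange-url
    :subject-token-supplier (file-token-supplier subject-token-path)
    :region                 region
    :client-credential      client-credential
    :app-id                 app-id
    :requested-token-type   requested-token-type}))

(comment
  ;; Placeholder locations; the application decides where these live. Reading
  ;; them here is the app's explicit choice, not the library sniffing the env.
  (federated-provider
   {:token-exchange-url (System/getProperty "oci.token-exchange-url")
    :subject-token-path "/var/run/secrets/tokens/oci-token"
    :client-credential  (str/trim (slurp "/var/run/secrets/oci/client-credential"))
    :app-id             (System/getProperty "oci.app-id")
    :region             Region/US_ASHBURN_1}))
```

Validating `:requested-token-type` up front keeps a typo from turning into an opaque token-endpoint error; the choice between RPST and UPST is a decision the caller makes, so it is checked where the caller makes it.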