/*
 * Copyright 2020 The gRPC Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package io.grpc;

/**
 * Represents a security configuration to be used for channels. There is no generic mechanism for
 * processing arbitrary {@code ChannelCredentials}; the consumer of the credential (the channel)
 * must support each implementation explicitly and separately. Consumers are not required to support
 * all types or even all possible configurations for types that are partially supported, but they
 * <em>must</em> at least fully support {@link ChoiceChannelCredentials}.
 *
 * <p>A {@code ChannelCredential} provides client identity and authenticates the server. This is
 * different from {@link CallCredentials}, which only provides client identity. They can also
 * influence types of encryption used and similar security configuration.
 *
 * <p>The concrete credential type should not be relevant to most users of the API and may be an
 * implementation decision. Users should generally use the {@code ChannelCredentials} type for
 * variables instead of the concrete type. Freshly-constructed credentials should be returned as
 * {@code ChannelCredentials} instead of a concrete type to encourage this pattern. Concrete types
 * would only be used after {@code instanceof} checks (which must consider
 * {@code ChoiceChannelCredentials}!).
 */
public abstract class ChannelCredentials {
  /**
   * Returns the ChannelCredentials stripped of its CallCredentials. In the future,
   * this may strip only some of the CallCredentials, preserving call credentials
   * that are safe from replay attacks (e.g., if the token is bound to the
   * channel's certificate).
   *
   * @since 1.35.0
   */
  public abstract ChannelCredentials withoutBearerTokens();
}