googleapis / google-auth-library-java Goto Github PK

The DefaultCredentialProvider in google-api-java-client allows for specifying the GCE metadata server address using the GCE_METADATA_HOST environment variable.

https://github.com/google/google-api-java-client/blob/dev/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/OAuth2Utils.java#L110

The golang google cloud library seems to offer the same capability.

https://godoc.org/cloud.google.com/go/compute/metadata#Get

It would be useful if google-auth-library-java supported this as well.

The commit implementing this in google-api-java-client: googleapis/google-api-java-client@7bb680f

I am writing the below code to connect to a Pub-Sub Subscriber.

ServiceAccountCredentials servicecreds= ServiceAccountCredentials.fromStream(new FileInputStream("*.json"));
CredentialsProvider creds= FixedCredentialsProvider.create(servicecreds);
subscriber=Subscriber.newBuilder(subscription, new MessageReceiverExample()).setCredentialsProvider(creds).build();

I am getting "UnAuthenticatedException" when i am Trying to Listen via Subscriber. The code works if i use defaultApplicationCredentials(). But my requirement needs me to connect via the json file and not set Environment Variables.

Hi,
I am trying to check whether a google big query table exists.
I instantiated Credentials object as follows:

Credentials c = new ServiceAccountJwtAccessCredentials(
                "client ID",
                "client email",
                privateKey,
                "private key id");
        BigQueryOptions bqo = BigQueryOptions
                .newBuilder()
                .setCredentials(c)
                .setProjectId("project ID")
                .build();
        BigQuery bq = bqo.getService();
        TableId id = TableId.of("dataset name", "table name");
        Table t = bq.getTable(id);
        System.out.println("table exists()? : " + t.exists());

I am getting the following exception:

Exception in thread "main" com.google.cloud.bigquery.BigQueryException: JwtAccess requires Audience uri to be passed in or the defaultAudience to be specified
	at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.translate(HttpBigQueryRpc.java:86)
	at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.getTable(HttpBigQueryRpc.java:227)
	at com.google.cloud.bigquery.BigQueryImpl$11.call(BigQueryImpl.java:378)
	at com.google.cloud.bigquery.BigQueryImpl$11.call(BigQueryImpl.java:375)
	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:94)
	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:54)
	at com.google.cloud.bigquery.BigQueryImpl.getTable(BigQueryImpl.java:375)
	at com.syed.googlecloudstorage.InstantiateStorage.doSecondJob(InstantiateStorage.java:147)
	at com.syed.googlecloudstorage.InstantiateStorage.main(InstantiateStorage.java:131)
Caused by: java.io.IOException: JwtAccess requires Audience uri to be passed in or the defaultAudience to be specified
	at com.google.auth.oauth2.ServiceAccountJwtAccessCredentials.getRequestMetadata(ServiceAccountJwtAccessCredentials.java:257)
	at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:96)
	at com.google.cloud.http.HttpTransportOptions$1.initialize(HttpTransportOptions.java:157)
	at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:93)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest(AbstractGoogleClientRequest.java:300)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
	at com.google.cloud.bigquery.spi.v2.HttpBigQueryRpc.getTable(HttpBigQueryRpc.java:225)
	... 7 more

Any clues? Can somebody help me on what possible values I can supply for audience uri? Any steps to know that? Please.

The implementation of ComputeEngineCredentials does not support scope, which makes ComputeEngineCredential.createScoped not attach scope as expected. This is causing working with Drive scopes on GAE java8 and GCE receiving errors (e.g. this BigQuery auth issue) . Consider add support for scope in ComputeEngineCredentials.

With GAE java 8 standard runtime, GCE metadata server is used to retrieve credentials. However, unlike google.appengine.api.app_identity.sign_blob(), metadata sever is not able to sign GCS blob (discussion captured here and here). It seems the timeline for metadata server to enable signing is not clear. This currently blocks java storage client library to run on GAE java 8 standard (googleapis/google-cloud-java#2629). Auth lib should implement IAM signer to provide workaround (as python auth lib did: googleapis/google-auth-library-python#108)

Exception in thread "main" java.io.IOException: The Application Default Credentials are not available. They are available if running on Google App Engine, Google Compute Engine, or Google Cloud Shell. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
	at com.google.api.client.googleapis.auth.oauth2.DefaultCredentialProvider.getDefaultCredential(DefaultCredentialProvider.java:98)
	at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.getApplicationDefault(GoogleCredential.java:213)
	at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.getApplicationDefault(GoogleCredential.java:191)
	at com.google.cloud.vision.samples.label.LabelApp.getVisionService(LabelApp.java:100)
	at com.google.cloud.vision.samples.label.LabelApp.main(LabelApp.java:73)

BUILD FAILURE

An access token can become invalid separately from its expiration time due a clock mismatch or other scenarios. If a request fails because the access token is invalid, the adapter should call refresh() to discard the token and retry the request a single time. See google-api-java-client for a reference implementation.

As @aozarov mentioned in #45, it'd be nice to avoid depending on appengine-api-1.0-sdk (17Mb jar) when not necessary.

Alternate options include:

• Use "provided" or a like as a maven dependency
• Use reflection to invoke methods on AppIdentityService. gcloud-java used to do the latter.

I get this error:
Error:(1, 0) You appear to have guava-jdk5 on your project buildScript or buildSrc classpath.
This is likely a transitive dependency of another gradle plugin.Run the buildEnvironment task to find out more.
See https://issuetracker.google.com/38419426#comment8 for a workaround.
Open File

My build.gradle is:

apply plugin: 'com.android.application'
apply plugin: 'org.greenrobot.greendao'
apply plugin: 'com.google.firebase.firebase-crash'
apply plugin: 'me.tatarka.retrolambda'

android {
    compileSdkVersion 25
    buildToolsVersion "25.0.2"
    defaultConfig {
        applicationId "com.digitaldna.courier"
        minSdkVersion 16
        targetSdkVersion 25
        versionCode 3
        versionName "1.3"
        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
        multiDexEnabled true
    }

    signingConfigs {
        debug {
            storeFile file("./debug.keystore")
            storePassword "android"
            keyAlias "androiddebugkey"
            keyPassword "android"
        }

        release {
            storeFile file("./debug.keystore")
            storePassword "android"
            keyAlias "androiddebugkey"
            keyPassword "android"
        }
    }

    buildTypes {
        debug {
            applicationIdSuffix ".debug"
            minifyEnabled false
            debuggable true
            signingConfig signingConfigs.debug
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            buildConfigField "String", "ENDPOINT", '"https://beta-api.1temiz.com"'
        }

        stage {
            applicationIdSuffix ".stage"
            minifyEnabled false
            debuggable true
            signingConfig signingConfigs.debug
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            buildConfigField "String", "ENDPOINT", '"https://api.1temiz.com"'
        }

        release {
            applicationIdSuffix ".prod"
            minifyEnabled true
            debuggable false
            signingConfig signingConfigs.release
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
            buildConfigField "String", "ENDPOINT", '"https://api.1temiz.com"'
        }
    }

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }

    // for jenkins
    packagingOptions {
        exclude 'META-INF/NOTICE' // It is not include NOTICE file
        exclude 'META-INF/LICENSE' // It is not include LICENSE file
    }

    // for jenkins
    lintOptions {
        abortOnError false
    }
}

dependencies {
    def supportLibraryVersion = "25.2.0"
    def retrofitVersion = "2.1.0"
    def playService = '10.2.0'
    def jacksonVersion = "2.8.6"

    compile fileTree(dir: 'libs', include: ['*.jar'])
    androidTestCompile('com.android.support.test.espresso:espresso-core:2.2.2', {
        exclude group: 'com.android.support', module: 'support-annotations'
    })
    testCompile 'junit:junit:4.12'

    // support library
    compile "com.android.support:appcompat-v7:$supportLibraryVersion"
    compile "com.android.support:design:$supportLibraryVersion"
    compile "com.android.support:support-v4:$supportLibraryVersion"
    compile "com.android.support:cardview-v7:$supportLibraryVersion"

    // retrofit
    compile "com.squareup.retrofit2:retrofit:$retrofitVersion"
    compile "com.squareup.retrofit2:converter-jackson:$retrofitVersion"
    compile "com.squareup.retrofit2:adapter-rxjava:$retrofitVersion"

    // Jackson
    compile "com.fasterxml.jackson.core:jackson-core:$jacksonVersion"
    compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion"
    compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"

    compile 'com.squareup.okhttp3:logging-interceptor:3.3.0'

    // rxjava
    compile 'io.reactivex:rxjava:1.1.6'
    compile 'io.reactivex:rxandroid:1.2.1'
    compile 'com.artemzin.rxjava:proguard-rules:1.1.0.0'

    // glide
    compile 'com.github.bumptech.glide:glide:3.7.0'
    compile 'jp.wasabeef:glide-transformations:2.0.1'

    // play services
    compile "com.google.android.gms:play-services-base:$playService"
    compile "com.google.android.gms:play-services-location:$playService"

    //firebase
    compile "com.google.firebase:firebase-core:$playService"
    compile "com.google.firebase:firebase-crash:$playService"
    compile "com.google.firebase:firebase-messaging:$playService"
    compile "com.google.firebase:firebase-appindexing:$playService"
    compile 'com.firebase:firebase-jobdispatcher:0.5.2'


    // multidex
    compile 'com.android.support:multidex:1.0.1'

    // stetho
    compile 'com.facebook.stetho:stetho:1.4.2'

    // google maps
    compile "com.google.android.gms:play-services-maps:$playService"

    //sticky header
    compile 'org.zakariya.stickyheaders:stickyheaders:0.7.6'

    // bootstrap includes
    compile project(path: ':core')
    compile project(path: ':mvp-loader')
    compile project(path: ':permissionmanager')
    compile project(path: ':validators')
    compile project(path: ':database')


    compile project(path: ':passwordindicator')
    compile project(path: ':orderstatus')
    compile project(path: ':notificationscount')
    compile project(path: ':lineweekchart')
    compile project(path: ':numbercircle')
}

apply plugin: 'com.google.gms.google-services'

There is https://stackoverflow.com/questions/47262150/commanderror-you-appear-to-have-guava-jdk5-on-your-project-buildscript-or-build
but its resolution doesn't work for me, I have "no classpath ('com.google.firebase:firebase-plugins:1.0.5') " to add "exclude group"
PLEASE HELP how to fix it.

The current HttpCredentialsAdapter will refresh the token if it detects that it has expired on the client side. However, the token can be invalided or expire earlier than this due to clock differences. The adaptere should also detect this case, refresh the token and retry the request.

As a reference, the equivalent credential class in the V1 library does this:
https://github.com/google/google-oauth-java-client/blob/dev/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/Credential.java

It will require the HttpCredentialsAdapter to implement the HttpUnsuccessfulResponseHandler interface.

The interface of OAuth2Credentials does not allow an external class to know the expiration time of the currently cached access token. This prevents implementation of asynchronous refresh patterns.

Currently callers must use

credentials.getRequestMetadata()

which will block if the token has expired. This is not ideal for high-performance clients.

Add support for the GAE built-in service account, aka. App Identity. Also, add support to Application Default Credentials for detecting this environment and automatically using this identity.

The interface of OAuth2Credentials does not allow an external class to know the expiration time of the currently cached access token. This prevents implementation of asynchronous refresh patterns.

Currently callers must use

credentials.getRequestMetadata()

which will block if the token has expired. This is not ideal for high-performance clients.

As reported in googleapis/google-cloud-java#1545 , users have seen failures in ServiceAccountCredentials.refreshAccessToken, which has no retries on the http call. These failures should be retried.

java.io.IOException: Error getting access token for service account:
         at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:319)
         at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
         at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
         at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:96)
         at com.google.cloud.HttpServiceOptions$1.initialize(HttpServiceOptions.java:224)
         at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:93)
         at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:423)
         at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
         at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
         at com.google.cloud.storage.spi.DefaultStorageRpc.create(DefaultStorageRpc.java:245)
         ... 10 more
 Caused by: java.net.SocketTimeoutException: connect timed out
  ...

The JWT Access Credentials should temporarily cache JWTs. Suggested algorithm:

• Hash JWTs using Audience as key.
• Also store the timestamp of last use with each JWT.
• On access clear any JWT unused for more than 1 hour.

Remove references to anything that is not in all versions of that version range.

This might already be true, but it needs to be verified.

cc @lesv

DefaultCredentialsProvider is detecting App Engine when running on App Engine Flex compat mode. Since GAE Flex is based on GCE VMs is would be better if it use ComputeEngineCredentials when running on Flex.

The App Engine check is here:
https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L211

In DefaultCredentialsProvider.getWellKnownCredentialsFile(), the environment variable CLOUDSDK_CONFIG isn't checked. Instead, it assumes that the .config directory is in home. If the CLOUDSDK_CONFIG environment variable is set, that should be used instead of home. This would be consistent with the issue reported in the python equivalent of this library (see this issue).

As a result of not checking CLOUDSDK_CONFIG, users can see the issues like this if they install Cloud SDK in a non-default location.

Credentials.getRequestMetadata(URI) is passed a URI defined as "the entry point for the request". What does that mean?

To be in sync with grpc/grpc#2911 and work with the current ServiceAccountJwtAccessCredentials, the URI passed would need to exclude the gRPC method name. But given the credential API, I would more expect the URI to be the request URI, which would include the method name.

Is it possible for "entry point" to be better defined?

We should have some functionality to verify JWT's.

1. General validation of jwt

2. Validation of a Google JWT
   (Get and cache Google's certificates - validate: iss, iat?, & exp)

3. Validation of a Firebase JWT
   (get and cache Firebase certificates, validate: iss, iat, & exp)

4. Validate Identity provider tokens as well. (FB, Twitter, Github, etc.)

See https://github.com/auth0/java-jwt

Looking up application default credentials on a GCE VM can fail due to VM metadata server being unavailable during VM launch. This is a rare event but Google Cloud Dataflow customers hit this rare case one or two times a month due to the sheer number of VMs. GCE attempted to mitigate VM metadata server unavailability but were only able to reduce it be an order of magnitude thus we need support from the client to retry. Additionally, when contacting the GCE VM metadata server, we should be using the fixed IP address avoiding the nameserver lookup (another potential point of failure).

Problem area in the code:
https://github.com/google/google-auth-library-java/blob/b94f8e4d02bf6917af2e2f7ef8d7114a51dbcfa8/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java#L261

Note that the code in this library and the Apiary auth support code are very similar. The fix was done within the Apiary auth code (note the use of the static IP address and also the presence of a fixed number of retries):
https://github.com/google/google-api-java-client/blob/4fc8c099d9db5646770868cc1bc9a33c9225b3c7/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/OAuth2Utils.java#L74

It turned out that the fixes resulted in zero future customer contacts about this issue.

From feedback from initial port:
You also need license headers in the java files.

PR's #94 & #144 both want to find a way to improve ADC for non-google cloud providers.

The ADC algorithm is defined to:

1. Look at environment variable GOOGLE_APPLICATION_CREDENTIALS
2. Look for gcloud auth application-default login
3. Get a service account from the GCP Metadata server (GAE & GCP are a bit different, but it's the same idea)

We should see if there is a way to safely and securely inject a secret like a service account JSON into a container running on another cloud platform. (item 3 above).

@jonparrott said: environment variables should not be used to hold secrets.

This is a very important item for us. We are trying get to the point where docker containers can run anywhere, on GCP, on a competing cloud provider, in their own datacenter, or locally in their laptop with just a change in the configuration.

Currently the com.google.auth.oauth2.ServiceAccountCredentials class does not handle the project_id field available in Google service account JSON files. It would be useful if the credential can read this field, and expose it via a new getProjectId() method.

Usecase: We want to use this library within some Firebase SDKs, and we (in some situations) need to know the project ID along with the credential.

Implement the ID Token auth mechanism, where a signed JWT is attached to each request.

Would improve usability to support

GoogleCredentials.createScope(String... scopes)

After updating google-auth-libraries to 0.3.0, we noticed the following stacktrace when using application default credentials:

com.google.gcloud.RetryHelper$NonRetriableException: java.lang.NullPointerException
    at com.google.gcloud.RetryHelper.doRetry(RetryHelper.java:193)
    at com.google.gcloud.RetryHelper.runWithRetries(RetryHelper.java:247)
    at com.google.gcloud.RetryHelper.runWithRetries(RetryHelper.java:237)
    at com.google.gcloud.storage.StorageImpl.listBuckets(StorageImpl.java:291)
    at com.google.gcloud.storage.StorageImpl.list(StorageImpl.java:285)
    at com.examples.example.Main.main(Main.java:19)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at com.google.auth.http.HttpCredentialsAdapter.initialize(HttpCredentialsAdapter.java:61)
    at com.google.gcloud.ServiceOptions$1.initialize(ServiceOptions.java:513)
    at com.google.api.client.http.HttpRequestFactory.buildRequest(HttpRequestFactory.java:93)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.buildHttpRequest(AbstractGoogleClientRequest.java:300)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
    at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
    at com.google.gcloud.spi.DefaultStorageRpc.list(DefaultStorageRpc.java:155)
    at com.google.gcloud.storage.StorageImpl$6.call(StorageImpl.java:295)
    at com.google.gcloud.storage.StorageImpl$6.call(StorageImpl.java:292)
    at com.google.gcloud.RetryHelper.doRetry(RetryHelper.java:181)

I think the issue was introduced in this commit. Also see https://github.com/google/google-auth-library-java/blame/master/oauth2_http/java/com/google/auth/http/HttpCredentialsAdapter.java#L61
The HTTP client's request factory seems to initialize the request before it sets the URL.

Something like LocalServerReceiver in google-oauth-client.

This would satisfy the Identity-aware Proxy use case as well as a few other niche cases that have come up.

Context:
https://gist.github.com/jonparrott/cffca2fa7881e03fbe6ff7c25773c9cf
https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py#L121

See googleapis/google-auth-library-python#130 for additional context.

In order for us to expose google-auth-library-java classes in google-cloud-java (thus dropping our AuthCredentials classes), we need Credentials classes to be Serializable.

One of the main obstacles to making Credentials classes serializable is that some of them contain an HttpTransport field, which is not serializable (see ComputeEngineCredentials for instance).

We faced this issue with our HttpServiceOptions classes and introduced the HttpTransportFactory interface:

  /**
   * A base interface for all {@link HttpTransport} factories.
   *
   * <p>Implementation must provide a public no-arg constructor. Loading of a factory implementation
   * is done via {@link java.util.ServiceLoader}.
   */
  public interface HttpTransportFactory {
    HttpTransport create();
  }

When serializing an option object we only transmit the class name for the transport factory and try to instantiate the factory from its classname upon deserialization.

Do you think something like this could be done for Credentials classes as well? Opinions are welcome.

/cc @anthmgoogle @garrettjonesgoogle @lesv

Readme should be a bit more detailed, including:

• How to include this in Maven / Gradle
• Current version
• How to use or a link to documentation
• Link to license and Contributing

See https://github.com/GoogleCloudPlatform/Template for suggested outline.

Should we set up Travis or similar CIs for this project?

When using Application Default Credentials from App Engine, both on the local development server (after logging in via gcloud auth login) and in production, I get the following error message:
java.io.IOException: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Based on that website, it seems like the behavior should be that the SDK credentials are used in the local development server and the App Engine credentials should be provided without setting the GOOGLE_APPLICATION_CREDENTIALS environment variable.

Similar to googleapis/google-cloud-java#1883

I'm working on some samples to do specific authentication flows, and I'd like to link to the classes used in cloud.google.com documentation, but would rather link to the latest version of the API docs instead of a specific version.

It works if you call refreshAccessToken(). We should either:

1. change the documentation idiom to recommend using refreshAccessToken() instead
2. comment that in getAccessToken() that it might not work.
3. Make getAccessToken() call refreshAccessToken() when nothing is cached. (ie null)

Is there a reason that UserCredentials' member variables don't have public getters? It would be useful to have getters like in ServiceAccountCredentials.

Types like ServiceAccountCredentials handle lists of scopes. The types are effectively immutable, so for safety, all types taking collections of scopes should use ImmutableList.copy(scopes).

Hello all.

I routed here from google-doublecliek-ad-exchange-buyer-api group for OAuth auto-refresh issue. https://groups.google.com/forum/#!topic/google-doubleclick-ad-exchange-buyer-api/ptf3-LO-2Jc

I saw "GoogleCredential takes care of automatically "refreshing" the token" state from below page.
https://developers.google.com/api-client-library/java/google-api-java-client/oauth2

I wrote below but it doesn't refresh token automatically.

String token = ...;
TokenResponse tokenResponse = JacksonFactory.getDefaultInstance().fromString(token, TokenResponse.getClass());
tokenResponse.setRefreshToken("CCCCC");

Credential credential = new GoogleCredential.Builder().setJsonFactory(JacksonFactory.getDefaultInstance())
.setTransport(GoogleNetHttpTransport.newTrustedTransport())
.setClientSecrets("XXXX", "XXXX")
.build().setFromTokenResponse(tokenResponse);
AdExchangeBuyerII buyer = new AdExchangeBuyerII.Builder(new NetHttpTransport(), JacksonFactory.getDefaultInstance(), credential).setApplicationName("").build();

Originally, I set refreshToken at GoogleCredential, but I change it to set it on TokenResponse after Mark's suggestion. But both of them isn't work.

I also add CredentialRefreshListener() to check whether refresh request is sent, but I can't see anyting.

Could you let me know whether my code need to be updated or it is a bug on auth library?

The API docs URL given in index.md is outdated: http://google.github.io/google-auth-library-java/releases/0.7.1/apidocs/

It doesn't look like the API docs of the last release (v0.8.0) are published anywhere. Please publish the latest API docs, and provide a version-neural permanent link like http://google.github.io/google-auth-library-java/releases/latest/apidocs/ so downstream projects can easily link to API docs of this library.

We now depend on guava-jdk5:13.0. In both google-cloud-java and gax-java we instead depend on standard guava (version 19 and 18 respectively).

Is there any reason for depending on guava-jdk5? If not excluded (as we do in google-cloud-java), this just results in a bunch of duplicated classes in all projects that use standard guava. /cc @anthmgoogle @garrettjonesgoogle

OAuth2Credentials has methods refresh(). But there's no method to check if the token is close to expiring and refresh if so. I want to do these few lines, but these methods are private.

My use case is that I have a long-lived GoogleCredentials instance. I only want to refresh when I need to to minimize unnecessary overhead in making requests to the backend. There are the methods getRequestMetadata() which will essentially do the check and refresh logic, but this method name and parameter is an awkward fit.

Can we expose a new public method in this class that does this?

public void refreshIfExpired() throws IOException {
  synchronized(lock) {
    if (shouldRefresh()) {
      refresh();
    }
  }
}

• Mark anything @BetaApi or @Internal that we want the flexibility to change later (requires adding a dependency on api-common) - only things unused in google-cloud-java and grpc-auth can be marked this way
• Remove Guava from the surface
• Add back any features removed since 0.4.0 (to maintain compatibility with grpc-auth)
• Any other GA cleanup
• drop guava-jdk5 support
• Full end-to-end testing (#293)

While running some tests using the MockTokenServerTransport of the Google API client, I noticed that sometimes GoogleCredentials.getExpirationTime() incorrectly returns timestamps that are several days old. This is what's going on:

1. MockTokenServerTransport has a bug where it reports the expires_in field in milliseconds (3600000), where it should be seconds. I reported this in their Github repo (googleapis/google-api-java-client#1061).
2. The code in ServiceAccountCredentials class will encounter an integer overflow, when the backend server reports a large expires_in value:

https://github.com/google/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java#L375

    long expiresAtMilliseconds = clock.currentTimeMillis() + expiresInSeconds * 1000;

If expiresInSeconds is large (say 3600000), this code will overflow, and the resulting timestamp will be in the past.

I'm using spanner java client with gcloud SDK and trying to connect to Google Spanner from machine that uses proxy for internet access.
I have configured gcloud to use my proxy server and it is ok.
I have specified environment variable GRPC_PROXY_EXP and Spanner requests to spanner.googleapis.com go through proxy and it's ok as well.

But spanner sql requests fail with com.google.cloud.spanner.SpannerException: UNAUTHENTICATED exception because of another error related to OAuth2:

Caused by: java.net.UnknownHostException: accounts.google.com
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
	at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
	at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:77)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:965)
	at com.google.auth.oauth2.UserCredentials.refreshAccessToken(UserCredentials.java:207)
	at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:149)
	at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:135)
	at io.grpc.auth.GoogleAuthLibraryCallCredentials$1.run(GoogleAuthLibraryCallCredentials.java:110)
	... 3 common frames omitted

I wend deeper in the code and found that https://github.com/google/google-auth-library-java/blob/0fab63ca9798b78929e52d0313fe54241bda6256/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java#L64 initializes with default parameters and without any possibility to configure proxy settings.

If you find it reasonable I would be glad to make PR.

The other languages are trying to pickup current / default ProjectID - since SQL v2, bigtable, and other services require .

We possibly may need to get the default zone & region from gcloud config.

It would be helpful to give users the ability to generate a User Credentials JSON file. While this is a feature of Python's auth library, the only way users can get a User Credentials JSON file now is to login using the Google Cloud SDK and then go hunting for it in the configurations directory.

It was released to Maven Central, but the tag is missing in GitHub.

Would it be possible to cut a new release to incorporate #132?

Also, it appears that master has diverged from the released artifacts. Maven central has the artifacts:

• google-auth-library-credentials:0.8.0
• google-auth-library-oauth2-http:0.8.0
• etc

While the pom files in this repo still reference 0.7.2-SNAPSHOT and are missing the 0.8.0 tag

Thanks

This is needed for google-auth-library-java and googleapis/google-api-java-client#1037 (creating an issue for both projects):

User's current way:

GoogleCredential googleCredential = new GoogleCredential.Builder()
     .setTransport(TRANSPORT).setJsonFactory(JSON_FACTORY)
     .setServiceAccountId(emailAddress)
     .setServiceAccountPrivateKeyFromP12File(p12File)
     .setServiceAccountScopes(scopes)
     .setServiceAccountUser(user).build();

Would like: to do:

GoogleCredential googleCredential = 
    GoogleCredential.fromStream(jsonInputStream, TRANSPORT, JSON_FACTORY).createScoped(Collections.singleton(Oauth2Scopes.USERINFO_EMAIL))

Python you just do:

credentials = credentials.create_delegated(user)