feat: Support scopes from JSON for Impersonated Credentials

robertvoinescu-work · robertvoinescu-work · commit bdd0b8446d3b · 2025-10-15T21:03:31.000Z
When using an impersonated service account, scopes specified in the JSON file were previously ignored.

This change updates the `CredentialFactory` to read the `scopes` array from the impersonated credential
configuration. Programmatically set scopes via `CreateScoped` will continue to take precedence over the scopes
defined in the JSON file.
diff --git a/Src/Support/Google.Apis.Auth.Tests/OAuth2/GoogleCredentialTests.cs b/Src/Support/Google.Apis.Auth.Tests/OAuth2/GoogleCredentialTests.cs
@@ -697,6 +697,36 @@ public void CreateScoped_Impersonated()
             Assert.Collection(impersonatedCredential.Scopes, scope => Assert.Equal("new_scope", scope));
         }
 
+        [Fact]
+        public void CreateScoped_Impersonated_FromJson()
+        {
+            var scopes = new[] { "scope1", "scope2" };
+            var parameters = CreateImpersonatedCredentialParameters(scopes);
+
+            var impersonatedCredential = CredentialFactory.FromJsonParameters<ImpersonatedCredential>(parameters);
+
+            // The scopes passed in through the credential json should be the scopes set on the impersonated credential
+            Assert.Equal(scopes, impersonatedCredential.Scopes);
+        }
+
+        [Fact]
+        public void CreateScoped_Impersonated_FromJsonScopesOverwritten()
+        {
+            var jsonScopes = new[] { "scope1", "scope2" };
+            var manuallySetScopes = new[] { "scope3" };
+            var parameters = CreateImpersonatedCredentialParameters(jsonScopes);
+
+            var credentialFromJson = CredentialFactory.FromJsonParameters<ImpersonatedCredential>(parameters).ToGoogleCredential();
+            var manuallyScopedCredential = credentialFromJson.CreateScoped(manuallySetScopes);
+            var originalImpersonatedCredential = Assert.IsType<ImpersonatedCredential>(credentialFromJson.UnderlyingCredential);
+            var newImpersonatedCredential = Assert.IsType<ImpersonatedCredential>(manuallyScopedCredential.UnderlyingCredential);
+
+            // If scopes are explicitly set in code, these should override the scopes passed through the credential json
+            Assert.Equal(manuallySetScopes, newImpersonatedCredential.Scopes);
+            // The original credential's scopes should remain unchanged
+            Assert.Equal(jsonScopes, originalImpersonatedCredential.Scopes);
+        }
+
         [Fact]
         public void CreateWithQuotaProject_Impersonated()
         {
@@ -846,5 +876,23 @@ public Task RevokeTokenAsync(string userId, string token, CancellationToken task
 
             public bool ShouldForceTokenRetrieval() => throw new NotImplementedException();
         }
+
+        /// <summary>
+        /// Creates json parameters for an impersonated credential with the specified scopes.
+        /// </summary>
+        private static JsonCredentialParameters CreateImpersonatedCredentialParameters(string[] scopes) =>
+            new JsonCredentialParameters
+            {
+                Type = JsonCredentialParameters.ImpersonatedServiceAccountCredentialType,
+                ServiceAccountImpersonationUrl = "https://example.com",
+                Scopes = scopes,
+                SourceCredential = new JsonCredentialParameters
+                {
+                    Type = JsonCredentialParameters.AuthorizedUserCredentialType,
+                    ClientId = "CLIENT_ID",
+                    ClientSecret = "CLIENT_SECRET",
+                    RefreshToken = "REFRESH_TOKEN"
+                }
+            };
     }
 }
diff --git a/Src/Support/Google.Apis.Auth/OAuth2/CredentialFactory.cs b/Src/Support/Google.Apis.Auth/OAuth2/CredentialFactory.cs
@@ -336,6 +336,7 @@ private static ImpersonatedCredential CreateImpersonatedServiceAccountCredential
         {
             DelegateAccounts = parameters.Delegates?.Length > 0 ? parameters.Delegates.ToList() : null,
             QuotaProject = parameters.QuotaProject,
+            Scopes = parameters.Scopes?.Length > 0 ? parameters.Scopes.ToList() : null,
         };
 
         var impersonatedCredential = ImpersonatedCredential.Create(sourceCredential.ToGoogleCredential(), initializer);
diff --git a/Src/Support/Google.Apis.Auth/OAuth2/JsonCredentialParameters.cs b/Src/Support/Google.Apis.Auth/OAuth2/JsonCredentialParameters.cs
@@ -152,6 +152,12 @@ public class JsonCredentialParameters
         [JsonProperty("delegates")]
         public string[] Delegates { get; set; }
 
+        /// <summary>
+        /// Scopes associated with the impersonated credential.
+        /// </summary>
+        [JsonProperty("scopes")]
+        public string[] Scopes { get; set; }
+
         /// <summary>
         /// The source credential associated to the impersonated credential.
         /// </summary>

Original file line number	Diff line number	Diff line change
`@@ -336,6 +336,7 @@ private static ImpersonatedCredential CreateImpersonatedServiceAccountCredential`
`336`	`336`	`{`
`337`	`337`	`DelegateAccounts = parameters.Delegates?.Length > 0 ? parameters.Delegates.ToList() : null,`
`338`	`338`	`QuotaProject = parameters.QuotaProject,`
	`339`	`+ Scopes = parameters.Scopes?.Length > 0 ? parameters.Scopes.ToList() : null,`
`339`	`340`	`};`
`340`	`341`
`341`	`342`	`var impersonatedCredential = ImpersonatedCredential.Create(sourceCredential.ToGoogleCredential(), initializer);`