feat: Add ADC support for ExternalAccountAuthorizedUserCredential.

amanda-tarafa · amanda-tarafa · commit cfc39bb9b7a3 · 2025-04-01T09:40:31.000-07:00
diff --git a/Src/Support/Google.Apis.Auth.Tests/OAuth2/DefaultCredentialProviderTests.cs b/Src/Support/Google.Apis.Auth.Tests/OAuth2/DefaultCredentialProviderTests.cs
@@ -81,7 +81,8 @@ public class DefaultCredentialProviderTests
         private const string ImpersonatedServiceAccountCredentialFileName = "impersonated_service_account_credential.json";
         private const string ImpersonatedServiceAccountCredentialUniverseDomainFileName = "impersonated_service_account_credential_universe_domain.json";
         private const string ImpersonatedServiceAccountCredentialUniverseDomainDifferentFileName = "impersonated_service_account_credential_universe_domain_different.json";
-        private const string RecursiveImpersonatedServiceAccountCredentialName = "recursive_impersonated_service_account_credential.json";
+        private const string RecursiveImpersonatedServiceAccountCredentialFileName = "recursive_impersonated_service_account_credential.json";
+        private const string ExternalAccountAuthorizedUserCredentialFileName = "external_account_authorized_user_credential.json";
 
         public DefaultCredentialProviderTests()
         {
@@ -380,13 +381,33 @@ public async Task GetDefaultCredential_ImpersonatedCredential_UniverseDomain_Dif
         [Fact]
         public async Task GetDefaultCredential_RecursiveImpersonatedCredential_FromEnvironmentVariable()
         {
-            credentialProvider.SetEnvironmentVariable(CredentialEnvironmentVariable, RecursiveImpersonatedServiceAccountCredentialName);
+            credentialProvider.SetEnvironmentVariable(CredentialEnvironmentVariable, RecursiveImpersonatedServiceAccountCredentialFileName);
 
             await Assert.ThrowsAsync<InvalidOperationException>(() => credentialProvider.GetDefaultCredentialAsync());
         }
 
         #endregion
 
+        #region ExternalAccountAuthorizedUserCredential
+
+        [Fact]
+        public async Task GetDefaultCredential_ExternalAccountAuthorizedUserCredential_FromEnvironmentVariable()
+        {
+            credentialProvider.SetEnvironmentVariable(CredentialEnvironmentVariable, ExternalAccountAuthorizedUserCredentialFileName);
+
+            var credential = await credentialProvider.GetDefaultCredentialAsync();
+
+            var externalCredential = Assert.IsType<ExternalAccountAuthorizedUserCredential>(credential.UnderlyingCredential);
+            Assert.Equal("refreshToken", externalCredential.RefreshToken);
+            Assert.Equal("https://sts.googleapis.com/v1/oauthtoken", externalCredential.TokenServerUrl);
+            Assert.Equal("clientId", externalCredential.ClientId);
+            Assert.Equal("clientSecret", externalCredential.ClientSecret);
+            Assert.Equal("//iam.googleapis.com/locations/global/workforcePools/poolId/providers/providerId", externalCredential.Audience);
+            Assert.Equal("https://sts.googleapis.com/v1/introspect", externalCredential.TokenInfoUrl);
+        }
+
+        #endregion
+
         #region Invalid Cases
 
         /// <summary>Environment variable points to a non existant credential file.</summary>
diff --git a/Src/Support/Google.Apis.Auth.Tests/OAuth2/FakeCredentialFiles/external_account_authorized_user_credential.json b/Src/Support/Google.Apis.Auth.Tests/OAuth2/FakeCredentialFiles/external_account_authorized_user_credential.json
@@ -0,0 +1,9 @@
+{
+  "type": "external_account_authorized_user",
+  "audience": "//iam.googleapis.com/locations/global/workforcePools/poolId/providers/providerId",
+  "refresh_token": "refreshToken",
+  "token_url": "https://sts.googleapis.com/v1/oauthtoken",
+  "token_info_url": "https://sts.googleapis.com/v1/introspect",
+  "client_id": "clientId",
+  "client_secret": "clientSecret"
+}
diff --git a/Src/Support/Google.Apis.Auth/OAuth2/DefaultCredentialProvider.cs b/Src/Support/Google.Apis.Auth/OAuth2/DefaultCredentialProvider.cs
@@ -216,6 +216,7 @@ internal GoogleCredential CreateDefaultCredentialFromParameters(JsonCredentialPa
                 JsonCredentialParameters.ServiceAccountCredentialType => GoogleCredential.FromServiceAccountCredential(CreateServiceAccountCredentialFromParameters(credentialParameters)),
                 JsonCredentialParameters.ExternalAccountCredentialType => new GoogleCredential(CreateExternalCredentialFromParameters(credentialParameters)),
                 JsonCredentialParameters.ImpersonatedServiceAccountCredentialType => new GoogleCredential(CreateImpersonatedServiceAccountCredentialFromParameters(credentialParameters)),
+                JsonCredentialParameters.ExternalAccountAuthorizedUserCredentialType => new GoogleCredential(CreateExternalAccountAuthorizedUserCredentialFromParemeters(credentialParameters)),
                 _ => throw new InvalidOperationException($"Error creating credential from JSON or JSON parameters. Unrecognized credential type {credentialParameters.Type}."),
             };
 
@@ -378,6 +379,29 @@ private ImpersonatedCredential CreateImpersonatedServiceAccountCredentialFromPar
             return impersonatedCredential;
         }
 
+        private ExternalAccountAuthorizedUserCredential CreateExternalAccountAuthorizedUserCredentialFromParemeters(JsonCredentialParameters parameters)
+        {
+            if (parameters.Type != JsonCredentialParameters.ExternalAccountAuthorizedUserCredentialType
+                || string.IsNullOrEmpty(parameters.TokenUrl)
+                || string.IsNullOrEmpty(parameters.RefreshToken)
+                || string.IsNullOrEmpty(parameters.ClientId)
+                || string.IsNullOrEmpty(parameters.ClientSecret))
+            {
+                throw new InvalidOperationException("JSON data does not represent a valid external account authorized user credential.");
+            }
+
+            var initializer = new ExternalAccountAuthorizedUserCredential.Initializer(
+                parameters.TokenUrl, parameters.RefreshToken, parameters.ClientId, parameters.ClientSecret)
+            {
+                Audience = parameters.Audience,
+                QuotaProject = parameters.QuotaProject,
+                TokenInfoUrl = parameters.TokenInfoUrl,
+                UniverseDomain = parameters.UniverseDomain,
+            };
+
+            return new ExternalAccountAuthorizedUserCredential(initializer);
+        }
+
         /// <summary> 
         /// Returns platform-specific well known credential file path. This file is created by 
         /// <a href="https://cloud.google.com/sdk/gcloud/reference/auth/login">gcloud auth login</a>
diff --git a/Src/Support/Google.Apis.Auth/OAuth2/JsonCredentialParameters.cs b/Src/Support/Google.Apis.Auth/OAuth2/JsonCredentialParameters.cs
@@ -52,6 +52,12 @@ public class JsonCredentialParameters
         /// </summary>
         public const string ExternalAccountCredentialType = "external_account";
 
+        /// <summary>
+        /// OAuth2 credentials sourced using external identities through Workforce Identity Federation.
+        /// Obtaining the initial access and refresh token can be done through the Google Cloud CLI.
+        /// </summary>
+        public const string ExternalAccountAuthorizedUserCredentialType = "external_account_authorized_user";
+
         /// <summary>Type of the credential.</summary>
         [JsonProperty("type")]
         public string Type { get; set; }
@@ -174,6 +180,12 @@ public class JsonCredentialParameters
         [JsonProperty("token_url")]
         public string TokenUrl { get; set; }
 
+        /// <summary>
+        /// Endpoint to retrieve information related to an external account authorized user, like email, username, etc.
+        /// </summary>
+        [JsonProperty("token_info_url")]
+        public string TokenInfoUrl { get; set; }
+
         /// <summary>
         /// The GCP project number to be used for Workforce Pools
         /// external credentials.
